Umbrella Reporting API overview

Reporting

The Umbrella Reporting API provides visibility into the traffic, events, and activities of the user devices, resources, and networks in an organization.

This guide provides information about the Reporting API path and query parameters, Umbrella content categories and IDs, and other location-related parameters that are required when making a request to the Reporting API. For questions about setting the location and location-trusted flags and redirecting HTTP requests, see HTTP Redirects and Request Authorization Header.

Use Cases and Best Practices

The Umbrella Reporting API enables you to programmatically access logs and reports, and build widgets or custom reports. The Reporting API does not support bulk data retrieval. If you must export all your data or large data collections, you can enable logging to Amazon Simple Storage Service (Amazon S3). For more information about Umbrella logs, see Manage Your Logs in the Umbrella User Guide.

Use Case Granularity or Type Recommendation Considerations
Compliance or long-term event retention Export and store all events. Use a customer owned Amazon S3 bucket.
SIEM: Event correlation Export all events. Use a Cisco managed Amazon S3 bucket. Umbrella retains data for 30 days.
Dashboard KPI or widgets Activity Search and Aggregations. Use the Reporting API. Use query parameters to filter requests.
Report generation Aggregations. Use the Reporting API.
SOAR workflow: trigger Activity Search. Use the Reporting API. Use query parameters to filter requests.

Rate Limits for Reports API Endpoints

Umbrella enables rate limits on the Reporting API endpoints. For more information, see Rate Limits > Reports.

Request Headers

Unless specified, the Umbrella API endpoints use JSON for all requests and responses.

Note: For POST, PUT, and PATCH operations, set the HTTP Content-Type header to application/json in your API request.

Request Path Parameters

The Umbrella Reporting API endpoints require various path parameters.

Parameter Example Description
type dns Specify the type of traffic. Valid values: dns or proxy.
type ip Specify the type of traffic. Valid values: dns, proxy, or ip.
type firewall Specify the type of traffic. Valid values: dns, proxy, firewall, or ip.
type intrusion Specify the type of traffic. Valid values: dns, proxy, firewall, intrusion, or ip.
identityid 42 An identity ID
threattypeid Ransomware A threat type name
threatnameid WannaCry The threat name

Request Query Parameters

You can customize and filter the Umbrella Reporting API requests with query parameters. Each Reporting API endpoint defines its required query parameters.

Note: Umbrella uses the timestamp of the events to sort the /activity, /activity/dns, /activity/proxy, /activity/intrusion, /activity/firewall, and /activity/amp-retrospective collections. If multiple events occur in the same second, the order of the collection is not guaranteed to be consistent.

For more information about time-related query parameters, see Timestamp and Relative Time Strings.


Parameter Example Description
from 1639146300000 A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.
Required
to 1640010300000 A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.
Required
offset 0 A number that represents an index into the collection.
limit 100 The maximum number of records to return from the collection.
Required
limit 100 (Identities utility endpoint) The number of records to return from the collection. The default limit is 100. In a single response, the server returns at most 5000 records from the collection.
Required
timezone ASIA%2fCALCUTTA Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.
domains cisco.com,nasa.gov A domain name or comma-delimited list of domain name.
urls https://google.com,facebook.com/help A URL or comma-delimited list of URL.
categories 148,151,66 A category ID or comma-delimited list of category ID.
policycategories 67,69 A category ID or comma-delimited list of category ID. Filter request by the categories that trigger a policy.
ip 10.10.10.10 An IP address
order desc A string that describes how to order the results (for example: 'asc' or 'desc').
ports 7351,80 A port number or comma-delimited list of port number.
identityids 1,2,3 An identity ID or comma-delimited list of identity ID.
identitytypes network,roaming An identity type or comma-delimited list of identity type.
applicationid 1 An application ID.
verdict allowed,blocked,proxied A verdict string or comma-delimited list of verdict string.
ruleid 1 A firewall policy rule ID.
filename myfilename_* A string that identifies a filename. Filter request by the filename. Supports globbing or use of the wildcard character (''). The asterisk () matches zero or more occurrences of any character.
securityoverridden true Specify whether to filter on requests that override security.
bundleid 1 A proxy bundle ID.
threats A threat name or comma-delimited list of threat name.
threattypes A threat type or comma-delimited list of threat type.
ampdisposition clean,malicious,unknown An AMP disposition string or a comma-delimited list of AMP disposition string.
isolatedstate isolated A string that describes the remote browser isolation (RBI) isolation type (for example: 'isolated' or 'not-isolated').
isolatedFileAction downloaded-safe-pdf A string that describes the remote browser isolation (RBI) file action type (for example: 'viewed', 'downloaded-original-file', or 'downloaded-safe-pdf').
datalosspreventionstate blocked A string that describes the status of a destination (for example: 'blocked'). Filter data for requests that were blocked to protect data.
sha256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad A SHA-256 hash
antivirusthreats Trojan.Linux.Generic.144075 A threat name or comma-delimited list of threat name.
tenantcontrols true If set to 'true', filter data for requests that are part of a tenant control policy.
search somelabel A string that represents a search parameter. Filter data for requests where the search string appears in the endpoint data.
application Games The application name
filternoisydomains true filter out domains that generate a lot of insignificant traffic (noise).
httperrors certificateerror Filter data for requests that resulted in a TLS error or a certificate error. Valid values: certificateerror or tlserror.
signatures 1-2,1-4 list of -, comma delimited
signaturelistids 1,2 list of signature list ids, comma delimited
intrusionaction detected,would_block list of intrusion actions, comma delimited. Valid values are: would_block, blocked, detected
exists destinationlistids,threattypes Specify a comma-separated list of attributes to filter the data. Valid values are: categories, policycategories, applicationid, nbarapplicationid, nbarapplicationtypeids, privateapplicationid, applicationgroupids, sha256, filename, threats, threattypes, antivirusthreats, destinationlistids, httperrors.
connectionevent connected Specify the type of connection event.
osversions linux-64-Ubuntu 20.04.5 LTS (Focal Fossa) Specify a comma-separated list of OS versions to filter the data.
anyconnectversions 4.10.05095 Specify a comma-separated list of AnyConnect Roaming Security module versions to filter the data.

Categories Query Parameter

The Umbrella Reporting API categories query parameter accepts a string with a single category ID or list of comma-separated category IDs. Use the categories query parameter to search for events in your reports that are related to the categories. You can get the list of Umbrella categories from the Umbrella Reporting API /categories endpoint. The category object includes the category ID. For more information about the Umbrella Reporting API /categories endpoint, see Get Categories.

Umbrella Reporting API Categories with IDs

Click to view the Umbrella Reporting API category IDs and labels
IDLabel
1Alcohol
2Auctions
6Dating
10Gambling
11Games
14Humor
24Social Networking
27Advertisements
30Weapons
37Parked Domains
38Tobacco
44Pornography
52Politics
55Travel
60Drive-by Downloads/Exploits
61Dynamic DNS
62Mobile Threats
63High Risk Sites and Locations
64Command and Control
65Command and Control
66Malware
67Malware
68Phishing
70FireEye
71Block List
72Allow List
73Global Whitelist
74Sinkhole
76Check Point
79ZeroFOX
82ThreatQ
84ThreatConnect
96Cisco AMP Threat Grid
106Unauthorized IP Tunnel Access
107URL Shorteners
108Newly Seen Domains
109Potentially Harmful
110DNS Tunneling VPN
111Arts
112Astrology
113Computer Security
114Digital Postcards
115Dining and Drinking
116Dynamic and Residential
117Fashion
118File Transfer Services
119Freeware and Shareware
120Hacking
121Illegal Activities
122Illegal Downloads
123Infrastructure and Content Delivery Networks
124Internet Telephony
125Lotteries
126Mobile Phones
127Nature and Conservation
128Online Trading
129Personal Sites
130Professional Networking
131Real Estate
132SaaS and B2B
133Safe for Kids
134Science and Technology
135Sex Education
136Social Science
137Society and Culture
138Software Updates
139Web Hosting
140Web Page Translation
141Organizational Email
142Online Meetings
143Paranormal
144Personal VPN
145DIY Projects
146Hunting
147Military
148Application
150Cryptomining
151Application Block
152Application Allow
153Infringing Intellectual Property
161Adult
162Web-based Email
163Business and Industry
164Chat and Instant Messaging
165Cheating and Plagiarism
166Child Abuse Content
167Computers and Internet
168Education
169Entertainment
170Extreme
171Filter Avoidance
172Finance
173Government and Law
174Hate Speech
175Health and Medicine
176Illegal Drugs
177Job Search
178Lingerie and Swimsuits
179News
180Non-governmental Organizations
181Non-sexual Nudity
182Not Actionable
183Online Communities
184Online Storage and Backup
185Web Cache and Archives
186Peer File Transfer
187Photo Search and Images
188Reference
189Religion
190Search Engines and Portals
191Shopping
192Sports and Recreation
193Streaming Audio
194Streaming Video
195Transportation
196Animals and Pets
197Cannabis
198Cloud and Data Centers
199Conventions, Conferences and Trade Shows
200Cryptocurrency
201DoH and DoT
202Internet of Things
203Museums
204Terrorism and Violent Extremism
205Online Document Sharing and Collaboration
206Private IP Addresses as Host
207Recipes and Food
208Regional Restricted Sites (Germany)
209Regional Restricted Sites (Great Britain)
210Regional Restricted Sites (Italy)
211Regional Restricted Sites (Poland)

Umbrella Reporting API Categories with Legacy IDs

Click to view the Umbrella Reporting API legacy category IDs and labels
Legacy IDLabel
2Alcohol
3Auctions
7Dating
11Gambling
12Games
15Humor
24Social Networking
414Advertisements
28Weapons
57Parked Domains
73Tobacco
64Pornography
66Politics
68Travel
83Drive-by Downloads/Exploits
85Dynamic DNS
87Mobile Threats
89High Risk Sites and Locations
90Command and Control
92Command and Control
94Malware
96Malware
98Phishing
102FireEye
112Block List
114Allow List
116Global Whitelist
178Sinkhole
104Check Point
110ZeroFOX
121ThreatQ
125ThreatConnect
147Cisco AMP Threat Grid
169Unauthorized IP Tunnel Access
170URL Shorteners
172Newly Seen Domains
174Potentially Harmful
176DNS Tunneling VPN
327Arts
329Astrology
331Computer Security
333Digital Postcards
335Dining and Drinking
337Dynamic and Residential
339Fashion
341File Transfer Services
343Freeware and Shareware
345Hacking
347Illegal Activities
349Illegal Downloads
351Infrastructure and Content Delivery Networks
353Internet Telephony
355Lotteries
357Mobile Phones
359Nature and Conservation
361Online Trading
363Personal Sites
365Professional Networking
367Real Estate
369SaaS and B2B
371Safe for Kids
373Science and Technology
375Sex Education
377Social Science
379Society and Culture
381Software Updates
383Web Hosting
385Web Page Translation
387Organizational Email
389Online Meetings
391Paranormal
393Personal VPN
395DIY Projects
397Hunting
399Military
400Application
403Cryptomining
405Application Block
407Application Allow
409Infringing Intellectual Property
415Adult
416Web-based Email
417Business and Industry
418Chat and Instant Messaging
419Cheating and Plagiarism
420Child Abuse Content
421Computers and Internet
422Education
423Entertainment
424Extreme
425Filter Avoidance
426Finance
427Government and Law
428Hate Speech
429Health and Medicine
430Illegal Drugs
431Job Search
432Lingerie and Swimsuits
433News
434Non-governmental Organizations
435Non-sexual Nudity
458Not Actionable
437Online Communities
438Online Storage and Backup
467Web Cache and Archives
440Peer File Transfer
441Photo Search and Images
442Reference
443Religion
444Search Engines and Portals
445Shopping
446Sports and Recreation
447Streaming Audio
448Streaming Video
449Transportation
450Animals and Pets
451Cannabis
452Cloud and Data Centers
453Conventions, Conferences and Trade Shows
454Cryptocurrency
455DoH and DoT
456Internet of Things
457Museums
466Terrorism and Violent Extremism
459Online Document Sharing and Collaboration
460Private IP Addresses as Host
461Recipes and Food
462Regional Restricted Sites (Germany)
463Regional Restricted Sites (Great Britain)
464Regional Restricted Sites (Italy)
465Regional Restricted Sites (Poland)

Umbrella Reporting API Categories with Deprecated Legacy IDs

Click to view the Umbrella Reporting API deprecated legacy category IDs and labels
Deprecated Legacy IDLabel
1Adware
4Blogs
5Chat
6Classifieds
8Drugs
9Ecommerce/Shopping
10File Storage
13Hate/Discrimination
14Health and Fitness
16Instant Messaging
17Jobs/Employment
19Movies
33News/Media
20P2P/File sharing
48Photo Sharing
21Portals
22Radio
23Search Engines
47Software/Technology
34Television
26Video Sharing
27Visual Search Engines
29Webmail
56Business Services
52Educational Institutions
55Financial Institutions
49Government
50Music
51Sports
58Adult Themes
60Lingerie/Bikini
63Nudity
61Proxy/Anonymizer
62Sexuality
59Tasteless
72Academic Fraud
70Automotive
67Forums/Message boards
69Non-Profits
71Podcasts
65Religious
54Research/Reference
74German Youth Protection
76Anime/Manga/Webcomic
77Web Spam
126Internet Watch Foundation
401Terrorism
410IT-AGCOM
412IT-ADM

Request Data by Time Range

Many Umbrella Reporting API endpoints require that you set a time range to filter the data. You can define a time range with the to and from request query parameters. Also, some Umbrella Reporting API endpoints enable a timerange header.

Time Range Header

The timerange header describes how to group data within a 24-hour period. This header accepts the following strings:

  • minute
  • hour (default value)
  • day

Umbrella Reporting API resources that group data by hourly intervals do not enable the timerange header. These resources include:

  • Bandwidth by Hour
  • Requests by Hour
  • Requests by Hour and Category

Time Range Example

The Requests by Timerange resource accepts the timerange header and the to and from query parameters. For example, you can set the timerange header to minute, the to query parameter to now, and the from query parameter to -1days.

Timestamp and Relative Time Strings

The to and from query parameters accept a timestamp string that is defined in milliseconds from the Unix epoch. For example: 1619007756000 (converted from 2021-04-21:08:22:36 GMT-04:00).

You can also set other time range strings for these parameters.

Examples of to query parameter values:

  • now
  • -1days

Examples of from query parameter values:

  • -2days
  • -10minutes
  • -2weeks

Note: The time range set by the to and from query parameters cannot exceed 30 days.

HTTP Redirects and Request Authorization Header

Umbrella stores the reporting data in geolocated data warehouses. Depending on the location where you make an API request, you must use a base URI in the request that is associated with your location.

The base URIs for reaching the Umbrella Reporting API from Europe (EU) and the United States (US) are:

  • EU: api.umbrella.com/reports.eu/v2
  • US: api.umbrella.com/reports.us/v2

Note: If an HTTP request does not originate from the same continent as the Umbrella data center, Umbrella responds with 302 Found.

To automatically redirect HTTP requests and preserve the HTTP Authorization header, you can set additional flags on the client and enable a redirect setting.

  • curl: You must pass the -L or --location, and --location-trusted flags to redirect the curl HTTP request and retain the Authorization header.

     curl --location --location-trusted \
 --request GET --url 'https://api.umbrella.com/reports/v2/activity?from=-7days&to=now&limit=10' \
 -H 'Authorization: Bearer %YourAccessToken%' \
 -H 'Content-Type: application/json'

  • Postman: Within the Postman environment, navigate to an API and choose a GET method. Navigate to Settings. Enable Follow Authorization header to preserve the Authorization header for redirect requests.

Umbrella Reporting API Endpoints

You can find the Reporting API endpoints in the reports scope.

Activity

Top Identities

Identity Distribution

Top Destinations

Top Categories

Top Event Types

Top DNS Query Types

Organization Requests by Hour

Organization Requests by Time Range

Organization Requests by Hour and Category

Organization Requests by Time Range and Category

Deployment and Status

Provider Deployment Status

Provider Requests by Hour

Provider Requests by Time Range

Provider Requests by Organization

Provider Requests by Category

Provider Requests by Destination

Provider Category Requests by Organization

Bandwidth by Hour

Bandwidth by Time Range

Top Files

Total Requests

Top Threats

Top Threat Types

Utility

Utility (Providers)

Top IPs

Summary

Summaries by Category

Summaries by Destination

Summaries by Rule