Reporting
The Umbrella Reporting API provides visibility into the traffic, events, and activities of the user devices, resources, and networks in an organization.
This guide provides information about the Reporting API path and query parameters, Umbrella content categories and IDs, and other location-related parameters that are required when making a request to the Reporting API. For questions about setting the `location` and `location-trusted` flags and redirecting HTTP requests, see HTTP Redirects and Request Authorization Header.
- Use Cases and Best Practices
- Rate Limits for Reports API Endpoints
- Request Headers
- Request Path Parameters
- Request Query Parameters
- Request Data by Time Range
- Time Range Header
- HTTP Redirects and Request Authorization Header
- Umbrella Reporting API Endpoints
Use Cases and Best Practices
The Umbrella Reporting API enables you to programmatically access logs and reports, and build widgets or custom reports. The Reporting API does not support bulk data retrieval. If you must export all your data or large data collections, you can enable logging to Amazon Simple Storage Service (Amazon S3). For more information about Umbrella logs, see Manage Your Logs in the Umbrella User Guide.
Use Case | Granularity or Type | Recommendation | Considerations |
---|---|---|---|
Compliance or long-term event retention | Export and store all events. | Use a customer-owned Amazon S3 bucket. | |
SIEM: Event correlation | Export all events. | Use a Cisco-managed Amazon S3 bucket. | Umbrella retains data for 30 days. |
Dashboard KPI or widgets | Activity Search and Aggregations. | Use the Reporting API. | Use query parameters to filter requests. |
Report generation | Aggregations. | Use the Reporting API. | |
SOAR workflow: trigger | Activity Search. | Use the Reporting API. | Use query parameters to filter requests. |
Rate Limits for Reports API Endpoints
Umbrella enables rate limits on the Reporting API endpoints. For more information, see Rate Limits > Reports.
Request Headers
Unless specified, the Umbrella API endpoints use JSON for all requests and responses.
Note: For POST, PUT, and PATCH operations, set the HTTP `Content-Type` header to `application/json` in your API request.
Request Path Parameters
The Umbrella Reporting API endpoints require various path parameters.
Parameter | Example | Description |
---|---|---|
type | dns | Specify the type of traffic. Valid values: `dns` or `proxy`. |
type | ip | Specify the type of traffic. Valid values: `dns`, `proxy`, or `ip`. |
type | firewall | Specify the type of traffic. Valid values: `dns`, `proxy`, `firewall`, or `ip`. |
type | intrusion | Specify the type of traffic. Valid values: `dns`, `proxy`, `firewall`, `intrusion`, or `ip`. |
identityid | 42 | An identity ID |
threattypeid | Ransomware | A threat type name |
threatnameid | WannaCry | The threat name |
Request Query Parameters
You can customize and filter the Umbrella Reporting API requests with query parameters. Each Reporting API endpoint defines its required query parameters.
Note: Umbrella uses the timestamp of the events to sort the `/activity`, `/activity/dns`, `/activity/proxy`, `/activity/intrusion`, `/activity/firewall`, and `/activity/amp-retrospective` collections. If multiple events occur in the same second, the order of the collection is not guaranteed to be consistent.
For more information about time-related query parameters, see Timestamp and Relative Time Strings.
Parameter | Example | Description |
---|---|---|
from | 1639146300000 | A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time. Required |
to | 1640010300000 | A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time. Required |
offset | 0 | A number that represents an index into the collection. |
limit | 100 | The maximum number of records to return from the collection. Required |
limit | 100 | (Identities utility endpoint) The number of records to return from the collection. The default limit is 100. In a single response, the server returns at most 5000 records from the collection. Required |
timezone | ASIA%2fCALCUTTA | Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by a URL-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'. |
domains | cisco.com,nasa.gov | A domain name or comma-delimited list of domain names. |
urls | https://google.com,facebook.com/help | A URL or comma-delimited list of URLs. |
categories | 148,151,66 | A category ID or comma-delimited list of category IDs. |
policycategories | 67,69 | A category ID or comma-delimited list of category IDs. Filter request by the categories that trigger a policy. |
ip | 10.10.10.10 | An IP address |
order | desc | A string that describes how to order the results (for example: 'asc' or 'desc'). |
ports | 7351,80 | A port number or comma-delimited list of port numbers. |
identityids | 1,2,3 | An identity ID or comma-delimited list of identity IDs. |
identitytypes | network,roaming | An identity type or comma-delimited list of identity types. |
applicationid | 1 | An application ID. |
verdict | allowed,blocked,proxied | A verdict string or comma-delimited list of verdict strings. |
ruleid | 1 | A firewall policy rule ID. |
filename | myfilename_* | A string that identifies a filename. Filter request by the filename. Supports globbing or use of the wildcard character ('*'). The asterisk (*) matches zero or more occurrences of any character. |
securityoverridden | true | Specify whether to filter on requests that override security. |
bundleid | 1 | A proxy bundle ID. |
threats | | A threat name or comma-delimited list of threat names. |
threattypes | | A threat type or comma-delimited list of threat types. |
ampdisposition | clean,malicious,unknown | An AMP disposition string or a comma-delimited list of AMP disposition strings. |
isolatedstate | isolated | A string that describes the remote browser isolation (RBI) isolation type (for example: 'isolated' or 'not-isolated'). |
isolatedFileAction | downloaded-safe-pdf | A string that describes the remote browser isolation (RBI) file action type (for example: 'viewed', 'downloaded-original-file', or 'downloaded-safe-pdf'). |
datalosspreventionstate | blocked | A string that describes the status of a destination (for example: 'blocked'). Filter data for requests that were blocked to protect data. |
sha256 | ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad | A SHA-256 hash |
antivirusthreats | Trojan.Linux.Generic.144075 | A threat name or comma-delimited list of threat names. |
tenantcontrols | true | If set to 'true', filter data for requests that are part of a tenant control policy. |
search | somelabel | A string that represents a search parameter. Filter data for requests where the search string appears in the endpoint data. |
application | Games | The application name |
filternoisydomains | true | Filter out domains that generate a lot of insignificant traffic (noise). |
httperrors | certificateerror | Filter data for requests that resulted in a TLS error or a certificate error. Valid values: `certificateerror` or `tlserror`. |
signatures | 1-2,1-4 | list of |
signaturelistids | 1,2 | A comma-delimited list of signature list IDs. |
intrusionaction | detected,would_block | A comma-delimited list of intrusion actions. Valid values: would_block, blocked, detected. |
exists | destinationlistids,threattypes | Specify a comma-separated list of attributes to filter the data. Valid values are: categories, policycategories, applicationid, nbarapplicationid, nbarapplicationtypeids, privateapplicationid, applicationgroupids, sha256, filename, threats, threattypes, antivirusthreats, destinationlistids, httperrors. |
connectionevent | connected | Specify the type of connection event. |
osversions | linux-64-Ubuntu 20.04.5 LTS (Focal Fossa) | Specify a comma-separated list of OS versions to filter the data. |
anyconnectversions | 4.10.05095 | Specify a comma-separated list of AnyConnect Roaming Security module versions to filter the data. |
Categories Query Parameter
The Umbrella Reporting API `categories` query parameter accepts a string with a single category ID or list of comma-separated category IDs. Use the `categories` query parameter to search for events in your reports that are related to the categories. You can get the list of Umbrella categories from the Umbrella Reporting API `/categories` endpoint. The category object includes the category ID. For more information about the Umbrella Reporting API `/categories` endpoint, see Get Categories.
Umbrella Reporting API Categories with IDs
ID | Label |
---|---|
1 | Alcohol |
2 | Auctions |
6 | Dating |
10 | Gambling |
11 | Games |
14 | Humor |
24 | Social Networking |
27 | Advertisements |
30 | Weapons |
37 | Parked Domains |
38 | Tobacco |
44 | Pornography |
52 | Politics |
55 | Travel |
60 | Drive-by Downloads/Exploits |
61 | Dynamic DNS |
62 | Mobile Threats |
63 | High Risk Sites and Locations |
64 | Command and Control |
65 | Command and Control |
66 | Malware |
67 | Malware |
68 | Phishing |
70 | FireEye |
71 | Block List |
72 | Allow List |
73 | Global Whitelist |
74 | Sinkhole |
76 | Check Point |
79 | ZeroFOX |
82 | ThreatQ |
84 | ThreatConnect |
96 | Cisco AMP Threat Grid |
106 | Unauthorized IP Tunnel Access |
107 | URL Shorteners |
108 | Newly Seen Domains |
109 | Potentially Harmful |
110 | DNS Tunneling VPN |
111 | Arts |
112 | Astrology |
113 | Computer Security |
114 | Digital Postcards |
115 | Dining and Drinking |
116 | Dynamic and Residential |
117 | Fashion |
118 | File Transfer Services |
119 | Freeware and Shareware |
120 | Hacking |
121 | Illegal Activities |
122 | Illegal Downloads |
123 | Infrastructure and Content Delivery Networks |
124 | Internet Telephony |
125 | Lotteries |
126 | Mobile Phones |
127 | Nature and Conservation |
128 | Online Trading |
129 | Personal Sites |
130 | Professional Networking |
131 | Real Estate |
132 | SaaS and B2B |
133 | Safe for Kids |
134 | Science and Technology |
135 | Sex Education |
136 | Social Science |
137 | Society and Culture |
138 | Software Updates |
139 | Web Hosting |
140 | Web Page Translation |
141 | Organizational Email |
142 | Online Meetings |
143 | Paranormal |
144 | Personal VPN |
145 | DIY Projects |
146 | Hunting |
147 | Military |
148 | Application |
150 | Cryptomining |
151 | Application Block |
152 | Application Allow |
153 | Infringing Intellectual Property |
161 | Adult |
162 | Web-based Email |
163 | Business and Industry |
164 | Chat and Instant Messaging |
165 | Cheating and Plagiarism |
166 | Child Abuse Content |
167 | Computers and Internet |
168 | Education |
169 | Entertainment |
170 | Extreme |
171 | Filter Avoidance |
172 | Finance |
173 | Government and Law |
174 | Hate Speech |
175 | Health and Medicine |
176 | Illegal Drugs |
177 | Job Search |
178 | Lingerie and Swimsuits |
179 | News |
180 | Non-governmental Organizations |
181 | Non-sexual Nudity |
182 | Not Actionable |
183 | Online Communities |
184 | Online Storage and Backup |
185 | Web Cache and Archives |
186 | Peer File Transfer |
187 | Photo Search and Images |
188 | Reference |
189 | Religion |
190 | Search Engines and Portals |
191 | Shopping |
192 | Sports and Recreation |
193 | Streaming Audio |
194 | Streaming Video |
195 | Transportation |
196 | Animals and Pets |
197 | Cannabis |
198 | Cloud and Data Centers |
199 | Conventions, Conferences and Trade Shows |
200 | Cryptocurrency |
201 | DoH and DoT |
202 | Internet of Things |
203 | Museums |
204 | Terrorism and Violent Extremism |
205 | Online Document Sharing and Collaboration |
206 | Private IP Addresses as Host |
207 | Recipes and Food |
208 | Regional Restricted Sites (Germany) |
209 | Regional Restricted Sites (Great Britain) |
210 | Regional Restricted Sites (Italy) |
211 | Regional Restricted Sites (Poland) |
Umbrella Reporting API Categories with Legacy IDs
Legacy ID | Label |
---|---|
2 | Alcohol |
3 | Auctions |
7 | Dating |
11 | Gambling |
12 | Games |
15 | Humor |
24 | Social Networking |
414 | Advertisements |
28 | Weapons |
57 | Parked Domains |
73 | Tobacco |
64 | Pornography |
66 | Politics |
68 | Travel |
83 | Drive-by Downloads/Exploits |
85 | Dynamic DNS |
87 | Mobile Threats |
89 | High Risk Sites and Locations |
90 | Command and Control |
92 | Command and Control |
94 | Malware |
96 | Malware |
98 | Phishing |
102 | FireEye |
112 | Block List |
114 | Allow List |
116 | Global Whitelist |
178 | Sinkhole |
104 | Check Point |
110 | ZeroFOX |
121 | ThreatQ |
125 | ThreatConnect |
147 | Cisco AMP Threat Grid |
169 | Unauthorized IP Tunnel Access |
170 | URL Shorteners |
172 | Newly Seen Domains |
174 | Potentially Harmful |
176 | DNS Tunneling VPN |
327 | Arts |
329 | Astrology |
331 | Computer Security |
333 | Digital Postcards |
335 | Dining and Drinking |
337 | Dynamic and Residential |
339 | Fashion |
341 | File Transfer Services |
343 | Freeware and Shareware |
345 | Hacking |
347 | Illegal Activities |
349 | Illegal Downloads |
351 | Infrastructure and Content Delivery Networks |
353 | Internet Telephony |
355 | Lotteries |
357 | Mobile Phones |
359 | Nature and Conservation |
361 | Online Trading |
363 | Personal Sites |
365 | Professional Networking |
367 | Real Estate |
369 | SaaS and B2B |
371 | Safe for Kids |
373 | Science and Technology |
375 | Sex Education |
377 | Social Science |
379 | Society and Culture |
381 | Software Updates |
383 | Web Hosting |
385 | Web Page Translation |
387 | Organizational Email |
389 | Online Meetings |
391 | Paranormal |
393 | Personal VPN |
395 | DIY Projects |
397 | Hunting |
399 | Military |
400 | Application |
403 | Cryptomining |
405 | Application Block |
407 | Application Allow |
409 | Infringing Intellectual Property |
415 | Adult |
416 | Web-based Email |
417 | Business and Industry |
418 | Chat and Instant Messaging |
419 | Cheating and Plagiarism |
420 | Child Abuse Content |
421 | Computers and Internet |
422 | Education |
423 | Entertainment |
424 | Extreme |
425 | Filter Avoidance |
426 | Finance |
427 | Government and Law |
428 | Hate Speech |
429 | Health and Medicine |
430 | Illegal Drugs |
431 | Job Search |
432 | Lingerie and Swimsuits |
433 | News |
434 | Non-governmental Organizations |
435 | Non-sexual Nudity |
458 | Not Actionable |
437 | Online Communities |
438 | Online Storage and Backup |
467 | Web Cache and Archives |
440 | Peer File Transfer |
441 | Photo Search and Images |
442 | Reference |
443 | Religion |
444 | Search Engines and Portals |
445 | Shopping |
446 | Sports and Recreation |
447 | Streaming Audio |
448 | Streaming Video |
449 | Transportation |
450 | Animals and Pets |
451 | Cannabis |
452 | Cloud and Data Centers |
453 | Conventions, Conferences and Trade Shows |
454 | Cryptocurrency |
455 | DoH and DoT |
456 | Internet of Things |
457 | Museums |
466 | Terrorism and Violent Extremism |
459 | Online Document Sharing and Collaboration |
460 | Private IP Addresses as Host |
461 | Recipes and Food |
462 | Regional Restricted Sites (Germany) |
463 | Regional Restricted Sites (Great Britain) |
464 | Regional Restricted Sites (Italy) |
465 | Regional Restricted Sites (Poland) |
Umbrella Reporting API Categories with Deprecated Legacy IDs
Deprecated Legacy ID | Label |
---|---|
1 | Adware |
4 | Blogs |
5 | Chat |
6 | Classifieds |
8 | Drugs |
9 | Ecommerce/Shopping |
10 | File Storage |
13 | Hate/Discrimination |
14 | Health and Fitness |
16 | Instant Messaging |
17 | Jobs/Employment |
19 | Movies |
33 | News/Media |
20 | P2P/File sharing |
48 | Photo Sharing |
21 | Portals |
22 | Radio |
23 | Search Engines |
47 | Software/Technology |
34 | Television |
26 | Video Sharing |
27 | Visual Search Engines |
29 | Webmail |
56 | Business Services |
52 | Educational Institutions |
55 | Financial Institutions |
49 | Government |
50 | Music |
51 | Sports |
58 | Adult Themes |
60 | Lingerie/Bikini |
63 | Nudity |
61 | Proxy/Anonymizer |
62 | Sexuality |
59 | Tasteless |
72 | Academic Fraud |
70 | Automotive |
67 | Forums/Message boards |
69 | Non-Profits |
71 | Podcasts |
65 | Religious |
54 | Research/Reference |
74 | German Youth Protection |
76 | Anime/Manga/Webcomic |
77 | Web Spam |
126 | Internet Watch Foundation |
401 | Terrorism |
410 | IT-AGCOM |
412 | IT-ADM |
Request Data by Time Range
Many Umbrella Reporting API endpoints require that you set a time range to filter the data. You can define a time range with the `to` and `from` request query parameters. Also, some Umbrella Reporting API endpoints enable a `timerange` header.
Time Range Header
The `timerange` header describes how to group data within a 24-hour period. This header accepts the following strings:
- minute
- hour (default value)
- day
Umbrella Reporting API resources that group data by hourly intervals do not enable the `timerange` header. These resources include:
- Bandwidth by Hour
- Requests by Hour
- Requests by Hour and Category
Time Range Example
The Requests by Timerange resource accepts the `timerange` header and the `to` and `from` query parameters. For example, you can set the `timerange` header to `minute`, the `to` query parameter to `now`, and the `from` query parameter to `-1days`.
Timestamp and Relative Time Strings
The `to` and `from` query parameters accept a timestamp string that is defined in milliseconds from the Unix epoch. For example: `1619007756000` (converted from `2021-04-21:08:22:36 GMT-04:00`).
You can also set other time range strings for these parameters.
Examples of `to` query parameter values:
- `now`
- `-1days`

Examples of `from` query parameter values:
- `-2days`
- `-10minutes`
- `-2weeks`
Note: The time range set by the `to` and `from` query parameters cannot exceed 30 days.
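A client-side check of the `from`/`to` rules described above (epoch milliseconds, relative strings, and the 30-day limit), applied before a request is sent. This is an added example, not Cisco's code: `to_epoch_ms`, `resolve` and `build_query` are hypothetical helper names, and only the relative units shown on this page (minutes, days, weeks) are accepted.

```python
from datetime import datetime, timedelta, timezone
import re
from urllib.parse import urlencode

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAX_WINDOW = timedelta(days=30)  # limit stated in the note above
# Only the units that appear on this page; others are rejected, not guessed.
RELATIVE = re.compile(r"-(\d+)(minutes|days|weeks)")


def to_epoch_ms(dt):
    """Aware datetime -> milliseconds since the Unix epoch (integer math)."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime; attach a timezone first")
    return (dt - EPOCH) // timedelta(milliseconds=1)


def resolve(value, now):
    """Turn a from/to value (epoch ms, 'now', '-<n><unit>') into a datetime."""
    value = str(value)
    if value == "now":
        return now
    match = RELATIVE.fullmatch(value)
    if match:
        return now - timedelta(**{match.group(2): int(match.group(1))})
    if value.isdigit():
        return EPOCH + timedelta(milliseconds=int(value))
    raise ValueError(f"unsupported time value: {value!r}")


def build_query(from_, to, limit, now=None, **filters):
    """Validate the window client-side and return the encoded query string."""
    now = now or datetime.now(timezone.utc)
    start, end = resolve(from_, now), resolve(to, now)
    if start >= end:
        raise ValueError("'from' must be earlier than 'to'")
    if end - start > MAX_WINDOW:
        raise ValueError("time range exceeds 30 days")
    params = {"from": from_, "to": to, "limit": limit, **filters}
    # Keep commas literal so list filters such as categories stay readable.
    return urlencode(params, safe=",")


if __name__ == "__main__":
    # Constructed sample: last 7 days of events in categories 66 and 68.
    print(build_query("-7days", "now", 10, categories="66,68"))
```

Rejecting an oversized or inverted window locally keeps a scheduled report or SOAR job from spending rate-limited calls on requests that cannot succeed.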
HTTP Redirects and Request Authorization Header
Umbrella stores the reporting data in geolocated data warehouses. Depending on the location where you make an API request, you must use a base URI in the request that is associated with your location.
The base URIs for reaching the Umbrella Reporting API from Europe (EU) and the United States (US) are:
- EU: `api.umbrella.com/reports.eu/v2`
- US: `api.umbrella.com/reports.us/v2`

Note: If an HTTP request does not originate from the same continent as the Umbrella data center, Umbrella responds with `302 Found`.
To automatically redirect HTTP requests and preserve the HTTP Authorization header, you can set additional flags on the client and enable a redirect setting.
- curl: You must pass the `-L` or `--location`, and `--location-trusted` flags to redirect the `curl` HTTP request and retain the Authorization header.

  ```shell
  curl --location --location-trusted \
    --request GET --url 'https://api.umbrella.com/reports/v2/activity?from=-7days&to=now&limit=10' \
    -H 'Authorization: Bearer %YourAccessToken%' \
    -H 'Content-Type: application/json'
  ```
- Postman: Within the Postman environment, navigate to an API and choose a `GET` method. Navigate to Settings. Enable `Follow Authorization header` to preserve the Authorization header for redirect requests.
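Forwarding the bearer token across a redirect is safe only when the target is one you expect, so a scripted client can apply a host allowlist instead of trusting every `Location` value. The following is an added example, not Cisco's code: `token_may_follow`, `AllowlistRedirectHandler`, `get_report` and the `TRUSTED_HOSTS` set are assumptions.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Assumption: hosts allowed to receive the bearer token. api.umbrella.com is
# the only host named on this page; add others only after verifying them.
TRUSTED_HOSTS = frozenset({"api.umbrella.com"})


def token_may_follow(location, base_url, trusted=TRUSTED_HOSTS):
    """True only if the redirect target is an HTTPS URL on a trusted host."""
    try:
        target = urlsplit(urljoin(base_url, location))
        port = target.port
    except ValueError:  # malformed authority or port: fail closed
        return False
    return (target.scheme == "https"
            and target.hostname in trusted
            and port in (None, 443)
            and target.username is None)


class AllowlistRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow a 302 with the Authorization header only to trusted hosts."""

    max_redirections = 3  # a regional redirect should need very few hops

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if req.has_header("Authorization") and not token_may_follow(
                newurl, req.full_url):
            raise urllib.error.URLError(f"token not sent to {newurl!r}")
        # urllib copies the request headers onto the redirected request.
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def get_report(url, token, timeout=30):
    """GET a Reporting API URL, following redirects under the allowlist."""
    opener = urllib.request.build_opener(AllowlistRedirectHandler())
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}"})
    with opener.open(req, timeout=timeout) as resp:
        return resp.read()
```

A refused redirect surfaces as a `URLError` naming the target, which is worth logging: an unexpected `Location` on an authenticated API call is a signal to investigate rather than retry.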
Umbrella Reporting API Endpoints
You can find the Reporting API endpoints in the `reports` scope.
Activity
- Get Activities (All)
- Get Activity DNS
- Get Activity Proxy
- Get Activity Firewall
- Get Activity Intrusion
- Get Activity IP
- Get Activity AMP Retrospective
Top Identities
Identity Distribution
Top Destinations
Top Categories
Top Event Types
Top DNS Query Types
Organization Requests by Hour
Organization Requests by Time Range
Organization Requests by Hour and Category
Organization Requests by Time Range and Category
Deployment and Status
Provider Deployment Status
Provider Requests by Hour
Provider Requests by Time Range
Provider Requests by Organization
Provider Requests by Category
Provider Requests by Destination
Provider Category Requests by Organization
Bandwidth by Hour
Bandwidth by Time Range
Top Files
Total Requests
Top Threats
Top Threat Types
Utility
- Get Applications
- Get Categories
- Get Identities
- Post Identities by IDs
- Get Identity
- Get Threat Types
- Get Threat Types by Threat ID
- Get Threat Names
- Get Threat Name by Threat ID
Utility (Providers)
Top IPs
Summary
Summaries by Category
Summaries by Destination
Summaries by Rule
Contact: Cloud Security Developer Community