
Skyhigh Security

About Working with the Forensics API

You can work with the Forensics API to configure and run commands that download data for reporting. The Forensics API is an application programming interface of the Representational State Transfer (REST) type.

The data is related to the processing of web requests. For example, when a user requests access to the web, the user ID, the source IP address, or the type of action that was performed, such as CONNECT, GET, or POST, can be retrieved. 

Data can also be downloaded for traffic that is isolated using Remote Browser Isolation (RBI), as well as for firewall and Private Access traffic.

After logging on to the Forensics API, you enter a download command, using an HTTP client tool, such as curl or wget. To limit the amount of data that is downloaded, you specify a version header to determine the data fields that are included in a report and timestamp filters to set a time range for running it. 

For more information about how to configure the download command, see Create a Report with the Forensics API.


The Forensics API is available when you are running one of the following Skyhigh Security products:

  • Security Service Edge (SSE)

  • Web Gateway Cloud Service (WGCS)

Web Gateway Cloud Service (WGCS) was scheduled to reach end-of-life (EOL) status on December 31, 2022. This means that no support is provided for this product after that date.

Data Fields

When you are working with the Forensics API, the command that you enter to download data for reporting returns the names of the data fields that were downloaded and the values for each of the fields.

Data fields contain data that is related to the processing of web requests, for example:

  • user_id
  • username
  • source_ip
  • http_action
  • server_to_client_bytes
  • client_to_server_bytes

A version header, for example, x-mwg-api-version: 9, is specified as a parameter of the download command. It determines which data fields are included in a report.

For a list of the available version headers with their data fields, see Reporting Fields.
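Once a report is downloaded, the fields listed above can feed a simple triage check, such as totaling POST upload volume per user and source IP. This is an added example, not code from Skyhigh Security's documentation: it assumes the report is CSV with a header row of field names, the sample rows are constructed, and the function names and the 10 MiB threshold are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample report: a header row naming the data fields, then one
# row of values per web request. CSV layout and all values are assumptions.
SAMPLE_REPORT = """\
user_id,username,source_ip,http_action,server_to_client_bytes,client_to_server_bytes
1001,alice,10.0.0.5,GET,52400,310
1001,alice,10.0.0.5,POST,420,7340032
1002,bob,10.0.0.9,CONNECT,1800,950
1002,bob,10.0.0.9,GET,88000,400
1001,alice,10.0.0.5,POST,390,9437184
1003,carol,10.0.0.12,POST,600,2048
"""

REQUIRED = ("username", "source_ip", "http_action", "client_to_server_bytes")


def upload_totals(report_text):
    """Sum client_to_server_bytes per (username, source_ip) for POST requests."""
    reader = csv.DictReader(io.StringIO(report_text))
    missing = [f for f in REQUIRED if f not in (reader.fieldnames or [])]
    if missing:
        # The version header decides which fields a report contains; fail
        # loudly if the chosen version lacks what this check needs.
        raise ValueError(f"report lacks fields: {missing}")
    totals = defaultdict(int)
    for row in reader:
        if (row["http_action"] or "").upper() != "POST":
            continue
        try:
            sent = int(row["client_to_server_bytes"])
        except (TypeError, ValueError):
            continue  # skip rows with an empty or malformed byte count
        totals[(row["username"], row["source_ip"])] += sent
    return dict(totals)


def heavy_uploaders(report_text, threshold_bytes=10 * 1024 * 1024):
    """Return (username, source_ip, bytes) at or above the threshold, largest first."""
    hits = [(user, ip, sent) for (user, ip), sent in upload_totals(report_text).items()
            if sent >= threshold_bytes]
    return sorted(hits, key=lambda hit: hit[2], reverse=True)


if __name__ == "__main__":
    for user, ip, sent in heavy_uploaders(SAMPLE_REPORT):
        print(f"{user} {ip} uploaded {sent} bytes via POST")
```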
