Reporting Examples

Last updated
Save as PDF

The data is downloaded for reporting in CSV format. The XML format is no longer supported. You can use any HTTP client tool for the download, for example, curl or wget. In the following examples, curl is used.

Examples are provided for downloading data originating from different types of traffic:

Web traffic (not isolated)
Remote Browser Isolation (RBI)
Private Access
Firewall

For each of these downloads, the download command is shown, together with its output.

The command includes a header for the API version. If no version is specified here, the latest version is used.

Downloading Data from Web Traffic

When downloading data from web traffic, the download command and output are, for example, as shown in the following. Among other items, the command includes a header for the API version and a URL that begins with a country code, for example, https://de.logapi.skyhigh.cloud/mwg/...ensic/12345678?

Command

curl --insecure --verbose --header 'Accept: text/csv' header 'x-mwg-api-version: 12' --compressed
user <user name>:<password> https://<country code>logapi.skyhigh.cloud/mwg/api/reporting/forensic/12345678?
filter.requestTimestampFrom=1527279524&filter.requestTimestampTo=1527283124&order.0.requestTimestamp=asc

The command first returns a header row, which includes the names of the data fields that were downloaded. It can extend over more than one line. Data fields are downloaded depending on the version header, which is specified as one of the header parameters in the command.

This is followed by the values for these fields. There is one row with values for each request for web access that was processed during the time range specified by the timestamp filters in the command. Value rows can also extend over more than one line. An empty field is shown if no value could be retrieved for it.

Output (first part): Header with data field names

"user_id","username","source_ip","http_action","server_to_client_bytes","client_to_server_bytes","requested_host", (7)
"requested_path","result","virus","request_timestamp_epoch","request_timestamp","uri_scheme","category","media_type", (8)
"application_type","reputation","last_rule","http_status_code","client_ip","location","block_reason","user_agent_product", (8)
"user_agent_version",
"user_agent_comment",
"process_name","destination_ip","destination_port","pop_country_code","referer","ssl_scanned","av_scanned_up","av_scanned_down",
"rbi","dlp","client_system_name","filename","pop_egress_ip","pop_ingress_ip","proxy_port",
"mw_probability","discarded_host","ssl_client_prot","ssl_server_prot","domain_fronting_url"

Output (second part): Data field values

"-1","z93234","220.97.226.87","CONNECT","7528","5918","graph.microsoft.com",
"/","OBSERVED","","1677572804","2023-02-28 08:26:44","https","Technical/Business Forums","application/x-empty",
"","Minimal Risk","Bypass Office 365","200","192.168.24.146","","","Edge",
"109.0.1518.61",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edge/109.0.1518.61",
"msedge.exe","20.190.141.43","443","jp","","f","f","f",
"f","f","com-pc25046","","185.221.70.12","185.221.70.12","8080",
"0","graph.microsoft.com","","", "graph.microsoft.com/"

Downloading Data from Remote Browser Isolation (RBI) Traffic

When downloading data from Remote Browser Isolation (RBI) traffic, the download command and output are, for example, as shown in the following.

When data for this type of traffic is downloaded for reporting, version 9 or higher of the REST (Forensics) API must be used. The version must be specified in a header of the download command, for example, as x-mwg-api-version: 11.

The command also includes a header for specifying that data from RBI traffic should be downloaded, as well as a URL that begins with a country code, for example, https://de.logapi.skyhigh.cloud/mwg/...ensic/12345678?.

Command

curl --insecure --verbose --header 'Accept: text/csv' --header 'rbi: 1' --header 'x-mwg-api-version: 11' --compressed
user <user name>:<password> https://<country code>logapi.skyhigh.cloud/mwg/api/reporting/forensic/12345678?
filter.requestTimestampFrom=1527279524&filter.requestTimestampTo=1527283124&order.0.requestTimestamp=asc

This is followed by the values for these fields. There is one row with values for each request for isolated web access that was processed during the time range specified by the timestamp filters in the command. Value rows can also extend over more than one line. An empty field is shown if no value could be retrieved for it.

Output (first part): Header with data field names

"user_id","username","source_ip","http_action","bytes_sc","bytes_cs","requested_host",
"requested_path","result","virus","request_timestamp_epoch","request_timestamp","uri_scheme","category","media_type",
"application_type","reputation","last_rule","http_status_code","client_ip","location","block_reason","user_agent_product",
"user_agent_version",
"user_agent_comment",
"process_name","destination_ip","destination_port","pop_country_code","referer","ssl_scanned","av_scanned_up","av_scanned_down",
"rbi","dlp","client_system_name","filename","pop_egress_ip","pop_ingress_ip","proxy_port",
"mw_probability","discarded_host","ssl_client_prot","ssl_server_prot","domain_fronting_url",
"site","action","action_reason,","request_url","risk_score","mcp_yn","isolate_type",
"filename_upload","filename_download","filesize_upload,"filesize_download"

Output (second part): Data field values

"-1","z93794","220.97.226.87","CONNECT","6400","5581","umwatson.events.data.microsoft.com",
"/","OBSERVED","","1679380587","2023-03-21 06:36:27","https","Business, Software/Hardware","application/x-empty",
"","Minimal Risk","Bypass Office 365","200","192.168.24.78","","","Other",
"",
"",
"wermgr.exe","52.182.143.212","443","jp","","f","f","f",
"t","f","com-pc-24789","","185.221.70.12","185.221.70.12","8080",
"0","umwatson.events.data.microsoft.com","","","umwatson.events.data.microsoft.com/",
"microsoft.com","ALLOW","NO_WEB_ACCESS","umwatson.events.data.microsoft.com/","-1","t","2",
"","","",""

Downloading Data from Private Access Traffic

When downloading data from Private Access traffic, the download command and output are, for example, as follows.

The command also includes a header for specifying that data from Private Access traffic should be downloaded, as well as a URL that begins with a country code, for example, https://de.logapi.skyhigh.cloud/mwg/...ensic/12345678?.

Command

curl --insecure --verbose --header 'Accept: text/csv' --header 'pa: 1' --header 'x-mwg-api-version: 9' --compressed
user <user name>:<password> https://<country code>logapi.skyhigh.cloud/mwg/api/reporting/forensic/12345678?
filter.requestTimestampFrom=1527279524&filter.requestTimestampTo=1527283124&order.0.requestTimestamp=asc

This is followed by the values for these fields. There is one row with values for each request for private web access that was processed during the time range specified by the timestamp filters in the command. Value rows can also extend over more than one line. An empty field is shown if no value could be retrieved for it.

Output (first part): Header with data field names

"request_timestamp","username","pa_application_name","requested_host","request_url","pa_app_group","pa_used_connector",
"device_profile","host_os_name","bytes_sc","bytes_cs","http_status_code","action","block_reason","virus"

Output (second part): Data field values

"2023-06-13 06:06:00","pa@automation.com","pahttps","pa.https.fakepa.com","pa.https.fakepa.com/","india","preprod_automation-1682170627",
"dp_filepath_registry_process_valid","dp_greater_equal","microsoft windows [version 10.0.20348]","2801","769","200","ALLOW","","Trojan-FQRU!C6BD65963396"

Downloading Data from Firewall Traffic

When downloading data from traffic that goes through a firewall, the download command and output are, for example, as shown in the following.

The command also includes a header for specifying that data from firewall traffic should be downloaded, as well as a URL that begins with a country code, for example, https://de.logapi.skyhigh.cloud/mwg/...ensic/12345678?.

Command

curl --insecure --verbose --header 'Accept: text/csv' --header 'firewall: 1' --header 'x-mwg-api-version: 9' --compressed
user <user name>:<password> https://<country code>logapi.skyhigh.cloud/mwg/api/reporting/forensic/12345678?
filter.requestTimestampFrom=1527279524&filter.requestTimestampTo=1527283124&order.0.requestTimestamp=asc

This is followed by the values for these fields. There is one row with values for each request that was directed through a firewall and processed during the time range specified by the timestamp filters in the command. Value rows can also extend over more than one line. An empty field is shown if no value could be retrieved for it.

Output (first part): Header with data field names

"request_timestamp","username","client_ip","destination_ip","process_name","client_port","destination_port","firewall_action",
"client_country","destination_country","application_name", "policy_name","protocol","detected_protocol","connectivity_method",
"location","egress_client_port","tunnel_ingress_port","bytes_sc","bytes_cs","transaction_id", ”client_host_name”,”host_os_name”,
”scp_policy_name”,”process_exe_path”

Output (second part): Data field values

"2022-09-20 11:49:21","admin","10.213.136.19","170.114.10.84","CHROME.EXE","54709","443","BLOCK",
"","us","","LocalBreakout[B]","tcp","","",
"","","","0","0","",”https://zoom.us/”,”PC-HOSTNAME”,"microsoft windows [version 10.0.19045]",
”scp_policy1”,”c:\program files (x86)\microsoft\edge\application\msedge.exe”