Download Report Data
This topic helps you understand how to download data from the following traffic sources:
- Web traffic (not isolated)
- Remote Browser Isolation (RBI)
- Private Access
- Firewall
The examples show the download command and its output for each traffic type. The command includes a header for the API version and a URL that begins with a country code, for example, https://de.logapi.skyhigh.cloud/mwg/...ensic/12345678?. The command first returns a header row with the data field names, followed by one row of values for each request processed during the specified time range. Rows can extend over more than one line. Empty fields appear if no value is available.
NOTE: If you do not specify an API version in the header, the command uses the latest version by default.
Download Data from Web Traffic
Use the following command to download data from web traffic.
Output (first part): Header with data field names.
Output (second part): Data field values.
Command
curl --insecure --verbose --header 'Accept: text/csv' --header 'x-mwg-api-version: 3' --compressed --user <user name>:<password> "https://logapi.skyhigh.cloud/mwg/api/reporting/forensic/12345678?filter.requestTimestampFrom=1527279524&filter.requestTimestampTo=1527283124&order.0.requestTimestamp=asc"
Or
curl --insecure --verbose --header 'Accept: text/csv' --header 'x-mwg-api-version: 14' --compressed -u <user name>:<password> "https://<country code>logapi.skyhigh.cloud/mwg/api/reporting/forensic/12345678?filter.requestTimestampFrom=1527279524&filter.requestTimestampTo=1527283124&order.0.requestTimestamp=asc"
The command first returns a header row with the names of the downloaded fields. Which fields are returned depends on the API version specified in the header. After the header row, the command returns one row of values for each web access request within the specified timestamp range. Empty fields appear if no value is available.
"user_id","username","source_ip","http_action","server_to_client_bytes","client_to_server_bytes","requested_host", "requested_path","result","virus","request_timestamp_epoch","request_timestamp","uri_scheme","category","media_type", "application_type","reputation","last_rule","http_status_code","client_ip","location","block_reason","user_agent_product", "user_agent_version", "user_agent_comment", "process_name","destination_ip","destination_port","pop_country_code","referer","ssl_scanned","av_scanned_up","av_scanned_down", "rbi","dlp","client_system_name","filename","pop_egress_ip","pop_ingress_ip","proxy_port", "mw_probability","discarded_host","ssl_client_prot","ssl_server_prot","domain_fronting_url"
"-1","z93234","220.97.226.87","CONNECT","7528","5918","graph.microsoft.com", "/","OBSERVED","","1677572804","2023-02-28 08:26:44","https","Technical/Business Forums","application/x-empty", "","Minimal Risk","Bypass Office 365","200","192.168.24.146","","","Edge", "109.0.1518.61", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edge/109.0.1518.61", "msedge.exe","20.190.141.43","443","jp","","f","f","f", "f","f","com-pc25046","","185.221.70.12","185.221.70.12","8080", "0","graph.microsoft.com","","", "graph.microsoft.com/"
Download Data from Remote Browser Isolation (RBI) Traffic
When you download RBI traffic data, use REST (Forensics) API version 9 or higher. Include the header rbi: 1.
Output (first part): Header with data field names.
Output (second part): Data field values.
Command
curl --insecure --verbose --header 'Accept: text/csv' --header 'rbi: 1' --header 'x-mwg-api-version: 11' --compressed --user <user name>:<password> "https://<country code>logapi.skyhigh.cloud/mwg/api/reporting/forensic/12345678?filter.requestTimestampFrom=1527279524&filter.requestTimestampTo=1527283124&order.0.requestTimestamp=asc"
The command first returns a header row, followed by rows of values for each isolated web request.
"user_id","username","source_ip","http_action","bytes_sc","bytes_cs","requested_host", "requested_path","result","virus","request_timestamp_epoch","request_timestamp","uri_scheme","category","media_type", "application_type","reputation","last_rule","http_status_code","client_ip","location","block_reason","user_agent_product", "user_agent_version", "user_agent_comment", "process_name","destination_ip","destination_port","pop_country_code","referer","ssl_scanned","av_scanned_up","av_scanned_down", "rbi","dlp","client_system_name","filename","pop_egress_ip","pop_ingress_ip","proxy_port", "mw_probability","discarded_host","ssl_client_prot","ssl_server_prot","domain_fronting_url", "site","action","action_reason","request_url","risk_score","mcp_yn","isolate_type", "filename_upload","filename_download","filesize_upload","filesize_download"
"-1","z93794","220.97.226.87","CONNECT","6400","5581","umwatson.events.data.microsoft.com", "/","OBSERVED","","1679380587","2023-03-21 06:36:27","https","Business, Software/Hardware","application/x-empty", "","Minimal Risk","Bypass Office 365","200","192.168.24.78","","","Other", "", "", "wermgr.exe","52.182.143.212","443","jp","","f","f","f", "t","f","com-pc-24789","","185.221.70.12","185.221.70.12","8080", "0","umwatson.events.data.microsoft.com","","","umwatson.events.data.microsoft.com/", "microsoft.com","ALLOW","NO_WEB_ACCESS","umwatson.events.data.microsoft.com/","-1","t","2", "","","",""
Download Data from Private Access Traffic
When you download Private Access traffic data, use REST (Forensics) API version 9 or higher. Include the header pa: 1.
Output (first part): Header with data field names.
Output (second part): Data field values.
Command
curl --insecure --verbose --header 'Accept: text/csv' --header 'pa: 1' --header 'x-mwg-api-version: 9' --compressed --user <user name>:<password> "https://<country code>logapi.skyhigh.cloud/mwg/api/reporting/forensic/12345678?filter.requestTimestampFrom=1527279524&filter.requestTimestampTo=1527283124&order.0.requestTimestamp=asc"
The command first returns a header row, followed by one row of values for each private web access request.
"request_timestamp","username","pa_application_name","requested_host","request_url","pa_app_group","pa_used_connector", "device_profile","host_os_name","bytes_sc","bytes_cs","http_status_code","action","block_reason","virus"
"2023-06-13 06:06:00","pa@automation.com","pahttps","pa.https.fakepa.com","pa.https.fakepa.com/","india","preprod_automation-1682170627", "dp_filepath_registry_process_valid","dp_greater_equal","microsoft windows [version 10.0.20348]","2801","769","200","ALLOW","","Trojan-FQRU!C6BD65963396"
Download Data from Firewall Traffic
When you download firewall traffic data, use REST (Forensics) API version 9 or higher. Include the header firewall: 1.
Output (first part): Header with data field names.
Output (second part): Data field values.
Command
curl --insecure --verbose --header 'Accept: text/csv' --header 'firewall: 1' --header 'x-mwg-api-version: 9' --compressed --user <user name>:<password> "https://<country code>logapi.skyhigh.cloud/mwg/api/reporting/forensic/12345678?filter.requestTimestampFrom=1527279524&filter.requestTimestampTo=1527283124&order.0.requestTimestamp=asc"
The command first returns a header row, followed by one row of values for each request processed by the firewall.
"request_timestamp","username","client_ip","destination_ip","process_name","client_port","destination_port","firewall_action", "client_country","destination_country","application_name", "policy_name","protocol","detected_protocol","connectivity_method", "location","egress_client_port","tunnel_ingress_port","bytes_sc","bytes_cs","transaction_id", "client_host_name","host_os_name", "scp_policy_name","process_exe_path"
"2022-09-20 11:49:21","admin","10.213.136.19","170.114.10.84","CHROME.EXE","54709","443","BLOCK", "","us","","LocalBreakout[B]","tcp","","", "","","","0","0","","https://zoom.us/","PC-HOSTNAME","microsoft windows [version 10.0.19045]", "scp_policy1","c:\program files (x86)\microsoft\edge\application\msedge.exe"
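As an added example that is not code from the Skyhigh documentation, the following Python script assembles the same request the curl commands above send, for any of the four traffic types: it converts a UTC time window into the epoch values the filter parameters take, sets the API version header and the per-traffic-type header (rbi, pa or firewall), and parses the returned CSV with the standard csv module so that rows wrapping over several lines are reassembled and empty fields are recognised. The customer id 12345678, the de. country-code prefix and the field names in the trimmed firewall sample are taken from the page; the function names, the country_code handling, the sample's rows and the download helper are assumptions. Unlike the curl commands, which pass --insecure, the download helper keeps certificate verification on.

```python
"""Added example, not part of the Skyhigh documentation: build the Forensics
API download request for one traffic type and parse the CSV it returns.
Function names and the sample rows are assumptions; field names are the page's."""
import csv
import io
import urllib.request
from base64 import b64encode
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlencode

# Extra request header each non-web traffic type needs, as stated on the page.
TRAFFIC_HEADERS = {"web": None, "rbi": ("rbi", "1"), "pa": ("pa", "1"), "firewall": ("firewall", "1")}


def utc_to_epoch(timestamp):
    """'2018-05-25 20:18:44' (UTC) -> 1527279524, the format the filter values use."""
    dt = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def build_request(traffic, customer_id, start_epoch, end_epoch, api_version, country_code=None):
    """Return (url, headers). customer_id is the numeric path segment (12345678 in
    the page's examples); country_code, when given, is prefixed to the host as in
    the page's de.logapi.skyhigh.cloud example (assumed form of the placeholder)."""
    if traffic not in TRAFFIC_HEADERS:
        raise ValueError(f"unknown traffic type {traffic!r}")
    if traffic != "web" and api_version < 9:
        raise ValueError("RBI, Private Access and Firewall data need API version 9 or higher")
    if end_epoch <= start_epoch:
        raise ValueError("requestTimestampTo must be after requestTimestampFrom")
    host = f"{country_code}.logapi.skyhigh.cloud" if country_code else "logapi.skyhigh.cloud"
    query = urlencode({
        "filter.requestTimestampFrom": start_epoch,
        "filter.requestTimestampTo": end_epoch,
        "order.0.requestTimestamp": "asc",
    })
    headers = {"Accept": "text/csv", "x-mwg-api-version": str(api_version)}
    if TRAFFIC_HEADERS[traffic]:
        name, value = TRAFFIC_HEADERS[traffic]
        headers[name] = value
    return f"https://{host}/mwg/api/reporting/forensic/{customer_id}?{query}", headers


def download(url, headers, username, password, timeout=60):
    """Fetch the CSV with HTTP basic auth. urllib verifies the server certificate
    by default, unlike the page's curl --insecure; this helper keeps it that way."""
    request = urllib.request.Request(url, headers=dict(headers))
    token = b64encode(f"{username}:{password}".encode()).decode()
    request.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


def parse_forensic_csv(text):
    """Parse the body into dicts keyed by the header-row names. DictReader joins
    rows that wrap across lines inside quoted fields, and skipinitialspace absorbs
    the ', ' separators visible in the page's output."""
    return list(csv.DictReader(io.StringIO(text), skipinitialspace=True))


def count_by(rows, field):
    """Tally rows per value of one field, e.g. firewall_action -> count."""
    return dict(Counter(row[field] for row in rows))


def empty_fields(row):
    """Names of the fields that came back with no value (an empty quoted string)."""
    return [name for name, value in row.items() if value == ""]


# Constructed sample in the shape of the page's firewall output, trimmed to a
# few of its fields; the third row's process_name wraps over two lines.
SAMPLE_FIREWALL_CSV = (
    '"request_timestamp","username","client_ip","destination_ip","process_name",'
    ' "destination_port","firewall_action","policy_name"\n'
    '"2022-09-20 11:49:21","admin","10.213.136.19","170.114.10.84","CHROME.EXE",'
    ' "443","BLOCK",""\n'
    '"2022-09-20 11:49:25","admin","10.213.136.19","170.114.10.84","CHROME.EXE",'
    ' "443","ALLOW","LocalBreakout[B]"\n'
    '"2022-09-20 11:50:02","admin","10.213.136.19","203.0.113.9","c:\\program files (x86)\\\n'
    'example\\tool.exe", "443","BLOCK","LocalBreakout[B]"\n'
)

if __name__ == "__main__":
    url, headers = build_request("firewall", 12345678, utc_to_epoch("2018-05-25 20:18:44"),
                                 utc_to_epoch("2018-05-25 21:18:44"), 9)
    print(url, headers)
    # text = download(url, headers, "<user name>", "<password>")  # live call, not run here
    rows = parse_forensic_csv(SAMPLE_FIREWALL_CSV)
    print(count_by(rows, "firewall_action"), empty_fields(rows[0]))
```

For a live download, replace the commented-out call's placeholders with your credentials; the script then runs the same parsing over the real body, and the firewall_action tally gives a quick check that the time window returned what you expected.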
