Reporting Fields
To configure the data fields you want to download from Security Service Edge (SSE), you add a suitable header name and version number to the command line. Fields are then downloaded according to the header information.
The format for specifying the header information is:
<header name>-version: <version number>
Example: x-mwg-api-version: 1
If no header version is specified, the latest version is used.
The following table shows the headers that are available, together with their fields. Beginning with version 7, the Remarks column also states the SSE version with which each version of the Forensics API was introduced. For example, version 7 was introduced with SSE 6.0.0.
For examples of how header information is specified in a download command and fields are filled with values in the output, see Reporting Examples.
Header name and version | Fields | Remarks |
---|---|---|
x-mwg-api-version: 1 | With this header, the following fields are downloaded: user_id, username, source_ip, http_action, server_to_client_bytes, client_to_server_bytes, requested_host, requested_path, result, virus, request_timestamp_epoch, request_timestamp, uri_scheme, category (comma-separated list of categories) | |
x-mwg-api-version: 2 | With this header, all fields from version 1 are downloaded, plus these fields: media_type, application_type | |
x-mwg-api-version: 3 | With this header, all fields from versions 1 and 2 are downloaded, plus this field: reputation | |
x-mwg-api-version: 4 | With this header, all fields from versions 1 – 3 are downloaded, plus these fields: last_rule, http_status_code, client_ip, location, block_reason, user_agent_product, user_agent_version, user_agent_comment | |
x-mwg-api-version: 5 | With this header, all fields from versions 1 – 4 are downloaded, plus these fields: process_name, destination_ip, destination_port | |
x-mwg-api-version: 6 | With this header, no new fields are added. All fields from versions 1 – 5 are downloaded. | Beginning with this version of the REST (Forensics) API, an error message is sent with the response to a download request that has timed out. |
x-mwg-api-version: 7 | With this header, all fields from versions 1 – 6 are downloaded, plus these fields: pop_country_code, referer, ssl_scanned, av_scanned_up, av_scanned_down, rbie | Introduced with SSE 6.0.0 |
x-mwg-api-version: 8 | With this header, all fields from versions 1 – 7 are downloaded, plus these fields: dlp, client_system_name, filename, pop_egress_ip, pop_ingress_ip, proxy_port | Introduced with SSE 6.0.2. The pop_ingress_ip field contains the ingress IP address or ingress IP/24 network of the Point of Presence (PoP) where a request was received, depending on the type of PoP. When no ingress IP address or network could be retrieved, the value of the field is 0.0.0.0. |
x-mwg-api-version: 9 | With this header, no new fields are added. All fields from versions 1 – 8 are downloaded. | Introduced with SSE 6.2.1. Beginning with this version of the Forensics API, you can also download data originating from traffic that is isolated under Remote Browser Isolation (RBI), as well as from Private Access traffic and from traffic that goes through a firewall. For more information, see Reporting Examples. |
x-mwg-api-version: 10 | With this header, all fields from versions 1 – 9 are downloaded, plus these fields: mw_probability, discarded_host, ssl_client_prot, ssl_server_prot | Introduced with SSE 6.2.0. The new fields in this version are only downloaded for the following types of traffic: |
x-mwg-api-version: 11 | With this header, all fields from versions 1 – 10 are downloaded, plus this field: domain_fronting_url | Introduced with SSE 6.3.1. The new field in this version is only downloaded for the following types of traffic: For more information, see Reporting Examples. |
x-mwg-api-version: 12 | With this header, all fields from versions 1 – 11 are downloaded, plus these fields: | Introduced with SSE 6.4.0. The new fields in this version are only downloaded for the types of traffic that are specified here. For more information, see Reporting Examples. |
x-mwg-api-version: 13 | With this header, all fields from versions 1 – 12 are downloaded, plus these fields: popid | Introduced with SSE 6.6.2. The new fields in this version are only downloaded for the following types of traffic: |
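Because the latest version is used when no header is sent, a parser that expects a fixed column set should pin the version and check what it receives. The following sketch is an added example, not part of the SSE documentation: it builds the cumulative field list for versions 1 – 11 from the table above and compares it with the header row of a download. It assumes the download is CSV whose first row holds the field names and that the traffic-dependent fields of versions 10 and 11 may be absent as columns; the function names are hypothetical.

```python
import csv
import io

# Fields first added by each header version, copied from the table above.
# Versions 12 and 13 are left out: this page does not list the version 12 fields.
NEW_FIELDS = {
    1: "user_id username source_ip http_action server_to_client_bytes "
       "client_to_server_bytes requested_host requested_path result virus "
       "request_timestamp_epoch request_timestamp uri_scheme category",
    2: "media_type application_type",
    3: "reputation",
    4: "last_rule http_status_code client_ip location block_reason "
       "user_agent_product user_agent_version user_agent_comment",
    5: "process_name destination_ip destination_port",
    6: "",
    7: "pop_country_code referer ssl_scanned av_scanned_up av_scanned_down rbie",
    8: "dlp client_system_name filename pop_egress_ip pop_ingress_ip proxy_port",
    9: "",
    10: "mw_probability discarded_host ssl_client_prot ssl_server_prot",
    11: "domain_fronting_url",
}
# Per the Remarks column, these versions' new fields depend on the traffic type.
TRAFFIC_DEPENDENT = {10, 11}

def fields_for(version, include_conditional=True):
    """Cumulative field list for a pinned header version."""
    if version not in NEW_FIELDS:
        raise ValueError(f"no field list on this page for version {version}")
    out = []
    for v in range(1, version + 1):
        if include_conditional or v not in TRAFFIC_DEPENDENT:
            out += NEW_FIELDS[v].split()
    return out

def check_columns(version, csv_text):
    """Return (missing, unexpected) column names for a download pinned to version."""
    columns = next(csv.reader(io.StringIO(csv_text)))
    missing = [f for f in fields_for(version, False) if f not in columns]
    unexpected = [c for c in columns if c not in fields_for(version)]
    return missing, unexpected

def pinned_request_header(version):
    """Header to send so that a later API version cannot change the column set."""
    fields_for(version)  # rejects versions without a known field list
    return {"x-mwg-api-version": str(version)}

# Constructed sample: the header row a version 3 download would carry (assumed CSV).
SAMPLE = ",".join(fields_for(3)) + "\n"
```

A non-empty `unexpected` list on a job that was written against an older version is the signal that the request went out without the version header or with a newer one.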