Skip to main content
Skyhigh Security

Reporting Fields

To configure the data fields you want to download from Security Service Edge (SSE) to your on-prem reporting solution, you add a suitable header name and version number to the command line. Fields are then downloaded according to the header information.

The format for specifying the header information is:

<header name>-version: <version number>

Example: x-mwg-api-version: 1 

If no header version is specified, the latest version is used. 

The following table shows the headers that are available, together with their fields. Beginning with version 7, the SSE version that a version of the Forensics API was introduced with is also stated. For example, version 7 was introduced with SSE 6.0.0. 

For examples of how header information is specified in a download command and fields are filled with values in the output, see Reporting Examples.

Header name and version Fields Remarks
x-mwg-api-version: 1 With this header, the following fields are downloaded:

user_id
username
source_ip
http_action
server_to_client_bytes
client_to_server_bytes
requested_host
requested_path
result
virus
request_timestamp_epoch
request_timestamp
uri_scheme
category (comma-separated list of categories)
 
x-mwg-api-version: 2 With this header, all fields from version 1 are downloaded, plus these fields:

media_type
application_type
 
x-mwg-api-version: 3 With this header, all fields from versions 1 and 2 are downloaded, plus this field:

reputation
 
x-mwg-api-version: 4 With this header, all fields from versions 1 – 3 are downloaded, plus these fields:

last_rule
http_status_code
client_ip
location
block_reason
user_agent_product
user_agent_version
user_agent_comment
 
x-mwg-api-version: 5 With this header, all fields from versions 1 – 4 are downloaded, plus these fields:

process_name
destination_ip
destination_port
 
x-mwg-api-version: 6 With this header, no new fields are added. All fields from versions 1 – 5 are downloaded. Beginning with this version of the REST (Forensics) API, an error message is sent with the response to a download request that has timed out.
x-mwg-api-version: 7 With this header, all fields from versions 1 – 6 are downloaded, plus these fields:

pop_country_code
referer
ssl_scanned
av_scanned_up
av_scanned_down
rbie
Introduced with: SSE 6.0.0
x-mwg-api-version: 8 With this header, all fields from versions 1 – 7 are downloaded, plus these fields:

dlp
client_system_name
filename
pop_egress_ip
pop_ingress_ip 
proxy_port
Introduced with: SSE 6.0.2

The pop_ingress_ip field contains the ingress IP address or ingress IP/24 network of the PoP – Point of Presence where a request was received, depending on the type of PoP. When no ingress IP address or network could be retrieved, the value of the field is 0.0.0.0.
x-mwg-api-version: 9 With this header, no new fields are added. All fields from versions 1 – 8 are downloaded. Introduced with: SSE 6.2.1

Beginning with this version of the REST (Forensics) API, you can also download data originating from traffic that is isolated under Remote Browser Isolation (RBI), as well as from Private Access traffic and from traffic that goes through a firewall.

For more information, see Reporting Examples.
x-mwg-api-version: 10 With this header, all fields from versions 1 – 9 are downloaded, plus these fields:

mw_probability
discarded_host
ssl_client_prot
ssl_server_prot
Introduced with: SSE 6.2.0

The new fields in this version are only downloaded for the following types of traffic:
  • Web
  • Remote Browser Isolation (RBI) 
x-mwg-api-version: 11 With this header, fields from versions 1 – 10 are downloaded, plus this field:

domain_fronting_url

 
Introduced with: SSE 6.3.1

The new field in this version is only downloaded for the following types of traffic:
  • Web
  • Remote Browser Isolation (RBI)

For more information, see Reporting Examples.
 

x-mwg-api-version: 12 With this header, fields from versions 1 – 11 are downloaded, plus these fields:
  • Downloaded for firewall traffic:

    domain_name
    client_host_name
    host_os_name
    scp_policy_name
    process_exe_path
     

  • Downloaded for Private Access traffic:

    virus

Introduced with SSE 6.4.0

The new fields in this version are only downloaded for the types of traffic that are specified here.

For more information, see Reporting Examples.
  • Was this article helpful?