Skip to main content

Cisco Umbrella Reporting

This Integration is part of the Cisco Umbrella Reporting Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Cisco Umbrella Reporting#

Use Cisco Umbrella's Reporting to monitor your Umbrella integration and gain a better understanding of your Umbrella usage. Gain insights into request activity and blocked activity, determining which of your identities are generating blocked requests. Reports help build actionable intelligence in addressing security threats including changes in usage trends over time.

The Umbrella Reporting v2 API provides visibility into your core network and security activities and Umbrella logs. This integration was integrated and tested with version v2 of Cisco-umbrella-reporting.

Configure Cisco Umbrella Reporting on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Cisco Umbrella Reporting.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    API URLCisco Umbrella Reporting API base URL.True
    API KeyAPI KeyTrue
    API SecretAPI SecretTrue
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

umbrella-reporting-destination-list#


List of destinations ordered by the number of requests made in descending order.

Base Command#

umbrella-reporting-destination-list

Input#

Argument NameDescriptionRequired
traffic_typeSpecify the type of traffic. By default, all supported traffic types are included. Possible values are: dns, proxy, firewall, ip.Optional
domainsA domain name or comma-separated list of domain names.Optional
ipAn IP address.Optional
urlsA URL or comma-separated list of URLs.Optional
portsA port number or comma-separated list of port numbers.Optional
sha256A SHA-256 hash.Optional
threatsA threat name or comma-separated list of threat names.Optional
threat_typesA threat type or comma-separated list of threat types.Optional
amp_dispositionAn Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown.Optional
fromA timestamp (milliseconds) or relative time string (for example:-1days' or '1639146300000'). Filter for data that appears after this time. Default is -7days.Optional
toA timestamp (milliseconds) or relative time string (for example:'now' or 1661510185000). Filter for data that appears before this time. Default is 'now'.Optional
limitThe maximum number of records to return from the collection. Limit default value is 50. If the page_size argument is set by the user then the limit argument will be ignored.Optional
identity_typesAn identity type or comma-separated list of identity types.Optional
verdictA verdict string. Possible values are: allowed, blocked, proxied.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
categoriesA comma-separated list of category ids to filter on.Optional

Context Output#

PathTypeDescription
UmbrellaReporting.Destination.countNumberTotal number of requests made for this destination.
UmbrellaReporting.Destination.domainStringDestination.
UmbrellaReporting.Destination.bandwidthNumberThe total bandwidth of proxy requests uploaded and downloaded for this destination.
UmbrellaReporting.Destination.rankNumberThe rank of the result based on the number of requests.
UmbrellaReporting.Destination.policycategories.idNumberID of the category.
UmbrellaReporting.Destination.policycategories.labelStringThe human readable label of the category.
UmbrellaReporting.Destination.policycategories.typeStringThe type of category.
UmbrellaReporting.Destination.policycategories.deprecatedBooleanWhether the category is a legacy category.
UmbrellaReporting.Destination.policycategories.integrationBooleanWhether the category is an integration.
UmbrellaReporting.Destination.categories.idNumberID of the category.
UmbrellaReporting.Destination.categories.labelStringThe human readable label of the category.
UmbrellaReporting.Destination.categories.typeStringThe type of category.
UmbrellaReporting.Destination.categories.deprecatedBooleanWhether the category is a legacy category.
UmbrellaReporting.Destination.categories.integrationBooleanWhether the category is an integration.
UmbrellaReporting.Destination.counts.allowedrequestsNumberNumber of requests that were allowed.
UmbrellaReporting.Destination.counts.blockedrequestsNumberNumber of requests that were blocked.
UmbrellaReporting.Destination.counts.requestsNumberTotal number of requests.

Command example#

!umbrella-reporting-destination-list limit=2

Context Example#

{
"UmbrellaReporting": {
"Destination": [
{
"bandwidth": null,
"categories": [
{
"deprecated": false,
"id": 167,
"integration": false,
"label": "Computers and Internet",
"type": "content"
},
{
"deprecated": false,
"id": 123,
"integration": false,
"label": "Infrastructure and Content Delivery Networks",
"type": "content"
},
{
"deprecated": false,
"id": 148,
"integration": false,
"label": "Application",
"type": "application"
},
{
"deprecated": true,
"id": 25,
"integration": false,
"label": "abc/efgh",
"type": "content"
},
{
"deprecated": true,
"id": 32,
"integration": false,
"label": "Business Services",
"type": "content"
}
],
"count": 1286,
"counts": {
"allowedrequests": 1286,
"blockedrequests": 0,
"requests": 1286
},
"domain": "dummy.domain.com",
"policycategories": [],
"rank": 1
},
{
"bandwidth": null,
"categories": [
{
"deprecated": false,
"id": 163,
"integration": false,
"label": "Business and Industry",
"type": "content"
},
{
"deprecated": false,
"id": 167,
"integration": false,
"label": "Computers and Internet",
"type": "content"
},
{
"deprecated": false,
"id": 142,
"integration": false,
"label": "Online Meetings",
"type": "content"
},
{
"deprecated": false,
"id": 148,
"integration": false,
"label": "Application",
"type": "application"
},
{
"deprecated": true,
"id": 25,
"integration": false,
"label": "abc/efgh",
"type": "content"
},
{
"deprecated": true,
"id": 32,
"integration": false,
"label": "Business Services",
"type": "content"
}
],
"count": 1003,
"counts": {
"allowedrequests": 1003,
"blockedrequests": 0,
"requests": 1003
},
"domain": "dummy.domain.com",
"policycategories": [],
"rank": 2
}
]
}
}

Human Readable Output#

Destination List#

DestinationCategoryAllowedBlockedRequests
www.cisco.comComputers and Internet, Infrastructure and Content Delivery Networks, Application, abc/efgh, Business Services128601286
presence.teams.microsoft.comBusiness and Industry, Computers and Internet, Online Meetings, Application, abc/efgh, Business Services100301003

umbrella-reporting-category-list#


List of categories ordered by the number of requests made matching the categories in descending order.

Base Command#

umbrella-reporting-category-list

Input#

Argument NameDescriptionRequired
traffic_typeSpecify the type of traffic. By default, all supported traffic types are included. Possible values are: dns, proxy, ip.Optional
fromA timestamp (milliseconds) or relative time string (for example:-1days' or '1639146300000'). Filter for data that appears after this time. Default is -7days.Optional
toA timestamp (milliseconds) or relative time string (for example:'now' or 1661510185000). Filter for data that appears before this time. Default is 'now'.Optional
domainsA domain name or comma-separated list of domain names.Optional
urlsA URL or comma-separated list of URLs.Optional
ipAn IP address.Optional
sha256A SHA-256 hash.Optional
threatsA threat name or comma-separated list of threat names.Optional
threat_typesA threat type or comma-separated list of threat types.Optional
amp_dispositionAn Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown.Optional
identity_typesAn identity type or comma-separated list of identity types.Optional
verdictA verdict string. Possible values are: allowed, blocked, proxied.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
categoriesA comma-separated list of category ids to filter on.Optional

Context Output#

PathTypeDescription
UmbrellaReporting.Category.countNumberNumber of requests made that match this category.
UmbrellaReporting.Category.bandwidthStringThe total bandwidth of proxy requests uploaded and downloaded for this category.
UmbrellaReporting.Category.category.idNumberCategory ID.
UmbrellaReporting.Category.category.typeStringCategory type.
UmbrellaReporting.Category.category.labelStringCategory label.
UmbrellaReporting.Category.category.integrationBooleanCategory integration.
UmbrellaReporting.Category.category.deprecatedStringCategory deprecated.
UmbrellaReporting.Category.rankNumberRank of the category.

Command example#

!umbrella-reporting-category-list limit=2

Context Example#

{
"UmbrellaReporting": {
"Category": [
{
"bandwidth": 7974662,
"category": {
"deprecated": false,
"id": 148,
"integration": false,
"label": "Application",
"type": "application"
},
"count": 32446,
"rank": 1
},
{
"bandwidth": null,
"category": {
"deprecated": true,
"id": 25,
"integration": false,
"label": "abc/efgh",
"type": "content"
},
"count": 26112,
"rank": 2
}
]
}
}

Human Readable Output#

Category List#

CategoryTypeActivity
Applicationapplication32446
abc/efghcontent26112

umbrella-reporting-identity-list#


List of identities ordered by the number of requests made matching the categories in descending order.

Base Command#

umbrella-reporting-identity-list

Input#

Argument NameDescriptionRequired
traffic_typeSpecify the type of traffic. By default, all supported traffic types are included. Possible values are: dns, proxy, firewall, ip.Optional
fromA timestamp (milliseconds) or relative time string (for example:-1days' or '1639146300000'). Filter for data that appears after this time. Default is -7days.Optional
toA timestamp (milliseconds) or relative time string (for example:'now' or 1661510185000). Filter for data that appears before this time. Default is 'now'.Optional
domainsA domain name or comma-separated list of domain names.Optional
urlsA URL or comma-separated list of URLs.Optional
ipAn IP address.Optional
portsA port number or comma-separated list of port numbers.Optional
verdictA verdict string. Possible values are: allowed, blocked, proxied.Optional
sha256A SHA-256 hash.Optional
threatsA threat name or comma-separated list of threat names.Optional
threat_typesA threat type or comma-separated list of threat types.Optional
amp_dispositionAn Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown.Optional
identity_typesAn identity type or comma-separated list of identity types.Optional
limitThe maximum number of records to return from the collection. Limit default value is 50. If the page_size argument is set by the user then the limit argument will be ignored.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
categoriesA comma-separated list of category ids to filter on.Optional

Context Output#

PathTypeDescription
UmbrellaReporting.Identity.requestsNumberTotal number of requests made by this identity.
UmbrellaReporting.Identity.bandwidthNumberThe total bandwidth of proxy requests uploaded and downloaded for this identity.
UmbrellaReporting.Identity.rankNumberThe rank of the result based on the number of requests.
UmbrellaReporting.Identity.counts.allowedrequestsNumberNumber of requests that were allowed.
UmbrellaReporting.Identity.counts.blockedrequestsNumberNumber of requests that were blocked.
UmbrellaReporting.Identity.counts.requestsNumberTotal number of requests.
UmbrellaReporting.Identity.identity.idNumberIdentity ID.
UmbrellaReporting.Identity.identity.type.idNumberOrigin type for the identity.
UmbrellaReporting.Identity.identity.type.typeStringOrigin type name for the identity.
UmbrellaReporting.Identity.identity.type.labelStringOrigin type label for the identity.
UmbrellaReporting.Identity.identity.labelStringLabel for the identity.
UmbrellaReporting.Identity.identity.deletedBooleanIndicates whether the identity was deleted.

Command example#

!umbrella-reporting-identity-list limit=2

Context Example#

{
"UmbrellaReporting": {
"Identity": [
{
"bandwidth": 7974662,
"counts": {
"allowedrequests": 29540,
"blockedrequests": 72,
"requests": 29753
},
"identity": {
"deleted": false,
"id": 589064228,
"label": "DESKTOP-IIQVPJ7",
"type": {
"id": 9,
"label": "Roaming Computers",
"type": "roaming"
}
},
"rank": 1,
"requests": 29753
},
{
"bandwidth": null,
"counts": {
"allowedrequests": 17950,
"blockedrequests": 59,
"requests": 18082
},
"identity": {
"deleted": false,
"id": 593805843,
"label": "S\u2019s MacBook Pro",
"type": {
"id": 9,
"label": "Roaming Computers",
"type": "roaming"
}
},
"rank": 2,
"requests": 18082
}
]
}
}

Human Readable Output#

Identities List#

IdentityRequests
DESKTOP-IIQVPJ729753
S’s MacBook Pro18082

umbrella-reporting-event-type-list#


List of event types ordered by the number of requests made for each type of event in descending order. The event types are: domain_security, domain_integration, url_security, url_integration, cisco_amp and antivirus.

Base Command#

umbrella-reporting-event-type-list

Input#

Argument NameDescriptionRequired
fromA timestamp (milliseconds) or relative time string (for example:-1days' or '1639146300000'). Filter for data that appears after this time. Default is -7days.Optional
toA timestamp (milliseconds) or relative time string (for example:'now' or 1661510185000). Filter for data that appears before this time. Default is 'now'.Optional
domainsA domain name or comma-separated list of domain names.Optional
urlsA URL or comma-separated list of URLs.Optional
ipAn IP address.Optional
identity_typesAn identity type or comma-separated list of identity types.Optional
verdictA verdict string. Possible values are: allowed, blocked, proxied.Optional
threatsA threat name or comma-separated list of threat names.Optional
threat_typesA threat type or comma-separated list of threat types.Optional
amp_dispositionAn Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
categoriesA comma-separated list of category ids to filter on.Optional

Context Output#

PathTypeDescription
UmbrellaReporting.EventType.eventtypeStringThe event type. One of "domain_security", "domain_integration", "url_security", "url_integration", "cisco_amp" and "antivirus".
UmbrellaReporting.EventType.countNumberNumber of requests made that match this event type.

Command example#

!umbrella-reporting-event-type-list

Context Example#

{
"UmbrellaReporting": {
"EventType": [
{
"count": 2,
"eventtype": "domain_security"
},
{
"count": 0,
"eventtype": "url_integration"
},
{
"count": 0,
"eventtype": "url_security"
},
{
"count": 0,
"eventtype": "antivirus"
},
{
"count": 0,
"eventtype": "application"
},
{
"count": 0,
"eventtype": "cisco_amp"
},
{
"count": 0,
"eventtype": "domain_integration"
}
]
}
}

Human Readable Output#

Event Type List#

Event TypeCount
domain_security2
url_integration0
url_security0
antivirus0
application0
cisco_amp0
domain_integration0

umbrella-reporting-file-list#


List of files within a time frame. Only returns proxy data.

Base Command#

umbrella-reporting-file-list

Input#

Argument NameDescriptionRequired
fromA timestamp (milliseconds) or relative time string (for example:-1days' or '1639146300000'). Filter for data that appears after this time. Default is -7days.Optional
toA timestamp (milliseconds) or relative time string (for example:'now' or 1661510185000). Filter for data that appears before this time. Default is 'now'.Optional
limitThe maximum number of records to return from the collection. Limit default value is 50. If the page_size argument is set by the user then the limit argument will be ignored.Optional
domainsA domain name or comma-separated list of domain names.Optional
urlsA URL or comma-separated list of URLs.Optional
ipAn IP address.Optional
verdictA verdict string. Possible values are: allowed, blocked, proxied.Optional
sha256A SHA-256 hash.Optional
amp_dispositionAn Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown.Optional
identity_typesAn identity type or comma-separated list of identity types.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
categoriesA comma-separated list of category ids to filter on.Optional

Context Output#

PathTypeDescription
UmbrellaReporting.File.requestsNumberNumber of requests.
UmbrellaReporting.File.identitycountNumberNumber of identities for entry.
UmbrellaReporting.File.sha256StringSHA256 for entry.
UmbrellaReporting.File.filenamesUnknownArray of filenames for entry.
UmbrellaReporting.File.filetypesUnknownArray of file types for entry.
UmbrellaReporting.File.categories.idNumberID of the category.
UmbrellaReporting.File.categories.labelStringThe human readable label of the category.
UmbrellaReporting.File.categories.typeStringThe type of category.
UmbrellaReporting.File.categories.deprecatedBooleanWhether the category is a legacy category.
UmbrellaReporting.File.categories.integrationBooleanWhether the category is an integration.

Command example#

!umbrella-reporting-file-list limit=2

Context Example#

{
"UmbrellaReporting": {
"File": [
{
"categories": [
{
"deprecated": false,
"id": 142,
"integration": false,
"label": "Online Meetings",
"type": "content"
},
{
"deprecated": false,
"id": 148,
"integration": false,
"label": "Application",
"type": "application"
}
],
"filenames": [
"AnyDesk.exe"
],
"filetypes": [],
"identitycount": 1,
"requests": 2,
"sha256": "dummy_sha256"
}
]
}
}

Human Readable Output#

File List#

RequestsIdentity CountSHA256CategoryCategory TypeFile Name
2194fe42af4a67ed5be45bd7913d8a8aebc4e35afddd5675d01bd37df8e9b399aeOnline Meetings, Applicationcontent, applicationAnyDesk.exe

umbrella-reporting-threat-list#


List of top threats within a time frame. Returns both DNS and Proxy data.

Base Command#

umbrella-reporting-threat-list

Input#

Argument NameDescriptionRequired
traffic_typeSpecify the type of traffic. By default, all supported traffic types are included. Possible values are: dns, proxy.Optional
fromA timestamp (milliseconds) or relative time string (for example:-1days' or '1639146300000'). Filter for data that appears after this time. Default is -7days.Optional
toA timestamp (milliseconds) or relative time string (for example:'now' or 1661510185000). Filter for data that appears before this time. Default is 'now'.Optional
limitThe maximum number of records to return from the collection. Limit default value is 50. If the page_size argument is set by the user then the limit argument will be ignored.Optional
domainsA domain name or comma-separated list of domain names.Optional
ipAn IP address.Optional
identity_typesAn identity type or comma-separated list of identity types.Optional
verdictA verdict string. Possible values are: allowed, blocked, proxied.Optional
threatsA threat name or comma-separated list of threat names.Optional
threat_typesA threat type or comma-separated list of threat types.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
categoriesA comma-separated list of category ids to filter on.Optional

Context Output#

PathTypeDescription
UmbrellaReporting.Threat.threatStringThe threat name.
UmbrellaReporting.Threat.threattypeStringThe threat type.
UmbrellaReporting.Threat.countNumberThe number of requests for that threat name.

Command example#

!umbrella-reporting-threat-list limit=1

Context Example#

{
"UmbrellaReporting":{
"Threat":[
{
"threat": "",
"threattype": "Adware",
"count": 1
}
]
}
}

Human Readable Output#

Threat List#

Threat TypeCount
Adware1

umbrella-reporting-activity-list#


List all activity entries (dns/proxy/firewall/ip/intrusion/amp) within the time frame.

Base Command#

umbrella-reporting-activity-list

Input#

Argument NameDescriptionRequired
fromA timestamp (milliseconds) or relative time string (for example:-1days' or '1639146300000'). Filter for data that appears after this time. Default is -7days.Optional
toA timestamp (milliseconds) or relative time string (for example:'now' or 1661510185000). Filter for data that appears before this time. Default is 'now'.Optional
limitThe maximum number of records to return from the collection. Limit default value is 50. If the page_size argument is set by the user then the limit argument will be ignored.Optional
domainsA domain name or comma-separated list of domain names.Optional
urlsA URL or comma-separated list of URLs.Optional
ipAn IP address.Optional
portsA port number or comma-separated list of port numbers.Optional
identity_typesAn identity type or comma-separated list of identity types.Optional
verdictA verdict string. Possible values are: allowed, blocked, proxied.Optional
file_nameA string that identifies a filename. Filter the request by the filename. Supports globbing or use of the wildcard character (''). The asterisk (*) matches zero or more occurrences of any character.Optional
threatsA threat name or comma-separated list of threat names.Optional
threat_typesA threat type or comma-separated list of threat types.Optional
amp_dispositionAn Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
categoriesA comma-separated list of category ids to filter on.Optional

Context Output#

PathTypeDescription
UmbrellaReporting.Activity.typeStringType of the request.
UmbrellaReporting.Activity.externalipStringExternal IP address for entry.
UmbrellaReporting.Activity.internalipStringInternal IP address for entry.
UmbrellaReporting.Activity.policycategories.idNumberID of the category.
UmbrellaReporting.Activity.policycategories.labelStringThe human readable label of the category.
UmbrellaReporting.Activity.policycategories.typeStringType of the request. A DNS request always has type dns.
UmbrellaReporting.Activity.policycategories.deprecatedBooleanWhether the category is a legacy category.
UmbrellaReporting.Activity.policycategories.integrationBooleanWhether the category is an integration.
UmbrellaReporting.Activity.categories.idNumberID of the category.
UmbrellaReporting.Activity.categories.labelStringThe human readable label of the category.
UmbrellaReporting.Activity.categories.typeStringThe type of category.
UmbrellaReporting.Activity.categories.deprecatedBooleanWhether the category is a legacy category.
UmbrellaReporting.Activity.categories.integrationBooleanWhether the category is an integration.
UmbrellaReporting.Activity.verdictStringVerdict for entry.
UmbrellaReporting.Activity.domainStringDomain for entry.
UmbrellaReporting.Activity.timestampNumberTimestamp in ms.
UmbrellaReporting.Activity.timeStringThe time in 24 hour format based on the time zone parameter.
UmbrellaReporting.Activity.dateStringThe date from the timestamp based on the time zone parameter.
UmbrellaReporting.Activity.identities.idNumberID of the identity.
UmbrellaReporting.Activity.identities.type.idNumberOrigin type for the identity.
UmbrellaReporting.Activity.identities.type.typeStringOrigin type name for the identity.
UmbrellaReporting.Activity.identities.type.labelStringOrigin type label for the identity.
UmbrellaReporting.Activity.identities.labelStringLabel for the identity.
UmbrellaReporting.Activity.identities.deletedBooleanIndicates whether the identity was deleted.
UmbrellaReporting.Activity.threats.labelBooleanThe threat name or label.
UmbrellaReporting.Activity.threats.typeStringThe type of threat.
UmbrellaReporting.Activity.allapplications.idNumberID of the application.
UmbrellaReporting.Activity.allapplications.typeStringType of the application, NBAR or AVC.
UmbrellaReporting.Activity.allapplications.labelStringLabel of the application.
UmbrellaReporting.Activity.allapplications.category.labelStringLabel of the application category.
UmbrellaReporting.Activity.allapplications.category.idNumberID of the application category.
UmbrellaReporting.Activity.allowedapplications.idNumberID of the application.
UmbrellaReporting.Activity.allowedapplications.labelStringLabel of the application.
UmbrellaReporting.Activity.allowedapplications.typeStringType of the application, NBAR or AVC.
UmbrellaReporting.Activity.allowedapplications.category.labelStringLabel of the application category.
UmbrellaReporting.Activity.allowedapplications.category.idNumberID of the application category.
UmbrellaReporting.Activity.querytypeStringThe type of DNS request that was made. For more information, see Common DNS Request Types. https://support.umbrella.com/hc/en-us/articles/232254248-Common-DNS-return-codes-for-any-DNS-service-and-Umbrella-
UmbrellaReporting.Activity.returncodeNumberThe DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella). https://support.umbrella.com/hc/en-us/articles/232254248-Common-DNS-return-codes-for-any-DNS-service-and-Umbrella-
UmbrellaReporting.Activity.blockedapplications.idNumberID of the application.
UmbrellaReporting.Activity.blockedapplications.labelStringLabel of the application.
UmbrellaReporting.Activity.blockedapplications.typeStringType of the application, NBAR or AVC.
UmbrellaReporting.Activity.blockedapplications.category.labelStringLabel of the application category.
UmbrellaReporting.Activity.blockedapplications.category.idNumberID of the application category.

Command example#

!umbrella-reporting-activity-list limit=2

Context Example#

{
"UmbrellaReporting": {
"Activity": [
{
"allapplications": [
{
"category": {
"id": 46,
"label": "Ad Publishing"
},
"id": 46102,
"label": "Google Marketing Platform"
}
],
"allowedapplications": [],
"blockedapplications": [],
"categories": [
{
"deprecated": false,
"id": 27,
"integration": false,
"label": "Advertisements",
"type": "content"
},
{
"deprecated": false,
"id": 148,
"integration": false,
"label": "Application",
"type": "application"
}
],
"date": "2022-10-29",
"device": {
"id": null
},
"domain": "dummy.domain.com",
"externalip": "4.4.4.4",
"identities": [
{
"deleted": false,
"id": 593805843,
"label": "S\u2019s MacBook Pro",
"type": {
"id": 9,
"label": "Roaming Computers",
"type": "roaming"
}
}
],
"internalip": "1.1.1.1",
"policycategories": [],
"querytype": "A",
"returncode": 0,
"threats": [],
"time": "07:39:08",
"timestamp": 1667029148000,
"type": "dns",
"verdict": "allowed"
},
{
"allapplications": [
{
"category": {
"id": null,
"label": "Sample Application Group"
},
"id": 28,
"label": "Do Not Decrypt Application"
}
],
"allowedapplications": [],
"blockedapplications": [],
"categories": [
{
"deprecated": true,
"id": 25,
"integration": false,
"label": "abc/efgh",
"type": "content"
},
{
"deprecated": false,
"id": 123,
"integration": false,
"label": "Infrastructure and Content Delivery Networks",
"type": "content"
},
{
"deprecated": false,
"id": 148,
"integration": false,
"label": "Application",
"type": "application"
}
],
"date": "2022-10-29",
"device": {
"id": null
},
"domain": "dummy.domain.com",
"externalip": "4.4.4.4",
"identities": [
{
"deleted": false,
"id": 593805843,
"label": "S\u2019s MacBook Pro",
"type": {
"id": 9,
"label": "Roaming Computers",
"type": "roaming"
}
}
],
"internalip": "1.1.1.1",
"policycategories": [],
"querytype": "AAAA",
"returncode": 0,
"threats": [],
"time": "07:38:57",
"timestamp": 1667029137000,
"type": "dns",
"verdict": "allowed"
}
]
}
}

Human Readable Output#

Activity List#

RequestIdentityPolicy or Ruleset IdentityDestinationInternal IPExternal IPDNS TypeActionCategoriesPublic ApplicationApplication CategoryDate & Time
dnsS’s MacBook ProS’s MacBook Prostats.g.doubleclick.net1.1.1.14.4.4.4AallowedAdvertisements, ApplicationGoogle Marketing PlatformAd Publishing2022-10-29T07:39:08Z
dnsS’s MacBook ProS’s MacBook Progoogle.com1.1.1.14.4.4.4AAAAallowedabc/efgh, Infrastructure and Content Delivery Networks, ApplicationDo Not Decrypt ApplicationSample Application Group2022-10-29T07:38:57Z

umbrella-reporting-activity-get#


List all entries within a time frame based on the traffic type selected. Valid activity types are dns, proxy, firewall, intrusion, ip, amp. Only one activity type can be selected at a time.

Base Command#

umbrella-reporting-activity-get

Input#

Argument NameDescriptionRequired
traffic_typeSpecify the type of traffic. By default, all supported traffic types are included. Possible values are: dns, proxy, firewall, ip, intrusion, amp.

Supported optional parameters for DNS traffic type are limit, from, to, offset, domains, ip, verdict, threats, threat_types.

Supported optional parameters for Proxy traffic type are limit, from, to, offset, domains, ip, verdict, threats, threat_types, urls, ports, identity_types, file_name, amp_disposition.

Supported optional parameters for Firewall traffic type are limit, from, to, offset, ip, ports, verdict.

Supported optional parameters for Intrusion traffic type are limit, from, to, offset, ip, ports, signatures, intrusion_action.

Supported optional parameters for IP traffic type are limit, from, to, offset, ip, ports, identity_types, verdict.

Supported optional parameters for Advanced Malware Protection (AMP) traffic type are limit, from, to, offset, amp_disposition, sha256.
Required
fromA timestamp (milliseconds) or relative time string (for example:-1days' or '1639146300000'). Filter for data that appears after this time. Default is -7days.Optional
toA timestamp (milliseconds) or relative time string (for example:'now' or 1661510185000). Filter for data that appears before this time. Default is 'now'.Optional
limitThe maximum number of records to return from the collection. Limit default value is 50. If the page_size argument is set by the user then the limit argument will be ignored.Optional
domainsA domain name or comma-separated list of domain names.Optional
urlsA URL or comma-separated list of URLs.Optional
ipAn IP address.Optional
portsA port number or comma-separated list of port numbers.Optional
identity_typesAn identity type or comma-separated list of identity types.Optional
verdictA verdict string. Possible values are: allowed, blocked, proxied.Optional
file_nameA string that identifies a filename. Filter the request by the filename. Supports globbing or use of the wildcard character (''). The asterisk (*) matches zero or more occurrences of any character.Optional
threatsA threat name or comma-separated list of threat names.Optional
threat_typesA threat type or comma-separated list of threat types.Optional
amp_dispositionAn Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
signaturesA comma-separated list of Generator id - Signatures ID. Where Generator ID is unique id assigned to the part of the IPS which generated the event and Signature ID is used to uniquely identify signatures. Example:- 1-2,1-4.Optional
intrusion_actionComma-separated list of intrusion actions. Possible values: would_block, blocked, detected.Optional
categoriesA comma-separated list of category ids to filter on.Optional

Context Output for traffic_type = dns for base command umbrella-reporting-activity-get#

PathTypeDescription
UmbrellaReporting.ActivityDns.typeStringType of the request. A DNS request always has type DNS.
UmbrellaReporting.ActivityDns.externalipStringExternal IP address for entry.
UmbrellaReporting.ActivityDns.internalipStringInternal IP address for entry.
UmbrellaReporting.ActivityDns.policycategories.idNumberID of the category.
UmbrellaReporting.ActivityDns.policycategories.labelStringThe human readable label of the category.
UmbrellaReporting.ActivityDns.policycategories.typeStringType of the request. A DNS request always has type dns.
UmbrellaReporting.ActivityDns.policycategories.deprecatedBooleanWhether the category is a legacy category.
UmbrellaReporting.ActivityDns.policycategories.integrationBooleanWhether the category is an integration.
UmbrellaReporting.ActivityDns.categories.idNumberID of the category.
UmbrellaReporting.ActivityDns.categories.labelStringThe human readable label of the category.
UmbrellaReporting.ActivityDns.categories.typeStringThe type of category.
UmbrellaReporting.ActivityDns.categories.deprecatedBooleanWhether the category is a legacy category.
UmbrellaReporting.ActivityDns.categories.integrationBooleanWhether the category is an integration.
UmbrellaReporting.ActivityDns.verdictStringVerdict for entry.
UmbrellaReporting.ActivityDns.domainStringDomain for entry.
UmbrellaReporting.ActivityDns.timestampNumberTimestamp in ms.
UmbrellaReporting.ActivityDns.timeStringThe time in 24 hour format based on the time zone parameter.
UmbrellaReporting.ActivityDns.dateStringThe date from the timestamp based on the time zone parameter.
UmbrellaReporting.ActivityDns.identities.idNumberID of the identity.
UmbrellaReporting.ActivityDns.identities.type.idNumberOrigin type for the identity.
UmbrellaReporting.ActivityDns.identities.type.typeStringOrigin type name for the identity.
UmbrellaReporting.ActivityDns.identities.type.labelStringOrigin type label for the identity.
UmbrellaReporting.ActivityDns.identities.labelStringLabel for the identity.
UmbrellaReporting.ActivityDns.identities.deletedBooleanIndicates whether the identity was deleted.
UmbrellaReporting.ActivityDns.threats.labelBooleanThe threat name or label.
UmbrellaReporting.ActivityDns.threats.typeStringThe type of threat.
UmbrellaReporting.ActivityDns.allapplications.idNumberID of the application.
UmbrellaReporting.ActivityDns.allapplications.typeStringType of the application, NBAR or AVC.
UmbrellaReporting.ActivityDns.allapplications.labelStringLabel of the application.
UmbrellaReporting.ActivityDns.allapplications.category.labelStringLabel of the application category.
UmbrellaReporting.ActivityDns.allapplications.category.idNumberID of the application category.
UmbrellaReporting.ActivityDns.allowedapplications.idNumberID of the application.
UmbrellaReporting.ActivityDns.allowedapplications.labelStringLabel of the application.
UmbrellaReporting.ActivityDns.allowedapplications.typeStringType of the application, NBAR or AVC.
UmbrellaReporting.ActivityDns.allowedapplications.category.labelStringLabel of the application category.
UmbrellaReporting.ActivityDns.allowedapplications.category.idNumberID of the application category.
UmbrellaReporting.ActivityDns.querytypeStringThe type of DNS request that was made. For more information, see https://support.umbrella.com/hc/en-us/articles/232254248-Common-DNS-return-codes-for-any-DNS-service-and-Umbrella-
UmbrellaReporting.ActivityDns.returncodeNumberThe DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella). https://support.umbrella.com/hc/en-us/articles/232254248-Common-DNS-return-codes-for-any-DNS-service-and-Umbrella-
UmbrellaReporting.ActivityDns.blockedapplications.idNumberID of the application.
UmbrellaReporting.ActivityDns.blockedapplications.labelStringLabel of the application.
UmbrellaReporting.ActivityDns.blockedapplications.typeStringType of the application, NBAR or AVC.
UmbrellaReporting.ActivityDns.blockedapplications.category.labelStringLabel of the application category.
UmbrellaReporting.ActivityDns.blockedapplications.category.idNumberID of the application category.

Command example for traffic_type = dns for base command umbrella-reporting-activity-get#

!umbrella-reporting-activity-get traffic_type=dns limit=2

Context Example for traffic_type = dns for base command umbrella-reporting-activity-get#

{
"UmbrellaReporting": {
"ActivityDns": [
{
"allapplications": [
{
"category": {
"id": 46,
"label": "Ad Publishing"
},
"id": 46102,
"label": "Google Marketing Platform"
}
],
"allowedapplications": [],
"blockedapplications": [],
"categories": [
{
"deprecated": false,
"id": 27,
"integration": false,
"label": "Advertisements",
"type": "content"
},
{
"deprecated": false,
"id": 148,
"integration": false,
"label": "Application",
"type": "application"
}
],
"date": "2022-10-29",
"device": {
"id": null
},
"domain": "dummy.domain.com",
"externalip": "4.4.4.4",
"identities": [
{
"deleted": false,
"id": 593805843,
"label": "S\u2019s MacBook Pro",
"type": {
"id": 9,
"label": "Roaming Computers",
"type": "roaming"
}
}
],
"internalip": "1.1.1.1",
"policycategories": [],
"querytype": "A",
"returncode": 0,
"threats": [],
"time": "07:39:08",
"timestamp": 1667029148000,
"type": "dns",
"verdict": "allowed"
},
{
"allapplications": [
{
"category": {
"id": null,
"label": "Sample Application Group"
},
"id": 28,
"label": "Do Not Decrypt Application"
}
],
"allowedapplications": [],
"blockedapplications": [],
"categories": [
{
"deprecated": true,
"id": 25,
"integration": false,
"label": "abc/efgh",
"type": "content"
},
{
"deprecated": false,
"id": 123,
"integration": false,
"label": "Infrastructure and Content Delivery Networks",
"type": "content"
},
{
"deprecated": false,
"id": 148,
"integration": false,
"label": "Application",
"type": "application"
}
],
"date": "2022-10-29",
"device": {
"id": null
},
"domain": "dummy.domain.com",
"externalip": "4.4.4.4",
"identities": [
{
"deleted": false,
"id": 593805843,
"label": "S\u2019s MacBook Pro",
"type": {
"id": 9,
"label": "Roaming Computers",
"type": "roaming"
}
}
],
"internalip": "1.1.1.1",
"policycategories": [],
"querytype": "AAAA",
"returncode": 0,
"threats": [],
"time": "07:38:57",
"timestamp": 1667029137000,
"type": "dns",
"verdict": "allowed"
}
]
}
}

Human Readable Output#

Dns Activity List#

IdentityPolicy or Ruleset IdentityDestinationInternal IPExternal IPDNS TypeActionCategoriesPublic ApplicationApplication CategoryDate & Time
S’s MacBook ProS’s MacBook Prostats.g.doubleclick.net1.1.1.14.4.4.4AallowedAdvertisements, ApplicationGoogle Marketing PlatformAd Publishing2022-10-29T07:39:08Z
S’s MacBook ProS’s MacBook Progoogle.com1.1.1.14.4.4.4AAAAallowedabc/efgh, Infrastructure and Content Delivery Networks, ApplicationDo Not Decrypt ApplicationSample Application Group2022-10-29T07:38:57Z

Context Output for traffic_type = amp for base command umbrella-reporting-activity-get#

PathTypeDescription
UmbrellaReporting.ActivityAMPRetro.timestampNumberTimestamp in ms.
UmbrellaReporting.ActivityAMPRetro.firstseenatNumberFirst seen Timestamp.
UmbrellaReporting.ActivityAMPRetro.dispositionStringDisposition for entry.
UmbrellaReporting.ActivityAMPRetro.hostnameStringHostname for entry.
UmbrellaReporting.ActivityAMPRetro.malwarenameStringMalware name for entry.
UmbrellaReporting.ActivityAMPRetro.sha256StringSHA256 for entry.
UmbrellaReporting.ActivityAMPRetro.scoreNumberScore for entry.

Command example for traffic_type = amp for base command umbrella-reporting-activity-get#

!umbrella-reporting-activity-get traffic_type=amp limit=2

Context Example for traffic_type = amp for base command umbrella-reporting-activity-get#

{
"UmbrellaReporting":{
"ActivityAMPRetro":[
{
"timestamp": 1548311506,
"firstseenat": 1548311506,
"disposition": "clean",
"score": 10,
"hostname": "google.com",
"malwarename": "malware",
"sha256": "dummy_sha256"
}
]
}
}

Human Readable Output#

AMP Activity List#

First SeenDispositionScoreHost NameMalwareSHA256Date & Time
1548311506clean10google.commalware9495b6c155044053953efe30ebaf804780c114e7b721b14f6a5b0a782769696eSep 16, 2022 05:52 AM

Context Output for traffic_type = proxy for base command umbrella-reporting-activity-get#

PathTypeDescription
UmbrellaReporting.ActivityProxy.typeStringType of the request. A Proxy request always has type Proxy.
UmbrellaReporting.ActivityProxy.externalipStringExternal IP for entry.
UmbrellaReporting.ActivityProxy.destinationipStringDestination IP for entry.
UmbrellaReporting.ActivityProxy.blockedfiletypeStringlocked file type for entry.
UmbrellaReporting.ActivityProxy.contenttypeStringThe type of web content, typically text/html.
UmbrellaReporting.ActivityProxy.forwardingmethodStringThe request method (GET, POST, HEAD, etc.)
UmbrellaReporting.ActivityProxy.internalipStringInternal IP for entry.
UmbrellaReporting.ActivityProxy.refererStringThe referring domain or URL.
UmbrellaReporting.ActivityProxy.requestmethodStringThe HTTP request method that was made.
UmbrellaReporting.ActivityProxy.responsefilenameStringResponse filename for entry.
UmbrellaReporting.ActivityProxy.sha256StringThe hex digest of the response content.
UmbrellaReporting.ActivityProxy.urlStringThe URL requested.
UmbrellaReporting.ActivityProxy.useragentStringThe browser agent that made the request.
UmbrellaReporting.ActivityProxy.warnstatusStringWarn Status.
UmbrellaReporting.ActivityProxy.securityoverriddenBooleanSpecify whether to filter on requests that override security.
UmbrellaReporting.ActivityProxy.tenantcontrolsBooleanIf the request was part of a tenant control policy.
UmbrellaReporting.ActivityProxy.bundleidNumberA proxy bundle ID.
UmbrellaReporting.ActivityProxy.portNumberRequest Port.
UmbrellaReporting.ActivityProxy.requestsizeNumberRequest size in bytes.
UmbrellaReporting.ActivityProxy.responsesizeNumberResponse size in bytes.
UmbrellaReporting.ActivityProxy.statuscodeNumberThe HTTP status code; should always be 200 or 201.
UmbrellaReporting.ActivityProxy.policycategories.idNumberID of category.
UmbrellaReporting.ActivityProxy.policycategories.labelStringThe human readable label of the category.
UmbrellaReporting.ActivityProxy.policycategories.typeStringType of the request. a dns request always has type dns.
UmbrellaReporting.ActivityProxy.policycategories.deprecatedBooleanIf the category is a legacy category.
UmbrellaReporting.ActivityProxy.policycategories.integrationBooleanIf the category is an integration.
UmbrellaReporting.ActivityProxy.categories.idNumberid of category
UmbrellaReporting.ActivityProxy.categories.labelStringThe human readable label of the category
UmbrellaReporting.ActivityProxy.categories.typeStringThe type of category
UmbrellaReporting.ActivityProxy.categories.deprecatedBooleanIf the category is a legacy category
UmbrellaReporting.ActivityProxy.categories.integrationBooleanIf the category is an integration
UmbrellaReporting.ActivityProxy.antivirusthreats.othersUnknownOther antivirus threats.
UmbrellaReporting.ActivityProxy.antivirusthreats.puasUnknownPotentially unwanted applications.
UmbrellaReporting.ActivityProxy.antivirusthreats.virusesUnknownViruses.
UmbrellaReporting.ActivityProxy.verdictStringVerdict for entry.
UmbrellaReporting.ActivityProxy.timestampNumberTimestamp in ms.
UmbrellaReporting.ActivityProxy.timeStringThe time in 24 hour format based on the timezone parameter.
UmbrellaReporting.ActivityProxy.dateStringThe date from the timestamp based on the timezone parameter.
UmbrellaReporting.ActivityProxy.identities.idNumberID of identity.
UmbrellaReporting.ActivityProxy.identities.type.idNumberOrigin type for identity
UmbrellaReporting.ActivityProxy.identities.type.typeStringOrigin type name for identity
UmbrellaReporting.ActivityProxy.identities.type.labelStringOrigin type label for identity
UmbrellaReporting.ActivityProxy.identities.labelStringLabel for identity
UmbrellaReporting.ActivityProxy.identities.deletedBooleanIndicates whether the identity was deleted or not
UmbrellaReporting.ActivityProxy.threats.labelStringThe threat name or label.
UmbrellaReporting.ActivityProxy.threats.typeStringThe type of threat.
UmbrellaReporting.ActivityProxy.datacenter.idStringUnique ID for the data center.
UmbrellaReporting.ActivityProxy.datacenter.labelStringName of the data center.
UmbrellaReporting.ActivityProxy.datalossprevention.stateStringIf the request was Blocked for DLP. Either 'blocked' or ''.
UmbrellaReporting.ActivityProxy.egress.ipStringEgress IP.
UmbrellaReporting.ActivityProxy.egress.typeStringEgress Type.
UmbrellaReporting.ActivityProxy.isolated.fileactionStringA string that describes the remote browser isolation (RBI) file action type.
UmbrellaReporting.ActivityProxy.isolated.stateStringA string that describes the remote browser isolation(RBI) isolation type.
UmbrellaReporting.ActivityProxy.allapplications.idNumberID of the application.
UmbrellaReporting.ActivityProxy.allapplications.typeStringType of the application, NBAR or AVC.
UmbrellaReporting.ActivityProxy.allapplications.labelStringLabel of the application.
UmbrellaReporting.ActivityProxy.allapplications.category.labelStringLabel of the application category.
UmbrellaReporting.ActivityProxy.allapplications.category.idNumberID of the application category.
UmbrellaReporting.ActivityProxy.allowedapplications.idNumberID of the application.
UmbrellaReporting.ActivityProxy.allowedapplications.labelStringLabel of the application.
UmbrellaReporting.ActivityProxy.allowedapplications.typeStringType of the application, NBAR or AVC.
UmbrellaReporting.ActivityProxy.allowedapplications.category.labelStringLabel of the application category.
UmbrellaReporting.ActivityProxy.allowedapplications.category.idNumberID of the application category.
UmbrellaReporting.ActivityProxy.blockedapplications.idNumberID of the application.
UmbrellaReporting.ActivityProxy.blockedapplications.labelStringLabel of the application.
UmbrellaReporting.ActivityProxy.blockedapplications.typeStringType of the application, NBAR or AVC.
UmbrellaReporting.ActivityProxy.blockedapplications.category.labelStringLabel of the application category.
UmbrellaReporting.ActivityProxy.blockedapplications.category.idNumberLabel of the application category.
UmbrellaReporting.ActivityProxy.policy.timebasedruleBooleanWhether the policy triggered a time-of-day rule.
UmbrellaReporting.ActivityProxy.policy.ruleidNumberThe rule ID for the policy.
UmbrellaReporting.ActivityProxy.policy.rulesetidNumberThe rule set ID for the policy.
UmbrellaReporting.ActivityProxy.policy.destinationlistidsUnknownThe destination lists that the policy triggered.
UmbrellaReporting.ActivityProxy.httperrors.reasonStringThe name of the error.
UmbrellaReporting.ActivityProxy.httperrors.typeStringType of the error CertificateError or TLSError.
UmbrellaReporting.ActivityProxy.httperrors.attributesUnknownMap of additional information about the error.
UmbrellaReporting.ActivityProxy.httperrors.codeStringThe http error code.
UmbrellaReporting.ActivityProxy.amp.dispositionStringAdvanced Malware Protection (AMP) disposition.
UmbrellaReporting.ActivityProxy.amp.malwareStringAdvanced Malware Protection (AMP) malware.
UmbrellaReporting.ActivityProxy.amp.scoreNumberAdvanced Malware Protection (AMP) score.

Command example for traffic_type = proxy for base command umbrella-reporting-activity-get#

!umbrella-reporting-activity-get traffic_type=proxy limit=2

Context Example for traffic_type = proxy for base command umbrella-reporting-activity-get#

{
"UmbrellaReporting": {
"ActivityProxy": [
{
"allapplications": [],
"allowedapplications": [],
"amp": {
"disposition": "",
"malware": "",
"score": 0
},
"antivirusthreats": {
"others": [],
"puas": [],
"viruses": []
},
"blockedapplications": [],
"blockedfiletype": "",
"bundleid": 13531789,
"categories": [
{
"deprecated": false,
"id": 123,
"integration": false,
"label": "Infrastructure and Content Delivery Networks",
"type": "content"
}
],
"contenttype": "application/pkix-crl",
"datacenter": {
"id": "",
"label": ""
},
"datalossprevention": {
"state": ""
},
"date": "2022-10-17",
"destinationip": "1.1.1.1",
"egress": {
"ip": "",
"type": ""
},
"externalip": "4.4.4.4",
"forwardingmethod": "",
"httperrors": [],
"identities": [
{
"deleted": false,
"id": 589064228,
"label": "DESKTOP-IIQVPJ7",
"type": {
"id": 9,
"label": "Roaming Computers",
"type": "roaming"
}
}
],
"internalip": "1.1.1.1",
"isolated": {
"fileaction": "",
"state": ""
},
"policy": {
"destinationlistids": [],
"ruleid": null,
"rulesetid": null,
"timebasedrule": false
},
"policycategories": [],
"port": 80,
"referer": "",
"requestmethod": "GET",
"requestsize": 0,
"responsefilename": " ",
"responsesize": 0,
"securityoverridden": false,
"sha256": "dummy_sha256",
"statuscode": 304,
"tenantcontrols": false,
"threats": [],
"time": "09:38:32",
"timestamp": 1665999512000,
"type": "proxy",
"url": "http://google.com",
"useragent": "Microsoft-CryptoAPI/10.0",
"verdict": "allowed",
"warnstatus": ""
},
{
"allapplications": [],
"allowedapplications": [],
"amp": {
"disposition": "",
"malware": "",
"score": 0
},
"antivirusthreats": {
"others": [],
"puas": [],
"viruses": []
},
"blockedapplications": [],
"blockedfiletype": "",
"bundleid": 13531789,
"categories": [
{
"deprecated": false,
"id": 123,
"integration": false,
"label": "Infrastructure and Content Delivery Networks",
"type": "content"
}
],
"contenttype": "application/pkix-crl",
"datacenter": {
"id": "",
"label": ""
},
"datalossprevention": {
"state": ""
},
"date": "2022-10-17",
"destinationip": "1.1.1.1",
"egress": {
"ip": "",
"type": ""
},
"externalip": "4.4.4.4",
"forwardingmethod": "",
"httperrors": [],
"identities": [
{
"deleted": false,
"id": 589064228,
"label": "DESKTOP-IIQVPJ7",
"type": {
"id": 9,
"label": "Roaming Computers",
"type": "roaming"
}
}
],
"internalip": "1.1.1.1",
"isolated": {
"fileaction": "",
"state": ""
},
"policy": {
"destinationlistids": [],
"ruleid": null,
"rulesetid": null,
"timebasedrule": false
},
"policycategories": [],
"port": 80,
"referer": "",
"requestmethod": "GET",
"requestsize": 0,
"responsefilename": " ",
"responsesize": 0,
"securityoverridden": false,
"sha256": "dummy_sha256",
"statuscode": 304,
"tenantcontrols": false,
"threats": [],
"time": "08:36:16",
"timestamp": 1665995776000,
"type": "proxy",
"url": "google.com",
"useragent": "Microsoft-CryptoAPI/10.0",
"verdict": "allowed",
"warnstatus": ""
}
]
}
}

Human Readable Output#

Proxy Activity List#

IdentityPolicy or Ruleset IdentityInternal IPExternal IPActionCategoriesDate & Time
DESKTOP-IIQVPJ7DESKTOP-IIQVPJ710.10.10.2174.4.4.4allowedInfrastructure and Content Delivery Networks2022-10-17T09:38:32Z
DESKTOP-IIQVPJ7DESKTOP-IIQVPJ710.10.10.2174.4.4.4allowedInfrastructure and Content Delivery Networks2022-10-17T08:36:16Z

Context Output for traffic_type = firewall for base command umbrella-reporting-activity-get#

PathTypeDescription
UmbrellaReporting.ActivityFirewall.typeStringType of the request. A Firewall request always has type Firewall.
UmbrellaReporting.ActivityFirewall.destinationipStringDestination IP for entry.
UmbrellaReporting.ActivityFirewall.directionStringThe direction of the packet. It is destined either towards the internet or to the customer's network.
UmbrellaReporting.ActivityFirewall.sourceipStringSource IP for entry.
UmbrellaReporting.ActivityFirewall.destinationportNumberDestination port for entry.
UmbrellaReporting.ActivityFirewall.sourceportNumberSource port for entry.
UmbrellaReporting.ActivityFirewall.packetsizeNumberThe size of the packet that Umbrella CDFW received.
UmbrellaReporting.ActivityFirewall.verdictStringVerdict for entry.
UmbrellaReporting.ActivityFirewall.timestampNumberTimestamp in ms.
UmbrellaReporting.ActivityFirewall.timeStringThe time in 24 hour format based on the timezone parameter.
UmbrellaReporting.ActivityFirewall.dateStringThe date from the timestamp based on the timezone parameter.
UmbrellaReporting.ActivityFirewall.identities.idNumberID of identity.
UmbrellaReporting.ActivityFirewall.identities.type.idNumberOrigin type for identity
UmbrellaReporting.ActivityFirewall.identities.type.typeStringOrigin type name for identity
UmbrellaReporting.ActivityFirewall.identities.type.labelStringOrigin type label for identity
UmbrellaReporting.ActivityFirewall.identities.labelStringLabel for identity
UmbrellaReporting.ActivityFirewall.identities.deletedBooleanIndicates whether the identity was deleted or not
UmbrellaReporting.ActivityFirewall.protocol.labelStringName of the protocol.
UmbrellaReporting.ActivityFirewall.protocol.idNumberID of protocol.
UmbrellaReporting.ActivityFirewall.allapplications.idNumberID of the application.
UmbrellaReporting.ActivityFirewall.allapplications.appStringType: "IT Service Management" (string) - application/protocol type.
UmbrellaReporting.ActivityFirewall.allapplications.labelStringLabel of the application.
UmbrellaReporting.ActivityFirewall.rule.labelStringName of the rule
UmbrellaReporting.ActivityFirewall.rule.idStringID of rule.
UmbrellaReporting.ActivityFirewall.rule.privateapplicationgroup.labelStringName of application group.
UmbrellaReporting.ActivityFirewall.rule.privateapplicationgroup.idNumberID of application group
UmbrellaReporting.ActivityFirewall.applicationprotocols.idNumberID of the application.
UmbrellaReporting.ActivityFirewall.applicationprotocols.appStringType: "IT Service Management" (string) - application/protocol type.
UmbrellaReporting.ActivityFirewall.applicationprotocols.labelStringApplication/Protocol label.

Command example for traffic_type = firewall for base command umbrella-reporting-activity-get#

!umbrella-reporting-activity-get traffic_type=firewall limit=2

Context Example for traffic_type = firewall for base command umbrella-reporting-activity-get#

{
"UmbrellaReporting":{
"ActivityFirewall":[
{
"date": "2019",
"destinationip": "1.1.1.1",
"sourceip": "192.168.0.1",
"sourceport": 0,
"destinationport": 0,
"verdict": "allowed",
"time": "12:34",
"timestamp": 1548311506,
"identities": [
{
"id": 1,
"label": "Catch Rate Testing System",
"type": {
"id": 21,
"label": "Sites",
"type": "site"
},
"deleted": false
}
],
"protocol": {
"id": 17,
"label": "UDP"
},
"rule": {
"id": 1,
"label": "Default Rule"
},
"type": "firewall",
"allapplications": [
{
"id": 72,
"label": "dns IT Service Management",
"app": ""
}
],
"applicationprotocols": [
{
"id": 72,
"label": "dns IT Service Management",
"app": ""
}
],
"packetsize": 32,
"direction": "towards"
}
]
}
}

Human Readable Output#

Firewall Activity List#

IdentityPolicy or Ruleset IdentityInternal IPSource IPSource PortDestination PortProtocolRuleTypeActionPublic ApplicationDirectionDate & Time
Catch Rate Testing SystemCatch Rate Testing System1.1.1.1192.168.0.100UDPDefault Rulefirewallalloweddns IT Service ManagementtowardsSep 16, 2022 05:52 AM

Context Output for traffic_type = intrusion for base command umbrella-reporting-activity-get#

PathTypeDescription
UmbrellaReporting.ActivityIntrusion.typeStringType of the request. A Intrusion request always has type Intrusion.
UmbrellaReporting.ActivityIntrusion.classificationStringThe category of attack detected by a rule that is part of a more general type of attack class, such as trojan-activity, attempted-user, and unknown.
UmbrellaReporting.ActivityIntrusion.destinationipStringDestination IP for entry.
UmbrellaReporting.ActivityIntrusion.severityStringThe severity level of the rule, such as High, Medium, Low, and Very Low.
UmbrellaReporting.ActivityIntrusion.sourceipStringSource IP for entry
UmbrellaReporting.ActivityIntrusion.destinationportNumberDestination port for entry.
UmbrellaReporting.ActivityIntrusion.sessionidNumberThe unique identifier of a session, which is used to group the correlated events between various services.
UmbrellaReporting.ActivityIntrusion.sourceportNumberSource port for entry.
UmbrellaReporting.ActivityIntrusion.verdictStringVerdict for entry.
UmbrellaReporting.ActivityIntrusion.timestampNumberTimestamp in ms.
UmbrellaReporting.ActivityIntrusion.timeStringThe time in 24 hour format based on the timezone parameter.
UmbrellaReporting.ActivityIntrusion.dateStringThe date from the timestamp based on the timezone parameter.
UmbrellaReporting.ActivityIntrusion.identities.idNumberID of identity.
UmbrellaReporting.ActivityIntrusion.identities.type.idNumberOrigin type for identity
UmbrellaReporting.ActivityIntrusion.identities.type.typeStringOrigin type name for identity
UmbrellaReporting.ActivityIntrusion.identities.type.labelStringOrigin type label for identity
UmbrellaReporting.ActivityIntrusion.identities.labelStringLabel for identity
UmbrellaReporting.ActivityIntrusion.identities.deletedBooleanIndicates whether the identity was deleted or not
UmbrellaReporting.ActivityIntrusion.protocol.labelStringName of the protocol.
UmbrellaReporting.ActivityIntrusion.protocol.idNumberID of protocol.
UmbrellaReporting.ActivityIntrusion.signature.idNumberID of the application.
UmbrellaReporting.ActivityIntrusion.signature.generatoridNumberUnique id assigned to the part of the IPS which generated the event.
UmbrellaReporting.ActivityIntrusion.signature.labelStringA brief description of the signature.
UmbrellaReporting.ActivityIntrusion.signature.cvesStringAn identifier for a known security vulnerability/exposure.
UmbrellaReporting.ActivityIntrusion.signaturelist.idNumberUnique id assigned to a Default or Custom Signature List.

Command example for traffic_type = intrusion for base command umbrella-reporting-activity-get#

!umbrella-reporting-activity-get traffic_type=intrusion limit=2

Context Example for traffic_type = intrusion for base command umbrella-reporting-activity-get#

{
"UmbrellaReporting":{
"ActivityIntrusion":[
{
"type": "intrusion",
"date": "12-02-22",
"destinationip": "10.10.10.10",
"protocol": {
"id": 17,
"label": "UDP"
},
"sourceip": "10.10.10.10",
"signaturelist": { "id": 1111 },
"classification": "malicious",
"sourceport": 22,
"sessionid": 190898098,
"verdict": "detected",
"destinationport": 33,
"timestamp": 1594557262000,
"time": "09:30",
"identities": [
{
"id": 211034846,
"type": {
"id": 34,
"type": "anyconnect",
"label": "Anyconnect Roaming Client"
},
"label": "omerta",
"deleted": false
}
],
"severity": "HIGH",
"signature": {
"generatorid": 1,
"id": 47829,
"label": "SERVER-OTHER JBoss Richfaces expression language injection attempt",
"cves": [
"cve-2015-0279",
"cve-2018-12532"
]
}
}
]
}
}

Context Output for traffic_type = ip for base command umbrella-reporting-activity-get#

PathTypeDescription
UmbrellaReporting.ActivityIP.typeStringType of the request. A IP request always has type IP.
UmbrellaReporting.ActivityIP.destinationipStringDestination IP for entry.
UmbrellaReporting.ActivityIP.sourceipStringSource IP for entry
UmbrellaReporting.ActivityIP.destinationportNumberDestination port for entry.
UmbrellaReporting.ActivityIP.sourceportNumberSource port for entry.
UmbrellaReporting.ActivityIP.verdictStringVerdict for entry.
UmbrellaReporting.ActivityIP.timestampNumberTimestamp in ms.
UmbrellaReporting.ActivityIP.timeStringThe time in 24 hour format based on the timezone parameter.
UmbrellaReporting.ActivityIP.dateStringThe date from the timestamp based on the timezone parameter.
UmbrellaReporting.ActivityIP.identities.idNumberID of identity.
UmbrellaReporting.ActivityIP.identities.type.idNumberOrigin type for identity
UmbrellaReporting.ActivityIP.identities.type.typeStringOrigin type name for identity
UmbrellaReporting.ActivityIP.identities.type.labelStringOrigin type label for identity
UmbrellaReporting.ActivityIP.identities.labelStringLabel for identity
UmbrellaReporting.ActivityIP.identities.deletedBooleanIndicates whether the identity was deleted or not
UmbrellaReporting.ActivityIP.categories.idNumberid of category
UmbrellaReporting.ActivityIP.categories.labelStringThe human readable label of the category
UmbrellaReporting.ActivityIP.categories.typeStringThe type of category
UmbrellaReporting.ActivityIP.categories.deprecatedBooleanIf the category is a legacy category
UmbrellaReporting.ActivityIP.categories.integrationBooleanIf the category is an integration

Command example#

!umbrella-reporting-activity-get traffic_type=ip limit=2

Context Example for traffic_type = ip for base command umbrella-reporting-activity-get#

{
"UmbrellaReporting":{
"ActivityIP":[
{
"destinationip": "1.1.1.1",
"sourceip": "192.168.0.1",
"date": "03-15-22",
"sourceport": 0,
"destinationport": 0,
"verdict": "allowed",
"timestamp": 1548311506,
"time": "10:15",
"identities": [
{
"id": 1,
"label": "Catch Rate Testing System",
"type": {
"id": 21,
"label": "Sites",
"type": "site"
},
"deleted": false
}
],
"categories": [
{
"id": 66,
"label": "Malware",
"type": "security",
"integration": true
}
],
"type": "ip"
}
]
}
}

Human Readable Output#

IP Activity List#

IdentityDestination IPSource IPSource PortDestination PortCategoriesTypeActionDate & Time
Catch Rate Testing System10.10.10.1010.10.10.102233MalwareIPallowedSep 16, 2022 05:52 AM

umbrella-reporting-summary-list#


Get the summary.

Base Command#

umbrella-reporting-summary-list

Input#

Argument NameDescriptionRequired
summary_typeGet summary list of different summary types. Valid values for summary_type are category, destination, intrusion_rule.
If summary type is not provided by the user, then all summary types i.e., category, destination, intrusion_rule will be considered.

Supported optional parameters for category summary type are domain, urls, ip, identity_types, verdict, file_name, threats, threat_types, amp_disposition.

Supported optional parameters for destination summary type are domain, urls, ip, identity_types, verdict, file_name, threats, threat_types, amp_disposition.

Supported optional parameters for intrusion_rule summary type are signatures, ip, identity_types, intrusion_action, ports.
Optional
fromA timestamp (milliseconds) or relative time string (for example:-1days' or '1639146300000'). Filter for data that appears after this time. Default is -7days.Optional
toA timestamp (milliseconds) or relative time string (for example:'now' or 1661510185000). Filter for data that appears before this time. Default is 'now'.Optional
limitThe maximum number of records to return from the collection. Limit default value is 50. If the page_size argument is set by the user then the limit argument will be ignored.Optional
domainsA domain name or comma-separated list of domain names.Optional
urlsA URL or comma-separated list of URLs.Optional
ipAn IP address.Optional
portsA port number or comma-separated list of port numbers.Optional
identity_typesAn identity type or comma-separated list of identity types.Optional
verdictA verdict string. Possible values are: allowed, blocked, proxied.Optional
file_nameA string that identifies a filename. Filter the request by the filename. Supports globbing or use of the wildcard character (''). The asterisk (*) matches zero or more occurrences of any character.Optional
threatsA threat name or comma-separated list of threat names.Optional
threat_typesA threat type or comma-separated list of threat types.Optional
amp_dispositionAn Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
signaturesA comma-separated list of Generator id - Signatures ID. Where Generator ID is unique id assigned to the part of the IPS which generated the event and Signature ID is used to uniquely identify signatures. Example:- 1-2,1-4.Optional
intrusion_actionComma-separated List of intrusion actions. Possible values: would_block, blocked, detected.Optional
categoriesA comma-separated list of category ids to filter on.Optional

Context Output for summary for base command umbrella-reporting-summary-list#

PathTypeDescription
UmbrellaReporting.Summary.applicationsNumberTotal number of applications (avc or total).
UmbrellaReporting.Summary.applicationsallowedNumberTotal number of allowed applications.
UmbrellaReporting.Summary.applicationsblockedNumberTotal number of blocked applications.
UmbrellaReporting.Summary.categoriesNumberTotal number of categories.
UmbrellaReporting.Summary.domainsNumberTotal number of domains.
UmbrellaReporting.Summary.filesNumberTotal number of files.
UmbrellaReporting.Summary.filetypesNumberTotal number of file types.
UmbrellaReporting.Summary.identitiesNumberTotal number of identities.
UmbrellaReporting.Summary.identitytypesNumberTotal number of identity types.
UmbrellaReporting.Summary.policycategoriesNumberTotal number of blocked categories.
UmbrellaReporting.Summary.policyrequestsNumberTotal number of policy requests.
UmbrellaReporting.Summary.requestsNumberTotal number of requests.
UmbrellaReporting.Summary.requestsallowedNumberTotal number of allowed requests.
UmbrellaReporting.Summary.requestsblockedNumberTotal number of blocked requests.

Command example#

!umbrella-reporting-summary-list domains=api.tunnels.cdfw.umbrella.com

Context Example#

{
"UmbrellaReporting": {
"Summary": {
"applications": 0,
"applicationsallowed": 0,
"applicationsblocked": 0,
"categories": 4,
"domains": 1,
"files": 0,
"filetypes": 0,
"identities": 3,
"identitytypes": 2,
"policycategories": 0,
"policyrequests": 0,
"requests": 6,
"requestsallowed": 6,
"requestsblocked": 0
}
}
}

Human Readable Output#

Summary List#

ApplicationAllowed ApplicationBlocked ApplicationCategoryDomainFileFile TypeIdentityIdentity TypePolicy CategoryPolicy RequestRequestAllowed RequestBlocked Request
00041003200660

Context Output for summary_type=category for base command umbrella-reporting-summary-list#

PathTypeDescription
UmbrellaReporting.SummaryWithCategory.category.labelStringThe human readable label of the category.
UmbrellaReporting.SummaryWithCategory.category.typeStringThe type of category.
UmbrellaReporting.SummaryWithCategory.category.deprecatedBooleanIf the category is a legacy category.
UmbrellaReporting.SummaryWithCategory.category.integrationbooleanIf the category is an integration.
UmbrellaReporting.SummaryWithCategory.category.idNumberID of category.
UmbrellaReporting.SummaryWithCategory.summary.applicationsNumberTotal number of applications (avc or total).
UmbrellaReporting.SummaryWithCategory.summary.applicationsallowedNumberTotal number of allowed applications.
UmbrellaReporting.SummaryWithCategory.summary.applicationsblockedNumberTotal number of blocked applications.
UmbrellaReporting.SummaryWithCategory.summary.categoriesNumberTotal number of categories.
UmbrellaReporting.SummaryWithCategory.summary.domainsNumberTotal number of domains.
UmbrellaReporting.SummaryWithCategory.summary.filesNumberTotal number of files.
UmbrellaReporting.SummaryWithCategory.summary.filetypesNumberTotal number of file types.
UmbrellaReporting.SummaryWithCategory.summary.identitiesNumberTotal number of identities.
UmbrellaReporting.SummaryWithCategory.summary.identitytypesNumberTotal number of identity types.
UmbrellaReporting.SummaryWithCategory.summary.policycategoriesNumberTotal number of blocked categories.
UmbrellaReporting.SummaryWithCategory.summary.policyrequestsNumberTotal number of policy requests.
UmbrellaReporting.SummaryWithCategory.summary.requestsNumberTotal number of requests.
UmbrellaReporting.SummaryWithCategory.summary.requestsallowedNumberTotal number of allowed requests.
UmbrellaReporting.SummaryWithCategory.summary.requestsblockedNumberTotal number of blocked requests.

Command example for summary_type=category for base command umbrella-reporting-summary-list#

!umbrella-reporting-summary-list summary_type=category limit=1

Context Example for summary_type=category for base command umbrella-reporting-summary-list#

{
"UmbrellaReporting":{
"SummaryWithCategory":[
{
"category": {
"id": 66,
"label": "Malware",
"type": "security",
"integration": true
},
"summary": {
"applications": 0,
"domains": 0,
"requestsblocked": 0,
"filetypes": 0,
"policycategories": 0,
"requests": 0,
"requestsallowed": 0,
"categories": 0,
"identitytypes": 0,
"applicationsblocked": 0,
"files": 0,
"identities": 0,
"applicationsallowed": 0,
"policyrequests": 0
}
}
]
}
}

Human Readable Output#

Summary with Category List#

Category TypeCategory NameApplicationAllowed ApplicationBlocked ApplicationCategoryDomainFileFile TypeIdentityIdentity TypePolicy CategoryPolicy RequestRequestAllowed RequestBlocked Request
securityMalware00000000000000

Context Output for summary_type=destination for base command umbrella-reporting-summary-list#

PathTypeDescription
UmbrellaReporting.SummaryWithDestination.domainStringDestination domain.
UmbrellaReporting.SummaryWithDestination.summary.applicationsNumberTotal number of applications (avc or total).
UmbrellaReporting.SummaryWithDestination.summary.applicationsallowedNumberTotal number of allowed applications.
UmbrellaReporting.SummaryWithDestination.summary.applicationsblockedNumberTotal number of blocked applications.
UmbrellaReporting.SummaryWithDestination.summary.categoriesNumberTotal number of categories.
UmbrellaReporting.SummaryWithDestination.summary.domainsNumberTotal number of domains.
UmbrellaReporting.SummaryWithDestination.summary.filesNumberTotal number of files.
UmbrellaReporting.SummaryWithDestination.summary.filetypesNumberTotal number of file types.
UmbrellaReporting.SummaryWithDestination.summary.identitiesNumberTotal number of identities.
UmbrellaReporting.SummaryWithDestination.summary.identitytypesNumberTotal number of identity types.
UmbrellaReporting.SummaryWithDestination.summary.policycategoriesNumberTotal number of blocked categories.
UmbrellaReporting.SummaryWithDestination.summary.policyrequestsNumberTotal number of policy requests.
UmbrellaReporting.SummaryWithDestination.summary.requestsNumberTotal number of requests.
UmbrellaReporting.SummaryWithDestination.summary.requestsallowedNumberTotal number of allowed requests.
UmbrellaReporting.SummaryWithDestination.summary.requestsblockedNumberTotal number of blocked requests.

Command example for summary_type=destination for base command umbrella-reporting-summary-list#

!umbrella-reporting-summary-list summary_type=destination limit=1

Context Example for summary_type=destination for base command umbrella-reporting-summary-list#

{
"UmbrellaReporting":{
"SummaryWithDestination":[
{
"domain": "dummy.domain.com",
"summary": {
"applications": 0,
"domains": 0,
"requestsblocked": 0,
"filetypes": 0,
"policycategories": 0,
"policyrequests": 0,
"requests": 0,
"requestsallowed": 0,
"categories": 0,
"identitytypes": 0,
"applicationsblocked": 0,
"files": 0,
"identities": 0,
"applicationsallowed": 0
}
}
]
}
}

Human Readable Output#

Summary with Destination List#

DestinationApplicationAllowed ApplicationBlocked ApplicationCategoryDomainFileFile TypeIdentityIdentity TypePolicy CategoryPolicy RequestRequestAllowed RequestBlocked Request
www.google.com00000000000000

Context Output for summary_type=intrusion_rule for base command umbrella-reporting-summary-list#

PathTypeDescription
UmbrellaReporting.SignatureListSummary.signaturelist.idNumberUnique id assigned to a Default or Custom Signature List.
UmbrellaReporting.SignatureListSummary.signatures.generatoridNumberGenerator id.
UmbrellaReporting.SignatureListSummary.signatures.idNumberSignature ID.
UmbrellaReporting.SignatureListSummary.signatures.lasteventatNumberLast Eevent At.
UmbrellaReporting.SignatureListSummary.signatures.counts.blockedNumberBlocked
UmbrellaReporting.SignatureListSummary.signatures.counts.detectedNumberDetected.
UmbrellaReporting.SignatureListSummary.signatures.counts.wouldblockNumberWould Block.

Command example for summary_type=intrusion_rule for base command umbrella-reporting-summary-list#

!umbrella-reporting-summary-list summary_type=intrusion_rule limit=1

Context Example for summary_type=intrusion_rule for base command umbrella-reporting-summary-list#

{
"UmbrellaReporting":{
"SignatureListSummary":[
{
"signaturelist": { "id": 1111 },
"signatures": [
{
"counts": {
"blocked": 0,
"detected": 1,
"wouldblock": 0
},
"generatorid": 1,
"lasteventat": 1594557262000,
"id": 47829
}
]
}
]
}
}

Human Readable Output#

Summary with Intrusion List#

BlockedDetectedWould BlockLast Event
0101594557262000