# Cisco Umbrella Reporting

This integration is part of the Cisco Umbrella Reporting Pack.

Supported Cortex XSOAR versions: 6.5.0 and later.

Use Cisco Umbrella's Reporting to monitor your Umbrella integration and gain a better understanding of your Umbrella usage. Gain insights into request activity and blocked activity, and determine which of your identities are generating blocked requests. Reports help build actionable intelligence for addressing security threats, including changes in usage trends over time.

The Umbrella Reporting v2 API provides visibility into your core network and security activities and Umbrella logs. This integration was integrated and tested with version v2 of the Cisco Umbrella Reporting API.
## Configure Cisco Umbrella Reporting on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for Cisco Umbrella Reporting.
3. Click Add instance to create and configure a new integration instance.
4. Click Test to validate the URLs, token, and connection.

Parameter | Description | Required |
---|---|---|
API URL | Cisco Umbrella Reporting API base URL. | True |
API Key | API Key | True |
API Secret | API Secret | True |
Trust any certificate (not secure) | | False |
Use system proxy settings | | False |

Leave "Trust any certificate (not secure)" disabled unless you are deliberately testing against an endpoint whose certificate cannot be validated: enabling it turns off TLS certificate verification, so the API key and secret are sent to whichever host answers at the configured API URL.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### umbrella-reporting-destination-list

List of destinations ordered by the number of requests made, in descending order.

#### Base Command

`umbrella-reporting-destination-list`

#### Input

Argument Name | Description | Required |
---|---|---|
traffic_type | Specify the type of traffic. By default, all supported traffic types are included. Possible values are: dns, proxy, firewall, ip. | Optional |
domains | A domain name or comma-separated list of domain names. | Optional |
ip | An IP address. | Optional |
urls | A URL or comma-separated list of URLs. | Optional |
ports | A port number or comma-separated list of port numbers. | Optional |
sha256 | A SHA-256 hash. | Optional |
threats | A threat name or comma-separated list of threat names. | Optional |
threat_types | A threat type or comma-separated list of threat types. | Optional |
amp_disposition | An Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown. | Optional |
from | A timestamp in milliseconds or a relative time string (for example: '-1days' or '1639146300000'). Filter for data that appears after this time. Default is '-7days'. | Optional |
to | A timestamp in milliseconds or a relative time string (for example: 'now' or '1661510185000'). Filter for data that appears before this time. Default is 'now'. | Optional |
limit | The maximum number of records to return from the collection. Limit default value is 50. If the page_size argument is set by the user then the limit argument will be ignored. | Optional |
identity_types | An identity type or comma-separated list of identity types. | Optional |
verdict | A verdict string. Possible values are: allowed, blocked, proxied. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
categories | A comma-separated list of category ids to filter on. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
UmbrellaReporting.Destination.count | Number | Total number of requests made for this destination. |
UmbrellaReporting.Destination.domain | String | Destination. |
UmbrellaReporting.Destination.bandwidth | Number | The total bandwidth of proxy requests uploaded and downloaded for this destination. |
UmbrellaReporting.Destination.rank | Number | The rank of the result based on the number of requests. |
UmbrellaReporting.Destination.policycategories.id | Number | ID of the category. |
UmbrellaReporting.Destination.policycategories.label | String | The human readable label of the category. |
UmbrellaReporting.Destination.policycategories.type | String | The type of category. |
UmbrellaReporting.Destination.policycategories.deprecated | Boolean | Whether the category is a legacy category. |
UmbrellaReporting.Destination.policycategories.integration | Boolean | Whether the category is an integration. |
UmbrellaReporting.Destination.categories.id | Number | ID of the category. |
UmbrellaReporting.Destination.categories.label | String | The human readable label of the category. |
UmbrellaReporting.Destination.categories.type | String | The type of category. |
UmbrellaReporting.Destination.categories.deprecated | Boolean | Whether the category is a legacy category. |
UmbrellaReporting.Destination.categories.integration | Boolean | Whether the category is an integration. |
UmbrellaReporting.Destination.counts.allowedrequests | Number | Number of requests that were allowed. |
UmbrellaReporting.Destination.counts.blockedrequests | Number | Number of requests that were blocked. |
UmbrellaReporting.Destination.counts.requests | Number | Total number of requests. |
#### Command example

`!umbrella-reporting-destination-list limit=2`

#### Human Readable Output

##### Destination List

Destination | Category | Allowed | Blocked | Requests |
---|---|---|---|---|
www.cisco.com | Computers and Internet, Infrastructure and Content Delivery Networks, Application, abc/efgh, Business Services | 1286 | 0 | 1286 |
presence.teams.microsoft.com | Business and Industry, Computers and Internet, Online Meetings, Application, abc/efgh, Business Services | 1003 | 0 | 1003 |
### umbrella-reporting-category-list

List of categories ordered by the number of requests made matching the categories, in descending order.

#### Base Command

`umbrella-reporting-category-list`

#### Input

Argument Name | Description | Required |
---|---|---|
traffic_type | Specify the type of traffic. By default, all supported traffic types are included. Possible values are: dns, proxy, ip. | Optional |
from | A timestamp in milliseconds or a relative time string (for example: '-1days' or '1639146300000'). Filter for data that appears after this time. Default is '-7days'. | Optional |
to | A timestamp in milliseconds or a relative time string (for example: 'now' or '1661510185000'). Filter for data that appears before this time. Default is 'now'. | Optional |
domains | A domain name or comma-separated list of domain names. | Optional |
urls | A URL or comma-separated list of URLs. | Optional |
ip | An IP address. | Optional |
sha256 | A SHA-256 hash. | Optional |
threats | A threat name or comma-separated list of threat names. | Optional |
threat_types | A threat type or comma-separated list of threat types. | Optional |
amp_disposition | An Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown. | Optional |
identity_types | An identity type or comma-separated list of identity types. | Optional |
verdict | A verdict string. Possible values are: allowed, blocked, proxied. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
categories | A comma-separated list of category ids to filter on. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
UmbrellaReporting.Category.count | Number | Number of requests made that match this category. |
UmbrellaReporting.Category.bandwidth | String | The total bandwidth of proxy requests uploaded and downloaded for this category. |
UmbrellaReporting.Category.category.id | Number | Category ID. |
UmbrellaReporting.Category.category.type | String | Category type. |
UmbrellaReporting.Category.category.label | String | Category label. |
UmbrellaReporting.Category.category.integration | Boolean | Category integration. |
UmbrellaReporting.Category.category.deprecated | String | Category deprecated. |
UmbrellaReporting.Category.rank | Number | Rank of the category. |
#### Command example

`!umbrella-reporting-category-list limit=2`

#### Human Readable Output

##### Category List

Category | Type | Activity |
---|---|---|
Application | application | 32446 |
abc/efgh | content | 26112 |
### umbrella-reporting-identity-list

List of identities ordered by the number of requests made matching the categories, in descending order.

#### Base Command

`umbrella-reporting-identity-list`

#### Input

Argument Name | Description | Required |
---|---|---|
traffic_type | Specify the type of traffic. By default, all supported traffic types are included. Possible values are: dns, proxy, firewall, ip. | Optional |
from | A timestamp in milliseconds or a relative time string (for example: '-1days' or '1639146300000'). Filter for data that appears after this time. Default is '-7days'. | Optional |
to | A timestamp in milliseconds or a relative time string (for example: 'now' or '1661510185000'). Filter for data that appears before this time. Default is 'now'. | Optional |
domains | A domain name or comma-separated list of domain names. | Optional |
urls | A URL or comma-separated list of URLs. | Optional |
ip | An IP address. | Optional |
ports | A port number or comma-separated list of port numbers. | Optional |
verdict | A verdict string. Possible values are: allowed, blocked, proxied. | Optional |
sha256 | A SHA-256 hash. | Optional |
threats | A threat name or comma-separated list of threat names. | Optional |
threat_types | A threat type or comma-separated list of threat types. | Optional |
amp_disposition | An Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown. | Optional |
identity_types | An identity type or comma-separated list of identity types. | Optional |
limit | The maximum number of records to return from the collection. Limit default value is 50. If the page_size argument is set by the user then the limit argument will be ignored. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
categories | A comma-separated list of category ids to filter on. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
UmbrellaReporting.Identity.requests | Number | Total number of requests made by this identity. |
UmbrellaReporting.Identity.bandwidth | Number | The total bandwidth of proxy requests uploaded and downloaded for this identity. |
UmbrellaReporting.Identity.rank | Number | The rank of the result based on the number of requests. |
UmbrellaReporting.Identity.counts.allowedrequests | Number | Number of requests that were allowed. |
UmbrellaReporting.Identity.counts.blockedrequests | Number | Number of requests that were blocked. |
UmbrellaReporting.Identity.counts.requests | Number | Total number of requests. |
UmbrellaReporting.Identity.identity.id | Number | Identity ID. |
UmbrellaReporting.Identity.identity.type.id | Number | Origin type for the identity. |
UmbrellaReporting.Identity.identity.type.type | String | Origin type name for the identity. |
UmbrellaReporting.Identity.identity.type.label | String | Origin type label for the identity. |
UmbrellaReporting.Identity.identity.label | String | Label for the identity. |
UmbrellaReporting.Identity.identity.deleted | Boolean | Indicates whether the identity was deleted. |
#### Command example

`!umbrella-reporting-identity-list limit=2`

#### Human Readable Output

##### Identities List

Identity | Requests |
---|---|
DESKTOP-IIQVPJ7 | 29753 |
S’s MacBook Pro | 18082 |
### umbrella-reporting-event-type-list

List of event types ordered by the number of requests made for each type of event, in descending order. The event types are: domain_security, domain_integration, url_security, url_integration, cisco_amp and antivirus.

#### Base Command

`umbrella-reporting-event-type-list`

#### Input

Argument Name | Description | Required |
---|---|---|
from | A timestamp in milliseconds or a relative time string (for example: '-1days' or '1639146300000'). Filter for data that appears after this time. Default is '-7days'. | Optional |
to | A timestamp in milliseconds or a relative time string (for example: 'now' or '1661510185000'). Filter for data that appears before this time. Default is 'now'. | Optional |
domains | A domain name or comma-separated list of domain names. | Optional |
urls | A URL or comma-separated list of URLs. | Optional |
ip | An IP address. | Optional |
identity_types | An identity type or comma-separated list of identity types. | Optional |
verdict | A verdict string. Possible values are: allowed, blocked, proxied. | Optional |
threats | A threat name or comma-separated list of threat names. | Optional |
threat_types | A threat type or comma-separated list of threat types. | Optional |
amp_disposition | An Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
categories | A comma-separated list of category ids to filter on. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
UmbrellaReporting.EventType.eventtype | String | The event type. One of "domain_security", "domain_integration", "url_security", "url_integration", "cisco_amp" and "antivirus". |
UmbrellaReporting.EventType.count | Number | Number of requests made that match this event type. |
#### Command example

`!umbrella-reporting-event-type-list`

#### Human Readable Output

##### Event Type List

Event Type | Count |
---|---|
domain_security | 2 |
url_integration | 0 |
url_security | 0 |
antivirus | 0 |
application | 0 |
cisco_amp | 0 |
domain_integration | 0 |
### umbrella-reporting-file-list

List of files within a time frame. Only returns proxy data.

#### Base Command

`umbrella-reporting-file-list`

#### Input

Argument Name | Description | Required |
---|---|---|
from | A timestamp in milliseconds or a relative time string (for example: '-1days' or '1639146300000'). Filter for data that appears after this time. Default is '-7days'. | Optional |
to | A timestamp in milliseconds or a relative time string (for example: 'now' or '1661510185000'). Filter for data that appears before this time. Default is 'now'. | Optional |
limit | The maximum number of records to return from the collection. Limit default value is 50. If the page_size argument is set by the user then the limit argument will be ignored. | Optional |
domains | A domain name or comma-separated list of domain names. | Optional |
urls | A URL or comma-separated list of URLs. | Optional |
ip | An IP address. | Optional |
verdict | A verdict string. Possible values are: allowed, blocked, proxied. | Optional |
sha256 | A SHA-256 hash. | Optional |
amp_disposition | An Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown. | Optional |
identity_types | An identity type or comma-separated list of identity types. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
categories | A comma-separated list of category ids to filter on. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
UmbrellaReporting.File.requests | Number | Number of requests. |
UmbrellaReporting.File.identitycount | Number | Number of identities for entry. |
UmbrellaReporting.File.sha256 | String | SHA256 for entry. |
UmbrellaReporting.File.filenames | Unknown | Array of filenames for entry. |
UmbrellaReporting.File.filetypes | Unknown | Array of file types for entry. |
UmbrellaReporting.File.categories.id | Number | ID of the category. |
UmbrellaReporting.File.categories.label | String | The human readable label of the category. |
UmbrellaReporting.File.categories.type | String | The type of category. |
UmbrellaReporting.File.categories.deprecated | Boolean | Whether the category is a legacy category. |
UmbrellaReporting.File.categories.integration | Boolean | Whether the category is an integration. |
#### Command example

`!umbrella-reporting-file-list limit=2`

#### Human Readable Output

##### File List

Requests | Identity Count | SHA256 | Category | Category Type | File Name |
---|---|---|---|---|---|
2 | 1 | 94fe42af4a67ed5be45bd7913d8a8aebc4e35afddd5675d01bd37df8e9b399ae | Online Meetings, Application | content, application | AnyDesk.exe |
### umbrella-reporting-threat-list

List of top threats within a time frame. Returns both DNS and proxy data.

#### Base Command

`umbrella-reporting-threat-list`

#### Input

Argument Name | Description | Required |
---|---|---|
traffic_type | Specify the type of traffic. By default, all supported traffic types are included. Possible values are: dns, proxy. | Optional |
from | A timestamp in milliseconds or a relative time string (for example: '-1days' or '1639146300000'). Filter for data that appears after this time. Default is '-7days'. | Optional |
to | A timestamp in milliseconds or a relative time string (for example: 'now' or '1661510185000'). Filter for data that appears before this time. Default is 'now'. | Optional |
limit | The maximum number of records to return from the collection. Limit default value is 50. If the page_size argument is set by the user then the limit argument will be ignored. | Optional |
domains | A domain name or comma-separated list of domain names. | Optional |
ip | An IP address. | Optional |
identity_types | An identity type or comma-separated list of identity types. | Optional |
verdict | A verdict string. Possible values are: allowed, blocked, proxied. | Optional |
threats | A threat name or comma-separated list of threat names. | Optional |
threat_types | A threat type or comma-separated list of threat types. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
categories | A comma-separated list of category ids to filter on. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
UmbrellaReporting.Threat.threat | String | The threat name. |
UmbrellaReporting.Threat.threattype | String | The threat type. |
UmbrellaReporting.Threat.count | Number | The number of requests for that threat name. |
#### Command example

`!umbrella-reporting-threat-list limit=1`

#### Human Readable Output

##### Threat List

Threat Type | Count |
---|---|
Adware | 1 |
### umbrella-reporting-activity-list

List all activity entries (dns/proxy/firewall/ip/intrusion/amp) within the time frame.

#### Base Command

`umbrella-reporting-activity-list`

#### Input

Argument Name | Description | Required |
---|---|---|
from | A timestamp in milliseconds or a relative time string (for example: '-1days' or '1639146300000'). Filter for data that appears after this time. Default is '-7days'. | Optional |
to | A timestamp in milliseconds or a relative time string (for example: 'now' or '1661510185000'). Filter for data that appears before this time. Default is 'now'. | Optional |
limit | The maximum number of records to return from the collection. Limit default value is 50. If the page_size argument is set by the user then the limit argument will be ignored. | Optional |
domains | A domain name or comma-separated list of domain names. | Optional |
urls | A URL or comma-separated list of URLs. | Optional |
ip | An IP address. | Optional |
ports | A port number or comma-separated list of port numbers. | Optional |
identity_types | An identity type or comma-separated list of identity types. | Optional |
verdict | A verdict string. Possible values are: allowed, blocked, proxied. | Optional |
file_name | A string that identifies a filename. Filter the request by the filename. Supports globbing with the wildcard character ('*'): the asterisk matches zero or more occurrences of any character. | Optional |
threats | A threat name or comma-separated list of threat names. | Optional |
threat_types | A threat type or comma-separated list of threat types. | Optional |
amp_disposition | An Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
categories | A comma-separated list of category ids to filter on. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
UmbrellaReporting.Activity.type | String | Type of the request. |
UmbrellaReporting.Activity.externalip | String | External IP address for entry. |
UmbrellaReporting.Activity.internalip | String | Internal IP address for entry. |
UmbrellaReporting.Activity.policycategories.id | Number | ID of the category. |
UmbrellaReporting.Activity.policycategories.label | String | The human readable label of the category. |
UmbrellaReporting.Activity.policycategories.type | String | The type of category. |
UmbrellaReporting.Activity.policycategories.deprecated | Boolean | Whether the category is a legacy category. |
UmbrellaReporting.Activity.policycategories.integration | Boolean | Whether the category is an integration. |
UmbrellaReporting.Activity.categories.id | Number | ID of the category. |
UmbrellaReporting.Activity.categories.label | String | The human readable label of the category. |
UmbrellaReporting.Activity.categories.type | String | The type of category. |
UmbrellaReporting.Activity.categories.deprecated | Boolean | Whether the category is a legacy category. |
UmbrellaReporting.Activity.categories.integration | Boolean | Whether the category is an integration. |
UmbrellaReporting.Activity.verdict | String | Verdict for entry. |
UmbrellaReporting.Activity.domain | String | Domain for entry. |
UmbrellaReporting.Activity.timestamp | Number | Timestamp in ms. |
UmbrellaReporting.Activity.time | String | The time in 24 hour format based on the time zone parameter. |
UmbrellaReporting.Activity.date | String | The date from the timestamp based on the time zone parameter. |
UmbrellaReporting.Activity.identities.id | Number | ID of the identity. |
UmbrellaReporting.Activity.identities.type.id | Number | Origin type for the identity. |
UmbrellaReporting.Activity.identities.type.type | String | Origin type name for the identity. |
UmbrellaReporting.Activity.identities.type.label | String | Origin type label for the identity. |
UmbrellaReporting.Activity.identities.label | String | Label for the identity. |
UmbrellaReporting.Activity.identities.deleted | Boolean | Indicates whether the identity was deleted. |
UmbrellaReporting.Activity.threats.label | String | The threat name or label. |
UmbrellaReporting.Activity.threats.type | String | The type of threat. |
UmbrellaReporting.Activity.allapplications.id | Number | ID of the application. |
UmbrellaReporting.Activity.allapplications.type | String | Type of the application, NBAR or AVC. |
UmbrellaReporting.Activity.allapplications.label | String | Label of the application. |
UmbrellaReporting.Activity.allapplications.category.label | String | Label of the application category. |
UmbrellaReporting.Activity.allapplications.category.id | Number | ID of the application category. |
UmbrellaReporting.Activity.allowedapplications.id | Number | ID of the application. |
UmbrellaReporting.Activity.allowedapplications.label | String | Label of the application. |
UmbrellaReporting.Activity.allowedapplications.type | String | Type of the application, NBAR or AVC. |
UmbrellaReporting.Activity.allowedapplications.category.label | String | Label of the application category. |
UmbrellaReporting.Activity.allowedapplications.category.id | Number | ID of the application category. |
UmbrellaReporting.Activity.querytype | String | The type of DNS request that was made. For more information, see Common DNS Request Types. https://support.umbrella.com/hc/en-us/articles/232254248-Common-DNS-return-codes-for-any-DNS-service-and-Umbrella- |
UmbrellaReporting.Activity.returncode | Number | The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella). https://support.umbrella.com/hc/en-us/articles/232254248-Common-DNS-return-codes-for-any-DNS-service-and-Umbrella- |
UmbrellaReporting.Activity.blockedapplications.id | Number | ID of the application. |
UmbrellaReporting.Activity.blockedapplications.label | String | Label of the application. |
UmbrellaReporting.Activity.blockedapplications.type | String | Type of the application, NBAR or AVC. |
UmbrellaReporting.Activity.blockedapplications.category.label | String | Label of the application category. |
UmbrellaReporting.Activity.blockedapplications.category.id | Number | ID of the application category. |
#### Command example

`!umbrella-reporting-activity-list limit=2`

#### Human Readable Output

##### Activity List

Request | Identity | Policy or Ruleset Identity | Destination | Internal IP | External IP | DNS Type | Action | Categories | Public Application | Application Category | Date & Time |
---|---|---|---|---|---|---|---|---|---|---|---|
dns | S’s MacBook Pro | S’s MacBook Pro | stats.g.doubleclick.net | 1.1.1.1 | 4.4.4.4 | A | allowed | Advertisements, Application | Google Marketing Platform | Ad Publishing | 2022-10-29T07:39:08Z |
dns | S’s MacBook Pro | S’s MacBook Pro | google.com | 1.1.1.1 | 4.4.4.4 | AAAA | allowed | abc/efgh, Infrastructure and Content Delivery Networks, Application | Do Not Decrypt Application | Sample Application Group | 2022-10-29T07:38:57Z |
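The introduction says reports are for working out which identities generate blocked requests. The following is an added example, not code from the integration or from Cisco, that does that over a list of activity entries shaped like the `UmbrellaReporting.Activity` context documented above (the `verdict`, `domain`, `identities` and `threats` fields). `SAMPLE_ACTIVITY` is constructed sample data, not real Umbrella output, and the thresholding rule in `identities_to_investigate` is this example's own.

```python
"""Added example (not part of the Cisco Umbrella Reporting integration):
summarise activity entries per identity and pick out the identities that
are generating blocked requests.  SAMPLE_ACTIVITY is constructed sample
data mirroring the documented UmbrellaReporting.Activity fields."""
from collections import defaultdict
from typing import Any, Dict, List

SAMPLE_ACTIVITY: List[Dict[str, Any]] = [  # constructed, not real Umbrella output
    {"type": "dns", "domain": "stats.g.doubleclick.net", "verdict": "allowed",
     "timestamp": 1667029148000, "threats": [],
     "identities": [{"id": 1, "label": "S's MacBook Pro", "type": {"type": "roaming"}}]},
    {"type": "dns", "domain": "bad.example", "verdict": "blocked",
     "timestamp": 1667029150000, "threats": [{"label": "Adware", "type": "Adware"}],
     "identities": [{"id": 2, "label": "DESKTOP-IIQVPJ7", "type": {"type": "anyconnect"}}]},
    {"type": "proxy", "domain": "bad.example", "verdict": "blocked",
     "timestamp": 1667029151000, "threats": [{"label": "Adware", "type": "Adware"}],
     "identities": [{"id": 2, "label": "DESKTOP-IIQVPJ7", "type": {"type": "anyconnect"}}]},
    {"type": "dns", "domain": "c2.example", "verdict": "blocked",
     "timestamp": 1667029152000, "threats": [{"label": "Malware", "type": "Malware"}],
     "identities": [{"id": 2, "label": "DESKTOP-IIQVPJ7", "type": {"type": "anyconnect"}}]},
    {"type": "dns", "domain": "google.com", "verdict": "allowed",
     "timestamp": 1667029153000, "threats": [],
     "identities": [{"id": 3, "label": "Guest Network", "type": {"type": "network"}}]},
]


def summarise_by_identity(entries: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Per identity label: total requests, blocked requests, the blocked
    destinations and the threat types Umbrella attached to them."""
    summary: Dict[str, Dict[str, Any]] = defaultdict(
        lambda: {"requests": 0, "blocked": 0, "blocked_domains": set(), "threat_types": set()})
    for entry in entries:
        # An entry can carry several identities (e.g. a network and a roaming client).
        for identity in entry.get("identities", []):
            row = summary[identity["label"]]
            row["requests"] += 1
            if entry.get("verdict") == "blocked":
                row["blocked"] += 1
                row["blocked_domains"].add(entry.get("domain", ""))
                row["threat_types"].update(t["type"] for t in entry.get("threats", []))
    return dict(summary)


def identities_to_investigate(summary: Dict[str, Dict[str, Any]],
                              min_blocked: int = 1,
                              min_threat_types: int = 0) -> List[str]:
    """Identity labels with at least min_blocked blocked requests (and at
    least min_threat_types distinct threat types), most blocked first."""
    hits = [label for label, row in summary.items()
            if row["blocked"] >= min_blocked and len(row["threat_types"]) >= min_threat_types]
    return sorted(hits, key=lambda label: (-summary[label]["blocked"], label))


if __name__ == "__main__":
    totals = summarise_by_identity(SAMPLE_ACTIVITY)
    for label in identities_to_investigate(totals):
        row = totals[label]
        print(label, row["blocked"], sorted(row["blocked_domains"]), sorted(row["threat_types"]))
```

Feed it the `UmbrellaReporting.Activity` list from context (for example the output of `!umbrella-reporting-activity-list verdict=blocked`) and raise `min_blocked` to match the noise level of your environment; a single blocked advertising domain is rarely worth an analyst's time, while several distinct threat types on one identity usually is.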
### umbrella-reporting-activity-get

List all entries within a time frame for the selected traffic type. Valid traffic types are dns, proxy, firewall, intrusion, ip and amp. Only one traffic type can be selected per call.

#### Base Command

`umbrella-reporting-activity-get`

#### Input

Argument Name | Description | Required |
---|---|---|
traffic_type | Specify the type of traffic. Only one traffic type can be selected at a time. Possible values are: dns, proxy, firewall, ip, intrusion, amp. Supported optional parameters for the dns traffic type: limit, from, to, offset, domains, ip, verdict, threats, threat_types. For proxy: limit, from, to, offset, domains, ip, verdict, threats, threat_types, urls, ports, identity_types, file_name, amp_disposition. For firewall: limit, from, to, offset, ip, ports, verdict. For intrusion: limit, from, to, offset, ip, ports, signatures, intrusion_action. For ip: limit, from, to, offset, ip, ports, identity_types, verdict. For amp (Advanced Malware Protection): limit, from, to, offset, amp_disposition, sha256. | Required |
from | A timestamp in milliseconds or a relative time string (for example: '-1days' or '1639146300000'). Filter for data that appears after this time. Default is '-7days'. | Optional |
to | A timestamp in milliseconds or a relative time string (for example: 'now' or '1661510185000'). Filter for data that appears before this time. Default is 'now'. | Optional |
limit | The maximum number of records to return from the collection. Limit default value is 50. If the page_size argument is set by the user then the limit argument will be ignored. | Optional |
domains | A domain name or comma-separated list of domain names. | Optional |
urls | A URL or comma-separated list of URLs. | Optional |
ip | An IP address. | Optional |
ports | A port number or comma-separated list of port numbers. | Optional |
identity_types | An identity type or comma-separated list of identity types. | Optional |
verdict | A verdict string. Possible values are: allowed, blocked, proxied. | Optional |
file_name | A string that identifies a filename. Filter the request by the filename. Supports globbing with the wildcard character ('*'): the asterisk matches zero or more occurrences of any character. | Optional |
threats | A threat name or comma-separated list of threat names. | Optional |
threat_types | A threat type or comma-separated list of threat types. | Optional |
amp_disposition | An Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
signatures | A comma-separated list of signatures in the form Generator ID-Signature ID, where the Generator ID identifies the part of the IPS that generated the event and the Signature ID uniquely identifies the signature. Example: 1-2,1-4. | Optional |
intrusion_action | Comma-separated list of intrusion actions. Possible values: would_block, blocked, detected. | Optional |
categories | A comma-separated list of category ids to filter on. | Optional |
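The `from`/`to` arguments throughout this page accept either a millisecond timestamp or a relative string, `page_size` overrides `limit`, and the `traffic_type` description above lists which optional parameters each traffic type accepts. The following is an added example, not code from the integration or from Cisco, that normalises those time filters and validates a set of `umbrella-reporting-activity-get` arguments against that per-traffic-type list before they become query parameters. The parameter lists and enumerated values are copied from the argument table; translating `page`/`page_size` into an `offset` is an assumption made here for illustration.

```python
"""Added example (not part of the Cisco Umbrella Reporting integration):
normalise from/to time filters and validate umbrella-reporting-activity-get
arguments against the per-traffic-type parameter lists in the argument
table.  page/page_size -> offset is an assumption for illustration."""
import re
import time
from typing import Any, Dict, Optional

# Optional parameters each traffic type supports, as listed for traffic_type.
SUPPORTED_PARAMS: Dict[str, set] = {
    "dns": {"limit", "from", "to", "offset", "domains", "ip", "verdict",
            "threats", "threat_types"},
    "proxy": {"limit", "from", "to", "offset", "domains", "ip", "verdict",
              "threats", "threat_types", "urls", "ports", "identity_types",
              "file_name", "amp_disposition"},
    "firewall": {"limit", "from", "to", "offset", "ip", "ports", "verdict"},
    "intrusion": {"limit", "from", "to", "offset", "ip", "ports",
                  "signatures", "intrusion_action"},
    "ip": {"limit", "from", "to", "offset", "ip", "ports", "identity_types",
           "verdict"},
    "amp": {"limit", "from", "to", "offset", "amp_disposition", "sha256"},
}
VERDICTS = {"allowed", "blocked", "proxied"}
AMP_DISPOSITIONS = {"clean", "malicious", "unknown"}
INTRUSION_ACTIONS = {"would_block", "blocked", "detected"}
PAGING = {"page", "page_size"}  # command-level paging, translated to offset below

_UNIT_MS = {"seconds": 1_000, "minutes": 60_000, "hours": 3_600_000, "days": 86_400_000}
_RELATIVE = re.compile(r"^-(\d+)(seconds|minutes|hours|days)$")
_SIGNATURE = re.compile(r"^\d+-\d+$")  # "<generator id>-<signature id>", e.g. 1-2


def to_epoch_ms(value: str, now_ms: Optional[int] = None) -> int:
    """Turn 'now', a relative string such as '-1days', or a millisecond
    timestamp given as a string into an integer millisecond timestamp."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    value = value.strip()
    if value == "now":
        return now_ms
    match = _RELATIVE.match(value)
    if match:
        return now_ms - int(match.group(1)) * _UNIT_MS[match.group(2)]
    if value.isdigit():
        return int(value)
    raise ValueError(f"unsupported time value: {value!r}")


def build_activity_query(traffic_type: str, args: Dict[str, str],
                         now_ms: Optional[int] = None) -> Dict[str, Any]:
    """Validate the arguments for one traffic type and return the query
    parameters to send.  Raises ValueError for anything the argument table
    does not allow for that traffic type."""
    if traffic_type not in SUPPORTED_PARAMS:
        raise ValueError(f"unknown traffic_type {traffic_type!r}")
    allowed = SUPPORTED_PARAMS[traffic_type] | PAGING
    unsupported = sorted(name for name in args if name not in allowed)
    if unsupported:
        raise ValueError(f"{traffic_type} does not support: {', '.join(unsupported)}")

    query: Dict[str, Any] = {
        "from": to_epoch_ms(args.get("from", "-7days"), now_ms),
        "to": to_epoch_ms(args.get("to", "now"), now_ms),
    }
    if query["from"] >= query["to"]:
        raise ValueError("'from' must be earlier than 'to'")

    # page_size, when given, takes precedence over limit (default 50).
    page = int(args.get("page", "1"))
    page_size = int(args["page_size"]) if "page_size" in args else int(args.get("limit", "50"))
    if page < 1 or page_size < 1:
        raise ValueError("page and page_size/limit must be positive")
    query["limit"] = page_size
    query["offset"] = (page - 1) * page_size  # assumption: offset-based paging

    # Enumerated arguments are checked against the possible values in the table;
    # comma-separated lists are split, trimmed and re-joined.
    enumerated = {"verdict": VERDICTS, "amp_disposition": AMP_DISPOSITIONS,
                  "intrusion_action": INTRUSION_ACTIONS}
    for name, value in args.items():
        if name in PAGING or name in ("from", "to", "limit"):
            continue
        values = [v.strip() for v in value.split(",")]
        if name in enumerated and not set(values) <= enumerated[name]:
            raise ValueError(f"invalid {name}: {value!r}")
        if name == "signatures" and not all(_SIGNATURE.match(v) for v in values):
            raise ValueError("signatures must look like <generator id>-<signature id>, e.g. 1-2")
        query[name] = ",".join(values)
    return query
```

Rejecting an unsupported argument up front is preferable to silently dropping it: a playbook that passes `urls` to a `dns` query and gets an unfiltered result back will quietly over-report.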
#### Context Output for traffic_type = dns

Path | Type | Description |
---|---|---|
UmbrellaReporting.ActivityDns.type | String | Type of the request. A DNS request always has type DNS. |
UmbrellaReporting.ActivityDns.externalip | String | External IP address for entry. |
UmbrellaReporting.ActivityDns.internalip | String | Internal IP address for entry. |
UmbrellaReporting.ActivityDns.policycategories.id | Number | ID of the category. |
UmbrellaReporting.ActivityDns.policycategories.label | String | The human readable label of the category. |
UmbrellaReporting.ActivityDns.policycategories.type | String | The type of category. |
UmbrellaReporting.ActivityDns.policycategories.deprecated | Boolean | Whether the category is a legacy category. |
UmbrellaReporting.ActivityDns.policycategories.integration | Boolean | Whether the category is an integration. |
UmbrellaReporting.ActivityDns.categories.id | Number | ID of the category. |
UmbrellaReporting.ActivityDns.categories.label | String | The human readable label of the category. |
UmbrellaReporting.ActivityDns.categories.type | String | The type of category. |
UmbrellaReporting.ActivityDns.categories.deprecated | Boolean | Whether the category is a legacy category. |
UmbrellaReporting.ActivityDns.categories.integration | Boolean | Whether the category is an integration. |
UmbrellaReporting.ActivityDns.verdict | String | Verdict for entry. |
UmbrellaReporting.ActivityDns.domain | String | Domain for entry. |
UmbrellaReporting.ActivityDns.timestamp | Number | Timestamp in ms. |
UmbrellaReporting.ActivityDns.time | String | The time in 24 hour format based on the time zone parameter. |
UmbrellaReporting.ActivityDns.date | String | The date from the timestamp based on the time zone parameter. |
UmbrellaReporting.ActivityDns.identities.id | Number | ID of the identity. |
UmbrellaReporting.ActivityDns.identities.type.id | Number | Origin type for the identity. |
UmbrellaReporting.ActivityDns.identities.type.type | String | Origin type name for the identity. |
UmbrellaReporting.ActivityDns.identities.type.label | String | Origin type label for the identity. |
UmbrellaReporting.ActivityDns.identities.label | String | Label for the identity. |
UmbrellaReporting.ActivityDns.identities.deleted | Boolean | Indicates whether the identity was deleted. |
UmbrellaReporting.ActivityDns.threats.label | String | The threat name or label. |
UmbrellaReporting.ActivityDns.threats.type | String | The type of threat. |
UmbrellaReporting.ActivityDns.allapplications.id | Number | ID of the application. |
UmbrellaReporting.ActivityDns.allapplications.type | String | Type of the application, NBAR or AVC. |
UmbrellaReporting.ActivityDns.allapplications.label | String | Label of the application. |
UmbrellaReporting.ActivityDns.allapplications.category.label | String | Label of the application category. |
UmbrellaReporting.ActivityDns.allapplications.category.id | Number | ID of the application category. |
UmbrellaReporting.ActivityDns.allowedapplications.id | Number | ID of the application. |
UmbrellaReporting.ActivityDns.allowedapplications.label | String | Label of the application. |
UmbrellaReporting.ActivityDns.allowedapplications.type | String | Type of the application, NBAR or AVC. |
UmbrellaReporting.ActivityDns.allowedapplications.category.label | String | Label of the application category. |
UmbrellaReporting.ActivityDns.allowedapplications.category.id | Number | ID of the application category. |
UmbrellaReporting.ActivityDns.querytype | String | The type of DNS request that was made. For more information, see https://support.umbrella.com/hc/en-us/articles/232254248-Common-DNS-return-codes-for-any-DNS-service-and-Umbrella- |
UmbrellaReporting.ActivityDns.returncode | Number | The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella). https://support.umbrella.com/hc/en-us/articles/232254248-Common-DNS-return-codes-for-any-DNS-service-and-Umbrella- |
UmbrellaReporting.ActivityDns.blockedapplications.id | Number | ID of the application. |
UmbrellaReporting.ActivityDns.blockedapplications.label | String | Label of the application. |
UmbrellaReporting.ActivityDns.blockedapplications.type | String | Type of the application, NBAR or AVC. |
UmbrellaReporting.ActivityDns.blockedapplications.category.label | String | Label of the application category. |
UmbrellaReporting.ActivityDns.blockedapplications.category.id | Number | ID of the application category. |
#
Command example for traffic_type = dns for base command umbrella-reporting-activity-get
!umbrella-reporting-activity-get traffic_type=dns limit=2
#
Human Readable Output
Dns Activity List
Identity | Policy or Ruleset Identity | Destination | Internal IP | External IP | DNS Type | Action | Categories | Public Application | Application Category | Date & Time |
---|---|---|---|---|---|---|---|---|---|---|
S’s MacBook Pro | S’s MacBook Pro | stats.g.doubleclick.net | 1.1.1.1 | 4.4.4.4 | A | allowed | Advertisements, Application | Google Marketing Platform | Ad Publishing | 2022-10-29T07:39:08Z |
S’s MacBook Pro | S’s MacBook Pro | google.com | 1.1.1.1 | 4.4.4.4 | AAAA | allowed | abc/efgh, Infrastructure and Content Delivery Networks, Application | Do Not Decrypt Application | Sample Application Group | 2022-10-29T07:38:57Z |
#
Context Output for traffic_type = amp for base command umbrella-reporting-activity-get
Path | Type | Description |
---|---|---|
UmbrellaReporting.ActivityAMPRetro.timestamp | Number | Timestamp in ms. |
UmbrellaReporting.ActivityAMPRetro.firstseenat | Number | First seen Timestamp. |
UmbrellaReporting.ActivityAMPRetro.disposition | String | Disposition for entry. |
UmbrellaReporting.ActivityAMPRetro.hostname | String | Hostname for entry. |
UmbrellaReporting.ActivityAMPRetro.malwarename | String | Malware name for entry. |
UmbrellaReporting.ActivityAMPRetro.sha256 | String | SHA256 for entry. |
UmbrellaReporting.ActivityAMPRetro.score | Number | Score for entry. |
#
Command example for traffic_type = amp for base command umbrella-reporting-activity-get
!umbrella-reporting-activity-get traffic_type=amp limit=2
#
Human Readable Output
AMP Activity List
First Seen | Disposition | Score | Host Name | Malware | SHA256 | Date & Time |
---|---|---|---|---|---|---|
1548311506 | clean | 10 | google.com | malware | 9495b6c155044053953efe30ebaf804780c114e7b721b14f6a5b0a782769696e | Sep 16, 2022 05:52 AM |
#
Context Output for traffic_type = proxy for base command umbrella-reporting-activity-get
Path | Type | Description |
---|---|---|
UmbrellaReporting.ActivityProxy.type | String | Type of the request. A Proxy request always has type Proxy. |
UmbrellaReporting.ActivityProxy.externalip | String | External IP for entry. |
UmbrellaReporting.ActivityProxy.destinationip | String | Destination IP for entry. |
UmbrellaReporting.ActivityProxy.blockedfiletype | String | Blocked file type for entry. |
UmbrellaReporting.ActivityProxy.contenttype | String | The type of web content, typically text/html. |
UmbrellaReporting.ActivityProxy.forwardingmethod | String | The request method (GET, POST, HEAD, etc.) |
UmbrellaReporting.ActivityProxy.internalip | String | Internal IP for entry. |
UmbrellaReporting.ActivityProxy.referer | String | The referring domain or URL. |
UmbrellaReporting.ActivityProxy.requestmethod | String | The HTTP request method that was made. |
UmbrellaReporting.ActivityProxy.responsefilename | String | Response filename for entry. |
UmbrellaReporting.ActivityProxy.sha256 | String | The hex digest of the response content. |
UmbrellaReporting.ActivityProxy.url | String | The URL requested. |
UmbrellaReporting.ActivityProxy.useragent | String | The browser agent that made the request. |
UmbrellaReporting.ActivityProxy.warnstatus | String | Warn Status. |
UmbrellaReporting.ActivityProxy.securityoverridden | Boolean | Whether a security verdict was overridden for this request. |
UmbrellaReporting.ActivityProxy.tenantcontrols | Boolean | If the request was part of a tenant control policy. |
UmbrellaReporting.ActivityProxy.bundleid | Number | A proxy bundle ID. |
UmbrellaReporting.ActivityProxy.port | Number | Request Port. |
UmbrellaReporting.ActivityProxy.requestsize | Number | Request size in bytes. |
UmbrellaReporting.ActivityProxy.responsesize | Number | Response size in bytes. |
UmbrellaReporting.ActivityProxy.statuscode | Number | The HTTP status code returned for the request. |
UmbrellaReporting.ActivityProxy.policycategories.id | Number | ID of category. |
UmbrellaReporting.ActivityProxy.policycategories.label | String | The human readable label of the category. |
UmbrellaReporting.ActivityProxy.policycategories.type | String | The type of category. |
UmbrellaReporting.ActivityProxy.policycategories.deprecated | Boolean | If the category is a legacy category. |
UmbrellaReporting.ActivityProxy.policycategories.integration | Boolean | If the category is an integration. |
UmbrellaReporting.ActivityProxy.categories.id | Number | id of category |
UmbrellaReporting.ActivityProxy.categories.label | String | The human readable label of the category |
UmbrellaReporting.ActivityProxy.categories.type | String | The type of category |
UmbrellaReporting.ActivityProxy.categories.deprecated | Boolean | If the category is a legacy category |
UmbrellaReporting.ActivityProxy.categories.integration | Boolean | If the category is an integration |
UmbrellaReporting.ActivityProxy.antivirusthreats.others | Unknown | Other antivirus threats. |
UmbrellaReporting.ActivityProxy.antivirusthreats.puas | Unknown | Potentially unwanted applications. |
UmbrellaReporting.ActivityProxy.antivirusthreats.viruses | Unknown | Viruses. |
UmbrellaReporting.ActivityProxy.verdict | String | Verdict for entry. |
UmbrellaReporting.ActivityProxy.timestamp | Number | Timestamp in ms. |
UmbrellaReporting.ActivityProxy.time | String | The time in 24 hour format based on the timezone parameter. |
UmbrellaReporting.ActivityProxy.date | String | The date from the timestamp based on the timezone parameter. |
UmbrellaReporting.ActivityProxy.identities.id | Number | ID of identity. |
UmbrellaReporting.ActivityProxy.identities.type.id | Number | Origin type for identity |
UmbrellaReporting.ActivityProxy.identities.type.type | String | Origin type name for identity |
UmbrellaReporting.ActivityProxy.identities.type.label | String | Origin type label for identity |
UmbrellaReporting.ActivityProxy.identities.label | String | Label for identity |
UmbrellaReporting.ActivityProxy.identities.deleted | Boolean | Indicates whether the identity was deleted or not |
UmbrellaReporting.ActivityProxy.threats.label | String | The threat name or label. |
UmbrellaReporting.ActivityProxy.threats.type | String | The type of threat. |
UmbrellaReporting.ActivityProxy.datacenter.id | String | Unique ID for the data center. |
UmbrellaReporting.ActivityProxy.datacenter.label | String | Name of the data center. |
UmbrellaReporting.ActivityProxy.datalossprevention.state | String | If the request was Blocked for DLP. Either 'blocked' or ''. |
UmbrellaReporting.ActivityProxy.egress.ip | String | Egress IP. |
UmbrellaReporting.ActivityProxy.egress.type | String | Egress Type. |
UmbrellaReporting.ActivityProxy.isolated.fileaction | String | A string that describes the remote browser isolation (RBI) file action type. |
UmbrellaReporting.ActivityProxy.isolated.state | String | A string that describes the remote browser isolation(RBI) isolation type. |
UmbrellaReporting.ActivityProxy.allapplications.id | Number | ID of the application. |
UmbrellaReporting.ActivityProxy.allapplications.type | String | Type of the application, NBAR or AVC. |
UmbrellaReporting.ActivityProxy.allapplications.label | String | Label of the application. |
UmbrellaReporting.ActivityProxy.allapplications.category.label | String | Label of the application category. |
UmbrellaReporting.ActivityProxy.allapplications.category.id | Number | ID of the application category. |
UmbrellaReporting.ActivityProxy.allowedapplications.id | Number | ID of the application. |
UmbrellaReporting.ActivityProxy.allowedapplications.label | String | Label of the application. |
UmbrellaReporting.ActivityProxy.allowedapplications.type | String | Type of the application, NBAR or AVC. |
UmbrellaReporting.ActivityProxy.allowedapplications.category.label | String | Label of the application category. |
UmbrellaReporting.ActivityProxy.allowedapplications.category.id | Number | ID of the application category. |
UmbrellaReporting.ActivityProxy.blockedapplications.id | Number | ID of the application. |
UmbrellaReporting.ActivityProxy.blockedapplications.label | String | Label of the application. |
UmbrellaReporting.ActivityProxy.blockedapplications.type | String | Type of the application, NBAR or AVC. |
UmbrellaReporting.ActivityProxy.blockedapplications.category.label | String | Label of the application category. |
UmbrellaReporting.ActivityProxy.blockedapplications.category.id | Number | ID of the application category. |
UmbrellaReporting.ActivityProxy.policy.timebasedrule | Boolean | Whether the policy triggered a time-of-day rule. |
UmbrellaReporting.ActivityProxy.policy.ruleid | Number | The rule ID for the policy. |
UmbrellaReporting.ActivityProxy.policy.rulesetid | Number | The rule set ID for the policy. |
UmbrellaReporting.ActivityProxy.policy.destinationlistids | Unknown | The destination lists that the policy triggered. |
UmbrellaReporting.ActivityProxy.httperrors.reason | String | The name of the error. |
UmbrellaReporting.ActivityProxy.httperrors.type | String | Type of the error CertificateError or TLSError. |
UmbrellaReporting.ActivityProxy.httperrors.attributes | Unknown | Map of additional information about the error. |
UmbrellaReporting.ActivityProxy.httperrors.code | String | The http error code. |
UmbrellaReporting.ActivityProxy.amp.disposition | String | Advanced Malware Protection (AMP) disposition. |
UmbrellaReporting.ActivityProxy.amp.malware | String | Advanced Malware Protection (AMP) malware. |
UmbrellaReporting.ActivityProxy.amp.score | Number | Advanced Malware Protection (AMP) score. |
#
Command example for traffic_type = proxy for base command umbrella-reporting-activity-get
!umbrella-reporting-activity-get traffic_type=proxy limit=2
#
Human Readable Output
Proxy Activity List
Identity | Policy or Ruleset Identity | Internal IP | External IP | Action | Categories | Date & Time |
---|---|---|---|---|---|---|
DESKTOP-IIQVPJ7 | DESKTOP-IIQVPJ7 | 10.10.10.217 | 4.4.4.4 | allowed | Infrastructure and Content Delivery Networks | 2022-10-17T09:38:32Z |
DESKTOP-IIQVPJ7 | DESKTOP-IIQVPJ7 | 10.10.10.217 | 4.4.4.4 | allowed | Infrastructure and Content Delivery Networks | 2022-10-17T08:36:16Z |
#
Context Output for traffic_type = firewall for base command umbrella-reporting-activity-get
Path | Type | Description |
---|---|---|
UmbrellaReporting.ActivityFirewall.type | String | Type of the request. A Firewall request always has type Firewall. |
UmbrellaReporting.ActivityFirewall.destinationip | String | Destination IP for entry. |
UmbrellaReporting.ActivityFirewall.direction | String | The direction of the packet. It is destined either towards the internet or to the customer's network. |
UmbrellaReporting.ActivityFirewall.sourceip | String | Source IP for entry. |
UmbrellaReporting.ActivityFirewall.destinationport | Number | Destination port for entry. |
UmbrellaReporting.ActivityFirewall.sourceport | Number | Source port for entry. |
UmbrellaReporting.ActivityFirewall.packetsize | Number | The size of the packet that Umbrella CDFW received. |
UmbrellaReporting.ActivityFirewall.verdict | String | Verdict for entry. |
UmbrellaReporting.ActivityFirewall.timestamp | Number | Timestamp in ms. |
UmbrellaReporting.ActivityFirewall.time | String | The time in 24 hour format based on the timezone parameter. |
UmbrellaReporting.ActivityFirewall.date | String | The date from the timestamp based on the timezone parameter. |
UmbrellaReporting.ActivityFirewall.identities.id | Number | ID of identity. |
UmbrellaReporting.ActivityFirewall.identities.type.id | Number | Origin type for identity |
UmbrellaReporting.ActivityFirewall.identities.type.type | String | Origin type name for identity |
UmbrellaReporting.ActivityFirewall.identities.type.label | String | Origin type label for identity |
UmbrellaReporting.ActivityFirewall.identities.label | String | Label for identity |
UmbrellaReporting.ActivityFirewall.identities.deleted | Boolean | Indicates whether the identity was deleted or not |
UmbrellaReporting.ActivityFirewall.protocol.label | String | Name of the protocol. |
UmbrellaReporting.ActivityFirewall.protocol.id | Number | ID of protocol. |
UmbrellaReporting.ActivityFirewall.allapplications.id | Number | ID of the application. |
UmbrellaReporting.ActivityFirewall.allapplications.app | String | Application/protocol type (for example, "IT Service Management"). |
UmbrellaReporting.ActivityFirewall.allapplications.label | String | Label of the application. |
UmbrellaReporting.ActivityFirewall.rule.label | String | Name of the rule |
UmbrellaReporting.ActivityFirewall.rule.id | String | ID of rule. |
UmbrellaReporting.ActivityFirewall.rule.privateapplicationgroup.label | String | Name of application group. |
UmbrellaReporting.ActivityFirewall.rule.privateapplicationgroup.id | Number | ID of application group |
UmbrellaReporting.ActivityFirewall.applicationprotocols.id | Number | ID of the application. |
UmbrellaReporting.ActivityFirewall.applicationprotocols.app | String | Application/protocol type (for example, "IT Service Management"). |
UmbrellaReporting.ActivityFirewall.applicationprotocols.label | String | Application/Protocol label. |
#
Command example for traffic_type = firewall for base command umbrella-reporting-activity-get
!umbrella-reporting-activity-get traffic_type=firewall limit=2
#
Human Readable Output
Firewall Activity List
Identity | Policy or Ruleset Identity | Internal IP | Source IP | Source Port | Destination Port | Protocol | Rule | Type | Action | Public Application | Direction | Date & Time |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Catch Rate Testing System | Catch Rate Testing System | 1.1.1.1 | 192.168.0.1 | 0 | 0 | UDP | Default Rule | firewall | allowed | dns IT Service Management | towards | Sep 16, 2022 05:52 AM |
#
Context Output for traffic_type = intrusion for base command umbrella-reporting-activity-get
Path | Type | Description |
---|---|---|
UmbrellaReporting.ActivityIntrusion.type | String | Type of the request. An Intrusion request always has type Intrusion. |
UmbrellaReporting.ActivityIntrusion.classification | String | The category of attack detected by a rule that is part of a more general type of attack class, such as trojan-activity, attempted-user, and unknown. |
UmbrellaReporting.ActivityIntrusion.destinationip | String | Destination IP for entry. |
UmbrellaReporting.ActivityIntrusion.severity | String | The severity level of the rule, such as High, Medium, Low, and Very Low. |
UmbrellaReporting.ActivityIntrusion.sourceip | String | Source IP for entry |
UmbrellaReporting.ActivityIntrusion.destinationport | Number | Destination port for entry. |
UmbrellaReporting.ActivityIntrusion.sessionid | Number | The unique identifier of a session, which is used to group the correlated events between various services. |
UmbrellaReporting.ActivityIntrusion.sourceport | Number | Source port for entry. |
UmbrellaReporting.ActivityIntrusion.verdict | String | Verdict for entry. |
UmbrellaReporting.ActivityIntrusion.timestamp | Number | Timestamp in ms. |
UmbrellaReporting.ActivityIntrusion.time | String | The time in 24 hour format based on the timezone parameter. |
UmbrellaReporting.ActivityIntrusion.date | String | The date from the timestamp based on the timezone parameter. |
UmbrellaReporting.ActivityIntrusion.identities.id | Number | ID of identity. |
UmbrellaReporting.ActivityIntrusion.identities.type.id | Number | Origin type for identity |
UmbrellaReporting.ActivityIntrusion.identities.type.type | String | Origin type name for identity |
UmbrellaReporting.ActivityIntrusion.identities.type.label | String | Origin type label for identity |
UmbrellaReporting.ActivityIntrusion.identities.label | String | Label for identity |
UmbrellaReporting.ActivityIntrusion.identities.deleted | Boolean | Indicates whether the identity was deleted or not |
UmbrellaReporting.ActivityIntrusion.protocol.label | String | Name of the protocol. |
UmbrellaReporting.ActivityIntrusion.protocol.id | Number | ID of protocol. |
UmbrellaReporting.ActivityIntrusion.signature.id | Number | ID of the signature. |
UmbrellaReporting.ActivityIntrusion.signature.generatorid | Number | Unique id assigned to the part of the IPS which generated the event. |
UmbrellaReporting.ActivityIntrusion.signature.label | String | A brief description of the signature. |
UmbrellaReporting.ActivityIntrusion.signature.cves | String | An identifier for a known security vulnerability/exposure. |
UmbrellaReporting.ActivityIntrusion.signaturelist.id | Number | Unique id assigned to a Default or Custom Signature List. |
#
Command example for traffic_type = intrusion for base command umbrella-reporting-activity-get
!umbrella-reporting-activity-get traffic_type=intrusion limit=2
#
Context Output for traffic_type = ip for base command umbrella-reporting-activity-get
Path | Type | Description |
---|---|---|
UmbrellaReporting.ActivityIP.type | String | Type of the request. An IP request always has type IP. |
UmbrellaReporting.ActivityIP.destinationip | String | Destination IP for entry. |
UmbrellaReporting.ActivityIP.sourceip | String | Source IP for entry |
UmbrellaReporting.ActivityIP.destinationport | Number | Destination port for entry. |
UmbrellaReporting.ActivityIP.sourceport | Number | Source port for entry. |
UmbrellaReporting.ActivityIP.verdict | String | Verdict for entry. |
UmbrellaReporting.ActivityIP.timestamp | Number | Timestamp in ms. |
UmbrellaReporting.ActivityIP.time | String | The time in 24 hour format based on the timezone parameter. |
UmbrellaReporting.ActivityIP.date | String | The date from the timestamp based on the timezone parameter. |
UmbrellaReporting.ActivityIP.identities.id | Number | ID of identity. |
UmbrellaReporting.ActivityIP.identities.type.id | Number | Origin type for identity |
UmbrellaReporting.ActivityIP.identities.type.type | String | Origin type name for identity |
UmbrellaReporting.ActivityIP.identities.type.label | String | Origin type label for identity |
UmbrellaReporting.ActivityIP.identities.label | String | Label for identity |
UmbrellaReporting.ActivityIP.identities.deleted | Boolean | Indicates whether the identity was deleted or not |
UmbrellaReporting.ActivityIP.categories.id | Number | id of category |
UmbrellaReporting.ActivityIP.categories.label | String | The human readable label of the category |
UmbrellaReporting.ActivityIP.categories.type | String | The type of category |
UmbrellaReporting.ActivityIP.categories.deprecated | Boolean | If the category is a legacy category |
UmbrellaReporting.ActivityIP.categories.integration | Boolean | If the category is an integration |
#
Command example for traffic_type = ip for base command umbrella-reporting-activity-get
!umbrella-reporting-activity-get traffic_type=ip limit=2
#
Human Readable Output
IP Activity List
Identity | Destination IP | Source IP | Source Port | Destination Port | Categories | Type | Action | Date & Time |
---|---|---|---|---|---|---|---|---|
Catch Rate Testing System | 10.10.10.10 | 10.10.10.10 | 22 | 33 | Malware | IP | allowed | Sep 16, 2022 05:52 AM |
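All of the activity outputs above share the same identities, verdict, threats and categories sub-fields, whatever the traffic type. The following Python is an added example, not code shipped with the integration, that aggregates such records per identity to answer the question this integration exists for: which identities are generating blocked requests, against what, and when most recently. The records in SAMPLE_ACTIVITY are constructed to match the documented field names; the function names are this example's own.

```python
"""Added example (not part of the Cisco Umbrella Reporting integration): aggregate
blocked activity per identity from records shaped like UmbrellaReporting.ActivityDns /
UmbrellaReporting.ActivityProxy.  Only the documented fields read below are populated."""
from datetime import datetime, timezone

# Constructed sample context entries (not real Umbrella data).
SAMPLE_ACTIVITY = [
    {"verdict": "blocked", "domain": "malware.example", "timestamp": 1667029148000,
     "identities": [{"label": "LAPTOP-01", "deleted": False}],
     "threats": [{"label": "Trojan.Generic", "type": "Malware"}],
     "categories": [{"label": "Malware", "type": "security"}]},
    {"verdict": "allowed", "domain": "google.com", "timestamp": 1667029137000,
     "identities": [{"label": "LAPTOP-01", "deleted": False}],
     "threats": [], "categories": [{"label": "Search Engines", "type": "content"}]},
    {"verdict": "blocked", "domain": "phish.example", "timestamp": 1667029100000,
     "identities": [{"label": "DESKTOP-02", "deleted": True}],
     "threats": [], "categories": [{"label": "Phishing", "type": "security"}]},
    {"verdict": "blocked", "domain": "malware.example", "timestamp": 1667029099000,
     "identities": [{"label": "LAPTOP-01", "deleted": False}],
     "threats": [{"label": "Trojan.Generic", "type": "Malware"}],
     "categories": [{"label": "Malware", "type": "security"}]},
]


def ms_to_iso(ts_ms):
    """Render the 'timestamp' field (milliseconds since the epoch, UTC) as ISO 8601."""
    return datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def blocked_by_identity(entries, include_deleted=False):
    """Return {identity label: summary} for every identity with a blocked request.

    The summary holds the blocked count, the distinct destinations, the threat labels,
    the security-type categories and the most recent blocked timestamp.  Identities
    flagged deleted are skipped unless include_deleted is set, so a report does not
    page on hosts that no longer exist.  Results are ordered by blocked count, descending.
    """
    summary = {}
    for entry in entries:
        if entry.get("verdict") != "blocked":
            continue
        for ident in entry.get("identities", []):
            if ident.get("deleted") and not include_deleted:
                continue
            rec = summary.setdefault(ident["label"], {
                "blocked": 0, "destinations": set(), "threats": set(),
                "security_categories": set(), "last_blocked": None})
            rec["blocked"] += 1
            # DNS records carry 'domain'; proxy records carry 'url'.
            rec["destinations"].add(entry.get("domain") or entry.get("url", ""))
            rec["threats"].update(t["label"] for t in entry.get("threats", []))
            rec["security_categories"].update(
                c["label"] for c in entry.get("categories", []) if c.get("type") == "security")
            ts = entry["timestamp"]
            if rec["last_blocked"] is None or ts > rec["last_blocked"]:
                rec["last_blocked"] = ts
    out = {}
    for label, rec in sorted(summary.items(), key=lambda kv: -kv[1]["blocked"]):
        out[label] = {
            "blocked": rec["blocked"],
            "destinations": sorted(rec["destinations"]),
            "threats": sorted(rec["threats"]),
            "security_categories": sorted(rec["security_categories"]),
            "last_blocked": ms_to_iso(rec["last_blocked"]),
        }
    return out


if __name__ == "__main__":
    for label, rec in blocked_by_identity(SAMPLE_ACTIVITY).items():
        print(label, rec)
```

In a playbook the entries would come from the UmbrellaReporting.ActivityDns or ActivityProxy context after running umbrella-reporting-activity-get with verdict=blocked, which also keeps the result set small before the aggregation.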
#
umbrella-reporting-summary-list
Get the summary.
#
Base Command
umbrella-reporting-summary-list
#
Input
Argument Name | Description | Required |
---|---|---|
summary_type | The summary type to retrieve. Valid values are category, destination, and intrusion_rule. If summary_type is not provided, all three summary types (category, destination, intrusion_rule) are returned. Supported optional filters for the category and destination summary types: domains, urls, ip, identity_types, verdict, file_name, threats, threat_types, amp_disposition. Supported optional filters for the intrusion_rule summary type: signatures, ip, identity_types, intrusion_action, ports. | Optional |
from | A timestamp in milliseconds or a relative time string (for example, '-1days' or '1639146300000'). Filters for data that appears after this time. Default is '-7days'. | Optional |
to | A timestamp in milliseconds or a relative time string (for example, 'now' or '1661510185000'). Filters for data that appears before this time. Default is 'now'. | Optional |
limit | The maximum number of records to return from the collection. Default is 50. If the page_size argument is set, the limit argument is ignored. | Optional |
domains | A domain name or comma-separated list of domain names. | Optional |
urls | A URL or comma-separated list of URLs. | Optional |
ip | An IP address. | Optional |
ports | A port number or comma-separated list of port numbers. | Optional |
identity_types | An identity type or comma-separated list of identity types. | Optional |
verdict | A verdict string. Possible values are: allowed, blocked, proxied. | Optional |
file_name | A string that identifies a filename. Filters the request by filename. Supports globbing with the wildcard character (*); the asterisk matches zero or more occurrences of any character. | Optional |
threats | A threat name or comma-separated list of threat names. | Optional |
threat_types | A threat type or comma-separated list of threat types. | Optional |
amp_disposition | An Advanced Malware Protection (AMP) disposition string. Possible values are: clean, malicious, unknown. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
signatures | A comma-separated list of Generator ID - Signature ID pairs, where the Generator ID is the unique ID of the part of the IPS that generated the event and the Signature ID uniquely identifies the signature. Example: 1-2,1-4. | Optional |
intrusion_action | A comma-separated list of intrusion actions. Possible values are: would_block, blocked, detected. | Optional |
categories | A comma-separated list of category ids to filter on. | Optional |
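The argument table above carries several rules that are easy to get wrong from a playbook: each summary type accepts a different set of filters, from and to take either a millisecond epoch or a relative string, page_size silently overrides limit, and signatures must be Generator ID - Signature ID pairs. The following Python is an added example, not part of the integration, that checks a command's arguments against those rules before it runs. It assumes the filter lists and enumerations exactly as the table states them; the function names, the relative-time units other than days, and the treatment of categories as a type-independent argument are this example's own assumptions.

```python
"""Added example (not part of the Cisco Umbrella Reporting integration): validate the
arguments a playbook passes to umbrella-reporting-summary-list against the rules in
the command's argument table."""
import re

# Optional filters supported by each summary_type, per the argument table
# (the table's "domain" is the argument named domains).
SUPPORTED_BY_TYPE = {
    "category": {"domains", "urls", "ip", "identity_types", "verdict", "file_name",
                 "threats", "threat_types", "amp_disposition"},
    "destination": {"domains", "urls", "ip", "identity_types", "verdict", "file_name",
                    "threats", "threat_types", "amp_disposition"},
    "intrusion_rule": {"signatures", "ip", "identity_types", "intrusion_action", "ports"},
}
# Accepted for any summary_type.  The table does not tie 'categories' to a type, so
# this example treats it as common (assumption).
COMMON = {"summary_type", "from", "to", "limit", "page", "page_size", "categories"}
VERDICTS = {"allowed", "blocked", "proxied"}
AMP_DISPOSITIONS = {"clean", "malicious", "unknown"}
INTRUSION_ACTIONS = {"would_block", "blocked", "detected"}

# 'now', a relative string such as '-7days', or a 13-digit millisecond epoch.  The table
# only shows 'days'; the other units are this example's assumption.
TIME_RE = re.compile(r"^(now|-\d+(minutes|hours|days|weeks)|\d{13})$")
# One "<generator id>-<signature id>" pair, as in '1-2'.
SIG_RE = re.compile(r"^\d+-\d+$")


def parse_signatures(value):
    """Turn '1-2,1-4' into [(1, 2), (1, 4)]; reject anything not in gid-sid form."""
    pairs = []
    for item in value.split(","):
        item = item.strip()
        if not SIG_RE.match(item):
            raise ValueError(f"bad signature {item!r}: expected <generator id>-<signature id>")
        gid, sid = item.split("-")
        pairs.append((int(gid), int(sid)))
    return pairs


def validate_summary_args(args):
    """Check a dict of command arguments; return the effective, normalised arguments."""
    stype = args.get("summary_type")
    if stype is not None and stype not in SUPPORTED_BY_TYPE:
        raise ValueError(f"summary_type must be one of {sorted(SUPPORTED_BY_TYPE)}")
    # With no summary_type all three types run, so only filters every type accepts are safe
    # (this conservative rule is the example's choice, not something the table promises).
    allowed = SUPPORTED_BY_TYPE[stype] if stype else set.intersection(*SUPPORTED_BY_TYPE.values())
    unsupported = set(args) - COMMON - allowed
    if unsupported:
        raise ValueError(f"{sorted(unsupported)} not supported for summary_type={stype or 'all'}")
    for key in ("from", "to"):
        if key in args and not TIME_RE.match(str(args[key])):
            raise ValueError(f"{key} must be 'now', a relative string like '-1days', or a ms epoch")
    for key, choices in (("verdict", VERDICTS), ("amp_disposition", AMP_DISPOSITIONS)):
        if key in args and args[key] not in choices:
            raise ValueError(f"{key} must be one of {sorted(choices)}")
    if "intrusion_action" in args:
        bad = {a.strip() for a in args["intrusion_action"].split(",")} - INTRUSION_ACTIONS
        if bad:
            raise ValueError(f"unknown intrusion_action {sorted(bad)}")
    effective = dict(args)
    if "signatures" in args:
        effective["signatures"] = parse_signatures(args["signatures"])
    # Pagination: an explicit page_size makes limit irrelevant, per the table.
    if "page_size" in args:
        effective.pop("limit", None)
    effective.setdefault("from", "-7days")
    effective.setdefault("to", "now")
    return effective


def is_valid(args):
    """True when validate_summary_args accepts the arguments, False otherwise."""
    try:
        validate_summary_args(args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(validate_summary_args({"summary_type": "intrusion_rule", "signatures": "1-2,1-4"}))
```

Running the check in the playbook task that builds the arguments turns a silent empty summary (for example, a verdict filter sent with summary_type=intrusion_rule) into an error at the point where it can be fixed.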
#
Context Output for summary for base command umbrella-reporting-summary-list
Path | Type | Description |
---|---|---|
UmbrellaReporting.Summary.applications | Number | Total number of applications (avc or total). |
UmbrellaReporting.Summary.applicationsallowed | Number | Total number of allowed applications. |
UmbrellaReporting.Summary.applicationsblocked | Number | Total number of blocked applications. |
UmbrellaReporting.Summary.categories | Number | Total number of categories. |
UmbrellaReporting.Summary.domains | Number | Total number of domains. |
UmbrellaReporting.Summary.files | Number | Total number of files. |
UmbrellaReporting.Summary.filetypes | Number | Total number of file types. |
UmbrellaReporting.Summary.identities | Number | Total number of identities. |
UmbrellaReporting.Summary.identitytypes | Number | Total number of identity types. |
UmbrellaReporting.Summary.policycategories | Number | Total number of blocked categories. |
UmbrellaReporting.Summary.policyrequests | Number | Total number of policy requests. |
UmbrellaReporting.Summary.requests | Number | Total number of requests. |
UmbrellaReporting.Summary.requestsallowed | Number | Total number of allowed requests. |
UmbrellaReporting.Summary.requestsblocked | Number | Total number of blocked requests. |
#
Command example
!umbrella-reporting-summary-list domains=api.tunnels.cdfw.umbrella.com
#
Human Readable Output
Summary List
Application | Allowed Application | Blocked Application | Category | Domain | File | File Type | Identity | Identity Type | Policy Category | Policy Request | Request | Allowed Request | Blocked Request |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | 0 | 0 | 4 | 1 | 0 | 0 | 3 | 2 | 0 | 0 | 6 | 6 | 0 |
#
Context Output for summary_type=category for base command umbrella-reporting-summary-list
Path | Type | Description |
---|---|---|
UmbrellaReporting.SummaryWithCategory.category.label | String | The human readable label of the category. |
UmbrellaReporting.SummaryWithCategory.category.type | String | The type of category. |
UmbrellaReporting.SummaryWithCategory.category.deprecated | Boolean | If the category is a legacy category. |
UmbrellaReporting.SummaryWithCategory.category.integration | Boolean | If the category is an integration. |
UmbrellaReporting.SummaryWithCategory.category.id | Number | ID of category. |
UmbrellaReporting.SummaryWithCategory.summary.applications | Number | Total number of applications (avc or total). |
UmbrellaReporting.SummaryWithCategory.summary.applicationsallowed | Number | Total number of allowed applications. |
UmbrellaReporting.SummaryWithCategory.summary.applicationsblocked | Number | Total number of blocked applications. |
UmbrellaReporting.SummaryWithCategory.summary.categories | Number | Total number of categories. |
UmbrellaReporting.SummaryWithCategory.summary.domains | Number | Total number of domains. |
UmbrellaReporting.SummaryWithCategory.summary.files | Number | Total number of files. |
UmbrellaReporting.SummaryWithCategory.summary.filetypes | Number | Total number of file types. |
UmbrellaReporting.SummaryWithCategory.summary.identities | Number | Total number of identities. |
UmbrellaReporting.SummaryWithCategory.summary.identitytypes | Number | Total number of identity types. |
UmbrellaReporting.SummaryWithCategory.summary.policycategories | Number | Total number of blocked categories. |
UmbrellaReporting.SummaryWithCategory.summary.policyrequests | Number | Total number of policy requests. |
UmbrellaReporting.SummaryWithCategory.summary.requests | Number | Total number of requests. |
UmbrellaReporting.SummaryWithCategory.summary.requestsallowed | Number | Total number of allowed requests. |
UmbrellaReporting.SummaryWithCategory.summary.requestsblocked | Number | Total number of blocked requests. |
#
Command example for summary_type=category for base command umbrella-reporting-summary-list
!umbrella-reporting-summary-list summary_type=category limit=1
#
Human Readable Output
Summary with Category List
Category Type | Category Name | Application | Allowed Application | Blocked Application | Category | Domain | File | File Type | Identity | Identity Type | Policy Category | Policy Request | Request | Allowed Request | Blocked Request |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
security | Malware | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
#
Context Output for summary_type=destination for base command umbrella-reporting-summary-list
Path | Type | Description |
---|---|---|
UmbrellaReporting.SummaryWithDestination.domain | String | Destination domain. |
UmbrellaReporting.SummaryWithDestination.summary.applications | Number | Total number of applications (avc or total). |
UmbrellaReporting.SummaryWithDestination.summary.applicationsallowed | Number | Total number of allowed applications. |
UmbrellaReporting.SummaryWithDestination.summary.applicationsblocked | Number | Total number of blocked applications. |
UmbrellaReporting.SummaryWithDestination.summary.categories | Number | Total number of categories. |
UmbrellaReporting.SummaryWithDestination.summary.domains | Number | Total number of domains. |
UmbrellaReporting.SummaryWithDestination.summary.files | Number | Total number of files. |
UmbrellaReporting.SummaryWithDestination.summary.filetypes | Number | Total number of file types. |
UmbrellaReporting.SummaryWithDestination.summary.identities | Number | Total number of identities. |
UmbrellaReporting.SummaryWithDestination.summary.identitytypes | Number | Total number of identity types. |
UmbrellaReporting.SummaryWithDestination.summary.policycategories | Number | Total number of blocked categories. |
UmbrellaReporting.SummaryWithDestination.summary.policyrequests | Number | Total number of policy requests. |
UmbrellaReporting.SummaryWithDestination.summary.requests | Number | Total number of requests. |
UmbrellaReporting.SummaryWithDestination.summary.requestsallowed | Number | Total number of allowed requests. |
UmbrellaReporting.SummaryWithDestination.summary.requestsblocked | Number | Total number of blocked requests. |
#
Command example for summary_type=destination for base command umbrella-reporting-summary-list
!umbrella-reporting-summary-list summary_type=destination limit=1
#
Human Readable Output
Summary with Destination List
Destination | Application | Allowed Application | Blocked Application | Category | Domain | File | File Type | Identity | Identity Type | Policy Category | Policy Request | Request | Allowed Request | Blocked Request |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
www.google.com | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
#
Context Output for summary_type=intrusion_rule for base command umbrella-reporting-summary-list
Path | Type | Description |
---|---|---|
UmbrellaReporting.SignatureListSummary.signaturelist.id | Number | Unique id assigned to a Default or Custom Signature List. |
UmbrellaReporting.SignatureListSummary.signatures.generatorid | Number | Generator id. |
UmbrellaReporting.SignatureListSummary.signatures.id | Number | Signature ID. |
UmbrellaReporting.SignatureListSummary.signatures.lasteventat | Number | Timestamp (ms) of the last event that matched the signature. |
UmbrellaReporting.SignatureListSummary.signatures.counts.blocked | Number | Number of events the signature blocked. |
UmbrellaReporting.SignatureListSummary.signatures.counts.detected | Number | Number of events the signature detected. |
UmbrellaReporting.SignatureListSummary.signatures.counts.wouldblock | Number | Number of events the signature would have blocked. |
#
Command example for summary_type=intrusion_rule for base command umbrella-reporting-summary-list
!umbrella-reporting-summary-list summary_type=intrusion_rule limit=1
#
Human Readable Output
Summary with Intrusion List
Blocked | Detected | Would Block | Last Event |
---|---|---|---|
0 | 1 | 0 | 1594557262000 |