Skyhigh Security

Reporting Examples

The data is downloaded for reporting in CSV format. The XML format is no longer supported. You can use any HTTP client tool for the download, for example, curl or wget. In the following examples, curl is used.

Examples are provided for downloading data originating from different types of traffic:

  • Web traffic (not isolated)

  • Remote Browser Isolation (RBI)

  • Private Access

  • Firewall

For each of these downloads, the download command is shown together with its output.

Downloading Data from Web Traffic

The following shows an example download command for web traffic and the output it returns.

Command

curl --insecure --verbose --header 'Accept: text/csv' --header 'x-mwg-api-version: 3' --compressed \
  --user <user name>:<password> \
  'https://msg.mcafeesaas.com/mwg/api/reporting/forensic/12345678?filter.requestTimestampFrom=1527279524&filter.requestTimestampTo=1527283124&order.0.requestTimestamp=asc'

The command first returns a header row containing the names of the downloaded data fields. It can extend over more than one line. Which data fields are downloaded depends on the API version header that is specified as one of the header parameters in the command.

This is followed by the values for these fields: one row for each web access request that was processed during the time range specified by the timestamp filters in the command. Value rows can also extend over more than one line. A field is left empty if no value could be retrieved for it.

Output (first part): Header with data field names

"user_id","username","source_ip","http_action","server_to_client_bytes","client_to_server_bytes","requested_host",
"requested_path","result","virus","request_timestamp_epoch","request_timestamp","uri_scheme","category","media_type",
"application_type","reputation"

Output (second part): Data field values

"-1","name","x.x.x.x","POST","112","1024","x.x.x.x",
"/","OBSERVED","","1527279524","2018-05-25 20:18:44","http","Internet Services","",
"","Minimal Risk"


Downloading Data from Remote Browser Isolation (RBI) Traffic

The following shows an example download command for Remote Browser Isolation (RBI) traffic and the output it returns.

When data for this type of traffic is downloaded for reporting, version 9 of the REST (Forensics) API must be used. The version must be specified in a header of the download command as x-mwg-api-version: 9.

Additionally, rbi: 1 must be specified in a header for Remote Browser Isolation (RBI) traffic.

Command

curl --insecure --verbose --header 'Accept: text/csv' --header 'rbi: 1' --header 'x-mwg-api-version: 9' --compressed \
  --user <user name>:<password> \
  'https://msg.mcafeesaas.com/mwg/api/reporting/forensic/12345678?filter.requestTimestampFrom=1527279524&filter.requestTimestampTo=1527283124&order.0.requestTimestamp=asc'

The command first returns a header row containing the names of the downloaded data fields. It can extend over more than one line. Which data fields are downloaded depends on the API version header that is specified as one of the header parameters in the command.

This is followed by the values for these fields: one row for each isolated web access request that was processed during the time range specified by the timestamp filters in the command. Value rows can also extend over more than one line. A field is left empty if no value could be retrieved for it.

Output (first part): Header with data field names

"user_id","username","source_ip","http_action","bytes_sc","bytes_cs","requested_host","requested_path","result","virus",
"request_timestamp_epoch","request_timestamp","uri_scheme","category","media_type","application_type","reputation","last_rule",
"http_status_code","client_ip","location","block_reason","user_agent_product","user_agent_version","user_agent_comment",
"process_name","destination_ip","destination_port","pop_country_code","referer","ssl_scanned","av_scanned_up","av_scanned_down",
"rbi","dlp","client_system_name","filename","pop_egress_ip","pop_ingress_ip","proxy_port","site","action","action_reason",
"request_url","risk_score","mcp_yn","isolate_type","filename_upload","filename_download","filesize_upload","filesize_download"

Output (second part): Data field values

"-1","na\cobarnes","98.50.176.83","GET","1174","1172","169.254.169.254","/latest/meta-data//mac","DENIED","",
"1662450254","2022-09-06 07:44:14","http","Global Blocklist","","","Unverified","Block Global Blocklist or Global Blocklist IPs",
"403","10.0.0.81","","","Other","","",
"taniumclient.exe","169.254.169.254","80","us","","f","f","f",
"t","f","","mac","161.69.113.33","161.69.113.133","8080","169.254.169.254","BLOCK","DYNAMIC_RULES",
"169.254.169.254/latest/meta-data//mac","-1","t","2","upload1","","1597","774"


Downloading Data from Private Access Traffic

The following shows an example download command for Private Access traffic and the output it returns.

When data for this type of traffic is downloaded for reporting, version 9 of the REST (Forensics) API must be used. The version must be specified in a header of the download command as x-mwg-api-version: 9.

Additionally, pa: 1 must be specified in a header for Private Access traffic.

Command

curl --insecure --verbose --header 'Accept: text/csv' --header 'pa: 1' --header 'x-mwg-api-version: 9' --compressed \
  --user <user name>:<password> \
  'https://msg.mcafeesaas.com/mwg/api/reporting/forensic/12345678?filter.requestTimestampFrom=1527279524&filter.requestTimestampTo=1527283124&order.0.requestTimestamp=asc'

The command first returns a header row containing the names of the downloaded data fields. It can extend over more than one line. Which data fields are downloaded depends on the API version header that is specified as one of the header parameters in the command.

This is followed by the values for these fields: one row for each private web access request that was processed during the time range specified by the timestamp filters in the command. Value rows can also extend over more than one line. A field is left empty if no value could be retrieved for it.

Output (first part): Header with data field names

"request_timestamp","username","pa_application_name","requested_host","request_url","pa_app_group","pa_used_connector",
"device_profile","host_os_name","bytes_sc","bytes_cs","http_status_code","action","block_reason"

Output (second part): Data field values

"2022-07-29 15:20:50","user1","google.exe","x.x.x.x","","appgroup1","conn1",
"","","","","","BLOCK",""


Downloading Data from Firewall Traffic

The following shows an example download command for traffic that goes through a firewall and the output it returns.

When data for this type of traffic is downloaded for reporting, version 9 of the REST (Forensics) API must be used. The version must be specified in a header of the download command as x-mwg-api-version: 9.

Additionally, firewall: 1 must be specified in a header for firewall traffic.

Command

curl --insecure --verbose --header 'Accept: text/csv' --header 'firewall: 1' --header 'x-mwg-api-version: 9' --compressed \
  --user <user name>:<password> \
  'https://msg.mcafeesaas.com/mwg/api/reporting/forensic/12345678?filter.requestTimestampFrom=1663669878&filter.requestTimestampTo=1663679878&filter.createdTimestampFrom=1663669878&filter.createdTimestampTo=1663679878&order.0.requestTimestamp=asc'

The command first returns a header row containing the names of the downloaded data fields. It can extend over more than one line. Which data fields are downloaded depends on the API version header that is specified as one of the header parameters in the command.

This is followed by the values for these fields: one row for each request that was directed through a firewall and processed during the time range specified by the timestamp filters in the command. Value rows can also extend over more than one line. A field is left empty if no value could be retrieved for it.

Output (first part): Header with data field names

"request_timestamp","username","client_ip","destination_ip","process_name","client_port","destination_port","firewall_action",
"client_country","destination_country","application_name","policy_name","protocol","detected_protocol","connectivity_method",
"location","egress_client_port","tunnel_ingress_port","bytes_sc","bytes_cs","transaction_id"

Output (second part): Data field values

"2022-09-20 11:49:21","admin","10.213.136.19","170.114.10.84","CHROME.EXE","54709","443","BLOCK",
"","us","","LocalBreakout[B]","tcp","","",
"","","","0","0",""
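As an added example that is not part of this documentation or of Skyhigh's own tooling, the following Python builds the same request the four curl commands above express (the endpoint path, header names, API versions and filter parameters are taken from this page; the customer id, credentials and the second sample row are constructed placeholders), then parses a downloaded CSV body into one record per request and picks out the requests that were blocked. The sample body embeds the page's web-traffic header and value row, each on a single line as the API returns them, plus one constructed DENIED row.

```python
# Added example (not Skyhigh's code): build the Forensics API download request
# for each traffic type and parse the CSV it returns.
import base64
import csv
import io
import urllib.parse
import urllib.request
from typing import Dict, List, Optional

BASE_URL = "https://msg.mcafeesaas.com/mwg/api/reporting/forensic/"

# Extra header each traffic type needs on top of the version header (web: none).
TRAFFIC_HEADER = {"web": None, "rbi": "rbi", "pa": "pa", "firewall": "firewall"}


def build_request(customer_id: str, traffic: str, ts_from: int, ts_to: int,
                  user: str, password: str, api_version: Optional[int] = None,
                  created_from: Optional[int] = None,
                  created_to: Optional[int] = None) -> Dict[str, object]:
    """Return {'url': ..., 'headers': {...}} equivalent to the page's curl commands."""
    if traffic not in TRAFFIC_HEADER:
        raise ValueError(f"unknown traffic type: {traffic}")
    if api_version is None:
        api_version = 3 if traffic == "web" else 9
    if traffic != "web" and api_version < 9:
        # RBI, Private Access and firewall reporting require API version 9.
        raise ValueError(f"{traffic} reporting requires x-mwg-api-version 9")

    params = [("filter.requestTimestampFrom", ts_from),
              ("filter.requestTimestampTo", ts_to)]
    if created_from is not None and created_to is not None:
        # The firewall example additionally filters on the created timestamp.
        params += [("filter.createdTimestampFrom", created_from),
                   ("filter.createdTimestampTo", created_to)]
    params.append(("order.0.requestTimestamp", "asc"))
    url = BASE_URL + urllib.parse.quote(customer_id) + "?" + urllib.parse.urlencode(params)

    headers = {"Accept": "text/csv", "x-mwg-api-version": str(api_version)}
    if TRAFFIC_HEADER[traffic]:
        headers[TRAFFIC_HEADER[traffic]] = "1"
    # Equivalent of curl --user: HTTP basic authentication.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers["Authorization"] = "Basic " + token
    return {"url": url, "headers": headers}


def download(spec: Dict[str, object], timeout: float = 60.0) -> str:
    """Perform the request. TLS is verified; there is no equivalent of --insecure here."""
    req = urllib.request.Request(spec["url"], headers=spec["headers"])
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_report(csv_text: str) -> List[Dict[str, str]]:
    """Turn the CSV body into one dict per request, keyed by the header's field names.
    The first row is the header; every later row must have the same field count."""
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if r]
    if not rows:
        return []
    fields = rows[0]
    records = []
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(fields):
            raise ValueError(f"row {n}: expected {len(fields)} fields, got {len(row)}")
        records.append(dict(zip(fields, row)))
    return records


def blocked_requests(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rows the service blocked: result DENIED, or action/firewall_action BLOCK
    (the values the page's examples show for blocked requests)."""
    return [r for r in records
            if r.get("result") == "DENIED"
            or r.get("action") == "BLOCK"
            or r.get("firewall_action") == "BLOCK"]


# Constructed sample body: the page's web-traffic header and value row, each on
# one line as returned by the API, plus one made-up DENIED row.
SAMPLE_CSV = (
    '"user_id","username","source_ip","http_action","server_to_client_bytes",'
    '"client_to_server_bytes","requested_host","requested_path","result","virus",'
    '"request_timestamp_epoch","request_timestamp","uri_scheme","category","media_type",'
    '"application_type","reputation"\n'
    '"-1","name","x.x.x.x","POST","112","1024","x.x.x.x","/","OBSERVED","","1527279524",'
    '"2018-05-25 20:18:44","http","Internet Services","","","Minimal Risk"\n'
    '"-1","name","x.x.x.x","GET","0","512","x.x.x.x","/","DENIED","","1527279600",'
    '"2018-05-25 20:20:00","http","Malicious Sites","","","High Risk"\n'
)

if __name__ == "__main__":
    spec = build_request("12345678", "rbi", 1527279524, 1527283124, "<user name>", "<password>")
    print(spec["url"])
    print(spec["headers"])
    for rec in blocked_requests(parse_report(SAMPLE_CSV)):
        print(rec["request_timestamp"], rec["http_action"], rec["requested_host"], rec["result"])
```

parse_report rejects any row whose field count differs from the header, which is the check to run before loading these rows into a SIEM, since a header mismatch usually means the wrong x-mwg-api-version or traffic header was sent. download() verifies the server certificate rather than reproducing --insecure.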