Understand Data Management with Log Exports or Reporting API

Available Languages

Download Options

  • PDF     (6.6 KB)
    View with Adobe Reader on a variety of devices
Updated:September 26, 2025
Document ID:225071

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to manage data with log exports or the Reporting API in Cisco Umbrella.

    Prerequisites

    Requirements

    There are no specific requirements for this document.

    Components Used

    The information in this document is based on Cisco Umbrella.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Overview

    Umbrella is a powerful tool that gives you a lot of information about your internet traffic. Here is a simple guide to help you decide how to best consume your data:

    Use Case Granularity / Type Recommendation Considerations
    Compliance/Long term event retention Export and store all events S3: Customer- owned bucket It is possible to use Cisco Managed Bucket but information is only retained up to 30 days.
    SIEM: Event Correlation Export all events S3: Cisco-managed bucket Information is only retained up to 30 days; offloading needs to be handled.
    Dashboard KPI/Widgets Activity Search/Aggregations Reporting API Query must be well tuned as a broad query can result in timeouts.
    Generate Reports Aggregations Reporting API
    SOAR Workflow: Trigger Activity Search Reporting API Query must be well tuned as a broad query can result in timeouts.

    Additional Information

    Revision History

    Revision Publish Date Comments
    1.0
    26-Sep-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products