Anomalies Endpoint

GET /api/v2/threats returns the anomalies Cloudlock has detected: which users were involved, where the events took place, and on which platforms they occurred.

Parameters

  • limit—limit results to a specific number of threats. The maximum is 100,000.
    Example: GET /api/v2/threats?limit=200
  • start_time—limit results to threats from the last N days.
    Example: GET /api/v2/threats?start_time=30 (returns results for the last 30 days).
  • status—limit results to Dismissed or Active threats.
  • created_before—limit results to threats created before the specified date.
  • created_after—limit results to threats created after the specified date.
  • offset—the number of threats to skip before the first one returned. With offset=0 the results start from the first threat; with offset=10000 they start from the 10,001st. Combine with limit to page through large result sets.
  • order—the field to sort by. Prefix the field name with - for descending order.
    Example: GET /api/v2/threats?order=-start_time&start_time=30 (returns results for the last thirty days, newest first).
Fields

Each entry gives the JSON field name, the column name used in CSV exports, the type, a description, and an example value.

  • id (CSV: Id), integer. The Cloudlock internal identifier for a threat. Example: 1003391.
  • description (CSV: Description), string. A brief description of the anomaly. Example: Unknown user has suspicious login activity from Malaysia.
  • event_count (CSV: Anomalies Count), integer. The number of events that make up the anomaly. Example: 13.
  • threat_risk (CSV: Risk), string. The type of risk associated with the anomaly. Example: Account Compromise.
  • platforms (CSV: Platforms), array of strings. The platform(s) on which the anomaly took place. Example: ["office365"].
  • users (CSV: User emails), array of objects, each with a display_name and an email. The user(s) involved in the anomaly. Example: see the sample response below.
  • status (CSV: status), string. The status of the threat in the environment: Active or Dismissed. The JSON response returns the value in upper case, for example ACTIVE.
  • locations (CSV: countries), array of strings; may be null, as in the sample response below. Country or countries where the anomaly took place. Example: ["Malaysia"].
  • detected_at (CSV: detected at), timestamp. Anomaly detection time in UTC. Example: 2020-09-19T03:16:50.016438+00:00. In the sample response below the same value appears as created_at.

GET /api/v2/threats

  • Response 200 (application/json), first of the 50 returned items shown:
{
   "limit": 50,
   "offset": 0,
   "total": 420,
   "results": 50,
   "items": [
       {
           "status": "ACTIVE",
           "dismissed_at": null,
           "created_at": "2020-09-19T03:16:50.016438+00:00",
           "dismiss_reason": null,
           "id": 1003391,
           "short_description": "",
           "start_time": "2020-09-18T00:03:27+00:00",
           "threat_type": "suspicious_login",
           "threat_risk": "Account Compromise",
           "threat_entity": "location",
           "platforms": [
               "office365"
           ],
           "event_count": 13,
           "updated_at": "2020-09-19T03:16:50.016448+00:00",
           "end_time": "2020-09-18T10:55:36+00:00",
           "suspicious_ip": null,
           "locations": null,
           "users": [
               {
                   "display_name": "[email protected]",
                   "email": "[email protected]"
               }
           ],
           "description": "[email protected] has an abnormal frequency of suspicious login activity from India"
       }
   ]
}
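The following is an added example, not Cloudlock's own client code. It ties together the parameters list, the field table and the sample response above: it builds a validated query string, walks every page of results using offset and total, and normalises each item (users as e-mail addresses, null locations as an empty list, status in upper case as the JSON returns it). Everything not on the page is an assumption: requests are made through a caller-supplied fetch(path) callable so the code runs offline, and make_fake_fetch is a constructed stand-in for the API that serves threats shaped like the sample response.

```python
"""Helpers for GET /api/v2/threats: query building, offset paging and item parsing.

Added example, not Cloudlock's own client. Assumptions (not on the page): requests are
made by a caller-supplied ``fetch(path) -> dict`` so the code runs offline; the fake
server in make_fake_fetch is constructed test data, not real API output.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode

MAX_LIMIT = 100_000          # documented cap on ``limit``
VALID_STATUS = {"active", "dismissed"}


def build_query(limit: int = 50, offset: int = 0, start_time: Optional[int] = None,
                status: Optional[str] = None, created_before: Optional[str] = None,
                created_after: Optional[str] = None, order: Optional[str] = None) -> str:
    """Build the request path, rejecting values outside the documented ranges."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    if offset < 0:
        raise ValueError("offset must be non-negative")
    if status is not None and status.lower() not in VALID_STATUS:
        raise ValueError("status must be Active or Dismissed")
    params: Dict[str, object] = {"limit": limit, "offset": offset}
    for name, value in (("start_time", start_time), ("status", status),
                        ("created_before", created_before),
                        ("created_after", created_after), ("order", order)):
        if value is not None:
            params[name] = value
    return "/api/v2/threats?" + urlencode(params)


@dataclass
class Threat:
    id: int
    status: str
    threat_type: str
    threat_risk: str
    platforms: List[str]
    users: List[str]          # e-mail addresses only
    locations: List[str]
    event_count: int
    created_at: str
    description: str


def parse_threat(item: dict) -> Threat:
    """Normalise one ``items[]`` entry: users may be objects or plain strings,
    locations may be null, and status casing differs between the table and the sample."""
    users = [u["email"] if isinstance(u, dict) else str(u) for u in item.get("users") or []]
    return Threat(
        id=int(item["id"]),
        status=str(item.get("status", "")).upper(),
        threat_type=item.get("threat_type", ""),
        threat_risk=item.get("threat_risk", ""),
        platforms=list(item.get("platforms") or []),
        users=users,
        locations=list(item.get("locations") or []),
        event_count=int(item.get("event_count") or 0),
        created_at=item.get("created_at", ""),
        description=item.get("description", ""),
    )


def iter_threats(fetch: Callable[[str], dict], limit: int = 50, **filters) -> Iterator[Threat]:
    """Walk every page using offset/total; an empty page also ends the loop so the
    client cannot spin if ``total`` shrinks while paging."""
    offset = 0
    while True:
        page = fetch(build_query(limit=limit, offset=offset, **filters))
        items = page.get("items") or []
        for item in items:
            yield parse_threat(item)
        offset += len(items)
        if not items or offset >= int(page.get("total", 0)):
            break


def make_fake_fetch(n: int) -> Callable[[str], dict]:
    """Constructed stand-in for the API: ``n`` threats shaped like the sample response."""
    store = [{"id": i, "status": "ACTIVE" if i % 3 else "DISMISSED",
              "threat_type": "suspicious_login", "threat_risk": "Account Compromise",
              "platforms": ["office365"], "event_count": i % 20,
              "created_at": "2020-09-19T03:16:50+00:00", "locations": None,
              "users": [{"display_name": f"user{i}@example.com",
                         "email": f"user{i}@example.com"}],
              "description": f"user{i}@example.com has suspicious login activity"}
             for i in range(1, n + 1)]

    def fetch(path: str) -> dict:
        qs = parse_qs(path.split("?", 1)[1])
        limit, offset = int(qs["limit"][0]), int(qs["offset"][0])
        wanted = qs.get("status", [None])[0]
        rows = [r for r in store if wanted is None or r["status"] == wanted.upper()]
        items = rows[offset:offset + limit]
        return {"limit": limit, "offset": offset, "total": len(rows),
                "results": len(items), "items": items}
    return fetch


def active_emails(fetch: Callable[[str], dict]) -> List[str]:
    """Example use: distinct e-mail addresses on every Active threat, in first-seen order."""
    seen: List[str] = []
    for t in iter_threats(fetch, limit=50, status="Active"):
        for email in t.users:
            if email not in seen:
                seen.append(email)
    return seen
```

To run against the real service, replace make_fake_fetch with a function that performs the HTTP GET with your credentials and returns the decoded JSON body; the paging and parsing logic stays the same. Keep limit well below the 100,000 maximum in practice, since total in the first page tells you how many requests remain and smaller pages keep any single failed request cheap to retry.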
