
Anomalies Endpoint

The API returns information about anomalies such as users involved, where the events took place, and what platforms they occurred in.


  • limit—limit results to a specific number. The maximum number of results is 100,000.
    Example: GET /api/v2/threats?limit=200
  • start_time—limit results to a specific number of days.
    Example: GET /api/v2/threats?start_time=30 (returns results for the last 30 days).
  • status—limit results to Dismissed or Active.
  • created_before—limit results to threats created before a specified date.
  • created_after—limit results to threats created after a specified date.
  • offset—skip the specified number of threats. For example, if offset=0, all threats are returned from the beginning. If offset=10000, threats are returned starting from the 10001st.
  • order—specify the order in which threats are listed.
    Example: GET /api/v2/threats?order=-start_time&start_time=30 (returns results for last thirty days starting with today).

| JSON Field | CSV Field | Type | Description | Example |
|---|---|---|---|---|
| id | Id | Integer | This is the Cloudlock Internal Identifier for a threat. | G8qz0vb49V |
| description | Description | string | A brief description of the anomaly. | Unknown user has suspicious login activity from Malaysia. |
| event_count | Anomalies Count | string | The number of events that occurred in the anomaly. | 13 |
| threat_risk | Risk | string | The type of risk associated with the anomaly. | Account Compromise |
| platforms | Platforms | string | Which platform the anomaly took place in. | office365 |
| users | User emails | string | The user(s) email(s) involved in the anomaly. | [email protected] |
| status | status | string | The status of the threat in the environment. | Active or Dismissed |
| locations | countries | string | Country or countries where the anomaly took place. | Malaysia |
| detected_at | detected at | timestamp | Anomaly detection time in UTC. | 2020-09-19T03:16:50.016438+00:00 |

GET /api/v2/threats

  • Response 200 (application/json)
   {
     "limit": 50,
     "offset": 0,
     "total": 420,
     "results": 50,
     "items": [
       {
         "status": "ACTIVE",
         "dismissed_at": null,
         "created_at": "2020-09-19T03:16:50.016438+00:00",
         "dismiss_reason": null,
         "id": 1003391,
         "short_description": "",
         "start_time": "2020-09-18T00:03:27+00:00",
         "threat_type": "suspicious_login",
         "threat_risk": "Account Compromise",
         "threat_entity": "location",
         "platforms": [
         ],
         "event_count": 13,
         "updated_at": "2020-09-19T03:16:50.016448+00:00",
         "end_time": "2020-09-18T10:55:36+00:00",
         "suspicious_ip": null,
         "locations": null,
         "users": [
           {
             "display_name": "[email protected]",
             "email": "[email protected]"
           }
         ],
         "description": "[email protected] has an abnormal frequency of suspicious login activity from India"
       }
     ]
   }
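
An added example, not part of the Cloudlock documentation: paging through GET /api/v2/threats with limit and offset until the reported total is reached, then counting ACTIVE threats per user and risk type for triage. The fetch hook, the helper names, and the sample records are assumptions; a real client supplies the HTTP call and authentication through fetch.

```python
from collections import Counter
from urllib.parse import parse_qs, urlencode, urlparse

THREATS_PATH = "/api/v2/threats"  # endpoint path from the page

def build_query(limit, offset, **filters):
    """Path plus query string for one page; filters are the parameters listed above."""
    return THREATS_PATH + "?" + urlencode({"limit": limit, "offset": offset, **filters})

def iter_threats(fetch, limit=100, **filters):
    """Yield every item, advancing offset until the reported total is reached.
    fetch(path) -> dict is an assumed transport hook (HTTP client plus auth)."""
    offset = 0
    while True:
        page = fetch(build_query(limit, offset, **filters))
        items = page.get("items") or []
        yield from items
        offset += len(items)
        # Stop on an empty page too, so a total that shrinks mid-run cannot loop forever.
        if not items or offset >= page.get("total", 0):
            return

def active_by_user(threats):
    """Count ACTIVE threats per (email, threat_risk); 'users' may be null."""
    counts = Counter()
    for t in threats:
        if t.get("status") != "ACTIVE":
            continue
        for u in t.get("users") or []:
            counts[(u.get("email"), t.get("threat_risk"))] += 1
    return counts

# Constructed records standing in for API output; the DISMISSED spelling is assumed.
SAMPLE = [{"id": i, "status": "ACTIVE" if i % 2 else "DISMISSED",
           "threat_risk": "Account Compromise",
           "users": None if i == 3 else [{"email": f"user{i % 3}@example.com"}]}
          for i in range(1, 8)]

def fake_fetch(path):
    """Constructed stand-in for the server; honours only limit and offset."""
    q = parse_qs(urlparse(path).query)
    limit, offset = int(q["limit"][0]), int(q["offset"][0])
    items = SAMPLE[offset:offset + limit]
    return {"limit": limit, "offset": offset, "total": len(SAMPLE),
            "results": len(items), "items": items}

if __name__ == "__main__":
    print(active_by_user(iter_threats(fake_fetch, limit=3)))
```

Filters such as status, start_time, or order are passed as keyword arguments to iter_threats and are sent unchanged on every page request.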