Anomalies Endpoint

The API returns information about anomalies such as users involved, where the events took place, and what platforms they occurred in.

Parameters

limit—limit results to a specific number. The maximum number of results is 100,000.
Example: GET /api/v2/threats?limit=200
start_time—limit results to a specific number of days.
Example: GET /api/v2/threats?start_time=30 (returns results for the last 30 days).
status—limit results to Dismissed or Active.
created_before—limit results to threats created before a specified date.
created_after—limit results to threats created after a specified date.
offset—Limit the number of threats that must be skipped. For example, if offset=0, all threats will be returned from the beginning. If offset=10000, all threats starting from the 10001st will be returned.
order—Specify an order the threats should be listed as.
Example:GET /api/v2/threats?order=-start_time&start_time=30 (returns results for last thirty days starting with today).

JSON Field	CSV Field	Type	Description	Example
id	Id	Integer	This is the Cloudlock Internal Identifier for a threat.	G8qz0vb49V
description	Description	string	A brief description of the anomaly.	Unknown user has suspicious login activity from Malaysia.
event_count	Anomalies Count	string	The number of events that occurred in the anomaly.	13
threat_risk	Risk	string	The type of risk associated with the anomaly.	Account Compromise
platforms	Platforms	string	Which platform the anomaly took place in.	office365
users	User emails	string	The user(s) email(s) involved in the anomaly.	[email protected]
status	status	string	The status of the threat in the environment.	Active or Dismissed
locations	countries	string	Country or countries where the anomaly took place.	Malaysia
detected_at	detected at	timestamp	Anomaly detection time in UTC.	2020-09-19T03:16:50.016438+00:00

GET /api/v2/threats

Response 200 (application/json)

{
   "limit": 50,
   "offset": 0,
   "total": 420,
   "results": 50,
   "items": [
       {
           "status": "ACTIVE",
           "dismissed_at": null,
           "created_at": "2020-09-19T03:16:50.016438+00:00",
           "dismiss_reason": null,
           "id": 1003391,
           "short_description": "",
           "start_time": "2020-09-18T00:03:27+00:00",
           "threat_type": "suspicious_login",
           "threat_risk": "Account Compromise",
           "threat_entity": "location",
           "platforms": [
               "office365"
           ],
           "event_count": 13,
           "updated_at": "2020-09-19T03:16:50.016448+00:00",
           "end_time": "2020-09-18T10:55:36+00:00",
           "suspicious_ip": null,
           "locations": null,
           "users": [
               {
                   "display_name": "[email protected]",
                   "email": "[email protected]"
               }
           ],
           "description": "[email protected] has an abnormal frequency of suspicious login activity from India"
       },