Security Activity Report

GET /v1/organizations/{organizationId}/security-activity

Provides detailed blocked security activity events from an organization.

This endpoint currently returns data for the last 24 hours for a single child organization and can return a maximum of 500 results in a single query. The organization's "organizationId" must be specified in the query string.

Request Parameters

The security activity endpoint accepts the following parameters:



from 1 to 500, the number of results to return. If not specified, the default is 100.



the start of the time window for which results are shown. Specified as Unix (epoch) timestamp in seconds.



the stop of the time window for which results are shown. Specified as Unix (epoch) timestamp in seconds.



used for pagination and gathered from the output of the previous query. Specified as Unix (epoch) timestamp in milliseconds.

Sample query:

curl -i -X GET --url<organizationId>/security-activity --header 'Authorization: Basic %base64string%'

Sample query with parameters applied

curl -i -X GET --url{organizationId}/security-activity?limit=2&start=1512432000&end=1512518400 --header 'Authorization: Basic %base64string%'

The query above returns the first two security results from the window between the two timestamps.

Please Note

The above query will only return blocked events.

Sample response:

curl --include \
     --header "Authorization: Basic %base64string%" \{organizationId}/security-activity
RESPONSE (HTTP 200, Content-Type: application/json)
{
  "requests": [
    {
      "originId": 105489403,
      "internalIp": "",
      "externalIp": "",
      "destination": "",
      "originLabel": "IDENTITY-NAME-GOES-HERE",
      "categories": [
        ...
      ],
      "originType": "Roaming Computers",
      "actionTaken": "BLOCKED",
      "datetime": "2017-11-15T06:34:27.841Z"
    }
  ]
}

The JSON payload contains one entry per security event, in descending order from newest to oldest.

Returned Values For Output


originId

the numerical identifier for the identity making the request.

internalIp

the internal IP address of the computer making the request; this can be the same as the external IP if no identity granularity is present.

externalIp

the external IP or egress IP of the network from which the request was made.

originLabel

the name of the Umbrella Identity (as seen in the dashboard) that performed the request.

categories

the security categories (only) that this request was blocked under. It is possible for a request to have triggered more than one category.

originType

the type of Identity—Roaming Computer, Network, AnyConnect Roaming Module, etc.

actionTaken

Blocked. At this time the Security Activity endpoint only reports blocked events.

datetime

the time at which the security activity event occurred, in UTC.

destination

the destination to which this request was made.
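Triage example (added here, not part of the original documentation): the sketch below groups a response payload by identity so repeated blocks from one machine stand out. The payload is constructed sample data in the documented shape, and the function names and the threshold are assumptions made for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed payload in the documented response shape; all values are made up.
SAMPLE = json.loads("""
{"requests": [
  {"originId": 1001, "internalIp": "10.0.0.5", "externalIp": "192.0.2.10",
   "destination": "bad.example.test", "originLabel": "LAPTOP-A", "categories": ["Malware", "Phishing"],
   "originType": "Roaming Computers", "actionTaken": "BLOCKED", "datetime": "2017-11-15T06:34:27.841Z"},
  {"originId": 1001, "internalIp": "10.0.0.5", "externalIp": "192.0.2.10",
   "destination": "bad.example.test", "originLabel": "LAPTOP-A", "categories": ["Malware"],
   "originType": "Roaming Computers", "actionTaken": "BLOCKED", "datetime": "2017-11-15T06:30:02.100Z"},
  {"originId": 2002, "internalIp": "192.0.2.10", "externalIp": "192.0.2.10",
   "destination": "c2.example.test", "originLabel": "HQ-NETWORK", "categories": ["Command and Control"],
   "originType": "Network", "actionTaken": "BLOCKED", "datetime": "2017-11-15T05:10:00.000Z"}
]}
""")

def parse_utc(value):
    """Parse the documented UTC 'datetime' string into a timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def summarize(payload):
    """Group blocked events by originId: counts, categories, destinations, time span."""
    summary = {}
    for event in payload.get("requests", []):
        entry = summary.setdefault(event["originId"], {
            "label": event["originLabel"], "type": event["originType"],
            "events": 0, "categories": Counter(), "destinations": set(),
            "first_seen": None, "last_seen": None, "ip_granular": False})
        when = parse_utc(event["datetime"])
        entry["events"] += 1
        entry["categories"].update(event.get("categories", []))  # one event may carry several
        entry["destinations"].add(event["destination"])
        entry["first_seen"] = min(entry["first_seen"] or when, when)
        entry["last_seen"] = max(entry["last_seen"] or when, when)
        # internalIp equals externalIp when no identity granularity is present
        entry["ip_granular"] |= event["internalIp"] != event["externalIp"]
    return summary

def repeat_offenders(summary, threshold=2):
    """Labels of identities with at least `threshold` blocked events (hypothetical cutoff)."""
    return sorted(s["label"] for s in summary.values() if s["events"] >= threshold)
```
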

