GET /v1/organizations/{organizationId}/security-activity
Provides detailed blocked security activity events from an organization.
This endpoint currently returns data for the last 24 hours for a single child organization and returns a maximum of 500 results in a single query. The organization's "organizationId" must be specified in the request URL.
Request Parameters
The security activity endpoint accepts the following parameters:

limit (integer)
    The number of results to return, from 1 to 500. If not specified, the default is 100.
start (integer)
    The start of the time window for which results are shown, specified as a Unix (epoch) timestamp in seconds.
stop (integer)
    The end of the time window for which results are shown, specified as a Unix (epoch) timestamp in seconds.
stopTimestamp (integer)
    Used for pagination; taken from the output of the previous query. Specified as a Unix (epoch) timestamp in milliseconds.
Sample query (the URL is quoted so the shell does not interpret the placeholder brackets or the `&` separators):
curl -i -X GET --url 'https://reports.api.umbrella.com/v1/organizations/{organizationId}/security-activity' --header 'Authorization: Basic %base64string%'
Sample query with parameters applied:
curl -i -X GET --url 'https://reports.api.umbrella.com/v1/organizations/{organizationId}/security-activity?limit=2&start=1512432000&end=1512518400' --header 'Authorization: Basic %base64string%'
The query above returns the first two security results from within the given time window.
Please Note
The above query will only return blocked events.
Sample response:
curl --include \
  --header "Authorization: Basic %base64string%" \
  'https://reports.api.umbrella.com/v1/organizations/{organizationId}/security-activity'

{
  "requests": [
    {
      "originId": 105489403,
      "internalIp": "192.168.64.5",
      "externalIp": "59.102.103.63",
      "destination": "some-bad-website.com",
      "originLabel": "IDENTITY-NAME-GOES-HERE",
      "categories": [
        "Malware"
      ],
      "originType": "Roaming Computers",
      "actionTaken": "BLOCKED",
      "datetime": "2017-11-15T06:34:27.841Z"
    },
    {...},
    {...}
  ]
}
The JSON payload contains one object per security event, in descending order from newest to oldest.
Returned Values For Output

originId
    The numerical identifier of the identity that made the request.
internalIp
    The internal IP address of the computer that made the request; this can be the same as the external IP if no identity granularity is present.
externalIp
    The external (egress) IP address of the network from which the request was made.
originLabel
    The name of the Umbrella Identity (as seen in the dashboard) that made the request.
categories
    The security categories (only) under which this request was blocked. A single request can trigger more than one category.
originType
    The type of Identity: Roaming Computer, Network, AnyConnect Roaming Module, etc.
actionTaken
    BLOCKED. At this time the Security Activity endpoint only reports blocked events.
datetime
    The time at which the security activity event occurred, in UTC.
destination
    The destination to which the request was made.
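As an added example (not part of the Umbrella documentation), the following Python builds a request for this endpoint with the documented bounds checked up front, summarizes a constructed response by identity and security category for triage, and derives the oldest event's epoch-millisecond timestamp for paging. It assumes that the Basic credential is base64 of `key:secret` and that the oldest event's millisecond timestamp is the value `stopTimestamp` expects; the page states neither.

```python
import base64
import json
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlencode

BASE_URL = "https://reports.api.umbrella.com/v1/organizations"


def build_request(org_id, api_key, api_secret, start, stop, limit=100):
    """Return (url, headers) for one security-activity query.
    Assumption: the Basic credential is base64("key:secret"); the page only
    shows it as %base64string%. Documented bounds are checked before any call."""
    if not 1 <= limit <= 500:
        raise ValueError("limit must be between 1 and 500")
    if start >= stop:
        raise ValueError("start must be earlier than stop (epoch seconds)")
    query = urlencode({"limit": limit, "start": start, "stop": stop})
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return (f"{BASE_URL}/{org_id}/security-activity?{query}",
            {"Authorization": f"Basic {token}"})


def summarize(payload):
    """Count blocked events per identity (originLabel) and per category."""
    by_identity, by_category = Counter(), Counter()
    for event in payload["requests"]:
        if event.get("actionTaken") != "BLOCKED":
            continue  # the endpoint only returns blocks, but check anyway
        by_identity[event["originLabel"]] += 1
        for category in event["categories"]:
            by_category[category] += 1
    return by_identity, by_category


def oldest_event_ms(payload):
    """Epoch milliseconds of the last (oldest) event; results are newest-first.
    Assumption: this is the value to pass as stopTimestamp for the next page."""
    stamp = payload["requests"][-1]["datetime"]
    dt = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1000 + dt.microsecond // 1000


# Constructed sample response in the shape of the page's example (not real data).
SAMPLE = json.loads("""{"requests": [
 {"originId": 105489404, "internalIp": "192.168.64.9", "externalIp": "59.102.103.63",
  "destination": "phish.example", "originLabel": "LAPTOP-B", "categories":
  ["Phishing", "Malware"], "originType": "Roaming Computers",
  "actionTaken": "BLOCKED", "datetime": "2017-11-15T06:40:01.000Z"},
 {"originId": 105489403, "internalIp": "192.168.64.5", "externalIp": "59.102.103.63",
  "destination": "some-bad-website.com", "originLabel": "LAPTOP-A", "categories":
  ["Malware"], "originType": "Roaming Computers",
  "actionTaken": "BLOCKED", "datetime": "2017-11-15T06:34:27.841Z"}]}""")
```

Send the returned URL and headers with any HTTP client; `ORG_ID` and the key/secret are whatever your Umbrella tenant issues.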