The OpenDNS Network Devices API Developer Hub


Security Activity Report

GET /v1/organizations/{organizationId}/security-activity

Provides detailed blocked security activity events from an organization.

This endpoint currently returns data for the last 24 hours for a single child organization and can return a maximum of 500 results in a single query. The organization's "organizationId" must be specified in the query string.

Request Parameters

The security activity endpoint accepts the following parameters:

limit (integer): from 1 to 500, the number of results to return. If not specified, the default is 100.

start (integer): the start of the time window for which results are shown. Specified as a Unix (epoch) timestamp in seconds.

stop (integer): the end of the time window for which results are shown. Specified as a Unix (epoch) timestamp in seconds.

stopTimestamp (integer): used for pagination and gathered from the output of the previous query. Specified as a Unix (epoch) timestamp in milliseconds.

Sample query:

curl -i -X GET --url 'https://reports.api.umbrella.com/v1/organizations/{organizationId}/security-activity' --header 'Authorization: Basic %base64string%'

Sample query with parameters applied:

curl -i -X GET --url 'https://reports.api.umbrella.com/v1/organizations/{organizationId}/security-activity?limit=2&start=1512432000&stop=1512518400' --header 'Authorization: Basic %base64string%'

The query above would return the first two security results between the start and stop timestamps.

Please Note

The above query will only return blocked events.

Sample response:

GET https://reports.api.umbrella.com/v1/organizations/{organizationId}/security-activity
REQUEST
curl --include \
     --header "Authorization: Basic %base64string%" \
     https://reports.api.umbrella.com/v1/organizations/{organizationId}/security-activity

RESPONSE (HTTP 200, Content-Type: application/json)
{
  "requests": [
    {
      "originId": 105489403,
      "internalIp": "192.168.64.5",
      "externalIp": "59.102.103.63",
      "destination": "some-bad-website.com",
      "originLabel": "IDENTITY-NAME-GOES-HERE",
      "categories": [
        "Malware"
      ],
      "originType": "Roaming Computers",
      "actionTaken": "BLOCKED",
      "datetime": "2017-11-15T06:34:27.841Z"
    },
    {...},
    {...}
  ]
}


The JSON payload contains one entry per security event, in descending order from newest to oldest.

Returned Values For Output

originId: the numerical identifier for the identity making the request.

internalIp: the internal IP address of the computer making the request; this can be the same as the external IP if no identity granularity is present.

externalIp: the external IP or egress IP of the network from which the request was made.

originLabel: the name of the Umbrella Identity (as seen in the dashboard) that performed the request.

categories: the security categories (only) that this request was blocked under. It is possible for a request to have triggered more than one category.

originType: the type of Identity: Roaming Computer, Network, AnyConnect Roaming Module, etc.

actionTaken: Blocked. At this time the Security Activity endpoint only reports blocked events.

datetime: the time at which the security activity event occurred, in UTC.

destination: the destination to which this request was made.
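
Added example (not part of the original Umbrella documentation): a Python client that collects every blocked event in a time window by following the stopTimestamp pagination and the newest-to-oldest ordering described above. It assumes that the next page's stopTimestamp is the datetime of the oldest event on the previous page converted to epoch milliseconds, and that the boundary is inclusive, so overlapping events are de-duplicated. The names http_fetch, event_key, iter_blocked_events, fake_fetch and SAMPLE are chosen here; SAMPLE and fake_fetch are constructed stand-ins so the example runs offline.

```python
import json, urllib.parse, urllib.request
from datetime import datetime, timedelta, timezone

URL = "https://reports.api.umbrella.com/v1/organizations/{org}/security-activity"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def to_epoch_ms(iso_utc):
    """'2017-11-15T06:34:27.841Z' -> 1510727667841 (integer math, no float rounding)."""
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return (dt - EPOCH) // timedelta(milliseconds=1)

def http_fetch(org_id, basic_b64):  # returns a fetch(params) that performs the real GET
    def fetch(params):
        url = URL.format(org=org_id) + "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + basic_b64})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["requests"]
    return fetch

def event_key(e):
    # The page documents no unique event id, so identify an event by its fields.
    return (e["datetime"], e["originId"], e["destination"], e["internalIp"])

def iter_blocked_events(fetch, start, stop, limit=500):
    """Yield each blocked event once, newest first, across all pages."""
    params, seen = {"limit": limit, "start": start, "stop": stop}, set()
    while True:
        page = fetch(params)
        fresh = [e for e in page if event_key(e) not in seen]
        for e in fresh:
            seen.add(event_key(e))
            yield e
        if len(page) < limit or not fresh:  # short page: done; no new events: avoid looping
            return
        # ASSUMPTION: the cursor is the oldest event on this page, boundary inclusive.
        params["stopTimestamp"] = to_epoch_ms(page[-1]["datetime"])

# Constructed sample events (pairs share a timestamp) and an offline stand-in for the API.
SAMPLE = [{"originId": 105489403, "internalIp": "192.168.64.5",
           "destination": "host%d.example" % i, "actionTaken": "BLOCKED",
           "datetime": "2017-11-15T06:34:%02d.841Z" % (27 - i // 2)} for i in range(7)]

def fake_fetch(params):
    cursor = params.get("stopTimestamp", params["stop"] * 1000)
    hits = [e for e in SAMPLE if to_epoch_ms(e["datetime"]) <= cursor]
    return hits[:params["limit"]]

if __name__ == "__main__":
    for ev in iter_blocked_events(fake_fetch, 1510704000, 1510790400, limit=3):
        print(ev["datetime"], ev["destination"], ev["actionTaken"])
```

Against the real endpoint, pass http_fetch(org_id, basic_b64) in place of fake_fetch. If a full page consists only of events already seen, the generator stops instead of requesting the same page forever.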

Updated 4 months ago
