
Activity API

Activity

The Activity worker provides information regarding security events on a customer’s network for either hosts or IPs. This includes hits against customer custom lists and policies.


Data Structure:

{
"results": {
"dns": [
{
"type": string,
"timestamp": string,
"qname": string,
"opcode": string,
"rcode": string,
"response": string,
"qip": string,
"policy_id": string,
"device_name": string,
"user": string,
"network": string,
"query_type": string
},...
],
"security": [
{
"type": string,
"timestamp": string,
"qname": string,
"opcode": string,
"qip": string,
"policy_id": string,
"severity": string,
"tclass": string,
"tproperty": string,
"confidence": string,
"feed_name": string,
"feed_type": string,
"device_name": string,
"user": string,
"network": string,
"country": string,
"policy_name": string,
"policy_action": string,
"query_type": string
},...
]
}
}


Example:

Given an indicator of “google.com”, Activity will return the following:

{
"results": {
"dns": [
{
"type": "1",
"timestamp": "1595868534",
"qname": "google.com",
"opcode": "0",
"rcode": "0",
"response": "172.253.63.139",
"qip": "22.123.32.33",
"policy_id": "288337",
"device_name": "22.123.32.33",
"user": "unknown",
"network": "test_net",
"query_type": "A"
},...
],
"security": [
{
"type": "2",
"timestamp": "1595868603",
"qname": "google.com.",
"opcode": "0",
"qip": "22.123.32.33",
"policy_id": "288337",
"severity": "Low",
"tclass": "Low",
"tproperty": "dummy",
"confidence": "High",
"feed_name": "dummy",
"feed_type": "FQDN",
"device_name": "22.123.32.33",
"user": "unknown",
"network": "test_net",
"country": "unknown",
"policy_name": "test_pol",
"policy_action": "Block",
"query_type": "A"
},...
]
}
}
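The following is an added Python example, not code from the Activity API documentation, showing how a consumer would parse the "results" object above and turn it into something an analyst can act on: it normalizes the qname (the page's own example returns "google.com" in the dns array and "google.com." in the security array), converts the string timestamps to UTC, counts hits by severity and policy_action, lists high-severity hits whose policy did not block the query, and joins each security hit to the DNS answers the client actually received. The sample response is constructed from the page's example plus one invented second security record; the severity ordering (Low < Medium < High) is an assumption, since the page only shows "Low" and "High".

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the shape of the Activity worker's "results" object.
# The first record in each array mirrors the page's google.com example; the
# second security record is invented so the summary has two actions to compare.
SAMPLE_RESPONSE = json.dumps({
    "results": {
        "dns": [
            {"type": "1", "timestamp": "1595868534", "qname": "google.com",
             "opcode": "0", "rcode": "0", "response": "172.253.63.139",
             "qip": "22.123.32.33", "policy_id": "288337",
             "device_name": "22.123.32.33", "user": "unknown",
             "network": "test_net", "query_type": "A"},
        ],
        "security": [
            {"type": "2", "timestamp": "1595868603", "qname": "google.com.",
             "opcode": "0", "qip": "22.123.32.33", "policy_id": "288337",
             "severity": "Low", "tclass": "Low", "tproperty": "dummy",
             "confidence": "High", "feed_name": "dummy", "feed_type": "FQDN",
             "device_name": "22.123.32.33", "user": "unknown",
             "network": "test_net", "country": "unknown",
             "policy_name": "test_pol", "policy_action": "Block",
             "query_type": "A"},
            {"type": "2", "timestamp": "1595868700", "qname": "example.test.",
             "opcode": "0", "qip": "22.123.32.34", "policy_id": "288338",
             "severity": "High", "tclass": "Malware", "tproperty": "dummy",
             "confidence": "Medium", "feed_name": "dummy", "feed_type": "FQDN",
             "device_name": "host-b", "user": "unknown",
             "network": "test_net", "country": "unknown",
             "policy_name": "log_only", "policy_action": "Log",
             "query_type": "A"},
        ],
    }
})

# Assumed ordering of the severity strings; the page only shows "Low" and "High".
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


def normalize_qname(qname):
    """Lower-case and strip the trailing dot so 'google.com.' and
    'google.com' (both appear in the page's example) compare equal."""
    return qname.strip().lower().rstrip(".")


def parse_activity(raw):
    """Parse the worker's JSON text into (dns_events, security_events).
    Every field is a string in the documented schema, so timestamps are
    converted here; a missing array is treated as empty rather than an error."""
    results = json.loads(raw).get("results", {})
    dns = list(results.get("dns") or [])
    security = list(results.get("security") or [])
    for ev in dns + security:
        ev["qname"] = normalize_qname(ev.get("qname", ""))
        ev["time_utc"] = datetime.fromtimestamp(
            int(ev["timestamp"]), tz=timezone.utc).isoformat()
    return dns, security


def summarize_security(security):
    """Count security hits by severity and by policy action."""
    return {
        "by_severity": dict(Counter(ev.get("severity", "unknown") for ev in security)),
        "by_action": dict(Counter(ev.get("policy_action", "unknown") for ev in security)),
    }


def unblocked_hits(security, min_severity="High"):
    """Return (qname, device_name, policy_name) for hits at or above
    min_severity whose policy did not block the query: these are the events
    an analyst still has to act on, since the DNS answer reached the host."""
    threshold = SEVERITY_RANK[min_severity]
    return [
        (ev["qname"], ev.get("device_name"), ev.get("policy_name"))
        for ev in security
        if SEVERITY_RANK.get(ev.get("severity"), 0) >= threshold
        and ev.get("policy_action") != "Block"
    ]


def correlate_dns(dns, security):
    """Map each security hit's qname to the DNS answers for the same name,
    so the analyst can see what the client received (the 'response' field
    exists only on the dns side of the schema)."""
    by_name = {}
    for ev in dns:
        by_name.setdefault(ev["qname"], []).append(ev.get("response"))
    return {ev["qname"]: by_name.get(ev["qname"], []) for ev in security}


if __name__ == "__main__":
    dns, sec = parse_activity(SAMPLE_RESPONSE)
    print(summarize_security(sec))
    print(unblocked_hits(sec))
    print(correlate_dns(dns, sec))
```

Because every value in the schema is a string, the parser is the right place to convert timestamps and to normalize names; downstream code that compares the dns and security arrays without stripping the trailing dot will silently miss matches.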