McAfee Enterprise MVISION Cloud

About the Anomalous Activity API

The Anomalous Activity API is a REST endpoint that fetches the activities associated with a given anomaly ID. The activity data it returns is stored in chunks and applies to both the tenant and the incident.

IMPORTANT: This feature is controlled by an LD feature flag and must be enabled by engineering. For assistance, contact MVISION Cloud Support.

Activities Availability

  • Activities are made available 12 hours after an incident is created.
  • Activities are available for incidents created in the last 15 days.
  • The API returns the latest 100,000 activities for an anomaly.

REST Endpoint

REQUEST
POST <dashboardURL>/shnapi/rest/external/api/v1/queryActivities
{
  "incident_id": <anomalyId>
}
Auth required

Mandatory Fields

  • The API requires authentication. The tenantId is derived from the user credentials or access token.
  • Basic, Access Token, and IAM token authentication are supported.
  • The incident_id values for anomalies are listed under Incidents > User Activity > Activity Monitoring on the Anomalies tab. Select an anomaly from the list to see its Anomaly ID in the severity bar of the Anomaly Details section on the right.

Other Details

  • A clear message is produced if a feature is not enabled for a tenant.

    {
    "code": 401,
    "message": "Feature is not enabled for this tenant"
    }
  • If the feature flag has been turned on for the last x days, and the request comes in for y (where x < y < 15), all available data is shared.
  • No activities are returned if no anomaly exists for the provided incident ID, or if the anomaly has no activities in the last 15 days.

Example of a Response for a Successful Call

Response Sample: SUCCESS 200 OK

timeStamp,accountId,actionName,asn,asnName,city,clientCategory,clientName,clientOS,collabGroup,collabGroupAndTarget,count,country,cspId,deviceManaged,directory,downloadBytes,eventCount,fileFolderPath,fileName,fileOwner,fileSharingEnabled,fileSize,fileType,geoOrgNameV1,httpMethod,instanceId,isSourceTrusted,locationId,monitoringStatusMetric,networkType,noOfObjects,objectType,operation,profile,proxyDescription,proxyServerTime,proxyTotalTime,proxyType,region,serviceName,shnProcessTimestamp,siteUrl,sourceIP,sourceIdentifier,subCspId,targetId,targetType,tenantId,threatCategory,trustEntity,trustReason,uploadBytes,url,user,userCount

1596831780000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",8987,"amazon data services ireland ltd","san francisco",,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,"san francisco::US::ca",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,ca,Box,0,,96.127.68.39,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596832800000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.",portland,,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,portland::US::or,0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,or,Box,0,,35.164.38.128,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596827940000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.","frankfurt am main",,,,reallymymail.com,,1,DE,4080,false,true,0,1,,,,false,,,"a100 row gmbh",,11253,true,"frankfurt am main::DE::he",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,he,Box,0,,3.120.8.62,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596828000000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",8987,"amazon data services ireland ltd","san francisco",,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,"san francisco::US::ca",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,ca,Box,0,,96.127.68.39,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596828900000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.",portland,,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,portland::US::or,0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,or,Box,0,,35.164.38.128,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596830460000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.","frankfurt am main",,,,reallymymail.com,,1,DE,4080,false,true,0,1,,,,false,,,"a100 row gmbh",,11253,true,"frankfurt am main::DE::he",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,he,Box,0,,3.120.8.62,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596831480000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.","frankfurt am main",,,,reallymymail.com,,1,DE,4080,false,true,0,1,,,,false,,,"a100 row gmbh",,11253,true,"frankfurt am main::DE::he",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,he,Box,0,,3.120.8.62,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596831480000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.","frankfurt am main",,,,reallymymail.com,,1,DE,4080,false,true,0,1,,,,false,,,"a100 row gmbh",,11253,true,"frankfurt am main::DE::he",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,he,Box,0,,35.157.197.205,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596831720000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",8987,"amazon data services ireland ltd","san francisco",,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,"san francisco::US::ca",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,ca,Box,0,,96.127.68.39,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596831780000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.","frankfurt am main",,,,reallymymail.com,,1,DE,4080,false,true,0,1,,,,false,,,"a100 row gmbh",,11253,true,"frankfurt am main::DE::he",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,he,Box,0,,35.157.197.205,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596832800000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.",portland,,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,portland::US::or,0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,or,Box,0,,54.202.98.56,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==
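The following is an added example client, not code from the MVISION Cloud documentation or product. It builds the POST request shown above, maps the documented 401 "Feature is not enabled for this tenant" body to an exception, parses the CSV response (including the blank-line-separated rows in the sample) into records, converts the millisecond timeStamp to UTC, and summarises the activities by any combination of columns, which is the first thing an analyst wants when triaging an anomaly (which source IPs and countries the authentications came from). It assumes the access token is sent as a bearer header and that the dashboard URL and token are supplied by the caller; neither detail is stated on this page. The embedded sample is the header plus three rows from the 200 OK response above.

```python
"""Added example client for the Anomalous Activity API (not the product's code).

Assumptions not stated on the page: the access token is sent as a bearer
token, and the dashboard URL and token are supplied by the caller."""
import csv
import json
import urllib.error
import urllib.request
from collections import Counter
from datetime import datetime, timezone

QUERY_PATH = "/shnapi/rest/external/api/v1/queryActivities"  # endpoint from the page

# Header and three rows copied from the documentation's 200 OK sample.
SAMPLE_CSV = '''timeStamp,accountId,actionName,asn,asnName,city,clientCategory,clientName,clientOS,collabGroup,collabGroupAndTarget,count,country,cspId,deviceManaged,directory,downloadBytes,eventCount,fileFolderPath,fileName,fileOwner,fileSharingEnabled,fileSize,fileType,geoOrgNameV1,httpMethod,instanceId,isSourceTrusted,locationId,monitoringStatusMetric,networkType,noOfObjects,objectType,operation,profile,proxyDescription,proxyServerTime,proxyTotalTime,proxyType,region,serviceName,shnProcessTimestamp,siteUrl,sourceIP,sourceIdentifier,subCspId,targetId,targetType,tenantId,threatCategory,trustEntity,trustReason,uploadBytes,url,user,userCount

1596831780000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",8987,"amazon data services ireland ltd","san francisco",,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,"san francisco::US::ca",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,ca,Box,0,,96.127.68.39,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596832800000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.",portland,,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,portland::US::or,0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,or,Box,0,,35.164.38.128,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596827940000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.","frankfurt am main",,,,reallymymail.com,,1,DE,4080,false,true,0,1,,,,false,,,"a100 row gmbh",,11253,true,"frankfurt am main::DE::he",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,he,Box,0,,3.120.8.62,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==
'''


class FeatureNotEnabled(Exception):
    """The tenant's LD flag is off: the documented 401 JSON body was returned."""


def build_request(dashboard_url: str, anomaly_id: str, access_token: str) -> urllib.request.Request:
    """Build the documented POST request. The bearer header is an assumption."""
    body = json.dumps({"incident_id": anomaly_id}).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {access_token}",  # assumption: bearer-style token
    }
    url = dashboard_url.rstrip("/") + QUERY_PATH
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def parse_response(status: int, body: str) -> list:
    """Map an HTTP status and body to activity records.

    401 with the documented JSON body -> FeatureNotEnabled
    200 with CSV                       -> one dict per row, keyed by the header
    200 with an empty body             -> [] (no anomaly / no activities in 15 days)
    """
    if status == 401:
        try:
            err = json.loads(body)
        except json.JSONDecodeError:
            err = {}
        if err.get("code") == 401:
            raise FeatureNotEnabled(err.get("message", "Feature is not enabled for this tenant"))
        raise PermissionError("authentication failed")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    # The sample separates rows with blank lines; csv ignores a header-only file.
    lines = [ln for ln in body.splitlines() if ln.strip()]
    return list(csv.DictReader(lines)) if lines else []


def fetch_activities(dashboard_url: str, anomaly_id: str, access_token: str, timeout: int = 30) -> list:
    """Perform the call; 4xx/5xx bodies are routed through the same parser."""
    req = build_request(dashboard_url, anomaly_id, access_token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_response(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        return parse_response(e.code, e.read().decode("utf-8"))


def to_utc(timestamp_ms: str) -> str:
    """timeStamp is epoch milliseconds; render it as an ISO 8601 UTC string."""
    dt = datetime.fromtimestamp(int(timestamp_ms) / 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def summarize_by(activities: list, *fields: str) -> dict:
    """Count activities per distinct combination of the given columns,
    e.g. summarize_by(rows, "sourceIP", "country") for a quick triage view."""
    return dict(Counter(tuple(a[f] for f in fields) for a in activities))


if __name__ == "__main__":
    # Offline demonstration on the embedded sample; swap in fetch_activities(...)
    # with your dashboard URL, anomaly ID and token for a live query.
    rows = parse_response(200, SAMPLE_CSV)
    for row in rows:
        print(to_utc(row["timeStamp"]), row["user"], row["sourceIP"], row["country"], row["actionName"])
    print(summarize_by(rows, "sourceIP", "country"))
```

Because the API returns CSV rather than JSON, `csv.DictReader` keyed by the header line is the simplest robust parser; the blank lines between rows in the sample are dropped before parsing so they are not read as empty records. Routing `HTTPError` bodies through the same `parse_response` keeps the documented 401 "feature not enabled" case distinguishable from a plain authentication failure.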
