
About the Anomalous Activity API

The Anomalous Activity API is a REST endpoint that fetches the activities behind a given anomaly ID. The information fetched from these activities is stored as chunks, and it applies to both tenants and incidents.

IMPORTANT: This feature is LD flagged and must be enabled by Engineering. For assistance, contact Skyhigh Support.

Activities Availability

  • Activities are made available 12 hours after an incident is created.
  • Activities are available only for incidents created in the last 15 days.
  • The API returns at most the latest 100,000 activities for an anomaly.

REST Endpoint

REQUEST
POST <dashboardURL>/shnapi/rest/external/api/v1/queryActivities
{
  "incident_id": <anomalyId>
}
Authentication required

Mandatory Fields

  • The API requires authentication. It derives the tenantId from the user credentials or access token.
  • Basic, Access Token, and IAM token authentication are supported.
  • The incident_id of an anomaly is shown under Incidents > Anomalies > Anomalies. Select Actions > Edit Table Columns, add Anomaly ID, and click Save Table Settings; the column is then added to the table.

Other Details

  • A clear error message is returned if the feature is not enabled for the tenant:

    {
    "code": 401,
    "message": "Feature is not enabled for this tenant"
    }
  • If the feature flag has been turned on for the last x days and a request asks for y days of data (where x < y < 15), all available data is returned.
  • No activities are returned if no anomaly exists for the provided incident ID, or if the anomaly has no activities in the last 15 days.

Example of a Response for a Successful Call

Response Sample: SUCCESS 200 OK

timeStamp,accountId,actionName,asn,asnName,city,clientCategory,clientName,clientOS,collabGroup,collabGroupAndTarget,count,country,cspId,deviceManaged,directory,downloadBytes,eventCount,fileFolderPath,fileName,fileOwner,fileSharingEnabled,fileSize,fileType,geoOrgNameV1,httpMethod,instanceId,isSourceTrusted,locationId,monitoringStatusMetric,networkType,noOfObjects,objectType,operation,profile,proxyDescription,proxyServerTime,proxyTotalTime,proxyType,region,serviceName,shnProcessTimestamp,siteUrl,sourceIP,sourceIdentifier,subCspId,targetId,targetType,tenantId,threatCategory,trustEntity,trustReason,uploadBytes,url,user,userCount

1596831780000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",8987,"amazon data services ireland ltd","san francisco",,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,"san francisco::US::ca",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,ca,Box,0,,96.127.68.39,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596832800000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.",portland,,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,portland::US::or,0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,or,Box,0,,35.164.38.128,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596827940000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.","frankfurt am main",,,,reallymymail.com,,1,DE,4080,false,true,0,1,,,,false,,,"a100 row gmbh",,11253,true,"frankfurt am main::DE::he",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,he,Box,0,,3.120.8.62,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596828000000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",8987,"amazon data services ireland ltd","san francisco",,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,"san francisco::US::ca",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,ca,Box,0,,96.127.68.39,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596828900000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.",portland,,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,portland::US::or,0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,or,Box,0,,35.164.38.128,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596830460000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.","frankfurt am main",,,,reallymymail.com,,1,DE,4080,false,true,0,1,,,,false,,,"a100 row gmbh",,11253,true,"frankfurt am main::DE::he",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,he,Box,0,,3.120.8.62,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596831480000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.","frankfurt am main",,,,reallymymail.com,,1,DE,4080,false,true,0,1,,,,false,,,"a100 row gmbh",,11253,true,"frankfurt am main::DE::he",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,he,Box,0,,3.120.8.62,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596831480000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.","frankfurt am main",,,,reallymymail.com,,1,DE,4080,false,true,0,1,,,,false,,,"a100 row gmbh",,11253,true,"frankfurt am main::DE::he",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,he,Box,0,,35.157.197.205,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596831720000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",8987,"amazon data services ireland ltd","san francisco",,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,"san francisco::US::ca",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,ca,Box,0,,96.127.68.39,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596831780000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.","frankfurt am main",,,,reallymymail.com,,1,DE,4080,false,true,0,1,,,,false,,,"a100 row gmbh",,11253,true,"frankfurt am main::DE::he",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,he,Box,0,,35.157.197.205,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==

1596832800000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.",portland,,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,portland::US::or,0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,or,Box,0,,54.202.98.56,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==
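The request, the authentication requirement, the 401 "feature not enabled" body, the availability window and the CSV response above fit together into a small client. The following is an added example written for this page, not Skyhigh's own code or SDK: the dashboard URL and credentials are placeholders, the Authorization header layout for Basic auth is an assumption, and the helper names (build_request, parse_response, activities_expected, summarize) are hypothetical. The embedded sample CSV is the header plus three rows copied from the sample response above.

```python
"""Added example, not Skyhigh's own code: a minimal client for the Anomalous
Activity API as documented on this page. It builds the POST, maps the documented
401 "Feature is not enabled" body to an error, applies the availability window,
parses the CSV rows and summarises them per user and source IP. Dashboard URL and
credentials are placeholders; the Basic auth header layout is an assumption."""
import base64
import csv
import io
import json
import urllib.error
import urllib.request
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ENDPOINT_PATH = "/shnapi/rest/external/api/v1/queryActivities"  # from the page
ACTIVITY_DELAY = timedelta(hours=12)  # activities appear 12 h after the incident
RETENTION = timedelta(days=15)        # incidents older than 15 days return nothing


def basic_auth_header(user, password):
    """Standard HTTP Basic value; assumed to be what the API expects for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def build_request(dashboard_url, incident_id, auth_header):
    """Return (url, headers, body) for the documented POST: {"incident_id": <anomalyId>}."""
    body = json.dumps({"incident_id": incident_id})
    headers = {"Content-Type": "application/json", "Authorization": auth_header}
    return dashboard_url.rstrip("/") + ENDPOINT_PATH, headers, body


def _as_datetime(value):
    """Accept a datetime or epoch milliseconds (the API's timeStamp format)."""
    if isinstance(value, datetime):
        return value
    return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)


def activities_expected(created_at, now):
    """Availability rules from the page: at least 12 h old, created within 15 days."""
    age = _as_datetime(now) - _as_datetime(created_at)
    return ACTIVITY_DELAY <= age <= RETENTION


def parse_response(status, text):
    """Map an HTTP status and body to (rows, error); error is None on success.
    401 with the documented JSON body means the flag is off for the tenant (or
    the credentials were rejected); 200 carries CSV with a header row."""
    if status == 401:
        try:
            message = json.loads(text).get("message", text)
        except (ValueError, AttributeError):
            message = text
        return [], f"feature not enabled or unauthorised: {message}"
    if status != 200:
        return [], f"unexpected HTTP {status}: {text[:200]}"
    return list(csv.DictReader(io.StringIO(text))), None


def fetch_activities(dashboard_url, incident_id, auth_header, timeout=60):
    """Perform the POST and parse the result (network call, not exercised offline)."""
    url, headers, body = build_request(dashboard_url, incident_id, auth_header)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_response(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx; keep the body
        return parse_response(err.code, err.read().decode("utf-8", "replace"))


def summarize(rows):
    """Group rows by (user, sourceIP, country): count, first/last seen, actions.
    One user whose OAuth tokens are minted from several hosting-provider IPs in
    different countries, as in the sample, is what an analyst wants surfaced."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "actions": set()})
    for row in rows:
        when = _as_datetime(row["timeStamp"])
        g = groups[(row["user"], row["sourceIP"], row["country"])]
        g["count"] += 1
        g["actions"].add(row["actionName"])
        g["first"] = when if g["first"] is None else min(g["first"], when)
        g["last"] = when if g["last"] is None else max(g["last"], when)
    return dict(groups)


# Header plus three rows copied from the sample response on this page.
SAMPLE_CSV = """\
timeStamp,accountId,actionName,asn,asnName,city,clientCategory,clientName,clientOS,collabGroup,collabGroupAndTarget,count,country,cspId,deviceManaged,directory,downloadBytes,eventCount,fileFolderPath,fileName,fileOwner,fileSharingEnabled,fileSize,fileType,geoOrgNameV1,httpMethod,instanceId,isSourceTrusted,locationId,monitoringStatusMetric,networkType,noOfObjects,objectType,operation,profile,proxyDescription,proxyServerTime,proxyTotalTime,proxyType,region,serviceName,shnProcessTimestamp,siteUrl,sourceIP,sourceIdentifier,subCspId,targetId,targetType,tenantId,threatCategory,trustEntity,trustReason,uploadBytes,url,user,userCount
1596831780000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",8987,"amazon data services ireland ltd","san francisco",,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,"san francisco::US::ca",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,ca,Box,0,,96.127.68.39,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==
1596827940000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",16509,"amazon.com inc.","frankfurt am main",,,,reallymymail.com,,1,DE,4080,false,true,0,1,,,,false,,,"a100 row gmbh",,11253,true,"frankfurt am main::DE::he",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,he,Box,0,,3.120.8.62,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==
1596828000000,,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",8987,"amazon data services ireland ltd","san francisco",,,,reallymymail.com,,1,US,4080,false,true,0,1,,,,false,,,"amazon.com inc.",,11253,true,"san francisco::US::ca",0,broadband,0.0,ACTIVITY,"USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",,cloud,0,0,hosting,ca,Box,0,,96.127.68.39,"Cloud Service API",4080,,,5618,"Insider Threats",Skyhigh,"Trusted Organization",0,,"testdlpa1@reallymymail.com",AQAAAQAAAAIsAQ==
"""

if __name__ == "__main__":
    rows, err = parse_response(200, SAMPLE_CSV)
    for key, g in summarize(rows).items():
        print(key, g["count"], g["first"].isoformat(), g["last"].isoformat())
```

Call activities_expected with the incident's creation time before querying: inside the first 12 hours or after 15 days an empty result is expected and is not a failure, which keeps a polling job from retrying needlessly. Because the 401 body is the same shape whether the flag is off or the credentials are wrong, the error string carries the server's message so the two cases can be told apart in logs.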
