API

API concepts

To understand the ​SIA​ Reporting API's various URL resources and the data it exchanges, you need to familiarize yourself with these concepts:

  • Configuration ID: When you sign up for ​SIA​, you receive a configuration and associated ID. You need to use this parameter for all operations in the ​SIA​ Reporting API. See List Configurations in the ​SIA​ Configuration API to obtain this value.

  • Filters: You can filter report data by crafting a Filter object, supplied in the operation URL. You specify filter values to either include or exclude data from the report. You can include additional filter entries and values to further parse report data. See the Filter object type.

  • AUP Event: AUP events provide details on a detected or blocked threat, as directed by the acceptable use policy assigned to your location. You can investigate false positives or provide additional details on why a specific page was blocked.

  • IOC: Indicators of Compromise (IOC) are artifacts observed on a network or in an operating system that indicate a computer intrusion, with high confidence. These can include virus signatures and IP addresses, MD5 hashes of malware files, or URLs or domain names of botnet command and control servers. These artifacts can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.

  • DNS Event: DNS Events provide details on detected threats when accessing a malicious domain. SIA then on-ramps the traffic to Nevada for further analysis.

  • Network traffic transaction: Network traffic transactions provide details on all network traffic that is directed to ​SIA​, including suspicious traffic or traffic that bypasses ​SIA​ Proxy. If traffic was dropped, the connection data reports why.

  • Proxy network traffic connection: Proxy network traffic connections provide details on the network traffic that's directed to proxy. Information such as internal client IP, username, group name, and more are logged in this report. The Proxy Activity report also shows what action was applied to traffic.

  • Security Connector Events: Security Connecter events provide details on malicious or suspicious traffic that ​SIA​ routes to a sinkhole device per the policy configuration. ​SIA​ collects information about the user device or machine that made the request, such as the internal IP address of the end user's machine. This information allows you or an IT administrator to identify compromised machines in your network.

  • Threat Event: Threat events provide details on a detected or blocked threat, as directed by your custom ​SIA​ security lists. You can look at traffic details to gain insight on malicious websites or phishing campaigns.

  • Data retention policy: ​SIA​ stores entries for 30 days, after which data becomes unavailable.