The following shows how to generate the dns-analytics-plx-events report using either the Reporting API's Generate a report POST operation or the Get a cacheable report GET operation. Details about each report's supported products, metrics, filters, and available data intervals are also available dynamically by running the API's Get a report type operation, also shown below. See also other available reports.
Report definition
This report shows data on Prolexic events such as type of event, the severity level of the event, when the threat was detected, and more.
Business object: accountId
Data available for: 90 days
Available metrics
| Metric | Description |
|---|---|
| Data metrics | |
customer | The policy domain identifier for the account associated with this observation. Represents the logical grouping under which the Prolexic routing policies are managed. This is the policy domain, not necessarily their display name. |
customerRealm | The policy domain identifier for the account associated with this observation. Represents the logical grouping under which the Prolexic routing policies are managed. This is the policy domain, not necessarily their display name. |
details | A list of internal Prolexic resource URIs (plx://) that this observation is linked to. Each URI points to the underlying attack or event record that triggered this observation. This information is useful for cross-referencing with other platform systems. |
duration | The total duration of the attack or event, expressed as a human-readable string. This value is populated when isDuration is true. It's calculated as the difference between startTime and endTime. |
endTime | The timestamp when the observation ended in ISO-8601 timestamp format with a UTC offset. |
investigateLink | A deep link to the specific attack event in the Routed Events page of Control Center. |
ip | A list of the destination IP addresses that are being targeted in this attack or flagged in this alert. These are the customer's own IPs, routed through Prolexic scrubbing infrastructure. |
isActive | Indicates whether the attack or alert is currently ongoing. It's set to "true" for active, in-progress events. It's set to "false" once the event has ended or been resolved. Use this field to distinguish live incidents from historical records. |
isDuration | Indicates whether a calculated duration is available for this observation. When "true", the duration field is populated with the elapsed time between the start time and end time. When "false", the duration cannot be computed (for example, the event is still active or the end time is unavailable). |
longMessage | Rich or verbose observation message that appears in a fully rendered HTML table. Contains a structured summary of the observation including the attack event ID, attack type, destination IPs, start time, and end time. This is the rich/verbose version of the observation message. |
observationCategory | The top-level category of this observation. Determines whether the record is an unconfirmed alert (event) or a confirmed attack.
|
observationOn | The internal Prolexic resource URI (plx://) that identifies the specific attack or event record this observation is associated with. |
observationSubcategory | A secondary classification code that further categorizes the observation within its observationCategory. |
prfType | Event PRF type. |
severity | The assessed severity level of the observation derived from an internal numeric severity score. Reflects the potential or confirmed impact of the event on your infrastructure. These are the severity levels:
|
shortMessage | A concise summary of the observation. The format and content of this field varies depending on the source:
|
source | Identifies the originating system that generated this observation. The source can be any of the following:
|
startTime | Event start time in ISO-8601 timestamp format with a UTC offset. |
uri | The canonical internal URI for this observation within the Prolexic platform. |
| Summary metrics | |
totalCount | Total number of events. |
POST request
POST /reporting-api/v1/reports/dns-analytics-plx-events/versions/2/report-data{?start,end}
Sample: /reporting-api/v1/reports/dns-analytics-plx-events/versions/2/report-data?start=2026-02-01T00%3A00%3A00Z&end=2026-03-01T00%3A00%3A00Z
Query parameters
| Parameter | Type | Sample | Description |
|---|---|---|---|
| Required | |||
start | String | 2026-02-01T00:00:00Z | Specifies the start of the reported period as an ISO-8601 timestamp with optional time zone. The report includes data that matches the start value’s timestamp. |
end | String | 2026-03-01T00:00:00Z | Specifies the end of the reported period as an ISO-8601 timestamp with optional time zone. The report excludes any data that matches the end value’s timestamp. |
JSON request members
| Member | Type | Description |
|---|---|---|
objectIds | Array | Specifies the set of accountId values you want to report on. |
objectIds | Enumeration | As an alternative to an array of ID values, specify all as a string for unfiltered data. Either way, objectIds is required. |
metrics | Array | The set of desired metrics. If omitted, the report includes all available metrics. |
Request body:
{
"objectIds": [
"1111",
"1122",
"2222",
"2233"
],
"metrics": [
"customer",
"customerRealm",
"details",
"duration",
"endTime",
"investigateLink",
"ip",
"isActive",
"isDuration",
"longMessage",
"observationCategory",
"observationOn",
"observationSubcategory",
"prfType",
"severity",
"shortMessage",
"source",
"startTime",
"totalCount",
"uri"
]
}GET request
GET /reporting-api/v1/reports/dns-analytics-plx-events/versions/2/report-data{?start,end,objectIds,allObjectIds,metrics}
Sample: /reporting-api/v1/reports/dns-analytics-plx-events/versions/2/report-data?start=2026-02-01T00%3A00%3A00Z&end=2026-03-01T00%3A00%3A00Z&objectIds=1111,1122,2222,2233&metrics=customer%2CcustomerRealm
Query parameters
| Parameter | Type | Sample | Description |
|---|---|---|---|
| Required | |||
start | String | 2026-02-01T00:00:00Z | Specifies the start of the reported period as an ISO-8601 timestamp with optional time zone. The report includes data that matches the start value’s timestamp. |
end | String | 2026-03-01T00:00:00Z | Specifies the end of the reported period as an ISO-8601 timestamp with optional time zone. The report excludes any data that matches the end value’s timestamp. |
| Optional | |||
allObjectIds | Boolean | true | As an alternative to objectIds, enabling this generates a report that includes all IDs available for the accountId objectType. This parameter is ignored if the request also specifies a set of objectIds. |
objectIds | String | 1111,1122,2222,2233 | As an alternative to allObjectIds, specifies the set of unique IDs for the accountId objectType you want to report on, formatted as a comma-delimited list. |
metrics | String | customer,customerRealm | Specifies a comma-separated list of metrics to include in the report, otherwise all metrics if omitted. The set of available metrics depends on the type of report. URL-encode the entire value in the GET request. |
JSON response
Status 200 application/json
Response body:
{
"metadata": {
"name": "dns-analytics-plx-events",
"version": "2",
"outputType": "FLAT",
"groupBy": [
"startTime"
],
"start": "2026-02-01T00:00:00Z",
"end": "2026-03-01T00:00:00Z",
"availableDataEnds": null,
"suggestedRetryTime": null,
"rowCount": 4,
"filters": [],
"columns": [
{
"name": "groupBy",
"label": "startTime"
},
{
"name": "customer",
"label": "Customer"
},
{
"name": "customerRealm",
"label": "Customer Realm"
},
{
"name": "details",
"label": "Details"
},
{
"name": "duration",
"label": "Duration"
},
{
"name": "endTime",
"label": "End Time"
},
{
"name": "investigateLink",
"label": "Investigate Link"
},
{
"name": "ip",
"label": "IPs"
},
{
"name": "isActive",
"label": "Is Active"
},
{
"name": "isDuration",
"label": "Is Duration"
},
{
"name": "longMessage",
"label": "Long Message"
},
{
"name": "observationCategory",
"label": "Observation Category"
},
{
"name": "observationOn",
"label": "Observation On"
},
{
"name": "observationSubcategory",
"label": "Observation Subcategory"
},
{
"name": "prfType",
"label": "Type"
},
{
"name": "severity",
"label": "Severity"
},
{
"name": "shortMessage",
"label": "Short Message"
},
{
"name": "source",
"label": "Source"
},
{
"name": "startTime",
"label": "Start Time"
},
{
"name": "uri",
"label": "URI"
}
],
"objectType": "accountId",
"objectIds": [
"1111",
"1122",
"2222",
"2233"
]
},
"data": [
{
"startTime": "2026-01-19 08:00:00 +00:00",
"customer": "test_customer0",
"customerRealm": "test_customer0",
"details": "[plx://observations/attacks/attack.e111110]",
"duration": "2 hours 15 minutes",
"endTime": "2026-01-19 10:15:08 +00:00",
"investigateLink": "/apps/securitycenter/#/routed-events?attackid=111110",
"ip": "[10.11.12.10,10.12.21.20]",
"isActive": "false",
"isDuration": "true",
"longMessage": "<table class='plx-ob-table'><tr><th>Attack Event Id</th><th align=left>Attack Type</th><th align=left>Destination IPs</th><th align=left>Start Time</th><th align=left>End Time</th></tr><tr><td>111110</td><td align=left>[DNS Flood]</td><td align=left>[10.11.12.10,10.12.21.20]</td><td align=left>2026-01-19 21:15:00 UTC</td><td align=left>2026-01-20 02:04:08 UTC</td></tr></table>",
"observationCategory": "attack",
"observationOn": "plx://observations/attacks/attack.e111110",
"observationSubcategory": "01",
"prfType": "<div style='text-wrap: wrap; white-space: normal; font-family: monospace; word-wrap: break-all'><a href='/apps/securitycenter/#/routed-events?attackid=111110'>Attack</a></div>",
"severity": "High",
"shortMessage": "[\"DNS Flood\"]",
"source": "socdash",
"uri": "plx://observations/attacks/attack.e111110",
"totalCount": 2,
},
{
"startTime": "2026-01-20 04:00:00 +00:00",
"customer": "test_customer1",
"customerRealm": "test_customer1",
"details": "[plx://observations/attacks/attack.e111111]",
"duration": "4 hours",
"endTime": "2026-01-20 08:00:00 +00:00",
"investigateLink": "/apps/securitycenter/#/routed-events?attackid=111111",
"ip": "[10.11.12.11,10.12.21.21]",
"isActive": "false",
"isDuration": "true",
"longMessage": "<table class='plx-ob-table'><tr><th>Attack Event Id</th><th align=left>Attack Type</th><th align=left>Destination IPs</th><th align=left>Start Time</th><th align=left>End Time</th></tr><tr><td>111111</td><td align=left>[DNS Flood]</td><td align=left>[10.11.12.11,10.12.21.21]</td><td align=left>2026-01-19 21:15:00 UTC</td><td align=left>2026-01-20 02:04:08 UTC</td></tr></table>",
"observationCategory": "attack",
"observationOn": "plx://observations/attacks/attack.e111111",
"observationSubcategory": "01",
"prfType": "<div style='text-wrap: wrap; white-space: normal; font-family: monospace; word-wrap: break-all'><a href='/apps/securitycenter/#/routed-events?attackid=111111'>Attack</a></div>",
"severity": "High",
"shortMessage": "[\"DNS Flood\"]",
"source": "socdash",
"uri": "plx://observations/attacks/attack.e111111",
"totalCount": 4,
},
{
"startTime": "2026-01-21 02:00:00 +00:00",
"customer": "test_customer2",
"customerRealm": "test_customer2",
"details": "[plx://observations/attacks/attack.e111112]",
"duration": "4 hours",
"endTime": "2026-01-21 06:00:00 +00:00",
"investigateLink": "/apps/securitycenter/#/routed-events?attackid=111112",
"ip": "[10.11.12.12,10.12.21.22]",
"isActive": "false",
"isDuration": "true",
"longMessage": "<table class='plx-ob-table'><tr><th>Attack Event Id</th><th align=left>Attack Type</th><th align=left>Destination IPs</th><th align=left>Start Time</th><th align=left>End Time</th></tr><tr><td>111112</td><td align=left>[DNS Flood]</td><td align=left>[10.11.12.12,10.12.21.22]</td><td align=left>2026-01-19 21:15:00 UTC</td><td align=left>2026-01-20 02:04:08 UTC</td></tr></table>",
"observationCategory": "attack",
"observationOn": "plx://observations/attacks/attack.e111112",
"observationSubcategory": "01",
"prfType": "<div style='text-wrap: wrap; white-space: normal; font-family: monospace; word-wrap: break-all'><a href='/apps/securitycenter/#/routed-events?attackid=111112'>Attack</a></div>",
"severity": "High",
"shortMessage": "[\"DNS Flood\"]",
"source": "socdash",
"uri": "plx://observations/attacks/attack.e111112",
"totalCount": 6,
},
{
"startTime": "2026-01-22 05:00:00 +00:00",
"customer": "test_customer3",
"customerRealm": "test_customer3",
"details": "[plx://observations/attacks/attack.e111113]",
"duration": "4 hours",
"endTime": "2026-01-22 09:00:00 +00:00",
"investigateLink": "/apps/securitycenter/#/routed-events?attackid=111113",
"ip": "[10.11.12.13,10.12.21.23]",
"isActive": "false",
"isDuration": "true",
"longMessage": "<table class='plx-ob-table'><tr><th>Attack Event Id</th><th align=left>Attack Type</th><th align=left>Destination IPs</th><th align=left>Start Time</th><th align=left>End Time</th></tr><tr><td>111112</td><td align=left>[DNS Flood]</td><td align=left>[10.11.12.13,10.12.21.23]</td><td align=left>2026-01-19 21:15:00 UTC</td><td align=left>2026-01-20 02:04:08 UTC</td></tr></table>",
"observationCategory": "attack",
"observationOn": "plx://observations/attacks/attack.e111113",
"observationSubcategory": "01",
"prfType": "<div style='text-wrap: wrap; white-space: normal; font-family: monospace; word-wrap: break-all'><a href='/apps/securitycenter/#/routed-events?attackid=111113'>Attack</a></div>",
"severity": "High",
"shortMessage": "[\"DNS Flood\"]",
"source": "socdash",
"uri": "plx://observations/attacks/attack.e111113",
"totalCount": 8,
}
],
"summaryStatistics": {
"totalCount": {
"value": "2191",
"details": {}
}
}
}Get report details
This sample Get a report type operation gets the same information you need to run the dns-analytics-plx-events report as provided in this reference documentation, but available dynamically to your API client application.
GET /reporting-api/v1/reports/dns-analytics-plx-events/versions/2
Status 200 application/json
Response body:
{
"name": "dns-analytics-plx-events",
"description": "This report shows data on Prolexic events such as type of event, the severity level of the event, when the threat was detected, and more.",
"businessObjectName": "accountId",
"version": 2,
"status": "PUBLISHED",
"deprecated": false,
"timeBased": false,
"supportsPagination": false,
"outputType": "FLAT",
"available": true,
"metrics": [
{
"name": "severity",
"description": " The assessed severity level of the observation.",
"label": "Severity",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "uri",
"description": "The canonical internal URI for this observation within the Prolexic platform.",
"label": "URI",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "startTime",
"description": "Event start time in in ISO-8601 timestamp format with a UTC offset.",
"label": "Start Time",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "endTime",
"description": "The timestamp when the observation ended in ISO-8601 timestamp format with a UTC offset.",
"label": "End Time",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "duration",
"description": "The total duration of the attack or event, expressed as a human-readable string. Only populated when isDuration is `true`. Calculated as the difference between startTime and endTime.",
"label": "Duration",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "shortMessage",
"description": "A concise summary of the observation.",
"label": "Short Message",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "longMessage",
"description": "Rich or verbose observation message that appears in a full rendered HTML table.",
"label": "Long Message",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "observationCategory",
"description": "The top-level category of this observation. Determines whether the record is an unconfirmed alert (event) or a confirmed attack.",
"label": "Observation Category",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "observationSubcategory",
"description": "A secondary classification code that further categorizes the observation within its observationCategory.",
"label": "Observation Subcategory",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "isActive",
"description": "Indicates whether the attack or alert is currently ongoing.",
"label": "Is Active",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "isDuration",
"description": "Indicates whether a calculated duration is available for this observation.",
"label": "Is Duration",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "customerRealm",
"description": "The policy domain identifier for the account associated with this observation. Represents the logical grouping under which the Prolexic routing policies are managed. This is the policy domain, not necessarily their display name.",
"label": "Customer Realm",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "customer",
"description": "The policy domain identifier for the account associated with this observation. Represents the logical grouping under which the Prolexic routing policies are managed. This is the policy domain, not necessarily their display name.",
"label": "Customer",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "observationOn",
"description": "The internal Prolexic resource URI (plx://) that identifies the specific attack or event record that this observation is associated with.",
"label": "Observation On",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "details",
"description": "A list of internal Prolexic resource URIs (plx://) that this observation is linked to. Each URI points to the underlying attack or event record that triggered this observation. Useful for cross-referencing with other platform systems.",
"label": "Details",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "source",
"description": "Identifies the originating system that generated this observation.",
"label": "Source",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "ip",
"description": "A list of the customer's destination IP addresses that are being targeted in this attack or flagged in this alert. These are the customer's own IPs, routed through Prolexic scrubbing infrastructure.",
"label": "IPs",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "investigateLink",
"description": "A deep link to the specific attack event in the Control Center Routed Events page.",
"label": "Investigate Link",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "totalCount",
"description": "Total number of events.",
"label": "Total Events",
"unit": "COUNT",
"summaryStatistic": true
},
{
"name": "prfType",
"description": "Event PRF type.",
"label": "Type",
"unit": "STRING",
"summaryStatistic": false
}
],
"groupOutlyingValues": {
"enabled": false
},
"groupBy": [
"startTime"
],
"intervals": [
"FIVE_MINUTES"
],
"dataRetentionDays": 90,
"links": [
{
"rel": "self",
"href": "/reporting-api/v1/reports/dns-analytics-plx-events/versions/2"
},
{
"rel": "versions",
"href": "/reporting-api/v1/reports/dns-analytics-plx-events/versions"
},
{
"rel": "all-reports",
"href": "/reporting-api/v1/reports"
},
{
"rel": "execute-report",
"href": "/reporting-api/v1/reports/dns-analytics-plx-events/versions/2/report-data"
}
]
}