The following shows how to generate the security-analytics-hijacked-domains report using either the Reporting API's Generate a report POST operation or the Get a cacheable report GET operation. Details about each report's supported products, metrics, filters, and available data intervals are also available dynamically by running the API's Get a report type operation, also shown below. See also other available reports.
Report definition
This report shows hijacked domains in Edge DNS zones.
Business object: edns
Data available for: 90 days
Available metrics
| Metric | Description |
|---|---|
| Data metrics | |
| actualAnswer | IP address that the name server responds with for the domain name. If the domain name is hijacked, the IP address returned in the actualAnswer field does not match one of the IP addresses in the allowedAnswers field. |
| allowedAnswers | List of expected IP addresses that the name server should respond with when resolving a domain name. |
| countryIsoCode | The ISO 3166-1 alpha-2 country code. |
| countryName | Name of the country where the name server is located. |
| detectedAt | Date and time when the threat was detected expressed as an ISO-8601 timestamp with optional time zone. |
| domainName | Name of hijacked domain. |
| nameserverIp | IP address of the name server. |
| recordType | Type of DNS record. |
| type | Specific threat type. The threat type can be Certain domains might be blocked or banned in some countries. A name server might respond with an NXDOMAIN for a blocked or banned domain depending on the country. In these situations, the domain name is also considered hijacked and assigned the |
| zoneName | Name of the zone. |
| Summary metrics | |
| threatCount | Total number of hijacked domains that were detected. |
POST request
POST /reporting-api/v1/reports/security-analytics-hijacked-domains/versions/1/report-data{?start,end}
Sample: /reporting-api/v1/reports/security-analytics-hijacked-domains/versions/1/report-data?start=2026-02-01T00%3A00%3A00Z&end=2026-03-01T00%3A00%3A00Z
Query parameters
| Parameter | Type | Sample | Description |
|---|---|---|---|
| Required | | | |
| start | String | 2026-02-01T00:00:00Z | Specifies the start of the reported period as an ISO-8601 timestamp with optional time zone. The report includes data that matches the start value’s timestamp. |
| end | String | 2026-03-01T00:00:00Z | Specifies the end of the reported period as an ISO-8601 timestamp with optional time zone. The report excludes any data that matches the end value’s timestamp. |
JSON request members
| Member | Type | Description |
|---|---|---|
| objectIds | Array | Specifies the set of edns values you want to report on. |
| objectIds | Enumeration | As an alternative to an array of ID values, specify all as a string for unfiltered data. Either way, objectIds is required. |
| metrics | Array | The set of desired metrics. If omitted, the report includes all available metrics. |
Request body:
{
"objectIds": [
"www.example.com",
"m.example.com",
"blog.example.com",
"example.com",
"testdomain.com",
"testblackhole.com",
"testbanned.com"
],
"metrics": [
"actualAnswer",
"allowedAnswers",
"countryIsoCode",
"countryName",
"detectedAt",
"domainName",
"nameserverIp",
"recordType",
"threatCount",
"type",
"zoneName"
]
}
GET request
GET /reporting-api/v1/reports/security-analytics-hijacked-domains/versions/1/report-data{?start,end,objectIds,allObjectIds,metrics}
Sample: /reporting-api/v1/reports/security-analytics-hijacked-domains/versions/1/report-data?start=2026-02-01T00%3A00%3A00Z&end=2026-03-01T00%3A00%3A00Z&objectIds=example.com,testdomain.com,testblackhole.com,testbanned.com,www.example.com,m.example.com,blog.example.com&metrics=actualAnswer%2CallowedAnswers
Query parameters
| Parameter | Type | Sample | Description |
|---|---|---|---|
| Required | | | |
| start | String | 2026-02-01T00:00:00Z | Specifies the start of the reported period as an ISO-8601 timestamp with optional time zone. The report includes data that matches the start value’s timestamp. |
| end | String | 2026-03-01T00:00:00Z | Specifies the end of the reported period as an ISO-8601 timestamp with optional time zone. The report excludes any data that matches the end value’s timestamp. |
| Optional | | | |
| allObjectIds | Boolean | true | As an alternative to objectIds, enabling this generates a report that includes all IDs available for the edns objectType. This parameter is ignored if the request also specifies a set of objectIds. |
| objectIds | String | www.example.com,m.example.com,blog.example.com,example.com,testdomain.com,testblackhole.com,testbanned.com | As an alternative to allObjectIds, specifies the set of unique IDs for the edns objectType you want to report on, formatted as a comma-delimited list. |
| metrics | String | actualAnswer,allowedAnswers | Specifies a comma-separated list of metrics to include in the report. If omitted, the report includes all metrics. The set of available metrics depends on the type of report. URL-encode the entire value in the GET request. |
JSON response
Status 200 application/json
Response body:
{
"metadata": {
"name": "security-analytics-hijacked-domains",
"version": "1",
"outputType": "FLAT",
"groupBy": [
"zoneName",
"domainName"
],
"start": "2026-02-01T00:00:00Z",
"end": "2026-03-01T00:00:00Z",
"availableDataEnds": null,
"suggestedRetryTime": null,
"rowCount": 4,
"filters": [],
"columns": [
{
"name": "groupBy",
"label": "zoneName"
},
{
"name": "groupBy",
"label": "domainName"
},
{
"name": "actualAnswer",
"label": "Actual Answer"
},
{
"name": "allowedAnswers",
"label": "Allowed Answers"
},
{
"name": "countryIsoCode",
"label": "Country Code"
},
{
"name": "countryName",
"label": "Country Name"
},
{
"name": "detectedAt",
"label": "Detected At"
},
{
"name": "domainName",
"label": "Domain Name"
},
{
"name": "nameserverIp",
"label": "Nameserver IP"
},
{
"name": "recordType",
"label": "Record Type"
},
{
"name": "type",
"label": "Hijacking Type"
},
{
"name": "zoneName",
"label": "Zone Name"
}
],
"objectType": "edns",
"objectIds": [
"www.example.com",
"m.example.com",
"blog.example.com",
"example.com",
"testdomain.com",
"testblackhole.com",
"testbanned.com"
]
},
"data": [
{
"zoneName": "example.com",
"domainName": "example.com",
"actualAnswer": "10.8.112.1",
"allowedAnswers": "10.8.92.1,10.8.92.2,10.8.92.3",
"countryIsoCode": "US",
"countryName": "United States",
"detectedAt": "2026-01-01T00:00:00Z",
"nameserverIp": "10.8.10.1",
"recordType": "A",
"type": "HIJACK"
},
{
"zoneName": "testdomain.com",
"domainName": "testdomain.com",
"actualAnswer": "10.22.35.2",
"allowedAnswers": "10.22.3.1,10.22.3.2,10.22.3.3",
"countryIsoCode": "CA",
"countryName": "Canada",
"detectedAt": "2026-01-01T00:00:00Z",
"nameserverIp": "10.22.10.1",
"recordType": "A",
"type": "HIJACK"
},
{
"zoneName": "testblackhole.com",
"domainName": "testblackhole.com",
"actualAnswer": "",
"allowedAnswers": "10.22.84.1,10.22.84.2,10.22.84.3",
"countryIsoCode": "DE",
"countryName": "Germany",
"detectedAt": "2026-01-01T00:00:00Z",
"nameserverIp": "10.34.10.1",
"recordType": "A",
"type": "BLACKHOLE"
},
{
"zoneName": "testbanned.com",
"domainName": "testbanned.com",
"actualAnswer": "",
"allowedAnswers": "10.85.40.11,10.85.40.12,10.85.40.13",
"countryIsoCode": "ES",
"countryName": "Spain",
"detectedAt": "2026-01-01T00:00:00Z",
"nameserverIp": "10.85.40.1",
"recordType": "A",
"type": "BLACKHOLE"
}
],
"summaryStatistics": {
"threatCount": {
"value": "2949",
"details": {}
}
}
}
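The following Python sketch is an added example, not code from the API's own documentation or client libraries. It builds the GET path with the encoding the query-parameter table describes and triages the `data` rows of a response by comparing `actualAnswer` against `allowedAnswers`. The function names and verdict labels are hypothetical, the third sample row is constructed, and request authentication and transport are left out.

```python
import ipaddress
from urllib.parse import quote

BASE = ("/reporting-api/v1/reports/security-analytics-hijacked-domains"
        "/versions/1/report-data")

def build_get_path(start, end, object_ids, metrics=None):
    """Cacheable GET path: timestamps and the metrics list are URL-encoded."""
    query = [f"start={quote(start, safe='')}", f"end={quote(end, safe='')}",
             "objectIds=" + ",".join(quote(o, safe="") for o in object_ids)]
    if metrics:
        query.append("metrics=" + quote(",".join(metrics), safe=""))
    return BASE + "?" + "&".join(query)

def _norm(value):
    """Parse an IP so equivalent spellings compare equal; fall back to text."""
    value = value.strip()
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return value.lower()

def triage(report):
    """Classify each data row by comparing actualAnswer with allowedAnswers."""
    findings = []
    for row in report["data"]:
        allowed = {_norm(a) for a in row["allowedAnswers"].split(",") if a.strip()}
        answer = row["actualAnswer"].strip()
        if not answer:
            verdict = "no-answer"          # empty on the page's BLACKHOLE rows
        elif _norm(answer) in allowed:
            verdict = "matches-allowed"    # row contradicts the field definition
        else:
            verdict = "unexpected-answer"  # the mismatch the HIJACK rows show
        findings.append({"domain": row["domainName"], "type": row["type"],
                         "nameserver": row["nameserverIp"], "verdict": verdict})
    return findings

# Two rows abridged from the sample response above, plus one constructed row.
SAMPLE = {"data": [
    {"domainName": "example.com", "actualAnswer": "10.8.112.1", "type": "HIJACK",
     "allowedAnswers": "10.8.92.1,10.8.92.2,10.8.92.3", "nameserverIp": "10.8.10.1"},
    {"domainName": "testblackhole.com", "actualAnswer": "", "type": "BLACKHOLE",
     "allowedAnswers": "10.22.84.1,10.22.84.2,10.22.84.3", "nameserverIp": "10.34.10.1"},
    {"domainName": "constructed.example", "actualAnswer": "10.8.92.2", "type": "HIJACK",
     "allowedAnswers": "10.8.92.1, 10.8.92.2", "nameserverIp": "10.8.10.1"},
]}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `matches-allowed` verdict means the row reports a threat even though the answer is in the allowed set, which is worth checking against the zone's current records before acting on it.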
Get report details
This sample Get a report type operation gets the same information you need to run the security-analytics-hijacked-domains report as provided in this reference documentation, but available dynamically to your API client application.
GET /reporting-api/v1/reports/security-analytics-hijacked-domains/versions/1
Status 200 application/json
Response body:
{
"name": "security-analytics-hijacked-domains",
"description": "This report shows hijacked domains in Edge DNS zones.",
"businessObjectName": "edns",
"version": 1,
"status": "PUBLISHED",
"deprecated": false,
"timeBased": false,
"supportsPagination": false,
"outputType": "FLAT",
"available": true,
"metrics": [
{
"name": "zoneName",
"description": "Name of the zone.",
"label": "Zone Name",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "domainName",
"description": "Name of hijacked domain.",
"label": "Domain Name",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "recordType",
"description": "Type of DNS record.",
"label": "Record Type",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "countryName",
"description": "Name of the country where the name server is located.",
"label": "Country Name",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "countryIsoCode",
"description": "The ISO 3166-1 alpha-2 country code.",
"label": "Country Code",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "nameserverIp",
"description": "IP address of the name server.",
"label": "Nameserver IP",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "allowedAnswers",
"description": "List of expected IP addresses that the name server should respond with when resolving a domain name.",
"label": "Allowed Answers",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "actualAnswer",
"description": "IP address that the nameserver responds with for the domain name. If the domain name is hijacked, the IP address returned in the `actualAnswer` field does not match one of the IP addresses in the `allowedAnswers` field.",
"label": "Actual Answer",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "type",
"description": "Specific threat type that can be `HIJACK` or `BLACKHOLE`.",
"label": "Hijacking Type",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "detectedAt",
"description": "Date and time when the threat was detected expressed as an ISO-8601 timestamp with optional time zone.",
"label": "Detected At",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "threatCount",
"description": "Total number of hijacked domains that were detected.",
"label": "Total Threats",
"unit": "COUNT",
"summaryStatistic": true
}
],
"groupOutlyingValues": {
"enabled": false
},
"groupBy": [
"zoneName",
"domainName"
],
"intervals": [
"FIVE_MINUTES"
],
"dataRetentionDays": 90,
"links": [
{
"rel": "self",
"href": "/reporting-api/v1/reports/security-analytics-hijacked-domains/versions/1"
},
{
"rel": "versions",
"href": "/reporting-api/v1/reports/security-analytics-hijacked-domains/versions"
},
{
"rel": "all-reports",
"href": "/reporting-api/v1/reports"
},
{
"rel": "execute-report",
"href": "/reporting-api/v1/reports/security-analytics-hijacked-domains/versions/1/report-data"
}
]
}