The following shows how to generate the security-analytics-zone-nxdomain-spikes report using either the Reporting API's Generate a report POST operation or the Get a cacheable report GET operation. Details about each report's supported products, metrics, filters, and available data intervals are also available dynamically by running the API's Get a report type operation, also shown below. See also other available reports.
Report definition
This report shows NXDOMAIN spikes within a specific zone.
Business object: edns
Data available for: 90 days
Available metrics
| Metric | Description | |
|---|---|---|
| Data metrics | ||
algo | algo is either DYNAMIC or ABSOLUTE. ABSOLUTE is shown if NXDOMAIN responses/sec is greater than the threshold value configured in infrastructure security analytics as a spike. DYNAMIC is shown if NXDOMAIN responses/sec is greater than the threshold value (x standard deviations) from the 24 hour moving average that was configured in infrastructure security analytics. | |
duration | Duration of the NXDOMAIN spike. | |
endTime | Date and time when the NXDOMAIN spike ended in ISO-8601 timestamp format with a UTC offset. | |
investigateLink | Link to the Infrastructure Security Analytics - NXDOMAIN Spike Details report in Control Center. | |
startTime | Date and time when the NXDOMAIN spike started in ISO-8601 timestamp format with a UTC offset. | |
threshold | Threshold for NXDOMAINs that has been reached. | |
topCountryIsoCode | The ISO 3166-1 alpha-2 country code where the most NXDOMAIN responses originated from. | |
totalNxdomains | Total number of NXDOMAIN responses. | |
totalQueries | Total number of DNS queries. | |
zoneName | Name of the zone. |
POST request
POST /reporting-api/v1/reports/security-analytics-zone-nxdomain-spikes/versions/1/report-data{?start,end}
Sample: /reporting-api/v1/reports/security-analytics-zone-nxdomain-spikes/versions/1/report-data?start=2026-02-01T00%3A00%3A00Z&end=2026-03-01T00%3A00%3A00Z
Query parameters
| Parameter | Type | Sample | Description |
|---|---|---|---|
| Required | |||
start | String | 2026-02-01T00:00:00Z | Specifies the start of the reported period as an ISO-8601 timestamp with optional time zone. The report includes data that matches the start value’s timestamp. |
end | String | 2026-03-01T00:00:00Z | Specifies the end of the reported period as an ISO-8601 timestamp with optional time zone. The report excludes any data that matches the end value’s timestamp. |
JSON request members
| Member | Type | Description |
|---|---|---|
objectIds | Array | Specifies the set of edns values you want to report on. |
objectIds | Enumeration | As an alternative to an array of ID values, specify all as a string for unfiltered data. Either way, objectIds is required. |
metrics | Array | The set of desired metrics. If omitted, the report includes all available metrics. |
Request body:
{
"objectIds": [
"www.example.com",
"m.example.com",
"example1.com",
"example2.com",
"example3.com",
"example4.com",
"blog.example.com"
],
"metrics": [
"algo",
"duration",
"endTime",
"investigateLink",
"startTime",
"threshold",
"topCountryIsoCode",
"totalNxdomains",
"totalQueries",
"zoneName"
]
}GET request
GET /reporting-api/v1/reports/security-analytics-zone-nxdomain-spikes/versions/1/report-data{?start,end,objectIds,allObjectIds,metrics}
Sample: /reporting-api/v1/reports/security-analytics-zone-nxdomain-spikes/versions/1/report-data?start=2026-02-01T00%3A00%3A00Z&end=2026-03-01T00%3A00%3A00Z&objectIds=www.example.com,m.example.com,blog.example.com,example1.com,example2.com,example3.com,example4.com&metrics=algo%2Cduration
Query parameters
| Parameter | Type | Sample | Description |
|---|---|---|---|
| Required | |||
start | String | 2026-02-01T00:00:00Z | Specifies the start of the reported period as an ISO-8601 timestamp with optional time zone. The report includes data that matches the start value’s timestamp. |
end | String | 2026-03-01T00:00:00Z | Specifies the end of the reported period as an ISO-8601 timestamp with optional time zone. The report excludes any data that matches the end value’s timestamp. |
| Optional | |||
allObjectIds | Boolean | true | As an alternative to objectIds, enabling this generates a report that includes all IDs available for the edns objectType. This parameter is ignored if the request also specifies a set of objectIds. |
objectIds | String | www.example.com,m.example.com,blog.example.com,example1.com, example2.com, example3.com,example4.com | As an alternative to allObjectIds, specifies the set of unique IDs for the edns objectType you want to report on, formatted as a comma-delimited list. |
metrics | String | algo,duration | Specifies a comma-separated list of metrics to include in the report, otherwise all metrics if omitted. The set of available metrics depends on the type of report. URL-encode the entire value in the GET request. |
JSON response
Status 200 application/json
Response body:
{
"metadata": {
"name": "security-analytics-zone-nxdomain-spikes",
"version": "1",
"outputType": "FLAT",
"groupBy": [
"zoneName",
"startTime"
],
"start": "2026-02-01T00:00:00Z",
"end": "2026-03-01T00:00:00Z",
"availableDataEnds": null,
"suggestedRetryTime": null,
"rowCount": 4,
"filters": [],
"columns": [
{
"name": "groupBy",
"label": "zoneName"
},
{
"name": "groupBy",
"label": "startTime"
},
{
"name": "algo",
"label": "Algorithm"
},
{
"name": "duration",
"label": "Duration"
},
{
"name": "endTime",
"label": "End Time"
},
{
"name": "investigateLink",
"label": "Investigate Link"
},
{
"name": "startTime",
"label": "Start Time"
},
{
"name": "threshold",
"label": "Threshold"
},
{
"name": "topCountryIsoCode",
"label": "Top Country Code by NXDOMAIN responses"
},
{
"name": "totalNxdomains",
"label": "Total NXDOMAIN Responses"
},
{
"name": "totalQueries",
"label": "Total Queries"
},
{
"name": "zoneName",
"label": "Zone Name"
}
],
"objectType": "edns",
"objectIds": [
"www.example.com",
"m.example.com",
"blog.example.com",
"example1.com",
"example2.com",
"example3.com",
"example4.com
]
},
"data": [
{
"zoneName": "example1.com",
"startTime": "2026-01-23 07:00:00 +00:00",
"algo": "DYNAMIC",
"duration": "15 minutes",
"endTime": "2026-01-23 07:15:00 +00:00",
"investigateLink": "/apps/reports/#/predefined/dns-analytics-threat-details?edns=example.com&&start=2023-04-01T10:00:00Z&end=2023-04-01T12:00:00Z",
"threshold": "2190",
"topCountryIsoCode": "IT",
"totalNxdomains": "2290",
"totalQueries": "16600"
},
{
"zoneName": "example2.com",
"startTime": "2026-01-23 09:00:00 +00:00",
"algo": "ABSOLUTE",
"duration": "15 minutes",
"endTime": "2026-01-23 09:15:00 +00:00",
"investigateLink": "/apps/reports/#/predefined/dns-analytics-threat-details?edns=example1.com&&start=2023-04-01T10:00:00Z&end=2023-04-01T12:00:00Z",
"threshold": "2074",
"topCountryIsoCode": "BR",
"totalNxdomains": "567",
"totalQueries": "36020"
},
{
"zoneName": "example3.com",
"startTime": "2026-01-23 10:00:00 +00:00",
"algo": "DYNAMIC",
"duration": "20 minutes",
"endTime": "2026-01-23 10:20:00 +00:00",
"investigateLink": "/apps/reports/#/predefined/dns-analytics-threat-details?edns=example2.com&&start=2023-04-01T10:00:00Z&end=2023-04-01T12:00:00Z",
"threshold": "3075",
"topCountryIsoCode": "Other",
"totalNxdomains": "4413",
"totalQueries": "25405"
},
{
"zoneName": "example4.com",
"startTime": "2026-01-23 11:00:00 +00:00",
"algo": "ABSOLUTE",
"duration": "25 minutes",
"endTime": "2026-01-23 11:25:00 +00:00",
"investigateLink": "/apps/reports/#/predefined/dns-analytics-threat-details?edns=example3.com&&start=2023-04-01T10:00:00Z&end=2023-04-01T12:00:00Z",
"threshold": "3634",
"topCountryIsoCode": "GB",
"totalNxdomains": "2536",
"totalQueries": "3446"
}
],
"summaryStatistics": {}
}Get report details
This sample Get a report type operation gets the same information you need to run the security-analytics-zone-nxdomain-spikes report as provided in this reference documentation, but available dynamically to your API client application.
GET /reporting-api/v1/reports/security-analytics-zone-nxdomain-spikes/versions/1
Status 200 application/json
Response body:
{
"name": "security-analytics-zone-nxdomain-spikes",
"description": "This report shows NXDOMAIN spikes within a specific zone.",
"businessObjectName": "edns",
"version": 1,
"status": "PUBLISHED",
"deprecated": false,
"timeBased": false,
"supportsPagination": false,
"outputType": "FLAT",
"available": true,
"metrics": [
{
"name": "zoneName",
"description": "Name of the zone.",
"label": "Zone Name",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "startTime",
"description": "Date and time when the NXDOMAIN spike started in ISO-8601 timestamp format with a UTC offset.",
"label": "Start Time",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "endTime",
"description": "Date and time when the NXDOMAIN spike ended in ISO-8601 timestamp format with a UTC offset.",
"label": "End Time",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "duration",
"description": "Duration of the NXDOMAIN spike.",
"label": "Duration",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "totalQueries",
"description": "Total number of DNS queries.",
"label": "Total Queries",
"unit": "COUNT",
"summaryStatistic": false
},
{
"name": "totalNxdomains",
"description": "Total number of NXDOMAIN responses.",
"label": "Total NXDOMAIN Responses",
"unit": "COUNT",
"summaryStatistic": false
},
{
"name": "topCountryIsoCode",
"description": "The ISO 3166-1 alpha-2 country code where the most NXDOMAIN responses originated from.",
"label": "Top Country Code by NXDOMAIN responses",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "investigateLink",
"description": "Link to the Infrastructure Security Analytics - NXDOMAIN Spike Details report in Control Center.",
"label": "Investigate Link",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "algo",
"description": "`algo` is either `DYNAMIC` or `ABSOLUTE`. `ABSOLUTE` is shown if NXDOMAIN responses/sec is greater than the threshold value configured in infrastructure security analytics as a spike. `DYNAMIC` algo considers any moment where the is shown if NXDOMAIN responses/sec is greater than the threshold value (x standard deviations) from the 24 hour moving average that was configured in infrastructure security analytics.",
"label": "Algorithm",
"unit": "STRING",
"summaryStatistic": false
},
{
"name": "threshold",
"description": "Threshold for NXDOMAINs that has been reached.",
"label": "Threshold",
"unit": "COUNT",
"summaryStatistic": false
}
],
"groupOutlyingValues": {
"enabled": false
},
"groupBy": [
"zoneName",
"startTime"
],
"intervals": [
"FIVE_MINUTES"
],
"dataRetentionDays": 90,
"links": [
{
"rel": "self",
"href": "/reporting-api/v1/reports/security-analytics-zone-nxdomain-spikes/versions/1"
},
{
"rel": "versions",
"href": "/reporting-api/v1/reports/security-analytics-zone-nxdomain-spikes/versions"
},
{
"rel": "all-reports",
"href": "/reporting-api/v1/reports"
},
{
"rel": "execute-report",
"href": "/reporting-api/v1/reports/security-analytics-zone-nxdomain-spikes/versions/1/report-data"
}
]
}