User Activity Report
Introduction
Use the Zero Trust API with webhook integration to automatically retrieve a 24-hour snapshot of a user's file activity. This functionality helps security teams quickly assess whether suspicious activity—such as ransomware behavior—is a real threat.
Security platforms (like CrowdStrike or Splunk) that receive Superna webhook events can initiate a follow-up API request for user activity. Superna runs an Easy Auditor job covering the past 24 hours, and the enriched activity report is returned through a webhook update to the same integration endpoint.
Currently, the webhook payload for the user activity report does not include a ticket identifier (e.g., from ServiceNow, Splunk, CrowdStrike, etc.). As a result, there's no built-in way to correlate the webhook with the originating request or case in a third-party system.
In a future update, we plan to support passing a ticket number as part of the initial API request, which will then be included in the webhook payload. This will allow external systems to match incoming report data to the correct case and enrich it accordingly.
Requirements
Before you begin, set up API integration with your chosen solution (such as a SOAR or SIEM platform).
If needed, generate a new API token from the API Tokens tab under Integrations in the Superna dashboard.
Configure and use the activity report workflow
Follow these steps to enable and use the 24-hour user activity report feature:
- Configure the webhook receiver
  - In the Superna dashboard, go to Integrations and open the Webhooks tab.
  - Click the Add New Webhook (+) button to add a webhook.
  - Add your webhook URL (e.g., from webhook.site or your SIEM/SOAR platform).
  - Choose a name, event type, and apply filters (event severity, event state) as needed.
  - Click Save to add the webhook.
- Trigger a suspicious event
  Trigger a file access event that matches your webhook filters. This can be done manually (for testing purposes) or automatically as part of real-world user activity.
  For example, uploading a `.locky` file can simulate ransomware behavior and trigger an event.
- Review the initial webhook payload
  When a matching event occurs, Superna sends a webhook payload to your configured URL.
  This payload may be inspected manually during testing, or parsed automatically by your integration logic. Look for the following fields:
  - `user_name`: The user associated with the event
  - `cluster_name`: The cluster where the event occurred
  These values are required to request the user activity report:
  - `user_name` → `userinitiating`
  - `cluster_name` → `cluster`
- Request the user activity report
  To retrieve a 24-hour activity report for the user, send a GET request to the Eyeglass API using the `userinitiating` and `cluster` values. This request can be made manually (e.g., via `curl` for testing) or automatically by your integration in response to certain event types:

  ```bash
  curl -k -X GET \
    --header 'Accept: application/json' \
    --header 'api_key: YOUR_API_KEY' \
    'https://<igls-IP>/sera/v1/securityevents-useractivity?userinitiating=DOMAIN%5Cuser&cluster=cluster-name'
  ```

  The `userinitiating` parameter accepts either `domain\user` or `user@domain`. The `cluster` value must match the name of the storage cluster from the triggering event. When called, this endpoint starts an Easy Auditor job that:
  - Scans the most recent 24 hours of user activity, calculated from the time the report is initiated
  - Captures the following event types: `FILE_DELETE`, `FILE_RENAME`, `FILE_SET_ACL`, `DIR_DELETE`, `DIR_RENAME`, `DIR_SET_ACL`, `DIR_CREATE`, `FILE_READ`, `FILE_WRITE`, `FILE_CREATE`
  - Sends the resulting report back to the webhook URL
  You can also view the finished report in the Finished Reports tab of Easy Auditor once processing is complete.
- Review the updated webhook payload
  When the report is complete, a second webhook is sent to the same URL containing the user activity report.
  The payload includes:
  - A list of up to 2,000 of the most recent events, sorted by time (most recent first)
  - A summary of file activity in the last 24 hours, showing totals for deletes, creates, renames, and modifications
  - The user's name and SID
  This summary helps security teams quickly evaluate whether a user's behavior matches the profile of a real threat.
  Payload example:

  ```json
  {
    "events": [
      {
        "ipAddress": "igls-docs-IP",
        "clusterName": "isi-docs-07",
        "fileName": "two.locky:AFP_AfpInfo",
        "filePath": "\\ifs\\data\\events\\two.locky:AFP_AfpInfo",
        "accessStart": "2025-05-19 10:10:42",
        "accessType": "FILE_DELETE"
      },
      {
        "ipAddress": "igls-docs-IP",
        "clusterName": "isi-docs-07",
        "fileName": "twelve.locky:AFP_AfpInfo",
        "filePath": "\\ifs\\data\\events\\twelve.locky:AFP_AfpInfo",
        "accessStart": "2025-05-19 10:10:40",
        "accessType": "FILE_DELETE"
      },
      {
        "ipAddress": "igls-docs-IP",
        "clusterName": "isi-docs-07",
        "fileName": "three.locky:AFP_AfpInfo",
        "filePath": "\\ifs\\data\\events\\three.locky:AFP_AfpInfo",
        "accessStart": "2025-05-19 10:10:39",
        "accessType": "FILE_DELETE"
      }
    ],
    "filesDeleted": 20,
    "filesRenamed": 0,
    "filesModified": 0,
    "filesCreated": 0,
    "userName": "DOMAIN\\user",
    "userSid": "SID:S-1-5-21-404345670-385487803-234750076-1272"
  }
  ```
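The following is an added example, not Superna's code, showing the integration-side glue for the workflow above: mapping the initial webhook's `user_name`/`cluster_name` to the `userinitiating`/`cluster` query parameters (with correct percent-encoding of both accepted user forms), remembering which ticket triggered the request, and then correlating and triaging the second webhook's report payload. Because the report payload carries no ticket identifier, the example keys pending requests on the (user, cluster) pair; that workaround, the host name, the API key, the ticket ids, the delete threshold and the sample payloads are all assumptions or constructed values. The endpoint path, header names, field names and the 2,000-event cap come from this page.

```python
"""Added example (not Superna's code): glue for the Eyeglass user activity
report workflow. Host, API key, ticket ids and thresholds are placeholders.
"""
import json
from datetime import datetime
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

EYEGLASS_HOST = "igls.example.invalid"  # placeholder for the <igls-IP> in the page's curl
API_KEY = "YOUR_API_KEY"                # placeholder; real tokens come from the API Tokens tab
REPORT_PATH = "/sera/v1/securityevents-useractivity"  # endpoint path from this page
EVENT_CAP = 2000                        # the report lists at most 2,000 events (this page)

# Requests awaiting a report, keyed on (user, cluster). The report webhook
# carries no ticket id, so this pair is the only handle for correlating the
# second webhook back to the case that triggered the request (assumed workaround).
pending: Dict[Tuple[str, str], str] = {}


def build_report_request(initial_event: dict, ticket_id: str) -> Tuple[str, dict]:
    """Map the initial webhook's user_name/cluster_name to the API query.

    Returns (url, headers). Sending is left to the integration, e.g.
    requests.get(url, headers=headers, verify=CA_BUNDLE): the page's curl
    uses -k for testing; an automated caller should verify the certificate.
    """
    user = initial_event.get("user_name")
    cluster = initial_event.get("cluster_name")
    if not user or not cluster:
        raise ValueError("initial webhook payload lacks user_name or cluster_name")
    # urlencode percent-encodes the backslash of DOMAIN\user as %5C and the
    # '@' of user@domain as %40, so both accepted forms are safe in the URL.
    query = urlencode({"userinitiating": user, "cluster": cluster})
    url = f"https://{EYEGLASS_HOST}{REPORT_PATH}?{query}"
    headers = {"Accept": "application/json", "api_key": API_KEY}
    pending[(user, cluster)] = ticket_id
    return url, headers


def correlate(report: dict) -> Optional[str]:
    """Find the ticket for a finished report by user name plus the cluster
    named in its events (user name only if the event list is empty)."""
    user = report.get("userName")
    clusters = {e.get("clusterName") for e in report.get("events", [])}
    for (u, c), ticket in pending.items():
        if u == user and (not clusters or c in clusters):
            return ticket
    return None


def triage(report: dict, delete_threshold: int = 10) -> dict:
    """Summarise a report payload for an analyst or a SOAR rule.

    Counts in `by_type` come from the (capped) event list; the 24-hour totals
    come from the summary fields, which are not capped, so the verdict uses
    those. `delete_threshold` is an assumed tuning value, not a Superna default.
    """
    events = report.get("events", [])
    by_type: Dict[str, int] = {}
    for e in events:
        by_type[e["accessType"]] = by_type.get(e["accessType"], 0) + 1
    times = sorted(datetime.strptime(e["accessStart"], "%Y-%m-%d %H:%M:%S")
                   for e in events)
    span = (times[-1] - times[0]).total_seconds() if len(times) > 1 else 0.0
    totals = {k: report.get(k, 0) for k in
              ("filesDeleted", "filesRenamed", "filesModified", "filesCreated")}
    return {
        "ticket": correlate(report),
        "user": report.get("userName"),
        "sid": report.get("userSid"),
        "by_type": by_type,
        "totals": totals,
        "listed_events": len(events),
        "truncated": len(events) >= EVENT_CAP,  # more history exists in Easy Auditor
        "span_seconds": span,
        "verdict": "investigate" if totals["filesDeleted"] >= delete_threshold else "benign",
    }


# Constructed sample payloads shaped like the ones on this page.
SAMPLE_INITIAL = {"user_name": "DOMAIN\\user", "cluster_name": "isi-docs-07"}
SAMPLE_REPORT = {
    "events": [
        {"ipAddress": "igls-docs-IP", "clusterName": "isi-docs-07",
         "fileName": "two.locky:AFP_AfpInfo",
         "filePath": "\\ifs\\data\\events\\two.locky:AFP_AfpInfo",
         "accessStart": "2025-05-19 10:10:42", "accessType": "FILE_DELETE"},
        {"ipAddress": "igls-docs-IP", "clusterName": "isi-docs-07",
         "fileName": "three.locky:AFP_AfpInfo",
         "filePath": "\\ifs\\data\\events\\three.locky:AFP_AfpInfo",
         "accessStart": "2025-05-19 10:10:39", "accessType": "FILE_DELETE"},
    ],
    "filesDeleted": 20, "filesRenamed": 0, "filesModified": 0, "filesCreated": 0,
    "userName": "DOMAIN\\user",
    "userSid": "SID:S-1-5-21-404345670-385487803-234750076-1272",
}

if __name__ == "__main__":
    url, headers = build_report_request(SAMPLE_INITIAL, "INC-0001")  # placeholder ticket id
    print(url)
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Two points the sample makes that the payload alone does not: the event list and the summary counters measure different things (the list is capped at 2,000 and may be truncated, the `filesDeleted`/`filesRenamed`/`filesModified`/`filesCreated` totals cover the whole 24-hour window), so an automated verdict should read the totals and treat `truncated` as a cue to open Easy Auditor for the full history; and until a ticket number is carried in the payload, the (user, cluster) key is the only correlation handle, so a SOAR rule should tolerate two pending requests for the same user on different clusters but not assume more than that.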
Additional information
- The activity report excludes events generated by Security Guard and RobotAudit.
- Only NAS activity (SMB and NFS protocols) is included. S3 activity is not supported in this release.
- The report includes a maximum of 2,000 events, sorted by most recent first. If the user has more than 2,000 events in the last 24 hours, only the most recent 2,000 will be returned.
- For access to the full activity history, use the Easy Auditor feature directly.