Version: 2.12.0

User Activity Report

Introduction

Use the Zero Trust API with webhook integration to automatically retrieve a 24-hour snapshot of a user's file activity. This functionality helps security teams quickly assess whether suspicious activity—such as ransomware behavior—is a real threat.

Security platforms (like CrowdStrike or Splunk) that receive Superna webhook events can initiate a follow-up API request for user activity. Superna runs an Easy Auditor job covering the past 24 hours, and the enriched activity report is returned through a webhook update to the same integration endpoint.

Future Enhancement

Currently, the webhook payload for the user activity report does not include a ticket identifier (e.g., from ServiceNow, Splunk, CrowdStrike, etc.). As a result, there's no built-in way to correlate the webhook with the originating request or case in a third-party system.

In a future update, we plan to support passing a ticket number as part of the initial API request, which will then be included in the webhook payload. This will allow external systems to match incoming report data to the correct case and enrich it accordingly.

Requirements

Before you begin, set up API integration with your chosen solution (such as a SOAR or SIEM platform).

If needed, generate a new API token from the API Tokens tab under Integrations in the Superna dashboard.

Configure and use the activity report workflow

Follow these steps to enable and use the 24-hour user activity report feature:

  1. Configure the webhook receiver

    1. In the Superna dashboard, go to Integrations. Navigate to the Webhooks tab.
    2. Click the Add New Webhook + button to add a webhook.
    3. Add your webhook URL (e.g., from webhook.site or your SIEM/SOAR platform).
    4. Choose a name, event type, and apply filters (event severity, event state) as needed.
    5. Click Save to add the webhook.
  2. Trigger a suspicious event

    Trigger a file access event that matches your webhook filters. This can be done manually (for testing purposes) or automatically as part of real-world user activity.

    For example, uploading a .locky file can simulate ransomware behavior and trigger an event.

  3. Review the initial webhook payload

    When a matching event occurs, Superna sends a webhook payload to your configured URL.

    This payload may be inspected manually during testing, or parsed automatically by your integration logic. Look for the following fields:

    • user_name: The user associated with the event
    • cluster_name: The cluster where the event occurred

    These webhook fields supply the query parameters required to request the user activity report:

    • user_name → userinitiating
    • cluster_name → cluster
  4. Request the user activity report

    To retrieve a 24-hour activity report for the user, send a GET request to the Eyeglass API using the userinitiating and cluster values.

    This request can be made manually (e.g., via curl for testing) or automatically by your integration in response to certain event types:

    curl -k -X GET \
    --header 'Accept: application/json' \
    --header 'api_key: YOUR_API_KEY' \
    'https://<igls-IP>/sera/v1/securityevents-useractivity?userinitiating=DOMAIN%5Cuser&cluster=cluster-name'

    The userinitiating parameter accepts either domain\user or user@domain. The cluster value must match the name of the storage cluster from the triggering event.

    When called, this endpoint starts an Easy Auditor job that:

    • Scans the most recent 24 hours of user activity, calculated from the time the report is initiated
    • Captures the following event types:
      • FILE_DELETE, FILE_RENAME, FILE_SET_ACL
      • DIR_DELETE, DIR_RENAME, DIR_SET_ACL
      • DIR_CREATE, FILE_READ, FILE_WRITE, FILE_CREATE
    • Sends the resulting report back to the webhook URL

    You can also view the finished report in the Finished Reports tab of Easy Auditor once processing is complete.

  5. Review the updated webhook payload

    When the report is complete, a second webhook is sent to the same URL containing the user activity report.

    The payload includes:

    • A list of up to 2,000 of the most recent events, sorted by time (most recent first)
    • A summary of file activity in the last 24 hours, showing totals for deletes, creates, renames, and modifications
    • The user's name and SID

    This summary helps security teams quickly evaluate whether a user's behavior matches the profile of a real threat.

    Payload example:

    {
      "events": [
        {
          "ipAddress": "igls-docs-IP",
          "clusterName": "isi-docs-07",
          "fileName": "two.locky:AFP_AfpInfo",
          "filePath": "\\ifs\\data\\events\\two.locky:AFP_AfpInfo",
          "accessStart": "2025-05-19 10:10:42",
          "accessType": "FILE_DELETE"
        },
        {
          "ipAddress": "igls-docs-IP",
          "clusterName": "isi-docs-07",
          "fileName": "twelve.locky:AFP_AfpInfo",
          "filePath": "\\ifs\\data\\events\\twelve.locky:AFP_AfpInfo",
          "accessStart": "2025-05-19 10:10:40",
          "accessType": "FILE_DELETE"
        },
        {
          "ipAddress": "igls-docs-IP",
          "clusterName": "isi-docs-07",
          "fileName": "three.locky:AFP_AfpInfo",
          "filePath": "\\ifs\\data\\events\\three.locky:AFP_AfpInfo",
          "accessStart": "2025-05-19 10:10:39",
          "accessType": "FILE_DELETE"
        }
      ],
      "filesDeleted": 20,
      "filesRenamed": 0,
      "filesModified": 0,
      "filesCreated": 0,
      "userName": "DOMAIN\\user",
      "userSid": "SID:S-1-5-21-404345670-385487803-234750076-1272"
    }
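
The two integration-side halves of steps 4 and 5, as an added example that is not part of the Superna documentation or product: building the report request from the initial event's user_name and cluster_name, and reducing the report payload to a triage summary. The host name, API token, sample payloads and the delete threshold are constructed placeholders, and the helper leaves the HTTPS call itself to the caller.

```python
from collections import Counter
from urllib.parse import urlencode

REPORT_EVENT_CAP = 2000  # the report payload carries at most this many events

# Constructed sample of the first (event) webhook payload: only the two fields
# the report request needs are shown; real payloads carry more.
INITIAL_EVENT = {"user_name": "DOMAIN\\user", "cluster_name": "isi-docs-07"}

# Constructed sample of the second (report) webhook payload, trimmed to two
# events but in the shape shown on the page.
REPORT_PAYLOAD = {
    "events": [
        {"clusterName": "isi-docs-07", "fileName": "two.locky:AFP_AfpInfo",
         "accessStart": "2025-05-19 10:10:42", "accessType": "FILE_DELETE"},
        {"clusterName": "isi-docs-07", "fileName": "three.locky:AFP_AfpInfo",
         "accessStart": "2025-05-19 10:10:39", "accessType": "FILE_DELETE"},
    ],
    "filesDeleted": 20, "filesRenamed": 0, "filesModified": 0, "filesCreated": 0,
    "userName": "DOMAIN\\user",
    "userSid": "SID:S-1-5-21-404345670-385487803-234750076-1272",
}


def build_report_request(eyeglass_host, api_key, event):
    """Step 4: map user_name/cluster_name onto the API's query parameters.
    Returns (url, headers); the caller performs the HTTPS call. urlencode
    percent-encodes the backslash in DOMAIN\\user, giving DOMAIN%5Cuser.
    """
    params = {"userinitiating": event["user_name"], "cluster": event["cluster_name"]}
    url = f"https://{eyeglass_host}/sera/v1/securityevents-useractivity?{urlencode(params)}"
    return url, {"Accept": "application/json", "api_key": api_key}


def triage_report(report, delete_threshold=10):
    """Step 5: reduce the report payload to the facts an analyst needs first.
    delete_threshold is an assumed tuning value, not something the page defines.
    """
    events = report.get("events", [])
    times = [e["accessStart"] for e in events]
    return {
        "user": report["userName"],
        "sid": report["userSid"],
        "totals": {k: report.get(k, 0) for k in
                   ("filesDeleted", "filesRenamed", "filesModified", "filesCreated")},
        "events_by_type": dict(Counter(e["accessType"] for e in events)),
        # A full list means older activity in the 24-hour window was cut off.
        "truncated": len(events) >= REPORT_EVENT_CAP,
        "most_recent_first": times == sorted(times, reverse=True),
        "mass_delete": report.get("filesDeleted", 0) >= delete_threshold,
    }
```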

Additional information

  • The activity report excludes events generated by Security Guard and RobotAudit.
  • Only NAS activity (SMB and NFS protocols) is included. S3 activity is not supported in this release.
  • The report includes a maximum of 2,000 events, sorted by most recent first. If the user has more than 2,000 events in the last 24 hours, only the most recent 2,000 will be returned.
  • For access to the full activity history, use the Easy Auditor feature directly.