Version: 2.12.1

User Activity Report

Introduction

Use the Zero Trust API with webhook integration to retrieve a 24-hour snapshot of user file activity. This feature helps security teams assess whether suspicious activity like ransomware behavior represents a real threat.

Security platforms (like CrowdStrike or Splunk) that receive Superna webhook events can send a follow-up API request for user activity. Superna runs an Easy Auditor job covering the past 24 hours and returns the activity report through a webhook update to the same integration endpoint.

Future Enhancement

The webhook payload for the user activity report does not include a ticket identifier (from ServiceNow, Splunk, CrowdStrike, etc.), so you cannot correlate the webhook with the originating request or case in a third-party system.

In a future update, we plan to support passing a ticket number as part of the initial API request, which will be included in the webhook payload. This will allow external systems to match incoming report data to the correct case.

Requirements

Before you begin, set up API integration with your chosen solution (such as a SOAR or SIEM platform).

If needed, generate a new API token from the API Tokens tab under Integrations in the Superna dashboard.

Configure and Use the Activity Report Workflow

Follow these steps to enable and use the 24-hour user activity report feature:

  1. Configure the Webhook Receiver
    Set up a webhook endpoint to receive user activity reports.

    1. In the Superna dashboard, go to Integrations and navigate to the Webhooks tab.
    2. Click the Add New Webhook + button.
    3. Add your webhook URL (from webhook.site or your SIEM/SOAR platform). webhook.site is a public third-party service: use it only for test events, never for production payloads, since the report contains user names, SIDs, and file paths.
    4. Choose a name, event type, and apply filters (event severity, event state) as needed.
    5. Click Save to add the webhook.
  2. Trigger a Suspicious Event
    Generate a file access event that matches your webhook filters.

    You can trigger this event manually for testing purposes or let real-world user activity generate it automatically.

    For example, uploading a .locky file simulates ransomware behavior and triggers an event.

  3. Review the Initial Webhook Payload
    Examine the webhook payload that Superna sends when a matching event occurs.

    Superna sends a webhook payload to your configured URL when a matching event occurs. You can inspect this payload manually during testing or parse it automatically with your integration logic.

    Look for these fields:

    • user_name: The user associated with the event
    • cluster_name: The cluster where the event occurred

    Pass these values as the following query parameters when you request the user activity report:

    • user_name → userinitiating
    • cluster_name → cluster
  4. Request the User Activity Report
    Send a GET request to retrieve a 24-hour activity report for the user.

    Send a GET request to the Eyeglass API using the userinitiating and cluster values. You can make this request manually (using curl for testing) or automatically through your integration in response to certain event types:

    curl -k -X GET \
    --header 'Accept: application/json' \
    --header 'api_key: YOUR_API_KEY' \
    'https://<igls-IP>/sera/v1/securityevents-useractivity?userinitiating=DOMAIN%5Cuser&cluster=cluster-name'

    The userinitiating parameter accepts either domain\user or user@domain format; URL-encode the backslash as %5C in the query string, as in the example above. The cluster value must match the storage cluster name from the triggering event. The -k flag in the example skips TLS certificate verification and is only appropriate for testing; remove it once your client trusts the certificate presented by the Eyeglass appliance.

    This endpoint starts an Easy Auditor job that:

    • Scans the 24 hours of that user's activity immediately preceding the moment you initiate the report
    • Captures these event types:
      • FILE_DELETE, FILE_RENAME, FILE_SET_ACL
      • DIR_DELETE, DIR_RENAME, DIR_SET_ACL
      • DIR_CREATE, FILE_READ, FILE_WRITE, FILE_CREATE
    • Sends the resulting report back to the webhook URL

    You can also view the finished report in the Finished Reports tab of Easy Auditor after processing completes.

  5. Review the Updated Webhook Payload
    Examine the complete user activity report when processing finishes.

    Superna sends a second webhook to the same URL containing the user activity report when processing completes.

    The payload includes:

    • A list of up to 2,000 of the most recent events, sorted by time (most recent first)
    • A summary of file activity in the last 24 hours, showing totals for deletes, creates, renames, and modifications
    • The user's name and SID

    This summary helps security teams evaluate whether a user's behavior matches a real threat profile.

    Payload example:

    {
      "events": [
        {
          "ipAddress": "igls-docs-IP",
          "clusterName": "isi-docs-07",
          "fileName": "two.locky:AFP_AfpInfo",
          "filePath": "\\ifs\\data\\events\\two.locky:AFP_AfpInfo",
          "accessStart": "2025-05-19 10:10:42",
          "accessType": "FILE_DELETE"
        },
        {
          "ipAddress": "igls-docs-IP",
          "clusterName": "isi-docs-07",
          "fileName": "twelve.locky:AFP_AfpInfo",
          "filePath": "\\ifs\\data\\events\\twelve.locky:AFP_AfpInfo",
          "accessStart": "2025-05-19 10:10:40",
          "accessType": "FILE_DELETE"
        },
        {
          "ipAddress": "igls-docs-IP",
          "clusterName": "isi-docs-07",
          "fileName": "three.locky:AFP_AfpInfo",
          "filePath": "\\ifs\\data\\events\\three.locky:AFP_AfpInfo",
          "accessStart": "2025-05-19 10:10:39",
          "accessType": "FILE_DELETE"
        }
      ],
      "filesDeleted": 20,
      "filesRenamed": 0,
      "filesModified": 0,
      "filesCreated": 0,
      "userName": "DOMAIN\\user",
      "userSid": "SID:S-1-5-21-404345670-385487803-234750076-1272"
    }
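The following is an added example of the glue logic a SIEM/SOAR integration would run between the two webhooks in the workflow above; it is not Superna's code or part of the original page. It assumes the initial webhook carries top-level user_name and cluster_name keys (the page names those fields but does not show the full payload), builds the same GET request as the curl example, and then triages the second payload: it recounts events by type, computes how fast destructive operations arrived, and flags the event list as truncated when it hits the 2,000-event cap so that the summary totals, not the list, are used for counts. The Eyeglass host, API key, burst threshold, and sample payloads are constructed for illustration.

```python
"""Added example, not Superna code: handle the initial security-event webhook,
build the activity-report request, and triage the report webhook offline."""
from datetime import datetime
from urllib.parse import urlencode

MAX_EVENTS = 2000  # the report lists at most 2,000 events, most recent first
DELETE_TYPES = {"FILE_DELETE", "DIR_DELETE"}
RENAME_TYPES = {"FILE_RENAME", "DIR_RENAME"}
ACL_TYPES = {"FILE_SET_ACL", "DIR_SET_ACL"}
# Constructed triage threshold (assumption): this many deletes+renames per
# minute looks like mass encryption rather than ordinary file work.
BURST_PER_MINUTE = 10.0

# Constructed initial webhook body; only the two fields the page names are used.
SAMPLE_INITIAL_EVENT = {"user_name": "DOMAIN\\user", "cluster_name": "isi-docs-07"}

# Constructed report body, mirroring the payload example on the page.
SAMPLE_REPORT = {
    "events": [
        {"clusterName": "isi-docs-07", "filePath": "\\ifs\\data\\events\\two.locky",
         "accessStart": "2025-05-19 10:10:42", "accessType": "FILE_DELETE"},
        {"clusterName": "isi-docs-07", "filePath": "\\ifs\\data\\events\\twelve.locky",
         "accessStart": "2025-05-19 10:10:40", "accessType": "FILE_DELETE"},
        {"clusterName": "isi-docs-07", "filePath": "\\ifs\\data\\events\\three.locky",
         "accessStart": "2025-05-19 10:10:39", "accessType": "FILE_DELETE"},
    ],
    "filesDeleted": 20, "filesRenamed": 0, "filesModified": 0, "filesCreated": 0,
    "userName": "DOMAIN\\user",
    "userSid": "SID:S-1-5-21-404345670-385487803-234750076-1272",
}


def build_report_request(igls_host, api_key, initial_event):
    """Map user_name/cluster_name from the first webhook onto the GET request.

    Path and header name follow the page's curl example. urlencode percent-
    encodes the backslash in DOMAIN\\user as %5C (and @ as %40), so both
    accepted user formats are safe to pass through.
    """
    query = urlencode({
        "userinitiating": initial_event["user_name"],
        "cluster": initial_event["cluster_name"],
    })
    url = f"https://{igls_host}/sera/v1/securityevents-useractivity?{query}"
    headers = {"Accept": "application/json", "api_key": api_key}
    return url, headers


def triage_report(report):
    """Summarize the second webhook payload for an analyst or a SOAR rule."""
    events = report.get("events", [])
    counts = {}
    for ev in events:
        counts[ev["accessType"]] = counts.get(ev["accessType"], 0) + 1

    # Burst rate of destructive operations across the listed events.
    # accessStart is "YYYY-MM-DD HH:MM:SS"; the span is floored at one second.
    times = [datetime.strptime(ev["accessStart"], "%Y-%m-%d %H:%M:%S") for ev in events]
    span_seconds = (max(times) - min(times)).total_seconds() if times else 0.0
    destructive = sum(n for t, n in counts.items() if t in DELETE_TYPES | RENAME_TYPES)
    per_minute = destructive * 60.0 / max(span_seconds, 1.0)

    # The list is capped at MAX_EVENTS; the summary totals cover the whole
    # 24-hour window, so they are the authoritative counts when truncated.
    truncated = len(events) >= MAX_EVENTS
    return {
        "user": report.get("userName"),
        "sid": report.get("userSid"),
        "listed_events": len(events),
        "truncated": truncated,
        "listed_deletes": sum(counts.get(t, 0) for t in DELETE_TYPES),
        "summary_deletes": report.get("filesDeleted", 0),
        "acl_changes": sum(counts.get(t, 0) for t in ACL_TYPES),
        "destructive_per_minute": round(per_minute, 2),
        "suspicious": per_minute >= BURST_PER_MINUTE,
    }


if __name__ == "__main__":
    url, headers = build_report_request("igls.example.internal", "YOUR_API_KEY", SAMPLE_INITIAL_EVENT)
    print("GET", url, headers)
    print(triage_report(SAMPLE_REPORT))
```

In a real integration, `build_report_request` is called from the handler for the first webhook and the request is sent with your HTTP client with certificate verification left on; `triage_report` runs in the handler for the second webhook, and a `truncated` result of True means the per-type counts should be read from the filesDeleted/filesRenamed/filesModified/filesCreated totals rather than from the listed events.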

Additional Information

  • The activity report excludes events generated by Security Guard and RobotAudit.
  • Only NAS activity (SMB and NFS protocols) is included. S3 activity is not supported in this release.
  • The report includes a maximum of 2,000 events, sorted by most recent first. If the user has more than 2,000 events in the last 24 hours, the system returns only the most recent 2,000.
  • For access to the full activity history, use the Easy Auditor feature directly.