DNSFilter provides cloud-based DNS security and content filtering solutions to protect networks from online threats and manage internet usage.
DNSFilter provides cloud-based DNS security and content filtering solutions to protect networks from online threats and manage internet usage. On Nagent, Dnsfilter is exposed as a fully-configurable security & identity tools integration that any agent can call — 170 actions, and API key authentication. No code is required to wire Dnsfilter into your workflow — connect it once via the External Integrations panel and reuse it across every agent you build.
Agent builders use Dnsfilter to automate the kinds of tasks security & identity tools teams previously handled manually. Concrete examples — each one is a single agent step in Nagent — include:
Every action and trigger is paired with a structured input/output schema (visible in the sections below), so when you wire Dnsfilter into Helix — our agentic agent builder — the editor knows exactly what each step expects and produces. Configure once, deploy anywhere across your Nagent agents.
Every operation an agent can call against Dnsfilter, with input parameters and output schema. Drop these into any step of an agent built in Helix.
DNSFILTER_ADD_ALLOWED_APPLICATIONAdds a single application to the allow list of a policy in DNSFilter. Use this action when you need to permit a specific application through the filtering policy. The application will be added to the policy's allow_applications list and will be allowed regardless of other blocking rules. This is useful for whitelisting specific applications that need to function while maintaining strict filtering policies for other traffic.
Input parameters
Policy ID to add the allowed application to. Use LIST_POLICIES action to retrieve valid policy IDs.
Application name to add to the allow list. This should be a valid application identifier recognized by DNSFilter (e.g., '1password', 'dropbox', 'slack').
Include relationships in the response (organization, etc.). Defaults to true. Set to false for a lighter response payload.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_ADD_ALLOWLIST_DOMAINS_TO_POLICIESTool to bulk add one or more domains to one or more policies' allow lists. Use when you need to permit specific domains across multiple policies efficiently, bypassing filtering rules for trusted sites.
Input parameters
Optional dictionary mapping domain names to explanatory notes. Keys are domain names and values are note strings describing why the domain was added.
List of domain names to add to the allow list. These domains will bypass filtering rules and be permitted for the specified policies.
List of policy IDs to which the domains should be added. Use LIST_POLICIES action to retrieve valid policy IDs.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_ADD_BLACKLIST_CATEGORY_TO_POLICYTool to add a single category to a policy's blocklist. Use when you need to block a specific content category for a DNS filtering policy. The category will be added to the existing blacklist categories without affecting other policy settings.
Input parameters
The unique ID of the policy to update. Use LIST_POLICIES or GET_POLICIES actions to retrieve valid policy IDs.
The ID of the category to add to the blocklist. Use LIST_CATEGORIES or LIST_ALL_CATEGORIES actions to retrieve valid category IDs.
Include relationships in the response (organization, etc.). Defaults to true. Set to false for a lighter response payload.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_ADD_BLACKLIST_DOMAIN_TO_POLICYTool to add a single domain to a policy's blocklist. Use when you need to block a specific domain under a DNS filtering policy. The domain will be added to the policy's blacklist and blocked from access for users under that policy.
Input parameters
The unique ID of the policy to add the domain to. Use LIST_POLICIES action to retrieve valid policy IDs.
A note or comment explaining why this domain is being blocked. Useful for documentation and auditing purposes.
The domain name to add to the blocklist. Should be a fully qualified domain name (FQDN) without protocol prefix (e.g., 'malicious-domain.com', not 'https://malicious-domain.com').
Include relationships in the response (organization, etc.). Defaults to true. Set to false for a lighter response payload.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_ADD_BLOCKED_APPLICATIONAdds a single application to the block list of a policy in DNSFilter. Use this action when you need to block a specific application through the filtering policy. The application will be added to the policy's block_applications list and will be blocked regardless of other allow rules. This is useful for blocking specific applications that should not be accessible while maintaining other filtering policies.
Input parameters
Policy ID to add the blocked application to. Use LIST_POLICIES action to retrieve valid policy IDs.
Application name to add to the block list. This should be a valid application identifier recognized by DNSFilter (e.g., '101domains', 'tiktok', 'snapchat').
Include relationships in the response (organization, etc.). Defaults to true. Set to false for a lighter response payload.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_ADD_BLOCKLIST_DOMAINS_TO_POLICIESTool to add one or more domains to the blocklist of multiple policies at once. Use when you need to block specific domains across multiple filtering policies efficiently. The operation applies all specified domains to all specified policies in a single API call.
Input parameters
Optional key-value pairs mapping domain names to notes/comments. Keys should match domains from the 'domains' field. Useful for documenting why specific domains are blocked.
List of domain names to add to the blocklist. Each domain should be a fully qualified domain name (FQDN) without protocol prefix (e.g., 'malicious-domain.com', not 'https://malicious-domain.com').
List of policy IDs to add the domains to. Each policy will have all specified domains added to its blocklist. Use LIST_POLICIES action to retrieve valid policy IDs.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_ADD_WHITELIST_DOMAINTool to add a single domain to a policy's allowlist. Use when you need to permit a specific domain for a policy, bypassing filtering rules for that trusted site.
Input parameters
Policy ID to which the domain should be added. Use LIST_POLICIES action to retrieve valid policy IDs.
Explanatory note describing why this domain was added to the allowlist. Helps document the reason for allowlisting this domain.
Domain name to add to the allowlist. This domain will bypass filtering rules and be permitted for the specified policy. Domain should be in standard format without protocol (e.g., 'example.com').
Include relationships in the response. Defaults to true. Set to false for a lighter response payload.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_CANCEL_ORGANIZATIONSets an organization as 'Canceled' in DNSFilter by its unique ID. Use this action when you need to cancel an organization's service. The organization will be marked as canceled but may not be immediately deleted depending on billing cycles.
Input parameters
The unique ID of the organization to cancel. Use the List Organizations action to find valid organization IDs. This sets the organization status to 'Canceled'.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_CHECK_USER_AGENT_BULK_UPDATES_HAS_MIXEDCheck if user agent attributes are mixed in a bulk selection. Use this to determine whether block pages, policies, sites, or tags differ across the selected user agents before performing bulk updates. This helps identify configuration inconsistencies and plan bulk update operations.
Input parameters
List of user agent IDs to check for mixed attributes. If empty, the check applies to all agents matching the filter parameters.
Filter user agents by tags. Agents matching any of the specified tags will be included.
User agent type filter. Defaults to non-proxy/non-relay user agents if not specified.
Filter user agents by their online/offline state.
Search user agents by keywords (space-delimited). Searches across hostname and friendly name fields.
Filter user agents by status. Valid values: active, disabled, uninstalled.
Filter user agents by their protection state: protected, unprotected, bypassed, or uninstalled.
Search term to filter clients by hostname or friendly_name fields. Case-insensitive partial matching.
List of network IDs to filter user agents. If not specified, defaults to all networks.
List of organization IDs to filter user agents. Defaults to user organization ID if not specified.
Filter to include only agents that have received traffic in the last 15 minutes.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_CREATE_API_KEYSCreates a new API key in DNSFilter for authentication and API access. This action generates a new API key that can be used to authenticate API requests to DNSFilter. The API key is returned only once upon creation and should be stored securely. You can optionally set an expiration date to enforce key rotation policies. Use cases include: - Creating keys for automated integrations - Generating keys for third-party service access - Setting up keys with specific expiration policies IMPORTANT: The API key value is only returned in the creation response. Store it securely as it cannot be retrieved later.
Input parameters
A descriptive name for the API key to help identify its purpose or usage (e.g., 'Production API Key', 'Integration with Service X'). This helps with organization and management of multiple API keys.
Expiration date and time for the API key in ISO 8601 format (e.g., '2026-12-31T23:59:59.000Z'). The expiry date must be in the future and cannot be more than 1 year from the current date. Use this to enforce key rotation policies.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_CREATE_CYBER_SIGHT_CSV_EXPORTCreates a CyberSight CSV export record to track export of CyberSight report information. This action initiates an export of CyberSight activity logs to CSV format. The export is processed asynchronously - the response includes a UUID to track the export status. Once processing is complete, the response will contain a presigned S3 URL to download the CSV file. Common use cases: - Exporting activity logs for compliance reporting - Downloading filtered CyberSight data for analysis - Creating scheduled reports of network activity The export can be filtered by organization, time range, activity type, and various other criteria. Required fields are report_type, start_at, and end_at. The export URL will be available once processing is complete (usually within a few minutes depending on data volume).
Input parameters
End date/time for the report query in ISO8601 format (e.g., '2026-02-13T23:59:59Z'). This defines the end of the time range for the exported data.
Search term for filtering results. General search across CyberSight data.
Filter by application name using regex pattern. Use this to export activities from applications matching the pattern.
MSP UUID to filter by in UUIDv7 format. Limits the export to data from a specific Managed Service Provider.
Start date/time for the report query in ISO8601 format (e.g., '2026-02-06T00:00:00Z'). This defines the beginning of the time range for the exported data.
Filter by web host using regex pattern. Use this to export web activities from specific hosts.
IP address to search for. Use this to export activities from a specific IP address.
Organization UUIDs to filter by in UUIDv7 format. Limits the export to data from specified organizations only.
Type of CyberSight Report to export. Currently only 'activity_logs' is supported.
Category IDs to filter by. Limits the export to activities in specific categories.
Filter by web full URL using regex pattern. Use this to export web activities matching specific URL patterns.
Only include weekdays in results (Monday-Friday). Defaults to false if not specified.
Filter by application window title using regex pattern. Use this to export activities from applications with specific window titles.
Specific columns to include in the exported CSV report. If not specified, all available columns will be included.
User agent UUIDs to filter by in UUIDv7 format. Limits the export to activities from specific user agents.
Activity type IDs to filter by. Use this to export only specific types of activity logs.
Organization UUIDs to exclude from results in UUIDv7 format. Use this to filter out specific organizations from the export.
Filter by application executable path using regex pattern. Use this to export activities from applications at specific paths.
Agent local user UUIDs to filter by in UUIDv7 format. Limits the export to activities from specific agent users.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_CREATE_IP_ADDRESSCreates a new IP address entry in DNSFilter for network filtering and policy enforcement. This action registers an IPv4 or IPv6 address with a specific network in DNSFilter, allowing that IP to be subject to the network's filtering policies. Common use cases include: - Adding gateway or router IP addresses - Registering office or branch location IPs - Including failover or WAN link IPs Prerequisites: - Must have a valid network_id (use LIST_NETWORKS to retrieve available networks) - The IP address must be a valid IPv4 or IPv6 format - User must have authorization to create IP addresses in the target network Returns the created IP address details including its unique ID and UUID for future reference.
Input parameters
The IPv4 or IPv6 address to register. Must be a valid IP address format (e.g., '192.0.2.1' for IPv4 or '2001:db8::1' for IPv6). This IP will be associated with the specified network for filtering purposes.
The unique identifier of the network where this IP address should be registered. Use the LIST_NETWORKS action to retrieve valid network IDs from your DNSFilter account.
Optional human-readable label or note to identify this IP address (e.g., purpose, location, or device name). Helps with organization and management of multiple IPs.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_CREATE_MAC_ADDRESSCreates a new MAC address entry in DNSFilter with the specified data. This action registers a MAC address with a specific organization in DNSFilter, allowing that MAC address to be subject to custom filtering policies and block pages. Common use cases include: - Adding device MAC addresses for network access control - Assigning custom policies to specific devices - Managing device-level filtering in BYOD environments Prerequisites: - Must have a valid organization_id (use LIST_ORGANIZATIONS to retrieve available organizations) - The MAC address should be in valid format with colons (e.g., '00:11:22:33:44:55') - User must have authorization to create MAC addresses in the target organization Returns the created MAC address details including its unique ID for future reference.
Input parameters
MAC address creation request parameters containing the organization ID and optional MAC address details.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_CREATE_NETWORKSCreates a new network with the specified configuration in DNSFilter. Networks represent locations or groups of devices that will be protected by DNSFilter's DNS filtering policies. Use this action to set up filtering for office locations, remote workers, or any group of devices that need DNS security. Required fields are network name and organization_id. Optional settings include custom block pages, IP addresses, local domain handling, and policy assignments. The action returns the complete network details including its unique ID and UUID for future operations.
Input parameters
Network data with required and optional attributes for network creation. At minimum, you must provide a name and organization_id.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_CREATE_NETWORKS_BULKBulk create multiple networks in DNSFilter with a single API call. Use when you need to create multiple networks at once for efficiency. Each network requires at minimum a name; optional fields like physical address, coordinates, description, and policy assignment can be included for better organization.
Input parameters
Array of network objects to create. Each network must have at minimum a 'name' field. All networks will be created in a single bulk operation.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_CREATE_ORGANIZATION_USERAdds a new or existing user with the specified email to an organization in DNSFilter. This action creates a user association with a specific organization, assigning them a role (administrator or read_only). If the user email already exists in DNSFilter, it adds that existing user to the organization. If the email is new, it creates a new user account. Common use cases: - Adding administrators to manage organization settings - Granting read-only access to stakeholders or auditors - Managing multi-organization access with permission lists Prerequisites: - Must have a valid organization_id (use LIST_ORGANIZATIONS to retrieve) - User must have administrator permissions in the organization - Email must be valid and unique within the organization Returns the created user details including their ID, role, and contact information.
Input parameters
User creation request parameters containing the email, name, role, and optional permissions.
The ID of the organization to add the user to. Use the LIST_ORGANIZATIONS action to retrieve valid organization IDs from your DNSFilter account.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_CREATE_POLICIESCreates a new DNS filtering policy with the specified configuration in DNSFilter. Policies define filtering rules including blocked/allowed categories, domain lists, safe search enforcement, and application controls. Use this action to create filtering policies that can be applied to networks, IP addresses, or MAC addresses for content filtering and security enforcement. Required fields are policy name and organization_id. Optional settings include category blocking, domain allow/block lists, safe search enforcement for multiple search engines, application controls, and YouTube restrictions.
Input parameters
Policy creation request parameters containing the policy name, organization ID, and optional filtering settings.
Option to append allowlist/blocklist domains to the existing ones rather than replacing them. Default: false. Use true when adding to existing domain lists.
Include relationships in the response (organization, etc.). Defaults to true. Set to false for a lighter response payload.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_CREATE_SCHEDULED_POLICYCreates a new scheduled (time-based) policy in DNSFilter. Scheduled policies allow different filtering policies to be applied during different times of the week based on a weekly schedule divided into 15-minute intervals. Use this action to implement time-based filtering rules such as stricter policies during school/work hours and relaxed policies during evenings or weekends. The policy_ids array must contain exactly 672 integers representing each 15-minute block of the week starting from Monday 12:01am. Each policy ID can be reused for multiple time blocks to create consistent filtering periods.
Input parameters
Human-readable name for the scheduled policy. Use a descriptive name that helps identify the policy's purpose or schedule (e.g., 'School Hours Policy', 'Weekend Filtering').
The timezone string in IANA timezone database format (e.g., 'America/New_York', 'Europe/London', 'Asia/Tokyo') for localizing the scheduled policy. This determines when each 15-minute block applies based on local time.
Array of exactly 672 policy IDs representing 15-minute time blocks for the entire week, starting Monday morning 12:01am. Each element corresponds to a 15-minute interval (4 blocks per hour × 24 hours × 7 days = 672 blocks). Use policy IDs from LIST_POLICIES action. The same policy ID can be repeated for multiple time blocks.
The unique identifier of the organization where this scheduled policy should be created. Use LIST_ORGANIZATIONS action to retrieve valid organization IDs.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_CREATE_SCHEDULED_REPORT_PREVIEWSCreates a scheduled report preview for an organization, triggering background generation of the report. This action initiates the generation of a preview for scheduled reports in DNSFilter. The preview includes filtered content statistics and threat summaries based on the organization's DNS filtering activity. Use this when you need to generate a sample report to review filtering effectiveness or prepare regular scheduled reports. The report generation happens asynchronously in the background after creation.
Input parameters
Scheduled report preview configuration containing organization ID and report display options.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_CREATE_SCHEDULED_REPORTSCreates a scheduled report in DNSFilter to automate regular delivery of network activity and security summaries. Use this to set up periodic reports that track web traffic, threats, and content filtering patterns for your organization. Required fields are organization_id and frequency. Optional settings include threat summaries, content category breakdowns, delivery schedules, and recipient lists. The scheduled report will be generated and sent automatically according to the specified frequency. Use this when you need regular visibility into network filtering activity without manual report generation.
Input parameters
Configuration details for the scheduled report including frequency, content options, and recipients. At minimum, you must provide organization_id and frequency.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_CREATE_USER_AGENT_BULK_DELETESCreate a user agent bulk delete operation in DNSFilter. Use when you need to delete multiple user agents at once based on explicit IDs or filter criteria. This action allows you to either: 1. Delete specific agents by providing their IDs in the 'ids' parameter 2. Delete agents matching filter criteria (agent_state, network_ids, tags, etc.) 3. Combine filters with exclude_ids to protect specific agents from bulk deletion The 'queue_uninstall' parameter determines deletion behavior: - True: Hard delete with agent uninstallation - False: Soft delete (agent deactivation) Common use cases: - Remove all unprotected agents from a specific network - Delete agents that haven't received traffic recently - Clean up agents with a specific version or status - Bulk remove agents by tags or organization
Input parameters
List of user agent IDs to delete. When provided, this overrides any lookups based on filter parameters. If empty or not provided, agents will be selected based on the filter parameters below.
Filter user agents by tags. Agents matching any of the specified tags will be included.
User agent type filter. Defaults to non-proxy/non-relay user agents if not specified.
Filter user agents by their online/offline state.
Search user agents by keywords (space-delimited). Searches across hostname and friendly name fields.
Filter user agents by status: active, disabled, or uninstalled.
Filter user agents by their assigned policy ID.
Filter user agents by their protection state: protected, unprotected, bypassed, or uninstalled.
List of user agent IDs to exclude from deletion when using filter parameters. This allows you to apply broad filters while protecting specific agents from deletion.
Search term to filter clients by hostname or friendly_name fields. Case-insensitive partial matching.
List of network IDs to filter user agents. If not specified, defaults to all networks.
Filter user agents by specific agent version string.
Filter user agents by the ID of their assigned block page.
Organization ID to filter user agents. Required when using filter parameters without explicit IDs.
Filter user agents by policy or schedule name.
If true, the operation will uninstall the agents (hard delete). If false, performs a soft delete. Determines whether agents are marked for uninstallation or just deactivated.
List of organization IDs to filter user agents across multiple organizations.
Filter user agents by their assigned scheduled policy ID.
Filter to include only agents that have received traffic in the last 15 minutes.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_CREATE_USER_AGENT_CLEANUPCreates a user agent cleanup to track bulk deletion of inactive user agents in DNSFilter. This action initiates a cleanup process that identifies and deletes user agents that have been inactive for a specified number of days across one or more organizations. The cleanup helps maintain an accurate inventory by removing stale agent entries that are no longer in use. Use cases: - Removing outdated agents from decommissioned devices - Cleaning up test agents after evaluation periods - Maintaining accurate license counts by removing inactive agents Returns details about the cleanup operation including which agents will be deleted and the status of the cleanup process.
Input parameters
Number of days an agent must be inactive to be included in the cleanup. For example, setting this to 30 will target agents that have not been active for 30 or more days.
List of organization IDs to perform cleanup on. Use LIST_ORGANIZATIONS action to retrieve valid organization IDs. The cleanup will identify and delete inactive user agents across the specified organizations.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_DELETE_API_KEYTool to remove an API key by its ID. Use when you need to revoke or delete an existing API key from the DNSFilter system. Returns success on 204 No Content.
Input parameters
The unique ID of the API key to delete.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_DELETE_IP_ADDRESSRemoves an IP address from DNSFilter by its unique ID. Use this action when you need to unregister an IP address from a network, such as when decommissioning equipment or removing access.
Input parameters
The unique identifier of the IP address to delete. Use LIST_IP_ADDRESSES or GET_IP_ADDRESS actions to retrieve valid IP address IDs.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_DELETE_MAC_ADDRESSDeletes a MAC address entry from DNSFilter by its ID. Use this action when you need to remove a MAC address from your network filtering configuration. You must provide the numeric ID of the MAC address to delete. The action returns the deleted resource information in JSON:API format, including the ID, type, and UUID of the removed MAC address.
Input parameters
The unique ID of the MAC address to delete. Use the List All MAC Addresses or List MAC Addresses action to find valid MAC address IDs.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_DELETE_NETWORKS_BULKBulk destroy multiple networks in DNSFilter. Use when you need to delete multiple networks at once or all networks in an organization.
Input parameters
Comma-delimited list of network IDs to delete (e.g., '10626258,10626259') or the keyword 'all' to delete all networks. When using 'all', the organization_id parameter is required.
Organization ID. This parameter is required when ids is set to 'all' to specify which organization's networks should be deleted. Not needed when specific network IDs are provided.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_DELETE_POLICIESDeletes a DNS filtering policy from DNSFilter by its unique ID. Use this action when you need to remove a policy that is no longer needed. Note that the API performs a soft deletion, setting a deleted_at timestamp on the policy record.
Input parameters
The unique ID of the policy to delete. Use the List Policies action to find valid policy IDs.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_DELETE_SCHEDULED_POLICIESRemoves a scheduled policy from the DNSFilter database by its unique ID. Use this action when you need to delete a scheduled policy that is no longer needed or was created in error.
Input parameters
The unique ID of the scheduled policy to delete. Use the List Scheduled Policies action to find valid scheduled policy IDs.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_DELETE_SCHEDULED_REPORTTool to delete a scheduled report by its ID. Use when you need to remove a scheduled report from the DNSFilter system. Returns the deleted report data.
Input parameters
The unique ID of the scheduled report to delete.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_API_KEYSTool to retrieve detailed information about a specific API key by its ID. Use when you need to display or verify the details of an existing API key.
Input parameters
The unique identifier of the API key to retrieve.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_APPLICATION_CATEGORYRetrieves detailed information about a specific DNSFilter application category by its ID. Application categories group applications for filtering policies (e.g., Business, VPN And Proxy, GenAI & ML). Use LIST_APPLICATION_CATEGORIES to discover available category IDs first.
Input parameters
The unique identifier of the application category to retrieve. Use LIST_APPLICATION_CATEGORIES to get valid IDs.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_BILLING_ADDRESSRetrieves the billing address for a specific DNSFilter organization. Use when you need to access or verify billing contact information, shipping addresses, or organization location details for invoicing purposes.
Input parameters
The unique identifier of the organization to retrieve billing address for.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_BILLING_INFORMATIONRetrieves billing records for a specific DNSFilter organization. Returns a list of billing records including amounts, payment status, and billing periods. Returns an empty list if no billing records exist for the organization. Use this when you need to access billing history, verify payment status, or generate billing reports.
Input parameters
Unique identifier of the organization. Can be either the numeric ID or UUID format.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_CATEGORYTool to get basic information of a specific category. Use when you need to retrieve details for a category by its ID.
Input parameters
Unique identifier of the category to retrieve
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_IP_ADDRESSRetrieves detailed information for a specific IP address record by its ID. Use this action when you need to fetch complete metadata, network relationships, and attributes for a particular IP address that you've already identified (e.g., from the List IP Addresses action). The response includes the IP address in both short and full notation, along with associated network and organization IDs.
Input parameters
The unique ID of the IP address record to retrieve (e.g., from the List IP Addresses action).
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_MAC_ADDRESSRetrieves detailed information for a specific MAC address record by its ID. Use this action when you need to fetch complete metadata and attributes for a particular MAC address that you've already identified (e.g., from the List MAC Addresses action). The response includes the MAC address value, name/label, organization and location associations, and timestamps in JSON:API format.
Input parameters
The unique ID of the MAC address record to retrieve (e.g., from the List MAC Addresses action).
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_METRICS_ORGANIZATION_USAGERetrieves usage metrics for a DNSFilter organization over a specified date range. Returns DNS query counts, user statistics, and billing information. The maximum allowed date range is 365 days. Use this when you need to analyze organization activity, generate usage reports, or monitor DNS request volumes.
Input parameters
End date for the usage metrics in ISO 8601 format (YYYY-MM-DD). The maximum date range is 365 days.
Start date for the usage metrics in ISO 8601 format (YYYY-MM-DD). The maximum date range is 365 days.
Unique identifier of the organization. Obtain this from the List Organizations action.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_METRICS_ORGANIZATION_USAGE_DETAILEDRetrieves detailed usage metrics for a specific DNSFilter organization. Use this when you need comprehensive usage statistics including user counts, WiFi networks, roaming clients, and DNS request volumes for a given time period. This endpoint fetches user_count and wifi_count directly from the database and includes roaming client counts.
Input parameters
Organization ID to retrieve usage metrics for.
End date for the usage period in ISO8601 format (e.g., "2023-12-31"). If not provided, defaults to the current date.
Start date for the usage period in ISO8601 format (e.g., "2023-12-01"). If not provided, defaults to the beginning of the current billing period.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_MY_IP_ADDRESSTool to retrieve the requester's IP address as reported by DNSFilter API. Use when you need to determine the public IP address from which API requests are being made.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_NETWORKS_BULK_CREATETool to check the status of a bulk network creation job. Use when you need to monitor the progress or completion of a bulk network creation operation, or to retrieve the results (successful, failed, and skipped counts) of a completed bulk job.
Input parameters
The unique ID of the bulk create job to check status on. This ID is returned when you initiate a bulk network creation operation.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_NETWORKS_BULK_DESTROYCheck the status of a bulk network destroy operation. Use this action after initiating a bulk destroy to monitor progress and see which networks were successfully destroyed, failed, or skipped.
Input parameters
The ID of the bulk destroy job to check status on (UUID format). This ID is returned when initiating a bulk destroy operation.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_NETWORKS_BULK_UPDATE_STATUSCheck the status of a bulk network update job. Use this action to monitor the progress and results of a bulk update operation after initiating it. The response indicates completion status, success/failure counts, and IDs of affected networks.
Input parameters
The ID of the bulk update job to check status on. This ID is returned when you create a bulk update job.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_NETWORKS_CSV_EXPORTRetrieves a networks CSV export by its ID. Use this action when you need to check the status of a CSV export or get the download URL for the exported data.
Input parameters
The unique ID of the network CSV export to retrieve.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_NOTESTool to retrieve notes associated with a specific resource (policy, MSP, or organization) and domain. Use when you need to fetch allow/block notes for a particular domain within a given resource context.
Input parameters
The unique identifier of the resource (policy ID, MSP ID, or organization ID).
The domain name to retrieve notes for (e.g., 'example.com', 'google.com').
The resource type to retrieve notes for. Valid values: policies, msps, or organizations.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_ORGANIZATIONTool to get basic information of a specific organization by ID. Use when you need to retrieve detailed organization configuration, billing details, feature flags, and network relationships for a particular organization.
Input parameters
Organization ID to retrieve
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_ORGANIZATIONS_USERSTool to retrieve user details and permissions for a specific organization. Use when you need to fetch information about a particular user within an organization, including their role, contact details, and permission settings.
Input parameters
The ID of the user to return
The ID of the organization to search
Return user's authentication providers if true (default: false)
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_POLICIESTool to get basic information of the specified policy. Use when you need to retrieve details for a specific policy by its ID.
Input parameters
The unique ID of the policy to retrieve.
Include relationships in the response. Defaults to true.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_POLICIES_PERMISSIVE_MODETool to retrieve the permissive mode setting for a specific policy. Use when you need to check if a policy has permissive mode enabled or disabled.
Input parameters
The unique ID of the policy to retrieve permissive mode for.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_POLICY_IPRetrieves basic information for a specific Policy IP by its ID. Use this action when you need to fetch DNS server IP addresses (primary and secondary) associated with a particular policy. The response includes the Policy IP's UUID and the DNS server addresses that can be used for DNS filtering.
Input parameters
The unique ID of the Policy IP to retrieve.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_SCHEDULED_REPORT_PREVIEWSTool to retrieve a specific scheduled report preview by its ID. Use when you need to view the preview data for a scheduled report before it's sent.
Input parameters
The unique identifier of the scheduled report preview to retrieve.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_USERTool to get basic information of a specified user by ID. Use when you need to retrieve user details such as email, name, role, and verification status.
Input parameters
The unique identifier of the user to retrieve.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_USER_AGENT_CLEANUPTool to get the specific user agent cleanup by ID. Use when you need to retrieve the status and details of a user agent cleanup process, including which agents are marked for deletion and whether the cleanup has completed.
Input parameters
Id of user agent cleanup
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_USER_AGENT_CSV_EXPORTSTool to retrieve a specific user agent CSV export by its ID. Use when you need to check the status of a CSV export and obtain the download URL once ready.
Input parameters
ID of the user agent CSV export to retrieve
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_GET_USER_AGENTS_UNINSTALL_PINTool to get the uninstall PIN for an organization's user agents. Use when you need to retrieve the PIN required to uninstall user agents protected by PIN authentication.
Input parameters
Organization ID to get the uninstall PIN for
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_ALL_AGENT_LOCAL_USERSGet all agent local users associated with a user organization. Returns basic information about agent local users including their IDs, types, and relationships. Use filters to narrow results by collection membership, name, or organization.
Input parameters
Filter by name. If friendly_name not found, will search by user_name
Sort options, valid attributes: name
Number of items per page. Maps to page\[size\] in the API
Page number for pagination. Maps to page\[number\] in the API
Filter by agent local users in a collection
Organization IDs to filter by, defaults to user organization ID
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_ALL_BLOCK_PAGESRetrieves all block pages associated with the current user. Block pages are custom HTML pages displayed when users attempt to access blocked websites. Use this when you need a complete list of all configured block pages without pagination.
Input parameters
Filter block pages by organization ID
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_ALL_IP_ADDRESSESRetrieves all IP addresses across all networks in your organization. This tool automatically handles pagination to fetch complete results. Use this when you need a comprehensive list of all IP address entries without filtering.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_API_KEYSRetrieves the list of API keys associated with the authenticated user. Use this to view all API keys, check their expiration status, or filter by specific criteria such as name or organization. Supports filtering by expiration, ID, name, organization, and last four characters of the token.
Input parameters
Filter by API key ID. Returns only the API key with this specific ID.
Filter by API key name. Returns keys matching this name.
Filter by expiration status. Set to true to return only expired keys, false for non-expired keys. If not specified, returns all keys.
Filter by last four characters of the API key token. Useful for identifying a specific key.
Filter by organization ID. Returns API keys associated with this organization.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_APPLICATION_CATEGORIESRetrieves all available application categories from DNSFilter. Application categories group SaaS applications and services (e.g., Business, Messaging, File Sharing, VPN And Proxy) and are used to apply filtering policies. Returns a list of categories with their IDs, names, UUIDs, and descriptions. Use this to discover available categories before configuring policies or filtering rules.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_APPLICATIONS_ALLTool to list all applications basic information including deleted ones. Use when you need a comprehensive list of all application entries without filtering out deleted applications.
Input parameters
Number of records per page to return. If not specified, the API determines the default page size.
Page number to retrieve (1-indexed). If not specified, returns the first page.
Category IDs to filter applications by. If not specified, returns applications from all categories.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_BILLINGRetrieve payment method information from Stripe for a DNSFilter organization. Returns details about the registered payment method including card information, billing address, and expiration dates. Returns empty response if no payment method is configured. Use this when you need to verify payment method setup or check billing details.
Input parameters
User organization ID. Obtain this from the List Organizations action.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_CATEGORIES_ALLTool to list all categories including internal categories from DNSFilter. Returns comprehensive category information with pagination support. Use when you need the complete set of categories including system/internal categories.
Input parameters
Pagination parameters for listing categories.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_CURRENT_USERTool to fetch information about the currently authenticated user. Use when you need to retrieve the profile details of the user associated with the current API credentials, including their name, email, and contact information.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_DICTIONARY_CYBER_SIGHT_ACTIVITY_TYPESTool to retrieve all available CyberSight activity types. Use when you need the complete dictionary of activity types for CyberSight reports.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_DOMAINS_BULK_LOOKUPRetrieves domain information and category classifications for multiple FQDNs in a single request. Use this action to perform bulk lookups of domain categories and classifications. This is useful when you need to check the category status of multiple domains at once, rather than making individual requests for each domain. The response includes category information and other domain attributes for each requested FQDN.
Input parameters
Comma-separated list of fully qualified domain names (FQDNs) to lookup. Each FQDN should be a valid domain name format (e.g., 'google.com,facebook.com,amazon.com').
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_DOMAINS_USER_LOOKUPTool to look up all domains associated with a particular FQDN. Returns domain information including category classification, identifiers, and related metadata. Use when you need to retrieve domain details or check the categorization status of a specific fully qualified domain name.
Input parameters
Fully Qualified Domain Name (FQDN) to lookup, e.g., 'google.com' or 'example.org'
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_ENTERPRISE_CONNECTIONSList all enterprise connections for a DNSFilter organization. Use this to retrieve information about external identity provider integrations and enterprise authentication connections configured for the specified organization.
Input parameters
Organization ID to retrieve enterprise connections for
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_INVOICESRetrieves billing invoices for a DNSFilter organization with pagination and sorting support. Returns invoice details including amounts, statuses, creation dates, and due dates. Use this when you need to view billing history, check payment status, or retrieve invoice information for accounting purposes.
Input parameters
Page number for pagination. Must be >= 1.
Field to sort by (e.g., 'created_at', 'amount', 'status'). If not specified, API uses its default sorting.
Number of results per page. Must be >=1.
Sort direction: 'asc' (ascending/oldest first) or 'desc' (descending/newest first). If not specified, API uses its default.
The unique identifier of the DNSFilter organization. Obtain this from the List Organizations action.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_IP_ADDRESSES_ALLTool to retrieve all user-associated IP addresses with basic information. Use when you need to get the complete list of IP addresses using the dedicated /all endpoint with optional pagination.
Input parameters
Number of items per page (default: 1500, max: 1500). Maps to page\[size\] in the API.
Page number for pagination (default: 1). Maps to page\[number\] in the API.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_MAC_ADDRESSESTool to list MAC addresses associated with an organization. Use when you need to retrieve basic MAC address information, optionally filtered by organization or paginated.
Input parameters
Number of items per page
Page number for pagination (1-based)
Filter MAC addresses by organization ID
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_NETWORKS_ALLTool to retrieve ALL networks associated with the user with basic information. Use when you need a comprehensive list of all networks with optional filtering by protection status or search terms. Supports pagination and various options to control the level of detail returned.
Input parameters
Search for the given value among the network name, hostname, ip address, etc.
Number of results per page
Filter networks with assigned policy
Return most basic Network Info only. Defaults to False
Page number for pagination
Filter networks without assigned policy
Return count of IP Addresses. Defaults to False
Return Network info without IP Addresses. Defaults to False
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_NETWORKS_GEOTool to retrieve networks with geographical information only. Use when you need location data (latitude, longitude, physical address) for networks in your DNSFilter organization. This action returns a simplified view focused on network location data without full configuration details.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_NETWORKS_MSP_ALLTool to retrieve ALL networks associated with the MSP user with basic information. Use when you need a comprehensive list of all MSP-managed networks for a specific organization ID. Supports pagination and various options to control IP address details.
Input parameters
Number of results per page
Filter networks with assigned policy
Page number for pagination
Filter networks without assigned policy
Organization ID to retrieve networks for
Return count of IP Addresses. Defaults to False
Return Network info without IP Addresses. Defaults to False
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_NETWORK_SUBNETSTool to retrieve subnets associated with a specific network. Use when you need to get subnet information for a particular network ID.
Input parameters
Page number for pagination (default: 1). Maps to page\[number\] in the API.
Number of items per page. Maps to page\[size\] in the API.
Network ID to retrieve subnets for
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_ORGANIZATIONS_ALLTool to get all organizations with optional filtering by type, MSP relationships, or name. Use when you need to retrieve organizations with specific criteria or pagination. Supports filtering by organization type (normal, msp, sub_organization), MSP ownership, and name patterns.
Input parameters
Filter organizations by name using case-insensitive pattern matching
Pagination parameters for the request.
Organization type values.
Return only basic organization information (true) or full details (false). Defaults to false.
Filter to return only parent organizations whose MSP ID matches this value
Filter to return only MSP sub-organizations whose MSP ID matches this value
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_ORGANIZATIONS_SETTINGSTool to get basic information and settings of the specified organization. Use when you need to retrieve organization configuration, settings, or details.
Input parameters
Filter organizations by name. Partial matches may be supported.
MSP ID to set scope for the request. Filter organizations by MSP.
Organization ID to set scope for the request. Filter to a specific organization.
Multiple organization IDs to set scope. Comma-separated list of organization IDs.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_ORGANIZATIONS_USERSTool to get the users for a specified organization. Use when you need to retrieve a list of all users associated with an organization, including their roles, permissions, and authentication details.
Input parameters
The ID of the organization to search
Return user's authentication providers if true (default: false)
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_POLICIESTool to retrieve basic information about user-associated policies. Use when you need to list all available policies for filtering configuration or policy management tasks.
Input parameters
Filter policies by organization ID
Include global policies in the listing
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_POLICIES_ALLTool to retrieve ALL user-associated policies with basic information. Use when you need a comprehensive list of all policies associated with the user account, with optional filtering by organization or inclusion of global policies. Supports pagination for large datasets.
Input parameters
Number of results per page
Page number for pagination
Organization ID to filter policies by organization
Include global policies in the listing
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_POLICIES_APPLICATIONTool to retrieve policies information for a specific application. Use when you need to see which policies allow or block a particular application, along with application and organization details.
Input parameters
Name or partial name of a policy to query
List of specific policy IDs to retrieve
Application ID to retrieve policies for
Organization ID
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_POLICY_IPSList policy IPs in your DNSFilter organization. Retrieves basic information about user-associated policy IPs including their DNS server addresses (primary and secondary). Use when you need to view all available policy IP configurations for DNS filtering.
Input parameters
Page number for pagination (default: 1). Maps to page\[number\] in the API.
Number of items per page (default: 1500, max: 1500). Maps to page\[size\] in the API.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_QP_METHODSTool to list all QP (Query Protection) methods available in DNSFilter. Use when you need to retrieve the dictionary of query protection methods.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_SCHEDULED_POLICIES_ALLTool to retrieve ALL scheduled policies associated with the current user. Use when you need a comprehensive list of all time-based policies with pagination support.
Input parameters
Number of results per page
Page number for pagination
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_QPSGet queries per second (QPS) metrics for DNS traffic over a specified time period. Returns time-series data showing DNS query volume aggregated by configurable time buckets (1 minute, 15 minutes, or 1 day). Use this to analyze traffic patterns, identify peak usage times, and monitor DNS query volumes. Supports extensive filtering by networks, organizations, agents, applications, IP addresses, and traffic type (allowed/blocked/threats).
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
MSP ID to filter by. Only applicable for MSP accounts.
Comma separated list of desired traffic sources to include in the report. Options: all, networks, agents, proxies. Defaults to all if not specified.
Comma separated list of NAT IPs to filter by. Valid values are integers from 101 to 106. Defaults to all if not specified.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for report aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report results by network ID. When true, results are broken down by individual networks. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_QPS_ACTIVE_AGENTSGet queries per second (QPS) statistics for roaming clients over a time period. Returns the total number of DNS queries per second for active agents (roaming clients) with optional filtering by agent, organization, application, network, and other criteria. The maximum time range is 20 minutes. Use this action to monitor real-time DNS query loads and analyze traffic patterns for roaming clients.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not provided or format is not recognized. Maximum time range is 20 minutes.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not provided or format is not recognized. Maximum time range is 20 minutes.
Type of traffic report to retrieve.
Traffic source types for filtering.
Comma separated list of NAT IPs to filter by (valid integer list from 101 to 106). If not specified, returns data for all NAT IPs.
Comma separated list of local user IDs to filter by. If not specified, returns data for all users.
Comma separated list of user agent UUIDs to filter by. If not specified, returns data for all agents.
Filter by specific private LAN IP address.
Comma separated list of user agent types to filter by. If not specified, returns data for all agent types.
Comma separated list of network IDs to filter by. If not specified, returns data for all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, returns data for all MAC addresses.
Private LAN IP range upper limit. Use together with private_ip_from to specify an IP range.
Comma separated list of collection IDs to filter by. If not specified, returns data for all collections.
Comma separated list of application IDs to filter by. If not specified, returns data for all applications.
Private LAN IP range lower limit. Use together with private_ip_to to specify an IP range.
Filter by security threats. Set to true for threats only, false for non-threats only, or omit for both threats and non-threats.
Comma separated list of organization IDs to filter by. Defaults to user's organization ID if not specified.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_QPS_ACTIVE_COLLECTIONSTool to retrieve queries per second (QPS) metrics for active collections over a specified time period. Returns the total number of DNS queries per second grouped by collections. The maximum time range is 20 minutes. Use this to monitor query volume and traffic patterns across different collections in your DNSFilter organization.
Input parameters
Report UTC upper limit, format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not provided or if format is not recognized. Maximum time range is 20 minutes.
Report UTC lower limit, format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not provided or if format is not recognized. Maximum time range is 20 minutes.
Type of traffic report filtering.
Source of traffic for the report.
Comma separated list of NAT IPs. Defaults to all NAT IPs if not specified. Valid integer list from 101 to 106.
Comma separated list of local user IDs. Defaults to all users if not specified.
Comma separated list of user agent UUIDs. Defaults to all agents if not specified.
Private LAN IP address to filter by.
Comma separated list of user agent types. Defaults to all types if not specified.
Comma separated list of network IDs. Defaults to all networks if not specified.
Comma separated list of MAC addresses (without colons) or filter values. Defaults to all MAC addresses if not specified.
Private LAN IP range upper limit.
Comma separated list of collection IDs. Defaults to all collections if not specified.
Comma separated list of application IDs. Defaults to all applications if not specified.
Private LAN IP range lower limit.
Filter by threats: true for threats only, false for non-threats only. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs. Defaults to user organization ID if not specified.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_QPS_ACTIVE_ORGANIZATIONSRetrieves the total number of queries per second (QPS) over a time period for active organizations. Use this action to analyze DNS query traffic patterns and volume for organizations. The maximum time range is 20 minutes between the from and to parameters.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not provided or format is not recognized. Maximum time range is 20 minutes.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not provided or format is not recognized. Maximum time range is 20 minutes.
Type of traffic report.
MSP (Managed Service Provider) ID to filter by.
Traffic source types for filtering.
Comma separated list of NAT IPs. Valid integer list from 101 to 106. Defaults to all if not provided.
Comma separated list of local user IDs to filter by. Defaults to all if not provided.
Comma separated list of user agent UUIDs to filter by. Defaults to all if not provided.
Private LAN IP address to filter by.
Comma separated list of user agent types to filter by. Defaults to all if not provided.
Comma separated list of network IDs to filter by. Defaults to all if not provided.
Comma separated list of MAC addresses (without colons) or filter values. Defaults to all if not provided.
Private LAN IP range upper limit for filtering.
Comma separated list of collection IDs to filter by. Defaults to all if not provided.
Comma separated list of application IDs to filter by. Defaults to all if not provided.
Private LAN IP range lower limit for filtering.
Filter for threats report. Set to true for threats only, false for non-threats only, or omit for both threats and non-threats.
Comma separated list of organization IDs to filter by. Defaults to user organization ID if not provided.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_QPS_ACTIVE_USERSGet the total number of queries per second (QPS) in a time period (maximum 20 minutes) for active users. Use this to monitor traffic patterns and identify high-activity users. Supports filtering by user agents, networks, organizations, IP addresses, and traffic types (allowed/blocked/threats).
Input parameters
Report UTC upper limit, format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ, defaults to current UTC datetime or if format is not recognized
Report UTC lower limit, format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ, defaults to current UTC datetime minus 1 day or if format is not recognized
Type of traffic report.
Traffic source types.
Comma separated list of NAT IPs, defaults to all (valid integer list from 101 to 106)
Comma separated list of local user IDs, defaults to all
Comma separated list of user agent UUIDs, defaults to all
Private LAN IP
Comma separated list of user agent types, defaults to all
Comma separated list of networks IDs, defaults to all
Comma separated list of MAC addresses (without colons) or filter values, defaults to all
Private LAN IP range, upper limit
Comma separated list of collection IDs, defaults to all
Comma separated list of application IDs, defaults to all
Private LAN IP range, lower limit
Threats report true/false, *both* (threats and non-threats) if it is empty or not sent
Comma separated list of organization IDs, defaults to user organization ID
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_QUERY_LOGSGet query raw logs from DNSFilter traffic reports in a specified period of time. Use this to retrieve detailed DNS query logs with extensive filtering options including time range, domains, networks, user agents, IP addresses, and query results (allowed/blocked). Supports pagination for large result sets.
Input parameters
Report UTC upper limit, format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ, defaults to current UTC datetime or if format is not recognized
Search for FQDNs that contains this value
Report UTC lower limit, format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ, defaults to current UTC datetime minus 1 day or if format is not recognized
Page number for pagination (defaults to 1)
Only search for domains that starts with this value
Filter for the type of query results to retrieve.
Filter for traffic source types.
Comma separated list of NAT IPs, defaults to all (valid integer list from 101 to 106)
User local ID to filter by
User agent UUID to filter by
Comma separated list of User local IDs
Comma separated list of User agent UUIDs
Number of items per page (defaults to 10, maximum 100)
Network ID to filter by
Private LAN IP to filter by
Comma separated list of networks IDs
Comma separated list of category IDs, defaults to all
Collection ID to filter by
Comma separated list of MAC addresses (without colons) or filter values, defaults to all
Private LAN IP range, upper limit
Question Type of queries, defaults to all
Comma separated list of Collection IDs
Comma separated list of application IDs, defaults to all
Organization ID, defaults to user organization ID
Private LAN IP range, lower limit
Threats report true/false, *both* (threats and non-threats) if it is empty or not sent
Comma separated list of application category IDs, defaults to all
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOP_AGENTSGet the top user agents by DNS traffic volume in a specified time period. Returns ranked list of agents with associated traffic metrics. Use this to identify most active agents, analyze agent-level usage patterns, and monitor individual device or user traffic. Supports filtering by agent attributes, networks, organizations, IP addresses, and traffic type. Results are paginated for large datasets.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Only user agents whose name contains this value will be included in the results. Case-insensitive substring match.
Page number for pagination (defaults to 1).
Number of records per page (defaults to 10, maximum 100).
Type of traffic report to generate.
MSP ID to filter by. Only applicable for MSP accounts.
Traffic source options for filtering.
Comma separated list of NAT IPs to filter by. Valid values are integers from 101 to 106. Defaults to all if not specified.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOP_APPLICATION_CATEGORIESGet the top application categories domains in a period of time. Returns a paginated list of application categories ranked by DNS query volume, with support for filtering by networks, organizations, agents, time range, and traffic type. Use this to analyze which application categories (e.g., social media, streaming, productivity) are most frequently accessed in your network.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Filter to only include applications whose name contains this value.
Pagination information for the request.
Type of traffic report to generate.
MSP ID to filter by. Only applicable for MSP accounts.
Comma separated list of desired traffic sources to include in the report. Options: all, networks, agents, proxies. Defaults to all if not specified.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Security report filter options.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOP_CATEGORIESGet the top domain categories accessed during a specified time period. Returns category-level statistics showing which website categories (e.g., Social Networking, News, Streaming) are most frequently accessed. Use this to understand browsing patterns, identify potential policy needs, and analyze category-level traffic trends across your organization.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Filter to include only categories whose name contains this value (case-insensitive substring match).
Page number to retrieve (defaults to 1 if not specified).
Number of records per page to return (defaults to 10, maximum 100).
Type of traffic report to generate.
MSP ID to filter by. Only applicable for MSP accounts.
Traffic source options for filtering.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Security report filter options.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOP_COLLECTIONSTool to retrieve the top collections by traffic volume over a specified time period. Returns collection-level metrics showing which collections have the most DNS query activity. Use this to identify the most active collections in your DNSFilter organization and analyze traffic distribution across collections.
Input parameters
Report UTC upper limit, format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not provided or if format is not recognized.
Report UTC lower limit, format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not provided or if format is not recognized.
Only local users whose name contains this value will be included in the report.
Type of traffic report filtering.
MSP ID for filtering. Only applicable for MSP accounts.
Source of traffic for the report.
Comma separated list of NAT IPs. Defaults to all NAT IPs if not specified. Valid integer list from 101 to 106.
Comma separated list of local user IDs. Defaults to all users if not specified.
Comma separated list of user agent UUIDs. Defaults to all agents if not specified.
Number of items per page for pagination. Defaults to 10 if not specified, maximum is 100. Maps to page\[size\] in the API.
Private LAN IP address to filter by.
Comma separated list of user agent types. Defaults to all types if not specified.
Comma separated list of network IDs. Defaults to all networks if not specified.
Page number for pagination. Defaults to 1 if not specified. Maps to page\[number\] in the API.
Comma separated list of MAC addresses (without colons) or filter values. Defaults to all MAC addresses if not specified.
Private LAN IP range upper limit.
Comma separated list of collection IDs. Defaults to all collections if not specified.
Comma separated list of application IDs. Defaults to all applications if not specified.
Private LAN IP range lower limit.
Filter by threats: true for threats only, false for non-threats only. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs. Defaults to user organization ID if not specified.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOP_DOMAINSGet the top requested domains over a specified time period. Returns a list of the most frequently queried domains with request counts, helping identify popular sites, potential issues, or security concerns. Use this to analyze domain access patterns, monitor bandwidth usage, and detect anomalous traffic. Supports extensive filtering by networks, organizations, agents, applications, IP addresses, and traffic type (allowed/blocked/threats). Results are paginated and can be filtered by domain prefix or FQDN substring.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Search for fully qualified domain names (FQDNs) that contain this value. Used for substring matching within domains.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Page number for pagination. Defaults to 1 if not specified.
Type of traffic report to retrieve.
Only search for domains that start with this value. Used for domain prefix filtering.
MSP ID to filter by. Only applicable for MSP accounts.
Traffic source types for filtering.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Number of items per page. Defaults to 10 if not specified. Maximum value is 100.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of category IDs to filter by. If not specified, defaults to all categories.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Security report filter options.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOP_NETWORKSGet the top networks ranked by DNS traffic volume over a specified time period. Returns network traffic metrics showing which networks generated the most DNS queries. Use this to identify high-traffic networks, monitor network activity levels, and analyze traffic distribution across your organization.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Only networks whose name contains this value will be included in the results.
Pagination information for page parameter.
Type of traffic report to generate.
Traffic source options for filtering.
Comma separated list of NAT IPs to filter by. Valid values are integers from 101 to 106. Defaults to all if not specified.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOP_ORGANIZATIONSGets the top organizations by DNS traffic volume over a specified time period. Use this action to identify which organizations are generating the most DNS queries. Supports pagination and extensive filtering by time range, networks, agents, applications, IP addresses, and traffic type.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not provided or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not provided or format is not recognized.
Filter for organizations whose name contains this value (and are included in the organization_ids list).
Page number for pagination. Defaults to 1 if not provided.
Number of results per page. Defaults to 10, maximum 100.
Type of traffic report.
Traffic source types for filtering.
Comma separated list of NAT IPs. Valid integer list from 101 to 106. Defaults to all if not provided.
Comma separated list of local user IDs to filter by. Defaults to all if not provided.
Comma separated list of user agent UUIDs to filter by. Defaults to all if not provided.
Private LAN IP address to filter by.
Comma separated list of user agent types to filter by. Defaults to all if not provided.
Comma separated list of network IDs to filter by. Defaults to all if not provided.
Comma separated list of MAC addresses (without colons) or filter values. Defaults to all if not provided.
Private LAN IP range upper limit for filtering.
Comma separated list of collection IDs to filter by. Defaults to all if not provided.
Comma separated list of application IDs to filter by. Defaults to all if not provided.
Private LAN IP range lower limit for filtering.
Filter for threats report. Set to true for threats only, false for non-threats only, or omit for both threats and non-threats.
Comma separated list of organization IDs to filter by. Defaults to user organization ID if not provided.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOP_ORGANIZATIONS_REQUESTSGet the top organizations ranked by total number of DNS requests over a specified time period. Returns organizations with the highest request volumes, useful for identifying most active organizations and analyzing usage patterns. Results are paginated with configurable page size (max 100 per page).
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not provided or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not provided or format is not recognized.
Page number for pagination. Defaults to 1 if not provided.
Number of results per page. Defaults to 10 if not provided. Maximum is 100.
MSP ID to filter by. Only applicable for MSP accounts.
Bucket size options for traffic report time aggregation.
Organization ID to filter by. Defaults to user's organization ID if not provided.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOP_USERSGet the top users by DNS query volume over a specified time period. Returns user activity metrics showing which users generated the most DNS traffic, with support for pagination and extensive filtering. Use this to identify high-volume users, analyze user behavior patterns, and monitor individual user activity across networks and organizations.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Filter to only include local users whose name contains this value. Case-insensitive partial match.
Pagination parameters for traffic reports.
Type of traffic report to generate.
MSP ID to filter by. Only applicable for MSP accounts.
Comma separated list of desired traffic sources to include in the report. Options: all, networks, agents, proxies. Defaults to all if not specified.
Comma separated list of NAT IPs to filter by. Valid values are integers from 101 to 106. Defaults to all if not specified.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_APPLICATIONS_STATSGet statistics of number of requests by application in a time period. Returns aggregated data showing how many requests were made to each application, useful for understanding traffic patterns and application usage across your DNSFilter deployment. Use when you need to analyze application-level traffic patterns or generate usage reports.
Input parameters
Report UTC upper limit. Format: YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. If not specified or format is not recognized, defaults to current UTC datetime.
Report UTC lower limit. Format: YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. If not specified or format is not recognized, defaults to current UTC datetime minus 1 day.
Filter to only include applications whose display name contains this value (case-insensitive substring match).
Report type options.
MSP (Managed Service Provider) ID to filter results by specific MSP.
Traffic source types.
Comma separated list of NAT IPs. Valid values are integers from 101 to 106. If not specified, defaults to all NAT IPs.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs. If not specified, defaults to all agents.
Filter by a specific private LAN IP address.
Comma separated list of user agent types. If not specified, defaults to all agent types.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values. If not specified, defaults to all MAC addresses.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. Set to true for threats only, false for non-threats only, or leave empty/null for both threats and non-threats.
Comma separated list of organization IDs. If not specified, defaults to the user's organization ID.
Comma separated list of application category IDs to filter by. If not specified, defaults to all categories.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_APPS_AGENTS_STATSGet statistics of number of requests for roaming clients by application in a period of time. Returns aggregated request counts grouped by application for active agents (roaming clients) with optional filtering by agent, organization, application, network, and other criteria. Use this action to analyze which applications are generating the most DNS traffic from roaming clients.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not provided or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not provided or format is not recognized.
Filter to only include user agents whose name contains this value.
Type of traffic report to retrieve.
Comma separated list of desired traffic sources to filter by. Options are 'all', 'networks', 'agents', or 'proxies'. Defaults to all if not specified.
Comma separated list of NAT IPs to filter by. Valid integer list from 101 to 106. Defaults to all NAT IPs if not specified.
Comma separated list of local user IDs to filter by. Defaults to all users if not specified.
Comma separated list of user agent UUIDs to filter by. Defaults to all agents if not specified.
Filter by specific private LAN IP address.
Comma separated list of user agent types to filter by. Defaults to all agent types if not specified.
Comma separated list of network IDs to filter by. Defaults to all networks if not specified.
Comma separated list of MAC addresses (without colons) or filter values to filter by. Defaults to all MAC addresses if not specified.
Private LAN IP range upper limit. Use together with private_ip_from to specify an IP range.
Comma separated list of collection IDs to filter by. Defaults to all collections if not specified.
Comma separated list of application IDs to filter by. Defaults to all applications if not specified.
Private LAN IP range lower limit. Use together with private_ip_to to specify an IP range.
Filter by security threats. Set to true for threats only, false for non-threats only, or omit for both threats and non-threats.
Comma separated list of organization IDs to filter by. Defaults to user's organization ID if not specified.
Comma separated list of application category IDs to filter by. Defaults to all categories if not specified.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_APPS_COLLECTIONS_STATSGet statistics of number of requests for collections by application over a specified time period. Returns aggregated data showing how many DNS requests were made for each application within different collections. Use this to analyze application usage patterns across collections and understand which applications are generating the most traffic.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Only local users whose name contains this value will be included in the report.
Type of traffic report to generate.
Traffic source options for filtering.
Comma separated list of NAT IPs to filter by. Valid values are integers from 101 to 106. Defaults to all if not specified.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Comma separated list of application category IDs to filter by. If not specified, defaults to all application categories.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_APPS_NETWORKS_STATSGet statistics showing the number of requests for sites by application across networks over a specified time period. Use this to analyze application usage patterns and DNS query volumes per application across your network infrastructure. Supports extensive filtering by networks, organizations, agents, applications, application categories, IP addresses, and traffic type (allowed/blocked/threats).
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Filter to include only networks whose name contains this value.
Type of traffic report to generate.
Traffic source options for filtering.
Comma separated list of NAT IPs to filter by. Valid values are integers from 101 to 106. Defaults to all if not specified.
Comma separated list of local user IDs to filter by. Defaults to all if not specified.
Comma separated list of user agent UUIDs to filter by. Defaults to all if not specified.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. Defaults to all if not specified.
Comma separated list of network IDs to filter by. Defaults to all if not specified.
Comma separated list of MAC addresses (without colons) or filter values to filter by. Defaults to all if not specified.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. Defaults to all if not specified.
Comma separated list of application IDs to filter by. Defaults to all if not specified.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. Defaults to user organization ID if not specified.
Comma separated list of application category IDs to filter by. Defaults to all if not specified.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_APPS_ORGANIZATIONSTool to get statistics of number of requests for organizations by application in a period of time. Use when you need to analyze application usage patterns across different organizations within a specified time range.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not provided or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not provided or format is not recognized.
Only organizations whose name contains this value will be included in the report.
Type of traffic report.
MSP (Managed Service Provider) ID to filter by.
Traffic source types for filtering.
Comma separated list of NAT IPs. Valid integer list from 101 to 106. Defaults to all if not provided.
Comma separated list of local user IDs. Defaults to all if not provided.
Comma separated list of user agent UUIDs. Defaults to all if not provided.
Private LAN IP address to filter by.
Comma separated list of user agent types. Defaults to all if not provided.
Comma separated list of network IDs. Defaults to all if not provided.
Comma separated list of MAC addresses (without colons) or filter values. Defaults to all if not provided.
Private LAN IP range upper limit for filtering.
Comma separated list of collection IDs. Defaults to all if not provided.
Comma separated list of application IDs. Defaults to all if not provided.
Private LAN IP range lower limit for filtering.
Filter for threats report. Set to true for threats only, false for non-threats only, or omit for both threats and non-threats.
Comma separated list of organization IDs to filter by. Defaults to user organization ID if not provided.
Comma separated list of application category IDs. Defaults to all if not provided.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_APPS_USERS_STATSGet statistics of the number of requests for users by application within a specified time period. Returns detailed application usage data broken down by user, showing which users are accessing which applications and how frequently. Use this to understand application usage patterns across users, identify heavy application users, and analyze user-level application access trends.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Filter to include only local users whose name contains this value (case-insensitive substring match).
Type of traffic report to generate.
Traffic source options for filtering.
Comma separated list of NAT IPs to filter by. Valid integer list from 101 to 106. If not specified, defaults to all.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not provided or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Comma separated list of application category IDs to filter by. If not specified, defaults to all application categories.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_CATEGORIESGet the total number of requests by category for sites in a period of time. Returns aggregated statistics showing how many DNS requests were made to each website category during the specified time range. Use this to understand category-level traffic patterns and analyze DNS request volumes across different website categories.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
MSP ID to filter by. Only applicable for MSP accounts.
Traffic source options for filtering.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for report aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report results by network ID. When true, results are broken down by individual networks. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_CATEGORIES_AGENTSGet the total number of requests by category for roaming clients (user agents) during a specified time period. Use this to analyze category-level traffic patterns for roaming/mobile users, understand which website categories roaming users access most, and track security threats by category across your roaming user base.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
Traffic source options for filtering.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for time-based aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats, omit or null for both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report result by agent ID. If true, results are grouped by individual agents. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_CATEGORIES_COLLECTIONSGet the total number of DNS requests by category for collections over a specified time period. Returns aggregated statistics showing request counts grouped by website categories across collections. Use this to analyze category-level traffic patterns for collection-based deployments and identify browsing trends.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
Traffic source options for filtering.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for grouping results.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or None, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report result by collection ID. Set to True to see results broken down by individual collections. Defaults to False if not specified.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_CATEGORIES_ORGSGet the total number of DNS requests by category for organizations over a specified time period. Returns aggregated statistics showing how many requests were made to each category (e.g., Social Networking, News, Streaming) across one or more organizations. Use this to analyze category-level traffic distribution, understand which content types are most accessed, and track trends across organizational boundaries.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
Traffic source options for filtering.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for report aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report results by organization ID. When true, results are broken down by individual organizations. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_CATEGORIES_USERSGets the total number of DNS requests by category for users in a specified time period. Returns aggregated traffic data showing which content categories were accessed and by which users. Use this to analyze user browsing patterns, identify high-traffic categories, or generate security reports for a given time range.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of report to generate.
Traffic source types for filtering.
Comma separated list of local user IDs. Defaults to all users if not specified.
Comma separated list of user agent UUIDs. Defaults to all agents if not specified.
Private LAN IP address to filter by.
Comma separated list of user agent types. Defaults to all types if not specified.
Bucket size for grouping traffic data.
Comma separated list of network IDs. Defaults to all networks if not specified.
Comma separated list of MAC addresses (without colons) or filter values. Defaults to all if not specified.
Private LAN IP range upper limit. Use with private_ip_from to define a range.
Comma separated list of collection IDs. Defaults to all collections if not specified.
Comma separated list of application IDs. Defaults to all applications if not specified.
Private LAN IP range lower limit. Use with private_ip_to to define a range.
Filter by threats: true for threats only, false for non-threats only, omit for both.
Comma separated list of organization IDs. Defaults to user organization ID if not specified.
Group report result by user ID. Defaults to false if not specified.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_CATEGORY_STATSTool to get the total number of stats for a category in a period of time. Use when you need to analyze category-level request statistics including allowed, blocked, and threat requests within a specified time range.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not provided or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not provided or format is not recognized.
MSP (Managed Service Provider) ID to filter by.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of category IDs to filter by. If not specified, defaults to all categories.
Organization ID to filter by. If not specified, defaults to user organization ID.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_CLIENT_STATSGets the organization network, users and client stats from traffic reports. Returns total and active counts for sites, users, roaming clients, and relays. Use this when you need to understand the deployment scale and active usage of DNSFilter protection across an organization. Note: The time period between 'from' and 'to' parameters must not exceed 20 minutes.
Input parameters
Report UTC upper limit, format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not provided or format is not recognized. Note: The time period between 'from' and 'to' must not exceed 20 minutes.
Report UTC lower limit, format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not provided or format is not recognized. Note: The time period between 'from' and 'to' must not exceed 20 minutes.
MSP (Managed Service Provider) ID to filter statistics by. If not specified, statistics for all MSPs will be included.
Comma-separated list of network IDs to filter statistics by. Defaults to all networks if not specified.
Organization ID to filter statistics by. Defaults to the authenticated user's organization ID if not specified.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_COLLECTIONSGet the total number of DNS requests by collection for sites over a specified time period. Returns aggregated data showing how many requests were made for each collection, optionally grouped by network. Use this to analyze DNS query volume across collections and understand which collections are receiving the most traffic.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
Traffic source options for filtering.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for traffic report aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report results by network ID. When true, includes network_ids and network_names in the response. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_COLLECTIONS_AGENTSGet the total number of requests by collection for roaming clients over a specified time period. Returns aggregated request counts grouped by collection with support for extensive filtering by agents, organizations, networks, applications, IP addresses, and traffic type. Use this action to analyze DNS traffic patterns for roaming clients across different collections.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not provided or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not provided or format is not recognized.
Type of traffic report to retrieve.
Traffic source types for filtering.
Comma separated list of local user IDs to filter by. Defaults to all users if not specified.
Comma separated list of user agent UUIDs to filter by. Defaults to all agents if not specified.
Filter by specific private LAN IP address.
Comma separated list of user agent types to filter by. Defaults to all agent types if not specified.
Bucket size options for traffic report time aggregation.
Comma separated list of network IDs to filter by. Defaults to all networks if not specified.
Comma separated list of MAC addresses (without colons) or filter values to filter by. Defaults to all MAC addresses if not specified.
Private LAN IP range upper limit. Use together with private_ip_from to specify an IP range.
Comma separated list of collection IDs to filter by. Defaults to all collections if not specified.
Comma separated list of application IDs to filter by. Defaults to all applications if not specified.
Private LAN IP range lower limit. Use together with private_ip_to to specify an IP range.
Filter by security threats. Set to true for threats only, false for non-threats only, or omit for both threats and non-threats.
Comma separated list of organization IDs to filter by. Defaults to user's organization ID if not specified.
Group report results by agent ID. When true, results are broken down by individual roaming client agents. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_COLLECTIONS_ORGSGet the total number of DNS requests by collection for organizations over a specified time period. Returns aggregated data showing how many DNS requests were made for each collection within different organizations. Use this to analyze collection usage patterns across organizations and understand which collections are generating the most traffic.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
Comma separated list of desired traffic sources to include in the report. Options: all, networks, agents, proxies. Defaults to all if not specified.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for traffic report time aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report result by organization ID. If True, results are grouped by organization. Defaults to False.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_COLLECTIONS_USERSGet the total number of DNS requests by collection for users over a specified time period. Returns aggregated request counts grouped by collections and users, with support for time bucketing and extensive filtering. Use this to analyze collection-level traffic patterns per user, identify high-volume collections for specific users, and generate detailed usage reports across organizations.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
Comma separated list of desired traffic sources to include in the report. Options: all, networks, agents, proxies. Defaults to all if not specified.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for traffic reports.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report result by user ID. If True, breaks down results by individual users. Defaults to False.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_DEPLOYMENTSGets the organization deployments information including collections, relays, sync tools, user agents, and users. Use this to retrieve deployment metrics and statistics for an organization or filtered by MSP/networks.
Input parameters
MSP ID to filter deployments by. Only include if you need to filter by a specific MSP.
Comma separated list of network IDs to filter by. Defaults to all networks if not specified.
Organization ID to filter by. Defaults to the authenticated user's organization ID if not specified.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_DOMAIN_REQUESTSGet the total number of requests for a domain over a specified time period. Returns aggregate request counts for domains, helping analyze domain access patterns and traffic volumes. Supports filtering by domain prefix, networks, organizations, and MSP accounts.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Only search for domains that start with this value. Used for domain prefix filtering.
MSP ID to filter by. Only applicable for MSP accounts.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Organization ID to filter by. Defaults to user's organization ID if not specified.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_DOMAINSGet the total number of requests by domain for sites in a period of time. Returns aggregated statistics showing how many DNS requests were made to each domain during the specified time range. Use this to understand domain-level traffic patterns and analyze DNS request volumes across different domains.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
Only search for domains that start with this value. Used for domain prefix filtering.
Traffic source options for filtering.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for report aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of category IDs to filter by. If not specified, defaults to all categories.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report results by network ID. When true, results are broken down by individual networks. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_DOMAINS_COLLECTIONSTool to retrieve the total number of DNS requests by domain for collections within a specified time period. Use when you need to analyze which domains are being accessed most frequently, track collection-level traffic patterns, or generate domain usage reports. Supports extensive filtering by agents, networks, organizations, collections, time ranges, and traffic types (allowed/blocked). Results can be grouped by individual collections or aggregated across all collections.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is invalid.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is invalid.
Type of report filter.
Filter to only search for domains that start with this value. Partial domain matching from the beginning.
Traffic source options.
Comma separated list of user IDs to filter by. Defaults to all users if not specified.
Comma separated list of user agent UUIDs to filter by. Defaults to all agents if not specified.
Filter by a specific private LAN IP address.
Comma separated list of user agent types to filter by. Defaults to all types if not specified.
Bucket size options for traffic reports.
Comma separated list of network IDs to filter by. Defaults to all networks if not specified.
Comma separated list of category IDs to filter by. Defaults to all categories if not specified.
Comma separated list of MAC addresses (without colons) or filter values. Defaults to all if not specified.
Private LAN IP range filter, upper limit. Use with private_ip_from to define a range.
Comma separated list of collection IDs to filter by. Defaults to all collections if not specified.
Comma separated list of application IDs to filter by. Defaults to all applications if not specified.
Private LAN IP range filter, lower limit. Use with private_ip_to to define a range.
Filter by threat status: true for threats only, false for non-threats only, or omit for both threats and non-threats.
Comma separated list of organization IDs to filter by. Defaults to the authenticated user's organization ID if not specified.
When true, groups report results by collection ID. When false or omitted, returns aggregated results across all collections.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_DOMAINS_ORGANIZATIONSGet the total number of DNS requests by domain for organizations over a specified time period. Returns aggregated statistics showing how many requests were made to each domain across one or more organizations. Use this to analyze domain-level traffic distribution, understand which domains are most accessed, and track trends across organizational boundaries.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
Only search for domains that start with this value. Used for domain prefix filtering.
Traffic source options for filtering.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for report aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of category IDs to filter by. If not specified, defaults to all categories.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report results by organization ID. When true, results are broken down by individual organizations. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_DOMAIN_STATSTool to get the total number of stats for a domain in a period of time. Use when you need to analyze domain-level request statistics including allowed, blocked, and threat requests within a specified time range.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not provided or format is not recognized.
Only search for FQDNs that contains this value
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not provided or format is not recognized.
Only search for domains that starts with this value
MSP (Managed Service Provider) ID to filter by.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Organization ID to filter by. If not specified, defaults to user organization ID.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_DOMAINS_USERSGets the total number of DNS requests by domain for users in a period of time. Use this when you need to analyze domain traffic patterns across users or generate traffic reports. At least one query parameter must be provided for the endpoint to work successfully.
Input parameters
Group report result by user id. Defaults to false. NOTE: While marked as optional, at least one query parameter must be provided for the endpoint to work successfully. This parameter is recommended as a minimal requirement.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_ORGANIZATIONS_REQUESTSGet the total number of DNS requests for organizations in a specified time period. Returns time-series data showing request volumes aggregated by configurable time buckets. Use this to analyze overall traffic patterns and monitor DNS query volumes across organizations. Supports extensive filtering by agents, applications, categories, networks, domains, and traffic type.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Search for FQDNs (fully qualified domain names) that contain this value. Used for substring-based domain filtering.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Only include applications whose display name contains this value. Used for filtering by application name.
Type of traffic report to generate.
Only search for domains that start with this value. Used for prefix-based domain filtering.
MSP ID to filter by. Only applicable for MSP accounts.
Comma separated list of user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for report aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of category IDs to filter by. If not specified, defaults to all categories.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Organization ID to filter by. Defaults to user's organization ID if not provided.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to user's organization ID.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_ORGANIZATIONS_STATSRetrieves aggregated DNS traffic statistics across organizations for a specified time period. Returns total request counts (allowed, blocked, threats) and the organizations included in the report. Use this to monitor overall traffic patterns, identify security threats, and analyze DNS filtering effectiveness across your DNSFilter deployment.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified.
Filter to only include applications whose display name contains this value (case-insensitive substring match).
Type of traffic report to generate.
MSP (Managed Service Provider) ID to filter statistics for a specific MSP.
Comma separated list of local user IDs to filter by. If not specified, includes all users.
Comma separated list of user agent UUIDs to filter by. If not specified, includes all agents.
Comma separated list of user agent types to filter by. If not specified, includes all agent types.
Bucket size for aggregating traffic statistics.
Comma separated list of collection IDs to filter by. If not specified, includes all collections.
Organization ID to filter statistics. Defaults to the authenticated user's organization ID if not specified.
Filter by threat status: true for threats only, false for non-threats only, or omit for both threats and non-threats.
Comma separated list of application category IDs to filter by. If not specified, includes all categories.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_REQUESTSGet the total number of DNS requests over a specified time period. Returns time-series data showing DNS request volumes aggregated by configurable time buckets (15 minutes or 1 day). Use this to analyze traffic patterns, identify peak usage times, and monitor DNS request volumes broken down by allowed, blocked, and total counts.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
MSP ID to filter by. Only applicable for MSP accounts.
Traffic source options for filtering.
Comma separated list of NAT IPs to filter by. Valid values are integers from 101 to 106. Defaults to all if not specified.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for report aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report results by network ID. When true, results are broken down by individual networks. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_REQUESTS_AGENTSGet the total number of requests for roaming clients (user agents) during a specified time period. Use this to analyze overall traffic volume from roaming/mobile users, track request patterns over time, and monitor total DNS query activity across your roaming user base.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
MSP (Managed Service Provider) ID to filter by.
Traffic source options for filtering.
Comma separated list of NAT IPs to filter by. Valid integer list from 101 to 106. Defaults to all if not specified.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for time-based aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats, omit or null for both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report result by agent ID. If true, results are grouped by individual agents. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_REQUESTS_COLLECTIONSGet the total number of requests for collections over a specified time period. Returns time-series data showing collection request volumes aggregated by configurable time buckets. Use this to analyze collection-specific traffic patterns and identify which collections are being used most frequently.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
Comma separated list of desired traffic sources to include in the report. Options: all, networks, agents, proxies. Defaults to all if not specified.
Comma separated list of NAT IPs to filter by. Valid values are integers from 101 to 106. Defaults to all if not specified.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for report aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report results by collection ID. When true, results are broken down by individual collections. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_REQUESTS_GEOGets the total number of DNS requests by geographic location for organizations in a specified time period. Used for generating heatmap visualizations on the overview dashboard. Returns network IDs, organization IDs, and request counts grouped by geographic location.
Input parameters
Report UTC upper limit, format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not provided or if format is not recognized.
Report UTC lower limit, format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not provided or if format is not recognized.
Limit the size of the response. This is a required parameter that determines how many geographic locations are returned.
MSP ID to filter results by managed service provider
Comma separated list of organization IDs. Defaults to user organization ID if not provided.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_REQUESTS_ORGANIZATIONSGet the total number of DNS requests for organizations in a specified time period. Returns time-series data showing request volumes aggregated by configurable time buckets (15 minutes or 1 day). Use this to analyze traffic patterns by organization, identify peak usage times, and monitor DNS request volumes broken down by allowed, blocked, and total counts.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
MSP ID to filter by. Only applicable for MSP accounts.
Traffic source options for filtering.
Comma separated list of NAT IPs to filter by. Valid values are integers from 101 to 106. Defaults to all if not specified.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for report aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Filter by threat status. True returns only threats, False returns only non-threats. If not specified or empty, returns both threats and non-threats.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report results by organization ID. When true, results are broken down by individual organizations. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_REQUESTS_USERSGets the total number of requests for users in a period of time. Use this to analyze DNS traffic patterns, monitor user activity, and generate reports on request volume. Supports extensive filtering by time range, user agents, networks, applications, and more. Results can be aggregated by different time buckets (15min or 1day) and optionally grouped by individual users.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format not recognized.
Report type options for filtering traffic.
MSP (Managed Service Provider) ID for filtering.
Traffic source options for filtering reports.
Comma separated list of NAT IPs. Valid integer list from 101 to 106. Defaults to all if not specified.
Comma separated list of local user IDs. If not specified, defaults to all users.
Comma separated list of user agent UUIDs. If not specified, defaults to all user agents.
Private LAN IP address for filtering.
Comma separated list of user agent types. If not specified, defaults to all agent types.
Bucket size options for traffic report aggregation.
Comma separated list of network IDs. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values. If not specified, defaults to all MAC addresses.
Private LAN IP range upper limit for filtering.
Comma separated list of collection IDs. If not specified, defaults to all collections.
Comma separated list of application IDs. If not specified, defaults to all applications.
Private LAN IP range lower limit for filtering.
Filter by threats. True for threats only, false for non-threats only. If not specified or null, returns both threats and non-threats.
Comma separated list of organization IDs. If not specified, defaults to user's organization ID.
Group report result by user ID. Set to true to see individual user breakdown, false for aggregated data. Defaults to false if not specified.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_ROAMING_CLIENTSGets the roaming clients information for the specified organization. Use this to retrieve roaming client statistics and deployment information across organizations.
Input parameters
MSP ID to filter by. Only applicable for MSP accounts.
Organization ID to filter by. Defaults to the authenticated user's organization ID if not specified.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_THREATSGet the total number of threats detected over a specified time period. Returns time-series data showing threat volumes aggregated by configurable time buckets (15 minutes or 1 day). Use this to monitor security threats, analyze threat patterns over time, and identify when threat activity is highest across networks and organizations.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
Comma separated list of desired traffic sources to include in the report. Options: all, networks, agents, proxies. Defaults to all if not specified.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for report aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report results by network ID. When true, results are broken down by individual networks. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_THREATS_AGENTSGet the total number of threats for roaming clients in a period of time. Returns time-series data showing threat counts aggregated by configurable time buckets for agents (roaming clients). Use this to analyze security threat patterns and monitor blocked malicious domains or categories detected for roaming clients.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
Traffic source options for filtering.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for report aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report results by agent ID. When true, results are broken down by individual agents. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_THREATS_COLLECTIONSTool to retrieve the total number of threats for collections over a specified time period. Use when you need to analyze threat patterns, generate security reports, or monitor DNS-based threats blocked by DNSFilter across different collections.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day.
Type of traffic report.
Traffic source filter options.
Comma separated list of local user IDs to filter by. Defaults to all users.
Comma separated list of user agent UUIDs to filter by. Defaults to all agents.
Filter by a specific private LAN IP address.
Comma separated list of user agent types to filter by. Defaults to all types.
Bucket size options for grouping traffic report data.
Comma separated list of network IDs to filter by. Defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values. Defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define a range.
Comma separated list of collection IDs to filter by. Defaults to all collections.
Comma separated list of application IDs to filter by. Defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define a range.
Comma separated list of organization IDs. Defaults to user's organization ID.
Whether to group report result by collection ID. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_THREATS_ORGANIZATIONSGet the total number of threats detected for organizations over a specified time period. Returns aggregated threat statistics showing how many malicious or dangerous DNS requests were identified across one or more organizations. Use this to monitor security posture, identify at-risk organizations, and track threat trends over time.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized.
Type of traffic report to generate.
Traffic source options for filtering.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for report aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report results by organization ID. When true, results are broken down by individual organizations. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_TRAFFIC_REPORTS_TOTAL_THREATS_USERSGet the total number of threats for users in a period of time. Returns aggregated statistics showing security threats detected across users during the specified time range. Use this to monitor user-level threat activity and identify users encountering security issues.
Input parameters
Report UTC upper limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime if not specified or format is not recognized. Note: While marked as optional, this parameter should be provided for successful API responses.
Report UTC lower limit in format YYYY-MM-DDThh:mm:ss or YYYY-MM-DDThh:mm:ssZ. Defaults to current UTC datetime minus 1 day if not specified or format is not recognized. Note: While marked as optional, this parameter should be provided for successful API responses.
Type of traffic report to generate.
Traffic source options for filtering.
Comma separated list of local user IDs to filter by. If not specified, defaults to all users.
Comma separated list of user agent UUIDs to filter by. If not specified, defaults to all agents.
Private LAN IP address to filter by. Filters traffic from a specific private IP.
Comma separated list of user agent types to filter by. If not specified, defaults to all types.
Bucket size options for report aggregation.
Comma separated list of network IDs to filter by. If not specified, defaults to all networks.
Comma separated list of MAC addresses (without colons) or filter values to filter by. If not specified, defaults to all.
Private LAN IP range upper limit. Use with private_ip_from to define an IP range.
Comma separated list of collection IDs to filter by. If not specified, defaults to all collections.
Comma separated list of application IDs to filter by. If not specified, defaults to all applications.
Private LAN IP range lower limit. Use with private_ip_to to define an IP range.
Comma separated list of organization IDs to filter by. If not specified, defaults to the user's organization ID.
Group report results by user ID. When true, results are broken down by individual users. Defaults to false.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_USER_AGENT_BULK_DELETES_COUNTSTool to get user agent bulk delete counts by filtering criteria. Use when you need to determine how many user agents can be deleted or uninstalled and deleted based on various filters like agent state, network, tags, or online/offline status.
Input parameters
User agent list by tags
Enumeration of possible user agent types.
Enumeration of possible online/offline states.
User agent list by keyword(s) (space delimited), this could be: hostname, friendly name
Filter by user agent status, valid attributes: active, disabled, uninstalled
Enumeration of possible agent states.
A search term to search client name fields (i.e. hostname and friendly_name)
Network IDs to filter by, defaults to all networks if not specified
Organization ID to filter by
Filter by agents that have received traffic in last 15 minutes
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_USER_AGENT_BULK_UPDATES_COUNTSTool to get user agent bulk delete counts by filters. Use when you need to determine how many user agents match certain criteria and whether they support remote uninstall. Returns counts of agents that can be deleted vs agents that can be both uninstalled and deleted.
Input parameters
User agent list by tags
Enumeration of user agent types.
Enumeration of online/offline states for filtering.
User agent list by keyword(s) (space delimited), this could be: hostname, friendly name
Filter by user agent status, valid attributes: active, disabled, uninstalled
Filter user agents by policy ID
Enumeration of possible agent states for filtering.
A search term to search client name fields (i.e. hostname and friendly_name)
Network IDs to filter by, defaults to all networks
Filter user agents by block page ID
Organization ID to filter by
Filter user agents by release channel. Valid values: stable, beta, preview
Filter user agents by scheduled policy ID
Filter by agents that have received traffic in last 15 minutes
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_USER_AGENT_RELEASESGets a list of latest user agent releases for each unique combination of agent_type, architecture, release_channels, and white label. Use this to discover available agent versions for deployment across different platforms and release channels.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_USER_AGENT_RELEASES_RELAYTool to get a list of latest relay releases for each unique combination of architecture, release channels, and white label. Use when you need to retrieve available relay agent versions for deployment or updates.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_USER_AGENTS_ALLTool to retrieve ALL user agents with basic information. Use when you need a comprehensive list of all user agents, optionally filtered by network, organization, state, status, or tags. Supports pagination and sorting.
Input parameters
Sort options, valid attributes: hostname, friendly_name, agent_version, last_sync. Prefix with '-' for descending order.
User agent list by tags
User agent type enumeration.
User agent state enumeration.
User agent list by keyword(s) (space delimited), this could be: status, hostname, friendly name, current logged in user
Filter by user agent status, valid attributes: active, disabled, uninstalled, uninstall_queued, uninstalling
Number of items per page. Maps to page\[size\] in the API.
Networks IDs, defaults to all
Page number for pagination (1-based). Maps to page\[number\] in the API.
Organization IDs, defaults to user organization ID
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_USER_AGENTS_COUNTSTool to get counts of user agents for each status. Use when you need to retrieve statistics about user agents grouped by their protection status (protected, unprotected, bypassed, etc.). Supports filtering by organization, network, tags, and various other criteria.
Input parameters
User agent list by tags
User agent type.
User agent online/offline state.
MSP ID, set scope to all sub-orgs
User agent list by keyword(s) (space delimited), this could be: tags, status, hostname, friendly name, current logged in user
Filter by user agent status, valid attributes: active, disabled, uninstalled
A search term to search client name fields (i.e. hostname and friendly_name)
Networks IDs, defaults to all
Get counts for new agent states: Protected, Unprotected, Offline
Organization IDs, defaults to user organization ID
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_USER_AGENTS_CSVTool to export user agents as CSV data for a specific organization. Use when you need to retrieve a CSV-formatted list of user agents, optionally including suborg data.
Input parameters
Timezone string for localizing the filename (e.g., 'America/New_York'). Defaults to 'UTC'
Include suborgs when organization_id is MSP owner org (defaults to false)
Organization ID to retrieve user agents for
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_USER_AGENTS_TAGSRetrieves all tags used by user agents on a network or organization. Tags help categorize and organize user agents for easier management and policy application. Use when you need to view available tags for filtering or grouping user agents.
Input parameters
MSP ID to set scope to all sub-organizations. Use this to retrieve tags across managed service provider sub-organizations.
List of network IDs to filter tags by. Defaults to all networks if not specified. Use to scope tags to specific networks.
List of organization IDs to filter tags by. Defaults to the user's organization ID if not specified.
Filters out tags that aren't currently used on any user agents. Set to true to only return tags actively in use.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LIST_USERS_ALLTool to get all users basic information with optional pagination. Use when you need to retrieve a list of users in the organization with their profile details including name, email, and contact information.
Input parameters
Pagination parameters for the request.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_LOOKUP_NETWORK_BY_IPTool to get basic network information based on an IP address lookup. Use when you need to identify which network an IP belongs to and retrieve its block page configuration settings.
Input parameters
IP address to lookup. Use this to find which network a specific IP belongs to and retrieve its basic configuration.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_REMOVE_ALLOWED_APPLICATIONRemoves a single application from the allow list of a policy in DNSFilter. Use this action when you need to revoke access for a specific application that was previously allowed. The application will be removed from the policy's allow_applications list and will no longer bypass filtering rules. This is useful for tightening security policies or removing applications that are no longer needed while maintaining the rest of the filtering configuration.
Input parameters
Policy ID to remove the allowed application from. Use LIST_POLICIES action to retrieve valid policy IDs.
Application name to remove from the allow list. This should be a valid application identifier currently in the policy's allow list (e.g., '101domains', 'dropbox', 'slack').
Include relationships in the response (organization, etc.). Defaults to true. Set to false for a lighter response payload.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_REMOVE_ALLOWLIST_DOMAINS_FROM_POLICIESTool to remove one or more domains from one or more policies' allow lists. Use when you need to bulk remove previously allowed domains from multiple policies at once, useful for security updates or policy cleanup.
Input parameters
Optional domain/note key-value pairs to associate notes with specific domains being removed.
List of domain names to remove from the allow list. Domains should be in standard format without protocol (e.g., 'example.com').
List of policy IDs to remove the domains from. Use LIST_POLICIES action to retrieve valid policy IDs.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_REMOVE_BLACKLIST_CATEGORYTool to remove a single category from a policy's blocklist. Use when you need to unblock a specific content category that was previously restricted in a DNS filtering policy. The category will be removed from the policy's blacklist_categories array, allowing domains in that category to be accessed.
Input parameters
The unique ID of the policy to modify. Use LIST_POLICIES action to retrieve valid policy IDs.
The category ID to remove from the blocklist. Use LIST_CATEGORIES or LIST_ALL_CATEGORIES actions to retrieve valid category IDs.
Include relationships in the response (organization, etc.). Defaults to true. Set to false for a lighter response payload.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_REMOVE_BLACKLIST_DOMAIN_FROM_POLICYTool to remove a single domain from a policy's blocklist. Use when you need to unblock a specific domain that was previously blocked by a policy, such as when correcting false positives or updating filtering rules. The domain will be removed from the specified policy's blacklist_domains list.
Input parameters
The unique identifier of the policy to remove the domain from. Use LIST_POLICIES action to retrieve valid policy IDs.
Note or comment explaining why this domain is being removed from the blocklist. Useful for audit trails and documentation.
The domain name to remove from the blocklist. Should be a valid domain name without protocol prefix (e.g., 'example.com', not 'https://example.com').
Include relationships in the response (organization, etc.). Defaults to true. Set to false for a lighter response payload.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_REMOVE_BLOCKED_APPLICATIONRemoves a single application from the block list of a policy in DNSFilter. Use this action when you need to unblock a specific application that was previously blocked by the filtering policy. The application will be removed from the policy's block_applications list and will no longer be blocked by this policy. This is useful for allowing previously blocked applications while maintaining other filtering rules.
Input parameters
Policy ID to remove the blocked application from. Use LIST_POLICIES action to retrieve valid policy IDs.
Application name to remove from the block list. This should be a valid application identifier that exists in the policy's blocked applications list (e.g., '101domains', 'facebook', 'twitter').
Include relationships in the response (organization, etc.). Defaults to true. Set to false for a lighter response payload.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_REMOVE_BLOCKLIST_DOMAINSTool to remove one or more domains from one or more policy block lists in bulk. Use when you need to unblock domains across multiple policies simultaneously, such as when removing false positives or updating block list policies.
Input parameters
Optional key-value pairs mapping domain names to notes. Use this to document the reason for removal or provide context for each domain.
List of domain names to remove from the block lists. Each domain should be a valid domain name (e.g., 'example.com', 'malicious-site.net'). These domains will be removed from all specified policies.
List of policy IDs to remove the domains from. Use LIST_POLICIES to retrieve valid policy IDs. The domains will be removed from the block lists of all specified policies.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_REMOVE_WHITELIST_DOMAIN_FROM_POLICYTool to remove a single domain from a policy's whitelist/allowlist. Use when you need to revoke access for a previously allowed domain, useful for security updates or policy cleanup.
Input parameters
Policy ID from which to remove the domain. Use LIST_POLICIES action to retrieve valid policy IDs.
Explanatory note describing why the domain is being removed from the allowlist.
Domain name to remove from the whitelist/allowlist. Should be in standard format without protocol (e.g., 'example.com').
Include relationships in the response (organization, etc.). Defaults to true. Set to false for a lighter response payload.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_RESEND_USER_INVITETool to resend an invitation email to a user in a DNSFilter organization. Use when a user hasn't received their original invitation or needs a new invitation link. The invitation will be sent to the user's registered email address.
Input parameters
The unique ID of the user to resend the invitation to
The unique ID of the organization that the user belongs to
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_SUGGEST_DOMAIN_THREATSubmit a domain threat report to DNSFilter for review and potential threat categorization. Use this action when you have identified a suspicious or malicious domain that should be reported to DNSFilter. The submission will be reviewed by DNSFilter's security team and may result in the domain being categorized as a threat, which will improve protection for all DNSFilter users. This is typically used for reporting newly discovered phishing sites, malware distribution domains, spam sources, or other malicious domains that are not yet properly categorized.
Input parameters
Fully qualified domain name (FQDN) to report as a potential threat. Must be a valid domain name format (e.g., 'malicious-site.example.com').
Detailed explanation describing why this domain is considered a threat. Include specific observations such as phishing attempts, malware distribution, spam campaigns, or other malicious activity.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_UPDATE_BILLING_ADDRESSUpdates the billing address for a DNSFilter organization. Use this when you need to modify billing contact information, shipping addresses, or invoice recipient details for an organization.
Input parameters
Billing address details to update. All fields are optional; only provided fields will be updated.
Unique numeric identifier of the organization whose billing address is being updated
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_UPDATE_CURRENT_USERUpdates profile attributes for the currently authenticated DNSFilter user. Use this action to modify the user's first name, last name, or phone number. At least one field must be provided in the update request. Common use cases include updating contact information or correcting profile details.
Input parameters
User attributes to update. At least one field (first_name, last_name, or phone) should be provided.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_UPDATE_ENTERPRISE_CONNECTIONUpdates an existing enterprise connection for SSO authentication in DNSFilter. Use this action to modify enterprise connection settings such as display name, identity provider configuration, authorized domains, role mappings, and OAuth credentials. Commonly used for updating OIDC, Okta, Azure AD, or Google Workspace SSO integrations. Note: To set a custom login URL, update the organization's 'unique_id' attribute using the PATCH /v1/organizations endpoint.
Input parameters
The unique identifier of the enterprise connection to update.
Identity provider types for enterprise connections.
Options for the enterprise connection, dependent on the IDP strategy.
List of mappings from identity provider groups to DNSFilter roles. Allows fine-grained role assignment based on IDP group membership.
The UI-visible name of the enterprise connection. Helps users identify the connection in the dashboard.
Default role options for enterprise connection users.
The ID of the organization that owns this enterprise connection.
List of email domains that are authorized to connect via this enterprise connection. Users with these email domains can authenticate.
The ID of the default organization to assign users upon authentication through this connection.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_UPDATE_IP_ADDRESSUpdates an existing IP address record in DNSFilter with new data. This action modifies an IP address entry by its ID, allowing you to change the IP address itself, reassign it to a different network or organization, or update its dynamic hostname. Common use cases include: - Updating an IP address when your gateway IP changes - Moving an IP address to a different network - Setting or updating the dynamic hostname for better identification Prerequisites: - Must have a valid IP address ID (use GET_IP_ADDRESS or LIST_IP_ADDRESSES to retrieve IDs) - Must provide all required fields (address, organization_id, network_id) even if only changing one - User must have authorization to update IP addresses in the target network
Input parameters
The unique identifier of the IP address record to update. Use GET_IP_ADDRESS or LIST_IP_ADDRESSES to retrieve valid IDs.
The IP address data to update.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_UPDATE_MAC_ADDRESSESUpdates an existing MAC address entry in DNSFilter with new configuration. This action allows you to modify MAC address settings including the physical address itself, organization assignment, filtering policies, block pages, and custom filter values. Common use cases include: - Correcting a MAC address that was entered incorrectly - Reassigning a MAC address to a different organization - Applying custom filtering policies to specific devices - Setting custom block pages for certain MAC addresses Prerequisites: - Must have a valid MAC address ID (use LIST_MAC_ADDRESSES or LIST_ALL_MAC_ADDRESSES to retrieve) - Must provide organization_id in the update payload - User must have authorization to update MAC addresses Notes: - If both policy_id and scheduled_policy_id are provided, scheduled_policy_id takes precedence - The filter_value defaults to the MAC address without colons if not specified - Returns HTTP 422 if the update cannot be processed with the specified data
Input parameters
The unique identifier of the MAC address entry to update. Use LIST_MAC_ADDRESSES or LIST_ALL_MAC_ADDRESSES to retrieve valid MAC address IDs.
MAC address update parameters including organization_id (required) and optional fields for address, policies, and block pages.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_UPDATE_NETWORKS_BULKTool to bulk update multiple networks with specified configuration changes. Use when you need to apply the same settings (policy, block page, VPN status) to multiple networks simultaneously instead of updating them one by one. This action creates an asynchronous bulk update job that processes multiple networks. Common use cases include: - Applying a new policy to multiple branch office networks - Enabling/disabling legacy VPN across multiple locations - Standardizing block page settings for multiple networks - Updating scheduled policies for multiple sites The operation returns a job ID immediately and processes updates in the background. For updating all networks in an organization, use ids='all' and provide organization_id.
Input parameters
Comma-delimited network IDs to update (e.g., '10626258,9219250'), or the keyword 'all' to update all networks in an organization. Use LIST_NETWORKS action to retrieve valid network IDs.
Policy ID to assign to the specified networks. Use to update the filtering policy for multiple networks at once.
Block Page ID to assign to the networks. Use to customize the block page displayed when filtering blocks a request.
Organization ID. Required when ids is 'all', specifying which organization's networks to update. Optional when specific network IDs are provided.
Scheduled Policy ID to assign to the networks. Use to set or update time-based policy schedules across multiple networks.
Whether to enable or disable legacy VPN for the specified networks. Set to true to activate, false to deactivate.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_UPDATE_ORGANIZATIONSUpdates an existing organization with the specified data in DNSFilter. Use this action to modify organization information such as name, billing contacts, address, licensing, MSP management settings, or custom login configurations. Common use cases include updating billing information, changing the organization name, adjusting license quantities, or configuring enterprise SSO settings.
Input parameters
The unique identifier of the organization to update. Use LIST_ORGANIZATIONS action to retrieve valid organization IDs.
The organization data to update. At minimum, you must provide the organization name.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_UPDATE_ORGANIZATIONS_USERSUpdates a user or permissions within an organization in DNSFilter. Use this action to modify user details such as email, name, phone, role, or organization permissions. Common use cases include updating contact information, changing user roles between administrator and read-only, or modifying organization access permissions.
Input parameters
The OrganizationUser ID to update. This is the unique identifier of the user within the organization.
User update parameters including email, name, phone, role, and permission settings. At least one field should be provided.
The ID of the organization where the user belongs. Use LIST_ORGANIZATIONS to retrieve valid organization IDs.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_UPDATE_POLICIESUpdates an existing DNS filtering policy with the specified configuration in DNSFilter. Use this action to modify filtering rules including blocked/allowed categories, domain lists, safe search enforcement, and application controls for an existing policy. Only include fields you want to update - all fields are optional except the policy ID. Common use cases include enabling/disabling safe search, updating domain allow/block lists, modifying category blocking rules, and changing application controls. Use the append_domains parameter to add to existing domain lists rather than replacing them.
Input parameters
The unique identifier of the policy to update. Use LIST_POLICIES or GET_POLICY to retrieve valid policy IDs.
Policy update request parameters containing the fields to modify. Only include fields you want to update.
Option to append allowlist/blocklist domains to the existing ones rather than replacing them. Default: false. Use true when adding to existing domain lists.
Include relationships in the response (organization, etc.). Defaults to true. Set to false for a lighter response payload.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_UPDATE_POLICIES_APPLICATIONUpdates a policy with the specified application data, configuring which policies allow or block access to an application. This action assigns allow and block policy rules to a specific application, controlling which users (based on their assigned policies) can access the application. Common use cases include: - Setting up application-level filtering rules for specific user groups - Blocking access to certain applications for specific policies - Allowing access to applications only for designated policies Prerequisites: - Must have a valid organization_id - Must have a valid application_id (use LIST_APPLICATIONS to retrieve available applications) - Must provide both allow_policies and block_policies lists (can be empty arrays) - User must have authorization to update policies in the target organization
Input parameters
List of Policy IDs that should allow access to this application. Users under these policies will be granted access.
The unique identifier of the application to be configured with policy rules.
List of Policy IDs that should block access to this application. Users under these policies will be denied access.
The unique identifier of the organization. This determines which organization's policies will be updated.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_UPDATE_POLICIES_PERMISSIVE_MODETool to update the permissive mode setting for a specific policy. Use when you need to enable or disable permissive mode for a DNS filtering policy.
Input parameters
The unique ID of the policy to update permissive mode for.
The new permissive mode value for the policy. Set to true to enable permissive mode, false to disable it.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_UPDATE_SCHEDULED_POLICIESUpdates an existing scheduled policy in DNSFilter with the specified data. Use this action to modify time-based policy configurations that control filtering rules based on schedules throughout the week. Only include fields you want to update - all fields except the ID are optional. Scheduled policies allow you to apply different filtering policies at different times. Common use cases include stricter filtering during work hours, relaxed filtering during breaks, or different policies for weekdays vs weekends.
Input parameters
The unique identifier of the scheduled policy to update. Use LIST_SCHEDULED_POLICIES action to retrieve valid scheduled policy IDs.
Human-readable name for the scheduled policy. Use a descriptive name that helps identify the policy's purpose or schedule.
The timezone string for localizing the policy schedule (e.g., 'America/New_York', 'UTC', 'Europe/London'). This determines how the time blocks in policy_ids are interpreted.
Array of 672 policy IDs representing 15-minute time blocks starting Monday morning 12:01am. Each index corresponds to a 15-minute block throughout the week, allowing you to assign different policies for different time periods.
The unique identifier of the organization that owns the scheduled policy. This must match the organization that owns the policy.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_UPDATE_SCHEDULED_REPORTSUpdates an existing scheduled report configuration in DNSFilter. Use this action to modify report frequency, delivery schedule, content options, or recipient settings. Common use cases include changing the day of the week for report delivery, adjusting which content categories are included, or enabling/disabling threat summaries.
Input parameters
The unique identifier of the scheduled report to update. Use LIST_SCHEDULED_REPORTS action to retrieve valid scheduled report IDs.
The scheduled report data to update. You can modify any combination of frequency, day of week, content settings, and recipient options.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_UPDATE_USER_AGENT_CLEANUPSUpdates a user agent cleanup operation in DNSFilter. Use this to modify the inactivity threshold or start/restart a cleanup job. This action allows you to: 1. Change the 'inactive_for' threshold to adjust which agents are included in the cleanup (automatically restarts the job) 2. Start the cleanup process by setting 'start' to true (only works if 'inactive_for' is not provided) Common use cases: - Adjust the inactivity threshold from 30 to 45 days to be more conservative about deletions - Start a previously configured cleanup job that hasn't been started yet - Restart a cleanup job with a new threshold to recalculate which agents should be deleted Note: When 'inactive_for' is provided, it takes precedence and restarts the job, making 'start' parameter ineffective.
Input parameters
The unique identifier of the user agent cleanup operation to update. This ID is returned when creating a cleanup or can be retrieved from listing operations.
Start the cleanup process. Note: This will do nothing if 'inactive_for' is also included in the request, as updating inactive_for automatically restarts the job.
The number of inactive days for user agents to be included in cleanup. Setting this value restarts the job to find agents to delete based on the new inactivity threshold.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
DNSFILTER_VALIDATE_AUTH0_JWTTool to validate a JWT with Auth0. Use when you need to confirm token validity before making DNSFilter API calls.
Input parameters
Auth0 JSON Web Token (JWT) string to validate.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
No publicly available marketplace agent is found using this tool yet. There are 39 agents privately built on Nagent that already use Dnsfilter.
Build on Nagent
Connect Dnsfilter to any Nagent agent in minutes — no API key management, no boilerplate. Just configure and deploy.
The five questions agent builders ask before adopting a new integration.
Open the External Integrations panel inside Nagent (app.nagent.ai/externalIntegration), find Dnsfilter, and click "Connect Now." You'll authenticate with an API key — Nagent handles credential storage and refresh automatically. Once connected, Dnsfilter is available to any agent in your workspace.
No. Nagent provides no-code integration for every tool. Once Dnsfilter is connected, you configure its 170 actions directly in the agent builder UI — no API calls, no boilerplate, no schema management.
Helix — Nagent's agentic agent builder — lets you drop Dnsfilter steps into any workflow visually. Pick an action (e.g., one of those listed above), fill in the inputs (Helix knows the required vs. optional schema for each parameter), and connect it to upstream/downstream steps. Triggers run as the entry point of an agent, so when a Dnsfilter event fires, the agent kicks off automatically.
Every Dnsfilter action and trigger ships with a fully-typed schema — input parameters with name, type, required flag, and description, plus the output payload shape. The schemas are documented in the sections above. Helix uses these schemas to validate your configuration at build time and to type-check the data flowing between steps.
Yes. While Dnsfilter ships with 170 pre-built security & identity tools actions, you can layer custom logic around them inside Helix — pre/post-processing steps, conditional branches, retries, or stitching Dnsfilter together with other connected tools. For deeper customization, talk to our team about Nagent's Agentic AI Lab — forward-deployed engineers who build Dnsfilter-based workflows tailored to your business.