Activity Report API


Using phonetic algorithms, pattern matching, and machine learning, the Vetting API detects frequency and velocity abuse patterns. As a simple example, sign-ups using similar emails to create multiple accounts such as: jim1@xyz.com, jim15@xyz.com, jim37@xyz.com will be tagged.

If we detect an abuse pattern, an incident is created with all records and data associated with the incident. If the pattern continues, new records are automatically added to the original incident.

These are typically fraudsters that you do not want in your systems. Making an activity/get call to the feed API will report back all incidents and entities associated with your account over the last 24 hours.

Endpoint (6.1)


The API accepts both HTTPS POST and HTTPS GET.

For GET use the format:

When using POST, make sure to have Content-Type: application/x-www-form-urlencoded

CURL POST API call example:

curl -X POST -H Content-Type:application/x-www-form-urlencoded -d 'apikey=your_apikey' https://feed-api.ehawk.net/activity/function/


Using function of:

Returns all activity incidents for the last 24 hours. For example:

Returns all activity incidents. For example:

This report defaults to 100 records, but can be customized with page (start page) and num (1-500 rows) definitions:

After reviewing the incident data, you can confirm or delete incidents with the following functions calls.

Adds incident data as confirmed and removed from list. Same as 'Correct' button in the portal.

Removes incident from your account. Same as 'False' button in the portal.

The Vetting API JSON responses include activity incident IDs if they are part of the call. Incident IDs change when new data is added, so if these detail calls return a 502 status, a following Vetting API call and JSON response will have the updated Incident ID. Use the incident ID from the updated JSON response to get full incident details.

Returns the records of a specific incident

JSON Response

The response from details will be a JSON string with each Incident in a new sub JSON string grouped by data type. As an example, incident id 558 has two emails and one ip:

Status Codes

Status Response
200 OK (no errors)
-6 IP not in ACL
502 Invalid APIKEY or URL

Portal Incident Reporting

The Activity Report in the Portal lists all incidents created by our activity monitor during the last thirty days. To the right of each incident are buttons: Correct to verify the incident as a Repeat Sign-up, False to mark as incorrect (remove from scoring) and Hold to not score until marked correct or false. This report should be checked often because many times the first items in the incident are marked as low risk (no bad pattern yet), and the later ones are marked as high risk. If the incident is Correct, then make sure to take action on all items in the incident so you remove any sleeper accounts.