# Active Protect

> Source: https://developers.cloud66.com/v3/webhooks/active-protect/

## ActiveProtect Block

URL: https://developers.cloud66.com/v3/webhooks/active-protect/#block
Event type: active.protect.block
Related models: server, activeprotect-action

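This webhook is sent when ActiveProtect blocks an IP address due to suspicious activity. The payload includes information about the server where the block occurred (`server`) and details about the blocked activity (`activeprotect_action`): the blocked address, its country and country code, the attack type and port, a `banned` flag, and the time of the action. Note that in the sample below `activeprotect_action.server` does not match `server.uid` (the last digit differs) and the blocked `address` is a private-range placeholder. Both appear to be artifacts of the sample, so confirm how these fields relate against a real delivery before correlating on them.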

### Payload

```json
{
  "timestamp": 1757011079,
  "event_type": "active.protect.block",
  "server": {
    "uid": "550e8400-e29b-41d4-a716-446655440001",
    "vendor_uid": "i-0123456789abcdef0",
    "name": "web-server-01",
    "address": "203.0.113.10",
    "distro": "ubuntu",
    "distro_version": "20.04",
    "dns_record": "web-01.example.com",
    "user_name": "cloud66",
    "server_type": "aws",
    "server_roles": [
      "web",
      "docker"
    ],
    "server_group_id": 123,
    "stack_uid": "stack-550e8400-e29b-41d4-a716",
    "has_agent": true,
    "params": {
      "size": "t3.medium",
      "region": "us-east-1",
      "subnet": "subnet-12345"
    },
    "created_at": "2024-01-15T10:30:00Z",
    "updated_at": "2024-02-15T14:20:00Z",
    "region": "us-east-1",
    "availability_zone": "us-east-1a",
    "ext_ipv4": "203.0.113.10",
    "int_ipv4": "10.0.1.100",
    "ext_ipv6": "2001:db8::1",
    "int_ipv6": "fd00::1",
    "health_state": 1,
    "personal_key": false,
    "has_deploy_gateway": false,
    "deploy_gateway_address": null,
    "deploy_gateway_user_name": null
  },
  "activeprotect_action": {
    "server": "550e8400-e29b-41d4-a716-446655440000",
    "address": "192.168.1.45",
    "country": "United States",
    "country_code": "US",
    "attack": "SSH",
    "port": 22,
    "banned": true,
    "action_date": "2024-02-15T14:23:41Z"
  }
}
```

---

## ActiveProtect Change

URL: https://developers.cloud66.com/v3/webhooks/active-protect/#change
Event type: active.protect.change
Related models: server, watched-file

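This webhook is sent when ActiveProtect detects unauthorized file changes on your servers. The payload includes server information (`server`) and file change details (`watched_file`): the watched file's path, an `is_changed` flag, and creation and update timestamps. The sample below shows `is_changed` as `false` even though the event reports a change. This is presumably a sample artifact, so verify the flag's meaning against a real delivery rather than relying on it alone when alerting.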

### Payload

```json
{
  "timestamp": 1757011079,
  "event_type": "active.protect.change",
  "server": {
    "uid": "550e8400-e29b-41d4-a716-446655440001",
    "vendor_uid": "i-0123456789abcdef0",
    "name": "web-server-01",
    "address": "203.0.113.10",
    "distro": "ubuntu",
    "distro_version": "20.04",
    "dns_record": "web-01.example.com",
    "user_name": "cloud66",
    "server_type": "aws",
    "server_roles": [
      "web",
      "docker"
    ],
    "server_group_id": 123,
    "stack_uid": "stack-550e8400-e29b-41d4-a716",
    "has_agent": true,
    "params": {
      "size": "t3.medium",
      "region": "us-east-1",
      "subnet": "subnet-12345"
    },
    "created_at": "2024-01-15T10:30:00Z",
    "updated_at": "2024-02-15T14:20:00Z",
    "region": "us-east-1",
    "availability_zone": "us-east-1a",
    "ext_ipv4": "203.0.113.10",
    "int_ipv4": "10.0.1.100",
    "ext_ipv6": "2001:db8::1",
    "int_ipv6": "fd00::1",
    "health_state": 1,
    "personal_key": false,
    "has_deploy_gateway": false,
    "deploy_gateway_address": null,
    "deploy_gateway_user_name": null
  },
  "watched_file": {
    "server": "550e8400-e29b-41d4-a716-446655440001",
    "file_path": "/etc/nginx/nginx.conf",
    "is_changed": false,
    "created_at": "2024-01-15T10:30:00Z",
    "updated_at": "2024-02-15T14:25:00Z"
  }
}
```
