Handling Alarm Events

Function

This API is used to handle alarm events.

URI

POST /v5/{project_id}/event/operate

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Project ID

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	Enterprise project ID. To query all enterprise projects, set this parameter to all_granted_eps.

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	IAM token. It can be obtained by calling the IAM API used to obtain an IAM token. The value of X-Subject-Token in the response header is a token.
region	Yes	String	Region ID

**Table 4** Request body parameters
Parameter	Mandatory	Type	Description
operate_type	Yes	String	Handling method. Its value can be: mark_as_handled ignore add_to_alarm_whitelist add_to_login_whitelist isolate_and_kill unhandle do_not_ignore remove_from_alarm_whitelist remove_from_login_whitelist do_not_isolate_or_kill
handler	No	String	Remarks. This API is available only for handled alarms.
operate_event_list	Yes	Array of OperateEventRequestInfo objects	Operated event list

**Table 5** OperateEventRequestInfo
Parameter	Mandatory	Type	Description
event_class_id	Yes	String	Event category. Its value can be: container_1001: Container namespace container_1002: Container open port container_1003: Container security option container_1004: Container mount directory containerescape_0001: High-risk system call containerescape_0002: Shocker attack containerescape_0003: Dirty Cow attack containerescape_0004: Container file escape dockerfile_001: Modification of user-defined protected container file dockerfile_002: Modification of executable files in the container file system dockerproc_001: Abnormal container process fileprotect_0001: File privilege escalation fileprotect_0002: Key file change fileprotect_0003: AuthorizedKeysFile path change fileprotect_0004: File directory change login_0001: Brute-force attack attempt login_0002: Brute-force attack succeeded login_1001: Succeeded login login_1002: Remote login login_1003: Weak password malware_0001: Shell change malware_0002: Reverse shell malware_1001: Malicious program procdet_0001: Abnormal process behavior procdet_0002: Process privilege escalation procreport_0001: High-risk command user_1001: Account change user_1002: Unsafe account vmescape_0001: Sensitive command executed on VM vmescape_0002: Sensitive file accessed by virtualization process vmescape_0003: Abnormal VM port access webshell_0001: Web shell network_1001: Mining network_1002: DDoS attacks network_1003: Malicious scanning network_1004: Attack in sensitive areas crontab_1001: Suspicious crontab task
event_id	Yes	String	Event ID
event_type	Yes	Integer	Intrusion type. Its value can be: 1001: Malware 1010: Rootkit 1011: Ransomware 1015: Web shell 1017: Reverse shell 2001: Common vulnerability exploit 3002: File privilege escalation 3003: Process privilege escalation 3004: Important file change 3005: File/Directory change 3007: Abnormal process behavior 3015: High-risk command execution 3018: Abnormal shell 3027: Suspicious crontab tasks 4002: Brute-force attack 4004: Abnormal login 4006: Invalid system account
occur_time	Yes	Integer	Occurrence time, accurate to milliseconds.
operate_detail_list	Yes	Array of EventDetailRequestInfo objects	Operation details list. If operate_type is set to add_to_alarm_whitelist or remove_from_alarm_whitelist, keyword and hash are mandatory. If operate_type is set to add_to_login_whitelist or remove_from_login_whitelist, the login_ip, private_ip, and login_user_name parameters are mandatory. If operate_type is set to isolate_and_kill or do_not_isolate_or_kill, the agent_id, file_hash, file_path, and process_pid parameters are mandatory. In other cases, the parameters are optional.

**Table 6** EventDetailRequestInfo
Parameter	Mandatory	Type	Description
agent_id	No	String	Agent ID
process_pid	No	Integer	Process ID
file_hash	No	String	File hash
file_path	No	String	File path
file_attr	No	String	File attribute
keyword	No	String	Alarm event keyword, which is used only for the alarm whitelist.
hash	No	String	Alarm event hash, which is used only for the alarm whitelist.
private_ip	No	String	Server private IP address
login_ip	No	String	Login source IP address
login_user_name	No	String	Login username

Response Parameters

Status code: 200

success

None

Example Requests

POST https://{endpoint}/v5/{project_id}/event/operate?enterprise_project_id=xxx

{
  "operate_type" : "mark_as_handled",
  "handler" : "test",
  "operate_event_list" : [ {
    "event_class_id" : "rootkit_0001",
    "event_id" : "2a71e1e2-60f4-4d56-b314-2038fdc39de6",
    "occur_time" : 1672046760353,
    "event_type" : 1010,
    "operate_detail_list" : [ {
      "agent_id" : "c9bed5397db449ebdfba15e85fcfc36accee125c68954daf5cab0528bab59bd8",
      "file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "file_path" : "/usr/test",
      "process_pid" : 3123,
      "file_attr" : 33261,
      "keyword" : "file_path=/usr/test",
      "hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "login_ip" : "127.0.0.1",
      "private_ip" : "127.0.0.2",
      "login_user_name" : "root"
    } ]
  } ],
  "x-request-examples-description-1" : "Manually handle the intrusion alarms whose alarm event type is Rootkit and alarm event ID is 2a71e1e2-60f4-4d56-b314-2038fdc39de6."
}