Updated on 2024-01-31 GMT+08:00

Querying the Alarm Whitelist

Function

This API is used to query the alarm whitelist.

Calling Method

For details, see Calling APIs.

URI

GET /v5/{project_id}/event/white-list/alarm

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

project_id

Yes

String

User project ID

Minimum: 20

Maximum: 64

Table 2 Query Parameters

Parameter

Mandatory

Type

Description

enterprise_project_id

No

String

Enterprise project ID. To query all enterprise projects, set this parameter to all_granted_eps.

Minimum: 0

Maximum: 64

hash

No

String

SHA-256 digest to filter by (64 hexadecimal characters).

Minimum: 64

Maximum: 64

event_type

No

Integer

Event type. Its value can be:

  • 1001: common malware

  • 1002: virus

  • 1003: worm

  • 1004: Trojan

  • 1005: botnet

  • 1006: backdoor

  • 1010: rootkit

  • 1011: ransomware

  • 1012: hacker tool

  • 1015: web shell

  • 1016: mining

  • 1017: reverse shell

  • 2001: common vulnerability exploit

  • 2012: remote code execution

  • 2047: Redis vulnerability exploit

  • 2048: Hadoop vulnerability exploit

  • 2049: MySQL vulnerability exploit

  • 3002: file privilege escalation

  • 3003: process privilege escalation

  • 3004: critical file change

  • 3005: file/directory change

  • 3007: abnormal process behavior

  • 3015: high-risk command execution

  • 3018: abnormal shell

  • 3027: suspicious crontab task

  • 3029: system protection disabled

  • 3030: backup deletion

  • 3031: suspicious registry operations

  • 4002: brute-force attack

  • 4004: abnormal login

  • 4006: invalid system account

  • 4014: account added

  • 4020: password theft

  • 6003: server scan

Minimum: 1000

Maximum: 30000

offset

No

Integer

Offset of the first record to return. The value must be an integer no less than 0; the default is 0.

Minimum: 0

Maximum: 2000000

Default: 0

limit

No

Integer

Number of records displayed on each page.

Minimum: 10

Maximum: 1000

Default: 10

Request Parameters

Table 3 Request header parameters

Parameter

Mandatory

Type

Description

x-auth-token

Yes

String

User token, obtained by calling the IAM API for obtaining a user token; the value of X-Subject-Token in that response's header is the token.

Minimum: 1

Maximum: 32768

region

Yes

String

Region ID

Minimum: 0

Maximum: 128
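The parameter tables above state hard ranges (project_id length, a 64-character hash, limit between 10 and 1000, offset up to 2000000). The following helper, added here as an example and not part of the Huawei Cloud SDK or this API's documentation, checks those ranges on the client before building the URL and headers, so a bad value fails with a clear ValueError rather than an opaque 4xx. The endpoint hostname, token and region used in the test are placeholders; substitute the HSS endpoint and IAM token of your region.

```python
"""Build a validated GET /v5/{project_id}/event/white-list/alarm request.

Added example, not Huawei Cloud HSS SDK code. Enforces the ranges from the
path, query and header parameter tables client-side. The endpoint hostname
is an assumption supplied by the caller.
"""
import json
import re
import urllib.request
from urllib.parse import urlencode

PATH_TEMPLATE = "/v5/{project_id}/event/white-list/alarm"
# The hash query parameter is a SHA-256 digest: exactly 64 hex characters.
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def build_alarm_whitelist_request(endpoint, project_id, token, region,
                                  enterprise_project_id=None, hash_value=None,
                                  event_type=None, offset=0, limit=10):
    """Return (url, headers) for one page of the alarm whitelist.

    Raises ValueError when a value is outside the range the tables document.
    """
    if not 20 <= len(project_id) <= 64:
        raise ValueError("project_id must be 20 to 64 characters")
    if not token:
        raise ValueError("x-auth-token is mandatory")
    if len(region) > 128:
        raise ValueError("region must be at most 128 characters")
    if not 0 <= offset <= 2000000:
        raise ValueError("offset must be between 0 and 2000000")
    if not 10 <= limit <= 1000:
        raise ValueError("limit must be between 10 and 1000")

    params = {"offset": offset, "limit": limit}
    if enterprise_project_id is not None:
        if len(enterprise_project_id) > 64:
            raise ValueError("enterprise_project_id is at most 64 characters")
        # "all_granted_eps" queries every enterprise project the token can see.
        params["enterprise_project_id"] = enterprise_project_id
    if hash_value is not None:
        if not SHA256_RE.match(hash_value):
            raise ValueError("hash must be a 64-character hexadecimal SHA-256 digest")
        params["hash"] = hash_value
    if event_type is not None:
        if not 1000 <= event_type <= 30000:
            raise ValueError("event_type must be between 1000 and 30000")
        params["event_type"] = event_type

    url = "https://%s%s?%s" % (endpoint,
                               PATH_TEMPLATE.format(project_id=project_id),
                               urlencode(params))
    headers = {"x-auth-token": token, "region": region}
    return url, headers


def fetch_alarm_whitelist_page(url, headers, timeout=30):
    """Send the request and return the decoded JSON body.

    This is the only function that touches the network; the builder above can
    be unit-tested without it.
    """
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))
```

Keep the token out of logs and command lines: it is a bearer credential for the whole project, and the page's maximum length of 32768 means it will not fit in many log fields anyway.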

Response Parameters

Status code: 200

Table 4 Response body parameters

Parameter

Type

Description

total_num

Integer

Total number of whitelist records

event_type_list

Array of integers

Event types that can be used as event_type filter values

Minimum: 0

Maximum: 2147483647

Array Length: 0 - 30000

data_list

Array of AlarmWhiteListResponseInfo objects

Alarm whitelist details

Array Length: 0 - 100

Table 5 AlarmWhiteListResponseInfo

Parameter

Type

Description

enterprise_project_name

String

Enterprise project name

hash

String

SHA-256 digest (64 hexadecimal characters)

description

String

Description

event_type

Integer

Event type. Its value can be:

  • 1001: common malware

  • 1002: virus

  • 1003: worm

  • 1004: Trojan

  • 1005: botnet

  • 1006: backdoor

  • 1010: rootkit

  • 1011: ransomware

  • 1012: hacker tool

  • 1015: web shell

  • 1016: mining

  • 1017: reverse shell

  • 2001: common vulnerability exploit

  • 2012: remote code execution

  • 2047: Redis vulnerability exploit

  • 2048: Hadoop vulnerability exploit

  • 2049: MySQL vulnerability exploit

  • 3002: file privilege escalation

  • 3003: process privilege escalation

  • 3004: critical file change

  • 3005: file/directory change

  • 3007: abnormal process behavior

  • 3015: high-risk command execution

  • 3018: abnormal shell

  • 3027: suspicious crontab task

  • 3029: system protection disabled

  • 3030: backup deletion

  • 3031: suspicious registry operations

  • 3036: container image blocking

  • 4002: brute-force attack

  • 4004: abnormal login

  • 4006: invalid accounts

  • 4014: account added

  • 4020: password theft

  • 6002: port scan

  • 6003: server scan

  • 13001: Kubernetes event deletion

  • 13002: abnormal pod behavior

  • 13003: enumerating user information

  • 13004: cluster role binding

white_field

String

Whitelist field that the entry matches on. The options are as follows:

  • "file/process hash": file or process hash

  • "file_path": file path

  • "process_path": process path

  • "login_ip": login IP address

  • "reg_key": registry key

  • "process_cmdline": process command line

  • "username": user name

Minimum: 1

Maximum: 20

field_value

String

Value of the whitelist field

Minimum: 1

Maximum: 128

judge_type

String

Matching mode for field_value. The options are as follows:

  • "equal"

  • "contain"

Minimum: 1

Maximum: 10

update_time

Integer

Update time, as a Unix timestamp in milliseconds

Example Requests

Query the first 10 alarm whitelist entries of the enterprise project xxx.

GET https://{endpoint}/v5/{project_id}/event/white-list/alarm?limit=10&offset=0&enterprise_project_id=xxx

Example Responses

Status code: 200

Alarm whitelist

{
  "data_list" : [ {
    "enterprise_project_name" : "All projects",
    "event_type" : 1001,
    "hash" : "9ab079e5398cba3a368ccffbd478f54c5ec3edadf6284ec049a73c36419f1178",
    "description" : "/opt/cloud/3rdComponent/install/jre-8u201/bin/java",
    "update_time" : 1665715677307,
    "white_field" : "process/file hash",
    "judge_type" : "contain",
    "field_value" : "abcd12345612311112212323"
  } ],
  "event_type_list" : [ 1001 ],
  "total_num" : 1
}
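A whitelist entry suppresses alarms, so each one is a deliberate detection gap and worth reviewing. The code below, added here as an example and not part of HSS or this documentation, pages through the whole list using offset/limit and total_num from the response table, then applies a few review heuristics of its own (a hash entry matched by "contain" rather than "equal"; substring matches on paths, command lines, accounts or addresses; very short patterns). fetch_page(offset, limit) is any callable returning the decoded JSON body of one call to this API; the stand-in fetch_sample_page serves a constructed list whose first entry is the example response above and whose other entries are made up, so the logic runs offline.

```python
"""Page through the alarm whitelist and flag entries that deserve review.

Added example, not HSS code. The audit heuristics are this example's own,
not rules stated by the API. Sample data below is constructed; only the
first entry is copied from the page's example response.
"""

# Both spellings of the hash field appear on the page (table and example).
HASH_FIELDS = {"file/process hash", "process/file hash"}
PATH_LIKE_FIELDS = {"file_path", "process_path", "process_cmdline"}


def iter_alarm_whitelist(fetch_page, limit=100):
    """Yield each AlarmWhiteListResponseInfo object across all pages.

    Advances offset by the number of records received until total_num is
    reached; also stops on an empty page so an overstated total_num cannot
    make the loop run forever.
    """
    offset, total = 0, None
    while True:
        body = fetch_page(offset, limit)
        items = body.get("data_list") or []
        if total is None:
            total = int(body.get("total_num", 0))
        for item in items:
            yield item
        offset += len(items)
        if not items or offset >= total:
            break


def is_sha256_hex(value):
    """True for a 64-character hexadecimal string."""
    return len(value) == 64 and all(c in "0123456789abcdefABCDEF" for c in value)


def audit_entry(entry):
    """Return the reasons one entry deserves review (empty list means none)."""
    field = entry.get("white_field", "")
    value = entry.get("field_value", "")
    mode = entry.get("judge_type", "")
    findings = []
    if field in HASH_FIELDS:
        if not is_sha256_hex(entry.get("hash", "")):
            findings.append("hash entry without a 64-hex SHA-256 digest in 'hash'")
        if mode == "contain":
            findings.append("hash matched by substring instead of exactly")
    if mode == "contain" and field in PATH_LIKE_FIELDS:
        findings.append("substring match on %s silences every alarm whose %s contains %r"
                        % (field, field, value))
    if mode == "contain" and field in ("username", "login_ip"):
        findings.append("substring match on %s can cover unintended accounts or addresses" % field)
    if field in PATH_LIKE_FIELDS and len(value) < 8:
        findings.append("very short %s pattern %r" % (field, value))
    return findings


def audit_alarm_whitelist(fetch_page, limit=100):
    """Return {(event_type, white_field, field_value): findings} for entries to review."""
    report = {}
    for entry in iter_alarm_whitelist(fetch_page, limit=limit):
        findings = audit_entry(entry)
        if findings:
            key = (entry.get("event_type"), entry.get("white_field"), entry.get("field_value"))
            report[key] = findings
    return report


# Constructed sample list: entry 1 is the page's example response; 2 and 3 are made up.
SAMPLE_ENTRIES = [
    {"enterprise_project_name": "All projects", "event_type": 1001,
     "hash": "9ab079e5398cba3a368ccffbd478f54c5ec3edadf6284ec049a73c36419f1178",
     "description": "/opt/cloud/3rdComponent/install/jre-8u201/bin/java",
     "update_time": 1665715677307, "white_field": "process/file hash",
     "judge_type": "contain", "field_value": "abcd12345612311112212323"},
    {"enterprise_project_name": "All projects", "event_type": 3015, "hash": "",
     "description": "ops tooling", "update_time": 1665715677307,
     "white_field": "process_cmdline", "judge_type": "contain", "field_value": "bash"},
    {"enterprise_project_name": "All projects", "event_type": 4002, "hash": "",
     "description": "jump host", "update_time": 1665715677307,
     "white_field": "login_ip", "judge_type": "equal", "field_value": "192.0.2.10"},
]


def fetch_sample_page(offset, limit):
    """Stand-in for the real API call: serves SAMPLE_ENTRIES in limit-sized pages."""
    return {"total_num": len(SAMPLE_ENTRIES),
            "event_type_list": sorted({e["event_type"] for e in SAMPLE_ENTRIES}),
            "data_list": SAMPLE_ENTRIES[offset:offset + limit]}
```

Run the audit with a small limit to exercise the paging path; in production pass a fetch_page that wraps the real request with the x-auth-token and region headers, and treat every reported key as a ticket to justify or remove.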

Status Codes

Status Code

Description

200

Alarm whitelist

Error Codes

See Error Codes.