Querying the Detected Intrusion List

project_id

Yes

String

Project ID

category

Yes

String

Event category. Its value can be:

• host: host security event

• container: container security event

enterprise_project_id

No

String

Enterprise project ID. To query all enterprise projects, set this parameter to all_granted_eps.

last_days

No

Integer

Number of days to be queried. This parameter is mutually exclusive with begin_time and end_time.

host_name

No

String

Server name

host_id

No

String

Host ID

private_ip

No

String

Server IP address

container_name

No

String

Container instance name

offset

No

Integer

Offset, which specifies the start position of the record to be returned. The value must be a number no less than 0.

limit

No

Integer

Number of records displayed on each page

event_types

No

Array of integers

Intrusion type. Its value can be:

• 1001: Malware

• 1010: Rootkit

• 1011: Ransomware

• 1015: Web shell

• 1017: Reverse shell

• 2001: Common vulnerability exploit

• 3002: File privilege escalation

• 3003: Process privilege escalation

• 3004: Important file change

• 3005: File/Directory change

• 3007: Abnormal process behavior

• 3015: High-risk command execution

• 3018: Abnormal shell

• 3027: Suspicious crontab tasks

• 4002: Brute-force attack

• 4004: Abnormal login

• 4006: Invalid system account

handle_status

No

String

Status. Its value can be:

• unhandled

• handled

severity

No

String

Threat level. Its value can be:

• Security

• Low

• Medium

• High

• Critical

begin_time

No

String

Customized start time of a segment. The timestamp is accurate to seconds. The begin_time should be no more than two days earlier than the end_time. This parameter is mutually exclusive with the queried duration.

end_time

No

String

Customized end time of a segment. The timestamp is accurate to seconds. The begin_time should be no more than two days earlier than the end_time. This parameter is mutually exclusive with the queried duration.

X-Auth-Token

Yes

String

IAM token.

It can be obtained by calling the IAM API used to obtain an IAM token. The value of X-Subject-Token in the response header is a token.

region

Yes

String

Region ID

total_num

Integer

Total number of alarm events

data_list

Array of EventManagementResponseInfo objects

Event list

event_id

String

Event ID

event_class_id

String

Event category. Its value can be:

• container_1001: Container namespace

• container_1002: Container open port

• container_1003: Container security option

• container_1004: Container mount directory

• containerescape_0001: High-risk system call

• containerescape_0002: Shocker attack

• containerescape_0003: Dirty Cow attack

• containerescape_0004: Container file escape

• dockerfile_001: Modification of user-defined protected container file

• dockerfile_002: Modification of executable files in the container file system

• dockerproc_001: Abnormal container process

• fileprotect_0001: File privilege escalation

• fileprotect_0002: Key file change

• fileprotect_0003: AuthorizedKeysFile path change

• fileprotect_0004: File directory change

• login_0001: Brute-force attack attempt

• login_0002: Brute-force attack succeeded

• login_1001: Succeeded login

• login_1002: Remote login

• login_1003: Weak password

• malware_0001: Shell change

• malware_0002: Reverse shell

• malware_1001: Malicious program

• procdet_0001: Abnormal process behavior

• procdet_0002: Process privilege escalation

• procreport_0001: High-risk command

• user_1001: Account change

• user_1002: Unsafe account

• vmescape_0001: Sensitive command executed on VM

• vmescape_0002: Sensitive file accessed by virtualization process

• vmescape_0003: Abnormal VM port access

• webshell_0001: Web shell

• network_1001: Mining

• network_1002: DDoS attacks

• network_1003: Malicious scanning

• network_1004: Attack in sensitive areas

• crontab_1001: Suspicious crontab task

event_type

Integer

Intrusion type. Its value can be:

• 1001: Malware

• 1010: Rootkit

• 1011: Ransomware

• 1015: Web shell

• 1017: Reverse shell

• 2001: Common vulnerability exploit

• 3002: File privilege escalation

• 3003: Process privilege escalation

• 3004: Important file change

• 3005: File/Directory change

• 3007: Abnormal process behavior

• 3015: High-risk command execution

• 3018: Abnormal shell

• 3027: Suspicious crontab tasks

• 4002: Brute-force attack

• 4004: Abnormal login

• 4006: Invalid system account

event_name

String

Event name

severity

String

Threat level. Its value can be:

• Security

• Low

• Medium

• High

• Critical

container_name

String

Container instance name. This API is available only for container alarms.

image_name

String

Image name. This API is available only for container alarms.

host_name

String

Server name

host_id

String

Host ID

private_ip

String

Server private IP address

public_ip

String

Elastic IP address

os_type

String

OS type. Its value can be:

• Linux

• Windows

host_status

String

Server status. The options are as follows:

• ACTIVE

• SHUTOFF

• BUILDING

• ERROR

agent_status

String

Agent status. Its value can be:

• installed

• not_installed

• online

• offline

• install_failed

• installing

protect_status

String

Protection status. Its value can be:

• closed

• opened

asset_value

String

Asset importance. The options are as follows:

• important

• common

• test

attack_phase

String

Attack phase. Its value can be:

• reconnaissance

• weaponization

• delivery

• exploit

• installation

• command_and_control

• actions

attack_tag

String

Attack tag. Its value can be:

• attack_success

• attack_attempt

• attack_blocked

• abnormal_behavior

• collapsible_host

• system_vulnerability

occur_time

Integer

Occurrence time, accurate to milliseconds.

handle_time

Integer

Handling time, in milliseconds. This API is available only for handled alarms.

handle_status

String

Processing status. Its value can be:

• unhandled

• handled

handle_method

String

Handling method. This API is available only for handled alarms. The options are as follows:

• mark_as_handled

• ignore

• add_to_alarm_whitelist

• add_to_login_whitelist

• isolate_and_kill

handler

String

Remarks. This API is available only for handled alarms.

operate_accept_list

Array of strings

Supported processing operation

operate_detail_list

Array of EventDetailResponseInfo objects

Operation details list (not displayed on the page)

forensic_info

Object

Attack information, in JSON format.

resource_info

EventResourceResponseInfo object

Resource information

geo_info

Object

Geographical location, in JSON format.

malware_info

Object

Malware information, in JSON format.

network_info

Object

Network information, in JSON format.

app_info

Object

Application information, in JSON format.

system_info

Object

System information, in JSON format.

extend_info

Object

Extended event information, in JSON format

recommendation

String

Handling suggestions

process_info_list

Array of EventProcessResponseInfo objects

Process information list

user_info_list

Array of EventUserResponseInfo objects

User information list

file_info_list

Array of EventFileResponseInfo objects

File information list

event_details

String

Brief description of the event.

agent_id

String

Agent ID

process_pid

Integer

Process ID

is_parent

Boolean

Whether a process is a parent process

file_hash

String

File hash

file_path

String

File path

file_attr

String

File attribute

private_ip

String

Server private IP address

login_ip

String

Login source IP address

login_user_name

String

Login username

keyword

String

Alarm event keyword, which is used only for the alarm whitelist.

hash

String

Alarm event hash, which is used only for the alarm whitelist.

domain_id

String

User account ID

project_id

String

Project ID

enterprise_project_id

String

Enterprise project ID

region_name

String

Region name

vpc_id

String

VPC ID

cloud_id

String

ECS ID

vm_name

String

VM name

vm_uuid

String

Specifies the VM UUID, that is, the server ID.

container_id

String

Container ID

image_id

String

Image ID

image_name

String

Image name

host_attr

String

Host attribute

service

String

Service

micro_service

String

Microservice

sys_arch

String

System CPU architecture

os_bit

String

OS bit version

os_type

String

OS type

os_name

String

OS name

os_version

String

OS version

process_name

String

Process name

process_path

String

Process file path

process_pid

Integer

Process ID

process_uid

Integer

Process user ID

process_username

String

Process username

process_cmdline

String

Process file command line

process_filename

String

Process file name

process_start_time

Long

Process start time

process_gid

Integer

Process group ID

process_egid

Integer

Valid process group ID

process_euid

Integer

Valid process user ID

parent_process_name

String

Parent process name

parent_process_path

String

Parent process file path

parent_process_pid

Integer

Parent process ID

parent_process_uid

Integer

Parent process user ID

parent_process_cmdline

String

Parent process file command line

parent_process_filename

String

Parent process file name

parent_process_start_time

Long

Parent process start time

parent_process_gid

Integer

Parent process group ID

parent_process_egid

Integer

Valid parent process group ID

parent_process_euid

Integer

Valid parent process user ID

child_process_name

String

Subprocess name

child_process_path

String

Subprocess file path

child_process_pid

Integer

Subprocess ID

child_process_uid

Integer

Subprocess user ID

child_process_cmdline

String

Subprocess file command line

child_process_filename

String

Subprocess file name

child_process_start_time

Long

Subprocess start time

child_process_gid

Integer

Subprocess group ID

child_process_egid

Integer

Valid subprocess group ID

child_process_euid

Integer

Valid subprocess user ID

virt_cmd

String

Virtualization command

virt_process_name

String

Virtualization process name

escape_mode

String

Escape mode

escape_cmd

String

Commands executed after escape

process_hash

String

Process startup file hash

user_id

Integer

User UID

user_gid

Integer

User GID

user_name

String

User name

user_group_name

String

User group name

user_home_dir

String

User home directory

login_ip

String

User login IP address

service_type

String

Service type. The options are as follows:

• system

• mysql

• redis

service_port

Integer

Login service port

login_mode

Integer

Login mode

login_last_time

Long

Last login time

login_fail_count

Integer

Number of failed login attempts

pwd_hash

String

Password hash

pwd_with_fuzzing

String

Masked password

pwd_used_days

Integer

Password age (days)

pwd_min_days

Integer

Minimum password validity period

pwd_max_days

Integer

Maximum password validity period

pwd_warn_left_days

Integer

Advance warning of password expiration (days)

file_path

String

File path

file_alias

String

File alias

file_size

Integer

File size

file_mtime

Long

Time when a file was last modified

file_atime

Long

Time when a file was last accessed

file_ctime

Long

Time when the status of a file was last changed

file_hash

String

The hash value calculated using the SHA256 algorithm.

file_md5

String

File MD5

file_sha256

String

File SHA256

file_type

String

File type

file_content

String

File content

file_attr

String

File attribute

file_operation

Integer

File operation type

file_action

String

File action

file_change_attr

String

Old/New attribute

file_new_path

String

New file path

file_desc

String

File description

file_key_word

String

File keyword

is_dir

Boolean

Whether it is a directory

fd_info

String

File handle information

fd_count

Integer

Number of file handles

200

intrusion list