Querying the Associated Data Object List
Function
Querying the Associated Data Object List
Calling Method
For details, see Calling APIs.
URI
POST /v1/{project_id}/workspaces/{workspace_id}/soc/{dataclass_type}/{data_object_id}/{related_dataclass_type}/search
Path parameters
| Parameter | Mandatory | Type | Description | 
|---|---|---|---|
| project_id | Yes | String | Project ID. | 
| workspace_id | Yes | String | Workspace ID. | 
| dataclass_type | Yes | String | Data class to which the subject data object (the object whose associations are queried) belongs. The value is plural in lowercase, for example, "alerts" and "incidents". | 
| data_object_id | Yes | String | ID of the subject data object. | 
| related_dataclass_type | Yes | String | Data class of the related data objects to be searched. The value is plural in lowercase, for example, "alerts" and "incidents". | 
Request Parameters
Request header parameters
| Parameter | Mandatory | Type | Description | 
|---|---|---|---|
| X-Auth-Token | Yes | String | User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is the token. | 
| content-type | Yes | String | Content type. | 
Request body parameters
| Parameter | Mandatory | Type | Description | 
|---|---|---|---|
| limit | No | Integer | Number of records displayed on each page. | 
| offset | No | Integer | Offset. | 
| sort_by | No | String | Sorting field: create_time or update_time. | 
| order | No | String | Sort order: DESC or ASC. | 
| from_date | No | String | Search start time, for example, 2023-02-20T00:00:00.000Z. | 
| to_date | No | String | Search end time, for example, 2023-02-27T23:59:59.999Z. | 
| condition | No | condition object | Search condition expression. | 
condition object
| Parameter | Mandatory | Type | Description | 
|---|---|---|---|
| conditions | No | Array of conditions objects | Expression list. | 
| logics | No | Array of strings | Expression logic. | 
Response Parameters
Status code: 200
Response header parameters
| Parameter | Type | Description | 
|---|---|---|
| X-request-id | String | Request ID, in the format request_uuid-timestamp-hostname. | 
Response body parameters
| Parameter | Type | Description | 
|---|---|---|
| code | String | Error code. | 
| message | String | Error message. | 
| total | Integer | Total number of matching records. | 
| limit | Integer | Number of records displayed on each page. | 
| offset | Integer | Offset. | 
| success | Boolean | Whether the request succeeded. | 
| data | Array of DataObjectDetail objects | List of matching data objects. | 
DataObjectDetail object
| Parameter | Type | Description | 
|---|---|---|
| create_time | String | Recording time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. | 
| data_object | DataObject object | Alert entity information. | 
| dataclass_ref | dataclass_ref object | Data class object. | 
| format_version | Integer | Format version. | 
| id | String | Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters. | 
| project_id | String | ID of the current project. | 
| update_time | String | Update time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. | 
| version | Integer | Version. | 
| workspace_id | String | ID of the current workspace. | 
DataObject object
| Parameter | Type | Description | 
|---|---|---|
| version | String | Version of the data source of the alert. The value must be one officially released by the Cloud SSA service. | 
| id | String | Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters. | 
| domain_id | String | ID of the account (domain_id) to which the data is delivered and hosted. | 
| region_id | String | ID of the region to which the account that receives and hosts the data belongs. | 
| workspace_id | String | ID of the current workspace. | 
| environment | environment object | Coordinates of the environment where the alert was generated. | 
| datasource | datasource object | Source from which the data was first reported. | 
| first_observed_time | String | First discovery time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. | 
| last_observed_time | String | Last observed time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. | 
| create_time | String | Recording time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. | 
| arrive_time | String | Data receiving time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. | 
| title | String | Alert title. | 
| description | String | Alert description. | 
| source_url | String | Alert URL, which points to the page describing the current incident in the data source product. | 
| count | Integer | Number of incident occurrences. | 
| confidence | Integer | Incident confidence, which describes how accurately the behavior or incident was identified. Value range: 0 to 100, where 0 means 0% confidence and 100 means 100% confidence. | 
| severity | String | Severity level. Value range: Tips, Low, Medium, High, or Fatal. | 
| criticality | Integer | Criticality, which specifies the importance level of the resources involved in an incident. Value range: 0 to 100, where 0 indicates that the resource is not critical and 100 indicates that it is critical. | 
| alert_type | alert_type object | Alert classification. For details, see the Alert Type Definition. | 
| network_list | Array of network_list objects | Network information. | 
| resource_list | Array of resource_list objects | Affected resources. | 
| remediation | remediation object | Remedy measure. | 
| verification_state | String | Verification status, which identifies the accuracy of an incident. The options are Unknown, True_Positive, and False_Positive. The default is Unknown. | 
| handle_status | String | Incident handling status. | 
| sla | Integer | Risk close time: the acceptable risk duration, in hours. | 
| update_time | String | Update time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the alert occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. | 
| close_time | String | Closing time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. | 
| ipdrr_phase | String | Handling phase. Values: Preparation \| Detection and Analysis \| Containm,Eradication& Recovery \| Post-Incident-Activity. | 
| simulation | String | Debugging field. | 
| actor | String | Alert investigator. | 
| owner | String | Owner and service owner. | 
| creator | String | Creator. | 
| close_reason | String | Close reason. | 
| close_comment | String | Comment entered when the alert was closed. | 
| malware | malware object | Malware. | 
| system_info | Object | System information. | 
| process | Array of process objects | Process information. | 
| user_info | Array of user_info objects | User details. | 
| file_info | Array of file_info objects | File information. | 
environment object
| Parameter | Type | Description | 
|---|---|---|
| vendor_type | String | Environment provider. | 
| domain_id | String | Tenant ID. | 
| region_id | String | Region ID. global is returned for global services. | 
| cross_workspace_id | String | ID of the source workspace for the data delivery. If the source workspace ID is null, the destination workspace account ID is used. | 
| project_id | String | Project ID. The default value is null for global services. | 
datasource object
| Parameter | Type | Description | 
|---|---|---|
| source_type | Integer | Data source type. The options are: 1 (cloud product), 2 (third-party product), and 3 (tenant product). | 
| domain_id | String | Account ID to which the data source product belongs. | 
| project_id | String | ID of the project to which the data source product belongs. | 
| region_id | String | Region where the data source is located, for example, cn-north1. For details about the value range, see Regions and Endpoints. | 
| company_name | String | Name of the company to which the data source belongs. | 
| product_name | String | Name of the data source. | 
| product_feature | String | Name of the product feature that detected the incident. | 
| product_module | String | Threat detection module list. | 
network_list object
| Parameter | Type | Description | 
|---|---|---|
| direction | String | Direction. The value can be IN or OUT. | 
| protocol | String | Protocol, including Layer 7 and Layer 4 protocols. For details, see the IANA registered names at https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml. | 
| src_ip | String | Source IP address. | 
| src_port | Integer | Source port. The value ranges from 0 to 65535. | 
| src_domain | String | Source domain name. | 
| src_geo | src_geo object | Geographical location of the source IP address. | 
| dest_ip | String | Destination IP address. | 
| dest_port | String | Destination port. The value ranges from 0 to 65535. | 
| dest_domain | String | Destination domain name. | 
| dest_geo | dest_geo object | Geographical location of the destination IP address. | 
src_geo object
| Parameter | Type | Description | 
|---|---|---|
| latitude | Number | Latitude. | 
| longitude | Number | Longitude. | 
| city_code | String | City code, for example, Beijing or Shanghai. | 
| country_code | String | Country code as defined in ISO 3166-1 alpha-2, for example, CN, US, DE, IT, or SG. | 
dest_geo object
| Parameter | Type | Description | 
|---|---|---|
| latitude | Number | Latitude. | 
| longitude | Number | Longitude. | 
| city_code | String | City code, for example, Beijing or Shanghai. | 
| country_code | String | Country code as defined in ISO 3166-1 alpha-2, for example, CN, US, DE, IT, or SG. | 
resource_list object
| Parameter | Type | Description | 
|---|---|---|
| id | String | Cloud service resource ID. | 
| name | String | Resource name. | 
| type | String | Resource type. This parameter references the RMS type value on Cloud. | 
| provider | String | Cloud service name, which is the same as the provider field in the RMS service. | 
| region_id | String | Region ID in Cloud, for example, cn-north-1. | 
| domain_id | String | ID of the account to which the resource belongs, in UUID format. | 
| project_id | String | ID of the project to which the resource belongs, in UUID format. | 
| ep_id | String | Enterprise project ID. | 
| ep_name | String | Enterprise project name. | 
| tags | String | Resource tags. | 
remediation object
| Parameter | Type | Description | 
|---|---|---|
| recommendation | String | Recommended solution. | 
| url | String | Link to the general fix information for the incident. The URL must be accessible from the public network with no credentials required. | 
malware object
| Parameter | Type | Description | 
|---|---|---|
| malware_family | String | Malware family. | 
| malware_class | String | Malware category. | 
process object
| Parameter | Type | Description | 
|---|---|---|
| process_name | String | Process name. | 
| process_path | String | Process executable file path. | 
| process_pid | Integer | Process ID. | 
| process_uid | Integer | Process user ID. | 
| process_cmdline | String | Process command line. | 
| process_parent_name | String | Parent process name. | 
| process_parent_path | String | Parent process executable file path. | 
| process_parent_pid | Integer | Parent process ID. | 
| process_parent_uid | Integer | Parent process user ID. | 
| process_parent_cmdline | String | Parent process command line. | 
| process_child_name | String | Child process name. | 
| process_child_path | String | Child process executable file path. | 
| process_child_pid | Integer | Child process ID. | 
| process_child_uid | Integer | Child process user ID. | 
| process_child_cmdline | String | Child process command line. | 
| process_launche_time | String | Process launch time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. | 
| process_terminate_time | String | Process end time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. | 
file_info object
| Parameter | Type | Description | 
|---|---|---|
| file_path | String | File path/name. | 
| file_content | String | File content. | 
| file_new_path | String | New file path/name. | 
| file_hash | String | File hash. | 
| file_md5 | String | File MD5. | 
| file_sha256 | String | File SHA256. | 
| file_attr | String | File attribute. | 
dataclass_ref object
| Parameter | Type | Description | 
|---|---|---|
| id | String | Unique identifier of a data class. The value is in UUID format and can contain a maximum of 36 characters. | 
| name | String | Data class name. | 
Status code: 400
Response header parameters
| Parameter | Type | Description | 
|---|---|---|
| X-request-id | String | Request ID, in the format request_uuid-timestamp-hostname. | 
Response body parameters
| Parameter | Type | Description | 
|---|---|---|
| code | String | Error code. | 
| message | String | Error description. | 
Example Requests
Query the associated data object list, starting at offset 10 and returning three records.
```json
{
  "limit" : 3,
  "offset" : 10
}
```
Example Responses
Status code: 200
Response body for querying associated data objects.
```json
{
  "code" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
  "message" : "Error message",
  "total" : 41,
  "limit" : 3,
  "offset" : 10,
  "data" : null
}
```
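The following Python client is an added example, not code from the original page or from the Cloud SSA/SecMaster service. It builds the request described above (path parameters, X-Auth-Token header, body with limit/offset/sort_by/order/from_date/to_date/condition), validates the enumerated body values client-side, percent-encodes every path segment so that an identifier containing "/" or ".." cannot change which resource the request reaches, and pages through the result set using the total/limit/offset fields of the response. The endpoint host, the environment variable name SECMASTER_TOKEN, and the fake transport and sample rows used in the demo are all constructed assumptions; the HTTP transport is injectable so the paging logic runs offline.

```python
# Added example: client for the related-data-object search endpoint documented above.
# Assumptions (not from the page): the endpoint host, the SECMASTER_TOKEN env var,
# and the constructed fake transport/sample rows used by demo().
import json
import os
import urllib.request
from urllib.parse import quote

SORT_FIELDS = {"create_time", "update_time"}  # sort_by values from the request table
SORT_ORDERS = {"DESC", "ASC"}                 # order values from the request table


def build_search_url(endpoint, project_id, workspace_id, dataclass_type,
                     data_object_id, related_dataclass_type):
    """Assemble the POST URI. Every path segment is percent-encoded with safe=""
    so a caller-supplied ID containing '/' or '..' stays a single segment."""
    segments = [project_id, workspace_id, "soc", dataclass_type,
                data_object_id, related_dataclass_type, "search"]
    return endpoint.rstrip("/") + "/v1/" + "/".join(quote(s, safe="") for s in segments)


def build_search_body(limit=None, offset=None, sort_by=None, order=None,
                      from_date=None, to_date=None, condition=None):
    """Build the request body. Only parameters that are set are sent; enumerated
    values and the paging integers are validated before anything leaves the host."""
    if sort_by is not None and sort_by not in SORT_FIELDS:
        raise ValueError(f"sort_by must be one of {sorted(SORT_FIELDS)}")
    if order is not None and order not in SORT_ORDERS:
        raise ValueError(f"order must be one of {sorted(SORT_ORDERS)}")
    if limit is not None and limit <= 0:
        raise ValueError("limit must be a positive integer")
    if offset is not None and offset < 0:
        raise ValueError("offset must not be negative")
    body = {"limit": limit, "offset": offset, "sort_by": sort_by, "order": order,
            "from_date": from_date, "to_date": to_date, "condition": condition}
    return {k: v for k, v in body.items() if v is not None}


def http_post_json(url, body, token=None):
    """Real transport: POST the JSON body with the X-Auth-Token header.
    The token is read from the environment (assumed variable name), never hard-coded."""
    token = token or os.environ["SECMASTER_TOKEN"]
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"X-Auth-Token": token, "content-type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_related_objects(fetch, url, page_size=100, **filters):
    """Yield every matching DataObjectDetail by walking pages with offset/limit.
    `fetch(url, body)` returns the decoded response dict; injecting it keeps the
    paging logic testable offline. A null `data` (as in the page's sample response)
    is treated as an empty page so the loop always terminates."""
    offset = 0
    while True:
        page = fetch(url, build_search_body(limit=page_size, offset=offset, **filters))
        if not page.get("success", False):
            raise RuntimeError(f"search failed: {page.get('code')} {page.get('message')}")
        data = page.get("data") or []
        for item in data:
            yield item
        offset += len(data)
        if not data or offset >= page.get("total", 0):
            break


def fake_fetch_factory(objects):
    """Constructed offline transport (not a real server): serves `objects` in pages."""
    def fetch(url, body):
        start, size = body["offset"], body["limit"]
        return {"success": True, "total": len(objects), "limit": size,
                "offset": start, "data": objects[start:start + size]}
    return fetch


def demo():
    """Run the paging client against the constructed fake transport."""
    url = build_search_url("https://secmaster.example.com",  # constructed host
                           "proj-id", "ws-id", "incidents", "inc-0001", "alerts")
    sample = [{"id": f"alert-{i}"} for i in range(7)]        # constructed rows
    fetch = fake_fetch_factory(sample)
    return [o["id"] for o in iter_related_objects(
        fetch, url, page_size=3, sort_by="create_time", order="DESC")]


if __name__ == "__main__":
    print(demo())
    # Against the live service, pass the real transport instead of the fake one:
    # iter_related_objects(http_post_json, url, page_size=100)
```

The `fetch` parameter is the only thing that changes between the offline demo and a live run: `http_post_json` takes the same `(url, body)` arguments and adds the token from the environment, so the paging and validation code is exercised identically in both cases. The X-request-id response header is worth logging alongside any failure, since the page says it is the identifier support will ask for.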
Status Codes
| Status Code | Description | 
|---|---|
| 200 | Response body for querying associated data objects. | 
| 400 | Response body for failed requests for querying associated data objects. | 
Error Codes
See Error Codes.