Obtaining Details of an Incident
Function
This API is used to obtain details of an incident.
Calling Method
For details, see Calling APIs.
URI
GET /v1/{project_id}/workspaces/{workspace_id}/soc/incidents/{incident_id}
| Parameter | Mandatory | Type | Description | 
|---|---|---|---|
| project_id | Yes | String | Project ID. | 
| workspace_id | Yes | String | Workspace ID. | 
| incident_id | Yes | String | Incident ID. | 
Request Parameters
| Parameter | Mandatory | Type | Description | 
|---|---|---|---|
| X-Auth-Token | Yes | String | User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token. | 
| content-type | Yes | String | Content type. | 
Response Parameters
Status code: 200
| Parameter | Type | Description | 
|---|---|---|
| code | String | Error code. | 
| message | String | Error message. | 
| data | IncidentDetail object | Incident detail. | 
IncidentDetail object
| Parameter | Type | Description | 
|---|---|---|
| create_time | String | Recording time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. | 
| data_object | Incident object | Incident entity information. | 
| dataclass_ref | dataclass_ref object | Data class object. | 
| format_version | Integer | Format version. | 
| id | String | Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters. | 
| project_id | String | ID of the current project. | 
| update_time | String | Update time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. | 
| version | Integer | Version. | 
| workspace_id | String | ID of the current workspace. | 
Incident object
| Parameter | Type | Description | 
|---|---|---|
| version | String | Version of the data source of an incident. The version must be one officially released by the Cloud SSA service. | 
| id | String | Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters. | 
| domain_id | String | ID of the account (domain_id) to which the data is delivered and hosted. | 
| region_id | String | ID of the region to which the account hosting the delivered data belongs. | 
| workspace_id | String | ID of the current workspace. | 
| labels | String | Tag (display only). | 
| environment | environment object | Coordinates of the environment where the incident was generated. | 
| data_source | data_source object | Source from which the data is first reported. | 
| first_observed_time | String | First discovery time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. | 
| last_observed_time | String | Last discovery time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. | 
| create_time | String | Recording time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. | 
| arrive_time | String | Data receiving time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. | 
| title | String | Incident title. | 
| description | String | Incident description. | 
| source_url | String | Incident URL, which points to the page describing the current incident in the data source product. | 
| count | Integer | Number of incident occurrences. | 
| confidence | Integer | Incident confidence, which indicates the accuracy of an identified behavior or incident. Value range: 0 to 100, where 0 indicates 0% confidence and 100 indicates 100% confidence. | 
| severity | String | Severity level. Value range: Tips, Low, Medium, High, Fatal. | 
| criticality | Integer | Criticality, which specifies the importance level of the resources involved in an incident. Value range: 0 to 100, where 0 indicates that the resource is not critical and 100 indicates that it is critical. | 
| incident_type | incident_type object | Incident category. For details, see the Alert Incident Type Definition. | 
| network_list | Array of network_list objects | Network information. | 
| resource_list | Array of resource_list objects | Affected resources. | 
| remediation | remediation object | Remediation measure. | 
| verification_state | String | Verification status, which identifies the accuracy of an incident. The options are Unknown, True_Positive, and False_Positive. The default value is Unknown. | 
| handle_status | String | Incident handling status. The options are Open, Block, and Closed. The default value is Open. | 
| sla | Integer | Risk close time: the acceptable risk duration, in hours. | 
| update_time | String | Update time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. | 
| close_time | String | Closing time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. | 
| ipdrr_phase | String | Handling phase number. Value range: Preparation, Detection and Analysis, Containment/Eradication/Recovery, Post-Incident-Activity. | 
| simulation | String | Debugging field. | 
| actor | String | Incident investigator. | 
| owner | String | Owner and service owner. | 
| creator | String | Creator. | 
| close_reason | String | Close reason. The options are False positive, Resolved, Duplicate, and Others. | 
| close_comment | String | Comment entered when the incident is closed. | 
| malware | malware object | Malware information. | 
| system_info | Object | System information. | 
| process | Array of process objects | Process information. | 
| user_info | Array of user_info objects | User details. | 
| file_info | Array of file_info objects | File information. | 
| system_alert_table | Object | Layout fields in the incident list. | 
environment object
| Parameter | Type | Description | 
|---|---|---|
| vendor_type | String | Environment provider. | 
| domain_id | String | Tenant ID. | 
| region_id | String | Region ID. global is returned for global services. | 
| cross_workspace_id | String | ID of the source workspace for the data delivery. If the source workspace ID is null, the destination workspace account ID is used. | 
| project_id | String | Project ID. The default value is null for global services. | 
data_source object
| Parameter | Type | Description | 
|---|---|---|
| source_type | Integer | Data source type. The options are 1 (cloud product), 2 (third-party product), and 3 (tenant product). | 
| domain_id | String | Account ID to which the data source product belongs. | 
| project_id | String | ID of the project to which the data source product belongs. | 
| region_id | String | Region where the data source is located, for example, cn-north1. For details about the value range, see Regions and Endpoints. | 
| company_name | String | Name of the company to which a data source belongs. | 
| product_name | String | Name of the data source. | 
| product_feature | String | Name of the feature of the product that detects the incident. | 
| product_module | String | Threat detection module list. | 
incident_type object
| Parameter | Type | Description | 
|---|---|---|
| category | String | Type. | 
| incident_type | String | Incident type. | 
network_list object
| Parameter | Type | Description | 
|---|---|---|
| direction | String | Direction. The value can be IN or OUT. | 
| protocol | String | Protocol, including Layer 7 and Layer 4 protocols. Use the IANA registered name; see https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml. | 
| src_ip | String | Source IP address. | 
| src_port | Integer | Source port. The value ranges from 0 to 65535. | 
| src_domain | String | Source domain name. | 
| src_geo | src_geo object | Geographical location of the source IP address. | 
| dest_ip | String | Destination IP address. | 
| dest_port | String | Destination port. The value ranges from 0 to 65535. | 
| dest_domain | String | Destination domain name. | 
| dest_geo | dest_geo object | Geographical location of the destination IP address. | 
src_geo object
| Parameter | Type | Description | 
|---|---|---|
| latitude | Number | Latitude. | 
| longitude | Number | Longitude. | 
| city_code | String | City code. For example, Beijing or Shanghai. | 
| country_code | String | Country code. For details, see ISO 3166-1 alpha-2. For example, CN, US, DE, IT, or SG. | 
dest_geo object
| Parameter | Type | Description | 
|---|---|---|
| latitude | Number | Latitude. | 
| longitude | Number | Longitude. | 
| city_code | String | City code. For example, Beijing or Shanghai. | 
| country_code | String | Country code. For details, see ISO 3166-1 alpha-2. For example, CN, US, DE, IT, or SG. | 
resource_list object
| Parameter | Type | Description | 
|---|---|---|
| id | String | Cloud service resource ID. | 
| name | String | Resource name. | 
| type | String | Resource type. This parameter references the value of RMS type on Cloud. | 
| provider | String | Cloud service name, which is the same as the provider field in the RMS service. | 
| region_id | String | Region ID in Cloud, for example, cn-north-1. | 
| domain_id | String | ID of the account to which the resource belongs, in UUID format. | 
| project_id | String | ID of the project to which the resource belongs, in UUID format. | 
| ep_id | String | Enterprise project ID. | 
| ep_name | String | Enterprise project name. | 
| tags | String | Resource tag. | 
remediation object
| Parameter | Type | Description | 
|---|---|---|
| recommendation | String | Recommended solution. | 
| url | String | Link to the general fix information for the incident. The URL must be accessible from the public network with no credentials required. | 
malware object
| Parameter | Type | Description | 
|---|---|---|
| malware_family | String | Malware family. | 
| malware_class | String | Malware category. | 
process object
| Parameter | Type | Description | 
|---|---|---|
| process_name | String | Process name. | 
| process_path | String | Process execution file path. | 
| process_pid | Integer | Process ID. | 
| process_uid | Integer | Process user ID. | 
| process_cmdline | String | Process command line. | 
| process_parent_name | String | Parent process name. | 
| process_parent_path | String | Parent process execution file path. | 
| process_parent_pid | Integer | Parent process ID. | 
| process_parent_uid | Integer | Parent process user ID. | 
| process_parent_cmdline | String | Parent process command line. | 
| process_child_name | String | Subprocess name. | 
| process_child_path | String | Subprocess execution file path. | 
| process_child_pid | Integer | Subprocess ID. | 
| process_child_uid | Integer | Subprocess user ID. | 
| process_child_cmdline | String | Subprocess command line. | 
| process_launche_time | String | Process start time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. | 
| process_terminate_time | String | Process end time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Timezone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. | 
file_info object
| Parameter | Type | Description | 
|---|---|---|
| file_path | String | File path/name. | 
| file_content | String | File content. | 
| file_new_path | String | New file path/name. | 
| file_hash | String | File hash. | 
| file_md5 | String | File MD5. | 
| file_sha256 | String | File SHA256. | 
| file_attr | String | File attribute. | 
dataclass_ref object
| Parameter | Type | Description | 
|---|---|---|
| id | String | Unique identifier of a data class. The value is in UUID format and can contain a maximum of 36 characters. | 
| name | String | Data class name. | 
Status code: 400
| Parameter | Type | Description | 
|---|---|---|
| code | String | Error code. | 
| message | String | Error description. | 
Example Requests
None
Example Responses
Status code: 200
Response body for requests for obtaining incident details.
{
  "code" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
  "message" : "Error message",
  "data" : {
    "data_object" : {
      "version" : "1.0",
      "environment" : {
        "vendor_type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "data_source" : {
        "source_type" : 3,
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "first_observed_time" : "2021-01-30T23:00:00Z+0800",
      "last_observed_time" : "2021-01-30T23:00:00Z+0800",
      "create_time" : "2021-01-30T23:00:00Z+0800",
      "arrive_time" : "2021-01-30T23:00:00Z+0800",
      "title" : "MyXXX",
      "description" : "This my XXXX",
      "source_url" : "http://xxx",
      "count" : "4",
      "confidence" : 4,
      "severity" : "TIPS",
      "criticality" : 4,
      "incident_type" : { },
      "network_list" : [ {
        "direction" : {
          "IN" : null
        },
        "protocol" : "TCP",
        "src_ip" : "192.168.0.1",
        "src_port" : "1",
        "src_domain" : "xxx",
        "dest_ip" : "192.168.0.1",
        "dest_port" : "1",
        "dest_domain" : "xxx",
        "src_geo" : {
          "latitude" : 90,
          "longitude" : 180
        },
        "dest_geo" : {
          "latitude" : 90,
          "longitude" : 180
        }
      } ],
      "resource_list" : [ {
        "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "name" : "MyXXX",
        "type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_name" : "MyXXX",
        "tags" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      } ],
      "remediation" : {
        "recommendation" : "MyXXX",
        "url" : "MyXXX"
      },
      "verification_state" : "Unknown,True_Positive,False_Positive The default value is Unknown.",
      "handle_status" : "Open – enabled.Block – blocked.Closed – closed.The default value is Open.",
      "sla" : 60000,
      "update_time" : "2021-01-30T23:00:00Z+0800",
      "close_time" : "2021-01-30T23:00:00Z+0800",
      "ipdrr_phase" : "Prepartion|Detection and Analysis|Containm,Eradication& Recovery| Post-Incident-Activity",
      "simulation" : "false",
      "actor" : "Tom",
      "owner" : "MyXXX",
      "creator" : "MyXXX",
      "close_reason" : "False positive; Resolved; Duplicate; Others",
      "close_comment" : "False positive; Resolved; Duplicate; Others",
      "malware" : {
        "malware_family" : "family",
        "malware_class" : "Malicious memory occupation."
      },
      "system_info" : { },
      "process" : [ {
        "process_name" : "MyXXX",
        "process_path" : "MyXXX",
        "process_pid" : 123,
        "process_uid" : 123,
        "process_cmdline" : "MyXXX"
      } ],
      "user_info" : [ {
        "user_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "user_name" : "MyXXX"
      } ],
      "file_info" : [ {
        "file_path" : "MyXXX",
        "file_content" : "MyXXX",
        "file_new_path" : "MyXXX",
        "file_hash" : "MyXXX",
        "file_md5" : "MyXXX",
        "file_sha256" : "MyXXX",
        "file_attr" : "MyXXX"
      } ],
      "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca620"
    },
    "create_time" : "2021-01-30T23:00:00Z+0800",
    "update_time" : "2021-01-30T23:00:00Z+0800",
    "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
  }
}
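The following is an added example, not code from the SecMaster documentation or its SDK. It builds the GET request described under URI and Request Parameters (percent-encoding the path IDs and setting X-Auth-Token), then parses a 200 response body as laid out in Response Parameters: it applies the documented timestamp rule (explicit offset, otherwise the GMT+8 default), checks confidence and criticality against their 0 to 100 range, and normalizes severity against its value range. The endpoint host, the helper names and the placeholder token are assumptions; SAMPLE_BODY is trimmed from the page's own example response.

```python
# Added example (not from the SecMaster documentation or its SDK): build the
# GET request described above and parse the 200 response body. The endpoint
# host, the helper names and the token are illustrative assumptions;
# SAMPLE_BODY is trimmed from the page's own example response.
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SEVERITIES = {"tips", "low", "medium", "high", "fatal"}   # severity value range
DEFAULT_TZ = timezone(timedelta(hours=8))                 # documented GMT+8 fallback


def build_request(endpoint, project_id, workspace_id, incident_id, token):
    """Return a urllib Request for
    GET /v1/{project_id}/workspaces/{workspace_id}/soc/incidents/{incident_id}.
    Path parameters are percent-encoded with no safe characters, so a
    caller-supplied ID containing '/' or '..' cannot change the path."""
    parts = (urllib.parse.quote(p, safe="") for p in (project_id, workspace_id, incident_id))
    path = "/v1/{}/workspaces/{}/soc/incidents/{}".format(*parts)
    req = urllib.request.Request(endpoint.rstrip("/") + path, method="GET")
    req.add_header("X-Auth-Token", token)            # IAM user token
    req.add_header("Content-Type", "application/json")
    return req


# 'YYYY-MM-DDTHH:mm:ss.ms+Timezone' as documented; the example response writes
# the offset as 'Z+0800', so both a 'Z' and a '+HHMM' offset are accepted.
_TS = re.compile(
    r"^(?P<base>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(?P<frac>\d{1,6}))?"
    r"(?P<z>Z)?(?:(?P<sign>[+-])(?P<hh>\d{2}):?(?P<mm>\d{2}))?$")


def parse_time(value):
    """Parse an incident timestamp. An explicit offset wins; a bare 'Z' is
    UTC; a timestamp with no zone at all gets the documented GMT+8 default."""
    m = _TS.match(value or "")
    if not m:
        raise ValueError("unrecognised timestamp: %r" % (value,))
    dt = datetime.strptime(m["base"], "%Y-%m-%dT%H:%M:%S")
    if m["frac"]:
        dt = dt.replace(microsecond=int(m["frac"].ljust(6, "0")))
    if m["sign"]:
        off = timedelta(hours=int(m["hh"]), minutes=int(m["mm"]))
        tz = timezone(off if m["sign"] == "+" else -off)
    elif m["z"]:
        tz = timezone.utc
    else:
        tz = DEFAULT_TZ
    return dt.replace(tzinfo=tz)


def _percent(obj, key):
    """Read a 0-100 field (confidence, criticality); reject values outside the documented range."""
    v = int(obj.get(key, 0))
    if not 0 <= v <= 100:
        raise ValueError("%s=%r outside 0-100" % (key, v))
    return v


def parse_incident_detail(body):
    """Validate a 200 response body and return the fields a triage script needs."""
    doc = json.loads(body)
    data = doc.get("data")
    if not isinstance(data, dict) or not isinstance(data.get("data_object"), dict):
        raise ValueError("no data.data_object; code=%r message=%r"
                         % (doc.get("code"), doc.get("message")))
    inc = data["data_object"]
    severity = str(inc.get("severity", "")).lower()
    if severity not in SEVERITIES:
        raise ValueError("unexpected severity %r" % inc.get("severity"))
    return {
        "id": inc["id"],
        "title": inc.get("title"),
        "severity": severity.capitalize(),              # "TIPS" in the example -> "Tips"
        "confidence": _percent(inc, "confidence"),
        "criticality": _percent(inc, "criticality"),
        "count": int(inc.get("count", 0)),              # the example carries "4" as a string
        "first_observed": parse_time(inc["first_observed_time"]),
        "last_observed": parse_time(inc["last_observed_time"]),
        "network": [(n.get("src_ip"), n.get("dest_ip"), n.get("protocol"))
                    for n in inc.get("network_list", [])],
        "resources": [r.get("id") for r in inc.get("resource_list", [])],
    }


# Trimmed from the page's example response (IDs and names are the page's placeholders).
SAMPLE_BODY = json.dumps({
    "code": "909494e3-558e-46b6-a9eb-07a8e18ca62f", "message": "Error message",
    "data": {"data_object": {
        "id": "909494e3-558e-46b6-a9eb-07a8e18ca62f", "title": "MyXXX",
        "first_observed_time": "2021-01-30T23:00:00Z+0800",
        "last_observed_time": "2021-01-30T23:00:00Z+0800",
        "count": "4", "confidence": 4, "severity": "TIPS", "criticality": 4,
        "network_list": [{"protocol": "TCP", "src_ip": "192.168.0.1", "dest_ip": "192.168.0.1"}],
        "resource_list": [{"id": "909494e3-558e-46b6-a9eb-07a8e18ca62f"}]}}})

if __name__ == "__main__":
    req = build_request("https://secmaster.example.com", "my-project", "my-workspace",
                        "909494e3-558e-46b6-a9eb-07a8e18ca62f", "<token>")
    print(req.get_method(), req.full_url)
    print(parse_incident_detail(SAMPLE_BODY))
```

Rejecting out-of-range confidence, criticality and severity values early keeps a malformed or tampered response from silently flowing into downstream triage logic, and percent-encoding the path IDs means an incident ID taken from another system cannot rewrite the request path.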
Status Codes
| Status Code | Description | 
|---|---|
| 200 | Response body for requests for obtaining incident details. | 
| 400 | Response body for failed requests for obtaining incident details. | 
Error Codes
See Error Codes.