Querying the Detected Intrusion List

Function

This API is used to query the detected intrusion list.

URI

GET /v5/{project_id}/event/events

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Project ID

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
category	Yes	String	Event category. Its value can be: host: host security event container: container security event
enterprise_project_id	No	String	Enterprise project ID. To query all enterprise projects, set this parameter to all_granted_eps.
last_days	No	Integer	Number of days to be queried. This parameter is mutually exclusive with begin_time and end_time.
host_name	No	String	Server name
host_id	No	String	Host ID
private_ip	No	String	Server IP address
container_name	No	String	Container instance name
offset	No	Integer	Offset, which specifies the start position of the record to be returned. The value must be a number no less than 0.
limit	No	Integer	Number of records displayed on each page
event_types	No	Array of integers	Intrusion type. Its value can be: 1001: Malware 1010: Rootkit 1011: Ransomware 1015: Web shell 1017: Reverse shell 2001: Common vulnerability exploit 3002: File privilege escalation 3003: Process privilege escalation 3004: Important file change 3005: File/Directory change 3007: Abnormal process behavior 3015: High-risk command execution 3018: Abnormal shell 3027: Suspicious crontab tasks 4002: Brute-force attack 4004: Abnormal login 4006: Invalid system account
handle_status	No	String	Status. Its value can be: unhandled handled
severity	No	String	Threat level. Its value can be: Security Low Medium High Critical
begin_time	No	String	Customized start time of a segment. The timestamp is accurate to seconds. The begin_time should be no more than two days earlier than the end_time. This parameter is mutually exclusive with the queried duration.
end_time	No	String	Customized end time of a segment. The timestamp is accurate to seconds. The begin_time should be no more than two days earlier than the end_time. This parameter is mutually exclusive with the queried duration.

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	IAM token. It can be obtained by calling the IAM API used to obtain an IAM token. The value of X-Subject-Token in the response header is a token.
region	Yes	String	Region ID

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
total_num	Integer	Total number of alarm events
data_list	Array of EventManagementResponseInfo objects	Event list

**Table 5** EventManagementResponseInfo
Parameter	Type	Description
event_id	String	Event ID
event_class_id	String	Event category. Its value can be: container_1001: Container namespace container_1002: Container open port container_1003: Container security option container_1004: Container mount directory containerescape_0001: High-risk system call containerescape_0002: Shocker attack containerescape_0003: Dirty Cow attack containerescape_0004: Container file escape dockerfile_001: Modification of user-defined protected container file dockerfile_002: Modification of executable files in the container file system dockerproc_001: Abnormal container process fileprotect_0001: File privilege escalation fileprotect_0002: Key file change fileprotect_0003: AuthorizedKeysFile path change fileprotect_0004: File directory change login_0001: Brute-force attack attempt login_0002: Brute-force attack succeeded login_1001: Succeeded login login_1002: Remote login login_1003: Weak password malware_0001: Shell change malware_0002: Reverse shell malware_1001: Malicious program procdet_0001: Abnormal process behavior procdet_0002: Process privilege escalation procreport_0001: High-risk command user_1001: Account change user_1002: Unsafe account vmescape_0001: Sensitive command executed on VM vmescape_0002: Sensitive file accessed by virtualization process vmescape_0003: Abnormal VM port access webshell_0001: Web shell network_1001: Mining network_1002: DDoS attacks network_1003: Malicious scanning network_1004: Attack in sensitive areas crontab_1001: Suspicious crontab task
event_type	Integer	Intrusion type. Its value can be: 1001: Malware 1010: Rootkit 1011: Ransomware 1015: Web shell 1017: Reverse shell 2001: Common vulnerability exploit 3002: File privilege escalation 3003: Process privilege escalation 3004: Important file change 3005: File/Directory change 3007: Abnormal process behavior 3015: High-risk command execution 3018: Abnormal shell 3027: Suspicious crontab tasks 4002: Brute-force attack 4004: Abnormal login 4006: Invalid system account
event_name	String	Event name
severity	String	Threat level. Its value can be: Security Low Medium High Critical
container_name	String	Container instance name. This API is available only for container alarms.
image_name	String	Image name. This API is available only for container alarms.
host_name	String	Server name
host_id	String	Host ID
private_ip	String	Server private IP address
public_ip	String	Elastic IP address
os_type	String	OS type. Its value can be: Linux Windows
host_status	String	Server status. The options are as follows: ACTIVE SHUTOFF BUILDING ERROR
agent_status	String	Agent status. Its value can be: installed not_installed online offline install_failed installing
protect_status	String	Protection status. Its value can be: closed opened
asset_value	String	Asset importance. The options are as follows: important common test
attack_phase	String	Attack phase. Its value can be: reconnaissance weaponization delivery exploit installation command_and_control actions
attack_tag	String	Attack tag. Its value can be: attack_success attack_attempt attack_blocked abnormal_behavior collapsible_host system_vulnerability
occur_time	Integer	Occurrence time, accurate to milliseconds.
handle_time	Integer	Handling time, in milliseconds. This API is available only for handled alarms.
handle_status	String	Processing status. Its value can be: unhandled handled
handle_method	String	Handling method. This API is available only for handled alarms. The options are as follows: mark_as_handled ignore add_to_alarm_whitelist add_to_login_whitelist isolate_and_kill
handler	String	Remarks. This API is available only for handled alarms.
operate_accept_list	Array of strings	Supported processing operation
operate_detail_list	Array of EventDetailResponseInfo objects	Operation details list (not displayed on the page)
forensic_info	Object	Attack information, in JSON format.
resource_info	EventResourceResponseInfo object	Resource information
geo_info	Object	Geographical location, in JSON format.
malware_info	Object	Malware information, in JSON format.
network_info	Object	Network information, in JSON format.
app_info	Object	Application information, in JSON format.
system_info	Object	System information, in JSON format.
extend_info	Object	Extended event information, in JSON format
recommendation	String	Handling suggestions
process_info_list	Array of EventProcessResponseInfo objects	Process information list
user_info_list	Array of EventUserResponseInfo objects	User information list
file_info_list	Array of EventFileResponseInfo objects	File information list
event_details	String	Brief description of the event.

**Table 6** EventDetailResponseInfo
Parameter	Type	Description
agent_id	String	Agent ID
process_pid	Integer	Process ID
is_parent	Boolean	Whether a process is a parent process
file_hash	String	File hash
file_path	String	File path
file_attr	String	File attribute
private_ip	String	Server private IP address
login_ip	String	Login source IP address
login_user_name	String	Login username
keyword	String	Alarm event keyword, which is used only for the alarm whitelist.
hash	String	Alarm event hash, which is used only for the alarm whitelist.

**Table 7** EventResourceResponseInfo
Parameter	Type	Description
domain_id	String	User account ID
project_id	String	Project ID
enterprise_project_id	String	Enterprise project ID
region_name	String	Region name
vpc_id	String	VPC ID
cloud_id	String	ECS ID
vm_name	String	VM name
vm_uuid	String	Specifies the VM UUID, that is, the server ID.
container_id	String	Container ID
image_id	String	Image ID
image_name	String	Image name
host_attr	String	Host attribute
service	String	Service
micro_service	String	Microservice
sys_arch	String	System CPU architecture
os_bit	String	OS bit version
os_type	String	OS type
os_name	String	OS name
os_version	String	OS version

**Table 8** EventProcessResponseInfo
Parameter	Type	Description
process_name	String	Process name
process_path	String	Process file path
process_pid	Integer	Process ID
process_uid	Integer	Process user ID
process_username	String	Process username
process_cmdline	String	Process file command line
process_filename	String	Process file name
process_start_time	Long	Process start time
process_gid	Integer	Process group ID
process_egid	Integer	Valid process group ID
process_euid	Integer	Valid process user ID
parent_process_name	String	Parent process name
parent_process_path	String	Parent process file path
parent_process_pid	Integer	Parent process ID
parent_process_uid	Integer	Parent process user ID
parent_process_cmdline	String	Parent process file command line
parent_process_filename	String	Parent process file name
parent_process_start_time	Long	Parent process start time
parent_process_gid	Integer	Parent process group ID
parent_process_egid	Integer	Valid parent process group ID
parent_process_euid	Integer	Valid parent process user ID
child_process_name	String	Subprocess name
child_process_path	String	Subprocess file path
child_process_pid	Integer	Subprocess ID
child_process_uid	Integer	Subprocess user ID
child_process_cmdline	String	Subprocess file command line
child_process_filename	String	Subprocess file name
child_process_start_time	Long	Subprocess start time
child_process_gid	Integer	Subprocess group ID
child_process_egid	Integer	Valid subprocess group ID
child_process_euid	Integer	Valid subprocess user ID
virt_cmd	String	Virtualization command
virt_process_name	String	Virtualization process name
escape_mode	String	Escape mode
escape_cmd	String	Commands executed after escape
process_hash	String	Process startup file hash

**Table 9** EventUserResponseInfo
Parameter	Type	Description
user_id	Integer	User UID
user_gid	Integer	User GID
user_name	String	User name
user_group_name	String	User group name
user_home_dir	String	User home directory
login_ip	String	User login IP address
service_type	String	Service type. The options are as follows: system mysql redis
service_port	Integer	Login service port
login_mode	Integer	Login mode
login_last_time	Long	Last login time
login_fail_count	Integer	Number of failed login attempts
pwd_hash	String	Password hash
pwd_with_fuzzing	String	Masked password
pwd_used_days	Integer	Password age (days)
pwd_min_days	Integer	Minimum password validity period
pwd_max_days	Integer	Maximum password validity period
pwd_warn_left_days	Integer	Advance warning of password expiration (days)

**Table 10** EventFileResponseInfo
Parameter	Type	Description
file_path	String	File path
file_alias	String	File alias
file_size	Integer	File size
file_mtime	Long	Time when a file was last modified
file_atime	Long	Time when a file was last accessed
file_ctime	Long	Time when the status of a file was last changed
file_hash	String	The hash value calculated using the SHA256 algorithm.
file_md5	String	File MD5
file_sha256	String	File SHA256
file_type	String	File type
file_content	String	File content
file_attr	String	File attribute
file_operation	Integer	File operation type
file_action	String	File action
file_change_attr	String	Old/New attribute
file_new_path	String	New file path
file_desc	String	File description
file_key_word	String	File keyword
is_dir	Boolean	Whether it is a directory
fd_info	String	File handle information
fd_count	Integer	Number of file handles

Example Requests

Query the first 50 unprocessed server events whose enterprise project is xxx.

GET https://{endpoint}/v5/{project_id}/event/events?offset=0&limit=50&handle_status=unhandled&category=host&enterprise_project_id=xxx

Example Responses

Status code: 200

intrusion list

{
  "total_num" : 1,
  "data_list" : [ {
    "attack_phase" : "exploit",
    "attack_tag" : "abnormal_behavior",
    "event_class_id" : "lgin_1002",
    "event_id" : "d8a12cf7-6a43-4cd6-92b4-aabf1e917",
    "event_name" : "different locations",
    "event_type" : 4004,
    "forensic_info" : {
      "country" : "Country/Region",
      "city" : "State/Province",
      "ip" : "127.0.0.1",
      "user" : "zhangsan",
      "sub_division" : "City",
      "city_id" : 3110
    },
    "handle_status" : "unhandled",
    "host_name" : "xxx",
    "occur_time" : 1661593036627,
    "operate_accept_list" : [ "ignore" ],
    "operate_detail_list" : [ {
      "agent_id" : "c9bed5397db449ebdfba15e85fcfc36accee125c68954daf5cab0528bab59bd8",
      "file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "file_path" : "/usr/test",
      "process_pid" : 3123,
      "file_attr" : 33261,
      "keyword" : "file_path=/usr/test",
      "hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "login_ip" : "127.0.0.1",
      "private_ip" : "127.0.0.2",
      "login_user_name" : "root",
      "is_parent" : false
    } ],
    "private_ip" : "127.0.0.1",
    "resource_info" : {
      "region_name" : "",
      "project_id" : "",
      "enterprise_project_id" : "0",
      "os_type" : "Linux",
      "os_version" : "2.5",
      "vm_name" : "",
      "vm_uuid" : "71a15ecc",
      "cloud_id" : ""
    },
    "severity" : "Medium",
    "extend_info" : "",
    "os_type" : "Linux",
    "agent_status" : "online",
    "asset_value" : "common",
    "protect_status" : "opened",
    "host_status" : "ACTIVE",
    "event_details" : "file_path:/root/test",
    "user_info_list" : [ {
      "login_ip" : "",
      "service_port" : 22,
      "service_type" : "ssh",
      "user_name" : "zhangsan",
      "login_mode" : 0,
      "login_last_time" : 1661593024,
      "login_fail_count" : 0
    } ]
  } ]
}

Status Codes

Status Code	Description
200	intrusion list

Error Codes

See Error Codes.

Parent Topic: Intrusion Detection

Previous topic: Intrusion Detection

Next topic: Querying the Alarm Whitelist

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.

The system is busy. Please try again later.