Handling Alarm Events

Updated on 2024-01-31 GMT+08:00

View PDF

Function

This API is used to handle alarm events.

Calling Method

For details, see Calling APIs.

URI

POST /v5/{project_id}/event/operate

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	User project ID Minimum: 20 Maximum: 64

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	Enterprise project ID. To query all enterprise projects, set this parameter to all_granted_eps. Minimum: 0 Maximum: 64
container_name	No	String	Container instance name
container_id	No	String	Container ID

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
x-auth-token	Yes	String	User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token. Minimum: 1 Maximum: 32768
region	Yes	String	region id Minimum: 0 Maximum: 128

**Table 4** Request body parameters
Parameter	Mandatory	Type	Description
operate_type	Yes	String	Handling method. Its value can be: mark_as_handled ignore add_to_alarm_whitelist add_to_login_whitelist isolate_and_kill unhandle do_not_ignore remove_from_alarm_whitelist remove_from_login_whitelist do_not_isolate_or_kill
handler	No	String	Remarks
operate_event_list	Yes	Array of OperateEventRequestInfo objects	Operated event list Array Length: 0 - 100
event_white_rule_list	No	Array of EventWhiteRuleListRequestInfo objects	User-defined alarm whitelist Array Length: 0 - 100

**Table 5** OperateEventRequestInfo
Parameter	Mandatory	Type	Description
event_class_id	Yes	String	Event category. Its value can be: container_1001: Container namespace container_1002: Container open port container_1003: Container security option container_1004: Container mount directory containerescape_0001: High-risk system call containerescape_0002: Shocker attack containerescape_0003: Dirty Cow attack containerescape_0004: Container file escape dockerfile_001: Modification of user-defined protected container file dockerfile_002: Modification of executable files in the container file system dockerproc_001: Abnormal container process fileprotect_0001: File privilege escalation fileprotect_0002: Key file change fileprotect_0003: AuthorizedKeysFile path change fileprotect_0004: File directory change login_0001: Brute-force attack attempt login_0002: Brute-force attack succeeded login_1001: Succeeded login login_1002: Remote login login_1003: Weak password malware_0001: Shell change malware_0002: Reverse shell malware_1001: Malicious program procdet_0001: Abnormal process behavior procdet_0002: Process privilege escalation procreport_0001: High-risk command user_1001: Account change user_1002: Unsafe account vmescape_0001: Sensitive command executed on VM vmescape_0002: Sensitive file accessed by virtualization process vmescape_0003: Abnormal VM port access webshell_0001: Web shell network_1001: Mining network_1002: DDoS attacks network_1003: Malicious scanning network_1004: Attack in sensitive areas ransomware_0001: ransomware attack ransomware_0002: ransomware attack ransomware_0003: ransomware attack fileless_0001: process injection fileless_0002: dynamic library injection fileless_0003: key configuration change fileless_0004: environment variable change fileless_0005: memory file process fileless_0006: VDSO hijacking crontab_1001: suspicious crontab task vul_exploit_0001: Redis vulnerability exploit vul_exploit_0002: Hadoop vulnerability exploit vul_exploit_0003: MySQL vulnerability exploit rootkit_0001: suspicious rootkit file rootkit_0002: suspicious kernel module RASP_0004: web shell upload RASP_0018: fileless web shell blockexec_001: known ransomware attack hips_0001: Windows Defender disabled hips_0002: suspicious hacker tool hips_0003: suspicious ransomware encryption behavior hips_0004: hidden account creation hips_0005: user password and credential reading hips_0006: suspicious SAM file export hips_0007: suspicious shadow copy deletion hips_0008: backup file deletion hips_0009: registry of suspicious ransomware hips_0010: suspicious abnormal process hips_0011: suspicious scan hips_0012: suspicious ransomware script running hips_0013: suspicious mining command execution hips_0014: suspicious windows security center disabling hips_0015: suspicious behavior of disabling the firewall service hips_0016: suspicious system automatic recovery disabling hips_0017: executable file execution in Office hips_0018: abnormal file creation with macros in Office hips_0019: suspicious registry operation hips_0020: Confluence remote code execution hips_0021: MSDT remote code execution portscan_0001: common port scan portscan_0002: secret port scan k8s_1001: Kubernetes event deletion k8s_1002: privileged pod creations k8s_1003: interactive shell used in pod k8s_1004: pod created with sensitive directory k8s_1005: pod created with server network k8s_1006: pod created with host PID space k8s_1007: authentication failure when common pods access API server k8s_1008: API server access from common pod using cURL k8s_1009: exec in system management space k8s_1010: pod created in management space k8s_1011: static pod creation k8s_1012: DaemonSet creation k8s_1013: scheduled cluster task creation k8s_1014: operation on secrets k8s_1015: allowed operation enumeration k8s_1016: high privilege RoleBinding or ClusterRoleBinding k8s_1017: ServiceAccount creation k8s_1018: Cronjob creation k8s_1019: interactive shell used for exec in pods k8s_1020: unauthorized access to API server k8s_1021: access to API server with curl k8s_1022: Ingress vulnerability k8s_1023: man-in-the-middle (MITM) attack k8s_1024: worm, mining, or Trojan k8s_1025: K8s event deletion k8s_1026: SelfSubjectRulesReview imgblock_0001: image blocking based on whitelist imgblock_0002: image blocking based on blacklist imgblock_0003: image tag blocking based on whitelist imgblock_0004: image tag blocking based on blacklist imgblock_0005: container creation blocked based on whitelist imgblock_0006: container creation blocked based on blacklist imgblock_0007: container mount proc blocking imgblock_0008: container seccomp unconfined blocking imgblock_0009: container privilege blocking imgblock_0010: container capabilities blocking
event_id	Yes	String	Event ID
event_type	Yes	Integer	Event type. Its value can be: 1001: common malware 1002: virus 1003: worm 1004: Trojan 1005: botnet 1006: backdoor 1010 : Rootkit 1011: ransomware 1012: hacker tool 1015 : web shell 1016: mining 1017: reverse shell 2001: common vulnerability exploit 2012: remote code execution 2047: Redis vulnerability exploit 2048: Hadoop vulnerability exploit 2049: MySQL vulnerability exploit 3002: file privilege escalation 3003: process privilege escalation 3004: critical file change 3005: file/directory change 3007: abnormal process behavior 3015: high-risk command execution 3018: abnormal shell 3027: suspicious crontab task 3029: system protection disabled 3030: backup deletion 3031: suspicious registry operations 3036: container image blocking 4002: brute-force attack 4004: abnormal login 4006: invalid accounts 4014: account added 4020: password theft 6002: port scan 6003: server scan 13001: Kubernetes event deletion 13002: abnormal pod behavior 13003: enumerating user information 13004: cluster role binding
occur_time	Yes	Integer	Occurrence time, accurate to milliseconds.
operate_detail_list	Yes	Array of EventDetailRequestInfo objects	Operation details list. If operate_type is set to add_to_alarm_whitelist or remove_from_alarm_whitelist, keyword and hash are mandatory. If operate_type is set to add_to_login_whitelist or remove_from_login_whitelist, the login_ip, private_ip, and login_user_name parameters are mandatory. If operate_type is set to isolate_and_kill or do_not_isolate_or_kill, the agent_id, file_hash, file_path, and process_pid parameters are mandatory. In other cases, the parameters are optional. Array Length: 0 - 100

**Table 6** EventDetailRequestInfo
Parameter	Mandatory	Type	Description
agent_id	No	String	Agent ID
process_pid	No	Integer	Process ID
file_hash	No	String	File hash
file_path	No	String	File path
file_attr	No	String	File attribute
keyword	No	String	Alarm event keyword, which is used only for the alarm whitelist.
hash	No	String	Alarm event hash, which is used only for the alarm whitelist.
private_ip	No	String	Server private IP address
login_ip	No	String	Login source IP address
login_user_name	No	String	Login username
container_id	No	String	Container ID Minimum: 64 Maximum: 64
container_name	No	String	Container name Minimum: 1 Maximum: 128

**Table 7** EventWhiteRuleListRequestInfo
Parameter	Mandatory	Type	Description
event_type	Yes	Integer	Event type. Its value can be: 1001: common malware 1002: virus 1003: worm 1004: Trojan 1005: botnet 1006: backdoor 1010 : Rootkit 1011: ransomware 1012: hacker tool 1015 : web shell 1016: mining 1017: reverse shell 2001: common vulnerability exploit 2012: remote code execution 2047: Redis vulnerability exploit 2048: Hadoop vulnerability exploit 2049: MySQL vulnerability exploit 3002: file privilege escalation 3003: process privilege escalation 3004: critical file change 3005: file/directory change 3007: abnormal process behavior 3015: high-risk command execution 3018: abnormal shell 3027: suspicious crontab task 3029: system protection disabled 3030: backup deletion 3031: suspicious registry operations 3036: container image blocking 4002: brute-force attack 4004: abnormal login 4006: invalid accounts 4014: account added 4020: password theft 6002: port scan 6003: server scan 13001: Kubernetes event deletion 13002: abnormal pod behavior 13003: enumerating user information 13004: cluster role binding
field_key	Yes	String	Whitelist fields. The options are as follows: "file/process hash" # process/file hash "file_path" "process_path" "login_ip": login IP address "reg_key": registry key "process_cmdline": process command line "username" Minimum: 1 Maximum: 20
field_value	Yes	String	Whitelist field value Minimum: 1 Maximum: 128
judge_type	Yes	String	Wildcard. The options are as follows: "equal" "contain" Minimum: 1 Maximum: 10

Response Parameters

None

Example Requests

Manually handle the intrusion alarms whose alarm event type is Rootkit and alarm event ID is 2a71e1e2-60f4-4d56-b314-2038fdc39de6.

POST https://{endpoint}/v5/{project_id}/event/operate?enterprise_project_id=xxx

{
  "operate_type" : "mark_as_handled",
  "handler" : "test",
  "operate_event_list" : [ {
    "event_class_id" : "rootkit_0001",
    "event_id" : "2a71e1e2-60f4-4d56-b314-2038fdc39de6",
    "occur_time" : 1672046760353,
    "event_type" : 1010,
    "operate_detail_list" : [ {
      "agent_id" : "c9bed5397db449ebdfba15e85fcfc36accee125c68954daf5cab0528bab59bd8",
      "file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "file_path" : "/usr/test",
      "process_pid" : 3123,
      "file_attr" : 33261,
      "keyword" : "file_path=/usr/test",
      "hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "login_ip" : "127.0.0.1",
      "private_ip" : "127.0.0.2",
      "login_user_name" : "root",
      "container_id" : "containerid",
      "container_name" : "/test"
    } ]
  } ]
}