Querying the Detected Intrusion List_Host Security Service

Function

This API is used to query the detected intrusion list.

Calling Method

For details, see Calling APIs.

URI

GET /v5/{project_id}/event/events

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	User project ID Minimum: 20 Maximum: 64

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	Enterprise project ID of a user Minimum: 0 Maximum: 64
last_days	No	Integer	Number of days to be queried. This parameter is mutually exclusive with begin_time and end_time. Minimum: 1 Maximum: 30
host_name	No	String	Server name Minimum: 1 Maximum: 64
host_id	No	String	Server ID Minimum: 0 Maximum: 64
private_ip	No	String	Server IP address Minimum: 1 Maximum: 256
public_ip	No	String	Server public IP address Minimum: 1 Maximum: 256
container_name	No	String	Container instance name
offset	No	Integer	Offset, which specifies the start position of the record to be returned. The value must be a number no less than 0. The default value is 0. Minimum: 0 Maximum: 2000000 Default: 0
limit	No	Integer	Number of records displayed on each page Minimum: 10 Maximum: 1000 Default: 10
event_types	No	Array	Event type. Its value can be: 1001: common malware 1002: virus 1003: worm 1004: Trojan 1005: botnet 1006: backdoor 1010 :Rootkit 1011: ransomware 1012: hacker tool 1015 : web shell 1016: mining 1017: reverse shell 2001: common vulnerability exploit 2012: remote code execution 2047: Redis vulnerability exploit 2048: Hadoop vulnerability exploit 2049: MySQL vulnerability exploit 3002: file privilege escalation 3003: process privilege escalation 3004: critical file change 3005: file/directory change 3007: abnormal process behavior 3015: high-risk command execution 3018: abnormal shell 3026: crontab privilege escalation 3027: suspicious crontab task 3029: system protection disabled 3030: backup deletion 3031: suspicious registry operations 3036: container image blocking 4002: brute-force attack 4004: abnormal login 4006: invalid accounts 4014: account added 4020: password theft 6002: port scan 6003: server scan 13001: Kubernetes event deletion 13002: abnormal pod behavior 13003: enumerating user information 13004: cluster role binding Minimum: 1000 Maximum: 30000 Array Length: 1 - 500
handle_status	No	String	Status. Its value can be: unhandled handled Minimum: 1 Maximum: 32
severity	No	String	Threat level. Its value can be: Security Low Medium High Critical Minimum: 1 Maximum: 32
category	Yes	String	Event category. Its value can be: host: host security event container: container security event Minimum: 0 Maximum: 32
begin_time	No	String	Customized start time of a segment. The timestamp is accurate to seconds. The begin_time should be no more than two days earlier than the end_time. This parameter is mutually exclusive with the queried duration. Minimum: 13 Maximum: 13
end_time	No	String	Customized end time of a segment. The timestamp is accurate to seconds. The begin_time should be no more than two days earlier than the end_time. This parameter is mutually exclusive with the queried duration. Minimum: 13 Maximum: 13
event_class_ids	No	Array	Event ID. Its value can be: container_1001: container namespace container_1002: container port enabled container_1003: container security options container_1004: container mount directory containerescape_0001: high-risk system call containerescape_0002: shocker attack containerescape_0003: Dirty Cow attack containerescape_0004: container file escape dockerfile_001: modification of user-defined protected container file dockerfile_002: modification of executable files in the container file system dockerproc_001: abnormal container process fileprotect_0001: file privilege escalation fileprotect_0002: key file change fileprotect_0003: key file path change fileprotect_0004: file/directory change av_1002: virus av_1003: worm av_1004: Trojan av_1005: botnet av_1006: backdoor av_1007: spyware av_1008: malicious adware av_1009: phishing av_1010 : Rootkit av_1011: ransomware av_1012: hacker tool av_1013: grayware av_1015 : web shell av_1016: mining software login_0001: brute-force cracking login_0002: successful cracking login_1001: successful login login_1002: remote login login_1003: weak password malware_0001: shell change report malware_0002: reverse shell report malware_1001: malicious program procdet_0001: abnormal process behavior detection procdet_0002: process privilege escalation crontab_0001: crontab script privilege escalation crontab_0002: malicious path privilege escalation procreport_0001: risky commands user_1001: account change user_1002: risky account vmescape_0001: VM sensitive command execution vmescape_0002: access from virtualization process to sensitive file vmescape_0003: abnormal VM port access webshell_0001: web shell network_1001: malicious mining network_1002: DDoS attacks network_1003: malicious scan network_1004: attack in sensitive areas ransomware_0001: ransomware attack ransomware_0002: ransomware attack ransomware_0003: ransomware attack fileless_0001: process injection fileless_0002: dynamic library injection fileless_0003: key configuration change fileless_0004: environment variable change fileless_0005: memory file process fileless_0006: VDSO hijacking crontab_1001: suspicious crontab task vul_exploit_0001: Redis vulnerability exploit vul_exploit_0002: Hadoop vulnerability exploit vul_exploit_0003: MySQL vulnerability exploit rootkit_0001: suspicious rootkit file rootkit_0002: suspicious kernel module RASP_0004: web shell upload RASP_0018: fileless web shell blockexec_001: known ransomware attack hips_0001: Windows Defender disabled hips_0002: suspicious hacker tool hips_0003: suspicious ransomware encryption behavior hips_0004: hidden account creation hips_0005: user password and credential reading hips_0006: suspicious SAM file export hips_0007: suspicious shadow copy deletion hips_0008: backup file deletion hips_0009: registry of suspicious ransomware hips_0010: suspicious abnormal process hips_0011: suspicious scan hips_0012: suspicious ransomware script running hips_0013: suspicious mining command execution hips_0014: suspicious windows security center disabling hips_0015: suspicious behavior of disabling the firewall service hips_0016: suspicious system automatic recovery disabling hips_0017: executable file execution in Office hips_0018: abnormal file creation with macros in Office hips_0019: suspicious registry operation hips_0020: Confluence remote code execution hips_0021: MSDT remote code execution portscan_0001: common port scan portscan_0002: secret port scan k8s_1001: Kubernetes event deletion k8s_1002: privileged pod creations k8s_1003: interactive shell used in pod k8s_1004: pod created with sensitive directory k8s_1005: pod created with server network k8s_1006: pod created with host PID space k8s_1007: authentication failure when common pods access API server k8s_1008: API server access from common pod using cURL k8s_1009: exec in system management space k8s_1010: pod created in management space k8s_1011: static pod creation k8s_1012: DaemonSet creation k8s_1013: scheduled cluster task creation k8s_1014: operation on secrets k8s_1015: allowed operation enumeration k8s_1016: high privilege RoleBinding or ClusterRoleBinding k8s_1017: ServiceAccount creation k8s_1018: Cronjob creation k8s_1019: interactive shell used for exec in pods k8s_1020: unauthorized access to API server k8s_1021: access to API server with curl k8s_1022: Ingress vulnerability k8s_1023: man-in-the-middle (MITM) attack k8s_1024: worm, mining, or Trojan k8s_1025: K8s event deletion k8s_1026: SelfSubjectRulesReview imgblock_0001: image blocking based on whitelist imgblock_0002: image blocking based on blacklist imgblock_0003: image tag blocking based on whitelist imgblock_0004: image tag blocking based on blacklist imgblock_0005: container creation blocked based on whitelist imgblock_0006: container creation blocked based on blacklist imgblock_0007: container mount proc blocking imgblock_0008: container seccomp unconfined blocking imgblock_0009: container privilege blocking imgblock_0010: container capabilities blocking Array Length: 1 - 200
severity_list	No	Array	Threat level. The options are as follows: Security Low Medium High Critical Minimum: 0 Maximum: 32 Array Length: 0 - 5
attack_tag	No	String	Indicates the attack flag. The options are as follows: attack_success: attack success attack_attempt: attack attempt attack_blocked: blocked attack abnormal_behavior: abnormal behavior collapsible_host: compromised host system_vulnerability: system vulnerability Minimum: 0 Maximum: 32
asset_value	No	String	Asset importance. The options are as follows: important common test Minimum: 0 Maximum: 128
tag_list	No	Array	Event tag list, for example, ["hot event"]. Minimum: 0 Maximum: 10 Array Length: 0 - 20
att_ck	No	String	ATT&CK attack stage, including: Reconnaissance: Initial Access: Execution: Persistence: Privilege Escalation: Defense Evasion: defense bypass Credential Access: Command and Control: Impact: Damage is affected. Minimum: 0 Maximum: 32
event_name	No	String	Alarm name Minimum: 1 Maximum: 128

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
x-auth-token	Yes	String	User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token. Minimum: 1 Maximum: 32768
region	Yes	String	region id Minimum: 0 Maximum: 128

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
total_num	Integer	Total number
data_list	Array of EventManagementResponseInfo objects	Event list Array Length: 0 - 1000

**Table 5** EventManagementResponseInfo
Parameter	Type	Description
event_id	String	Event ID
event_class_id	String	Event category. Its value can be: container_1001: Container namespace container_1002: Container open port container_1003: Container security option container_1004: Container mount directory containerescape_0001: High-risk system call containerescape_0002: Shocker attack containerescape_0003: Dirty Cow attack containerescape_0004: Container file escape dockerfile_001: Modification of user-defined protected container file dockerfile_002: Modification of executable files in the container file system dockerproc_001: Abnormal container process fileprotect_0001: File privilege escalation fileprotect_0002: Key file change fileprotect_0003: AuthorizedKeysFile path change fileprotect_0004: File directory change login_0001: Brute-force attack attempt login_0002: Brute-force attack succeeded login_1001: Succeeded login login_1002: Remote login login_1003: Weak password malware_0001: Shell change malware_0002: Reverse shell malware_1001: Malicious program procdet_0001: Abnormal process behavior procdet_0002: Process privilege escalation procreport_0001: High-risk command user_1001: Account change user_1002: Unsafe account vmescape_0001: Sensitive command executed on VM vmescape_0002: Sensitive file accessed by virtualization process vmescape_0003: Abnormal VM port access webshell_0001: Web shell network_1001: Mining network_1002: DDoS attacks network_1003: Malicious scanning network_1004: Attack in sensitive areas ransomware_0001: ransomware attack ransomware_0002: ransomware attack ransomware_0003: ransomware attack fileless_0001: process injection fileless_0002: dynamic library injection fileless_0003: key configuration change fileless_0004: environment variable change fileless_0005: memory file process fileless_0006: VDSO hijacking crontab_1001: suspicious crontab task vul_exploit_0001: Redis vulnerability exploit vul_exploit_0002: Hadoop vulnerability exploit vul_exploit_0003: MySQL vulnerability exploit rootkit_0001: suspicious rootkit file rootkit_0002: suspicious kernel module RASP_0004: web shell upload RASP_0018: fileless web shell blockexec_001: known ransomware attack hips_0001: Windows Defender disabled hips_0002: suspicious hacker tool hips_0003: suspicious ransomware encryption behavior hips_0004: hidden account creation hips_0005: user password and credential reading hips_0006: suspicious SAM file export hips_0007: suspicious shadow copy deletion hips_0008: backup file deletion hips_0009: registry of suspicious ransomware hips_0010: suspicious abnormal process hips_0011: suspicious scan hips_0012: suspicious ransomware script running hips_0013: suspicious mining command execution hips_0014: suspicious windows security center disabling hips_0015: suspicious behavior of disabling the firewall service hips_0016: suspicious system automatic recovery disabling hips_0017: executable file execution in Office hips_0018: abnormal file creation with macros in Office hips_0019: suspicious registry operation hips_0020: Confluence remote code execution hips_0021: MSDT remote code execution portscan_0001: common port scan portscan_0002: secret port scan k8s_1001: Kubernetes event deletion k8s_1002: privileged pod creations k8s_1003: interactive shell used in pod k8s_1004: pod created with sensitive directory k8s_1005: pod created with server network k8s_1006: pod created with host PID space k8s_1007: authentication failure when common pods access API server k8s_1008: API server access from common pod using cURL k8s_1009: exec in system management space k8s_1010: pod created in management space k8s_1011: static pod creation k8s_1012: DaemonSet creation k8s_1013: scheduled cluster task creation k8s_1014: operation on secrets k8s_1015: allowed operation enumeration k8s_1016: high privilege RoleBinding or ClusterRoleBinding k8s_1017: ServiceAccount creation k8s_1018: Cronjob creation k8s_1019: interactive shell used for exec in pods k8s_1020: unauthorized access to API server k8s_1021: access to API server with curl k8s_1022: Ingress vulnerability k8s_1023: man-in-the-middle (MITM) attack k8s_1024: worm, mining, or Trojan k8s_1025: K8s event deletion k8s_1026: SelfSubjectRulesReview imgblock_0001: image blocking based on whitelist imgblock_0002: image blocking based on blacklist imgblock_0003: image tag blocking based on whitelist imgblock_0004: image tag blocking based on blacklist imgblock_0005: container creation blocked based on whitelist imgblock_0006: container creation blocked based on blacklist imgblock_0007: container mount proc blocking imgblock_0008: container seccomp unconfined blocking imgblock_0009: container privilege blocking imgblock_0010: container capabilities blocking
event_type	Integer	Event type. Its value can be: 1001: common malware 1002: virus 1003: worm 1004: Trojan 1005: botnet 1006: backdoor 1010 : Rootkit 1011: ransomware 1012: hacker tool 1015 : web shell 1016: mining 1017: reverse shell 2001: common vulnerability exploit 2012: remote code execution 2047: Redis vulnerability exploit 2048: Hadoop vulnerability exploit 2049: MySQL vulnerability exploit 3002: file privilege escalation 3003: process privilege escalation 3004: critical file change 3005: file/directory change 3007: abnormal process behavior 3015: high-risk command execution 3018: abnormal shell 3027: suspicious crontab task 3029: system protection disabled 3030: backup deletion 3031: suspicious registry operations 3036: container image blocking 4002: brute-force attack 4004: abnormal login 4006: invalid accounts 4014: account added 4020: password theft 6002: port scan 6003: server scan 13001: Kubernetes event deletion 13002: abnormal pod behavior 13003: enumerating user information 13004: cluster role binding
event_name	String	Event name
severity	String	Threat level. Its value can be: Security Low Medium High Critical
container_name	String	Container instance name
image_name	String	Image name
host_name	String	Server name
host_id	String	Server ID
private_ip	String	Server private IP address
public_ip	String	Elastic IP address
os_type	String	OS type. Its value can be: Linux Windows
host_status	String	Server status. The options are as follows: ACTIVE SHUTOFF BUILDING ERROR Minimum: 1 Maximum: 32
agent_status	String	Agent status. Its value can be: installed not_installed online offline install_failed installing Minimum: 1 Maximum: 32
protect_status	String	Protection status. Its value can be: closed opened Minimum: 1 Maximum: 32
asset_value	String	Asset importance. The options are as follows: important common test Minimum: 0 Maximum: 128
attack_phase	String	Attack phase. Its value can be: reconnaissance weaponization delivery exploit installation command_and_control actions
attack_tag	String	Attack tag. Its value can be: attack_success attack_attempt attack_blocked abnormal_behavior collapsible_host system_vulnerability
occur_time	Integer	Occurrence time, accurate to milliseconds.
handle_time	Integer	Handling time, accurate to milliseconds.
handle_status	String	Processing status. Its value can be: unhandled handled
handle_method	String	Handling method. Its value can be: mark_as_handled ignore add_to_alarm_whitelist add_to_login_whitelist isolate_and_kill
handler	String	Remarks
operate_accept_list	Array of strings	Supported processing operation
operate_detail_list	Array of EventDetailResponseInfo objects	Operation details list (not displayed on the page) Array Length: 0 - 100
forensic_info	Object	Attack information, in JSON format.
resource_info	EventResourceResponseInfo object	Resource information
geo_info	Object	Geographical location, in JSON format.
malware_info	Object	Malware information, in JSON format.
network_info	Object	Network information, in JSON format.
app_info	Object	Application information, in JSON format.
system_info	Object	System information, in JSON format.
extend_info	Object	Extended event information, in JSON format
recommendation	String	Handling suggestions
description	String	Alarm description Minimum: 0 Maximum: 1024
event_abstract	String	Event abstract Minimum: 0 Maximum: 512
process_info_list	Array of EventProcessResponseInfo objects	Process information list Array Length: 0 - 100
user_info_list	Array of EventUserResponseInfo objects	User information list Array Length: 0 - 100
file_info_list	Array of EventFileResponseInfo objects	File information list Array Length: 0 - 100
event_details	String	Brief description of the event. Minimum: 0 Maximum: 204800
tag_list	Array of strings	Tags Minimum: 0 Maximum: 10 Array Length: 0 - 20
event_count	Integer	Event occurrences Minimum: 0 Maximum: 2147483647

**Table 6** EventDetailResponseInfo
Parameter	Type	Description
agent_id	String	Agent ID
process_pid	Integer	Process ID
is_parent	Boolean	Whether a process is a parent process
file_hash	String	File hash
file_path	String	File path
file_attr	String	File attribute
private_ip	String	Server private IP address
login_ip	String	Login source IP address
login_user_name	String	Login username
keyword	String	Alarm event keyword, which is used only for the alarm whitelist.
hash	String	Alarm event hash, which is used only for the alarm whitelist.

**Table 7** EventResourceResponseInfo
Parameter	Type	Description
domain_id	String	User account ID
project_id	String	Project ID
enterprise_project_id	String	Enterprise project ID
region_name	String	Region name
vpc_id	String	VPC ID
cloud_id	String	ECS ID
vm_name	String	VM name
vm_uuid	String	VM UUID
container_id	String	Container ID
container_status	String	Container status
pod_uid	String	pod uid
pod_name	String	pod name
namespace	String	namespace
cluster_id	String	Cluster ID
cluster_name	String	Cluster name
image_id	String	Image ID
image_name	String	Image name
host_attr	String	Host attribute
service	String	Service
micro_service	String	Microservice
sys_arch	String	System CPU architecture
os_bit	String	OS bit version
os_type	String	OS type
os_name	String	OS name
os_version	String	OS version

**Table 8** EventProcessResponseInfo
Parameter	Type	Description
process_name	String	Process name
process_path	String	Process file path
process_pid	Integer	Process ID Minimum: 0 Maximum: 2147483647
process_uid	Integer	Process user ID Minimum: 0 Maximum: 2147483647
process_username	String	Process username
process_cmdline	String	Process file command line
process_filename	String	Process file name
process_start_time	Long	Process start time Minimum: 0 Maximum: 9223372036854775807
process_gid	Integer	Process group ID Minimum: 0 Maximum: 2147483647
process_egid	Integer	Valid process group ID Minimum: 0 Maximum: 2147483647
process_euid	Integer	Valid process user ID Minimum: 0 Maximum: 2147483647
parent_process_name	String	Parent process name
parent_process_path	String	Parent process file path
parent_process_pid	Integer	Parent process ID Minimum: 0 Maximum: 2147483647
parent_process_uid	Integer	Parent process user ID Minimum: 0 Maximum: 2147483647
parent_process_cmdline	String	Parent process file command line
parent_process_filename	String	Parent process file name
parent_process_start_time	Long	Parent process start time Minimum: 0 Maximum: 9223372036854775807
parent_process_gid	Integer	Parent process group ID Minimum: 0 Maximum: 2147483647
parent_process_egid	Integer	Valid parent process group ID Minimum: 0 Maximum: 2147483647
parent_process_euid	Integer	Valid parent process user ID Minimum: 0 Maximum: 2147483647
child_process_name	String	Subprocess name
child_process_path	String	Subprocess file path
child_process_pid	Integer	Subprocess ID Minimum: 0 Maximum: 2147483647
child_process_uid	Integer	Subprocess user ID Minimum: 0 Maximum: 2147483647
child_process_cmdline	String	Subprocess file command line
child_process_filename	String	Subprocess file name
child_process_start_time	Long	Subprocess start time Minimum: 0 Maximum: 9223372036854775807
child_process_gid	Integer	Subprocess group ID Minimum: 0 Maximum: 2147483647
child_process_egid	Integer	Valid subprocess group ID Minimum: 0 Maximum: 2147483647
child_process_euid	Integer	Valid subprocess user ID Minimum: 0 Maximum: 2147483647
virt_cmd	String	Virtualization command
virt_process_name	String	Virtualization process name
escape_mode	String	Escape mode
escape_cmd	String	Commands executed after escape
process_hash	String	Process startup file hash

**Table 9** EventUserResponseInfo
Parameter	Type	Description
user_id	Integer	User UID Minimum: 0 Maximum: 2147483647
user_gid	Integer	User GID Minimum: 0 Maximum: 2147483647
user_name	String	User name
user_group_name	String	User group name
user_home_dir	String	User home directory
login_ip	String	User login IP address
service_type	String	Login service type
service_port	Integer	Login service port Minimum: 0 Maximum: 2147483647
login_mode	Integer	Login mode Minimum: 0 Maximum: 2147483647
login_last_time	Long	Last login time Minimum: 0 Maximum: 9223372036854775807
login_fail_count	Integer	Number of failed login attempts Minimum: 0 Maximum: 2147483647
pwd_hash	String	Password hash
pwd_with_fuzzing	String	Masked password
pwd_used_days	Integer	Password age (days) Minimum: 0 Maximum: 2147483647
pwd_min_days	Integer	Minimum password validity period Minimum: 0 Maximum: 2147483647
pwd_max_days	Integer	Maximum password validity period Minimum: 0 Maximum: 2147483647
pwd_warn_left_days	Integer	Advance warning of password expiration (days) Minimum: 0 Maximum: 2147483647

**Table 10** EventFileResponseInfo
Parameter	Type	Description
file_path	String	File path
file_alias	String	File alias
file_size	Integer	File size Minimum: 0 Maximum: 2147483647
file_mtime	Long	Time when a file was last modified Minimum: 0 Maximum: 9223372036854775807
file_atime	Long	Time when a file was last accessed Minimum: 0 Maximum: 9223372036854775807
file_ctime	Long	Time when the status of a file was last changed Minimum: 0 Maximum: 9223372036854775807
file_hash	String	File hash
file_md5	String	File MD5
file_sha256	String	File SHA256
file_type	String	File type
file_content	String	File content
file_attr	String	File attribute
file_operation	Integer	File operation type Minimum: 0 Maximum: 2147483647
file_action	String	File action
file_change_attr	String	Old/New attribute
file_new_path	String	New file path
file_desc	String	File description
file_key_word	String	File keyword
is_dir	Boolean	Whether it is a directory
fd_info	String	File handle information
fd_count	Integer	Number of file handles Minimum: 0 Maximum: 2147483647

Example Requests

Query the first 50 unprocessed server events whose enterprise project is xxx.

GET https://{endpoint}/v5/{project_id}/event/events?offset=0&limit=50&handle_status=unhandled&category=host&enterprise_project_id=xxx

Example Responses

Status code: 200

Intrusion list

{
  "total_num" : 1,
  "data_list" : [ {
    "attack_phase" : "exploit",
    "attack_tag" : "abnormal_behavior",
    "event_class_id" : "lgin_1002",
    "event_id" : "d8a12cf7-6a43-4cd6-92b4-aabf1e917",
    "event_name" : "different locations",
    "event_type" : 4004,
    "forensic_info" : {
      "country" : "China",
      "city" : "Lanzhou",
      "ip" : "127.0.0.1",
      "user" : "zhangsan",
      "sub_division" : "Gansu",
      "city_id" : 3110
    },
    "handle_status" : "unhandled",
    "host_name" : "xxx",
    "occur_time" : 1661593036627,
    "operate_accept_list" : [ "ignore" ],
    "operate_detail_list" : [ {
      "agent_id" : "c9bed5397db449ebdfba15e85fcfc36accee125c68954daf5cab0528bab59bd8",
      "file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "file_path" : "/usr/test",
      "process_pid" : 3123,
      "file_attr" : 33261,
      "keyword" : "file_path=/usr/test",
      "hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "login_ip" : "127.0.0.1",
      "private_ip" : "127.0.0.2",
      "login_user_name" : "root",
      "is_parent" : false
    } ],
    "private_ip" : "127.0.0.1",
    "resource_info" : {
      "region_name" : "",
      "project_id" : "",
      "enterprise_project_id" : "0",
      "os_type" : "Linux",
      "os_version" : "2.5",
      "vm_name" : "",
      "vm_uuid" : "71a15ecc",
      "cloud_id" : "",
      "container_id" : "",
      "container_status" : "running / terminated",
      "image_id" : "",
      "pod_uid" : "",
      "pod_name" : "",
      "namespace" : "",
      "cluster_id" : "",
      "cluster_name" : ""
    },
    "severity" : "Medium",
    "extend_info" : "",
    "os_type" : "Linux",
    "agent_status" : "online",
    "asset_value" : "common",
    "protect_status" : "opened",
    "host_status" : "ACTIVE",
    "event_details" : "file_path:/root/test",
    "user_info_list" : [ {
      "login_ip" : "",
      "service_port" : 22,
      "service_type" : "ssh",
      "user_name" : "zhangsan",
      "login_mode" : 0,
      "login_last_time" : 1661593024,
      "login_fail_count" : 0
    } ],
    "description" : "",
    "event_abstract" : "",
    "tag_list" : [ "Hot Event" ]
  } ]
}

Status Codes

Status Code	Description
200	Intrusion list

Error Codes

See Error Codes.

Querying the Detected Intrusion List