Updated on 2026-01-12 GMT+08:00

Querying the List of Isolated Files

Function

This API is used to query the list of isolated files.

URI

GET /v5/{project_id}/event/isolated-file

Table 1 Path Parameters

Parameter | Mandatory | Type | Description
project_id | Yes | String | Project ID

Table 2 Query Parameters

Parameter | Mandatory | Type | Description
enterprise_project_id | No | String | Enterprise project ID. To query all enterprise projects, set this parameter to all_granted_eps.
file_path | No | String | File path
host_name | No | String | Server name
private_ip | No | String | Server private IP address
public_ip | No | String | Server public IP address
file_hash | No | String | Hash value of the file, calculated using the SHA256 algorithm.
asset_value | No | String | Asset importance. The options are as follows:
  • important
  • common
  • test

offset | No | Integer | Offset, which specifies the start position of the record to be returned.
limit | No | Integer | Number of records displayed on each page.

Request Parameters

Table 3 Request header parameters

Parameter | Mandatory | Type | Description
X-Auth-Token | Yes | String | User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is the token.
region | Yes | String | Region ID

Response Parameters

Status code: 200

Table 4 Response body parameters

Parameter | Type | Description
total_num | Integer | Total number of records
data_list | Array of IsolatedFileResponseInfo objects | Isolated file details

Table 5 IsolatedFileResponseInfo

Parameter | Type | Description
os_type | String | OS type. Its value can be:
  • Linux
  • Windows

host_id | String | Host ID
host_name | String | Server name
file_hash | String | File hash
file_path | String | File path
file_attr | String | File attribute
isolation_status | String | Isolation status. The options are as follows:
  • isolated
  • restored
  • isolating
  • restoring

private_ip | String | Server private IP address
public_ip | String | Elastic IP address
asset_value | String | Asset importance
update_time | Integer | Update time, in milliseconds
agent_version | String | Agent version
isolate_source | String | Isolation source. The options are as follows:
  • event: security alarm event
  • antivirus: virus scanning and removal

event_name | String | Event name
agent_event_info | IsolateEventResponseInfo object | Isolation event details
antivirus_result_info | AntivirusResultDetailInfo object | Results of virus scanning and removal

Table 6 IsolateEventResponseInfo

Parameter | Type | Description
event_id | String | Event ID
event_class_id | String | Event category. Its value can be:
  • container_1001: Container namespace
  • container_1002: Container open port
  • container_1003: Container security option
  • container_1004: Container mount directory
  • containerescape_0001: High-risk system call
  • containerescape_0002: Shocker attack
  • containerescape_0003: Dirty Cow attack
  • containerescape_0004: Container file escape
  • dockerfile_001: Modification of user-defined protected container file
  • dockerfile_002: Modification of executable files in the container file system
  • dockerproc_001: Abnormal container process
  • fileprotect_0001: File privilege escalation
  • fileprotect_0002: Key file change
  • fileprotect_0003: AuthorizedKeysFile path change
  • fileprotect_0004: File directory change
  • login_0001: Brute-force attack attempt
  • login_0002: Brute-force attack succeeded
  • login_1001: Successful login
  • login_1002: Remote login
  • login_1003: Weak password
  • malware_0001: Shell change
  • malware_0002: Reverse shell
  • malware_1001: Malicious program
  • procdet_0001: Abnormal process behavior
  • procdet_0002: Process privilege escalation
  • procreport_0001: High-risk command
  • user_1001: Account change
  • user_1002: Unsafe account
  • vmescape_0001: Sensitive command executed on VM
  • vmescape_0002: Sensitive file accessed by virtualization process
  • vmescape_0003: Abnormal VM port access
  • webshell_0001: Web shell
  • network_1001: Mining
  • network_1002: DDoS attacks
  • network_1003: Malicious scanning
  • network_1004: Attack in sensitive areas
  • ransomware_0001: Ransomware attack
  • ransomware_0002: Ransomware attack
  • ransomware_0003: Ransomware attack
  • fileless_0001: Process injection
  • fileless_0002: Dynamic library injection
  • fileless_0003: Key configuration change
  • fileless_0004: Environment variable change
  • fileless_0005: Memory file process
  • fileless_0006: VDSO hijacking
  • crontab_1001: Suspicious crontab task
  • vul_exploit_0001: Redis vulnerability exploit
  • vul_exploit_0002: Hadoop vulnerability exploit
  • vul_exploit_0003: MySQL vulnerability exploit
  • rootkit_0001: Suspicious rootkit file
  • rootkit_0002: Suspicious kernel module
  • RASP_0004: Web shell upload
  • RASP_0018: Fileless web shell
  • blockexec_001: Known ransomware attack
  • hips_0001: Windows Defender disabled
  • hips_0002: Suspicious hacker tool
  • hips_0003: Suspicious ransomware encryption behavior
  • hips_0004: Hidden account creation
  • hips_0005: User password and credential reading
  • hips_0006: Suspicious SAM file export
  • hips_0007: Suspicious shadow copy deletion
  • hips_0008: Backup file deletion
  • hips_0009: Registry of suspicious ransomware
  • hips_0010: Suspicious abnormal process
  • hips_0011: Suspicious scan
  • hips_0012: Suspicious ransomware script running
  • hips_0013: Suspicious mining command execution
  • hips_0014: Suspicious Windows Security Center disabling
  • hips_0015: Suspicious behavior of disabling the firewall service
  • hips_0016: Suspicious system automatic recovery disabling
  • hips_0017: Executable file execution in Office
  • hips_0018: Abnormal file creation with macros in Office
  • hips_0019: Suspicious registry operation
  • hips_0020: Confluence remote code execution
  • hips_0021: MSDT remote code execution
  • portscan_0001: Common port scan
  • portscan_0002: Secret port scan
  • k8s_1001: Kubernetes event deletion
  • k8s_1002: Privileged pod creation
  • k8s_1003: Interactive shell used in pod
  • k8s_1004: Pod created with sensitive directory
  • k8s_1005: Pod created with server network
  • k8s_1006: Pod created with host PID space
  • k8s_1007: Authentication failure when common pods access API server
  • k8s_1008: API server access from common pod using cURL
  • k8s_1009: Exec in system management space
  • k8s_1010: Pod created in management space
  • k8s_1011: Static pod creation
  • k8s_1012: DaemonSet creation
  • k8s_1013: Scheduled cluster task creation
  • k8s_1014: Operation on secrets
  • k8s_1015: Allowed operation enumeration
  • k8s_1016: High privilege RoleBinding or ClusterRoleBinding
  • k8s_1017: ServiceAccount creation
  • k8s_1018: Cronjob creation
  • k8s_1019: Interactive shell used for exec in pods
  • k8s_1020: Unauthorized access to API server
  • k8s_1021: Access to API server with curl
  • k8s_1022: Ingress vulnerability
  • k8s_1023: Man-in-the-middle (MITM) attack
  • k8s_1024: Worm, mining, or Trojan
  • k8s_1025: K8s event deletion
  • k8s_1026: SelfSubjectRulesReview
  • imgblock_0001: Image blocking based on whitelist
  • imgblock_0002: Image blocking based on blacklist
  • imgblock_0003: Image tag blocking based on whitelist
  • imgblock_0004: Image tag blocking based on blacklist
  • imgblock_0005: Container creation blocked based on whitelist
  • imgblock_0006: Container creation blocked based on blacklist
  • imgblock_0007: Container mount proc blocking
  • imgblock_0008: Container seccomp unconfined blocking
  • imgblock_0009: Container privilege blocking
  • imgblock_0010: Container capabilities blocking

event_type | Integer | Event type. Its value can be:
  • 1001: Common malware
  • 1002: Virus
  • 1003: Worm
  • 1004: Trojan
  • 1005: Botnet
  • 1006: Backdoor
  • 1010: Rootkit
  • 1011: Ransomware
  • 1012: Hacker tool
  • 1015: Web shell
  • 1016: Mining
  • 1017: Reverse shell
  • 2001: Common vulnerability exploit
  • 2012: Remote code execution
  • 2047: Redis vulnerability exploit
  • 2048: Hadoop vulnerability exploit
  • 2049: MySQL vulnerability exploit
  • 3002: File privilege escalation
  • 3003: Process privilege escalation
  • 3004: Critical file change
  • 3005: File/directory change
  • 3007: Abnormal process behavior
  • 3015: High-risk command execution
  • 3018: Abnormal shell
  • 3027: Suspicious crontab task
  • 3029: System protection disabled
  • 3030: Backup deletion
  • 3031: Suspicious registry operations
  • 3036: Container image blocking
  • 4002: Brute-force attack
  • 4004: Abnormal login
  • 4006: Invalid accounts
  • 4014: Account added
  • 4020: Password theft
  • 6002: Port scan
  • 6003: Server scan
  • 13001: Kubernetes event deletion
  • 13002: Abnormal pod behavior
  • 13003: Enumerating user information
  • 13004: Cluster role binding

event_name | String | Event name
severity | String | Threat level. Its value can be:
  • Security
  • Low
  • Medium
  • High
  • Critical

container_name | String | Container instance name. This parameter is available only for container alarms.
image_name | String | Image name. This parameter is available only for container alarms.
host_name | String | Server name
host_id | String | Host ID
private_ip | String | Server private IP address
public_ip | String | Elastic IP address
os_type | String | OS type. Its value can be:
  • Linux
  • Windows

host_status | String | Server status. The options are as follows:
  • ACTIVE
  • SHUTOFF
  • BUILDING
  • ERROR

agent_status | String | Agent status. Its value can be:
  • installed
  • not_installed
  • online
  • offline
  • install_failed
  • installing

protect_status | String | Protection status. Its value can be:
  • closed
  • opened

asset_value | String | Asset importance. The options are as follows:
  • important
  • common
  • test

attack_phase | String | Attack phase. Its value can be:
  • reconnaissance
  • weaponization
  • delivery
  • exploit
  • installation
  • command_and_control
  • actions

attack_tag | String | Attack tag. Its value can be:
  • attack_success
  • attack_attempt
  • attack_blocked
  • abnormal_behavior
  • collapsible_host
  • system_vulnerability

occur_time | Integer | Occurrence time, accurate to milliseconds.
handle_time | Integer | Handling time, in milliseconds. This parameter is available only for handled alarms.
handle_status | String | Processing status. Its value can be:
  • unhandled
  • handled

handle_method | String | Handling method. This parameter is available only for handled alarms. The options are as follows:
  • mark_as_handled
  • ignore
  • add_to_alarm_whitelist
  • add_to_login_whitelist
  • isolate_and_kill

handler | String | Remarks. This parameter is available only for handled alarms.
recommendation | String | Handling suggestion
description | String | Alarm description
event_abstract | String | Alarm summary
event_count | Integer | Event occurrences

Table 7 AntivirusResultDetailInfo

Parameter | Type | Description
result_id | String | Result ID of virus scanning and removal
malware_name | String | Virus name
file_path | String | File path
file_hash | String | File hash
file_size | Integer | File size
file_owner | String | File owner
file_attr | String | File attribute
file_ctime | Integer | File creation time
file_mtime | Integer | File update time
update_time | Integer | Update time, in milliseconds
agent_id | String | Agent ID

Example Requests

Query the first 10 isolated files.

GET https://{endpoint}/v5/{project_id}/event/isolated-file?limit=10&offset=0&enterprise_project_id=xxx

Example Responses

Status code: 200

Request succeeded.

{
  "data_list" : [ {
    "file_attr" : "0",
    "file_hash" : "58693382bc0c9f60ef86e5b37cf3c2f3a9c9ec46936901eaa9131f7ee4a09bde",
    "file_path" : "C:\\Users\\Public\\Public Docker\\system32.exe",
    "os_type" : "Linux",
    "host_id" : "5a41ca47-8ea7-4a65-a8fb-950d03d8638e",
    "host_name" : "ecs-wi-800211",
    "isolation_status" : "isolated",
    "private_ip" : "127.0.0.2",
    "public_ip" : "127.0.0.1",
    "asset_value" : "common",
    "update_time" : 1698304933717,
    "agent_version" : "3.2.10",
    "isolate_source" : "event",
    "event_name" : "Spyware",
    "antivirus_result_info" : {
      "result_id" : "5a41ca47-8ea7-4a65-a8fb-950d03d8638e",
      "malware_name" : "Win32.Virus.Hidrag",
      "file_attr" : "0",
      "file_hash" : "58693382bc0c9f60ef86e5b37cf3c2f3a9c9ec46936901eaa9131f7ee4a09bde",
      "file_path" : "C:\\Users\\Public\\Public Docker\\system32.exe",
      "file_size" : 58460,
      "file_owner" : "Administrators",
      "file_ctime" : 1700039800,
      "file_mtime" : 1700039800,
      "update_time" : 1698304933717,
      "agent_id" : "5a41ca47-8ea7-4a65-a8fb-950d03d8638e"
    },
    "agent_event_info" : {
      "attack_phase" : "exploit",
      "attack_tag" : "abnormal_behavior",
      "event_class_id" : "login_1002",
      "event_id" : "d8a12cf7-6a43-4cd6-92b4-aabf1e917",
      "event_name" : "different locations",
      "event_type" : 4004,
      "handle_status" : "unhandled",
      "host_name" : "xxx",
      "occur_time" : 1661593036627,
      "private_ip" : "127.0.0.1",
      "severity" : "Medium",
      "os_type" : "Linux",
      "agent_status" : "online",
      "asset_value" : "common",
      "protect_status" : "opened",
      "host_status" : "ACTIVE",
      "description" : "",
      "event_abstract" : "",
      "image_name" : "image",
      "container_name" : "test",
      "host_id" : "5a41ca47-8ea7-4a65-a8fb-950d03d8638e",
      "public_ip" : "127.0.0.2",
      "handle_time" : 1698304933717,
      "handle_method" : "ignore",
      "recommendation" : "Handling suggestion",
      "event_count" : 1
    }
  } ],
  "total_num" : 1
}
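The following Python script is an added example, not code from this page or from a Huawei Cloud SDK. It shows how a responder would consume this API end to end: build the documented GET request (path, `limit`/`offset`/`enterprise_project_id` query parameters, `X-Auth-Token` and `region` headers), page through `data_list` until `total_num` records have been seen, and validate each record against the documented `isolation_status` values and the SHA-256 form of `file_hash` before acting on it. The function names (`parse_isolated_files`, `iter_all_pages`, `make_http_fetcher`, `status_counts`) are the example's own; `endpoint`, `project_id`, `token` and `region` are placeholders the caller supplies, and `SAMPLE_BODY` is a constructed, trimmed copy of the page's example response so the parsing runs offline.

```python
"""Added example: paginate and validate the HSS isolated-file listing (not Huawei's SDK)."""
import json
import re
import urllib.parse
import urllib.request
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Iterator

# Documented isolation_status values (Table 5) and the hex form of a SHA-256 file_hash.
ISOLATION_STATES = {"isolated", "restored", "isolating", "restoring"}
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")

@dataclass(frozen=True)
class IsolatedFile:
    host_name: str
    host_id: str
    os_type: str
    file_path: str
    file_hash: str
    isolation_status: str
    isolate_source: str
    event_name: str
    updated_at: datetime

def parse_isolated_files(body: dict) -> list:
    """Turn one response body (Tables 4 and 5) into records. An undocumented status
    or a malformed hash raises instead of being passed on silently."""
    records = []
    for item in body.get("data_list", []):
        status = item.get("isolation_status")
        if status not in ISOLATION_STATES:
            raise ValueError(f"undocumented isolation_status: {status!r}")
        digest = str(item.get("file_hash", "")).lower()
        if not SHA256_HEX.match(digest):
            raise ValueError(f"file_hash is not a SHA-256 hex digest: {digest!r}")
        records.append(IsolatedFile(
            host_name=item.get("host_name", ""), host_id=item.get("host_id", ""),
            os_type=item.get("os_type", ""), file_path=item.get("file_path", ""),
            file_hash=digest, isolation_status=status,
            isolate_source=item.get("isolate_source", ""), event_name=item.get("event_name", ""),
            # update_time is documented as milliseconds since the epoch.
            updated_at=datetime.fromtimestamp(item["update_time"] / 1000, tz=timezone.utc),
        ))
    return records

def iter_all_pages(fetch_page: Callable[[int, int], dict], limit: int = 100) -> Iterator[dict]:
    """Walk offset/limit pagination until total_num entries have been returned.
    fetch_page(offset, limit) returns one decoded response body."""
    offset = 0
    while True:
        body = fetch_page(offset, limit)
        items = body.get("data_list", [])
        yield from items
        offset += len(items)
        if not items or offset >= body.get("total_num", 0):
            return

def make_http_fetcher(endpoint: str, project_id: str, token: str, region: str,
                      enterprise_project_id: str = "all_granted_eps") -> Callable[[int, int], dict]:
    """Build a fetch_page callable that issues the documented GET request.
    The caller supplies a valid X-Auth-Token obtained from IAM (placeholder here)."""
    def fetch_page(offset: int, limit: int) -> dict:
        query = urllib.parse.urlencode({"limit": limit, "offset": offset,
                                        "enterprise_project_id": enterprise_project_id})
        url = f"https://{endpoint}/v5/{project_id}/event/isolated-file?{query}"
        req = urllib.request.Request(url, headers={"X-Auth-Token": token, "region": region})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_page

def status_counts(records: list) -> dict:
    """Count records per isolation_status, e.g. to alert on transitions that never finish."""
    return dict(Counter(r.isolation_status for r in records))

# Constructed sample, trimmed from the page's example response; not a live API result.
SAMPLE_BODY = {
    "total_num": 1,
    "data_list": [{
        "file_hash": "58693382bc0c9f60ef86e5b37cf3c2f3a9c9ec46936901eaa9131f7ee4a09bde",
        "file_path": "C:\\Users\\Public\\Public Docker\\system32.exe",
        "os_type": "Linux", "host_id": "5a41ca47-8ea7-4a65-a8fb-950d03d8638e",
        "host_name": "ecs-wi-800211", "isolation_status": "isolated",
        "update_time": 1698304933717, "isolate_source": "event", "event_name": "Spyware",
    }],
}

if __name__ == "__main__":
    recs = parse_isolated_files(SAMPLE_BODY)
    print(status_counts(recs), [r.updated_at.isoformat() for r in recs])
```

Against a live deployment, wrap the fetcher and iterator together: `iter_all_pages(make_http_fetcher(endpoint, project_id, token, region), limit=100)` yields every raw record, and `parse_isolated_files({"data_list": list(...)})` validates them before they reach a ticketing or SIEM pipeline. Treating an unknown `isolation_status` as an error rather than ignoring it is deliberate: a record outside the documented enum usually means the agent or API version differs from the one the tooling was written against.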

Status Codes

Status Code | Description
200 | Request succeeded.

Error Codes

See Error Codes.