Help Center/ Host Security Service/ API Reference/ API Description/ Intrusion Detection/ Handling Alarm Events
Updated on 2026-04-03 GMT+08:00
View PDF
Share

Handling Alarm Events

Function

This API is used to handle alarm events.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

  • If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
  • If you are using identity policy-based authorization, no identity policy-based permission required for calling this API.

URI

POST /v5/{project_id}/event/operate

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

project_id

Yes

String

Project ID
Table 2 Query Parameters

Parameter

Mandatory

Type

Description

enterprise_project_id

No

String

ID of the enterprise project that a server belongs.

An enterprise project can be configured only after the enterprise project function is enabled.

Enterprise project ID. The value 0 indicates the default enterprise project. To query servers in all enterprise projects, set this parameter to all_granted_eps. If you have only the permission on an enterprise project, you need to transfer the enterprise project ID to query the server in the enterprise project. Otherwise, an error is reported due to insufficient permission.

container_name

No

String

Container instance name

container_id

No

String

Container ID

Request Parameters

Table 3 Request header parameters

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

User token.

It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token.

region

No

String

Region ID
Table 4 Request body parameters

Parameter

Mandatory

Type

Description

operate_type

Yes

String

Definition

Handling method.

Range

  • mark_as_handled: Mark as handled

  • ignore: Ignore

  • add_to_alarm_whitelist: Add to alarm whitelist

  • add_to_login_whitelist: Add to login whitelist

  • isolate_and_kill: Isolate and kill

  • unhandle: Cancel manual handling

  • do_not_ignore: Unignore

  • remove_from_alarm_whitelist: Remove from the alarm whitelist

  • remove_from_login_whitelist: Remove from the login whitelist

  • do_not_isolate_or_kill: Cancel isolation and killing

handler

No

String

Definition

Remarks. This parameter is available only for handled alarms.

Range

The value can contain 1 to 256 characters.

operate_event_list

Yes

Array of OperateEventRequestInfo objects

Operated event list

event_white_rule_list

No

Array of EventWhiteRuleListRequestInfo objects

User-defined alarm whitelist
Table 5 OperateEventRequestInfo

Parameter

Mandatory

Type

Description

event_class_id

Yes

String

Definition

Event Category

Range

  • container_1001: container namespace

  • container_1002: container open port

  • container_1003: container security option

  • container_1004: container mount directory

  • containerescape_0001: high-risk system call

  • containerescape_0002: shocker attack

  • containerescape_0003: Dirty Cow attack

  • containerescape_0004: container file escape

  • dockerfile_001: modification of user-defined protected container file

  • dockerfile_002: modification of executable files in the container file system

  • dockerproc_001: abnormal container process

  • fileprotect_0001: file privilege escalation

  • fileprotect_0002: critical file change

  • fileprotect_0003: critical file path change

  • fileprotect_0004: file/directory change

  • av_1002: virus

  • av_1003: worm

  • av_1004: Trojan

  • av_1005: botnet

  • av_1006: backdoor

  • av_1007: spyware

  • av_1008: adware

  • av_1009: phishing

  • av_1010: rootkit

  • av_1011: ransomware

  • av_1012: hacker tool

  • av_1013: grayware

  • av_1015: web shell

  • av_1016: mining software

  • login_0001: brute-force attack attempt

  • login_0002: successful brute-force attack

  • login_1001: successful login

  • login_1002: remote login

  • login_1003: weak password

  • malware_0001: shell change event

  • malware_0002: reverse shell event

  • malware_1001: malicious program

  • procdet_0001: abnormal process behavior

  • procdet_0002: process privilege escalation

  • procreport_0001: risky command

  • user_1001: account change

  • user_1002: risky account

  • vmescape_0001: VM sensitive command execution

  • vmescape_0002: access from virtualization process to sensitive file

  • vmescape_0003: abnormal VM port access

  • webshell_0001: web shell

  • network_1001: mining

  • network_1002: servers exploited to launch DDoS attacks

  • network_1003: malicious scan

  • network_1004: attack in sensitive areas

  • ransomware_0001: ransomware attack

  • ransomware_0002: ransomware attack

  • ransomware_0003: ransomware attack

  • fileless_0001: process injection

  • fileless_0002: dynamic library injection

  • fileless_0003: critical configuration change

  • fileless_0004: environment variable change

  • fileless_0005: memory file process

  • fileless_0006: VDSO hijacking

  • crontab_1001: suspicious crontab task

  • vul_exploit_0001: Redis vulnerability exploit

  • vul_exploit_0002: Hadoop vulnerability exploit

  • vul_exploit_0003: MySQL vulnerability exploit

  • rootkit_0001: suspicious rootkit file

  • rootkit_0002: suspicious kernel module

  • RASP_0004: web shell upload

  • RASP_0018: fileless web shell

  • blockexec_001: known ransomware attack

  • hips_0001: Windows Defender disabled

  • hips_0002: suspicious hacker tool

  • hips_0003: suspicious ransomware encryption behavior

  • hips_0004: hidden account creation

  • hips_0005: user password and credential reading

  • hips_0006: suspicious SAM file export

  • hips_0007: suspicious shadow copy deletion

  • hips_0008: backup file deletion

  • hips_0009: registry operation probably performed by ransomware

  • hips_0010: suspicious abnormal process

  • hips_0011: suspicious scan

  • hips_0012: suspicious ransomware script execution

  • hips_0013: suspicious mining command execution

  • hips_0014: suspicious Windows security center disabling

  • hips_0015: suspicious firewall disabling

  • hips_0016: suspicious disabling of system automatic recovery

  • hips_0017: executable file creation in Office

  • hips_0018: abnormal file creation with macros in Office

    • hips_0019: suspicious registry operation

    • hips_0020: Confluence remote code execution

    • hips_0021: MSDT remote code execution

    • portscan_0001: common port scan

    • portscan_0002: secret port scan

    • k8s_1001: Kubernetes event deletion

    • k8s_1002: privileged pod creation

    • k8s_1003: interactive shell used in pod

    • k8s_1004: pod created with sensitive directory

    • k8s_1005: pod created with server network

    • k8s_1006: pod created with host PID space

    • k8s_1007: authentication failure when common pods access API server

    • k8s_1008: API server access from common pod using cURL

    • k8s_1009: exec in system management space

    • k8s_1010: pod created in management space

    • k8s_1011: static pod creation

    • k8s_1012: DaemonSet creation

    • k8s_1013: scheduled cluster task creation

    • k8s_1014: operation on secrets

    • k8s_1015: allowed operation enumeration

    • k8s_1016: high privilege RoleBinding or ClusterRoleBinding

    • k8s_1017: ServiceAccount creation

    • k8s_1018: Cronjob creation

    • k8s_1019: interactive shell used for exec in pods

    • k8s_1020: unauthorized access to API server

    • k8s_1021: access to API server with curl

    • k8s_1022: Ingress vulnerability

    • k8s_1023: man-in-the-middle (MITM) attack

    • k8s_1024: worm, mining, or Trojan

    • k8s_1025: K8s event deletion

    • k8s_1026: SelfSubjectRulesReview

    • imgblock_0001: image blocking based on whitelist

    • imgblock_0002: image blocking based on blacklist

    • imgblock_0003: image tag blocking based on whitelist

    • imgblock_0004: image tag blocking based on blacklist

    • imgblock_0005: container creation blocked based on whitelist

    • imgblock_0006: container creation blocked based on blacklist

    • imgblock_0007: container mount proc

    • imgblock_0008: container seccomp unconfined

    • imgblock_0009: container privilege blocking

    • imgblock_0010: container capabilities blocking

event_id

Yes

String

Definition

Event ID.

Range

The value can contain 1 to 64 characters.

event_type

Yes

Integer

Definition

Event type.

Range

  • 1001: common malware

  • 1002: virus

  • 1003: worm

  • 1004: Trojan

  • 1005: botnet

  • 1006: backdoor

  • 1010: rootkit

  • 1011: ransomware

  • 1012: hacker tool

  • 1015: web shell

  • 1016: mining

  • 1017: reverse shell

  • 2001: common vulnerability exploit

  • 2012: remote code execution

  • 2047: Redis vulnerability exploit

  • 2048: Hadoop vulnerability exploit

  • 2049: MySQL vulnerability exploit

  • 3002: file privilege escalation

  • 3003: process privilege escalation

  • 3004: critical file change

  • 3005: file/directory change

  • 3007: abnormal process behavior

  • 3015: high-risk command execution

  • 3018: abnormal shell

  • 3027: suspicious crontab task

  • 3029: system protection disabled

  • 3030: backup deletion

  • 3031: suspicious registry operations

  • 3036: container image blocking

  • 4002: brute-force attack

  • 4004: abnormal login

  • 4006: invalid accounts

  • 4014: account added

  • 4020: password theft

  • 6002: port scan

  • 6003: server scan

  • 13001: Kubernetes event deletion

  • 13002: abnormal pod behavior

  • 13003: user information enumeration

  • 13004: cluster role binding

occur_time

Yes

Integer

Definition

Occurrence time, accurate to milliseconds

Range

The value ranges from 0 to 9223372036854775807. The time format is a timestamp (UTC time zone, starting from 1970-01-01 00:00:00), in milliseconds.

operate_detail_list

Yes

Array of EventDetailRequestInfo objects

Operation details. If operate_type is set to add_to_alarm_whitelist or remove_from_alarm_whitelist, keyword and hash are mandatory. If operate_type is set to add_to_login_whitelist or remove_from_login_whitelist, login_ip, private_ip, and login_user_name are mandatory. If operate_type is set to isolate_and_kill or do_not_isolate_or_kill, agent_id, file_hash, file_path, and process_pid are mandatory. In other cases, this parameter is optional.
Table 6 EventDetailRequestInfo

Parameter

Mandatory

Type

Description

agent_id

No

String

Definition

Unique ID of the antivirus agent installed on a server, which is used to associate the server with the antivirus service.

Constraints

N/A

Range

The value can contain 1 to 64 characters.

Default Value

N/A

process_pid

No

Integer

Definition

Process ID.

Range

The value range is 0 to 2,147,483,647.

file_hash

No

String

Definition

File hash.

Range

The value can contain 1 to 256 characters.

file_path

No

String

Definition

File path.

Range

The value can contain 1 to 256 characters.

file_attr

No

String

Definition

System attributes of a file (such as read and write permissions, hidden attributes, and execution permissions).

Range

The value can contain 1 to 256 characters.

keyword

No

String

Definition

Alarm event keyword, which is used only for the alarm whitelist.

Range

The value can contain 1 to 256 characters.

hash

No

String

Definition

Alarm event hash, which is used only for the alarm whitelist.

Range

The value can contain 1 to 256 characters.

private_ip

No

String

Definition

Server private IP address.

Range

The value can contain 1 to 128 characters.

login_ip

No

String

Definition

Login source IP address.

Range

The value can contain 1 to 256 characters.

login_user_name

No

String

Definition

Login username.

Range

The value can contain 1 to 256 characters.

container_id

No

String

Container ID

container_name

No

String

Container name
Table 7 EventWhiteRuleListRequestInfo

Parameter

Mandatory

Type

Description

event_type

Yes

Integer

Definition

Event type.

Range

  • 1001: common malware

  • 1002: virus

  • 1003: worm

  • 1004: Trojan

  • 1005: botnet

  • 1006: backdoor

  • 1010: rootkit

  • 1011: ransomware

  • 1012: hacker tool

  • 1015: web shell

  • 1016: mining

  • 1017: reverse shell

  • 2001: common vulnerability exploit

  • 2012: remote code execution

  • 2047: Redis vulnerability exploit

  • 2048: Hadoop vulnerability exploit

  • 2049: MySQL vulnerability exploit

  • 3002: file privilege escalation

  • 3003: process privilege escalation

  • 3004: critical file change

  • 3005: file/directory change

  • 3007: abnormal process behavior

  • 3015: high-risk command execution

  • 3018: abnormal shell

  • 3027: suspicious crontab task

  • 3029: system protection disabled

  • 3030: backup deletion

  • 3031: suspicious registry operations

  • 3036: container image blocking

  • 4002: brute-force attack

  • 4004: abnormal login

  • 4006: invalid accounts

  • 4014: account added

  • 4020: password theft

  • 6002: port scan

  • 6003: server scan

  • 13001: Kubernetes event deletion

  • 13002: abnormal pod behavior

  • 13003: user information enumeration

  • 13004: cluster role binding

field_key

Yes

String

Definition

Whitelist field.

Range

  • file/process hash: file or process hash

  • file_path: file path

  • process_path: process path

  • login_ip: login IP address

  • reg_key: registry key

  • process_cmdline: process command line

  • username: username

field_value

Yes

String

Whitelist field value

judge_type

Yes

String

Definition

Wildcard.

Range

  • equal

  • contain

Response Parameters

Status code: 200

Request succeeded.

None

Example Requests

Manually handle the intrusion alarms whose alarm event type is Rootkit and alarm event ID is 2a71e1e2-60f4-4d56-b314-2038fdc39de6.

POST https://{endpoint}/v5/{project_id}/event/operate?enterprise_project_id=xxx

{
  "operate_type" : "mark_as_handled",
  "handler" : "test",
  "operate_event_list" : [ {
    "event_class_id" : "rootkit_0001",
    "event_id" : "2a71e1e2-60f4-4d56-b314-2038fdc39de6",
    "occur_time" : 1672046760353,
    "event_type" : 1010,
    "operate_detail_list" : [ {
      "agent_id" : "c9bed5397db449ebdfba15e85fcfc36accee125c68954daf5cab0528bab59bd8",
      "file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "file_path" : "/usr/test",
      "process_pid" : 3123,
      "file_attr" : 33261,
      "keyword" : "file_path=/usr/test",
      "hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "login_ip" : "127.0.0.1",
      "private_ip" : "127.0.0.2",
      "login_user_name" : "root",
      "container_id" : "containerid",
      "container_name" : "/test"
    } ]
  } ]
}

Example Responses

None

Status Codes

Status Code

Description

200

Request succeeded.

Error Codes

See Error Codes.

Parent Topic: Intrusion Detection