Updated on 2024-11-19 GMT+08:00

Handling Alarm Events

Function

This API is used to handle alarm events.

Calling Method

For details, see Calling APIs.

URI

POST /v5/{project_id}/event/operate

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

project_id

Yes

String

Project ID

Table 2 Query Parameters

Parameter

Mandatory

Type

Description

enterprise_project_id

No

String

Enterprise project ID. To query all enterprise projects, set this parameter to all_granted_eps.

container_name

No

String

Container instance name

container_id

No

String

Container ID

Request Parameters

Table 3 Request header parameters

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

User token.

It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token.

region

Yes

String

Region ID

Table 4 Request body parameters

Parameter

Mandatory

Type

Description

operate_type

Yes

String

Handling method. Its value can be:

  • mark_as_handled

  • ignore

  • add_to_alarm_whitelist

  • add_to_login_whitelist

  • isolate_and_kill

  • unhandle

  • do_not_ignore

  • remove_from_alarm_whitelist

  • remove_from_login_whitelist

  • do_not_isolate_or_kill

handler

No

String

Remarks. This parameter is available only for handled alarms.

operate_event_list

Yes

Array of OperateEventRequestInfo objects

Operated event list

event_white_rule_list

No

Array of EventWhiteRuleListRequestInfo objects

User-defined alarm whitelist

Table 5 OperateEventRequestInfo

Parameter

Mandatory

Type

Description

event_class_id

Yes

String

Event category. Its value can be:

  • container_1001: Container namespace

  • container_1002: Container open port

  • container_1003: Container security option

  • container_1004: Container mount directory

  • containerescape_0001: High-risk system call

  • containerescape_0002: Shocker attack

  • containerescape_0003: Dirty Cow attack

  • containerescape_0004: Container file escape

  • dockerfile_001: Modification of user-defined protected container file

  • dockerfile_002: Modification of executable files in the container file system

  • dockerproc_001: Abnormal container process

  • fileprotect_0001: File privilege escalation

  • fileprotect_0002: Key file change

  • fileprotect_0003: AuthorizedKeysFile path change

  • fileprotect_0004: File directory change

  • login_0001: Brute-force attack attempt

  • login_0002: Brute-force attack succeeded

  • login_1001: Succeeded login

  • login_1002: Remote login

  • login_1003: Weak password

  • malware_0001: Shell change

  • malware_0002: Reverse shell

  • malware_1001: Malicious program

  • procdet_0001: Abnormal process behavior

  • procdet_0002: Process privilege escalation

  • procreport_0001: High-risk command

  • user_1001: Account change

  • user_1002: Unsafe account

  • vmescape_0001: Sensitive command executed on VM

  • vmescape_0002: Sensitive file accessed by virtualization process

  • vmescape_0003: Abnormal VM port access

  • webshell_0001: Web shell

  • network_1001: Mining

  • network_1002: DDoS attacks

  • network_1003: Malicious scanning

  • network_1004: Attack in sensitive areas

  • ransomware_0001: ransomware attack

  • ransomware_0002: ransomware attack

  • ransomware_0003: ransomware attack

  • fileless_0001: process injection

  • fileless_0002: dynamic library injection

  • fileless_0003: key configuration change

  • fileless_0004: environment variable change

  • fileless_0005: memory file process

  • fileless_0006: VDSO hijacking

  • crontab_1001: suspicious crontab task

  • vul_exploit_0001: Redis vulnerability exploit

  • vul_exploit_0002: Hadoop vulnerability exploit

  • vul_exploit_0003: MySQL vulnerability exploit

  • rootkit_0001: suspicious rootkit file

  • rootkit_0002: suspicious kernel module

  • RASP_0004: web shell upload

  • RASP_0018: fileless web shell

  • blockexec_001: known ransomware attack

  • hips_0001: Windows Defender disabled

  • hips_0002: suspicious hacker tool

  • hips_0003: suspicious ransomware encryption behavior

  • hips_0004: hidden account creation

  • hips_0005: user password and credential reading

  • hips_0006: suspicious SAM file export

  • hips_0007: suspicious shadow copy deletion

  • hips_0008: backup file deletion

  • hips_0009: registry of suspicious ransomware

  • hips_0010: suspicious abnormal process

  • hips_0011: suspicious scan

  • hips_0012: suspicious ransomware script running

  • hips_0013: suspicious mining command execution

  • hips_0014: suspicious windows security center disabling

  • hips_0015: suspicious behavior of disabling the firewall service

  • hips_0016: suspicious system automatic recovery disabling

  • hips_0017: executable file execution in Office

  • hips_0018: abnormal file creation with macros in Office

  • hips_0019: suspicious registry operation

  • hips_0020: Confluence remote code execution

  • hips_0021: MSDT remote code execution

  • portscan_0001: common port scan

  • portscan_0002: secret port scan

  • k8s_1001: Kubernetes event deletion

  • k8s_1002: privileged pod creations

  • k8s_1003: interactive shell used in pod

  • k8s_1004: pod created with sensitive directory

  • k8s_1005: pod created with server network

  • k8s_1006: pod created with host PID space

  • k8s_1007: authentication failure when common pods access API server

  • k8s_1008: API server access from common pod using cURL

  • k8s_1009: exec in system management space

  • k8s_1010: pod created in management space

  • k8s_1011: static pod creation

  • k8s_1012: DaemonSet creation

  • k8s_1013: scheduled cluster task creation

  • k8s_1014: operation on secrets

  • k8s_1015: allowed operation enumeration

  • k8s_1016: high privilege RoleBinding or ClusterRoleBinding

  • k8s_1017: ServiceAccount creation

  • k8s_1018: Cronjob creation

  • k8s_1019: interactive shell used for exec in pods

  • k8s_1020: unauthorized access to API server

  • k8s_1021: access to API server with curl

  • k8s_1022: Ingress vulnerability

  • k8s_1023: man-in-the-middle (MITM) attack

  • k8s_1024: worm, mining, or Trojan

  • k8s_1025: K8s event deletion

  • k8s_1026: SelfSubjectRulesReview

  • imgblock_0001: image blocking based on whitelist

  • imgblock_0002: image blocking based on blacklist

  • imgblock_0003: image tag blocking based on whitelist

  • imgblock_0004: image tag blocking based on blacklist

  • imgblock_0005: container creation blocked based on whitelist

  • imgblock_0006: container creation blocked based on blacklist

  • imgblock_0007: container mount proc blocking

  • imgblock_0008: container seccomp unconfined blocking

  • imgblock_0009: container privilege blocking

  • imgblock_0010: container capabilities blocking

event_id

Yes

String

Event ID

event_type

Yes

Integer

Event type. Its value can be:

  • 1001: common malware

  • 1002: virus

  • 1003: worm

  • 1004: Trojan

  • 1005: botnet

  • 1006: backdoor

  • 1010 : Rootkit

  • 1011: ransomware

  • 1012: hacker tool

  • 1015 : web shell

  • 1016: mining

  • 1017: reverse shell

  • 2001: common vulnerability exploit

  • 2012: remote code execution

  • 2047: Redis vulnerability exploit

  • 2048: Hadoop vulnerability exploit

  • 2049: MySQL vulnerability exploit

  • 3002: file privilege escalation

  • 3003: process privilege escalation

  • 3004: critical file change

  • 3005: file/directory change

  • 3007: abnormal process behavior

  • 3015: high-risk command execution

  • 3018: abnormal shell

  • 3027: suspicious crontab task

  • 3029: system protection disabled

  • 3030: backup deletion

  • 3031: suspicious registry operations

  • 3036: container image blocking

  • 4002: brute-force attack

  • 4004: abnormal login

  • 4006: invalid accounts

  • 4014: account added

  • 4020: password theft

  • 6002: port scan

  • 6003: server scan

  • 13001: Kubernetes event deletion

  • 13002: abnormal pod behavior

  • 13003: enumerating user information

  • 13004: cluster role binding

occur_time

Yes

Integer

Occurrence time, accurate to milliseconds.

operate_detail_list

Yes

Array of EventDetailRequestInfo objects

Operation details list. If operate_type is set to add_to_alarm_whitelist or remove_from_alarm_whitelist, keyword and hash are mandatory. If operate_type is set to add_to_login_whitelist or remove_from_login_whitelist, the login_ip, private_ip, and login_user_name parameters are mandatory. If operate_type is set to isolate_and_kill or do_not_isolate_or_kill, the agent_id, file_hash, file_path, and process_pid parameters are mandatory. In other cases, the parameters are optional.

Table 6 EventDetailRequestInfo

Parameter

Mandatory

Type

Description

agent_id

No

String

Agent ID

process_pid

No

Integer

Process ID

file_hash

No

String

File hash

file_path

No

String

File path

file_attr

No

String

File attribute

keyword

No

String

Alarm event keyword, which is used only for the alarm whitelist.

hash

No

String

Alarm event hash, which is used only for the alarm whitelist.

private_ip

No

String

Server private IP address

login_ip

No

String

Login source IP address

login_user_name

No

String

Login username

container_id

No

String

Container ID

container_name

No

String

Container name

Table 7 EventWhiteRuleListRequestInfo

Parameter

Mandatory

Type

Description

event_type

Yes

Integer

Event type. Its value can be:

  • 1001: common malware

  • 1002: virus

  • 1003: worm

  • 1004: Trojan

  • 1005: botnet

  • 1006: backdoor

  • 1010 : Rootkit

  • 1011: ransomware

  • 1012: hacker tool

  • 1015 : web shell

  • 1016: mining

  • 1017: reverse shell

  • 2001: common vulnerability exploit

  • 2012: remote code execution

  • 2047: Redis vulnerability exploit

  • 2048: Hadoop vulnerability exploit

  • 2049: MySQL vulnerability exploit

  • 3002: file privilege escalation

  • 3003: process privilege escalation

  • 3004: critical file change

  • 3005: file/directory change

  • 3007: abnormal process behavior

  • 3015: high-risk command execution

  • 3018: abnormal shell

  • 3027: suspicious crontab task

  • 3029: system protection disabled

  • 3030: backup deletion

  • 3031: suspicious registry operations

  • 3036: container image blocking

  • 4002: brute-force attack

  • 4004: abnormal login

  • 4006: invalid accounts

  • 4014: account added

  • 4020: password theft

  • 6002: port scan

  • 6003: server scan

  • 13001: Kubernetes event deletion

  • 13002: abnormal pod behavior

  • 13003: enumerating user information

  • 13004: cluster role binding

field_key

Yes

String

Whitelist fields. The options are as follows:

  • "file/process hash" # process/file hash

  • "file_path"

  • "process_path"

  • "login_ip": login IP address

  • "reg_key": registry key

  • "process_cmdline": process command line

  • "username"

field_value

Yes

String

Whitelist field value

judge_type

Yes

String

Wildcard. The options are as follows:

  • "equal"

  • "contain"

Response Parameters

None

Example Requests

Manually handle the intrusion alarms whose alarm event type is Rootkit and alarm event ID is 2a71e1e2-60f4-4d56-b314-2038fdc39de6.

POST https://{endpoint}/v5/{project_id}/event/operate?enterprise_project_id=xxx

{
  "operate_type" : "mark_as_handled",
  "handler" : "test",
  "operate_event_list" : [ {
    "event_class_id" : "rootkit_0001",
    "event_id" : "2a71e1e2-60f4-4d56-b314-2038fdc39de6",
    "occur_time" : 1672046760353,
    "event_type" : 1010,
    "operate_detail_list" : [ {
      "agent_id" : "c9bed5397db449ebdfba15e85fcfc36accee125c68954daf5cab0528bab59bd8",
      "file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "file_path" : "/usr/test",
      "process_pid" : 3123,
      "file_attr" : 33261,
      "keyword" : "file_path=/usr/test",
      "hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "login_ip" : "127.0.0.1",
      "private_ip" : "127.0.0.2",
      "login_user_name" : "root",
      "container_id" : "containerid",
      "container_name" : "/test"
    } ]
  } ]
}

Example Responses

None

SDK Sample Code

The SDK sample code is as follows.

Manually handle the intrusion alarms whose alarm event type is Rootkit and alarm event ID is 2a71e1e2-60f4-4d56-b314-2038fdc39de6.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.hss.v5.region.HssRegion;
import com.huaweicloud.sdk.hss.v5.*;
import com.huaweicloud.sdk.hss.v5.model.*;

import java.util.List;
import java.util.ArrayList;

public class ChangeEventSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        HssClient client = HssClient.newBuilder()
                .withCredential(auth)
                .withRegion(HssRegion.valueOf("<YOUR REGION>"))
                .build();
        ChangeEventRequest request = new ChangeEventRequest();
        ChangeEventRequestInfo body = new ChangeEventRequestInfo();
        [](model.EventDetailRequestInfo) listOperateEventListOperateDetailList = new ArrayList<>();
        listOperateEventListOperateDetailList.add(
            new EventDetailRequestInfo()
                .withAgentId("c9bed5397db449ebdfba15e85fcfc36accee125c68954daf5cab0528bab59bd8")
                .withProcessPid(3123)
                .withFileHash("e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d")
                .withFilePath("/usr/test")
                .withFileAttr("33261")
                .withKeyword("file_path=/usr/test")
                .withHash("e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d")
                .withPrivateIp("127.0.0.2")
                .withLoginIp("127.0.0.1")
                .withLoginUserName("root")
                .withContainerId("containerid")
                .withContainerName("/test")
        );
        [](model.OperateEventRequestInfo) listbodyOperateEventList = new ArrayList<>();
        listbodyOperateEventList.add(
            new OperateEventRequestInfo()
                .withEventClassId("rootkit_0001")
                .withEventId("2a71e1e2-60f4-4d56-b314-2038fdc39de6")
                .withEventType(1010)
                .withOccurTime(1672046760353L)
                .withOperateDetailList(listOperateEventListOperateDetailList)
        );
        body.withOperateEventList(listbodyOperateEventList);
        body.withHandler("test");
        body.withOperateType("mark_as_handled");
        request.withBody(body);
        try {
            ChangeEventResponse response = client.changeEvent(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

Manually handle the intrusion alarms whose alarm event type is Rootkit and alarm event ID is 2a71e1e2-60f4-4d56-b314-2038fdc39de6.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkhss.v5.region.hss_region import HssRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkhss.v5 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = HssClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(HssRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ChangeEventRequest()
        listOperateDetailListOperateEventList = [
            EventDetailRequestInfo(
                agent_id="c9bed5397db449ebdfba15e85fcfc36accee125c68954daf5cab0528bab59bd8",
                process_pid=3123,
                file_hash="e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
                file_path="/usr/test",
                file_attr="33261",
                keyword="file_path=/usr/test",
                hash="e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
                private_ip="127.0.0.2",
                login_ip="127.0.0.1",
                login_user_name="root",
                container_id="containerid",
                container_name="/test"
            )
        ]
        listOperateEventListbody = [
            OperateEventRequestInfo(
                event_class_id="rootkit_0001",
                event_id="2a71e1e2-60f4-4d56-b314-2038fdc39de6",
                event_type=1010,
                occur_time=1672046760353,
                operate_detail_list=listOperateDetailListOperateEventList
            )
        ]
        request.body = ChangeEventRequestInfo(
            operate_event_list=listOperateEventListbody,
            handler="test",
            operate_type="mark_as_handled"
        )
        response = client.change_event(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

Manually handle the intrusion alarms whose alarm event type is Rootkit and alarm event ID is 2a71e1e2-60f4-4d56-b314-2038fdc39de6.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    hss "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        Build()

    client := hss.NewHssClient(
        hss.HssClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.ChangeEventRequest{}
	agentIdOperateDetailList:= "c9bed5397db449ebdfba15e85fcfc36accee125c68954daf5cab0528bab59bd8"
	processPidOperateDetailList:= int32(3123)
	fileHashOperateDetailList:= "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d"
	filePathOperateDetailList:= "/usr/test"
	fileAttrOperateDetailList:= "33261"
	keywordOperateDetailList:= "file_path=/usr/test"
	hashOperateDetailList:= "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d"
	privateIpOperateDetailList:= "127.0.0.2"
	loginIpOperateDetailList:= "127.0.0.1"
	loginUserNameOperateDetailList:= "root"
	containerIdOperateDetailList:= "containerid"
	containerNameOperateDetailList:= "/test"
	var listOperateDetailListOperateEventList = []model.EventDetailRequestInfo{
        {
            AgentId: &agentIdOperateDetailList,
            ProcessPid: &processPidOperateDetailList,
            FileHash: &fileHashOperateDetailList,
            FilePath: &filePathOperateDetailList,
            FileAttr: &fileAttrOperateDetailList,
            Keyword: &keywordOperateDetailList,
            Hash: &hashOperateDetailList,
            PrivateIp: &privateIpOperateDetailList,
            LoginIp: &loginIpOperateDetailList,
            LoginUserName: &loginUserNameOperateDetailList,
            ContainerId: &containerIdOperateDetailList,
            ContainerName: &containerNameOperateDetailList,
        },
    }
	var listOperateEventListbody = []model.OperateEventRequestInfo{
        {
            EventClassId: "rootkit_0001",
            EventId: "2a71e1e2-60f4-4d56-b314-2038fdc39de6",
            EventType: int32(1010),
            OccurTime: int64(1672046760353),
            OperateDetailList: listOperateDetailListOperateEventList,
        },
    }
	handlerChangeEventRequestInfo:= "test"
	request.Body = &model.ChangeEventRequestInfo{
		OperateEventList: listOperateEventListbody,
		Handler: &handlerChangeEventRequestInfo,
		OperateType: "mark_as_handled",
	}
	response, err := client.ChangeEvent(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

Status Code

Description

200

success

400

Invalid parameter.

401

Authentication failed.

403

Insufficient permission.

404

Resource not found.

500

System error.

Error Codes

See Error Codes.