Querying the Alarm Whitelist

Function

This API is used to query the alarm whitelist.

Calling Method

For details, see Calling APIs.

URI

GET /v5/{project_id}/event/white-list/alarm

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Project ID Minimum: 20 Maximum: 64

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	Enterprise project ID. To query all enterprise projects, set this parameter to all_granted_eps. Minimum: 0 Maximum: 64
hash	No	String	Hash value of the event whitelist description (SHA256 algorithm) Minimum: 64 Maximum: 64
event_type	No	Integer	Event type. Its value can be: 1001: common malware 1002: virus 1003: worm 1004: Trojan 1005: botnet 1006: backdoor 1010 : Rootkit 1011: ransomware 1012: hacker tool 1015: Web shell 1016: mining 1017: reverse shell 2001: common vulnerability exploit 2012: remote code execution 2047: Redis vulnerability exploit 2048: Hadoop vulnerability exploit 2049: MySQL vulnerability exploit 3002: file privilege escalation 3003: process privilege escalation 3004: critical file change 3005: file/directory change 3007: abnormal process behavior 3015: high-risk command execution 3018: abnormal shell 3027: suspicious crontab task 3029: system protection disabled 3030: backup deletion 3031: suspicious registry operations 4002: brute-force attack 4004: abnormal login 4006: invalid system account 4014: account added 4020: password theft 6003: server scan Minimum: 1000 Maximum: 30000
offset	No	Integer	Offset, which specifies the start position of the record to be returned. Minimum: 0 Maximum: 2000000 Default: 0
limit	No	Integer	Number of records displayed on each page. Minimum: 10 Maximum: 1000 Default: 10

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token. Minimum: 1 Maximum: 32768
region	Yes	String	Region ID Minimum: 0 Maximum: 128

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
total_num	Integer	Total number
event_type_list	Array of integers	Types of events that can be filtered Minimum: 0 Maximum: 2147483647 Array Length: 0 - 30000
data_list	Array of AlarmWhiteListResponseInfo objects	Alarm whitelist details Array Length: 0 - 100

**Table 5** AlarmWhiteListResponseInfo
Parameter	Type	Description
enterprise_project_name	String	Enterprise project name
hash	String	Hash value of the event whitelist description (SHA256 algorithm)
description	String	Description
event_type	Integer	Event type. Its value can be: 1001: common malware 1002: virus 1003: worm 1004: Trojan 1005: botnet 1006: backdoor 1010 : Rootkit 1011: ransomware 1012: hacker tool 1015 : web shell 1016: mining 1017: reverse shell 2001: common vulnerability exploit 2012: remote code execution 2047: Redis vulnerability exploit 2048: Hadoop vulnerability exploit 2049: MySQL vulnerability exploit 3002: file privilege escalation 3003: process privilege escalation 3004: critical file change 3005: file/directory change 3007: abnormal process behavior 3015: high-risk command execution 3018: abnormal shell 3027: suspicious crontab task 3029: system protection disabled 3030: backup deletion 3031: suspicious registry operations 3036: container image blocking 4002: brute-force attack 4004: abnormal login 4006: invalid accounts 4014: account added 4020: password theft 6002: port scan 6003: server scan 13001: Kubernetes event deletion 13002: abnormal pod behavior 13003: enumerating user information 13004: cluster role binding
white_field	String	Whitelist fields. The options are as follows: "file/process hash" # process/file hash "file_path" "process_path" "login_ip" # login IP address "reg_key" # registry key "process_cmdline" # process command line "username" Minimum: 1 Maximum: 20
field_value	String	Whitelist fields value Minimum: 1 Maximum: 128
judge_type	String	Wildcard. The options are as follows: "equal" "contain" Minimum: 1 Maximum: 10
update_time	Long	Time when the event whitelist is updated, in milliseconds. Minimum: 0 Maximum: 9223372036854775807

Example Requests

Query the first 10 alarm whitelists whose enterprise project is xxx.

GET https://{endpoint}/v5/{project_id}/event/white-list/alarm?limit=10&offset=0&enterprise_project_id=xxx

Example Responses

Status code: 200

Alarm whitelist

{
  "data_list" : [ {
    "enterprise_project_name" : "All projects",
    "event_type" : 1001,
    "hash" : "9ab079e5398cba3a368ccffbd478f54c5ec3edadf6284ec049a73c36419f1178",
    "description" : "/opt/cloud/3rdComponent/install/jre-8u201/bin/java",
    "update_time" : 1665715677307,
    "white_field" : "process/file hash",
    "judge_type" : "contain",
    "field_value" : "abcd12345612311112212323"
  } ],
  "event_type_list" : [ 1001 ],
  "total_num" : 1
}

SDK Sample Code

The SDK sample code is as follows.

      
       
         
         
           package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.hss.v5.region.HssRegion;
import com.huaweicloud.sdk.hss.v5.*;
import com.huaweicloud.sdk.hss.v5.model.*;


public class ListAlarmWhiteListSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");

        ICredential auth = new BasicCredentials()
                .withAk(ak)
                .withSk(sk);

        HssClient client = HssClient.newBuilder()
                .withCredential(auth)
                .withRegion(HssRegion.valueOf("<YOUR REGION>"))
                .build();
        ListAlarmWhiteListRequest request = new ListAlarmWhiteListRequest();
        request.withEnterpriseProjectId("<enterprise_project_id>");
        request.withHash("<hash>");
        request.withEventType(<event_type>);
        request.withOffset(<offset>);
        request.withLimit(<limit>);
        try {
            ListAlarmWhiteListResponse response = client.listAlarmWhiteList(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

          

        

      
     

      
       
         
         
           # coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkhss.v5.region.hss_region import HssRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkhss.v5 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]

    credentials = BasicCredentials(ak, sk)

    client = HssClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(HssRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ListAlarmWhiteListRequest()
        request.enterprise_project_id = "<enterprise_project_id>"
        request.hash = "<hash>"
        request.event_type = <event_type>
        request.offset = <offset>
        request.limit = <limit>
        response = client.list_alarm_white_list(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

          

        

      
     

      
       
         
         
           package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    hss "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        Build()

    client := hss.NewHssClient(
        hss.HssClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.ListAlarmWhiteListRequest{}
	enterpriseProjectIdRequest:= "<enterprise_project_id>"
	request.EnterpriseProjectId = &enterpriseProjectIdRequest
	hashRequest:= "<hash>"
	request.Hash = &hashRequest
	eventTypeRequest:= int32(<event_type>)
	request.EventType = &eventTypeRequest
	offsetRequest:= int32(<offset>)
	request.Offset = &offsetRequest
	limitRequest:= int32(<limit>)
	request.Limit = &limitRequest
	response, err := client.ListAlarmWhiteList(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

          

        

      
     