Querying the List of Isolated Files
Function
This API is used to query the list of isolated files.
Calling Method
For details, see Calling APIs.
URI
GET /v5/{project_id}/event/isolated-file
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
project_id |
Yes |
String |
Project ID |
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
enterprise_project_id |
No |
String |
ID of the enterprise project that a server belongs. An enterprise project can be configured only after the enterprise project function is enabled. Enterprise project ID. The value 0 indicates the default enterprise project. To query servers in all enterprise projects, set this parameter to all_granted_eps. If you have only the permission on an enterprise project, you need to transfer the enterprise project ID to query the server in the enterprise project. Otherwise, an error is reported due to insufficient permission. |
|
file_path |
No |
String |
File path |
|
host_name |
No |
String |
Server name |
|
private_ip |
No |
String |
Server private IP address |
|
public_ip |
No |
String |
Server public IP address |
|
file_hash |
No |
String |
The hash value calculated using the SHA256 algorithm. |
|
asset_value |
No |
String |
Asset importance. The options are as follows:
|
|
offset |
No |
Integer |
Offset, which specifies the start position of the record to be returned. |
|
limit |
No |
Integer |
Number of records displayed on each page. |
|
isolation_status |
No |
String |
Isolation status. The options are as follows:
|
|
last_days |
No |
Integer |
Number of days to be queried. This parameter is manually exclusive with begin_time and end_time. |
|
begin_time |
No |
Long |
Customized start time of a segment. The timestamp is accurate to seconds. The end_time should be no more than two days earlier than the begin_time. This parameter is manually exclusive with the queried duration. |
|
end_time |
No |
Long |
Customized end time of a segment. The timestamp is accurate to seconds. The end_time should be no more than two days earlier than the begin_time. This parameter is manually exclusive with the queried duration. |
Request Parameters
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
X-Auth-Token |
Yes |
String |
User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token. |
|
region |
No |
String |
Region ID |
Response Parameters
Status code: 200
|
Parameter |
Type |
Description |
|---|---|---|
|
total_num |
Integer |
Total number |
|
data_list |
Array of IsolatedFileResponseInfo objects |
Isolated file details |
|
Parameter |
Type |
Description |
|---|---|---|
|
os_type |
String |
OS type. Its value can be:
|
|
host_id |
String |
Server ID |
|
host_name |
String |
Server name |
|
file_hash |
String |
File hash |
|
file_path |
String |
File path |
|
file_attr |
String |
File attribute |
|
isolation_status |
String |
Isolation status. The options are as follows:
|
|
private_ip |
String |
Server private IP address |
|
public_ip |
String |
Elastic IP address |
|
asset_value |
String |
Asset importance. Its value can be:
|
|
update_time |
Integer |
Update time, in milliseconds |
|
agent_version |
String |
Agent version |
|
isolate_source |
String |
Isolation source. The options are as follows:
|
|
event_name |
String |
Event name |
|
agent_event_info |
IsolateEventResponseInfo object |
Isolation event details |
|
antivirus_result_info |
AntivirusResultDetailInfo object |
Results of virus scanning and removal |
|
Parameter |
Type |
Description |
|---|---|---|
|
event_id |
String |
Event ID. |
|
event_class_id |
String |
Event category. Its value can be:
|
|
event_type |
Integer |
Event type. Its value can be:
|
|
event_name |
String |
Event name |
|
severity |
String |
Threat level. The options are as follows:
|
|
container_name |
String |
Container instance name |
|
image_name |
String |
Image name. This parameter is available only for container alarms. |
|
host_name |
String |
Server name |
|
host_id |
String |
Server ID |
|
private_ip |
String |
Server private IP address |
|
public_ip |
String |
Elastic IP address |
|
os_type |
String |
OS type. Its value can be:
|
|
host_status |
String |
Server status. The options are as follows:
|
|
agent_status |
String |
Agent status. Its value can be:
|
|
protect_status |
String |
Protection status. Its value can be:
|
|
asset_value |
String |
Asset importance. The options are as follows:
|
|
attack_phase |
String |
Attack phase. Its value can be:
|
|
attack_tag |
String |
Attack tag. Its value can be:
|
|
occur_time |
Integer |
Occurrence time, accurate to milliseconds. |
|
recent_time |
Integer |
Occurrence time, accurate to milliseconds |
|
handle_time |
Integer |
Handling time, in milliseconds. This parameter is available only for handled alarms. |
|
handle_status |
String |
Handling status. It can be:
|
|
handle_method |
String |
Handling method. This parameter is available only for handled alarms. The options are as follows:
|
|
handler |
String |
Remarks. This parameter is available only for handled alarms. |
|
memo |
String |
Remarks for manual handling |
|
operate_accept_list |
Array of strings |
Supported processing operations |
|
operate_detail_list |
Array of EventDetailResponseInfo objects |
Operation details list (Not displayed on the page) |
|
forensic_info |
Object |
Forensic data |
|
resource_info |
Object |
Resource information |
|
geo_info |
Object |
Geographic information |
|
network_info |
Object |
Network information |
|
app_info |
Object |
Application information |
|
system_info |
Object |
System information |
|
malware_info |
Object |
Malware information |
|
extend_info |
Object |
Extension information |
|
recommendation |
String |
Handling suggestion |
|
att_ck |
String |
att_ck identifier |
|
event_details |
String |
Event summary |
|
confidence |
Integer |
Confidence This field is displayed only for intelligence and antivirus alarms. |
|
process_info_list |
Object |
Process information list |
|
user_info_list |
Object |
User information list |
|
file_info_list |
Object |
File information list |
|
registry_info_list |
Object |
Registry information list |
|
cluster_info |
Object |
Registry information list |
|
tag_list |
Array of strings |
Tag list |
|
description |
String |
Alarm description |
|
event_abstract |
String |
Alarm summary |
|
event_count |
Integer |
Event occurrences |
|
cluster_id |
String |
Cluster ID |
|
Parameter |
Type |
Description |
|---|---|---|
|
agent_id |
String |
Agent ID |
|
process_pid |
Integer |
process-ID |
|
is_parent |
Boolean |
Whether a process is a parent process |
|
file_hash |
String |
File hash |
|
file_path |
String |
File path |
|
file_attr |
String |
File attribute |
|
private_ip |
String |
Server private IP address |
|
login_ip |
String |
Login source IP address |
|
login_user_name |
String |
Login username |
|
keyword |
String |
Alarm event keyword, which is used only for the alarm whitelist. |
|
hash |
String |
Alarm event hash, which is used only for the alarm whitelist. |
|
Parameter |
Type |
Description |
|---|---|---|
|
result_id |
String |
The result ID of virus scanning and removal |
|
malware_name |
String |
Virus name |
|
file_path |
String |
File path |
|
file_hash |
String |
File hash |
|
file_size |
Integer |
File size |
|
file_owner |
String |
File owner |
|
file_attr |
String |
File attribute |
|
file_ctime |
Integer |
File creation time |
|
file_mtime |
Integer |
File update time |
|
update_time |
Integer |
Update time, in milliseconds |
|
agent_id |
String |
Agent ID |
Example Requests
Query the first 10 isolated files.
GET https://{endpoint}/v5/{project_id}/event/isolated-file?limit=10&offset=0&enterprise_project_id=xxxExample Responses
Status code: 200
Request succeeded.
{
"total_num" : 1409,
"data_list" : [ {
"host_id" : "b44***1be-4c28-4bf3-8070-fde5****6689",
"host_name" : "h00657476-linux",
"private_ip" : "192.168.0.93",
"public_ip" : "100.93.10.247",
"asset_value" : "common",
"os_type" : "Linux",
"file_hash" : "32d62a995215243********a611134e9891b1264e222e55d78",
"file_path" : "/root/***e_Samples/****-CVE/39d46a0*****20c915db30d",
"isolation_status" : "isolated",
"file_attr" : "33261",
"update_time" : 1737512051632,
"agent_version" : "3.2.15.10",
"isolate_source" : "event",
"event_name" : "Unclassified Malware",
"agent_event_info" : {
"severity" : "High",
"recommendation" : "For malicious program alarms, you are advised to perform the following operations:\n\n1. After receiving an alarm, check whether the related file or process is normal. If yes, select the corresponding alarm event, click Handle, and select Ignore or Add to Whitelist.\n\n2. After receiving an alarm, check whether the related file or process is normal. If the file or process is malicious, select the corresponding alarm event, click Handle, and select Isolate and Kill or manually clear the viruses.\n\n3. If your data is lost due to malicious programs and you have subscribed to CBR, you can try to restore data using CBR.\n\n4. To prevent intrusion again, you can fix vulnerabilities in HSS.",
"description" : "The malware alarm is an alarm generated when security software or the system detects that a malware threat exists in your computer or network. Malware stands for malicious software. It is a program that can infect and damage authorized users' computers in multiple ways. Malicious program alarms are used to remind users to take measures to prevent malicious software threats.",
"event_id" : "ac04***86-d7a9-11ef-9fd1-fa1****8dea",
"event_class_id" : "av_1001",
"event_type" : 1001,
"event_name" : "Unclassified Malware",
"host_name" : "h00657476-linux",
"host_id" : "b44d***be-4c28-4bf3-8070-fde59***c6689",
"attack_phase" : "installation",
"attack_tag" : "abnormal_behavior",
"occur_time" : 1737430920000,
"recent_time" : 1737465583543,
"handle_time" : 1737512072882,
"handle_status" : "handled",
"handle_method" : "isolate_and_kill",
"handler" : "scc_hss_g00840938_01",
"memo" : "Two alarms have been handled.",
"resource_info" : {
"project_id" : "84b5266c14ae489fa6549827f032dc62",
"enterprise_project_id" : "0",
"region_name" : "cn-north-7",
"host_name" : "h00657476-linux",
"host_ip" : "192.168.0.***",
"public_ip" : "1**.93.10.***",
"host_id" : "b4***1be-4c28-4bf3-8070-fde***6689",
"asset_value" : "common",
"cloud_id" : "",
"vm_name" : "h00657476-linux",
"vm_uuid" : "b4***1be-4c28-4bf3-8070-fde5***6689",
"os_type" : "Linux",
"os_name" : "HCE OS",
"os_version" : "2.0",
"agent_version" : "3.2.15.10"
},
"malware_info" : {
"malware_family" : "Generic",
"severity" : 0
},
"att_ck" : "Impact",
"confidence" : 90,
"file_info_list" : [ {
"file_path" : "/root/******les/*****-CVE/39d46a0cd603*****db30d",
"file_hash" : "32d62a995215243f******34e9891b1264e222e55d78"
} ],
"event_abstract" : "There is suspicious malware on server h00657476-linux at 11:42:00 on January 21, 2025. The confidence level is medium, and the access file directory is **/root/Malware_Samples/Common-CVE/39d46a0cd60393e5571b720c915db30d**.",
"event_count" : 4
}
} ]
}SDK Sample Code
The SDK sample code is as follows.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
package com.huaweicloud.sdk.test;
import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.hss.v5.region.HssRegion;
import com.huaweicloud.sdk.hss.v5.*;
import com.huaweicloud.sdk.hss.v5.model.*;
public class ListIsolatedFileSolution {
public static void main(String[] args) {
// The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
// In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
String ak = System.getenv("CLOUD_SDK_AK");
String sk = System.getenv("CLOUD_SDK_SK");
String projectId = "{project_id}";
ICredential auth = new BasicCredentials()
.withProjectId(projectId)
.withAk(ak)
.withSk(sk);
HssClient client = HssClient.newBuilder()
.withCredential(auth)
.withRegion(HssRegion.valueOf("<YOUR REGION>"))
.build();
ListIsolatedFileRequest request = new ListIsolatedFileRequest();
try {
ListIsolatedFileResponse response = client.listIsolatedFile(request);
System.out.println(response.toString());
} catch (ConnectionException e) {
e.printStackTrace();
} catch (RequestTimeoutException e) {
e.printStackTrace();
} catch (ServiceResponseException e) {
e.printStackTrace();
System.out.println(e.getHttpStatusCode());
System.out.println(e.getRequestId());
System.out.println(e.getErrorCode());
System.out.println(e.getErrorMsg());
}
}
}
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
# coding: utf-8
import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkhss.v5.region.hss_region import HssRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkhss.v5 import *
if __name__ == "__main__":
# The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
# In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
ak = os.environ["CLOUD_SDK_AK"]
sk = os.environ["CLOUD_SDK_SK"]
projectId = "{project_id}"
credentials = BasicCredentials(ak, sk, projectId)
client = HssClient.new_builder() \
.with_credentials(credentials) \
.with_region(HssRegion.value_of("<YOUR REGION>")) \
.build()
try:
request = ListIsolatedFileRequest()
response = client.list_isolated_file(request)
print(response)
except exceptions.ClientRequestException as e:
print(e.status_code)
print(e.request_id)
print(e.error_code)
print(e.error_msg)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
package main
import (
"fmt"
"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
hss "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5"
"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/model"
region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/region"
)
func main() {
// The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
// In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
ak := os.Getenv("CLOUD_SDK_AK")
sk := os.Getenv("CLOUD_SDK_SK")
projectId := "{project_id}"
auth := basic.NewCredentialsBuilder().
WithAk(ak).
WithSk(sk).
WithProjectId(projectId).
Build()
client := hss.NewHssClient(
hss.HssClientBuilder().
WithRegion(region.ValueOf("<YOUR REGION>")).
WithCredential(auth).
Build())
request := &model.ListIsolatedFileRequest{}
response, err := client.ListIsolatedFile(request)
if err == nil {
fmt.Printf("%+v\n", response)
} else {
fmt.Println(err)
}
}
|
For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
package com.huaweicloud.sdk.test;
import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.hss.v5.region.HssRegion;
import com.huaweicloud.sdk.hss.v5.*;
import com.huaweicloud.sdk.hss.v5.model.*;
public class ListIsolatedFileSolution {
public static void main(String[] args) {
// The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
// In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
String ak = System.getenv("CLOUD_SDK_AK");
String sk = System.getenv("CLOUD_SDK_SK");
String projectId = "{project_id}";
ICredential auth = new BasicCredentials()
.withProjectId(projectId)
.withAk(ak)
.withSk(sk);
HssClient client = HssClient.newBuilder()
.withCredential(auth)
.withRegion(HssRegion.valueOf("<YOUR REGION>"))
.build();
ListIsolatedFileRequest request = new ListIsolatedFileRequest();
try {
ListIsolatedFileResponse response = client.listIsolatedFile(request);
System.out.println(response.toString());
} catch (ConnectionException e) {
e.printStackTrace();
} catch (RequestTimeoutException e) {
e.printStackTrace();
} catch (ServiceResponseException e) {
e.printStackTrace();
System.out.println(e.getHttpStatusCode());
System.out.println(e.getRequestId());
System.out.println(e.getErrorCode());
System.out.println(e.getErrorMsg());
}
}
}
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
# coding: utf-8
import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkhss.v5.region.hss_region import HssRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkhss.v5 import *
if __name__ == "__main__":
# The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
# In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
ak = os.environ["CLOUD_SDK_AK"]
sk = os.environ["CLOUD_SDK_SK"]
projectId = "{project_id}"
credentials = BasicCredentials(ak, sk, projectId)
client = HssClient.new_builder() \
.with_credentials(credentials) \
.with_region(HssRegion.value_of("<YOUR REGION>")) \
.build()
try:
request = ListIsolatedFileRequest()
response = client.list_isolated_file(request)
print(response)
except exceptions.ClientRequestException as e:
print(e.status_code)
print(e.request_id)
print(e.error_code)
print(e.error_msg)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
package main
import (
"fmt"
"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
hss "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5"
"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/model"
region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/region"
)
func main() {
// The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
// In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
ak := os.Getenv("CLOUD_SDK_AK")
sk := os.Getenv("CLOUD_SDK_SK")
projectId := "{project_id}"
auth := basic.NewCredentialsBuilder().
WithAk(ak).
WithSk(sk).
WithProjectId(projectId).
Build()
client := hss.NewHssClient(
hss.HssClientBuilder().
WithRegion(region.ValueOf("<YOUR REGION>")).
WithCredential(auth).
Build())
request := &model.ListIsolatedFileRequest{}
response, err := client.ListIsolatedFile(request)
if err == nil {
fmt.Printf("%+v\n", response)
} else {
fmt.Println(err)
}
}
|
For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.
Status Codes
|
Status Code |
Description |
|---|---|
|
200 |
Request succeeded. |
Error Codes
See Error Codes.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
