Querying the List of Isolated Files
Function
This API is used to query the list of isolated files.
Calling Method
For details, see Calling APIs.
URI
GET /v5/{project_id}/event/isolated-file
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
project_id |
Yes |
String |
Project ID |
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
enterprise_project_id |
No |
String |
ID of the enterprise project that a server belongs. An enterprise project can be configured only after the enterprise project function is enabled. Enterprise project ID. The value 0 indicates the default enterprise project. To query servers in all enterprise projects, set this parameter to all_granted_eps. If you have only the permission on an enterprise project, you need to transfer the enterprise project ID to query the server in the enterprise project. Otherwise, an error is reported due to insufficient permission. |
|
file_path |
No |
String |
File path |
|
host_name |
No |
String |
Server name |
|
private_ip |
No |
String |
Server private IP address |
|
public_ip |
No |
String |
Server public IP address |
|
file_hash |
No |
String |
File hash. The current value is sha256. |
|
asset_value |
No |
String |
Asset importance. The options are as follows:
|
|
offset |
No |
Integer |
Offset, which specifies the start position of the record to be returned. |
|
limit |
No |
Integer |
Number of records displayed on each page. |
|
isolation_status |
No |
String |
Isolation status. The options are as follows:
|
|
last_days |
No |
Integer |
Number of days to be queried. This parameter is manually exclusive with begin_time and end_time. |
|
begin_time |
No |
Long |
Customized start time of a segment. The timestamp is accurate to seconds. The end_time should be no more than two days earlier than the begin_time. This parameter is manually exclusive with the queried duration. |
|
end_time |
No |
Long |
Customized end time of a segment. The timestamp is accurate to seconds. The end_time should be no more than two days earlier than the begin_time. This parameter is manually exclusive with the queried duration. |
Request Parameters
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
X-Auth-Token |
Yes |
String |
User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token. |
|
region |
No |
String |
Region ID |
Response Parameters
Status code: 200
|
Parameter |
Type |
Description |
|---|---|---|
|
total_num |
Integer |
Definition Total number. Range The value range is 0 to 2,147,483,647. |
|
data_list |
Array of IsolatedFileResponseInfo objects |
Isolated file details |
|
Parameter |
Type |
Description |
|---|---|---|
|
os_type |
String |
Definition OS type. Range
|
|
host_id |
String |
Definition Server ID. Range The value can contain 1 to 64 characters. |
|
host_name |
String |
Definition Server name. Range The value can contain 1 to 256 characters. |
|
file_hash |
String |
Definition File hash. Range The value can contain 1 to 256 characters. |
|
file_path |
String |
Definition File path. Range The value can contain 1 to 256 characters. |
|
file_attr |
String |
Definition File attribute. Range The value can contain 1 to 256 characters. |
|
isolation_status |
String |
Isolation status. The options are as follows:
|
|
private_ip |
String |
Definition Server private IP address. Range The value can contain 1 to 128 characters. |
|
public_ip |
String |
Definition EIP. Range The value can contain 1 to 256 characters. |
|
asset_value |
String |
Asset importance. Its value can be:
|
|
update_time |
Integer |
Update time, in milliseconds |
|
agent_version |
String |
Agent version |
|
isolate_source |
String |
Isolation source. The options are as follows:
|
|
event_name |
String |
Definition Event name. Range The value can contain 1 to 256 characters. |
|
agent_event_info |
IsolateEventResponseInfo object |
Isolation event details |
|
antivirus_result_info |
AntivirusResultDetailInfo object |
Results of virus scanning and removal |
|
Parameter |
Type |
Description |
|---|---|---|
|
event_id |
String |
Definition Event ID. Range The value can contain 1 to 64 characters. |
|
event_class_id |
String |
Definition Event type. Range
|
|
event_type |
Integer |
Definition Event type. Range
|
|
event_name |
String |
Definition Event name. Range The value can contain 1 to 256 characters. |
|
severity |
String |
Definition Risk level. Range
|
|
container_name |
String |
Definition Container instance name. This parameter is available only for container alarms. Range The value can contain 1 to 256 characters. |
|
image_name |
String |
Definition Image name. This parameter is available only for container alarms. Range The value can contain 1 to 256 characters. |
|
host_name |
String |
Definition Server name. Range The value can contain 1 to 256 characters. |
|
host_id |
String |
Definition Server ID. Range The value can contain 1 to 64 characters. |
|
private_ip |
String |
Definition Server private IP address. Range The value can contain 1 to 128 characters. |
|
public_ip |
String |
Definition EIP. Range The value can contain 1 to 256 characters. |
|
os_type |
String |
Definition OS type. Range
|
|
host_status |
String |
Server status. The options are as follows:
|
|
agent_status |
String |
Agent status. Its value can be:
|
|
protect_status |
String |
Protection status. Its value can be:
|
|
asset_value |
String |
Asset importance. The options are as follows:
|
|
attack_phase |
String |
Definition Attack phase. Range
|
|
attack_tag |
String |
Definition Attack tag. Range
|
|
occur_time |
Integer |
Definition Occurrence time, accurate to milliseconds Range The value range is 0 to 9,223,372,036,854,775,807. |
|
recent_time |
Integer |
Occurrence time, accurate to milliseconds |
|
handle_time |
Integer |
Definition Handling time, in milliseconds. This parameter is available only for handled alarms. Range The value range is 0 to 9,223,372,036,854,775,807. |
|
handle_status |
String |
Definition Handling status. Range
|
|
handle_method |
String |
Definition Handling method, which is available only for handled alarms. Range
|
|
handler |
String |
Definition Remarks. This parameter is available only for handled alarms. Range The value can contain 1 to 256 characters. |
|
memo |
String |
Remarks for manual handling |
|
operate_accept_list |
Array of strings |
Supported processing operations |
|
operate_detail_list |
Array of EventDetailResponseInfo objects |
Operation details list (Not displayed on the page) |
|
forensic_info |
Object |
Forensic data |
|
resource_info |
Object |
Resource information |
|
geo_info |
Object |
Geographic information |
|
network_info |
Object |
Network information |
|
app_info |
Object |
Application information |
|
system_info |
Object |
System information |
|
malware_info |
Object |
Malware information |
|
extend_info |
Object |
Extension information |
|
recommendation |
String |
Handling suggestion |
|
att_ck |
String |
att_ck identifier |
|
event_details |
String |
Event summary |
|
confidence |
Integer |
Confidence This field is displayed only for intelligence and antivirus alarms. |
|
process_info_list |
Object |
Process information list |
|
user_info_list |
Object |
User information list |
|
file_info_list |
Object |
File information list |
|
registry_info_list |
Object |
Registry information list |
|
cluster_info |
Object |
Registry information list |
|
tag_list |
Array of strings |
Tag list |
|
description |
String |
Alarm description |
|
event_abstract |
String |
Alarm summary |
|
event_count |
Integer |
Event occurrences |
|
cluster_id |
String |
Cluster ID |
|
Parameter |
Type |
Description |
|---|---|---|
|
agent_id |
String |
Definition Agent ID Constraints N/A Range The value can contain 1 to 64 characters. Default Value N/A |
|
process_pid |
Integer |
Definition Process ID. Range The value range is 0 to 2,147,483,647. |
|
is_parent |
Boolean |
Definition Whether a process is a parent process. Range
|
|
file_hash |
String |
Definition File hash. Range The value can contain 1 to 256 characters. |
|
file_path |
String |
Definition File path. Range The value can contain 1 to 256 characters. |
|
file_attr |
String |
Definition File attribute. Range The value can contain 1 to 256 characters. |
|
private_ip |
String |
Definition Server private IP address. Range The value can contain 1 to 128 characters. |
|
login_ip |
String |
Definition Login source IP address. Range The value can contain 1 to 256 characters. |
|
login_user_name |
String |
Definition Login username. Range The value can contain 1 to 256 characters. |
|
keyword |
String |
Alarm event keyword, which is used only for the alarm whitelist. |
|
hash |
String |
Alarm event hash, which is used only for the alarm whitelist. |
|
Parameter |
Type |
Description |
|---|---|---|
|
result_id |
String |
The result ID of virus scanning and removal |
|
malware_name |
String |
Virus name |
|
file_path |
String |
Definition File path. Range The value can contain 1 to 256 characters. |
|
file_hash |
String |
Definition File hash. Range The value can contain 1 to 256 characters. |
|
file_size |
Integer |
Definition File size. Constraints N/A Range The value range is 0 to 9,223,372,036,854,775,807. Default Value N/A |
|
file_owner |
String |
File owner |
|
file_attr |
String |
Definition File attribute. Range The value can contain 1 to 256 characters. |
|
file_ctime |
Integer |
File creation time |
|
file_mtime |
Integer |
File update time |
|
update_time |
Integer |
Update time, in milliseconds |
|
agent_id |
String |
Definition Agent ID Constraints N/A Range The value can contain 1 to 64 characters. Default Value N/A |
Example Requests
Query the first 10 isolated files.
GET https://{endpoint}/v5/{project_id}/event/isolated-file?limit=10&offset=0&enterprise_project_id=xxxExample Responses
Status code: 200
Request succeeded.
{
"total_num" : 1409,
"data_list" : [ {
"host_id" : "b44***1be-4c28-4bf3-8070-fde5****6689",
"host_name" : "h00657476-linux",
"private_ip" : "192.168.0.93",
"public_ip" : "100.93.10.247",
"asset_value" : "common",
"os_type" : "Linux",
"file_hash" : "32d62a995215243********a611134e9891b1264e222e55d78",
"file_path" : "/root/***e_Samples/****-CVE/39d46a0*****20c915db30d",
"isolation_status" : "isolated",
"file_attr" : "33261",
"update_time" : 1737512051632,
"agent_version" : "3.2.15.10",
"isolate_source" : "event",
"event_name" : "Unclassified Malware",
"agent_event_info" : {
"severity" : "High",
"recommendation" : "For malicious program alarms, you are advised to perform the following operations:\n1. If you receive an alarm, check whether the file or process mentioned in the alarm is normal. If it is normal, select the alarm, click **Handle**, and ignore it or add it to the alarm whitelist.\n2. If you receive an alarm, check whether the file or process mentioned in the alarm is normal. If it is malicious, select the alarm, click **Handle**, isolate and kill it, or manually clear viruses.\n3. If your data is lost due to malicious programs and you have subscribed to CBR, try using CBR to restore data.\n4. To prevent future intrusions, fix vulnerabilities on the **Vulnerabilities** page under the HSS risk prevention menu item.",
"description" : "The malware alarm is an alarm generated when security software or the system detects that a malware threat exists in your computer or network. Malware stands for malicious software. It is a program that can infect and damage authorized users' computers in multiple ways. Malicious program alarms are used to remind users to take measures to prevent malicious software threats.",
"event_id" : "ac04***86-d7a9-11ef-9fd1-fa1****8dea",
"event_class_id" : "av_1001",
"event_type" : 1001,
"event_name" : "Unclassified Malware",
"host_name" : "h00657476-linux",
"host_id" : "b44d***be-4c28-4bf3-8070-fde59***c6689",
"attack_phase" : "installation",
"attack_tag" : "abnormal_behavior",
"occur_time" : 1737430920000,
"recent_time" : 1737465583543,
"handle_time" : 1737512072882,
"handle_status" : "handled",
"handle_method" : "isolate_and_kill",
"handler" : "scc_hss_g00840938_01",
"memo" : "Two alarms have been handled.",
"resource_info" : {
"project_id" : "84b5266c14ae489fa6549827f032dc62",
"enterprise_project_id" : "0",
"region_name" : "cn-north-7",
"host_name" : "h00657476-linux",
"host_ip" : "192.168.0.***",
"public_ip" : "1**.93.10.***",
"host_id" : "b4***1be-4c28-4bf3-8070-fde***6689",
"asset_value" : "common",
"cloud_id" : "",
"vm_name" : "h00657476-linux",
"vm_uuid" : "b4***1be-4c28-4bf3-8070-fde5***6689",
"os_type" : "Linux",
"os_name" : "HCE OS",
"os_version" : "2.0",
"agent_version" : "3.2.15.10"
},
"malware_info" : {
"malware_family" : "Generic",
"severity" : 0
},
"att_ck" : "Impact",
"confidence" : 90,
"file_info_list" : [ {
"file_path" : "/root/******les/*****-CVE/39d46a0cd603*****db30d",
"file_hash" : "32d62a995215243f******34e9891b1264e222e55d78"
} ],
"event_abstract" : "There is suspicious malware on server h00657476-linux at 11:42:00 on January 21, 2025. The confidence level is medium, and the access file directory is **/root/Malware_Samples/Common-CVE/39d46a0cd60393e5571b720c915db30d**.",
"event_count" : 4
}
} ]
}SDK Sample Code
The SDK sample code is as follows.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
package com.huaweicloud.sdk.test;
import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.hss.v5.region.HssRegion;
import com.huaweicloud.sdk.hss.v5.*;
import com.huaweicloud.sdk.hss.v5.model.*;
public class ListIsolatedFileSolution {
public static void main(String[] args) {
// The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
// In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
String ak = System.getenv("CLOUD_SDK_AK");
String sk = System.getenv("CLOUD_SDK_SK");
String projectId = "{project_id}";
ICredential auth = new BasicCredentials()
.withProjectId(projectId)
.withAk(ak)
.withSk(sk);
HssClient client = HssClient.newBuilder()
.withCredential(auth)
.withRegion(HssRegion.valueOf("<YOUR REGION>"))
.build();
ListIsolatedFileRequest request = new ListIsolatedFileRequest();
try {
ListIsolatedFileResponse response = client.listIsolatedFile(request);
System.out.println(response.toString());
} catch (ConnectionException e) {
e.printStackTrace();
} catch (RequestTimeoutException e) {
e.printStackTrace();
} catch (ServiceResponseException e) {
e.printStackTrace();
System.out.println(e.getHttpStatusCode());
System.out.println(e.getRequestId());
System.out.println(e.getErrorCode());
System.out.println(e.getErrorMsg());
}
}
}
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
# coding: utf-8
import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkhss.v5.region.hss_region import HssRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkhss.v5 import *
if __name__ == "__main__":
# The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
# In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
ak = os.environ["CLOUD_SDK_AK"]
sk = os.environ["CLOUD_SDK_SK"]
projectId = "{project_id}"
credentials = BasicCredentials(ak, sk, projectId)
client = HssClient.new_builder() \
.with_credentials(credentials) \
.with_region(HssRegion.value_of("<YOUR REGION>")) \
.build()
try:
request = ListIsolatedFileRequest()
response = client.list_isolated_file(request)
print(response)
except exceptions.ClientRequestException as e:
print(e.status_code)
print(e.request_id)
print(e.error_code)
print(e.error_msg)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
package main
import (
"fmt"
"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
hss "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5"
"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/model"
region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/region"
)
func main() {
// The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
// In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
ak := os.Getenv("CLOUD_SDK_AK")
sk := os.Getenv("CLOUD_SDK_SK")
projectId := "{project_id}"
auth := basic.NewCredentialsBuilder().
WithAk(ak).
WithSk(sk).
WithProjectId(projectId).
Build()
client := hss.NewHssClient(
hss.HssClientBuilder().
WithRegion(region.ValueOf("<YOUR REGION>")).
WithCredential(auth).
Build())
request := &model.ListIsolatedFileRequest{}
response, err := client.ListIsolatedFile(request)
if err == nil {
fmt.Printf("%+v\n", response)
} else {
fmt.Println(err)
}
}
|
For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
package com.huaweicloud.sdk.test;
import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.hss.v5.region.HssRegion;
import com.huaweicloud.sdk.hss.v5.*;
import com.huaweicloud.sdk.hss.v5.model.*;
public class ListIsolatedFileSolution {
public static void main(String[] args) {
// The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
// In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
String ak = System.getenv("CLOUD_SDK_AK");
String sk = System.getenv("CLOUD_SDK_SK");
String projectId = "{project_id}";
ICredential auth = new BasicCredentials()
.withProjectId(projectId)
.withAk(ak)
.withSk(sk);
HssClient client = HssClient.newBuilder()
.withCredential(auth)
.withRegion(HssRegion.valueOf("<YOUR REGION>"))
.build();
ListIsolatedFileRequest request = new ListIsolatedFileRequest();
try {
ListIsolatedFileResponse response = client.listIsolatedFile(request);
System.out.println(response.toString());
} catch (ConnectionException e) {
e.printStackTrace();
} catch (RequestTimeoutException e) {
e.printStackTrace();
} catch (ServiceResponseException e) {
e.printStackTrace();
System.out.println(e.getHttpStatusCode());
System.out.println(e.getRequestId());
System.out.println(e.getErrorCode());
System.out.println(e.getErrorMsg());
}
}
}
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
# coding: utf-8
import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkhss.v5.region.hss_region import HssRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkhss.v5 import *
if __name__ == "__main__":
# The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
# In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
ak = os.environ["CLOUD_SDK_AK"]
sk = os.environ["CLOUD_SDK_SK"]
projectId = "{project_id}"
credentials = BasicCredentials(ak, sk, projectId)
client = HssClient.new_builder() \
.with_credentials(credentials) \
.with_region(HssRegion.value_of("<YOUR REGION>")) \
.build()
try:
request = ListIsolatedFileRequest()
response = client.list_isolated_file(request)
print(response)
except exceptions.ClientRequestException as e:
print(e.status_code)
print(e.request_id)
print(e.error_code)
print(e.error_msg)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
package main
import (
"fmt"
"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
hss "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5"
"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/model"
region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/region"
)
func main() {
// The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
// In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
ak := os.Getenv("CLOUD_SDK_AK")
sk := os.Getenv("CLOUD_SDK_SK")
projectId := "{project_id}"
auth := basic.NewCredentialsBuilder().
WithAk(ak).
WithSk(sk).
WithProjectId(projectId).
Build()
client := hss.NewHssClient(
hss.HssClientBuilder().
WithRegion(region.ValueOf("<YOUR REGION>")).
WithCredential(auth).
Build())
request := &model.ListIsolatedFileRequest{}
response, err := client.ListIsolatedFile(request)
if err == nil {
fmt.Printf("%+v\n", response)
} else {
fmt.Println(err)
}
}
|
For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.
Status Codes
|
Status Code |
Description |
|---|---|
|
200 |
Request succeeded. |
Error Codes
See Error Codes.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
