Querying the List of Isolated Files

Function

This API is used to query the list of isolated files.

Calling Method

For details, see Calling APIs.

URI

GET /v5/{project_id}/event/isolated-file

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Project ID Minimum: 20 Maximum: 64

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	Enterprise project ID. To query all enterprise projects, set this parameter to all_granted_eps. Minimum: 0 Maximum: 64
file_path	No	String	File path
host_name	No	String	Server name Minimum: 1 Maximum: 64
private_ip	No	String	Server private IP address Minimum: 1 Maximum: 256
public_ip	No	String	Server public IP address Minimum: 1 Maximum: 256
file_hash	No	String	The hash value calculated using the SHA256 algorithm.
asset_value	No	String	Asset importance. The options are as follows: important common test Minimum: 0 Maximum: 128
offset	No	Integer	Offset, which specifies the start position of the record to be returned. The value must be a number. Minimum: 0 Maximum: 2000000 Default: 0
limit	No	Integer	Number of records displayed on each page. Minimum: 10 Maximum: 1000 Default: 10

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token. Minimum: 1 Maximum: 32768
region	Yes	String	Region ID Minimum: 0 Maximum: 128

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
total_num	Integer	Total number
data_list	Array of IsolatedFileResponseInfo objects	Isolated file details Array Length: 0 - 100

**Table 5** IsolatedFileResponseInfo
Parameter	Type	Description
os_type	String	OS type. Its value can be: Linux Windows
host_id	String	Host ID
host_name	String	Server name
file_hash	String	File hash
file_path	String	File path
file_attr	String	File attribute
isolation_status	String	Isolation status. The options are as follows: isolated restored isolating restoring
private_ip	String	Server private IP address
public_ip	String	Elastic IP address
asset_value	String	Asset importance
update_time	Integer	Time when the event whitelist is updated, in milliseconds.
agent_version	String	Agent version
isolate_source	String	Isolation source. The options are as follows: event: security alarm event antivirus: virus scanning and removal
event_name	String	Event name
agent_event_info	IsolateEventResponseInfo object	Isolation event details
antivirus_result_info	AntivirusResultDetailInfo object	Results of virus scanning and removal

**Table 6** IsolateEventResponseInfo
Parameter	Type	Description
event_id	String	Event ID
event_class_id	String	Event category. Its value can be: container_1001: Container namespace container_1002: Container open port container_1003: Container security option container_1004: Container mount directory containerescape_0001: High-risk system call containerescape_0002: Shocker attack containerescape_0003: Dirty Cow attack containerescape_0004: Container file escape dockerfile_001: Modification of user-defined protected container file dockerfile_002: Modification of executable files in the container file system dockerproc_001: Abnormal container process fileprotect_0001: File privilege escalation fileprotect_0002: Key file change fileprotect_0003: AuthorizedKeysFile path change fileprotect_0004: File directory change login_0001: Brute-force attack attempt login_0002: Brute-force attack succeeded login_1001: Succeeded login login_1002: Remote login login_1003: Weak password malware_0001: Shell change malware_0002: Reverse shell malware_1001: Malicious program procdet_0001: Abnormal process behavior procdet_0002: Process privilege escalation procreport_0001: High-risk command user_1001: Account change user_1002: Unsafe account vmescape_0001: Sensitive command executed on VM vmescape_0002: Sensitive file accessed by virtualization process vmescape_0003: Abnormal VM port access webshell_0001: Web shell network_1001: Mining network_1002: DDoS attacks network_1003: Malicious scanning network_1004: Attack in sensitive areas ransomware_0001: ransomware attack ransomware_0002: ransomware attack ransomware_0003: ransomware attack fileless_0001: process injection fileless_0002: dynamic library injection fileless_0003: key configuration change fileless_0004: environment variable change fileless_0005: memory file process fileless_0006: VDSO hijacking crontab_1001: suspicious crontab task vul_exploit_0001: Redis vulnerability exploit vul_exploit_0002: Hadoop vulnerability exploit vul_exploit_0003: MySQL vulnerability exploit rootkit_0001: suspicious rootkit file rootkit_0002: suspicious kernel module RASP_0004: web shell upload RASP_0018: fileless web shell blockexec_001: known ransomware attack hips_0001: Windows Defender disabled hips_0002: suspicious hacker tool hips_0003: suspicious ransomware encryption behavior hips_0004: hidden account creation hips_0005: user password and credential reading hips_0006: suspicious SAM file export hips_0007: suspicious shadow copy deletion hips_0008: backup file deletion hips_0009: registry of suspicious ransomware hips_0010: suspicious abnormal process hips_0011: suspicious scan hips_0012: suspicious ransomware script running hips_0013: suspicious mining command execution hips_0014: suspicious windows security center disabling hips_0015: suspicious behavior of disabling the firewall service hips_0016: suspicious system automatic recovery disabling hips_0017: executable file execution in Office hips_0018: abnormal file creation with macros in Office hips_0019: suspicious registry operation hips_0020: Confluence remote code execution hips_0021: MSDT remote code execution portscan_0001: common port scan portscan_0002: secret port scan k8s_1001: Kubernetes event deletion k8s_1002: privileged pod creations k8s_1003: interactive shell used in pod k8s_1004: pod created with sensitive directory k8s_1005: pod created with server network k8s_1006: pod created with host PID space k8s_1007: authentication failure when common pods access API server k8s_1008: API server access from common pod using cURL k8s_1009: exec in system management space k8s_1010: pod created in management space k8s_1011: static pod creation k8s_1012: DaemonSet creation k8s_1013: scheduled cluster task creation k8s_1014: operation on secrets k8s_1015: allowed operation enumeration k8s_1016: high privilege RoleBinding or ClusterRoleBinding k8s_1017: ServiceAccount creation k8s_1018: Cronjob creation k8s_1019: interactive shell used for exec in pods k8s_1020: unauthorized access to API server k8s_1021: access to API server with curl k8s_1022: Ingress vulnerability k8s_1023: man-in-the-middle (MITM) attack k8s_1024: worm, mining, or Trojan k8s_1025: K8s event deletion k8s_1026: SelfSubjectRulesReview imgblock_0001: image blocking based on whitelist imgblock_0002: image blocking based on blacklist imgblock_0003: image tag blocking based on whitelist imgblock_0004: image tag blocking based on blacklist imgblock_0005: container creation blocked based on whitelist imgblock_0006: container creation blocked based on blacklist imgblock_0007: container mount proc blocking imgblock_0008: container seccomp unconfined blocking imgblock_0009: container privilege blocking imgblock_0010: container capabilities blocking
event_type	Integer	Event type. Its value can be: 1001: common malware 1002: virus 1003: worm 1004: Trojan 1005: botnet 1006: backdoor 1010 : Rootkit 1011: ransomware 1012: hacker tool 1015 : web shell 1016: mining 1017: reverse shell 2001: common vulnerability exploit 2012: remote code execution 2047: Redis vulnerability exploit 2048: Hadoop vulnerability exploit 2049: MySQL vulnerability exploit 3002: file privilege escalation 3003: process privilege escalation 3004: critical file change 3005: file/directory change 3007: abnormal process behavior 3015: high-risk command execution 3018: abnormal shell 3027: suspicious crontab task 3029: system protection disabled 3030: backup deletion 3031: suspicious registry operations 3036: container image blocking 4002: brute-force attack 4004: abnormal login 4006: invalid accounts 4014: account added 4020: password theft 6002: port scan 6003: server scan 13001: Kubernetes event deletion 13002: abnormal pod behavior 13003: enumerating user information 13004: cluster role binding
event_name	String	Event name
severity	String	Threat level. Its value can be: Security Low Medium High Critical
container_name	String	Container instance name. This API is available only for container alarms.
image_name	String	Image name. This API is available only for container alarms.
host_name	String	Server name
host_id	String	Host ID
private_ip	String	Server private IP address
public_ip	String	Elastic IP address
os_type	String	OS type. Its value can be: Linux Windows
host_status	String	Server status. The options are as follows: ACTIVE SHUTOFF BUILDING ERROR Minimum: 1 Maximum: 32
agent_status	String	Agent status. Its value can be: installed not_installed: online offline install_failed installing Minimum: 1 Maximum: 32
protect_status	String	Protection status. Its value can be: closed opened Minimum: 1 Maximum: 32
asset_value	String	Asset importance. The options are as follows: important common test Minimum: 0 Maximum: 128
attack_phase	String	Attack phase. Its value can be: reconnaissance weaponization delivery exploit installation command_and_control actions
attack_tag	String	Attack tag. Its value can be: attack_success attack_attempt attack_blocked abnormal_behavior collapsible_host system_vulnerability
occur_time	Integer	Occurrence time, accurate to milliseconds.
handle_time	Integer	Handling time, in milliseconds. This API is available only for handled alarms.
handle_status	String	Processing status. Its value can be: unhandled handled
handle_method	String	Handling method. This API is available only for handled alarms. The options are as follows: mark_as_handled ignore add_to_alarm_whitelist add_to_login_whitelist isolate_and_kill
handler	String	Remarks. This API is available only for handled alarms.
recommendation	String	Handling suggestion
description	String	Alarm description Minimum: 0 Maximum: 1024
event_abstract	String	Alarm summary Minimum: 0 Maximum: 512
event_count	Integer	Event occurrences Minimum: 0 Maximum: 2147483647

**Table 7** AntivirusResultDetailInfo
Parameter	Type	Description
result_id	String	The result ID of virus scanning and removal
malware_name	String	Virus name
file_path	String	File path
file_hash	String	File hash
file_size	Integer	File size
file_owner	String	File owner
file_attr	String	File attribute
file_ctime	Integer	File creation time
file_mtime	Integer	File update time
update_time	Integer	Time when the event whitelist is updated, in milliseconds.
agent_id	String	Agent ID

Example Requests

Query the first 10 isolated files.

GET https://{endpoint}/v5/{project_id}/event/isolated-file?limit=10&offset=0&enterprise_project_id=xxx

Example Responses

Status code: 200

Isolated files list

{
  "data_list" : [ {
    "file_attr" : "0",
    "file_hash" : "58693382bc0c9f60ef86e5b37cf3c2f3a9c9ec46936901eaa9131f7ee4a09bde",
    "file_path" : "C:\\Users\\Public\\Public Docker\\system32.exe",
    "os_type" : "Linux",
    "host_id" : "5a41ca47-8ea7-4a65-a8fb-950d03d8638e",
    "host_name" : "ecs-wi-800211",
    "isolation_status" : "isolated",
    "private_ip" : "127.0.0.2",
    "public_ip" : "127.0.0.1",
    "asset_value" : "common",
    "update_time" : 1698304933717,
    "agent_version" : "3.2.10",
    "isolate_source" : "event",
    "event_name" : "Spyware",
    "antivirus_result_info" : {
      "result_id" : "5a41ca47-8ea7-4a65-a8fb-950d03d8638e",
      "malware_name" : "Win32.Virus.Hidrag",
      "file_attr" : "0",
      "file_hash" : "58693382bc0c9f60ef86e5b37cf3c2f3a9c9ec46936901eaa9131f7ee4a09bde",
      "file_path" : "C:\\Users\\Public\\Public Docker\\system32.exe",
      "file_size" : 58460,
      "file_owner" : "Administrators",
      "file_ctime" : 1700039800,
      "file_mtime" : 1700039800,
      "update_time" : 1698304933717,
      "agent_id" : "5a41ca47-8ea7-4a65-a8fb-950d03d8638e"
    },
    "agent_event_info" : {
      "attack_phase" : "exploit",
      "attack_tag" : "abnormal_behavior",
      "event_class_id" : "lgin_1002",
      "event_id" : "d8a12cf7-6a43-4cd6-92b4-aabf1e917",
      "event_name" : "different locations",
      "event_type" : 4004,
      "handle_status" : "unhandled",
      "host_name" : "xxx",
      "occur_time" : 1661593036627,
      "private_ip" : "127.0.0.1",
      "severity" : "Medium",
      "os_type" : "Linux",
      "agent_status" : "online",
      "asset_value" : "common",
      "protect_status" : "opened",
      "host_status" : "ACTIVE",
      "description" : "",
      "event_abstract" : "",
      "image_name" : "image",
      "container_name" : "test",
      "host_id" : "5a41ca47-8ea7-4a65-a8fb-950d03d8638e",
      "public_ip" : "127.0.0.2",
      "handle_time" : 1698304933717,
      "handle_method" : "ignore",
      "recommendation" : "Handling suggestion",
      "event_count" : 1
    }
  } ],
  "total_num" : 1
}

SDK Sample Code

The SDK sample code is as follows.

      
       
         
         
           package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.hss.v5.region.HssRegion;
import com.huaweicloud.sdk.hss.v5.*;
import com.huaweicloud.sdk.hss.v5.model.*;


public class ListIsolatedFileSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");

        ICredential auth = new BasicCredentials()
                .withAk(ak)
                .withSk(sk);

        HssClient client = HssClient.newBuilder()
                .withCredential(auth)
                .withRegion(HssRegion.valueOf("<YOUR REGION>"))
                .build();
        ListIsolatedFileRequest request = new ListIsolatedFileRequest();
        request.withEnterpriseProjectId("<enterprise_project_id>");
        request.withFilePath("<file_path>");
        request.withHostName("<host_name>");
        request.withPrivateIp("<private_ip>");
        request.withPublicIp("<public_ip>");
        request.withFileHash("<file_hash>");
        request.withAssetValue("<asset_value>");
        request.withOffset(<offset>);
        request.withLimit(<limit>);
        try {
            ListIsolatedFileResponse response = client.listIsolatedFile(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

          

        

      
     

      
       
         
         
           # coding: utf-8

from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkhss.v5.region.hss_region import HssRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkhss.v5 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = __import__('os').getenv("CLOUD_SDK_AK")
    sk = __import__('os').getenv("CLOUD_SDK_SK")

    credentials = BasicCredentials(ak, sk) \

    client = HssClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(HssRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ListIsolatedFileRequest()
        request.enterprise_project_id = "<enterprise_project_id>"
        request.file_path = "<file_path>"
        request.host_name = "<host_name>"
        request.private_ip = "<private_ip>"
        request.public_ip = "<public_ip>"
        request.file_hash = "<file_hash>"
        request.asset_value = "<asset_value>"
        request.offset = <offset>
        request.limit = <limit>
        response = client.list_isolated_file(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

          

        

      
     

      
       
         
         
           package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    hss "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        Build()

    client := hss.NewHssClient(
        hss.HssClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.ListIsolatedFileRequest{}
	enterpriseProjectIdRequest:= "<enterprise_project_id>"
	request.EnterpriseProjectId = &enterpriseProjectIdRequest
	filePathRequest:= "<file_path>"
	request.FilePath = &filePathRequest
	hostNameRequest:= "<host_name>"
	request.HostName = &hostNameRequest
	privateIpRequest:= "<private_ip>"
	request.PrivateIp = &privateIpRequest
	publicIpRequest:= "<public_ip>"
	request.PublicIp = &publicIpRequest
	fileHashRequest:= "<file_hash>"
	request.FileHash = &fileHashRequest
	assetValueRequest:= "<asset_value>"
	request.AssetValue = &assetValueRequest
	offsetRequest:= int32(<offset>)
	request.Offset = &offsetRequest
	limitRequest:= int32(<limit>)
	request.Limit = &limitRequest
	response, err := client.ListIsolatedFile(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

          

        

      
     