Updated on 2024-03-27 GMT+08:00

Querying the Detected Intrusion List

Function

This API is used to query the detected intrusion list.

Calling Method

For details, see Calling APIs.

URI

GET /v5/{project_id}/event/events

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

project_id

Yes

String

Project ID

Minimum: 20

Maximum: 64

Table 2 Query Parameters

Parameter

Mandatory

Type

Description

category

Yes

String

Event category. Its value can be:

  • host: host security event

  • container: container security event

Minimum: 0

Maximum: 32

enterprise_project_id

No

String

Enterprise project ID. To query all enterprise projects, set this parameter to all_granted_eps.

Minimum: 0

Maximum: 64

last_days

No

Integer

Number of days to be queried. This parameter is mutually exclusive with begin_time and end_time.

Minimum: 1

Maximum: 30

host_name

No

String

Server name

Minimum: 1

Maximum: 64

host_id

No

String

Host ID

Minimum: 0

Maximum: 64

private_ip

No

String

Server IP address

Minimum: 1

Maximum: 256

public_ip

No

String

Server public IP address

Minimum: 1

Maximum: 256

container_name

No

String

Container instance name

offset

No

Integer

Offset, which specifies the start position of the record to be returned. The value must be a number no less than 0.

Minimum: 0

Maximum: 2000000

Default: 0

limit

No

Integer

Number of records displayed on each page

Minimum: 10

Maximum: 1000

Default: 10

event_types

No

Array

Event type. Its value can be:

  • 1001: common malware

  • 1002: virus

  • 1003: worm

  • 1004: Trojan

  • 1005: botnet

  • 1006: backdoor

  • 1010: rootkit

  • 1011: ransomware

  • 1012: hacker tool

  • 1015: web shell

  • 1016: mining

  • 1017: reverse shell

  • 2001: common vulnerability exploit

  • 2012: remote code execution

  • 2047: Redis vulnerability exploit

  • 2048: Hadoop vulnerability exploit

  • 2049: MySQL vulnerability exploit

  • 3002: file privilege escalation

  • 3003: process privilege escalation

  • 3004: critical file change

  • 3005: file/directory change

  • 3007: abnormal process behavior

  • 3015: high-risk command execution

  • 3018: abnormal shell

  • 3026: crontab privilege escalation

  • 3027: suspicious crontab task

  • 3029: system protection disabled

  • 3030: backup deletion

  • 3031: suspicious registry operations

  • 3036: container image blocking

  • 4002: brute-force attack

  • 4004: abnormal login

  • 4006: invalid accounts

  • 4014: account added

  • 4020: password theft

  • 6002: port scan

  • 6003: server scan

  • 13001: Kubernetes event deletion

  • 13002: abnormal pod behavior

  • 13003: enumerating user information

  • 13004: cluster role binding

Minimum: 1000

Maximum: 30000

Array Length: 1 - 500

handle_status

No

String

Status. Its value can be:

  • unhandled

  • handled

Minimum: 1

Maximum: 32

severity

No

String

Threat level. Its value can be:

  • Security

  • Low

  • Medium

  • High

  • Critical

Minimum: 1

Maximum: 32

begin_time

No

String

Custom start time of the query window. The timestamp is accurate to seconds. begin_time can be at most two days earlier than end_time. This parameter is mutually exclusive with last_days.

Minimum: 13

Maximum: 13

end_time

No

String

Custom end time of the query window. The timestamp is accurate to seconds. begin_time can be at most two days earlier than end_time. This parameter is mutually exclusive with last_days.

Minimum: 13

Maximum: 13

event_class_ids

No

Array

Event class ID. Its value can be:

  • container_1001: container namespace

  • container_1002: container port enabled

  • container_1003: container security options

  • container_1004: container mount directory

  • containerescape_0001: high-risk system call

  • containerescape_0002: shocker attack

  • containerescape_0003: Dirty Cow attack

  • containerescape_0004: container file escape

  • dockerfile_001: modification of user-defined protected container file

  • dockerfile_002: modification of executable files in the container file system

  • dockerproc_001: abnormal container process

  • fileprotect_0001: file privilege escalation

  • fileprotect_0002: key file change

  • fileprotect_0003: key file path change

  • fileprotect_0004: file/directory change

  • av_1002: virus

  • av_1003: worm

  • av_1004: Trojan

  • av_1005: botnet

  • av_1006: backdoor

  • av_1007: spyware

  • av_1008: malicious adware

  • av_1009: phishing

  • av_1010: rootkit

  • av_1011: ransomware

  • av_1012: hacker tool

  • av_1013: grayware

  • av_1015: web shell

  • av_1016: mining software

  • login_0001: brute-force cracking

  • login_0002: successful cracking

  • login_1001: successful login

  • login_1002: remote login

  • login_1003: weak password

  • malware_0001: shell change report

  • malware_0002: reverse shell report

  • malware_1001: malicious program

  • procdet_0001: abnormal process behavior detection

  • procdet_0002: process privilege escalation

  • crontab_0001: crontab script privilege escalation

  • crontab_0002: malicious path privilege escalation

  • procreport_0001: risky commands

  • user_1001: account change

  • user_1002: risky account

  • vmescape_0001: VM sensitive command execution

  • vmescape_0002: access from virtualization process to sensitive file

  • vmescape_0003: abnormal VM port access

  • webshell_0001: web shell

  • network_1001: malicious mining

  • network_1002: DDoS attacks

  • network_1003: malicious scan

  • network_1004: attack in sensitive areas

  • ransomware_0001: ransomware attack

  • ransomware_0002: ransomware attack

  • ransomware_0003: ransomware attack

  • fileless_0001: process injection

  • fileless_0002: dynamic library injection

  • fileless_0003: key configuration change

  • fileless_0004: environment variable change

  • fileless_0005: memory file process

  • fileless_0006: VDSO hijacking

  • crontab_1001: suspicious crontab task

  • vul_exploit_0001: Redis vulnerability exploit

  • vul_exploit_0002: Hadoop vulnerability exploit

  • vul_exploit_0003: MySQL vulnerability exploit

  • rootkit_0001: suspicious rootkit file

  • rootkit_0002: suspicious kernel module

  • RASP_0004: web shell upload

  • RASP_0018: fileless web shell

  • blockexec_001: known ransomware attack

  • hips_0001: Windows Defender disabled

  • hips_0002: suspicious hacker tool

  • hips_0003: suspicious ransomware encryption behavior

  • hips_0004: hidden account creation

  • hips_0005: user password and credential reading

  • hips_0006: suspicious SAM file export

  • hips_0007: suspicious shadow copy deletion

  • hips_0008: backup file deletion

  • hips_0009: registry of suspicious ransomware

  • hips_0010: suspicious abnormal process

  • hips_0011: suspicious scan

  • hips_0012: suspicious ransomware script running

  • hips_0013: suspicious mining command execution

  • hips_0014: suspicious Windows Security Center disabling

  • hips_0015: suspicious behavior of disabling the firewall service

  • hips_0016: suspicious system automatic recovery disabling

  • hips_0017: executable file execution in Office

  • hips_0018: abnormal file creation with macros in Office

  • hips_0019: suspicious registry operation

  • hips_0020: Confluence remote code execution

  • hips_0021: MSDT remote code execution

  • portscan_0001: common port scan

  • portscan_0002: secret port scan

  • k8s_1001: Kubernetes event deletion

  • k8s_1002: privileged pod creation

  • k8s_1003: interactive shell used in pod

  • k8s_1004: pod created with sensitive directory

  • k8s_1005: pod created with server network

  • k8s_1006: pod created with host PID space

  • k8s_1007: authentication failure when common pods access API server

  • k8s_1008: API server access from common pod using cURL

  • k8s_1009: exec in system management space

  • k8s_1010: pod created in management space

  • k8s_1011: static pod creation

  • k8s_1012: DaemonSet creation

  • k8s_1013: scheduled cluster task creation

  • k8s_1014: operation on secrets

  • k8s_1015: allowed operation enumeration

  • k8s_1016: high privilege RoleBinding or ClusterRoleBinding

  • k8s_1017: ServiceAccount creation

  • k8s_1018: Cronjob creation

  • k8s_1019: interactive shell used for exec in pods

  • k8s_1020: unauthorized access to API server

  • k8s_1021: access to API server with curl

  • k8s_1022: Ingress vulnerability

  • k8s_1023: man-in-the-middle (MITM) attack

  • k8s_1024: worm, mining, or Trojan

  • k8s_1025: K8s event deletion

  • k8s_1026: SelfSubjectRulesReview

  • imgblock_0001: image blocking based on whitelist

  • imgblock_0002: image blocking based on blacklist

  • imgblock_0003: image tag blocking based on whitelist

  • imgblock_0004: image tag blocking based on blacklist

  • imgblock_0005: container creation blocked based on whitelist

  • imgblock_0006: container creation blocked based on blacklist

  • imgblock_0007: container mount proc blocking

  • imgblock_0008: container seccomp unconfined blocking

  • imgblock_0009: container privilege blocking

  • imgblock_0010: container capabilities blocking

Array Length: 1 - 200

severity_list

No

Array

Threat level. The options are as follows:

  • Security

  • Low

  • Medium

  • High

  • Critical

Minimum: 0

Maximum: 32

Array Length: 0 - 5

attack_tag

No

String

Attack tag. Its value can be:

  • attack_success: attack success

  • attack_attempt: attack attempt

  • attack_blocked: blocked attack

  • abnormal_behavior: abnormal behavior

  • collapsible_host: compromised host

  • system_vulnerability: system vulnerability

Minimum: 0

Maximum: 32

asset_value

No

String

Asset importance. The options are as follows:

  • important

  • common

  • test

Minimum: 0

Maximum: 128

tag_list

No

Array

Event tag list, for example, ["hot event"].

Minimum: 0

Maximum: 10

Array Length: 0 - 20

att_ck

No

String

ATT&CK attack stage. Its value can be:

  • Reconnaissance

  • Initial Access

  • Execution

  • Persistence

  • Privilege Escalation

  • Defense Evasion (defense bypass)

  • Credential Access

  • Command and Control

  • Impact

Minimum: 0

Maximum: 32

event_name

No

String

Alarm name

Minimum: 1

Maximum: 128

Request Parameters

Table 3 Request header parameters

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

User token. Obtain it by calling the IAM API for obtaining a user token; the value of the X-Subject-Token response header is the token.

Minimum: 1

Maximum: 32768

region

Yes

String

Region ID

Minimum: 0

Maximum: 128

Response Parameters

Status code: 200

Table 4 Response body parameters

Parameter

Type

Description

total_num

Integer

Total number of alarm events

Minimum: 0

Maximum: 2147483647

data_list

Array of EventManagementResponseInfo objects

Event list

Array Length: 0 - 1000

Table 5 EventManagementResponseInfo

Parameter

Type

Description

event_id

String

Event ID

event_class_id

String

Event class ID. Its value can be:

  • container_1001: Container namespace

  • container_1002: Container open port

  • container_1003: Container security option

  • container_1004: Container mount directory

  • containerescape_0001: High-risk system call

  • containerescape_0002: Shocker attack

  • containerescape_0003: Dirty Cow attack

  • containerescape_0004: Container file escape

  • dockerfile_001: Modification of user-defined protected container file

  • dockerfile_002: Modification of executable files in the container file system

  • dockerproc_001: Abnormal container process

  • fileprotect_0001: File privilege escalation

  • fileprotect_0002: Key file change

  • fileprotect_0003: AuthorizedKeysFile path change

  • fileprotect_0004: File directory change

  • login_0001: Brute-force attack attempt

  • login_0002: Brute-force attack succeeded

  • login_1001: Succeeded login

  • login_1002: Remote login

  • login_1003: Weak password

  • malware_0001: Shell change

  • malware_0002: Reverse shell

  • malware_1001: Malicious program

  • procdet_0001: Abnormal process behavior

  • procdet_0002: Process privilege escalation

  • procreport_0001: High-risk command

  • user_1001: Account change

  • user_1002: Unsafe account

  • vmescape_0001: Sensitive command executed on VM

  • vmescape_0002: Sensitive file accessed by virtualization process

  • vmescape_0003: Abnormal VM port access

  • webshell_0001: Web shell

  • network_1001: Mining

  • network_1002: DDoS attacks

  • network_1003: Malicious scanning

  • network_1004: Attack in sensitive areas

  • ransomware_0001: ransomware attack

  • ransomware_0002: ransomware attack

  • ransomware_0003: ransomware attack

  • fileless_0001: process injection

  • fileless_0002: dynamic library injection

  • fileless_0003: key configuration change

  • fileless_0004: environment variable change

  • fileless_0005: memory file process

  • fileless_0006: VDSO hijacking

  • crontab_1001: suspicious crontab task

  • vul_exploit_0001: Redis vulnerability exploit

  • vul_exploit_0002: Hadoop vulnerability exploit

  • vul_exploit_0003: MySQL vulnerability exploit

  • rootkit_0001: suspicious rootkit file

  • rootkit_0002: suspicious kernel module

  • RASP_0004: web shell upload

  • RASP_0018: fileless web shell

  • blockexec_001: known ransomware attack

  • hips_0001: Windows Defender disabled

  • hips_0002: suspicious hacker tool

  • hips_0003: suspicious ransomware encryption behavior

  • hips_0004: hidden account creation

  • hips_0005: user password and credential reading

  • hips_0006: suspicious SAM file export

  • hips_0007: suspicious shadow copy deletion

  • hips_0008: backup file deletion

  • hips_0009: registry of suspicious ransomware

  • hips_0010: suspicious abnormal process

  • hips_0011: suspicious scan

  • hips_0012: suspicious ransomware script running

  • hips_0013: suspicious mining command execution

  • hips_0014: suspicious Windows Security Center disabling

  • hips_0015: suspicious behavior of disabling the firewall service

  • hips_0016: suspicious system automatic recovery disabling

  • hips_0017: executable file execution in Office

  • hips_0018: abnormal file creation with macros in Office

  • hips_0019: suspicious registry operation

  • hips_0020: Confluence remote code execution

  • hips_0021: MSDT remote code execution

  • portscan_0001: common port scan

  • portscan_0002: secret port scan

  • k8s_1001: Kubernetes event deletion

  • k8s_1002: privileged pod creation

  • k8s_1003: interactive shell used in pod

  • k8s_1004: pod created with sensitive directory

  • k8s_1005: pod created with server network

  • k8s_1006: pod created with host PID space

  • k8s_1007: authentication failure when common pods access API server

  • k8s_1008: API server access from common pod using cURL

  • k8s_1009: exec in system management space

  • k8s_1010: pod created in management space

  • k8s_1011: static pod creation

  • k8s_1012: DaemonSet creation

  • k8s_1013: scheduled cluster task creation

  • k8s_1014: operation on secrets

  • k8s_1015: allowed operation enumeration

  • k8s_1016: high privilege RoleBinding or ClusterRoleBinding

  • k8s_1017: ServiceAccount creation

  • k8s_1018: Cronjob creation

  • k8s_1019: interactive shell used for exec in pods

  • k8s_1020: unauthorized access to API server

  • k8s_1021: access to API server with curl

  • k8s_1022: Ingress vulnerability

  • k8s_1023: man-in-the-middle (MITM) attack

  • k8s_1024: worm, mining, or Trojan

  • k8s_1025: K8s event deletion

  • k8s_1026: SelfSubjectRulesReview

  • imgblock_0001: image blocking based on whitelist

  • imgblock_0002: image blocking based on blacklist

  • imgblock_0003: image tag blocking based on whitelist

  • imgblock_0004: image tag blocking based on blacklist

  • imgblock_0005: container creation blocked based on whitelist

  • imgblock_0006: container creation blocked based on blacklist

  • imgblock_0007: container mount proc blocking

  • imgblock_0008: container seccomp unconfined blocking

  • imgblock_0009: container privilege blocking

  • imgblock_0010: container capabilities blocking

event_type

Integer

Event type. Its value can be:

  • 1001: common malware

  • 1002: virus

  • 1003: worm

  • 1004: Trojan

  • 1005: botnet

  • 1006: backdoor

  • 1010: rootkit

  • 1011: ransomware

  • 1012: hacker tool

  • 1015: web shell

  • 1016: mining

  • 1017: reverse shell

  • 2001: common vulnerability exploit

  • 2012: remote code execution

  • 2047: Redis vulnerability exploit

  • 2048: Hadoop vulnerability exploit

  • 2049: MySQL vulnerability exploit

  • 3002: file privilege escalation

  • 3003: process privilege escalation

  • 3004: critical file change

  • 3005: file/directory change

  • 3007: abnormal process behavior

  • 3015: high-risk command execution

  • 3018: abnormal shell

  • 3027: suspicious crontab task

  • 3029: system protection disabled

  • 3030: backup deletion

  • 3031: suspicious registry operations

  • 3036: container image blocking

  • 4002: brute-force attack

  • 4004: abnormal login

  • 4006: invalid accounts

  • 4014: account added

  • 4020: password theft

  • 6002: port scan

  • 6003: server scan

  • 13001: Kubernetes event deletion

  • 13002: abnormal pod behavior

  • 13003: enumerating user information

  • 13004: cluster role binding

event_name

String

Event name

severity

String

Threat level. Its value can be:

  • Security

  • Low

  • Medium

  • High

  • Critical

container_name

String

Container instance name. Returned only for container alarms.

image_name

String

Image name. Returned only for container alarms.

host_name

String

Server name

host_id

String

Host ID

private_ip

String

Server private IP address

public_ip

String

Elastic IP address

os_type

String

OS type. Its value can be:

  • Linux

  • Windows

host_status

String

Server status. The options are as follows:

  • ACTIVE

  • SHUTOFF

  • BUILDING

  • ERROR

Minimum: 1

Maximum: 32

agent_status

String

Agent status. Its value can be:

  • installed

  • not_installed

  • online

  • offline

  • install_failed

  • installing

Minimum: 1

Maximum: 32

protect_status

String

Protection status. Its value can be:

  • closed

  • opened

Minimum: 1

Maximum: 32

asset_value

String

Asset importance. The options are as follows:

  • important

  • common

  • test

Minimum: 0

Maximum: 128

attack_phase

String

Attack phase. Its value can be:

  • reconnaissance

  • weaponization

  • delivery

  • exploit

  • installation

  • command_and_control

  • actions

attack_tag

String

Attack tag. Its value can be:

  • attack_success

  • attack_attempt

  • attack_blocked

  • abnormal_behavior

  • collapsible_host

  • system_vulnerability

occur_time

Integer

Occurrence time, accurate to milliseconds.

handle_time

Integer

Handling time, accurate to milliseconds. Returned only for handled alarms.

handle_status

String

Processing status. Its value can be:

  • unhandled

  • handled

handle_method

String

Handling method. Returned only for handled alarms. The options are as follows:

  • mark_as_handled

  • ignore

  • add_to_alarm_whitelist

  • add_to_login_whitelist

  • isolate_and_kill

handler

String

Remarks. Returned only for handled alarms.

operate_accept_list

Array of strings

Supported processing operation

operate_detail_list

Array of EventDetailResponseInfo objects

Operation details list (not displayed on the page)

Array Length: 0 - 100

forensic_info

Object

Attack information, in JSON format.

resource_info

EventResourceResponseInfo object

Resource information

geo_info

Object

Geographical location, in JSON format.

malware_info

Object

Malware information, in JSON format.

network_info

Object

Network information, in JSON format.

app_info

Object

Application information, in JSON format.

system_info

Object

System information, in JSON format.

extend_info

Object

Extended event information, in JSON format

recommendation

String

Handling suggestions

description

String

Alarm description

Minimum: 0

Maximum: 1024

event_abstract

String

Event abstract

Minimum: 0

Maximum: 512

process_info_list

Array of EventProcessResponseInfo objects

Process information list

Array Length: 0 - 100

user_info_list

Array of EventUserResponseInfo objects

User information list

Array Length: 0 - 100

file_info_list

Array of EventFileResponseInfo objects

File information list

Array Length: 0 - 100

event_details

String

Brief description of the event.

Minimum: 0

Maximum: 204800

tag_list

Array of strings

Tags

Minimum: 0

Maximum: 10

Array Length: 0 - 20

event_count

Integer

Event occurrences

Minimum: 0

Maximum: 2147483647

Table 6 EventDetailResponseInfo

Parameter

Type

Description

agent_id

String

Agent ID

process_pid

Integer

Process ID

is_parent

Boolean

Whether a process is a parent process

file_hash

String

File hash

file_path

String

File path

file_attr

String

File attribute

private_ip

String

Server private IP address

login_ip

String

Login source IP address

login_user_name

String

Login username

keyword

String

Alarm event keyword, which is used only for the alarm whitelist.

hash

String

Alarm event hash, which is used only for the alarm whitelist.

Table 7 EventResourceResponseInfo

Parameter

Type

Description

domain_id

String

User account ID

project_id

String

Project ID

enterprise_project_id

String

Enterprise project ID

region_name

String

Region name

vpc_id

String

VPC ID

cloud_id

String

ECS ID

vm_name

String

VM name

vm_uuid

String

Specifies the VM UUID, that is, the server ID.

container_id

String

Container ID

container_status

String

Container status

pod_uid

String

Pod UID

pod_name

String

Pod name

namespace

String

Namespace

cluster_id

String

Cluster ID

cluster_name

String

Cluster name

image_id

String

Image ID

image_name

String

Image name

host_attr

String

Host attribute

service

String

Service

micro_service

String

Microservice

sys_arch

String

System CPU architecture

os_bit

String

OS bit version

os_type

String

OS type

os_name

String

OS name

os_version

String

OS version

Table 8 EventProcessResponseInfo

Parameter

Type

Description

process_name

String

Process name

process_path

String

Process file path

process_pid

Integer

Process ID

Minimum: 0

Maximum: 2147483647

process_uid

Integer

Process user ID

Minimum: 0

Maximum: 2147483647

process_username

String

Process username

process_cmdline

String

Process file command line

process_filename

String

Process file name

process_start_time

Long

Process start time

Minimum: 0

Maximum: 9223372036854775807

process_gid

Integer

Process group ID

Minimum: 0

Maximum: 2147483647

process_egid

Integer

Effective process group ID (egid)

Minimum: 0

Maximum: 2147483647

process_euid

Integer

Effective process user ID (euid)

Minimum: 0

Maximum: 2147483647

ancestor_process_path

String

Grandparent process file path

ancestor_process_pid

Integer

Grandparent process ID

Minimum: 0

Maximum: 2147483647

ancestor_process_cmdline

String

Grandparent process file command line

parent_process_name

String

Parent process name

parent_process_path

String

Parent process file path

parent_process_pid

Integer

Parent process ID

Minimum: 0

Maximum: 2147483647

parent_process_uid

Integer

Parent process user ID

Minimum: 0

Maximum: 2147483647

parent_process_cmdline

String

Parent process file command line

parent_process_filename

String

Parent process file name

parent_process_start_time

Long

Parent process start time

Minimum: 0

Maximum: 9223372036854775807

parent_process_gid

Integer

Parent process group ID

Minimum: 0

Maximum: 2147483647

parent_process_egid

Integer

Effective parent process group ID (egid)

Minimum: 0

Maximum: 2147483647

parent_process_euid

Integer

Effective parent process user ID (euid)

Minimum: 0

Maximum: 2147483647

child_process_name

String

Subprocess name

child_process_path

String

Subprocess file path

child_process_pid

Integer

Subprocess ID

Minimum: 0

Maximum: 2147483647

child_process_uid

Integer

Subprocess user ID

Minimum: 0

Maximum: 2147483647

child_process_cmdline

String

Subprocess file command line

child_process_filename

String

Subprocess file name

child_process_start_time

Long

Subprocess start time

Minimum: 0

Maximum: 9223372036854775807

child_process_gid

Integer

Subprocess group ID

Minimum: 0

Maximum: 2147483647

child_process_egid

Integer

Effective subprocess group ID (egid)

Minimum: 0

Maximum: 2147483647

child_process_euid

Integer

Effective subprocess user ID (euid)

Minimum: 0

Maximum: 2147483647

virt_cmd

String

Virtualization command

virt_process_name

String

Virtualization process name

escape_mode

String

Escape mode

escape_cmd

String

Commands executed after escape

process_hash

String

Process startup file hash

Table 9 EventUserResponseInfo

Parameter

Type

Description

user_id

Integer

User UID

Minimum: 0

Maximum: 2147483647

user_gid

Integer

User GID

Minimum: 0

Maximum: 2147483647

user_name

String

User name

user_group_name

String

User group name

user_home_dir

String

User home directory

login_ip

String

User login IP address

service_type

String

Service type. The options are as follows:

  • system

  • mysql

  • redis

service_port

Integer

Login service port

Minimum: 0

Maximum: 2147483647

login_mode

Integer

Login mode

Minimum: 0

Maximum: 2147483647

login_last_time

Long

Last login time

Minimum: 0

Maximum: 9223372036854775807

login_fail_count

Integer

Number of failed login attempts

Minimum: 0

Maximum: 2147483647

pwd_hash

String

Password hash

pwd_with_fuzzing

String

Masked password

pwd_used_days

Integer

Password age (days)

Minimum: 0

Maximum: 2147483647

pwd_min_days

Integer

Minimum password validity period

Minimum: 0

Maximum: 2147483647

pwd_max_days

Integer

Maximum password validity period

Minimum: 0

Maximum: 2147483647

pwd_warn_left_days

Integer

Advance warning of password expiration (days)

Minimum: 0

Maximum: 2147483647

Table 10 EventFileResponseInfo

Parameter

Type

Description

file_path

String

File path

file_alias

String

File alias

file_size

Integer

File size

Minimum: 0

Maximum: 2147483647

file_mtime

Long

Time when a file was last modified

Minimum: 0

Maximum: 9223372036854775807

file_atime

Long

Time when a file was last accessed

Minimum: 0

Maximum: 9223372036854775807

file_ctime

Long

Time when the status of a file was last changed

Minimum: 0

Maximum: 9223372036854775807

file_hash

String

File hash, calculated with the SHA-256 algorithm.

file_md5

String

File MD5

file_sha256

String

File SHA256

file_type

String

File type

file_content

String

File content

file_attr

String

File attribute

file_operation

Integer

File operation type

Minimum: 0

Maximum: 2147483647

file_action

String

File action

file_change_attr

String

Old/New attribute

file_new_path

String

New file path

file_desc

String

File description

file_key_word

String

File keyword

is_dir

Boolean

Whether it is a directory

fd_info

String

File handle information

fd_count

Integer

Number of file handles

Minimum: 0

Maximum: 2147483647

Example Requests

Query the first 50 unhandled host security events in enterprise project xxx.

GET https://{endpoint}/v5/{project_id}/event/events?offset=0&limit=50&handle_status=unhandled&category=host&enterprise_project_id=xxx

Example Responses

Status code: 200

Intrusion list

{
  "total_num" : 1,
  "data_list" : [ {
    "attack_phase" : "exploit",
    "attack_tag" : "abnormal_behavior",
    "event_class_id" : "login_1002",
    "event_id" : "d8a12cf7-6a43-4cd6-92b4-aabf1e917",
    "event_name" : "different locations",
    "event_type" : 4004,
    "forensic_info" : {
      "country" : "China",
      "city" : "Lanzhou",
      "ip" : "127.0.0.1",
      "user" : "zhangsan",
      "sub_division" : "Gansu",
      "city_id" : 3110
    },
    "handle_status" : "unhandled",
    "host_name" : "xxx",
    "occur_time" : 1661593036627,
    "operate_accept_list" : [ "ignore" ],
    "operate_detail_list" : [ {
      "agent_id" : "c9bed5397db449ebdfba15e85fcfc36accee125c68954daf5cab0528bab59bd8",
      "file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "file_path" : "/usr/test",
      "process_pid" : 3123,
      "file_attr" : 33261,
      "keyword" : "file_path=/usr/test",
      "hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "login_ip" : "127.0.0.1",
      "private_ip" : "127.0.0.2",
      "login_user_name" : "root",
      "is_parent" : false
    } ],
    "private_ip" : "127.0.0.1",
    "resource_info" : {
      "region_name" : "",
      "project_id" : "",
      "enterprise_project_id" : "0",
      "os_type" : "Linux",
      "os_version" : "2.5",
      "vm_name" : "",
      "vm_uuid" : "71a15ecc",
      "cloud_id" : "",
      "container_id" : "",
      "container_status" : "running / terminated",
      "image_id" : "",
      "pod_uid" : "",
      "pod_name" : "",
      "namespace" : "",
      "cluster_id" : "",
      "cluster_name" : ""
    },
    "severity" : "Medium",
    "extend_info" : "",
    "os_type" : "Linux",
    "agent_status" : "online",
    "asset_value" : "common",
    "protect_status" : "opened",
    "host_status" : "ACTIVE",
    "event_details" : "file_path:/root/test",
    "user_info_list" : [ {
      "login_ip" : "",
      "service_port" : 22,
      "service_type" : "ssh",
      "user_name" : "zhangsan",
      "login_mode" : 0,
      "login_last_time" : 1661593024,
      "login_fail_count" : 0
    } ],
    "process_info_list" : [ {
      "process_path" : "/root/test",
      "process_name" : "test",
      "process_cmdline" : "/bin/bash",
      "process_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "process_filename" : "test",
      "process_file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "process_username" : "root",
      "process_pid" : 372612,
      "process_uid" : 10000,
      "process_gid" : 10000,
      "process_egid" : 10000,
      "process_euid" : 10000,
      "process_start_time" : 1661593024,
      "mode" : "0",
      "block" : "",
      "parent_process_path" : "/usr/bin/bash",
      "parent_process_name" : "test",
      "parent_process_cmdline" : "/bin/bash",
      "parent_process_filename" : "test",
      "parent_process_file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "parent_process_pid" : 372612,
      "parent_process_uid" : 10000,
      "parent_process_gid" : 10000,
      "parent_process_egid" : 10000,
      "parent_process_euid" : 10000,
      "parent_process_start_time" : 1661593024,
      "child_process_path" : "/usr/bin/bash",
      "child_process_name" : "test",
      "child_process_cmdline" : "/bin/bash",
      "child_process_filename" : "test",
      "child_process_pid" : 372612,
      "child_process_uid" : 10000,
      "child_process_gid" : 10000,
      "child_process_egid" : 10000,
      "child_process_euid" : 10000,
      "child_process_start_time" : 1661593024,
      "virt_process_name" : "test",
      "virt_cmd" : "/bin/bash",
      "escape_cmd" : "/bin/bash",
      "escape_mode" : "0",
      "ancestor_process_pid" : 372612,
      "ancestor_process_cmdline" : "/bin/bash",
      "ancestor_process_path" : "/usr/bin/bash"
    } ],
    "description" : "",
    "event_abstract" : "",
    "tag_list" : [ "Hot Event" ]
  } ]
}
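The following is an added example in Python, not part of this documentation or the Huawei Cloud SDK. It encodes the Table 2 constraints (limit, offset, last_days versus begin_time/end_time, the two-day window) when building the request URL, then triages a constructed 200 response of the shape in Tables 4 and 5, most severe first. The endpoint, project ID, host names and event IDs are placeholders, and treating the 13-character begin_time/end_time as a millisecond epoch is an assumption.

```python
import json
from urllib.parse import urlencode

# Constraints Table 2 states for GET /v5/{project_id}/event/events.
LIMIT_MIN, LIMIT_MAX = 10, 1000
OFFSET_MAX = 2_000_000
LAST_DAYS_MIN, LAST_DAYS_MAX = 1, 30
TWO_DAYS_MS = 2 * 24 * 60 * 60 * 1000
CATEGORIES = {"host", "container"}
HANDLE_STATUSES = {"unhandled", "handled"}
SEVERITY_RANK = {"Security": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def _add_time_window(params, last_days, begin_time, end_time):
    """last_days is mutually exclusive with begin_time/end_time, which must be given
    together and at most two days apart. Assumption: the fixed length of 13 means a
    millisecond epoch, like occur_time in the page's example response."""
    if last_days is not None:
        if begin_time is not None or end_time is not None:
            raise ValueError("last_days is mutually exclusive with begin_time/end_time")
        if not LAST_DAYS_MIN <= last_days <= LAST_DAYS_MAX:
            raise ValueError(f"last_days must be {LAST_DAYS_MIN}..{LAST_DAYS_MAX}")
        params["last_days"] = last_days
    elif begin_time is not None or end_time is not None:
        if begin_time is None or end_time is None:
            raise ValueError("begin_time and end_time must be given together")
        for name, value in (("begin_time", begin_time), ("end_time", end_time)):
            if len(value) != 13 or not value.isdigit():
                raise ValueError(f"{name} must be a 13-digit millisecond timestamp")
        if not 0 <= int(end_time) - int(begin_time) <= TWO_DAYS_MS:
            raise ValueError("begin_time may be at most two days earlier than end_time")
        params["begin_time"], params["end_time"] = begin_time, end_time


def build_events_url(endpoint, project_id, category, limit=10, offset=0,
                     handle_status=None, enterprise_project_id=None,
                     last_days=None, begin_time=None, end_time=None):
    """Return the request URL, rejecting values the endpoint documents as invalid."""
    if category not in CATEGORIES:
        raise ValueError(f"category must be one of {sorted(CATEGORIES)}")
    if not LIMIT_MIN <= limit <= LIMIT_MAX:
        raise ValueError(f"limit must be {LIMIT_MIN}..{LIMIT_MAX}")
    if not 0 <= offset <= OFFSET_MAX:
        raise ValueError(f"offset must be 0..{OFFSET_MAX}")
    if handle_status is not None and handle_status not in HANDLE_STATUSES:
        raise ValueError(f"handle_status must be one of {sorted(HANDLE_STATUSES)}")
    params = {"category": category, "offset": offset, "limit": limit}
    if handle_status:
        params["handle_status"] = handle_status
    if enterprise_project_id:
        params["enterprise_project_id"] = enterprise_project_id
    _add_time_window(params, last_days, begin_time, end_time)
    return f"{endpoint}/v5/{project_id}/event/events?{urlencode(params)}"


def is_valid_query(**filters):
    """True if build_events_url accepts the filters (endpoint and project are dummies)."""
    try:
        build_events_url("https://hss.example", "p1", **filters)
        return True
    except ValueError:
        return False


def triage(response_body):
    """Reduce a 200 response (Table 4/5) to what a responder pages on, most severe first.
    Source IP: forensic_info "ip" (as in the page's example), else the first login_ip."""
    body = json.loads(response_body)
    rows = []
    for ev in body.get("data_list", []):
        forensic = ev.get("forensic_info") or {}
        logins = ev.get("user_info_list") or []
        rows.append({
            "event_id": ev["event_id"],
            "severity": ev.get("severity", "Security"),
            "event_class_id": ev.get("event_class_id"),
            "host_name": ev.get("host_name"),
            "attack_tag": ev.get("attack_tag"),
            "source_ip": forensic.get("ip") or (logins[0].get("login_ip") if logins else None),
            "unhandled": ev.get("handle_status") == "unhandled",
            "accepted_ops": list(ev.get("operate_accept_list", [])),
        })
    rows.sort(key=lambda r: SEVERITY_RANK.get(r["severity"], -1), reverse=True)
    return body.get("total_num", len(rows)), rows


# Constructed sample: one event trimmed from this page's example response plus a second one.
SAMPLE_RESPONSE = json.dumps({"total_num": 2, "data_list": [
    {"event_id": "evt-0001", "event_class_id": "login_1002", "event_type": 4004,
     "severity": "Medium", "attack_tag": "abnormal_behavior", "handle_status": "unhandled",
     "host_name": "web-01", "forensic_info": {"ip": "127.0.0.1", "user": "zhangsan"},
     "operate_accept_list": ["ignore"], "user_info_list": [{"login_ip": "", "service_port": 22}]},
    {"event_id": "evt-0002", "event_class_id": "malware_0002", "event_type": 1017,
     "severity": "Critical", "attack_tag": "attack_success", "handle_status": "unhandled",
     "host_name": "web-02", "forensic_info": {}, "operate_accept_list": ["isolate_and_kill", "ignore"],
     "user_info_list": [{"login_ip": "127.0.0.3", "service_port": 22}]}]})

if __name__ == "__main__":
    print(build_events_url("https://{endpoint}", "{project_id}", "host", limit=50,
                           handle_status="unhandled", enterprise_project_id="xxx"))
    for r in triage(SAMPLE_RESPONSE)[1]:
        print(r["severity"], r["event_class_id"], r["host_name"], r["source_ip"], r["accepted_ops"])
```

Validating the window client-side matters because a rejected begin_time/end_time pair otherwise surfaces only as an error from the endpoint, after the X-Auth-Token round trip.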

SDK Sample Code

The SDK sample code is as follows.

package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.hss.v5.region.HssRegion;
import com.huaweicloud.sdk.hss.v5.*;
import com.huaweicloud.sdk.hss.v5.model.*;

import java.util.List;
import java.util.ArrayList;

public class ListSecurityEventsSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set the environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");

        ICredential auth = new BasicCredentials()
                .withAk(ak)
                .withSk(sk);

        HssClient client = HssClient.newBuilder()
                .withCredential(auth)
                .withRegion(HssRegion.valueOf("<YOUR REGION>"))
                .build();
        ListSecurityEventsRequest request = new ListSecurityEventsRequest();
        request.withCategory("<category>");
        request.withEnterpriseProjectId("<enterprise_project_id>");
        request.withLastDays(<last_days>);
        request.withHostName("<host_name>");
        request.withHostId("<host_id>");
        request.withPrivateIp("<private_ip>");
        request.withPublicIp("<public_ip>");
        request.withContainerName("<container_name>");
        request.withOffset(<offset>);
        request.withLimit(<limit>);
        // Array query parameters are passed as lists; fill them with the values to filter on
        List<Integer> listRequestEventTypes = new ArrayList<>();
        listRequestEventTypes.add(<event_types>);
        request.withEventTypes(listRequestEventTypes);
        request.withHandleStatus("<handle_status>");
        request.withSeverity("<severity>");
        request.withBeginTime("<begin_time>");
        request.withEndTime("<end_time>");
        List<String> listRequestEventClassIds = new ArrayList<>();
        listRequestEventClassIds.add("<event_class_ids>");
        request.withEventClassIds(listRequestEventClassIds);
        List<String> listRequestSeverityList = new ArrayList<>();
        listRequestSeverityList.add("<severity_list>");
        request.withSeverityList(listRequestSeverityList);
        request.withAttackTag("<attack_tag>");
        request.withAssetValue("<asset_value>");
        List<String> listRequestTagList = new ArrayList<>();
        listRequestTagList.add("<tag_list>");
        request.withTagList(listRequestTagList);
        request.withAttCk("<att_ck>");
        request.withEventName("<event_name>");
        try {
            ListSecurityEventsResponse response = client.listSecurityEvents(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}
# coding: utf-8

import os

from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkhss.v5.region.hss_region import HssRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkhss.v5 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set the environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
    ak = os.getenv("CLOUD_SDK_AK")
    sk = os.getenv("CLOUD_SDK_SK")

    credentials = BasicCredentials(ak, sk)

    client = HssClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(HssRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ListSecurityEventsRequest()
        request.category = "<category>"
        request.enterprise_project_id = "<enterprise_project_id>"
        request.last_days = <last_days>
        request.host_name = "<host_name>"
        request.host_id = "<host_id>"
        request.private_ip = "<private_ip>"
        request.public_ip = "<public_ip>"
        request.container_name = "<container_name>"
        request.offset = <offset>
        request.limit = <limit>
        # Array query parameters are passed as lists; fill them with the values to filter on
        request.event_types = [<event_types>]
        request.handle_status = "<handle_status>"
        request.severity = "<severity>"
        request.begin_time = "<begin_time>"
        request.end_time = "<end_time>"
        request.event_class_ids = ["<event_class_ids>"]
        request.severity_list = ["<severity_list>"]
        request.attack_tag = "<attack_tag>"
        request.asset_value = "<asset_value>"
        request.tag_list = ["<tag_list>"]
        request.att_ck = "<att_ck>"
        request.event_name = "<event_name>"
        response = client.list_security_events(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)
package main

import (
	"fmt"
	"os"

	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
	hss "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/model"
	region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/region"
)

func main() {
	// The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
	// In this example, AK and SK are stored in environment variables for authentication. Before running this example, set the environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
	ak := os.Getenv("CLOUD_SDK_AK")
	sk := os.Getenv("CLOUD_SDK_SK")

	auth := basic.NewCredentialsBuilder().
		WithAk(ak).
		WithSk(sk).
		Build()

	client := hss.NewHssClient(
		hss.HssClientBuilder().
			WithRegion(region.ValueOf("<YOUR REGION>")).
			WithCredential(auth).
			Build())

	request := &model.ListSecurityEventsRequest{}
	request.Category = "<category>"
	enterpriseProjectIdRequest := "<enterprise_project_id>"
	request.EnterpriseProjectId = &enterpriseProjectIdRequest
	lastDaysRequest := int32(<last_days>)
	request.LastDays = &lastDaysRequest
	hostNameRequest := "<host_name>"
	request.HostName = &hostNameRequest
	hostIdRequest := "<host_id>"
	request.HostId = &hostIdRequest
	privateIpRequest := "<private_ip>"
	request.PrivateIp = &privateIpRequest
	publicIpRequest := "<public_ip>"
	request.PublicIp = &publicIpRequest
	containerNameRequest := "<container_name>"
	request.ContainerName = &containerNameRequest
	offsetRequest := int32(<offset>)
	request.Offset = &offsetRequest
	limitRequest := int32(<limit>)
	request.Limit = &limitRequest
	// Array query parameters are passed as pointers to slices; fill them with the values to filter on
	eventTypesRequest := []int32{<event_types>}
	request.EventTypes = &eventTypesRequest
	handleStatusRequest := "<handle_status>"
	request.HandleStatus = &handleStatusRequest
	severityRequest := "<severity>"
	request.Severity = &severityRequest
	beginTimeRequest := "<begin_time>"
	request.BeginTime = &beginTimeRequest
	endTimeRequest := "<end_time>"
	request.EndTime = &endTimeRequest
	eventClassIdsRequest := []string{"<event_class_ids>"}
	request.EventClassIds = &eventClassIdsRequest
	severityListRequest := []string{"<severity_list>"}
	request.SeverityList = &severityListRequest
	attackTagRequest := "<attack_tag>"
	request.AttackTag = &attackTagRequest
	assetValueRequest := "<asset_value>"
	request.AssetValue = &assetValueRequest
	tagListRequest := []string{"<tag_list>"}
	request.TagList = &tagListRequest
	attCkRequest := "<att_ck>"
	request.AttCk = &attCkRequest
	eventNameRequest := "<event_name>"
	request.EventName = &eventNameRequest
	response, err := client.ListSecurityEvents(request)
	if err == nil {
		fmt.Printf("%+v\n", response)
	} else {
		fmt.Println(err)
	}
}

For SDK sample code in more programming languages, see the Sample Code tab in API Explorer, where SDK sample code can be generated automatically.

Status Codes

Status Code

Description

200

Intrusion list

Error Codes

See Error Codes.