Creating an Incident

Function

This API is used to create an incident.

Calling Method

For details, see Calling APIs.

URI

POST /v1/{project_id}/workspaces/{workspace_id}/soc/incidents

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| project_id | Yes | String | Project ID. |
| workspace_id | Yes | String | Workspace ID. |

Request Parameters

Table 2 Request header parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| X-Auth-Token | Yes | String | User token. It can be obtained by calling the IAM API used to obtain a user token; the value of X-Subject-Token in the response header is the user token. |
| content-type | Yes | String | Content type. |

Table 3 Request body parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| data_object | No | Incident object | Incident entity information. |

Table 4 Incident

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| version | No | String | Version of the incident object. The value must be the one released by the SSA service. |
| id | No | String | Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters. |
| domain_id | No | String | ID of the account (domain_id) to which the data is delivered and hosted. |
| region_id | No | String | ID of the region of the account to which the data is delivered and hosted. |
| workspace_id | No | String | ID of the current workspace. |
| labels | No | String | Tag (display only). |
| environment | No | environment object | Coordinates of the environment where the incident was generated. |
| data_source | No | data_source object | Data source that first reported the incident. |
| first_observed_time | No | String | First discovery time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |
| last_observed_time | No | String | Latest discovery time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |
| create_time | No | String | Recording time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |
| arrive_time | No | String | Receiving time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |
| title | No | String | Incident title. |
| description | No | String | Incident description. |
| source_url | No | String | Incident URL, which points to the page displaying the current incident description in the data source product. |
| count | No | Integer | Number of incident occurrences. |
| confidence | No | Integer | Incident confidence, which expresses how accurately the behavior or problem was identified. Value range: 0 to 100, where 0 means 0% confidence and 100 means 100% confidence. |
| severity | No | String | Severity level. Value range: Tips, Low, Medium, High, Fatal. Note: 0: Tips, no threats are found. 1: Low, no action is required for the threat. 2: Medium, the threat needs to be handled but is not urgent. 3: High, the threat must be handled preferentially. 4: Fatal, the threat must be handled immediately to prevent further damage. |
| criticality | No | Integer | Criticality, which specifies the importance level of the resources involved in the incident. Value range: 0 to 100, where 0 means the resource is not critical and 100 means the resource is critical. |
| incident_type | No | incident_type object | Incident classification. For details, see the Alert and Incident Type Definition. |
| network_list | No | Array of network_list objects | Network information. |
| resource_list | No | Array of resource_list objects | Affected resources. |
| remediation | No | remediation object | Remedy measure. |
| verification_state | No | String | Verification status, which identifies the accuracy of the incident. Options: Unknown (the incident is unknown), True_Positive (the incident is confirmed), False_Positive (the incident is a false positive). The default value is Unknown. |
| handle_status | No | String | Incident handling status. Options: Open, Block, Closed. The default value is Open. |
| sla | No | Integer | Time to closure: the deadline by which the incident must be resolved. Unit: hour. |
| update_time | No | String | Update time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |
| close_time | No | String | Closure time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |
| ipdrr_phase | No | String | Handling phase. Options: Preparation (preparation stage), Detection and Analysis (detection and analysis stage), Contain, Eradication& Recovery (containment, eradication, and recovery stage), Post-Incident-Activity (post-incident activity stage). |
| simulation | No | String | Debugging field. |
| actor | No | String | Incident investigator. |
| owner | No | String | Owner and service owner. |
| creator | No | String | Creator. |
| close_reason | No | String | Closure reason. Options: False detection, Resolved, Repeated, Other. |
| close_comment | No | String | Comment for the closure. |
| malware | No | malware object | Malware. |
| system_info | No | Object | System information. |
| process | No | Array of process objects | Process information. |
| user_info | No | Array of user_info objects | User information. |
| file_info | No | Array of file_info objects | File information. |
| system_alert_table | No | Object | Layout fields in the incident list. |

Table 5 environment

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| vendor_type | No | String | Environment provider. |
| domain_id | No | String | Account ID. |
| region_id | No | String | Region ID. global is returned for global services. |
| cross_workspace_id | No | String | Source workspace ID before data delivery. In the source workspace, the value is null. After data delivery, the value is the ID of the delegated user. |
| project_id | No | String | Project ID. The default value is null for global services. |

Table 6 data_source

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| source_type | No | Integer | Data source type. Options: 1 (cloud service), 2 (third-party product), 3 (private product). |
| domain_id | No | String | Account ID to which the data source product belongs. |
| project_id | No | String | ID of the project to which the data source product belongs. |
| region_id | No | String | Region where the data source product is located. For details about the value range, see "Regions and Endpoints". |
| company_name | No | String | Name of the company to which the data source product belongs. |
| product_name | No | String | Name of the data source product. |
| product_feature | No | String | Name of the feature of the product that detects the incident. |
| product_module | No | String | Threat detection model list. |

Table 7 incident_type

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| category | No | String | Category. |
| incident_type | No | String | Incident type. |

Table 8 network_list

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| direction | No | String | Direction. The value can be IN or OUT. |
| protocol | No | String | Protocol, including Layer 7 and Layer 4 protocols. Reference: IANA registered names, https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml |
| src_ip | No | String | Source IP address. |
| src_port | No | Integer | Source port. Value range: 0 to 65535. |
| src_domain | No | String | Source domain name. |
| src_geo | No | src_geo object | Geographical location of the source IP address. |
| dest_ip | No | String | Destination IP address. |
| dest_port | No | String | Destination port. Value range: 0 to 65535. |
| dest_domain | No | String | Destination domain name. |
| dest_geo | No | dest_geo object | Geographical location of the destination IP address. |

Table 9 src_geo

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| latitude | No | Number | Latitude. |
| longitude | No | Number | Longitude. |
| city_code | No | String | City code. |
| country_code | No | String | Country code in ISO 3166-1 alpha-2 format, for example CN, US, DE, IT, SG. |

Table 10 dest_geo

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| latitude | No | Number | Latitude. |
| longitude | No | Number | Longitude. |
| city_code | No | String | City code. |
| country_code | No | String | Country code in ISO 3166-1 alpha-2 format, for example CN, US, DE, IT, SG. |

Table 11 resource_list

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| id | No | String | Cloud service resource ID. |
| name | No | String | Resource name. |
| type | No | String | Resource type, which reuses the RMS type field. |
| provider | No | String | Cloud service name, which is the same as the provider field in the RMS service. |
| region_id | No | String | Region. Enter the value based on the cloud region ID. |
| domain_id | No | String | ID of the account to which the resource belongs, in UUID format. |
| project_id | No | String | ID of the project to which the resource belongs, in UUID format. |
| ep_id | No | String | Enterprise project ID. |
| ep_name | No | String | Enterprise project name. |
| tags | No | String | Resource tags. A maximum of 50 key-value pairs are supported. A value can contain a maximum of 255 characters, including letters, digits, spaces, and the special characters + - = . _ : / @. |

Table 12 remediation

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| recommendation | No | String | Recommended solution. |
| url | No | String | URL pointing to the general handling details for the incident. The URL must be accessible from the public network with no credentials required. |

Table 13 malware

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| malware_family | No | String | Malware family. |
| malware_class | No | String | Malware classification. |

Table 14 process

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| process_name | No | String | Process name. |
| process_path | No | String | Path of the process executable file. |
| process_pid | No | Integer | Process ID. |
| process_uid | No | Integer | User ID associated with the process. |
| process_cmdline | No | String | Process command line. |
| process_parent_name | No | String | Parent process name. |
| process_parent_path | No | String | Path of the parent process executable file. |
| process_parent_pid | No | Integer | Parent process ID. |
| process_parent_uid | No | Integer | User ID associated with the parent process. |
| process_parent_cmdline | No | String | Parent process command line. |
| process_child_name | No | String | Subprocess name. |
| process_child_path | No | String | Path of the subprocess executable file. |
| process_child_pid | No | Integer | Subprocess ID. |
| process_child_uid | No | Integer | User ID associated with the subprocess. |
| process_child_cmdline | No | String | Subprocess command line. |
| process_launche_time | No | String | Process start time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |
| process_terminate_time | No | String | Process end time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |

Table 15 user_info

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| user_id | No | String | User ID (UID). |
| user_name | No | String | Username. |

Table 16 file_info

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| file_path | No | String | File path/name. |
| file_content | No | String | File content. |
| file_new_path | No | String | New file path/name. |
| file_hash | No | String | File hashes. |
| file_md5 | No | String | MD5 value of the file. |
| file_sha256 | No | String | SHA256 value of the file. |
| file_attr | No | String | File attributes. |

Response Parameters

Status code: 200

Table 17 Response header parameters

| Parameter | Type | Description |
|---|---|---|
| X-request-id | String | Request ID. Format: request_uuid-timestamp-hostname. |

Table 18 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| code | String | Error code. |
| message | String | Error message. |
| data | IncidentDetail object | Incident details object. |

Table 19 IncidentDetail

| Parameter | Type | Description |
|---|---|---|
| create_time | String | Recording time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |
| data_object | Incident object | Incident entity information. |
| dataclass_ref | dataclass_ref object | Data class object. |
| format_version | Integer | Format version. |
| id | String | Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters. |
| project_id | String | ID of the current project. |
| update_time | String | Update time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the alert was generated; if the value cannot be parsed, the default time zone GMT+8 is used. |
| version | Integer | Version. |
| workspace_id | String | ID of the current workspace. |

Table 20 Incident

| Parameter | Type | Description |
|---|---|---|
| version | String | Version of the incident object. The value must be the one released by the SSA service. |
| id | String | Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters. |
| domain_id | String | ID of the account (domain_id) to which the data is delivered and hosted. |
| region_id | String | ID of the region of the account to which the data is delivered and hosted. |
| workspace_id | String | ID of the current workspace. |
| labels | String | Tag (display only). |
| environment | environment object | Coordinates of the environment where the incident was generated. |
| data_source | data_source object | Data source that first reported the incident. |
| first_observed_time | String | First discovery time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |
| last_observed_time | String | Latest discovery time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |
| create_time | String | Recording time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |
| arrive_time | String | Receiving time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |
| title | String | Incident title. |
| description | String | Incident description. |
| source_url | String | Incident URL, which points to the page displaying the current incident description in the data source product. |
| count | Integer | Number of incident occurrences. |
| confidence | Integer | Incident confidence, which expresses how accurately the behavior or problem was identified. Value range: 0 to 100, where 0 means 0% confidence and 100 means 100% confidence. |
| severity | String | Severity level. Value range: Tips, Low, Medium, High, Fatal. Note: 0: Tips, no threats are found. 1: Low, no action is required for the threat. 2: Medium, the threat needs to be handled but is not urgent. 3: High, the threat must be handled preferentially. 4: Fatal, the threat must be handled immediately to prevent further damage. |
| criticality | Integer | Criticality, which specifies the importance level of the resources involved in the incident. Value range: 0 to 100, where 0 means the resource is not critical and 100 means the resource is critical. |
| incident_type | incident_type object | Incident classification. For details, see the Alert and Incident Type Definition. |
| network_list | Array of network_list objects | Network information. |
| resource_list | Array of resource_list objects | Affected resources. |
| remediation | remediation object | Remedy measure. |
| verification_state | String | Verification status, which identifies the accuracy of the incident. Options: Unknown (the incident is unknown), True_Positive (the incident is confirmed), False_Positive (the incident is a false positive). The default value is Unknown. |
| handle_status | String | Incident handling status. Options: Open, Block, Closed. The default value is Open. |
| sla | Integer | Time to closure: the deadline by which the incident must be resolved. Unit: hour. |
| update_time | String | Update time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |
| close_time | String | Closure time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |
| ipdrr_phase | String | Handling phase. Options: Preparation (preparation stage), Detection and Analysis (detection and analysis stage), Contain, Eradication& Recovery (containment, eradication, and recovery stage), Post-Incident-Activity (post-incident activity stage). |
| simulation | String | Debugging field. |
| actor | String | Incident investigator. |
| owner | String | Owner and service owner. |
| creator | String | Creator. |
| close_reason | String | Closure reason. Options: False detection, Resolved, Repeated, Other. |
| close_comment | String | Comment for the closure. |
| malware | malware object | Malware. |
| system_info | Object | System information. |
| process | Array of process objects | Process information. |
| user_info | Array of user_info objects | User information. |
| file_info | Array of file_info objects | File information. |
| system_alert_table | Object | Layout fields in the incident list. |

Table 21 environment

| Parameter | Type | Description |
|---|---|---|
| vendor_type | String | Environment provider. |
| domain_id | String | Account ID. |
| region_id | String | Region ID. global is returned for global services. |
| cross_workspace_id | String | Source workspace ID before data delivery. In the source workspace, the value is null. After data delivery, the value is the ID of the delegated user. |
| project_id | String | Project ID. The default value is null for global services. |

Table 22 data_source

| Parameter | Type | Description |
|---|---|---|
| source_type | Integer | Data source type. Options: 1 (cloud service), 2 (third-party product), 3 (private product). |
| domain_id | String | Account ID to which the data source product belongs. |
| project_id | String | ID of the project to which the data source product belongs. |
| region_id | String | Region where the data source product is located. For details about the value range, see "Regions and Endpoints". |
| company_name | String | Name of the company to which the data source product belongs. |
| product_name | String | Name of the data source product. |
| product_feature | String | Name of the feature of the product that detects the incident. |
| product_module | String | Threat detection model list. |

Table 23 incident_type

| Parameter | Type | Description |
|---|---|---|
| category | String | Category. |
| incident_type | String | Incident type. |

Table 24 network_list

| Parameter | Type | Description |
|---|---|---|
| direction | String | Direction. The value can be IN or OUT. |
| protocol | String | Protocol, including Layer 7 and Layer 4 protocols. Reference: IANA registered names, https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml |
| src_ip | String | Source IP address. |
| src_port | Integer | Source port. Value range: 0 to 65535. |
| src_domain | String | Source domain name. |
| src_geo | src_geo object | Geographical location of the source IP address. |
| dest_ip | String | Destination IP address. |
| dest_port | String | Destination port. Value range: 0 to 65535. |
| dest_domain | String | Destination domain name. |
| dest_geo | dest_geo object | Geographical location of the destination IP address. |

Table 25 src_geo

| Parameter | Type | Description |
|---|---|---|
| latitude | Number | Latitude. |
| longitude | Number | Longitude. |
| city_code | String | City code. |
| country_code | String | Country code in ISO 3166-1 alpha-2 format, for example CN, US, DE, IT, SG. |

Table 26 dest_geo

| Parameter | Type | Description |
|---|---|---|
| latitude | Number | Latitude. |
| longitude | Number | Longitude. |
| city_code | String | City code. |
| country_code | String | Country code in ISO 3166-1 alpha-2 format, for example CN, US, DE, IT, SG. |

Table 27 resource_list

| Parameter | Type | Description |
|---|---|---|
| id | String | Cloud service resource ID. |
| name | String | Resource name. |
| type | String | Resource type, which reuses the RMS type field. |
| provider | String | Cloud service name, which is the same as the provider field in the RMS service. |
| region_id | String | Region. Enter the value based on the cloud region ID. |
| domain_id | String | ID of the account to which the resource belongs, in UUID format. |
| project_id | String | ID of the project to which the resource belongs, in UUID format. |
| ep_id | String | Enterprise project ID. |
| ep_name | String | Enterprise project name. |
| tags | String | Resource tags. A maximum of 50 key-value pairs are supported. A value can contain a maximum of 255 characters, including letters, digits, spaces, and the special characters + - = . _ : / @. |

Table 28 remediation

| Parameter | Type | Description |
|---|---|---|
| recommendation | String | Recommended solution. |
| url | String | URL pointing to the general handling details for the incident. The URL must be accessible from the public network with no credentials required. |

Table 29 malware

| Parameter | Type | Description |
|---|---|---|
| malware_family | String | Malware family. |
| malware_class | String | Malware classification. |

Table 30 process

| Parameter | Type | Description |
|---|---|---|
| process_name | String | Process name. |
| process_path | String | Path of the process executable file. |
| process_pid | Integer | Process ID. |
| process_uid | Integer | User ID associated with the process. |
| process_cmdline | String | Process command line. |
| process_parent_name | String | Parent process name. |
| process_parent_path | String | Path of the parent process executable file. |
| process_parent_pid | Integer | Parent process ID. |
| process_parent_uid | Integer | User ID associated with the parent process. |
| process_parent_cmdline | String | Parent process command line. |
| process_child_name | String | Subprocess name. |
| process_child_path | String | Path of the subprocess executable file. |
| process_child_pid | Integer | Subprocess ID. |
| process_child_uid | Integer | User ID associated with the subprocess. |
| process_child_cmdline | String | Subprocess command line. |
| process_launche_time | String | Process start time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |
| process_terminate_time | String | Process end time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred; if the value cannot be parsed, the default time zone GMT+8 is used. |

Table 31 user_info

| Parameter | Type | Description |
|---|---|---|
| user_id | String | User ID (UID). |
| user_name | String | Username. |

Table 32 file_info

| Parameter | Type | Description |
|---|---|---|
| file_path | String | File path/name. |
| file_content | String | File content. |
| file_new_path | String | New file path/name. |
| file_hash | String | File hashes. |
| file_md5 | String | MD5 value of the file. |
| file_sha256 | String | SHA256 value of the file. |
| file_attr | String | File attributes. |

Table 33 dataclass_ref

| Parameter | Type | Description |
|---|---|---|
| id | String | Unique identifier of a data class. The value is in UUID format and can contain a maximum of 36 characters. |
| name | String | Data class name. |

Status code: 400

Table 34 Response header parameters

| Parameter | Type | Description |
|---|---|---|
| X-request-id | String | Request ID. Format: request_uuid-timestamp-hostname. |

Table 35 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| code | String | Error code. |
| message | String | Error description. |

Example Requests

Create an incident. Set the incident title to MyXXX, the tag to MyXXX, the severity to Tips, and the occurrence count to 4. The values below follow the types documented in Table 4 and Table 8 (severity is one of the listed levels, direction is the string IN or OUT, src_port is an integer, and the state fields carry one documented option each).

{
  "data_object" : {
    "version" : "1.0",
    "environment" : {
      "vendor_type" : "MyXXX",
      "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    },
    "data_source" : {
      "source_type" : 3,
      "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "product_name" : "test",
      "product_feature" : "test"
    },
    "first_observed_time" : "2021-01-30T23:00:00.000+0800",
    "last_observed_time" : "2021-01-30T23:00:00.000+0800",
    "create_time" : "2021-01-30T23:00:00.000+0800",
    "arrive_time" : "2021-01-30T23:00:00.000+0800",
    "title" : "MyXXX",
    "labels" : "MyXXX",
    "description" : "This is my XXXX",
    "source_url" : "http://xxx",
    "count" : 4,
    "confidence" : 4,
    "severity" : "Tips",
    "criticality" : 4,
    "incident_type" : {
      "incident_type" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "category" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    },
    "network_list" : [ {
      "direction" : "IN",
      "protocol" : "TCP",
      "src_ip" : "192.168.0.1",
      "src_port" : 1,
      "src_domain" : "xxx",
      "dest_ip" : "192.168.0.1",
      "dest_port" : "1",
      "dest_domain" : "xxx",
      "src_geo" : {
        "latitude" : 90,
        "longitude" : 180
      },
      "dest_geo" : {
        "latitude" : 90,
        "longitude" : 180
      }
    } ],
    "resource_list" : [ {
      "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "name" : "MyXXX",
      "type" : "MyXXX",
      "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "ep_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "ep_name" : "MyXXX",
      "tags" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    } ],
    "remediation" : {
      "recommendation" : "MyXXX",
      "url" : "http://xxx"
    },
    "verification_state" : "Unknown",
    "handle_status" : "Open",
    "sla" : 60000,
    "update_time" : "2021-01-30T23:00:00.000+0800",
    "close_time" : "2021-01-30T23:00:00.000+0800",
    "ipdrr_phase" : "Preparation",
    "simulation" : "false",
    "actor" : "Tom",
    "owner" : "MyXXX",
    "creator" : "MyXXX",
    "close_reason" : "Other",
    "close_comment" : "MyXXX",
    "malware" : {
      "malware_family" : "family",
      "malware_class" : "Malicious memory occupation."
    },
    "system_info" : { },
    "process" : [ {
      "process_name" : "MyXXX",
      "process_path" : "MyXXX",
      "process_pid" : 123,
      "process_uid" : 123,
      "process_cmdline" : "MyXXX"
    } ],
    "user_info" : [ {
      "user_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "user_name" : "MyXXX"
    } ],
    "file_info" : [ {
      "file_path" : "MyXXX",
      "file_content" : "MyXXX",
      "file_new_path" : "MyXXX",
      "file_hash" : "MyXXX",
      "file_md5" : "MyXXX",
      "file_sha256" : "MyXXX",
      "file_attr" : "MyXXX"
    } ],
    "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca620"
  }
}
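The request above assembled and checked programmatically, as an added example that is not part of the Huawei Cloud documentation or SDK: it validates a data_object against the enumerations and ranges stated in Tables 4, 6, 8 and 12 (severity, verification_state, handle_status, ipdrr_phase, confidence, criticality, source_type, direction, src_port, and the no-credentials rule for remediation.url), formats timestamps in the documented "YYYY-MM-DDTHH:mm:ss.ms+Time zone" form, and builds the POST request with the X-Auth-Token header. The endpoint host, token and sample field values are constructed placeholders, and sending the body as application/json is an assumption, since the page only states that the content-type header is mandatory.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Any
from urllib.parse import urlsplit

# Enumerations and ranges as documented in Tables 4, 6 and 8.
SEVERITIES = {"Tips", "Low", "Medium", "High", "Fatal"}
VERIFICATION_STATES = {"Unknown", "True_Positive", "False_Positive"}
HANDLE_STATUSES = {"Open", "Block", "Closed"}
IPDRR_PHASES = {"Preparation", "Detection and Analysis",
                "Contain, Eradication& Recovery", "Post-Incident-Activity"}
SOURCE_TYPES = {1, 2, 3}  # 1: cloud service, 2: third-party product, 3: private product
DEFAULT_TZ = timezone(timedelta(hours=8))  # documented fallback when no zone can be parsed


def fmt_time(dt: datetime) -> str:
    """Render dt as "YYYY-MM-DDTHH:mm:ss.ms+Time zone"; a naive dt is taken as GMT+8."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=DEFAULT_TZ)
    return f"{dt:%Y-%m-%dT%H:%M:%S}.{dt.microsecond // 1000:03d}{dt:%z}"


def _check_int_range(errors: list, obj: dict, key: str, lo: int, hi: int) -> None:
    """Append an error unless obj[key] is absent or an integer within lo..hi."""
    val = obj.get(key)
    if val is None:
        return
    if isinstance(val, bool) or not isinstance(val, int) or not lo <= val <= hi:
        errors.append(f"{key} must be an integer in {lo}..{hi}, got {val!r}")


def validate_incident(inc: dict[str, Any]) -> list[str]:
    """Return every violation of the documented constraints; an empty list means valid."""
    errors: list[str] = []
    if "id" in inc and len(str(inc["id"])) > 36:
        errors.append("id must be a UUID string of at most 36 characters")
    for key, allowed in (("severity", SEVERITIES),
                         ("verification_state", VERIFICATION_STATES),
                         ("handle_status", HANDLE_STATUSES),
                         ("ipdrr_phase", IPDRR_PHASES)):
        if key in inc and inc[key] not in allowed:
            errors.append(f"{key} must be one of {sorted(allowed)}, got {inc[key]!r}")
    _check_int_range(errors, inc, "confidence", 0, 100)
    _check_int_range(errors, inc, "criticality", 0, 100)
    source_type = inc.get("data_source", {}).get("source_type")
    if source_type is not None and source_type not in SOURCE_TYPES:
        errors.append(f"data_source.source_type must be 1, 2 or 3, got {source_type!r}")
    for i, net in enumerate(inc.get("network_list", [])):
        if "direction" in net and net["direction"] not in ("IN", "OUT"):
            errors.append(f"network_list[{i}].direction must be the string IN or OUT")
        # src_port is documented as Integer; dest_port is documented as String.
        _check_int_range(errors, net, "src_port", 0, 65535)
    url = inc.get("remediation", {}).get("url")
    if url:
        parts = urlsplit(url)
        # Documented contract: reachable from the public network without credentials,
        # so an embedded user:password or a non-http(s) scheme is rejected up front.
        if parts.scheme not in ("http", "https") or parts.username or parts.password:
            errors.append("remediation.url must be a plain http(s) URL with no embedded credentials")
    return errors


def build_request(endpoint: str, project_id: str, workspace_id: str,
                  token: str, incident: dict[str, Any]) -> urllib.request.Request:
    """Wrap a validated incident in the documented URI, headers and data_object body."""
    problems = validate_incident(incident)
    if problems:
        raise ValueError("; ".join(problems))
    url = f"{endpoint}/v1/{project_id}/workspaces/{workspace_id}/soc/incidents"
    body = json.dumps({"data_object": incident}).encode("utf-8")
    # application/json is assumed; the page only states that content-type is mandatory.
    headers = {"X-Auth-Token": token, "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


# Constructed sample incident (placeholder values, not taken from the documentation).
SAMPLE_INCIDENT: dict[str, Any] = {
    "version": "1.0",
    "title": "Suspicious outbound connection from web tier",
    "severity": "Medium",
    "confidence": 60,
    "criticality": 40,
    "count": 1,
    "data_source": {"source_type": 3, "product_name": "example-edr"},
    "first_observed_time": fmt_time(datetime(2021, 1, 30, 23, 0, 0)),
    "verification_state": "Unknown",
    "handle_status": "Open",
    "ipdrr_phase": "Detection and Analysis",
    "network_list": [{"direction": "OUT", "protocol": "TCP",
                      "src_ip": "192.168.0.1", "src_port": 51234,
                      "dest_ip": "192.168.0.2", "dest_port": "443"}],
    "remediation": {"recommendation": "Isolate the host and review the process tree.",
                    "url": "https://runbooks.example.invalid/outbound-connection"},
}

if __name__ == "__main__":
    req = build_request("https://secmaster.example.invalid", "PROJECT_ID",
                        "WORKSPACE_ID", "TOKEN_PLACEHOLDER", SAMPLE_INCIDENT)
    print(req.get_method(), req.full_url)
    print(json.dumps(json.loads(req.data), indent=2))
    # urllib.request.urlopen(req) would submit it; left out so the script runs offline.
```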

Example Responses

Status code: 200

Response body for requests for creating incidents.

{
  "code" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
  "message" : "Error message",
  "data" : {
    "data_object" : {
      "version" : "1.0",
      "environment" : {
        "vendor_type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "data_source" : {
        "source_type" : 3,
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "first_observed_time" : "2021-01-30T23:00:00Z+0800",
      "last_observed_time" : "2021-01-30T23:00:00Z+0800",
      "create_time" : "2021-01-30T23:00:00Z+0800",
      "arrive_time" : "2021-01-30T23:00:00Z+0800",
      "title" : "MyXXX",
      "description" : "This my XXXX",
      "source_url" : "http://xxx",
      "count" : 4,
      "confidence" : 4,
      "severity" : "TIPS",
      "criticality" : 4,
      "incident_type" : { },
      "network_list" : [ {
        "direction" : {
          "IN" : null
        },
        "protocol" : "TCP",
        "src_ip" : "192.168.0.1",
        "src_port" : "1",
        "src_domain" : "xxx",
        "dest_ip" : "192.168.0.1",
        "dest_port" : "1",
        "dest_domain" : "xxx",
        "src_geo" : {
          "latitude" : 90,
          "longitude" : 180
        },
        "dest_geo" : {
          "latitude" : 90,
          "longitude" : 180
        }
      } ],
      "resource_list" : [ {
        "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "name" : "MyXXX",
        "type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_name" : "MyXXX",
        "tags" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      } ],
      "remediation" : {
        "recommendation" : "MyXXX",
        "url" : "MyXXX"
      },
      "verification_state" : "Unknown",
      "handle_status" : "Open",
      "sla" : 60000,
      "update_time" : "2021-01-30T23:00:00Z+0800",
      "close_time" : "2021-01-30T23:00:00Z+0800",
      "ipdrr_phase" : "Preparation",
      "simulation" : "false",
      "actor" : "Tom",
      "owner" : "MyXXX",
      "creator" : "MyXXX",
      "close_reason" : "False positive",
      "close_comment" : "False positive; Resolved; Duplicate; Others",
      "malware" : {
        "malware_family" : "family",
        "malware_class" : "Malicious memory occupation."
      },
      "system_info" : { },
      "process" : [ {
        "process_name" : "MyXXX",
        "process_path" : "MyXXX",
        "process_pid" : 123,
        "process_uid" : 123,
        "process_cmdline" : "MyXXX"
      } ],
      "user_info" : [ {
        "user_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "user_name" : "MyXXX"
      } ],
      "file_info" : [ {
        "file_path" : "MyXXX",
        "file_content" : "MyXXX",
        "file_new_path" : "MyXXX",
        "file_hash" : "MyXXX",
        "file_md5" : "MyXXX",
        "file_sha256" : "MyXXX",
        "file_attr" : "MyXXX"
      } ],
      "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca620"
    },
    "create_time" : "2021-01-30T23:00:00Z+0800",
    "update_time" : "2021-01-30T23:00:00Z+0800",
    "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
  }
}

SDK Sample Code

The SDK sample code is as follows.

Java

Create an incident. Set the incident title to MyXXX, the label to MyXXX, the severity to TIPS, and the occurrence count to 4.

package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.secmaster.v2.region.SecMasterRegion;
import com.huaweicloud.sdk.secmaster.v2.*;
import com.huaweicloud.sdk.secmaster.v2.model.*;

import java.util.List;
import java.util.ArrayList;

public class CreateIncidentSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        SecMasterClient client = SecMasterClient.newBuilder()
                .withCredential(auth)
                .withRegion(SecMasterRegion.valueOf("<YOUR REGION>"))
                .build();
        CreateIncidentRequest request = new CreateIncidentRequest();
        request.withWorkspaceId("{workspace_id}");
        CreateIncidentRequestBody body = new CreateIncidentRequestBody();
        List<IncidentFileInfo> listDataObjectFileInfo = new ArrayList<>();
        listDataObjectFileInfo.add(
            new IncidentFileInfo()
                .withFilePath("MyXXX")
                .withFileContent("MyXXX")
                .withFileNewPath("MyXXX")
                .withFileHash("MyXXX")
                .withFileMd5("MyXXX")
                .withFileSha256("MyXXX")
                .withFileAttr("MyXXX")
        );
        List<IncidentUserInfo> listDataObjectUserInfo = new ArrayList<>();
        listDataObjectUserInfo.add(
            new IncidentUserInfo()
                .withUserId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withUserName("MyXXX")
        );
        List<IncidentProcess> listDataObjectProcess = new ArrayList<>();
        listDataObjectProcess.add(
            new IncidentProcess()
                .withProcessName("MyXXX")
                .withProcessPath("MyXXX")
                .withProcessPid(123)
                .withProcessUid(123)
                .withProcessCmdline("MyXXX")
        );
        IncidentMalware malwareDataObject = new IncidentMalware();
        malwareDataObject.withMalwareFamily("family")
            .withMalwareClass("Malicious memory occupation.");
        IncidentRemediation remediationDataObject = new IncidentRemediation();
        remediationDataObject.withRecommendation("MyXXX")
            .withUrl("MyXXX");
        List<IncidentResourceList> listDataObjectResourceList = new ArrayList<>();
        listDataObjectResourceList.add(
            new IncidentResourceList()
                .withId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withName("MyXXX")
                .withType("MyXXX")
                .withRegionId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withDomainId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withProjectId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withEpId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withEpName("MyXXX")
                .withTags("909494e3-558e-46b6-a9eb-07a8e18ca62f")
        );
        IncidentDestGeo destGeoNetworkList = new IncidentDestGeo();
        destGeoNetworkList.withLatitude(java.math.BigDecimal.valueOf(90))
            .withLongitude(java.math.BigDecimal.valueOf(180));
        IncidentSrcGeo srcGeoNetworkList = new IncidentSrcGeo();
        srcGeoNetworkList.withLatitude(java.math.BigDecimal.valueOf(90))
            .withLongitude(java.math.BigDecimal.valueOf(180));
        List<IncidentNetworkList> listDataObjectNetworkList = new ArrayList<>();
        listDataObjectNetworkList.add(
            new IncidentNetworkList()
                // "IN" is the direction value shown in the example response; the generated sample had a placeholder here
                .withDirection(IncidentNetworkList.DirectionEnum.fromValue("IN"))
                .withProtocol("TCP")
                .withSrcIp("192.168.0.1")
                .withSrcPort(1)
                .withSrcDomain("xxx")
                .withSrcGeo(srcGeoNetworkList)
                .withDestIp("192.168.0.1")
                .withDestPort("1")
                .withDestDomain("xxx")
                .withDestGeo(destGeoNetworkList)
        );
        IncidentIncidentType incidentTypeDataObject = new IncidentIncidentType();
        incidentTypeDataObject.withCategory("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withIncidentType("909494e3-558e-46b6-a9eb-07a8e18ca62f");
        IncidentDataSource dataSourceDataObject = new IncidentDataSource();
        dataSourceDataObject.withSourceType(3)
            .withDomainId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withProjectId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withRegionId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withProductName("test")
            .withProductFeature("test");
        IncidentEnvironment environmentDataObject = new IncidentEnvironment();
        environmentDataObject.withVendorType("MyXXX")
            .withDomainId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withRegionId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withProjectId("909494e3-558e-46b6-a9eb-07a8e18ca62f");
        Incident dataObjectbody = new Incident();
        dataObjectbody.withVersion("1.0")
            .withId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withWorkspaceId("909494e3-558e-46b6-a9eb-07a8e18ca620")
            .withLabels("MyXXX")
            .withEnvironment(environmentDataObject)
            .withDataSource(dataSourceDataObject)
            .withFirstObservedTime("2021-01-30T23:00:00Z+0800")
            .withLastObservedTime("2021-01-30T23:00:00Z+0800")
            .withCreateTime("2021-01-30T23:00:00Z+0800")
            .withArriveTime("2021-01-30T23:00:00Z+0800")
            .withTitle("MyXXX")
            .withDescription("This my XXXX")
            .withSourceUrl("http://xxx")
            .withCount(4)
            .withConfidence(4)
            .withSeverity(Incident.SeverityEnum.fromValue("TIPS"))
            .withCriticality(4)
            .withIncidentType(incidentTypeDataObject)
            .withNetworkList(listDataObjectNetworkList)
            .withResourceList(listDataObjectResourceList)
            .withRemediation(remediationDataObject)
            // Pass one of the listed enum values, not the field description
            .withVerificationState(Incident.VerificationStateEnum.fromValue("Unknown"))
            .withHandleStatus(Incident.HandleStatusEnum.fromValue("Open"))
            .withSla(60000)
            .withUpdateTime("2021-01-30T23:00:00Z+0800")
            .withCloseTime("2021-01-30T23:00:00Z+0800")
            .withIpdrrPhase(Incident.IpdrrPhaseEnum.fromValue("Preparation"))
            .withSimulation("false")
            .withActor("Tom")
            .withOwner("MyXXX")
            .withCreator("MyXXX")
            .withCloseReason(Incident.CloseReasonEnum.fromValue("False positive"))
            .withCloseComment("False positive; Resolved; Duplicate; Others")
            .withMalware(malwareDataObject)
            .withSystemInfo(new Object())
            .withProcess(listDataObjectProcess)
            .withUserInfo(listDataObjectUserInfo)
            .withFileInfo(listDataObjectFileInfo);
        body.withDataObject(dataObjectbody);
        request.withBody(body);
        try {
            CreateIncidentResponse response = client.createIncident(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

Python

Create an incident. Set the incident title to MyXXX, the label to MyXXX, the severity to TIPS, and the occurrence count to 4.

# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdksecmaster.v2.region.secmaster_region import SecMasterRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdksecmaster.v2 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = SecMasterClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(SecMasterRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = CreateIncidentRequest()
        request.workspace_id = "{workspace_id}"
        listFileInfoDataObject = [
            IncidentFileInfo(
                file_path="MyXXX",
                file_content="MyXXX",
                file_new_path="MyXXX",
                file_hash="MyXXX",
                file_md5="MyXXX",
                file_sha256="MyXXX",
                file_attr="MyXXX"
            )
        ]
        listUserInfoDataObject = [
            IncidentUserInfo(
                user_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                user_name="MyXXX"
            )
        ]
        listProcessDataObject = [
            IncidentProcess(
                process_name="MyXXX",
                process_path="MyXXX",
                process_pid=123,
                process_uid=123,
                process_cmdline="MyXXX"
            )
        ]
        malwareDataObject = IncidentMalware(
            malware_family="family",
            malware_class="Malicious memory occupation."
        )
        remediationDataObject = IncidentRemediation(
            recommendation="MyXXX",
            url="MyXXX"
        )
        listResourceListDataObject = [
            IncidentResourceList(
                id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                name="MyXXX",
                type="MyXXX",
                region_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                domain_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                project_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                ep_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                ep_name="MyXXX",
                tags="909494e3-558e-46b6-a9eb-07a8e18ca62f"
            )
        ]
        destGeoNetworkList = IncidentDestGeo(
            latitude=90,
            longitude=180
        )
        srcGeoNetworkList = IncidentSrcGeo(
            latitude=90,
            longitude=180
        )
        listNetworkListDataObject = [
            IncidentNetworkList(
                # "IN" is the direction value shown in the example response; the generated sample had a placeholder here
                direction="IN",
                protocol="TCP",
                src_ip="192.168.0.1",
                src_port=1,
                src_domain="xxx",
                src_geo=srcGeoNetworkList,
                dest_ip="192.168.0.1",
                dest_port="1",
                dest_domain="xxx",
                dest_geo=destGeoNetworkList
            )
        ]
        incidentTypeDataObject = IncidentIncidentType(
            category="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            incident_type="909494e3-558e-46b6-a9eb-07a8e18ca62f"
        )
        dataSourceDataObject = IncidentDataSource(
            source_type=3,
            domain_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            project_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            region_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            product_name="test",
            product_feature="test"
        )
        environmentDataObject = IncidentEnvironment(
            vendor_type="MyXXX",
            domain_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            region_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            project_id="909494e3-558e-46b6-a9eb-07a8e18ca62f"
        )
        dataObjectbody = Incident(
            version="1.0",
            id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            workspace_id="909494e3-558e-46b6-a9eb-07a8e18ca620",
            labels="MyXXX",
            environment=environmentDataObject,
            data_source=dataSourceDataObject,
            first_observed_time="2021-01-30T23:00:00Z+0800",
            last_observed_time="2021-01-30T23:00:00Z+0800",
            create_time="2021-01-30T23:00:00Z+0800",
            arrive_time="2021-01-30T23:00:00Z+0800",
            title="MyXXX",
            description="This my XXXX",
            source_url="http://xxx",
            count=4,
            confidence=4,
            severity="TIPS",
            criticality=4,
            incident_type=incidentTypeDataObject,
            network_list=listNetworkListDataObject,
            resource_list=listResourceListDataObject,
            remediation=remediationDataObject,
            # Pass one of the listed enum values, not the field description
            verification_state="Unknown",
            handle_status="Open",
            sla=60000,
            update_time="2021-01-30T23:00:00Z+0800",
            close_time="2021-01-30T23:00:00Z+0800",
            ipdrr_phase="Preparation",
            simulation="false",
            actor="Tom",
            owner="MyXXX",
            creator="MyXXX",
            close_reason="False positive",
            close_comment="False positive; Resolved; Duplicate; Others",
            malware=malwareDataObject,
            system_info={},
            process=listProcessDataObject,
            user_info=listUserInfoDataObject,
            file_info=listFileInfoDataObject
        )
        request.body = CreateIncidentRequestBody(
            data_object=dataObjectbody
        )
        response = client.create_incident(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)
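The SDK samples pass the enumerated fields (verification_state, handle_status, ipdrr_phase, close_reason, severity, direction) straight through to the service, so a value it does not recognise only surfaces as the 400 response listed under Status Codes. The following is an added example, not code from the Huawei Cloud documentation or SDK: it assembles the data_object as a plain dict and checks the enumerated, UUID, integer and timestamp fields against the values this page lists before the request body is built. The helper names validate_incident, build_incident and request_body are this example's own; the TIPS severity and the IN direction come from the page, while the other severity and direction values are assumptions.

```python
"""Added example, not from the Huawei Cloud SecMaster documentation or SDK.

Builds the data_object of a CreateIncident request as a plain dict and
validates it against the values this API reference lists, so a malformed
payload (for instance a field description pasted in as the field value) is
rejected locally instead of being sent and coming back as a 400.
"""
import json
import re

# Allowed values exactly as the field descriptions on this page list them.
VERIFICATION_STATES = {"Unknown", "True_Positive", "False_Positive"}
HANDLE_STATUSES = {"Open", "Block", "Closed"}
IPDRR_PHASES = {
    "Preparation",
    "Detection and Analysis",
    "Contain, Eradication& Recovery",
    "Post-Incident-Activity",
}
CLOSE_REASONS = {"False positive", "Resolved", "Duplicate", "Others"}
# "TIPS" is the severity used in the page's samples; the other four are an
# assumption about the full enum, not taken from this page.
SEVERITIES = {"TIPS", "LOW", "MEDIUM", "HIGH", "FATAL"}
# "IN" is the direction shown in the example response; "OUT" is assumed.
DIRECTIONS = {"IN", "OUT"}

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# The timestamp shape used throughout the page's samples, e.g. 2021-01-30T23:00:00Z+0800.
TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z[+-]\d{4}$")

ENUM_FIELDS = {
    "verification_state": VERIFICATION_STATES,
    "handle_status": HANDLE_STATUSES,
    "ipdrr_phase": IPDRR_PHASES,
    "close_reason": CLOSE_REASONS,
    "severity": SEVERITIES,
}
TIME_FIELDS = ("first_observed_time", "last_observed_time", "create_time",
               "arrive_time", "update_time", "close_time")
INT_FIELDS = ("count", "confidence", "criticality", "sla")


def validate_incident(obj):
    """Return a list of problems found in a data_object dict (empty means OK)."""
    errors = []
    for field in ("id", "workspace_id"):
        value = obj.get(field)
        if value is not None and not (isinstance(value, str) and UUID_RE.match(value)):
            errors.append(f"{field}: {value!r} is not a UUID")
    for field, allowed in ENUM_FIELDS.items():
        value = obj.get(field)
        if value is not None and value not in allowed:
            errors.append(f"{field}: {value!r} not in {sorted(allowed)}")
    for field in TIME_FIELDS:
        value = obj.get(field)
        if value is not None and not (isinstance(value, str) and TIME_RE.match(value)):
            errors.append(f"{field}: bad timestamp {value!r}")
    for field in INT_FIELDS:
        value = obj.get(field)
        if value is not None and (isinstance(value, bool) or not isinstance(value, int)):
            errors.append(f"{field}: {value!r} is not an integer")
    for i, net in enumerate(obj.get("network_list", [])):
        if net.get("direction") not in DIRECTIONS:
            errors.append(f"network_list[{i}].direction: {net.get('direction')!r} not in {sorted(DIRECTIONS)}")
    return errors


def build_incident(workspace_id, title, severity="TIPS", count=1, **extra):
    """Assemble a minimal data_object; extra keyword fields are passed through."""
    obj = {
        "version": "1.0",
        "workspace_id": workspace_id,
        "title": title,
        "severity": severity,
        "count": count,
        # Defaults as stated in the field descriptions on this page.
        "verification_state": "Unknown",
        "handle_status": "Open",
    }
    obj.update(extra)
    return obj


def request_body(obj):
    """Serialise a validated data_object as the CreateIncidentRequestBody JSON."""
    problems = validate_incident(obj)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"data_object": obj}, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample, reusing the placeholder values from the page's examples.
    incident = build_incident("909494e3-558e-46b6-a9eb-07a8e18ca620", "MyXXX", count=4,
                              ipdrr_phase="Preparation", close_reason="False positive",
                              update_time="2021-01-30T23:00:00Z+0800",
                              network_list=[{"direction": "IN", "protocol": "TCP"}])
    print(request_body(incident))
    # The same payload with a field description in place of the value fails locally.
    broken = dict(incident, verification_state="**Unknown**: Unknown; **True_Positive**: Positive")
    print(validate_incident(broken))
```

The returned JSON string is what goes into CreateIncidentRequestBody; with the SDK sample above it maps one to one onto the keyword arguments of `Incident(...)`, so the dict can be validated first and then unpacked into the model.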

Go

Create an incident. Set the incident title to MyXXX, the label to MyXXX, the severity to TIPS, and the occurrence count to 4.

package main

import (
	"fmt"
	"os" // needed for os.Getenv below; the generated sample omitted it

	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
	secmaster "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2/model"
	region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        Build()

    client := secmaster.NewSecMasterClient(
        secmaster.SecMasterClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.CreateIncidentRequest{}
	request.WorkspaceId = "{workspace_id}"
	filePathFileInfo:= "MyXXX"
	fileContentFileInfo:= "MyXXX"
	fileNewPathFileInfo:= "MyXXX"
	fileHashFileInfo:= "MyXXX"
	fileMd5FileInfo:= "MyXXX"
	fileSha256FileInfo:= "MyXXX"
	fileAttrFileInfo:= "MyXXX"
	var listFileInfoDataObject = []model.IncidentFileInfo{
        {
            FilePath: &filePathFileInfo,
            FileContent: &fileContentFileInfo,
            FileNewPath: &fileNewPathFileInfo,
            FileHash: &fileHashFileInfo,
            FileMd5: &fileMd5FileInfo,
            FileSha256: &fileSha256FileInfo,
            FileAttr: &fileAttrFileInfo,
        },
    }
	userIdUserInfo:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	userNameUserInfo:= "MyXXX"
	var listUserInfoDataObject = []model.IncidentUserInfo{
        {
            UserId: &userIdUserInfo,
            UserName: &userNameUserInfo,
        },
    }
	processNameProcess:= "MyXXX"
	processPathProcess:= "MyXXX"
	processPidProcess:= int32(123)
	processUidProcess:= int32(123)
	processCmdlineProcess:= "MyXXX"
	var listProcessDataObject = []model.IncidentProcess{
        {
            ProcessName: &processNameProcess,
            ProcessPath: &processPathProcess,
            ProcessPid: &processPidProcess,
            ProcessUid: &processUidProcess,
            ProcessCmdline: &processCmdlineProcess,
        },
    }
	malwareFamilyMalware:= "family"
	malwareClassMalware:= "Malicious memory occupation."
	malwareDataObject := &model.IncidentMalware{
		MalwareFamily: &malwareFamilyMalware,
		MalwareClass: &malwareClassMalware,
	}
	recommendationRemediation:= "MyXXX"
	urlRemediation:= "MyXXX"
	remediationDataObject := &model.IncidentRemediation{
		Recommendation: &recommendationRemediation,
		Url: &urlRemediation,
	}
	idResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	nameResourceList:= "MyXXX"
	typeResourceList:= "MyXXX"
	regionIdResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	domainIdResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	projectIdResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	epIdResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	epNameResourceList:= "MyXXX"
	tagsResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	var listResourceListDataObject = []model.IncidentResourceList{
        {
            Id: &idResourceList,
            Name: &nameResourceList,
            Type: &typeResourceList,
            RegionId: &regionIdResourceList,
            DomainId: &domainIdResourceList,
            ProjectId: &projectIdResourceList,
            EpId: &epIdResourceList,
            EpName: &epNameResourceList,
            Tags: &tagsResourceList,
        },
    }
	latitudeDestGeo:= float32(90)
	longitudeDestGeo:= float32(180)
	destGeoNetworkList := &model.IncidentDestGeo{
		Latitude: &latitudeDestGeo,
		Longitude: &longitudeDestGeo,
	}
	latitudeSrcGeo:= float32(90)
	longitudeSrcGeo:= float32(180)
	srcGeoNetworkList := &model.IncidentSrcGeo{
		Latitude: &latitudeSrcGeo,
		Longitude: &longitudeSrcGeo,
	}
	// "IN" is the direction value shown in the example response; the generated sample had a placeholder here
	directionNetworkList:= model.GetIncidentNetworkListDirectionEnum().IN
	protocolNetworkList:= "TCP"
	srcIpNetworkList:= "192.168.0.1"
	srcPortNetworkList:= int32(1)
	srcDomainNetworkList:= "xxx"
	destIpNetworkList:= "192.168.0.1"
	destPortNetworkList:= "1"
	destDomainNetworkList:= "xxx"
	var listNetworkListDataObject = []model.IncidentNetworkList{
        {
            Direction: &directionNetworkList,
            Protocol: &protocolNetworkList,
            SrcIp: &srcIpNetworkList,
            SrcPort: &srcPortNetworkList,
            SrcDomain: &srcDomainNetworkList,
            SrcGeo: srcGeoNetworkList,
            DestIp: &destIpNetworkList,
            DestPort: &destPortNetworkList,
            DestDomain: &destDomainNetworkList,
            DestGeo: destGeoNetworkList,
        },
    }
	categoryIncidentType:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	incidentTypeIncidentType:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	incidentTypeDataObject := &model.IncidentIncidentType{
		Category: &categoryIncidentType,
		IncidentType: &incidentTypeIncidentType,
	}
	sourceTypeDataSource:= int32(3)
	domainIdDataSource:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	projectIdDataSource:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	regionIdDataSource:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	productNameDataSource:= "test"
	productFeatureDataSource:= "test"
	dataSourceDataObject := &model.IncidentDataSource{
		SourceType: &sourceTypeDataSource,
		DomainId: &domainIdDataSource,
		ProjectId: &projectIdDataSource,
		RegionId: &regionIdDataSource,
		ProductName: &productNameDataSource,
		ProductFeature: &productFeatureDataSource,
	}
	vendorTypeEnvironment:= "MyXXX"
	domainIdEnvironment:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	regionIdEnvironment:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	projectIdEnvironment:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	environmentDataObject := &model.IncidentEnvironment{
		VendorType: &vendorTypeEnvironment,
		DomainId: &domainIdEnvironment,
		RegionId: &regionIdEnvironment,
		ProjectId: &projectIdEnvironment,
	}
	versionDataObject:= "1.0"
	idDataObject:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	workspaceIdDataObject:= "909494e3-558e-46b6-a9eb-07a8e18ca620"
	labelsDataObject:= "MyXXX"
	firstObservedTimeDataObject:= "2021-01-30T23:00:00Z+0800"
	lastObservedTimeDataObject:= "2021-01-30T23:00:00Z+0800"
	createTimeDataObject:= "2021-01-30T23:00:00Z+0800"
	arriveTimeDataObject:= "2021-01-30T23:00:00Z+0800"
	titleDataObject:= "MyXXX"
	descriptionDataObject:= "This my XXXX"
	sourceUrlDataObject:= "http://xxx"
	countDataObject:= int32(4)
	confidenceDataObject:= int32(4)
	severityDataObject:= model.GetIncidentSeverityEnum().TIPS
	criticalityDataObject:= int32(4)
	// Use one of the listed enum values; the generated sample pasted the field description here.
	// Constant names follow the SDK's generated pattern (value upper-cased, spaces replaced by "_"), as with TIPS above.
	verificationStateDataObject:= model.GetIncidentVerificationStateEnum().UNKNOWN
	handleStatusDataObject:= model.GetIncidentHandleStatusEnum().OPEN
	slaDataObject:= int32(60000)
	updateTimeDataObject:= "2021-01-30T23:00:00Z+0800"
	closeTimeDataObject:= "2021-01-30T23:00:00Z+0800"
	ipdrrPhaseDataObject:= model.GetIncidentIpdrrPhaseEnum().PREPARATION
	simulationDataObject:= "false"
	actorDataObject:= "Tom"
	ownerDataObject:= "MyXXX"
	creatorDataObject:= "MyXXX"
	closeReasonDataObject:= model.GetIncidentCloseReasonEnum().FALSE_POSITIVE
	closeCommentDataObject:= "False positive; Resolved; Duplicate; Others"
	var systemInfoDataObject interface{} = make(map[string]string)
	dataObjectbody := &model.Incident{
		Version: &versionDataObject,
		Id: &idDataObject,
		WorkspaceId: &workspaceIdDataObject,
		Labels: &labelsDataObject,
		Environment: environmentDataObject,
		DataSource: dataSourceDataObject,
		FirstObservedTime: &firstObservedTimeDataObject,
		LastObservedTime: &lastObservedTimeDataObject,
		CreateTime: &createTimeDataObject,
		ArriveTime: &arriveTimeDataObject,
		Title: &titleDataObject,
		Description: &descriptionDataObject,
		SourceUrl: &sourceUrlDataObject,
		Count: &countDataObject,
		Confidence: &confidenceDataObject,
		Severity: &severityDataObject,
		Criticality: &criticalityDataObject,
		IncidentType: incidentTypeDataObject,
		NetworkList: &listNetworkListDataObject,
		ResourceList: &listResourceListDataObject,
		Remediation: remediationDataObject,
		VerificationState: &verificationStateDataObject,
		HandleStatus: &handleStatusDataObject,
		Sla: &slaDataObject,
		UpdateTime: &updateTimeDataObject,
		CloseTime: &closeTimeDataObject,
		IpdrrPhase: &ipdrrPhaseDataObject,
		Simulation: &simulationDataObject,
		Actor: &actorDataObject,
		Owner: &ownerDataObject,
		Creator: &creatorDataObject,
		CloseReason: &closeReasonDataObject,
		CloseComment: &closeCommentDataObject,
		Malware: malwareDataObject,
		SystemInfo: &systemInfoDataObject,
		Process: &listProcessDataObject,
		UserInfo: &listUserInfoDataObject,
		FileInfo: &listFileInfoDataObject,
	}
	request.Body = &model.CreateIncidentRequestBody{
		DataObject: dataObjectbody,
	}
	response, err := client.CreateIncident(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

More

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

Status Code   Description
200           Response body for requests for creating incidents.
400           Response body for a failed request for creating incidents.

Error Codes

See Error Codes.
