Creating an Incident
Function
This API is used to create an incident.
Calling Method
For details, see Calling APIs.
URI
POST /v1/{project_id}/workspaces/{workspace_id}/soc/incidents
Parameter | Mandatory | Type | Description |
---|---|---|---|
project_id | Yes | String | Project ID. |
workspace_id | Yes | String | Workspace ID. |
Request Parameters
Request header parameters

Parameter | Mandatory | Type | Description |
---|---|---|---|
X-Auth-Token | Yes | String | User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is the user token. |
content-type | Yes | String | Content type. |
Request body parameters

Parameter | Mandatory | Type | Description |
---|---|---|---|
data_object | No | Incident object | Incident entity information. |
Incident object

Parameter | Mandatory | Type | Description |
---|---|---|---|
version | No | String | Version of the incident object. The value must be the one released by the SSA service. |
id | No | String | Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters. |
domain_id | No | String | ID of the account (domain_id) to which the data is delivered and hosted. |
region_id | No | String | ID of the region where the account to which the data is delivered and hosted is located. |
workspace_id | No | String | ID of the current workspace. |
labels | No | String | Tag (display only). |
environment | No | environment object | Coordinates of the environment where the incident was generated. |
data_source | No | data_source object | Data source that reported the incident for the first time. |
first_observed_time | No | String | First discovery time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
last_observed_time | No | String | Latest discovery time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
create_time | No | String | Recording time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
arrive_time | No | String | Receiving time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
title | No | String | Incident title. |
description | No | String | Incident description. |
source_url | No | String | Incident URL, which points to the page displaying the current incident description in the data source product. |
count | No | Integer | Number of incident occurrences. |
confidence | No | Integer | Incident confidence, which describes the accuracy of an identified behavior or problem. Value range: 0 to 100. 0 indicates a confidence of 0%, and 100 indicates a confidence of 100%. |
severity | No | String | Severity level. Value range: Tips, Low, Medium, High, Fatal. Note: 0: Tips, no threats are found. 1: Low, no action is required for the threat. 2: Medium, the threat needs to be handled but is not urgent. 3: High, the threat must be handled preferentially. 4: Fatal, the threat must be handled immediately to prevent further damage. |
criticality | No | Integer | Criticality, which specifies the importance level of the resources involved in an incident. Value range: 0 to 100. 0 indicates that the resource is not critical, and 100 indicates that the resource is critical. |
incident_type | No | incident_type object | Incident classification. For details, see the Alert and Incident Type Definition. |
network_list | No | Array of network_list objects | Network information. |
resource_list | No | Array of resource_list objects | Affected resources. |
remediation | No | remediation object | Remedy measure. |
verification_state | No | String | Verification status, which identifies the accuracy of the incident. Options: Unknown: the incident is unknown; True_Positive: the incident is confirmed; False_Positive: the incident is a false positive. The default value is Unknown. |
handle_status | No | String | Incident handling status. Options: Open, Block, Closed. The default value is Open. |
sla | No | Integer | Closure time: the deadline by which the incident must be resolved. Unit: hour. |
update_time | No | String | Update time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
close_time | No | String | Closure time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
ipdrr_phase | No | String | Period/handling phase No. Options: Preparation: preparation stage; Detection and Analysis: detection and analysis stage; Contain, Eradication& Recovery: containment, eradication, and recovery stage; Post-Incident-Activity: post-incident activity stage. |
simulation | No | String | Debugging field. |
actor | No | String | Incident investigator. |
owner | No | String | Owner and service owner. |
creator | No | String | Creator. |
close_reason | No | String | Closure reason. Options: False detection, Resolved, Repeated, Other. |
close_comment | No | String | Comment for the closure. |
malware | No | malware object | Malware. |
system_info | No | Object | System information. |
process | No | Array of process objects | Process information. |
user_info | No | Array of user_info objects | User information. |
file_info | No | Array of file_info objects | File information. |
system_alert_table | No | Object | Layout fields in the incident list. |
environment object

Parameter | Mandatory | Type | Description |
---|---|---|---|
vendor_type | No | String | Environment provider. |
domain_id | No | String | Account ID. |
region_id | No | String | Region ID. global is returned for global services. |
cross_workspace_id | No | String | Source workspace ID before data delivery. In the source workspace, the value is null. After data delivery, the value is the ID of the delegated user. |
project_id | No | String | Project ID. The default value is null for global services. |
data_source object

Parameter | Mandatory | Type | Description |
---|---|---|---|
source_type | No | Integer | Data source type. Options: 1: cloud service; 2: third-party product; 3: private product. |
domain_id | No | String | Account ID to which the data source product belongs. |
project_id | No | String | ID of the project to which the data source product belongs. |
region_id | No | String | Region where the data source product is located. For details about the value range, see "Regions and Endpoints". |
company_name | No | String | Name of the company to which the data source product belongs. |
product_name | No | String | Name of the data source product. |
product_feature | No | String | Name of the product feature that detected the incident. |
product_module | No | String | Threat detection model list. |
incident_type object

Parameter | Mandatory | Type | Description |
---|---|---|---|
category | No | String | Category. |
incident_type | No | String | Incident type. |
network_list object

Parameter | Mandatory | Type | Description |
---|---|---|---|
direction | No | String | Direction. The value can be IN or OUT. |
protocol | No | String | Protocol, including Layer 7 and Layer 4 protocols. Reference: IANA registered names, https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml |
src_ip | No | String | Source IP address. |
src_port | No | Integer | Source port. Value range: 0 to 65535. |
src_domain | No | String | Source domain name. |
src_geo | No | src_geo object | Geographical location of the source IP address. |
dest_ip | No | String | Destination IP address. |
dest_port | No | String | Destination port. Value range: 0 to 65535. |
dest_domain | No | String | Destination domain name. |
dest_geo | No | dest_geo object | Geographical location of the destination IP address. |
src_geo object

Parameter | Mandatory | Type | Description |
---|---|---|---|
latitude | No | Number | Latitude. |
longitude | No | Number | Longitude. |
city_code | No | String | City code. |
country_code | No | String | Country code. For details, see ISO 3166-1 alpha-2. Examples: CN, US, DE, IT, SG. |
dest_geo object

Parameter | Mandatory | Type | Description |
---|---|---|---|
latitude | No | Number | Latitude. |
longitude | No | Number | Longitude. |
city_code | No | String | City code. |
country_code | No | String | Country code. For details, see ISO 3166-1 alpha-2. Examples: CN, US, DE, IT, SG. |
resource_list object

Parameter | Mandatory | Type | Description |
---|---|---|---|
id | No | String | Cloud service resource ID. |
name | No | String | Resource name. |
type | No | String | Resource type, which reuses the RMS type field. |
provider | No | String | Cloud service name, which is the same as the provider field in the RMS service. |
region_id | No | String | Region. Enter the value based on the cloud region ID. |
domain_id | No | String | ID of the account to which the resource belongs, in UUID format. |
project_id | No | String | ID of the project to which the resource belongs, in UUID format. |
ep_id | No | String | Enterprise project ID. |
ep_name | No | String | Enterprise project name. |
tags | No | String | Resource tags. |
remediation object

Parameter | Mandatory | Type | Description |
---|---|---|---|
recommendation | No | String | Recommended solution. |
url | No | String | URL, which points to the general handling details for the incident. The URL must be accessible from the public network with no credentials required. |
malware object

Parameter | Mandatory | Type | Description |
---|---|---|---|
malware_family | No | String | Malware family. |
malware_class | No | String | Malware classification. |
process object

Parameter | Mandatory | Type | Description |
---|---|---|---|
process_name | No | String | Process name. |
process_path | No | String | Path of the process execution file. |
process_pid | No | Integer | Process ID. |
process_uid | No | Integer | User ID associated with the process. |
process_cmdline | No | String | Process command line. |
process_parent_name | No | String | Parent process name. |
process_parent_path | No | String | Path of the parent process execution file. |
process_parent_pid | No | Integer | Parent process ID. |
process_parent_uid | No | Integer | User ID associated with the parent process. |
process_parent_cmdline | No | String | Parent process command line. |
process_child_name | No | String | Subprocess name. |
process_child_path | No | String | Path of the subprocess execution file. |
process_child_pid | No | Integer | Subprocess ID. |
process_child_uid | No | Integer | User ID associated with the subprocess. |
process_child_cmdline | No | String | Subprocess command line. |
process_launche_time | No | String | Process start time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
process_terminate_time | No | String | Process end time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
user_info object

Parameter | Mandatory | Type | Description |
---|---|---|---|
user_id | No | String | User ID (UID). |
user_name | No | String | Username. |
file_info object

Parameter | Mandatory | Type | Description |
---|---|---|---|
file_path | No | String | File path/name. |
file_content | No | String | File content. |
file_new_path | No | String | New file path/name. |
file_hash | No | String | File hashes. |
file_md5 | No | String | File MD5 value. |
file_sha256 | No | String | SHA256 value of the file. |
file_attr | No | String | File attributes. |
Response Parameters
Status code: 200
Response header parameters

Parameter | Type | Description |
---|---|---|
X-request-id | String | Request ID. Format: request_uuid-timestamp-hostname. |
Response body parameters

Parameter | Type | Description |
---|---|---|
code | String | Error code. |
message | String | Error message. |
data | IncidentDetail object | Incident details object. |
IncidentDetail object

Parameter | Type | Description |
---|---|---|
create_time | String | Recording time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
data_object | Incident object | Incident entity information. |
dataclass_ref | dataclass_ref object | Data class object. |
format_version | Integer | Format version. |
id | String | Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters. |
project_id | String | ID of the current project. |
update_time | String | Update time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the alert was generated. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
version | Integer | Version. |
workspace_id | String | ID of the current workspace. |
Incident object

Parameter | Type | Description |
---|---|---|
version | String | Version of the incident object. The value must be the one released by the SSA service. |
id | String | Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters. |
domain_id | String | ID of the account (domain_id) to which the data is delivered and hosted. |
region_id | String | ID of the region where the account to which the data is delivered and hosted is located. |
workspace_id | String | ID of the current workspace. |
labels | String | Tag (display only). |
environment | environment object | Coordinates of the environment where the incident was generated. |
data_source | data_source object | Data source that reported the incident for the first time. |
first_observed_time | String | First discovery time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
last_observed_time | String | Latest discovery time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
create_time | String | Recording time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
arrive_time | String | Receiving time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
title | String | Incident title. |
description | String | Incident description. |
source_url | String | Incident URL, which points to the page displaying the current incident description in the data source product. |
count | Integer | Number of incident occurrences. |
confidence | Integer | Incident confidence, which describes the accuracy of an identified behavior or problem. Value range: 0 to 100. 0 indicates a confidence of 0%, and 100 indicates a confidence of 100%. |
severity | String | Severity level. Value range: Tips, Low, Medium, High, Fatal. Note: 0: Tips, no threats are found. 1: Low, no action is required for the threat. 2: Medium, the threat needs to be handled but is not urgent. 3: High, the threat must be handled preferentially. 4: Fatal, the threat must be handled immediately to prevent further damage. |
criticality | Integer | Criticality, which specifies the importance level of the resources involved in an incident. Value range: 0 to 100. 0 indicates that the resource is not critical, and 100 indicates that the resource is critical. |
incident_type | incident_type object | Incident classification. For details, see the Alert and Incident Type Definition. |
network_list | Array of network_list objects | Network information. |
resource_list | Array of resource_list objects | Affected resources. |
remediation | remediation object | Remedy measure. |
verification_state | String | Verification status, which identifies the accuracy of the incident. Options: Unknown: the incident is unknown; True_Positive: the incident is confirmed; False_Positive: the incident is a false positive. The default value is Unknown. |
handle_status | String | Incident handling status. Options: Open, Block, Closed. The default value is Open. |
sla | Integer | Closure time: the deadline by which the incident must be resolved. Unit: hour. |
update_time | String | Update time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
close_time | String | Closure time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
ipdrr_phase | String | Period/handling phase No. Options: Preparation: preparation stage; Detection and Analysis: detection and analysis stage; Contain, Eradication& Recovery: containment, eradication, and recovery stage; Post-Incident-Activity: post-incident activity stage. |
simulation | String | Debugging field. |
actor | String | Incident investigator. |
owner | String | Owner and service owner. |
creator | String | Creator. |
close_reason | String | Closure reason. Options: False detection, Resolved, Repeated, Other. |
close_comment | String | Comment for the closure. |
malware | malware object | Malware. |
system_info | Object | System information. |
process | Array of process objects | Process information. |
user_info | Array of user_info objects | User information. |
file_info | Array of file_info objects | File information. |
system_alert_table | Object | Layout fields in the incident list. |
environment object

Parameter | Type | Description |
---|---|---|
vendor_type | String | Environment provider. |
domain_id | String | Account ID. |
region_id | String | Region ID. global is returned for global services. |
cross_workspace_id | String | Source workspace ID before data delivery. In the source workspace, the value is null. After data delivery, the value is the ID of the delegated user. |
project_id | String | Project ID. The default value is null for global services. |
data_source object

Parameter | Type | Description |
---|---|---|
source_type | Integer | Data source type. Options: 1: cloud service; 2: third-party product; 3: private product. |
domain_id | String | Account ID to which the data source product belongs. |
project_id | String | ID of the project to which the data source product belongs. |
region_id | String | Region where the data source product is located. For details about the value range, see "Regions and Endpoints". |
company_name | String | Name of the company to which the data source product belongs. |
product_name | String | Name of the data source product. |
product_feature | String | Name of the product feature that detected the incident. |
product_module | String | Threat detection model list. |
incident_type object

Parameter | Type | Description |
---|---|---|
category | String | Category. |
incident_type | String | Incident type. |
network_list object

Parameter | Type | Description |
---|---|---|
direction | String | Direction. The value can be IN or OUT. |
protocol | String | Protocol, including Layer 7 and Layer 4 protocols. Reference: IANA registered names, https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml |
src_ip | String | Source IP address. |
src_port | Integer | Source port. Value range: 0 to 65535. |
src_domain | String | Source domain name. |
src_geo | src_geo object | Geographical location of the source IP address. |
dest_ip | String | Destination IP address. |
dest_port | String | Destination port. Value range: 0 to 65535. |
dest_domain | String | Destination domain name. |
dest_geo | dest_geo object | Geographical location of the destination IP address. |
src_geo object

Parameter | Type | Description |
---|---|---|
latitude | Number | Latitude. |
longitude | Number | Longitude. |
city_code | String | City code. |
country_code | String | Country code. For details, see ISO 3166-1 alpha-2. Examples: CN, US, DE, IT, SG. |
dest_geo object

Parameter | Type | Description |
---|---|---|
latitude | Number | Latitude. |
longitude | Number | Longitude. |
city_code | String | City code. |
country_code | String | Country code. For details, see ISO 3166-1 alpha-2. Examples: CN, US, DE, IT, SG. |
resource_list object

Parameter | Type | Description |
---|---|---|
id | String | Cloud service resource ID. |
name | String | Resource name. |
type | String | Resource type, which reuses the RMS type field. |
provider | String | Cloud service name, which is the same as the provider field in the RMS service. |
region_id | String | Region. Enter the value based on the cloud region ID. |
domain_id | String | ID of the account to which the resource belongs, in UUID format. |
project_id | String | ID of the project to which the resource belongs, in UUID format. |
ep_id | String | Enterprise project ID. |
ep_name | String | Enterprise project name. |
tags | String | Resource tags. |
remediation object

Parameter | Type | Description |
---|---|---|
recommendation | String | Recommended solution. |
url | String | URL, which points to the general handling details for the incident. The URL must be accessible from the public network with no credentials required. |
malware object

Parameter | Type | Description |
---|---|---|
malware_family | String | Malware family. |
malware_class | String | Malware classification. |
process object

Parameter | Type | Description |
---|---|---|
process_name | String | Process name. |
process_path | String | Path of the process execution file. |
process_pid | Integer | Process ID. |
process_uid | Integer | User ID associated with the process. |
process_cmdline | String | Process command line. |
process_parent_name | String | Parent process name. |
process_parent_path | String | Path of the parent process execution file. |
process_parent_pid | Integer | Parent process ID. |
process_parent_uid | Integer | User ID associated with the parent process. |
process_parent_cmdline | String | Parent process command line. |
process_child_name | String | Subprocess name. |
process_child_path | String | Path of the subprocess execution file. |
process_child_pid | Integer | Subprocess ID. |
process_child_uid | Integer | User ID associated with the subprocess. |
process_child_cmdline | String | Subprocess command line. |
process_launche_time | String | Process start time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
process_terminate_time | String | Process end time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
user_info object

Parameter | Type | Description |
---|---|---|
user_id | String | User ID (UID). |
user_name | String | Username. |
file_info object

Parameter | Type | Description |
---|---|---|
file_path | String | File path/name. |
file_content | String | File content. |
file_new_path | String | New file path/name. |
file_hash | String | File hashes. |
file_md5 | String | File MD5 value. |
file_sha256 | String | SHA256 value of the file. |
file_attr | String | File attributes. |
dataclass_ref object

Parameter | Type | Description |
---|---|---|
id | String | Unique identifier of a data class. The value is in UUID format and can contain a maximum of 36 characters. |
name | String | Data class name. |
Status code: 400
Response header parameters

Parameter | Type | Description |
---|---|---|
X-request-id | String | Request ID. Format: request_uuid-timestamp-hostname. |
Response body parameters

Parameter | Type | Description |
---|---|---|
code | String | Error code. |
message | String | Error description. |
Example Requests
Create an incident. Set the incident title to MyXXX, the tag to MyXXX, the severity to tips, and the number of occurrences to 4.
```json
{
  "data_object" : {
    "version" : "1.0",
    "environment" : {
      "vendor_type" : "MyXXX",
      "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    },
    "data_source" : {
      "source_type" : 3,
      "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "product_name" : "test",
      "product_feature" : "test"
    },
    "first_observed_time" : "2021-01-30T23:00:00Z+0800",
    "last_observed_time" : "2021-01-30T23:00:00Z+0800",
    "create_time" : "2021-01-30T23:00:00Z+0800",
    "arrive_time" : "2021-01-30T23:00:00Z+0800",
    "title" : "MyXXX",
    "labels" : "MyXXX",
    "description" : "This my XXXX",
    "source_url" : "http://xxx",
    "count" : 4,
    "confidence" : 4,
    "severity" : "TIPS",
    "criticality" : 4,
    "incident_type" : {
      "incident_type" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "category" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    },
    "network_list" : [ {
      "direction" : {
        "IN" : null
      },
      "protocol" : "TCP",
      "src_ip" : "192.168.0.1",
      "src_port" : "1",
      "src_domain" : "xxx",
      "dest_ip" : "192.168.0.1",
      "dest_port" : "1",
      "dest_domain" : "xxx",
      "src_geo" : {
        "latitude" : 90,
        "longitude" : 180
      },
      "dest_geo" : {
        "latitude" : 90,
        "longitude" : 180
      }
    } ],
    "resource_list" : [ {
      "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "name" : "MyXXX",
      "type" : "MyXXX",
      "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "ep_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "ep_name" : "MyXXX",
      "tags" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    } ],
    "remediation" : {
      "recommendation" : "MyXXX",
      "url" : "MyXXX"
    },
    "verification_state" : "**Unknown**: Unknown; **True_Positive**: Positive; **False_Positive**: False positive. The default value is **Unknown**.",
    "handle_status" : "**Open**: Open; **Block**: Pending; **Closed**: Closed. The default value is **Open**.",
    "sla" : 60000,
    "update_time" : "2021-01-30T23:00:00Z+0800",
    "close_time" : "2021-01-30T23:00:00Z+0800",
    "ipdrr_phase" : "**Preparation**: Preparation stage. **Detection and Analysis**: Detection and analysis stage. **Contain, Eradication& Recovery**: Containment, eradication, and recovery stage. **Post-Incident-Activity**: Post-incident activity stage.",
    "simulation" : "false",
    "actor" : "Tom",
    "owner" : "MyXXX",
    "creator" : "MyXXX",
    "close_reason" : "False positive; Resolved; Duplicate; Others",
    "close_comment" : "False positive; Resolved; Duplicate; Others",
    "malware" : {
      "malware_family" : "family",
      "malware_class" : "Malicious memory occupation."
    },
    "system_info" : { },
    "process" : [ {
      "process_name" : "MyXXX",
      "process_path" : "MyXXX",
      "process_pid" : 123,
      "process_uid" : 123,
      "process_cmdline" : "MyXXX"
    } ],
    "user_info" : [ {
      "user_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "user_name" : "MyXXX"
    } ],
    "file_info" : [ {
      "file_path" : "MyXXX",
      "file_content" : "MyXXX",
      "file_new_path" : "MyXXX",
      "file_hash" : "MyXXX",
      "file_md5" : "MyXXX",
      "file_sha256" : "MyXXX",
      "file_attr" : "MyXXX"
    } ],
    "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca620"
  }
}
```
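As an added example (not code from this page or from the SecMaster SDK), a small Python client-side helper that assembles the request described above and checks the body against the constraints the parameter tables state: the enumerated severity, verification_state and handle_status values, the 0 to 100 confidence and criticality ranges, the port and country-code constraints on network_list entries, the UUID form of id, and the documented timestamp format. The endpoint host ENDPOINT is a placeholder, the sample incident is constructed here, and it follows the tables' types (direction as a string, src_port as an integer) rather than the exact shape of the example request.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Enumerations and ranges as stated in the parameter tables above.
SEVERITIES = ("Tips", "Low", "Medium", "High", "Fatal")
VERIFICATION_STATES = ("Unknown", "True_Positive", "False_Positive")
HANDLE_STATUSES = ("Open", "Block", "Closed")
SOURCE_TYPES = (1, 2, 3)  # 1: cloud service, 2: third-party product, 3: private product
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
GMT8 = timezone(timedelta(hours=8))  # fallback time zone named in the tables
# Placeholder host (assumption): the real one comes from "Regions and Endpoints".
ENDPOINT = "secmaster.<region>.example.com"


def incident_timestamp(dt: datetime) -> str:
    """Render a datetime as the tables' "YYYY-MM-DDTHH:mm:ss.ms+Time zone" string."""
    if dt.tzinfo is None:  # a naive datetime is taken as GMT+8, the documented fallback
        dt = dt.replace(tzinfo=GMT8)
    return f"{dt:%Y-%m-%dT%H:%M:%S}.{dt.microsecond // 1000:03d}{dt:%z}"


def _port_ok(value) -> bool:
    """src_port is typed Integer and dest_port String in the tables, so accept both forms."""
    if isinstance(value, str) and value.isdigit():
        value = int(value)
    return isinstance(value, int) and 0 <= value <= 65535


def validate_incident(obj: dict) -> list:
    """Check an Incident object against the table constraints; return the problems found."""
    problems = []
    for name in ("confidence", "criticality"):
        v = obj.get(name)
        if v is not None and not (isinstance(v, int) and 0 <= v <= 100):
            problems.append(f"{name} must be an integer from 0 to 100, got {v!r}")
    # The page's example sends "TIPS" while the table lists "Tips", so compare case-insensitively.
    for name, allowed in (("severity", SEVERITIES), ("verification_state", VERIFICATION_STATES),
                          ("handle_status", HANDLE_STATUSES)):
        if name in obj and str(obj[name]).lower() not in [a.lower() for a in allowed]:
            problems.append(f"{name} must be one of {allowed}, got {obj[name]!r}")
    if "id" in obj and not (len(obj["id"]) <= 36 and UUID_RE.fullmatch(obj["id"])):
        problems.append(f"id must be a UUID of at most 36 characters, got {obj['id']!r}")
    source = obj.get("data_source") or {}
    if "source_type" in source and source["source_type"] not in SOURCE_TYPES:
        problems.append(f"data_source.source_type must be 1, 2 or 3, got {source['source_type']!r}")
    for i, net in enumerate(obj.get("network_list") or []):
        if "direction" in net and net["direction"] not in ("IN", "OUT"):
            problems.append(f"network_list[{i}].direction must be IN or OUT, got {net['direction']!r}")
        for key in ("src_port", "dest_port"):
            if key in net and not _port_ok(net[key]):
                problems.append(f"network_list[{i}].{key} must be within 0 to 65535, got {net[key]!r}")
        for geo in ("src_geo", "dest_geo"):
            cc = (net.get(geo) or {}).get("country_code")
            if cc is not None and not re.fullmatch(r"[A-Z]{2}", cc):
                problems.append(f"network_list[{i}].{geo}.country_code must be ISO 3166-1 alpha-2, got {cc!r}")
    return problems


def build_create_request(project_id: str, workspace_id: str, token: str, incident: dict) -> dict:
    """Assemble the POST /v1/{project_id}/workspaces/{workspace_id}/soc/incidents call."""
    problems = validate_incident(incident)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "method": "POST",
        "url": f"https://{ENDPOINT}/v1/{project_id}/workspaces/{workspace_id}/soc/incidents",
        # X-Auth-Token carries the IAM user token; content-type is the other mandatory header.
        "headers": {"X-Auth-Token": token, "content-type": "application/json"},
        "body": json.dumps({"data_object": incident}),
    }


def parse_create_response(status: int, body: str) -> str:
    """Return the created incident's id from a 200 body; raise with code/message on 400."""
    payload = json.loads(body)
    if status == 200:
        return payload["data"]["id"]
    raise RuntimeError(f"HTTP {status}: {payload.get('code')}: {payload.get('message')}")


def sample_incident() -> dict:
    """Constructed sample mirroring the page's example: title MyXXX, tag MyXXX, severity Tips, count 4."""
    seen = incident_timestamp(datetime(2021, 1, 30, 23, 0, 0, tzinfo=GMT8))
    return {
        "version": "1.0", "title": "MyXXX", "labels": "MyXXX", "severity": "Tips",
        "count": 4, "confidence": 4, "criticality": 4,
        "first_observed_time": seen, "last_observed_time": seen,
        "data_source": {"source_type": 3, "product_name": "test", "product_feature": "test"},
        "network_list": [{"direction": "IN", "protocol": "TCP", "src_ip": "192.168.0.1",
                          "src_port": 1, "dest_ip": "192.168.0.1", "dest_port": "1",
                          "src_geo": {"latitude": 90, "longitude": 180, "country_code": "SG"}}],
    }
```

The request dict returned by build_create_request can be handed to any HTTP client; the token value is never logged or embedded in the body.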
Example Responses
Status code: 200
Response body for a request to create an incident.
```json
{
  "code" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
  "message" : "Error message",
  "data" : {
    "data_object" : {
      "version" : "1.0",
      "environment" : {
        "vendor_type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "data_source" : {
        "source_type" : 3,
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "first_observed_time" : "2021-01-30T23:00:00Z+0800",
      "last_observed_time" : "2021-01-30T23:00:00Z+0800",
      "create_time" : "2021-01-30T23:00:00Z+0800",
      "arrive_time" : "2021-01-30T23:00:00Z+0800",
      "title" : "MyXXX",
      "description" : "This my XXXX",
      "source_url" : "http://xxx",
      "count" : 4,
      "confidence" : 4,
      "severity" : "TIPS",
      "criticality" : 4,
      "incident_type" : { },
      "network_list" : [ {
        "direction" : {
          "IN" : null
        },
        "protocol" : "TCP",
        "src_ip" : "192.168.0.1",
        "src_port" : "1",
        "src_domain" : "xxx",
        "dest_ip" : "192.168.0.1",
        "dest_port" : "1",
        "dest_domain" : "xxx",
        "src_geo" : {
          "latitude" : 90,
          "longitude" : 180
        },
        "dest_geo" : {
          "latitude" : 90,
          "longitude" : 180
        }
      } ],
      "resource_list" : [ {
        "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "name" : "MyXXX",
        "type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_name" : "MyXXX",
        "tags" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      } ],
      "remediation" : {
        "recommendation" : "MyXXX",
        "url" : "MyXXX"
      },
      "verification_state" : "**Unknown**: Unknown; **True_Positive**: Positive; **False_Positive**: False positive. The default value is **Unknown**.",
      "handle_status" : "**Open**: Open; **Block**: Pending; **Closed**: Closed. The default value is **Open**.",
      "sla" : 60000,
      "update_time" : "2021-01-30T23:00:00Z+0800",
      "close_time" : "2021-01-30T23:00:00Z+0800",
      "ipdrr_phase" : "**Preparation**: Preparation stage. **Detection and Analysis**: Detection and analysis stage. **Contain, Eradication& Recovery**: Containment, eradication, and recovery stage. **Post-Incident-Activity**: Post-incident activity stage.",
      "simulation" : "false",
      "actor" : "Tom",
      "owner" : "MyXXX",
      "creator" : "MyXXX",
      "close_reason" : "False positive; Resolved; Duplicate; Others",
      "close_comment" : "False positive; Resolved; Duplicate; Others",
      "malware" : {
        "malware_family" : "family",
        "malware_class" : "Malicious memory occupation."
      },
      "system_info" : { },
      "process" : [ {
        "process_name" : "MyXXX",
        "process_path" : "MyXXX",
        "process_pid" : 123,
        "process_uid" : 123,
        "process_cmdline" : "MyXXX"
      } ],
      "user_info" : [ {
        "user_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "user_name" : "MyXXX"
      } ],
      "file_info" : [ {
        "file_path" : "MyXXX",
        "file_content" : "MyXXX",
        "file_new_path" : "MyXXX",
        "file_hash" : "MyXXX",
        "file_md5" : "MyXXX",
        "file_sha256" : "MyXXX",
        "file_attr" : "MyXXX"
      } ],
      "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca620"
    },
    "create_time" : "2021-01-30T23:00:00Z+0800",
    "update_time" : "2021-01-30T23:00:00Z+0800",
    "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
  }
}
```
SDK Sample Code
The SDK sample code is as follows.
Java
Create an incident. Set the incident title to MyXXX, the tag to MyXXX, the severity to tips, and the number of occurrences to 4.
package com.huaweicloud.sdk.test;
import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.secmaster.v2.region.SecMasterRegion;
import com.huaweicloud.sdk.secmaster.v2.*;
import com.huaweicloud.sdk.secmaster.v2.model.*;
import java.util.List;
import java.util.ArrayList;
public class CreateIncidentSolution {
public static void main(String[] args) {
// Hard-coding the AK and SK, or storing them in plaintext, is a serious security risk.
// Store them encrypted in configuration files or environment variables and decrypt them at use time.
// This example reads the AK and SK from environment variables. Before running it,
// set CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
String ak = System.getenv("CLOUD_SDK_AK");
String sk = System.getenv("CLOUD_SDK_SK");
String projectId = "{project_id}";
ICredential auth = new BasicCredentials()
.withProjectId(projectId)
.withAk(ak)
.withSk(sk);
SecMasterClient client = SecMasterClient.newBuilder()
.withCredential(auth)
.withRegion(SecMasterRegion.valueOf("<YOUR REGION>"))
.build();
CreateIncidentRequest request = new CreateIncidentRequest();
request.withWorkspaceId("{workspace_id}");
CreateIncidentRequestBody body = new CreateIncidentRequestBody();
List<IncidentFileInfo> listDataObjectFileInfo = new ArrayList<>();
listDataObjectFileInfo.add(
new IncidentFileInfo()
.withFilePath("MyXXX")
.withFileContent("MyXXX")
.withFileNewPath("MyXXX")
.withFileHash("MyXXX")
.withFileMd5("MyXXX")
.withFileSha256("MyXXX")
.withFileAttr("MyXXX")
);
List<IncidentUserInfo> listDataObjectUserInfo = new ArrayList<>();
listDataObjectUserInfo.add(
new IncidentUserInfo()
.withUserId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
.withUserName("MyXXX")
);
List<IncidentProcess> listDataObjectProcess = new ArrayList<>();
listDataObjectProcess.add(
new IncidentProcess()
.withProcessName("MyXXX")
.withProcessPath("MyXXX")
.withProcessPid(123)
.withProcessUid(123)
.withProcessCmdline("MyXXX")
);
IncidentMalware malwareDataObject = new IncidentMalware();
malwareDataObject.withMalwareFamily("family")
.withMalwareClass("Malicious memory occupation.");
IncidentRemediation remediationDataObject = new IncidentRemediation();
remediationDataObject.withRecommendation("MyXXX")
.withUrl("MyXXX");
List<IncidentResourceList> listDataObjectResourceList = new ArrayList<>();
listDataObjectResourceList.add(
new IncidentResourceList()
.withId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
.withName("MyXXX")
.withType("MyXXX")
.withRegionId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
.withDomainId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
.withProjectId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
.withEpId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
.withEpName("MyXXX")
.withTags("909494e3-558e-46b6-a9eb-07a8e18ca62f")
);
IncidentDestGeo destGeoNetworkList = new IncidentDestGeo();
destGeoNetworkList.withLatitude(java.math.BigDecimal.valueOf(90))
.withLongitude(java.math.BigDecimal.valueOf(180));
IncidentSrcGeo srcGeoNetworkList = new IncidentSrcGeo();
srcGeoNetworkList.withLatitude(java.math.BigDecimal.valueOf(90))
.withLongitude(java.math.BigDecimal.valueOf(180));
List<IncidentNetworkList> listDataObjectNetworkList = new ArrayList<>();
listDataObjectNetworkList.add(
new IncidentNetworkList()
// direction is omitted here; set it with IncidentNetworkList.DirectionEnum.fromValue(...)
// using a value from the network_list direction enumeration in the request parameter description.
.withProtocol("TCP")
.withSrcIp("192.168.0.1")
.withSrcPort(1)
.withSrcDomain("xxx")
.withSrcGeo(srcGeoNetworkList)
.withDestIp("192.168.0.1")
.withDestPort("1")
.withDestDomain("xxx")
.withDestGeo(destGeoNetworkList)
);
IncidentIncidentType incidentTypeDataObject = new IncidentIncidentType();
incidentTypeDataObject.withCategory("909494e3-558e-46b6-a9eb-07a8e18ca62f")
.withIncidentType("909494e3-558e-46b6-a9eb-07a8e18ca62f");
IncidentDataSource dataSourceDataObject = new IncidentDataSource();
dataSourceDataObject.withSourceType(3)
.withDomainId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
.withProjectId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
.withRegionId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
.withProductName("test")
.withProductFeature("test");
IncidentEnvironment environmentDataObject = new IncidentEnvironment();
environmentDataObject.withVendorType("MyXXX")
.withDomainId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
.withRegionId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
.withProjectId("909494e3-558e-46b6-a9eb-07a8e18ca62f");
Incident dataObjectbody = new Incident();
dataObjectbody.withVersion("1.0")
.withId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
.withWorkspaceId("909494e3-558e-46b6-a9eb-07a8e18ca620")
.withLabels("MyXXX")
.withEnvironment(environmentDataObject)
.withDataSource(dataSourceDataObject)
// Timestamps use the documented ISO 8601 form with the offset of the time zone where the incident occurred.
.withFirstObservedTime("2021-01-30T23:00:00.000+08:00")
.withLastObservedTime("2021-01-30T23:00:00.000+08:00")
.withCreateTime("2021-01-30T23:00:00.000+08:00")
.withArriveTime("2021-01-30T23:00:00.000+08:00")
.withTitle("MyXXX")
.withDescription("This my XXXX")
.withSourceUrl("http://xxx")
.withCount(4)
.withConfidence(4)
.withSeverity(Incident.SeverityEnum.fromValue("TIPS"))
.withCriticality(4)
.withIncidentType(incidentTypeDataObject)
.withNetworkList(listDataObjectNetworkList)
.withResourceList(listDataObjectResourceList)
.withRemediation(remediationDataObject)
// Enumerated fields take one documented value, not the description of the enumeration.
.withVerificationState(Incident.VerificationStateEnum.fromValue("Unknown"))
.withHandleStatus(Incident.HandleStatusEnum.fromValue("Open"))
.withSla(60000)
.withUpdateTime("2021-01-30T23:00:00.000+08:00")
.withCloseTime("2021-01-30T23:00:00.000+08:00")
.withIpdrrPhase(Incident.IpdrrPhaseEnum.fromValue("Detection and Analysis"))
.withSimulation("false")
.withActor("Tom")
.withOwner("MyXXX")
.withCreator("MyXXX")
.withCloseReason(Incident.CloseReasonEnum.fromValue("Resolved"))
.withCloseComment("MyXXX")
.withMalware(malwareDataObject)
.withSystemInfo(new Object())
.withProcess(listDataObjectProcess)
.withUserInfo(listDataObjectUserInfo)
.withFileInfo(listDataObjectFileInfo);
body.withDataObject(dataObjectbody);
request.withBody(body);
try {
CreateIncidentResponse response = client.createIncident(request);
System.out.println(response.toString());
} catch (ConnectionException e) {
e.printStackTrace();
} catch (RequestTimeoutException e) {
e.printStackTrace();
} catch (ServiceResponseException e) {
e.printStackTrace();
System.out.println(e.getHttpStatusCode());
System.out.println(e.getRequestId());
System.out.println(e.getErrorCode());
System.out.println(e.getErrorMsg());
}
}
}
Python
Create an incident. Set the incident title to MyXXX, the tag (labels) to MyXXX, the severity to TIPS, and the occurrence count (count) to 4.
# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdksecmaster.v2.region.secmaster_region import SecMasterRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdksecmaster.v2 import *

if __name__ == "__main__":
    # Hard-coding the AK and SK, or storing them in plaintext, is a serious security risk.
    # Store them encrypted in configuration files or environment variables and decrypt them at use time.
    # This example reads the AK and SK from environment variables. Before running it,
    # set CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = SecMasterClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(SecMasterRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = CreateIncidentRequest()
        request.workspace_id = "{workspace_id}"
        listFileInfoDataObject = [
            IncidentFileInfo(
                file_path="MyXXX",
                file_content="MyXXX",
                file_new_path="MyXXX",
                file_hash="MyXXX",
                file_md5="MyXXX",
                file_sha256="MyXXX",
                file_attr="MyXXX"
            )
        ]
        listUserInfoDataObject = [
            IncidentUserInfo(
                user_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                user_name="MyXXX"
            )
        ]
        listProcessDataObject = [
            IncidentProcess(
                process_name="MyXXX",
                process_path="MyXXX",
                process_pid=123,
                process_uid=123,
                process_cmdline="MyXXX"
            )
        ]
        malwareDataObject = IncidentMalware(
            malware_family="family",
            malware_class="Malicious memory occupation."
        )
        remediationDataObject = IncidentRemediation(
            recommendation="MyXXX",
            url="MyXXX"
        )
        listResourceListDataObject = [
            IncidentResourceList(
                id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                name="MyXXX",
                type="MyXXX",
                region_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                domain_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                project_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                ep_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                ep_name="MyXXX",
                tags="909494e3-558e-46b6-a9eb-07a8e18ca62f"
            )
        ]
        destGeoNetworkList = IncidentDestGeo(
            latitude=90,
            longitude=180
        )
        srcGeoNetworkList = IncidentSrcGeo(
            latitude=90,
            longitude=180
        )
        # direction is omitted here; set it with a value from the network_list
        # direction enumeration in the request parameter description.
        listNetworkListDataObject = [
            IncidentNetworkList(
                protocol="TCP",
                src_ip="192.168.0.1",
                src_port=1,
                src_domain="xxx",
                src_geo=srcGeoNetworkList,
                dest_ip="192.168.0.1",
                dest_port="1",
                dest_domain="xxx",
                dest_geo=destGeoNetworkList
            )
        ]
        incidentTypeDataObject = IncidentIncidentType(
            category="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            incident_type="909494e3-558e-46b6-a9eb-07a8e18ca62f"
        )
        dataSourceDataObject = IncidentDataSource(
            source_type=3,
            domain_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            project_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            region_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            product_name="test",
            product_feature="test"
        )
        environmentDataObject = IncidentEnvironment(
            vendor_type="MyXXX",
            domain_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            region_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            project_id="909494e3-558e-46b6-a9eb-07a8e18ca62f"
        )
        # Timestamps use the documented ISO 8601 form with the offset of the time zone
        # where the incident occurred. Enumerated fields take one documented value,
        # not the description of the enumeration.
        dataObjectbody = Incident(
            version="1.0",
            id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            workspace_id="909494e3-558e-46b6-a9eb-07a8e18ca620",
            labels="MyXXX",
            environment=environmentDataObject,
            data_source=dataSourceDataObject,
            first_observed_time="2021-01-30T23:00:00.000+08:00",
            last_observed_time="2021-01-30T23:00:00.000+08:00",
            create_time="2021-01-30T23:00:00.000+08:00",
            arrive_time="2021-01-30T23:00:00.000+08:00",
            title="MyXXX",
            description="This my XXXX",
            source_url="http://xxx",
            count=4,
            confidence=4,
            severity="TIPS",
            criticality=4,
            incident_type=incidentTypeDataObject,
            network_list=listNetworkListDataObject,
            resource_list=listResourceListDataObject,
            remediation=remediationDataObject,
            verification_state="Unknown",
            handle_status="Open",
            sla=60000,
            update_time="2021-01-30T23:00:00.000+08:00",
            close_time="2021-01-30T23:00:00.000+08:00",
            ipdrr_phase="Detection and Analysis",
            simulation="false",
            actor="Tom",
            owner="MyXXX",
            creator="MyXXX",
            close_reason="Resolved",
            close_comment="MyXXX",
            malware=malwareDataObject,
            system_info={},
            process=listProcessDataObject,
            user_info=listUserInfoDataObject,
            file_info=listFileInfoDataObject
        )
        request.body = CreateIncidentRequestBody(
            data_object=dataObjectbody
        )
        response = client.create_incident(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)
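Every field of data_object is optional and the SDK samples above (Java, Python and Go alike) send whatever they are given, so a malformed value, such as a timestamp that names two time zones at once or an enumerated field holding free text, only surfaces as a 400 or, worse, as a stored incident with unusable fields. The following added example is written for this page and is not part of the SecMaster SDK: it checks a data_object against the timestamp format and the enumerations documented here before the request is sent. Assumed: the field names and enumeration values are taken from this page; the rule that close_reason, close_comment and close_time belong only on an incident whose handle_status is Closed is a local consistency assumption rather than an API rule; and the sample incident it builds is constructed for the demonstration.

```python
"""Pre-flight checks for a SecMaster incident data_object before it is POSTed.

Added example for this page; it is not part of the SecMaster SDK. The enumeration
values are the ones this page documents. The rule that close_* fields only appear
on a Closed incident is a local consistency assumption, not an API rule.
"""
import uuid
from datetime import datetime
from typing import Optional

# Enumerations as documented on this page.
VERIFICATION_STATES = {"Unknown", "True_Positive", "False_Positive"}
HANDLE_STATUSES = {"Open", "Block", "Closed"}
IPDRR_PHASES = {
    "Preparation",
    "Detection and Analysis",
    "Contain, Eradication& Recovery",
    "Post-Incident-Activity",
}
CLOSE_REASONS = {"False positive", "Resolved", "Duplicate", "Others"}

TIME_FIELDS = (
    "first_observed_time", "last_observed_time", "create_time",
    "arrive_time", "update_time", "close_time",
)

# Documented format: "YYYY-MM-DDTHH:mm:ss.ms+Time zone", i.e. ISO 8601 with a UTC offset.
# Fractional seconds are optional; "+08:00" and "+0800" are both accepted by %z.
_TIME_LAYOUTS = ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z")


def parse_incident_time(value: str) -> Optional[datetime]:
    """Return an aware datetime, or None if value is not in the documented format.

    "2021-01-30T23:00:00Z+0800" is rejected: "Z" already fixes the zone to UTC,
    so the trailing "+0800" is unparsed data, not a second offset.
    """
    for layout in _TIME_LAYOUTS:
        try:
            return datetime.strptime(value, layout)
        except ValueError:
            continue
    return None


def _is_uuid(value: str) -> bool:
    """id is documented as UUID format with at most 36 characters."""
    if len(value) > 36:
        return False
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def validate_incident(obj: dict) -> list:
    """Return the list of problems found; an empty list means the object passes."""
    problems = []

    if not str(obj.get("title", "")).strip():
        problems.append("title: must be a non-empty string")

    if "id" in obj and not _is_uuid(str(obj["id"])):
        problems.append("id: must be a UUID of at most 36 characters")

    parsed_times = {}
    for field in TIME_FIELDS:
        if field in obj:
            parsed = parse_incident_time(str(obj[field]))
            if parsed is None:
                problems.append(f"{field}: not ISO 8601 with a UTC offset: {obj[field]!r}")
            else:
                parsed_times[field] = parsed
    first, last = parsed_times.get("first_observed_time"), parsed_times.get("last_observed_time")
    if first is not None and last is not None and first > last:
        problems.append("last_observed_time: earlier than first_observed_time")

    for field, allowed in (
        ("verification_state", VERIFICATION_STATES),
        ("handle_status", HANDLE_STATUSES),
        ("ipdrr_phase", IPDRR_PHASES),
        ("close_reason", CLOSE_REASONS),
    ):
        if field in obj and obj[field] not in allowed:
            problems.append(f"{field}: {obj[field]!r} is not one of {sorted(allowed)}")

    for field in ("count", "confidence", "criticality", "sla"):
        value = obj.get(field)
        if field in obj and (isinstance(value, bool) or not isinstance(value, int) or value < 0):
            problems.append(f"{field}: must be a non-negative integer")

    # Local consistency rule (assumption, not an API rule): closing fields belong
    # only on an incident whose handle_status is Closed.
    if obj.get("handle_status") != "Closed":
        for field in ("close_reason", "close_comment", "close_time"):
            if field in obj:
                problems.append(f"{field}: set while handle_status is not 'Closed'")
    return problems


def sample_incident() -> dict:
    """A constructed, minimal open incident that passes every check above."""
    return {
        "version": "1.0",
        "id": "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "title": "Suspicious process on web-01",  # constructed title
        "description": "Constructed incident used to exercise the checks.",
        "first_observed_time": "2021-01-30T22:30:00.000+08:00",
        "last_observed_time": "2021-01-30T23:00:00.000+08:00",
        "count": 4,
        "confidence": 4,
        "severity": "TIPS",
        "criticality": 4,
        "verification_state": "Unknown",
        "handle_status": "Open",
        "ipdrr_phase": "Detection and Analysis",
        "process": [{"process_name": "MyXXX", "process_pid": 123}],
    }


if __name__ == "__main__":
    good = sample_incident()
    print("sample:", validate_incident(good) or "ok")
    # Same object with a two-zone timestamp and a free-text close_reason on an open incident.
    bad = dict(good, first_observed_time="2021-01-30T23:00:00Z+0800", close_reason="Fixed")
    for problem in validate_incident(bad):
        print("bad:", problem)
```

Run the checks on the dict you are about to hand to Incident(**...) or to the raw POST; an empty list is the go-ahead, and each problem string names the offending field so it can be logged next to the request ID when the API still answers 400.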
Go
Create an incident. Set the incident title to MyXXX, the tag (labels) to MyXXX, the severity to TIPS, and the occurrence count (count) to 4.
package main
import (
"fmt"
"os"
"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
secmaster "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2"
"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2/model"
region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2/region"
)
func main() {
// Hard-coding the AK and SK, or storing them in plaintext, is a serious security risk.
// Store them encrypted in configuration files or environment variables and decrypt them at use time.
// This example reads the AK and SK from environment variables. Before running it,
// set CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
ak := os.Getenv("CLOUD_SDK_AK")
sk := os.Getenv("CLOUD_SDK_SK")
projectId := "{project_id}"
auth := basic.NewCredentialsBuilder().
WithAk(ak).
WithSk(sk).
WithProjectId(projectId).
Build()
client := secmaster.NewSecMasterClient(
secmaster.SecMasterClientBuilder().
WithRegion(region.ValueOf("<YOUR REGION>")).
WithCredential(auth).
Build())
request := &model.CreateIncidentRequest{}
request.WorkspaceId = "{workspace_id}"
filePathFileInfo:= "MyXXX"
fileContentFileInfo:= "MyXXX"
fileNewPathFileInfo:= "MyXXX"
fileHashFileInfo:= "MyXXX"
fileMd5FileInfo:= "MyXXX"
fileSha256FileInfo:= "MyXXX"
fileAttrFileInfo:= "MyXXX"
var listFileInfoDataObject = []model.IncidentFileInfo{
{
FilePath: &filePathFileInfo,
FileContent: &fileContentFileInfo,
FileNewPath: &fileNewPathFileInfo,
FileHash: &fileHashFileInfo,
FileMd5: &fileMd5FileInfo,
FileSha256: &fileSha256FileInfo,
FileAttr: &fileAttrFileInfo,
},
}
userIdUserInfo:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
userNameUserInfo:= "MyXXX"
var listUserInfoDataObject = []model.IncidentUserInfo{
{
UserId: &userIdUserInfo,
UserName: &userNameUserInfo,
},
}
processNameProcess:= "MyXXX"
processPathProcess:= "MyXXX"
processPidProcess:= int32(123)
processUidProcess:= int32(123)
processCmdlineProcess:= "MyXXX"
var listProcessDataObject = []model.IncidentProcess{
{
ProcessName: &processNameProcess,
ProcessPath: &processPathProcess,
ProcessPid: &processPidProcess,
ProcessUid: &processUidProcess,
ProcessCmdline: &processCmdlineProcess,
},
}
malwareFamilyMalware:= "family"
malwareClassMalware:= "Malicious memory occupation."
malwareDataObject := &model.IncidentMalware{
MalwareFamily: &malwareFamilyMalware,
MalwareClass: &malwareClassMalware,
}
recommendationRemediation:= "MyXXX"
urlRemediation:= "MyXXX"
remediationDataObject := &model.IncidentRemediation{
Recommendation: &recommendationRemediation,
Url: &urlRemediation,
}
idResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
nameResourceList:= "MyXXX"
typeResourceList:= "MyXXX"
regionIdResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
domainIdResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
projectIdResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
epIdResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
epNameResourceList:= "MyXXX"
tagsResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
var listResourceListDataObject = []model.IncidentResourceList{
{
Id: &idResourceList,
Name: &nameResourceList,
Type: &typeResourceList,
RegionId: ®ionIdResourceList,
DomainId: &domainIdResourceList,
ProjectId: &projectIdResourceList,
EpId: &epIdResourceList,
EpName: &epNameResourceList,
Tags: &tagsResourceList,
},
}
latitudeDestGeo:= float32(90)
longitudeDestGeo:= float32(180)
destGeoNetworkList := &model.IncidentDestGeo{
Latitude: &latitudeDestGeo,
Longitude: &longitudeDestGeo,
}
latitudeSrcGeo:= float32(90)
longitudeSrcGeo:= float32(180)
srcGeoNetworkList := &model.IncidentSrcGeo{
Latitude: &latitudeSrcGeo,
Longitude: &longitudeSrcGeo,
}
// direction is omitted here; set Direction with a value from
// model.GetIncidentNetworkListDirectionEnum() listed in the request parameter description.
protocolNetworkList := "TCP"
srcIpNetworkList := "192.168.0.1"
srcPortNetworkList := int32(1)
srcDomainNetworkList := "xxx"
destIpNetworkList := "192.168.0.1"
destPortNetworkList := "1"
destDomainNetworkList := "xxx"
var listNetworkListDataObject = []model.IncidentNetworkList{
{
Protocol: &protocolNetworkList,
SrcIp: &srcIpNetworkList,
SrcPort: &srcPortNetworkList,
SrcDomain: &srcDomainNetworkList,
SrcGeo: srcGeoNetworkList,
DestIp: &destIpNetworkList,
DestPort: &destPortNetworkList,
DestDomain: &destDomainNetworkList,
DestGeo: destGeoNetworkList,
},
}
categoryIncidentType:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
incidentTypeIncidentType:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
incidentTypeDataObject := &model.IncidentIncidentType{
Category: &categoryIncidentType,
IncidentType: &incidentTypeIncidentType,
}
sourceTypeDataSource:= int32(3)
domainIdDataSource:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
projectIdDataSource:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
regionIdDataSource:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
productNameDataSource:= "test"
productFeatureDataSource:= "test"
dataSourceDataObject := &model.IncidentDataSource{
SourceType: &sourceTypeDataSource,
DomainId: &domainIdDataSource,
ProjectId: &projectIdDataSource,
RegionId: ®ionIdDataSource,
ProductName: &productNameDataSource,
ProductFeature: &productFeatureDataSource,
}
vendorTypeEnvironment:= "MyXXX"
domainIdEnvironment:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
regionIdEnvironment:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
projectIdEnvironment:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
environmentDataObject := &model.IncidentEnvironment{
VendorType: &vendorTypeEnvironment,
DomainId: &domainIdEnvironment,
RegionId: ®ionIdEnvironment,
ProjectId: &projectIdEnvironment,
}
versionDataObject:= "1.0"
idDataObject:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
workspaceIdDataObject:= "909494e3-558e-46b6-a9eb-07a8e18ca620"
labelsDataObject:= "MyXXX"
// Timestamps use the documented ISO 8601 form with the offset of the time zone where the incident occurred.
firstObservedTimeDataObject := "2021-01-30T23:00:00.000+08:00"
lastObservedTimeDataObject := "2021-01-30T23:00:00.000+08:00"
createTimeDataObject := "2021-01-30T23:00:00.000+08:00"
arriveTimeDataObject := "2021-01-30T23:00:00.000+08:00"
titleDataObject:= "MyXXX"
descriptionDataObject:= "This my XXXX"
sourceUrlDataObject:= "http://xxx"
countDataObject:= int32(4)
confidenceDataObject:= int32(4)
severityDataObject:= model.GetIncidentSeverityEnum().TIPS
criticalityDataObject:= int32(4)
// Enumerated fields take one documented value. The constant names below follow the SDK
// generator's convention (documented value upper-cased, spaces as underscores); that naming
// is an assumption to confirm against the installed SDK version.
verificationStateDataObject := model.GetIncidentVerificationStateEnum().UNKNOWN
handleStatusDataObject := model.GetIncidentHandleStatusEnum().OPEN
slaDataObject:= int32(60000)
updateTimeDataObject := "2021-01-30T23:00:00.000+08:00"
closeTimeDataObject := "2021-01-30T23:00:00.000+08:00"
ipdrrPhaseDataObject := model.GetIncidentIpdrrPhaseEnum().DETECTION_AND_ANALYSIS
simulationDataObject:= "false"
actorDataObject:= "Tom"
ownerDataObject:= "MyXXX"
creatorDataObject:= "MyXXX"
closeReasonDataObject := model.GetIncidentCloseReasonEnum().RESOLVED
closeCommentDataObject := "MyXXX"
var systemInfoDataObject interface{} = make(map[string]string)
dataObjectbody := &model.Incident{
Version: &versionDataObject,
Id: &idDataObject,
WorkspaceId: &workspaceIdDataObject,
Labels: &labelsDataObject,
Environment: environmentDataObject,
DataSource: dataSourceDataObject,
FirstObservedTime: &firstObservedTimeDataObject,
LastObservedTime: &lastObservedTimeDataObject,
CreateTime: &createTimeDataObject,
ArriveTime: &arriveTimeDataObject,
Title: &titleDataObject,
Description: &descriptionDataObject,
SourceUrl: &sourceUrlDataObject,
Count: &countDataObject,
Confidence: &confidenceDataObject,
Severity: &severityDataObject,
Criticality: &criticalityDataObject,
IncidentType: incidentTypeDataObject,
NetworkList: &listNetworkListDataObject,
ResourceList: &listResourceListDataObject,
Remediation: remediationDataObject,
VerificationState: &verificationStateDataObject,
HandleStatus: &handleStatusDataObject,
Sla: &slaDataObject,
UpdateTime: &updateTimeDataObject,
CloseTime: &closeTimeDataObject,
IpdrrPhase: &ipdrrPhaseDataObject,
Simulation: &simulationDataObject,
Actor: &actorDataObject,
Owner: &ownerDataObject,
Creator: &creatorDataObject,
CloseReason: &closeReasonDataObject,
CloseComment: &closeCommentDataObject,
Malware: malwareDataObject,
SystemInfo: &systemInfoDataObject,
Process: &listProcessDataObject,
UserInfo: &listUserInfoDataObject,
FileInfo: &listFileInfoDataObject,
}
request.Body = &model.CreateIncidentRequestBody{
DataObject: dataObjectbody,
}
response, err := client.CreateIncident(request)
if err == nil {
fmt.Printf("%+v\n", response)
} else {
fmt.Println(err)
}
}
More
For SDK sample code in more programming languages, see the Sample Code tab in API Explorer, which generates SDK sample code automatically.
Status Codes
Status Code | Description
---|---
200 | Request succeeded; the response body contains the created incident.
400 | Request failed; the response body describes the error (see Error Codes).
Error Codes
See Error Codes.