Exporting Vulnerability Reports

Function

This API is used to query the forensics information about a specific event.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
If you are using identity policy-based authorization, no identity policy-based permission required for calling this API.

URI

GET /v5/{project_id}/event/forensic

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Definition Project ID, which is used to specify the project that an asset belongs to. After the project ID is configured, you can query assets in the project using the project ID. For details about how to obtain it, see Obtaining a Project ID. Constraints N/A Range The value can contain 1 to 256 characters. Default Value N/A

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	Definition Enterprise project ID, which is used to filter assets in different enterprise projects. For details, see Obtaining an Enterprise Project ID. To query assets in all enterprise projects, set this parameter to all_granted_eps. Constraints You need to set this parameter only after the enterprise project function is enabled. Range The value can contain 1 to 256 characters. Default Value 0: default enterprise project.
event_type	Yes	Integer	Definition Event type Constraints N/A Range 1001: common malware 1002: virus 1003: worm 1004: Trojan 1005: botnet 1006: backdoor 1010: rootkit 1011: ransomware 1012: hacker tool 1015: web shell 1016: mining 1017: reverse shell 2001: common vulnerability exploit 2012: remote code execution 2047: Redis vulnerability exploit 2048: Hadoop vulnerability exploit 2049: MySQL vulnerability exploit 3002: file privilege escalation 3003: process privilege escalation 3004: critical file change 3005: file/directory change 3007: abnormal process behavior 3015: high-risk command execution 3018: abnormal shell 3027: suspicious crontab task 3029: system protection disabled 3030: backup deletion 3031: suspicious registry operations 3036: container image blocking 4002: brute-force attack 4004: abnormal login 4006: invalid account 4014: account added 4020: password theft 6002: port scan 6003: server scan 13001: Kubernetes event deletion 13002: abnormal pod behavior 13003: user information enumeration 13004: cluster role binding 11001: advanced threat event Default Value N/A
event_id	Yes	String	Definition Case code. Constraints N/A Range The value can contain 1 to 128 characters. Default Value N/A
occur_time	Yes	Long	Definition Time when the event was generated. Constraints N/A Range N/A Default Value N/A
category	No	String	Definition Event type. Constraints N/A Range host: server security event container: container security event serverless: serverless security event Default Value N/A

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	Definition User token, which contains user identity and permissions. The token can be used for identity authentication when an API is called. For details about how to obtain the token, see Obtaining a User Token. Constraints N/A Range The value can contain 1 to 32,768 characters. Default Value N/A

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
event_type	Integer	Definition Event type Constraints N/A Range 1001: common malware 1002: virus 1003: worm 1004: Trojan 1005: botnet 1006: backdoor 1010: rootkit 1011: ransomware 1012: hacker tool 1015: web shell 1016: mining 1017: reverse shell 2001: common vulnerability exploit 2012: remote code execution 2047: Redis vulnerability exploit 2048: Hadoop vulnerability exploit 2049: MySQL vulnerability exploit 3002: file privilege escalation 3003: process privilege escalation 3004: critical file change 3005: file/directory change 3007: abnormal process behavior 3015: high-risk command execution 3018: abnormal shell 3027: suspicious crontab task 3029: system protection disabled 3030: backup deletion 3031: suspicious registry operations 3036: container image blocking 4002: brute-force attack 4004: abnormal login 4006: invalid account 4014: account added 4020: password theft 6002: port scan 6003: server scan 13001: Kubernetes event deletion 13002: abnormal pod behavior 13003: user information enumeration 13004: cluster role binding 11001: advanced threat event
event_class_id	String	Definition Event Category Range container_1001: container namespace container_1002: container open port container_1003: container security option container_1004: container mount directory containerescape_0001: high-risk system call containerescape_0002: shocker attack containerescape_0003: Dirty Cow attack containerescape_0004: container file escape dockerfile_001: modification of user-defined protected container file dockerfile_002: modification of executable files in the container file system dockerproc_001: abnormal container process fileprotect_0001: file privilege escalation fileprotect_0002: critical file change fileprotect_0003: critical file path change fileprotect_0004: file/directory change av_1002: virus av_1003: worm av_1004: Trojan av_1005: botnet av_1006: backdoor av_1007: spyware av_1008: adware av_1009: phishing av_1010: rootkit av_1011: ransomware av_1012: hacker tool av_1013: grayware av_1015: web shell av_1016: mining software login_0001: brute-force attack attempt login_0002: successful brute-force attack login_1001: successful login login_1002: remote login login_1003: weak password malware_0001: shell change event malware_0002: reverse shell event malware_1001: malicious program procdet_0001: abnormal process behavior procdet_0002: process privilege escalation procreport_0001: risky command user_1001: account change user_1002: risky account vmescape_0001: VM sensitive command execution vmescape_0002: access from virtualization process to sensitive file vmescape_0003: abnormal VM port access webshell_0001: web shell network_1001: mining network_1002: servers exploited to launch DDoS attacks network_1003: malicious scan network_1004: attack in sensitive areas ransomware_0001: ransomware attack ransomware_0002: ransomware attack ransomware_0003: ransomware attack fileless_0001: process injection fileless_0002: dynamic library injection fileless_0003: critical configuration change fileless_0004: environment variable change fileless_0005: memory file process fileless_0006: VDSO hijacking crontab_1001: suspicious crontab task vul_exploit_0001: Redis vulnerability exploit vul_exploit_0002: Hadoop vulnerability exploit vul_exploit_0003: MySQL vulnerability exploit rootkit_0001: suspicious rootkit file rootkit_0002: suspicious kernel module RASP_0004: web shell upload RASP_0018: fileless web shell blockexec_001: known ransomware attack hips_0001: Windows Defender disabled hips_0002: suspicious hacker tool hips_0003: suspicious ransomware encryption behavior hips_0004: hidden account creation hips_0005: user password and credential reading hips_0006: suspicious SAM file export hips_0007: suspicious shadow copy deletion hips_0008: backup file deletion hips_0009: registry operation probably performed by ransomware hips_0010: suspicious abnormal process hips_0011: suspicious scan hips_0012: suspicious ransomware script execution hips_0013: suspicious mining command execution hips_0014: suspicious Windows security center disabling hips_0015: suspicious firewall disabling hips_0016: suspicious disabling of system automatic recovery hips_0017: executable file creation in Office hips_0018: abnormal file creation with macros in Office hips_0019: suspicious registry operation hips_0020: Confluence remote code execution hips_0021: MSDT remote code execution portscan_0001: common port scan portscan_0002: secret port scan k8s_1001: Kubernetes event deletion k8s_1002: privileged pod creation k8s_1003: interactive shell used in pod k8s_1004: pod created with sensitive directory k8s_1005: pod created with server network k8s_1006: pod created with host PID space k8s_1007: authentication failure when common pods access API server k8s_1008: API server access from common pod using cURL k8s_1009: exec in system management space k8s_1010: pod created in management space k8s_1011: static pod creation k8s_1012: DaemonSet creation k8s_1013: scheduled cluster task creation k8s_1014: operation on secrets k8s_1015: allowed operation enumeration k8s_1016: high privilege RoleBinding or ClusterRoleBinding k8s_1017: ServiceAccount creation k8s_1018: Cronjob creation k8s_1019: interactive shell used for exec in pods k8s_1020: unauthorized access to API server k8s_1021: access to API server with curl k8s_1022: Ingress vulnerability k8s_1023: man-in-the-middle (MITM) attack k8s_1024: worm, mining, or Trojan k8s_1025: K8s event deletion k8s_1026: SelfSubjectRulesReview imgblock_0001: image blocking based on whitelist imgblock_0002: image blocking based on blacklist imgblock_0003: image tag blocking based on whitelist imgblock_0004: image tag blocking based on blacklist imgblock_0005: container creation blocked based on whitelist imgblock_0006: container creation blocked based on blacklist imgblock_0007: container mount proc imgblock_0008: container seccomp unconfined imgblock_0009: container privilege blocking imgblock_0010: container capabilities blocking honeypot_0001: suspicious honeypot access
support_download_file	Boolean	Definition Whether alarm source file download is supported. Range true: supported false: not supported
malware_file_hash	String	Definition Hash value of the malicious file. Currently, the value is sha256. Range N/A
event_forensic_info	EventForensicInfo object	Definition Incident investigation and forensics information Range N/A

**Table 5** EventForensicInfo
Parameter	Type	Description
occur_time	Long	Definition Occurrence time, accurate to milliseconds Range N/A
file_forensic_list	Array of FileForensicInfo objects	Definition File forensics information list. Range N/A
process_chain_forensic	Array of ProcessChainList objects	Definition Process chain forensics information Range N/A
network_forensic	network_forensic object	Definition Network Forensics Range N/A
user_forensic	user_forensic object	Definition User Forensics Range N/A
registry_forensic	registry_forensic object	Definition Registry Forensics Range N/A
abnormal_login_forensic	abnormal_login_forensic object	Definition Abnormal Login Forensics Range N/A
container_forensic	container_forensic object	Definition Container Alarm Forensics Range N/A
malware_forensic	malware_forensic object	Definition Malware Forensics Range N/A
auto_launch_forensic	auto_launch_forensic object	Definition Auto-started Item Forensics Range N/A
kernel_forensic_list	Array of KernelForensicInfo objects	Definition Kernel Forensics Range N/A
geo_forensic	geo_forensic object	Definition Geographical Location Forensics Range N/A
stack_forensic	stack_forensic object	Definition Stack Forensics Range N/A
image_block_forensic	image_block_forensic object	Definition Container Image Blocking Forensics Range N/A
honey_forensic	Array of HoneyForensicInfo objects	Definition Honeypot Forensics Range N/A

**Table 6** FileForensicInfo
Parameter	Type	Description
file_path	String	Definition File path. Range N/A
file_new_path	String	Definition New File Path Range N/A
file_name	String	Definition File name. Range N/A
file_sha256	String	Definition SHA256 value of the file. Range N/A
file_action	String	Definition File action. Range N/A
file_operation	Integer	Definition File operation type. Range N/A
file_size	Integer	Definition File Size Range N/A
file_hash	String	Definition File hash. The current value is sha256. Range N/A
file_desc	String	Definition File description. Range N/A
is_dir	Boolean	Definition Whether it is a directory. Range N/A
file_mtime	Long	Definition Last file modification time (ms). Range N/A
file_atime	Long	Definition Last file access time (ms) Range N/A
file_ctime	Long	Definition Time when the file status last changed (ms) Range N/A
file_alias	String	Definition File alias. Range N/A
file_md5	String	Definition File MD5 value. Range N/A
file_type	String	Definition File type Range N/A
file_key_word	String	Definition File keyword. Range N/A

**Table 7** ProcessChainList
Parameter	Type	Description
[items]	Array of ProcessForensicInfo objects	Process chain list

**Table 8** ProcessForensicInfo
Parameter	Type	Description
process_name	String	Definition Process name. Range N/A
process_path	String	Definition Process file path. Range N/A
process_pid	Integer	Definition Process ID. Range N/A
process_uid	Integer	Definition User ID associated with the process. Range N/A
process_gid	Integer	Definition Process group ID. Range N/A
process_egid	Integer	Definition Valid process group ID. Range N/A
process_euid	Integer	Definition Valid user ID of a process. Range N/A
process_username	String	Definition Process username. Range N/A
process_cmdline	String	Definition Process file command line. Range N/A
process_start_time	Long	Definition Process start time Range N/A
process_file_hash	String	Definition Process file hash. Range N/A
ancestor_process_pid	Integer	Definition Grandparent process ID. Range N/A
ancestor_process_cmdline	String	Definition Grandparent process command line. Range N/A
ancestor_process_path	String	Definition Grandparent process path. Range N/A
session_id	Integer	Definition Session ID Range N/A
event_num	Integer	Definition Number of threat events Range N/A
type	String	Definition Node Type Range 0: process 1: registry 2: file

**Table 9** network_forensic
Parameter	Type	Description
local_address	String	Definition Local IP address Range N/A
local_port	Integer	Definition Local port Range N/A
src_ip	String	Definition Source IP address. Range N/A
remote_address	String	Definition Remote IP address (attacker IP address) Range N/A
remote_port	Integer	Definition Remote Port Range N/A
protocol	String	Definition Protocol Range N/A
app_protocol	String	Definition Application-Layer Protocol Range N/A
flow_direction	String	Definition Traffic Direction Range N/A
count	Integer	Definition Connections Range N/A
first_time	Long	Definition First connection time (ms) Range N/A
last_time	Long	Definition Last Connection Time (ms) Range N/A
request_method	String	Definition Request Methods Range N/A
request_url	String	Definition Request URL. Range N/A
query_string	String	Definition Query string Range N/A
request_params	String	Definition Request parameters. Range N/A
request_header	String	Definition Request header. Range N/A

**Table 10** user_forensic
Parameter	Type	Description
user_id	Integer	Definition User ID (UID). Range N/A
user_gid	Integer	Definition User GID. Range N/A
user_name	String	Definition Username. Range N/A
user_group_name	String	Definition User group name. Range N/A
user_home_dir	String	Definition User home directory. Range N/A
login_ip	String	Definition User login IP address Range N/A
service_type	String	Definition Login Service Type Range N/A
service_port	Integer	Definition Login service port. Range N/A
login_mode	Integer	Definition Login mode. Range N/A
login_last_time	Long	Definition Last login time of a user. Range N/A
login_fail_count	Integer	Definition Number of failed login attempts. Range N/A

**Table 11** registry_forensic
Parameter	Type	Description
reg_key	String	Definition Registry key Range N/A
reg_value	String	Definition Registry value Range N/A
reg_new_key	String	Definition New key in the registry Range N/A
reg_op_type	String	Definition Registry key/value operation type Range N/A

**Table 12** abnormal_login_forensic
Parameter	Type	Description
ip	String	Definition IP Range N/A
user	String	Definition User Range N/A
country	String	Definition Country/Region Range N/A
sub_division	String	Definition Province Range N/A
city	String	Definition City Range N/A
city_id	Integer	Definition Login Source (Mapping Location Name) Range N/A

**Table 13** container_forensic
Parameter	Type	Description
container_id	String	Definition Container ID Range N/A
container_status	String	Definition Container Status. Range N/A
pod_uid	String	Definition pod uid Range N/A
pod_name	String	Definition pod name Range N/A
namespace	String	Definition namespace Range N/A
cluster_id	String	Definition Cluster ID. Constraints N/A Range Length: 1 to 64 characters Default Value N/A
cluster_name	String	Definition Cluster name Constraints N/A Range The value can contain 1 to 256 characters. Default Value N/A
image_id	String	Definition Image ID. Range N/A
image_name	String	Definition Image name. Range N/A
priviledged	Boolean	Definition Privileged Container Range N/A
pid_mode	String	Definition Container PID Namespace Mode Range N/A
ipc_mode	String	Definition Container IPC Namespace Mode Range N/A
network_mode	String	Definition Container Network Namespace Mode Range N/A
publish_allports	Boolean	Definition Open All Container Ports Range N/A
capabilities	String	Definition Container Capability Range N/A
security_opts	String	Definition Container Security Option Range N/A
ports	String	Definition Container Open Port Range N/A
mounts	String	Definition Container Mount Point Range N/A
sys_call	String	Definition System call Range N/A
container_name	String	Definition Container name. Range N/A

**Table 14** malware_forensic
Parameter	Type	Description
malware_family	String	Definition Malware family. Range N/A
malware_name	String	Definition Malware name Range N/A
malware_type	String	Definition Malware type Range N/A
confidence	Integer	Definition Credibility Range N/A

**Table 15** auto_launch_forensic
Parameter	Type	Description
event	Integer	Definition Event Range N/A
type	Integer	Definition Type. Range N/A
owner	String	Definition User Range N/A
name	String	Definition Command Range N/A
run_interval	String	Definition Running Interval Range N/A
hash	String	Definition hash Range N/A
mtime	String	Definition hash Range N/A
description	String	Definition Startup Items Range N/A
path	String	Definition Process file command line. Range N/A

**Table 16** KernelForensicInfo
Parameter	Type	Description
read_addr	Integer	Definition Address Range N/A
syscall_num	Integer	Definition System call ID Range N/A
function	String	Definition System function Range N/A
module	String	Definition Kernel modules Range N/A
ext_info	String	Definition Extended information. Range N/A

**Table 17** geo_forensic
Parameter	Type	Description
src_country	String	Definition Source Country Range N/A
src_city	String	Definition Source city. Range N/A
src_latitude	Integer	Definition Source Latitude Range N/A
src_longitude	Integer	Definition Source Longitude Range N/A
dest_country	String	Definition Destination Country Range N/A
dest_city	String	Definition Destination City Range N/A
dest_latitude	Integer	Definition Destination Latitude Range N/A
dest_longitude	Integer	Definition Destination Longitude Range N/A

**Table 18** stack_forensic
Parameter	Type	Description
attack_input_value	String	Definition Attack Payload Range N/A
app_stack	String	Definition Stack Information Range N/A
chk_probe	Integer	Definition Attack probe Range N/A
chk_rule	Integer	Definition Feature rule Range N/A
plugin_name	Integer	Definition Rule Range N/A

**Table 19** image_block_forensic
Parameter	Type	Description
type	String	Definition Block type. Range N/A
msg	String	Definition Reason for Blocking Range N/A
path	String	Definition Path Range N/A
image	String	Definition Image name. Range N/A
version	Boolean	Definition Image tag. Range N/A
result	String	Definition Blocking result Range N/A
time	String	Definition Occurred On Range N/A

**Table 20** HoneyForensicInfo
Parameter	Type	Description
attack_ip	String	Definition Attack source IP address Range N/A
sandbox_name	String	Definition Sandbox Name Range N/A
service_name	String	Definition Spoofing service Range N/A
attack_type	String	Definition Attack Type Range probe: probe invade: intrusion
attack_method_desc	String	Definition Attack methods Range N/A
attack_desc	String	Definition Attack behavior Range N/A

Example Requests

None

Example Responses

Status code: 200

Request succeeded.

{
  "event_type" : 1001,
  "event_class_id" : "av_1008",
  "support_download_file" : true,
  "malware_file_hash" : "d36b44b1cd6d5767f788ba326",
  "event_forensic_info" : {
    "occur_time" : 1615564800000,
    "network_forensic" : {
      "local_address" : "1.1.1.1",
      "local_port" : 0,
      "src_ip" : "1.1.1.2",
      "remote_address" : "1.1.1.3",
      "remote_port" : 0,
      "count" : 1,
      "first_time" : 1615564800000,
      "last_time" : 1615564800000
    }
  }
}

Status Codes

Status Code	Description
200	Request succeeded.

Error Codes

See Error Codes.

Parent Topic: Event Management

Previous topic: Submitting a Vulnerability Export Request

Next topic: Querying the List of Isolated Files

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

For any further questions, feel free to contact us through the chatbot.

Chatbot