Querying the Attack Identifier Distribution Statistics List

Function

This API is used to query attack identifier distribution statistics.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
If you are using identity policy-based authorization, no identity policy-based permission required for calling this API.

URI

GET /v5/{project_id}/event/attack-tag

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Definition Project ID, which is used to specify the project that an asset belongs to. After the project ID is configured, you can query assets in the project using the project ID. For details about how to obtain it, see Obtaining a Project ID. Constraints N/A Range Length: 1 to 256 characters Default Value N/A

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	Definition Enterprise project ID, which is used to filter assets in different enterprise projects. For details, see Obtaining an Enterprise Project ID. To query assets in all enterprise projects, set this parameter to all_granted_eps. Constraints You need to set this parameter only after the enterprise project function is enabled. Range Length: 1 to 256 characters Default Value 0: default enterprise project.
last_days	No	Integer	Definition Number of days to be queried. This parameter is manually exclusive with begin_time and end_time. Constraints N/A Range Minimum value: 1; maximum value: 30 Default Value N/A
category	Yes	String	Definition Event type. Constraints Mandatory Range host: server security event container: container security event serverless: serverless security event Default Value N/A
host_name	No	String	Definition Server name. Constraints N/A Range Length: 1 to 256 characters Default Value N/A
host_id	No	String	Definition Server ID. Constraints N/A Range Length: 1 to 256 characters Default Value N/A
private_ip	No	String	Definition Server private IP address. Constraints N/A Range Length: 1 to 128 characters Default Value N/A
public_ip	No	String	Definition Server EIP. Constraints N/A Range Length: 1 to 128 characters Default Value N/A
container_name	No	String	Definition Container instance name. Constraints N/A Range Length: 1 to 512 characters Default Value N/A
event_type	No	Integer	Definition Event type. Constraints N/A Range 1001: common malware 1002: virus 1003: worm 1004: Trojan 1005: Botnet 1006: backdoor 1010: Rootkit 1011: Ransomware 1012: hacker tool 1015: Webshell 1016: mining 1017: reverse shell 2001: common vulnerability exploit 2012: remote code execution 2047: Redis vulnerability exploit 2048: Hadoop vulnerability exploit 2049: MySQL vulnerability exploit 3002: file privilege escalation 3003: process privilege escalation 3004: critical file change 3005: file/directory change 3007: abnormal process behavior 3015: high-risk command execution 3018: abnormal shell 3026: crontab privilege escalation 3027: crontab suspicious task 3029: system protection disabled 3030: backup deletion 3031: abnormal registry operation 3036: container image blocking 4002: brute-force attack 4004: abnormal login 4006: invalid system account 4014: account added 4020: password theft 6002: port scan 6003: server scan 13001: Kubernetes event deletion 13002: abnormal pod behavior 13003: user information enumeration 13004: cluster role binding Default Value N/A
handle_status	No	String	Definition Handling status. Constraints N/A Range unhandled: unhandled handled: handled Default Value N/A
severity	No	String	Definition Risk level. Constraints N/A Range Security: security Low: low-risk Medium: medium-risk High: high-risk Critical: critical Default Value N/A
severity_list	No	Array of strings	Definition Risk level. Constraints N/A Range Security: security Low: low-risk Medium: medium-risk High: high-risk Critical: critical Default Value N/A
attack_tag	No	String	Definition Attack tag. Constraints N/A Range attack_success: The attack is successful. attack_attempt: attack attempt attack_blocked: The attack is blocked. abnormal_behavior: abnormal behavior collapsible_host: The server is compromised. system_vulnerability: system vulnerability Default Value N/A
asset_value	No	String	Definition Asset importance. Constraints N/A Range important: important asset common: common asset test: test asset Default Value N/A
tag_list	No	Array of strings	Event tag list, for example, ["hot event"].
att_ck	No	String	Definition ATT&CK phase. Constraints N/A Range Reconnaissance: reconnaissance Initial Access: initial access Execution: execution Persistence: persistence Privilege Escalation: privilege escalation Defense Evasion: defense bypass Credential Access: credential access Command and Control: command and control Impact: impact Default Value N/A
event_name	No	String	Definition Alarm name Constraints N/A Range Length: 1 to 128 characters Default Value N/A

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	Definition User token, which contains user identity and permissions. The token can be used for identity authentication when an API is called. For details about how to obtain the token, see Obtaining a User Token. Constraints N/A Range Length: 1 to 32768 characters Default Value N/A
region	Yes	String	Definition Region ID, which is used to query assets in the required region. For details about how to obtain a region ID, see Obtaining a Region ID. Constraints N/A Range Length: 0 to 128 characters Default Value N/A

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
attack_success_num	Integer	Definition Number of successful attacks Range Minimum value: 0; maximum value: 2147483647
attack_attempt_num	Integer	Definition Number of attack attempts Range Minimum value: 0; maximum value: 2147483647
attack_blocked_num	Integer	Definition Number of blocked attacks Range Minimum value: 0; maximum value: 2147483647
abnormal_behavior_num	Integer	Definition Number of attacks in the abnormal behavior phase Range Minimum value: 0; maximum value: 2147483647
collapsible_host_num	Integer	Definition Number of attacks in the server compromise phase Range Minimum value: 0; maximum value: 2147483647
system_vulnerability_num	Integer	Definition Number of attacks in the system vulnerability phase Range Minimum value: 0; maximum value: 2147483647

Example Requests

None

Example Responses

Status code: 200

Request succeeded.

{
  "attack_success_num" : 10,
  "attack_attempt_num" : 10,
  "attack_blocked_num" : 10,
  "abnormal_behavior_num" : 10,
  "collapsible_host_num" : 10,
  "system_vulnerability_num" : 10
}

Status Codes

Status Code	Description
200	Request succeeded.

Error Codes

See Error Codes.

Parent Topic: Event Management

Previous topic: Querying the Statistics of ATT&CK Phases

Next topic: Querying the List of Blocked IP Addresses

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

For any further questions, feel free to contact us through the chatbot.

Chatbot