Querying the List of Isolated Files

Function

This API is used to query the list of isolated files.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
If you are using identity policy-based authorization, no identity policy-based permission required for calling this API.

URI

GET /v5/{project_id}/event/isolated-file

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Project ID

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	ID of the enterprise project that a server belongs. An enterprise project can be configured only after the enterprise project function is enabled. Enterprise project ID. The value 0 indicates the default enterprise project. To query servers in all enterprise projects, set this parameter to all_granted_eps. If you have only the permission on an enterprise project, you need to transfer the enterprise project ID to query the server in the enterprise project. Otherwise, an error is reported due to insufficient permission.
file_path	No	String	File path
host_name	No	String	Server name
private_ip	No	String	Server private IP address
public_ip	No	String	Server public IP address
file_hash	No	String	File hash. The current value is sha256.
asset_value	No	String	Asset importance. The options are as follows: important common test
offset	No	Integer	Offset, which specifies the start position of the record to be returned.
limit	No	Integer	Number of records displayed on each page.
isolation_status	No	String	Isolation status. The options are as follows: isolated restored isolating restoring
last_days	No	Integer	Number of days to be queried. This parameter is manually exclusive with begin_time and end_time.
begin_time	No	Long	Start time of the custom query.
end_time	No	Long	End time of the custom query.

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token.
region	No	String	Region ID

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
total_num	Integer	Definition Total number. Range The value range is 0 to 2,147,483,647.
data_list	Array of IsolatedFileResponseInfo objects	Isolated file details

**Table 5** IsolatedFileResponseInfo
Parameter	Type	Description
os_type	String	Definition OS Type Range Linux Windows
host_id	String	Definition Unique ID of a server (host). Range The value can contain 1 to 64 characters.
host_name	String	Definition Server name. Range The value can contain 1 to 256 characters.
file_hash	String	Definition File hash. Range The value can contain 1 to 256 characters.
file_path	String	Definition File path. Range The value can contain 1 to 256 characters.
file_attr	String	Definition System attributes of a file (such as read and write permissions, hidden attributes, and execution permissions). Range The value can contain 1 to 256 characters.
isolation_status	String	Isolation status. The options are as follows: isolated restored isolating restoring
private_ip	String	Definition Server private IP address. Range The value can contain 1 to 128 characters.
public_ip	String	Definition Elastic IP Address (EIP) Range The value is a string of 1 to 256 characters and can be an IPv4 or IPv6 address. (An IPv4 address can contain 7 to 15 characters. An IPv6 address can contain 15 to 39 characters.)
asset_value	String	Definition Asset importance. Range important common test
update_time	Integer	Update time, in milliseconds
agent_version	String	Agent version
isolate_source	String	Isolation source. The options are as follows: event: security alarm event antivirus: virus scanning and removal
event_name	String	Definition Event name. Range The value can contain 1 to 256 characters.
agent_event_info	IsolateEventResponseInfo object	Isolation event details
antivirus_result_info	AntivirusResultDetailInfo object	Results of virus scanning and removal

**Table 6** IsolateEventResponseInfo
Parameter	Type	Description
event_id	String	Definition Event ID. Range The value can contain 1 to 64 characters.
event_class_id	String	Definition Event Category Range container_1001: container namespace container_1002: container open port container_1003: container security option container_1004: container mount directory containerescape_0001: high-risk system call containerescape_0002: shocker attack containerescape_0003: Dirty Cow attack containerescape_0004: container file escape dockerfile_001: modification of user-defined protected container file dockerfile_002: modification of executable files in the container file system dockerproc_001: abnormal container process fileprotect_0001: file privilege escalation fileprotect_0002: critical file change fileprotect_0003: critical file path change fileprotect_0004: file/directory change av_1002: virus av_1003: worm av_1004: Trojan av_1005: botnet av_1006: backdoor av_1007: spyware av_1008: adware av_1009: phishing av_1010: rootkit av_1011: ransomware av_1012: hacker tool av_1013: grayware av_1015: web shell av_1016: mining software login_0001: brute-force attack attempt login_0002: successful brute-force attack login_1001: successful login login_1002: remote login login_1003: weak password malware_0001: shell change event malware_0002: reverse shell event malware_1001: malicious program procdet_0001: abnormal process behavior procdet_0002: process privilege escalation procreport_0001: risky command user_1001: account change user_1002: risky account vmescape_0001: VM sensitive command execution vmescape_0002: access from virtualization process to sensitive file vmescape_0003: abnormal VM port access webshell_0001: web shell network_1001: mining network_1002: servers exploited to launch DDoS attacks network_1003: malicious scan network_1004: attack in sensitive areas ransomware_0001: ransomware attack ransomware_0002: ransomware attack ransomware_0003: ransomware attack fileless_0001: process injection fileless_0002: dynamic library injection fileless_0003: critical configuration change fileless_0004: environment variable change fileless_0005: memory file process fileless_0006: VDSO hijacking crontab_1001: suspicious crontab task vul_exploit_0001: Redis vulnerability exploit vul_exploit_0002: Hadoop vulnerability exploit vul_exploit_0003: MySQL vulnerability exploit rootkit_0001: suspicious rootkit file rootkit_0002: suspicious kernel module RASP_0004: web shell upload RASP_0018: fileless web shell blockexec_001: known ransomware attack hips_0001: Windows Defender disabled hips_0002: suspicious hacker tool hips_0003: suspicious ransomware encryption behavior hips_0004: hidden account creation hips_0005: user password and credential reading hips_0006: suspicious SAM file export hips_0007: suspicious shadow copy deletion hips_0008: backup file deletion hips_0009: registry operation probably performed by ransomware hips_0010: suspicious abnormal process hips_0011: suspicious scan hips_0012: suspicious ransomware script execution hips_0013: suspicious mining command execution hips_0014: suspicious Windows security center disabling hips_0015: suspicious firewall disabling hips_0016: suspicious disabling of system automatic recovery hips_0017: executable file creation in Office hips_0018: abnormal file creation with macros in Office hips_0019: suspicious registry operation hips_0020: Confluence remote code execution hips_0021: MSDT remote code execution portscan_0001: common port scan portscan_0002: secret port scan k8s_1001: Kubernetes event deletion k8s_1002: privileged pod creation k8s_1003: interactive shell used in pod k8s_1004: pod created with sensitive directory k8s_1005: pod created with server network k8s_1006: pod created with host PID space k8s_1007: authentication failure when common pods access API server k8s_1008: API server access from common pod using cURL k8s_1009: exec in system management space k8s_1010: pod created in management space k8s_1011: static pod creation k8s_1012: DaemonSet creation k8s_1013: scheduled cluster task creation k8s_1014: operation on secrets k8s_1015: allowed operation enumeration k8s_1016: high privilege RoleBinding or ClusterRoleBinding k8s_1017: ServiceAccount creation k8s_1018: Cronjob creation k8s_1019: interactive shell used for exec in pods k8s_1020: unauthorized access to API server k8s_1021: access to API server with curl k8s_1022: Ingress vulnerability k8s_1023: man-in-the-middle (MITM) attack k8s_1024: worm, mining, or Trojan k8s_1025: K8s event deletion k8s_1026: SelfSubjectRulesReview imgblock_0001: image blocking based on whitelist imgblock_0002: image blocking based on blacklist imgblock_0003: image tag blocking based on whitelist imgblock_0004: image tag blocking based on blacklist imgblock_0005: container creation blocked based on whitelist imgblock_0006: container creation blocked based on blacklist imgblock_0007: container mount proc imgblock_0008: container seccomp unconfined imgblock_0009: container privilege blocking imgblock_0010: container capabilities blocking
event_type	Integer	Definition Event type. Range 1001: common malware 1002: virus 1003: worm 1004: Trojan 1005: botnet 1006: backdoor 1010: rootkit 1011: ransomware 1012: hacker tool 1015: web shell 1016: mining 1017: reverse shell 2001: common vulnerability exploit 2012: remote code execution 2047: Redis vulnerability exploit 2048: Hadoop vulnerability exploit 2049: MySQL vulnerability exploit 3002: file privilege escalation 3003: process privilege escalation 3004: critical file change 3005: file/directory change 3007: abnormal process behavior 3015: high-risk command execution 3018: abnormal shell 3027: suspicious crontab task 3029: system protection disabled 3030: backup deletion 3031: suspicious registry operations 3036: container image blocking 4002: brute-force attack 4004: abnormal login 4006: invalid accounts 4014: account added 4020: password theft 6002: port scan 6003: server scan 13001: Kubernetes event deletion 13002: abnormal pod behavior 13003: user information enumeration 13004: cluster role binding
event_name	String	Definition Event name. Range The value can contain 1 to 256 characters.
severity	String	Definition Risk level. Range Security, Low, Medium, High, and Critical
container_name	String	Definition Container instance name. This parameter is available only for container alarms. Range The value can contain 1 to 256 characters.
image_name	String	Definition Image name. This parameter is available only for container alarms. Range The value can contain 1 to 256 characters.
host_name	String	Definition Server name. Range The value can contain 1 to 256 characters.
host_id	String	Definition Unique ID of a server (host). Range The value can contain 1 to 64 characters.
private_ip	String	Definition Server private IP address. Range The value can contain 1 to 128 characters.
public_ip	String	Definition Elastic IP Address (EIP) Range The value is a string of 1 to 256 characters and can be an IPv4 or IPv6 address. (An IPv4 address can contain 7 to 15 characters. An IPv6 address can contain 15 to 39 characters.)
os_type	String	Definition OS Type Range Linux Windows
host_status	String	Server status. The options are as follows: ACTIVE SHUTOFF BUILDING ERROR
agent_status	String	Agent status. Its value can be: installed not_installed: online offline install_failed installing
protect_status	String	Protection status. Its value can be: closed opened
asset_value	String	Asset importance. The options are as follows: important common test
attack_phase	String	Definition Attack phase. Range reconnaissance weaponization delivery exploit installation command_and_control actions
attack_tag	String	Definition Attack tag. Range attack_success: successful attack attack_attempt: attack attempt attack_blocked: attack blocked abnormal_behavior: abnormal behavior collapsible_host: server compromised system_vulnerability: system vulnerability
occur_time	Integer	Definition Occurrence time, accurate to milliseconds Range The value ranges from 0 to 9223372036854775807. The time format is a timestamp (UTC time zone, starting from 1970-01-01 00:00:00), in milliseconds.
recent_time	Integer	Occurrence time, accurate to milliseconds
handle_time	Integer	Definition Handling time, in milliseconds. This parameter is available only for handled alarms. Range The value range is 0 to 9,223,372,036,854,775,807.
handle_status	String	Definition Handling status. Range unhandled handled
handle_method	String	Definition Handling method, which is available only for handled alarms. Range mark_as_handled: Mark as handled ignore: Ignore add_to_alarm_whitelist: Add to alarm whitelist add_to_login_whitelist: Add to login whitelist isolate_and_kill: Isolate and kill
handler	String	Definition Remarks. This parameter is available only for handled alarms. Range The value can contain 1 to 256 characters.
memo	String	Remarks for manual handling
operate_accept_list	Array of strings	Supported processing operations
operate_detail_list	Array of EventDetailResponseInfo objects	Operation details list (Not displayed on the page)
forensic_info	Object	Forensic data
resource_info	Object	Resource information
geo_info	Object	Geographic information
network_info	Object	Network information
app_info	Object	Application information
system_info	Object	System information
malware_info	Object	Malware information
extend_info	Object	Extension information
recommendation	String	Handling suggestion
att_ck	String	att_ck identifier
event_details	String	Event summary
confidence	Integer	Confidence This field is displayed only for intelligence and antivirus alarms.
process_info_list	Object	Process information list
user_info_list	Object	User information list
file_info_list	Object	File information list
registry_info_list	Object	Registry information list
cluster_info	Object	Registry information list
tag_list	Array of strings	Tag list
description	String	Alarm description
event_abstract	String	Alarm summary
event_count	Integer	Event occurrences
cluster_id	String	Cluster ID

**Table 7** EventDetailResponseInfo
Parameter	Type	Description
agent_id	String	Definition Unique ID of the antivirus agent installed on a server, which is used to associate the server with the antivirus service. Constraints N/A Range The value can contain 1 to 64 characters. Default Value N/A
process_pid	Integer	Definition Process ID. Range The value range is 0 to 2,147,483,647.
is_parent	Boolean	Definition Whether a process is a parent process. Range true false
file_hash	String	Definition File hash. Range The value can contain 1 to 256 characters.
file_path	String	Definition File path. Range The value can contain 1 to 256 characters.
file_attr	String	Definition System attributes of a file (such as read and write permissions, hidden attributes, and execution permissions). Range The value can contain 1 to 256 characters.
private_ip	String	Definition Server private IP address. Range The value can contain 1 to 128 characters.
login_ip	String	Definition Login source IP address. Range The value can contain 1 to 256 characters.
login_user_name	String	Definition Login username. Range The value can contain 1 to 256 characters.
keyword	String	Alarm event keyword, which is used only for the alarm whitelist.
hash	String	Alarm event hash, which is used only for the alarm whitelist.

**Table 8** AntivirusResultDetailInfo
Parameter	Type	Description
result_id	String	Definition Virus scan and removal result ID Range The value can contain 1 to 64 characters.
malware_name	String	Definition Virus Name Range The value can contain 1 to 128 characters.
file_path	String	Definition File path. Range The value can contain 1 to 256 characters.
file_hash	String	Definition File hash. Range The value can contain 1 to 256 characters.
file_size	Integer	Definition File size. Constraints N/A Range The value range is 0 to 9,223,372,036,854,775,807. Default Value N/A
file_owner	String	Definition File attribute Range The value contains 0 to 64 characters.
file_attr	String	Definition System attributes of a file (such as read and write permissions, hidden attributes, and execution permissions). Range The value can contain 1 to 256 characters.
file_ctime	Integer	Definition File creation time. Range Non-negative long integer. The time format is a digit timestamp (UTC time, starting from 1970-01-01 00:00:00), in milliseconds.
file_mtime	Integer	Definition File update time Range Non-negative long integer. The time format is a digit timestamp (UTC time, starting from 1970-01-01 00:00:00), in milliseconds.
update_time	Integer	Update time, in milliseconds
agent_id	String	Definition Unique ID of the antivirus agent installed on a server, which is used to associate the server with the antivirus service. Constraints N/A Range The value can contain 1 to 64 characters. Default Value N/A

Example Requests

Query the first 10 isolated files.

GET https://{endpoint}/v5/{project_id}/event/isolated-file?limit=10&offset=0&enterprise_project_id=xxx

Example Responses

Status code: 200

Request succeeded.

{
  "total_num" : 1409,
  "data_list" : [ {
    "host_id" : "b44***1be-4c28-4bf3-8070-fde5****6689",
    "host_name" : "h00657476-linux",
    "private_ip" : "192.168.0.93",
    "public_ip" : "100.93.10.247",
    "asset_value" : "common",
    "os_type" : "Linux",
    "file_hash" : "32d62a995215243********a611134e9891b1264e222e55d78",
    "file_path" : "/root/***e_Samples/****-CVE/39d46a0*****20c915db30d",
    "isolation_status" : "isolated",
    "file_attr" : "33261",
    "update_time" : 1737512051632,
    "agent_version" : "3.2.15.10",
    "isolate_source" : "event",
    "event_name" : "Unclassified Malware",
    "agent_event_info" : {
      "severity" : "High",
      "recommendation" : "For malicious program alarms, you are advised to perform the following operations:\n1. If you receive an alarm, check whether the file or process mentioned in the alarm is normal. If it is normal, select the alarm, click **Handle**, and ignore it or add it to the alarm whitelist.\n2. If you receive an alarm, check whether the file or process mentioned in the alarm is normal. If it is malicious, select the alarm, click **Handle**, isolate and kill it, or manually clear viruses.\n3. If your data is lost due to malicious programs and you have subscribed to CBR, try using CBR to restore data.\n4. To prevent future intrusions, fix vulnerabilities on the **Vulnerabilities** page under the HSS risk prevention menu item.",
      "description" : "A malicious program alarm is triggered by security software upon detecting potential malware within a system or network. Malware, or malicious software, is a program that can infect and damage authorized users' computers in multiple ways. Malicious program alarms are used to remind users to take measures to prevent malicious software threats.",
      "event_id" : "ac04***86-d7a9-11ef-9fd1-fa1****8dea",
      "event_class_id" : "av_1001",
      "event_type" : 1001,
      "event_name" : "Unclassified Malware",
      "host_name" : "h00657476-linux",
      "host_id" : "b44d***be-4c28-4bf3-8070-fde59***c6689",
      "attack_phase" : "installation",
      "attack_tag" : "abnormal_behavior",
      "occur_time" : 1737430920000,
      "recent_time" : 1737465583543,
      "handle_time" : 1737512072882,
      "handle_status" : "handled",
      "handle_method" : "isolate_and_kill",
      "handler" : "scc_hss_g00840938_01",
      "memo" : "Two alarms have been handled.",
      "resource_info" : {
        "project_id" : "84b5266c14ae489fa6549827f032dc62",
        "enterprise_project_id" : "0",
        "region_name" : "cn-north-7",
        "host_name" : "h00657476-linux",
        "host_ip" : "192.168.0.***",
        "public_ip" : "1**.93.10.***",
        "host_id" : "b4***1be-4c28-4bf3-8070-fde***6689",
        "asset_value" : "common",
        "cloud_id" : "",
        "vm_name" : "h00657476-linux",
        "vm_uuid" : "b4***1be-4c28-4bf3-8070-fde5***6689",
        "os_type" : "Linux",
        "os_name" : "HCE OS",
        "os_version" : "2.0",
        "agent_version" : "3.2.15.10"
      },
      "malware_info" : {
        "malware_family" : "Generic",
        "severity" : 0
      },
      "att_ck" : "Impact",
      "confidence" : 90,
      "file_info_list" : {
        "file_path" : "/root/******les/*****-CVE/39d46a0cd603*****db30d",
        "file_hash" : "32d62a995215243f******34e9891b1264e222e55d78"
      },
      "event_abstract" : "A suspicious program was detected on server A at 11:42:00 on 2025-01-21. Confidence: medium. Access path: /root/Malware_Samples/Common-CVE/39d46a0cd60393e5571b720c915db30d",
      "event_count" : 4
    }
  } ]
}

Status Codes

Status Code	Description
200	Request succeeded.

Error Codes

See Error Codes.

Parent Topic: Event Management

Previous topic: Exporting Vulnerability Reports

Next topic: Restoring Isolated Files

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

For any further questions, feel free to contact us through the chatbot.

Chatbot