Updated on 2025-08-15 GMT+08:00

Querying the Detected Intrusion List

Function

This API is used to query the detected intrusion list.

Calling Method

For details, see Calling APIs.

URI

GET /v5/{project_id}/event/events

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

project_id

Yes

String

Definition

Project ID, which is used to specify the project that an asset belongs to. After the project ID is configured, you can query assets in the project using the project ID. For details about how to obtain it, see Obtaining a Project ID.

Constraints

N/A

Range

The value contains 1 to 256 characters.

Default Value

N/A

Table 2 Query Parameters

Parameter

Mandatory

Type

Description

category

Yes

String

Definition

Event type.

Constraints

N/A

Range

  • host: server security event

  • container: container security event

Default Value

N/A

enterprise_project_id

No

String

Definition

Enterprise project ID, which is used to filter assets in different enterprise projects. For details, see Obtaining an Enterprise Project ID.

To query assets in all enterprise projects, set this parameter to all_granted_eps.

Constraints

You need to set this parameter only after the enterprise project function is enabled.

Range

The value can contain 1 to 256 characters.

Default Value

0: default enterprise project.

last_days

No

Integer

Definition

Number of days to be queried. This parameter is mutually exclusive with begin_time and end_time.

Constraints

N/A

Range

The value range is 1 to 30.

Default Value

N/A

host_name

No

String

Definition

Server name.

Constraints

N/A

Range

The value can contain 1 to 256 characters.

Default Value

N/A

host_id

No

String

Definition

Server ID.

Constraints

N/A

Range

The value can contain 0 to 64 characters.

Default Value

N/A

private_ip

No

String

Definition

Server private IP address.

Constraints

N/A

Range

The value can contain 1 to 256 characters.

Default Value

N/A

public_ip

No

String

Definition

Server EIP.

Constraints

N/A

Range

The value can contain 1 to 256 characters.

Default Value

N/A

container_name

No

String

Definition

Container instance name.

Constraints

N/A

Range

The value can contain 1 to 512 characters.

Default Value

N/A

offset

No

Integer

Definition

Offset, which specifies the start position of the record to be returned.

Constraints

N/A

Range

The value range is 0 to 2,000,000.

Default Value

N/A

limit

No

Integer

Definition

Number of records displayed on each page.

Constraints

N/A

Range

The value range is 10 to 1,000.

Default Value

10

event_types

No

Array of integers

Definition

Event type.

Constraints

N/A

Range

  • 1001: common malware

  • 1002: virus

  • 1003: worm

  • 1004: Trojan

  • 1005: botnet

  • 1006: backdoor

  • 1010: rootkit

  • 1011: ransomware

  • 1012: hacker tool

  • 1015: web shell

  • 1016: mining

  • 1017: reverse shell

  • 2001: common vulnerability exploit

  • 2012: remote code execution

  • 2047: Redis vulnerability exploit

  • 2048: Hadoop vulnerability exploit

  • 2049: MySQL vulnerability exploit

  • 3002: file privilege escalation

  • 3003: process privilege escalation

  • 3004: critical file change

  • 3005: file/directory change

  • 3007: abnormal process behavior

  • 3015: high-risk command execution

  • 3018: abnormal shell

  • 3026: crontab privilege escalation

  • 3027: suspicious crontab task

  • 3029: system protection disabled

  • 3030: backup deletion

  • 3031: suspicious registry operations

  • 3036: container image blocking

  • 4002: brute-force attack

  • 4004: abnormal login

  • 4006: invalid accounts

  • 4014: account added

  • 4020: password theft

  • 6002: port scan

  • 6003: server scan

  • 13001: Kubernetes event deletion

  • 13002: abnormal pod behavior

  • 13003: user information enumeration

  • 13004: cluster role binding

Default Value

N/A

handle_status

No

String

Definition

Handling status.

Constraints

N/A

Range

  • unhandled

  • handled

Default Value

N/A

severity

No

String

Definition

Risk level.

Constraints

N/A

Range

  • Security

  • Low

  • Medium

  • High

  • Critical

Default Value

N/A

begin_time

No

String

Definition

Customized start time of a query time range. The timestamp is accurate to seconds. The end_time should be no more than two days earlier than the begin_time. This parameter is mutually exclusive with the queried duration.

Constraints

N/A

Range

The value contains 13 characters.

Default Value

N/A

end_time

No

String

Definition

Customized end time of a query time range. The timestamp is accurate to milliseconds. The end_time should be no more than two days earlier than the begin_time. This parameter is mutually exclusive with the queried duration.

Constraints

N/A

Range

The value contains 13 characters.

Default Value

N/A

event_class_ids

No

Array of strings

Definition

Event ID

Constraints

N/A

Range

  • container_1001: container namespace

  • container_1002: container open port

  • container_1003: container security option

  • container_1004: container mount directory

  • containerescape_0001: high-risk system call

  • containerescape_0002: shocker attack

  • containerescape_0003: Dirty Cow attack

  • containerescape_0004: container file escape

  • dockerfile_001: modification of user-defined protected container file

  • dockerfile_002: modification of executable files in the container file system

  • dockerproc_001: abnormal container process

  • fileprotect_0001: file privilege escalation

  • fileprotect_0002: critical file change

  • fileprotect_0003: critical file path change

  • fileprotect_0004: file/directory change

  • av_1002: virus

  • av_1003: worm

  • av_1004: Trojan

  • av_1005: botnet

  • av_1006: backdoor

  • av_1007: spyware

  • av_1008: adware

  • av_1009: phishing

  • av_1010: rootkit

  • av_1011: ransomware

  • av_1012: hacker tool

  • av_1013: grayware

  • av_1015: web shell

  • av_1016: mining software

  • login_0001: brute-force attack attempt

  • login_0002: successful brute-force attack

  • login_1001: successful login

  • login_1002: remote login

  • login_1003: weak password

  • malware_0001: shell change event

  • malware_0002: reverse shell event

  • malware_1001: malicious program

  • procdet_0001: abnormal process behavior

  • procdet_0002: process privilege escalation

  • crontab_0001: crontab script privilege escalation

  • crontab_0002: malicious path privilege escalation

  • procreport_0001: risky command

  • user_1001: account change

  • user_1002: risky account

  • vmescape_0001: VM sensitive command execution

  • vmescape_0002: access from virtualization process to sensitive file

  • vmescape_0003: abnormal VM port access

  • webshell_0001: web shell

  • network_1001: mining

  • network_1002: servers exploited to launch DDoS attacks

  • network_1003: malicious scan

  • network_1004: attack in sensitive areas

  • ransomware_0001: ransomware attack

  • ransomware_0002: ransomware attack

  • ransomware_0003: ransomware attack

  • fileless_0001: process injection

  • fileless_0002: dynamic library injection

  • fileless_0003: critical configuration change

  • fileless_0004: environment variable change

  • fileless_0005: memory file process

  • fileless_0006: VDSO hijacking

  • crontab_1001: suspicious crontab task

  • vul_exploit_0001: Redis vulnerability exploit

  • vul_exploit_0002: Hadoop vulnerability exploit

  • vul_exploit_0003: MySQL vulnerability exploit

  • rootkit_0001: suspicious rootkit file

  • rootkit_0002: suspicious kernel module

  • RASP_0004: web shell upload

  • RASP_0018: fileless web shell

  • blockexec_001: known ransomware attack

  • hips_0001: Windows Defender disabled

  • hips_0002: suspicious hacker tool

  • hips_0003: suspicious ransomware encryption behavior

  • hips_0004: hidden account creation

  • hips_0005: user password and credential reading

  • hips_0006: suspicious SAM file export

  • hips_0007: suspicious shadow copy deletion

  • hips_0008: backup file deletion

  • hips_0009: registry operation probably performed by ransomware

  • hips_0010: suspicious abnormal process

  • hips_0011: suspicious scan

  • hips_0012: suspicious ransomware script execution

  • hips_0013: suspicious mining command execution

  • hips_0014: suspicious Windows security center disabling

  • hips_0015: suspicious firewall disabling

  • hips_0016: suspicious disabling of system automatic recovery

  • hips_0017: executable file creation in Office

  • hips_0018: abnormal file creation with macros in Office

  • hips_0019: suspicious registry operation

  • hips_0020: Confluence remote code execution

  • hips_0021: MSDT remote code execution

  • portscan_0001: common port scan

  • portscan_0002: secret port scan

  • k8s_1001: Kubernetes event deletion

  • k8s_1002: privileged pod creation

  • k8s_1003: interactive shell used in pod

  • k8s_1004: pod created with sensitive directory

  • k8s_1005: pod created with server network

  • k8s_1006: pod created with host PID space

  • k8s_1007: authentication failure when common pods access API server

  • k8s_1008: API server access from common pod using cURL

  • k8s_1009: exec in system management space

  • k8s_1010: pod created in management space

  • k8s_1011: static pod creation

  • k8s_1012: DaemonSet creation

  • k8s_1013: scheduled cluster task creation

  • k8s_1014: operation on secrets

  • k8s_1015: allowed operation enumeration

  • k8s_1016: high privilege RoleBinding or ClusterRoleBinding

  • k8s_1017: ServiceAccount creation

  • k8s_1018: Cronjob creation

  • k8s_1019: interactive shell used for exec in pods

  • k8s_1020: unauthorized access to API server

  • k8s_1021: access to API server with curl

  • k8s_1022: Ingress vulnerability

  • k8s_1023: man-in-the-middle (MITM) attack

  • k8s_1024: worm, mining, or Trojan

  • k8s_1025: K8s event deletion

  • k8s_1026: SelfSubjectRulesReview

  • imgblock_0001: image blocking based on whitelist

  • imgblock_0002: image blocking based on blacklist

  • imgblock_0003: image tag blocking based on whitelist

  • imgblock_0004: image tag blocking based on blacklist

  • imgblock_0005: container creation blocked based on whitelist

  • imgblock_0006: container creation blocked based on blacklist

  • imgblock_0007: container mount proc

  • imgblock_0008: container seccomp unconfined

  • imgblock_0009: container privilege blocking

  • imgblock_0010: container capabilities blocking

Default Value

N/A

severity_list

No

Array of strings

Definition

Risk level.

Constraints

N/A

Range

  • Security

  • Low

  • Medium

  • High

  • Critical

Default Value

N/A

attack_tag

No

String

Definition

Attack tag.

Constraints

N/A

Range

  • attack_success: successful attack

  • attack_attempt: attack attempt

  • attack_blocked: attack blocked

  • abnormal_behavior: abnormal behavior

  • collapsible_host: server compromised

  • system_vulnerability: system vulnerability

Default Value

N/A

asset_value

No

String

Definition

Asset importance.

Constraints

N/A

Range

  • important

  • common

  • test

Default Value

N/A

tag_list

No

Array of strings

Event tag list, for example, ["hot event"].

att_ck

No

String

Definition

ATT&CK phase.

Constraints

N/A

Range

  • Reconnaissance

  • Initial Access

  • Execution

  • Persistence

  • Privilege Escalation

  • Defense Evasion

  • Credential Access

  • Command and Control

  • Impact

Default Value

N/A

event_name

No

String

Definition

Alarm name.

Constraints

N/A

Range

The value can contain 1 to 128 characters.

Default Value

N/A

auto_block

No

Boolean

Definition

Whether to automatically block alarms.

Constraints

N/A

Range

  • true: Automatically block alarms.

  • false: Do not automatically block alarms.

Default Value

N/A

Request Parameters

Table 3 Request header parameters

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

Definition

User token, which contains user identity and permissions. The token can be used for identity authentication when an API is called. For details about how to obtain the token, see Obtaining a User Token.

Constraints

N/A

Range

The value can contain 1 to 32,768 characters.

Default Value

N/A

region

No

String

Definition

Region ID, which is used to query assets in the required region. For details about how to obtain a region ID, see Obtaining a Region ID.

Constraints

N/A

Range

The value can contain 0 to 128 characters.

Default Value

N/A
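As an added example (not code from the Huawei Cloud documentation or SDK), the following Python builds a request for this URI and rejects, before any network call, arguments that violate the constraints in Tables 1 to 3: an unknown category, last_days combined with begin_time/end_time, a time value that is not a 13-digit millisecond timestamp, or offset/limit outside their ranges. The endpoint host and the repeated-key encoding of array parameters are assumptions, since the page states neither.

```python
"""Build and validate a request for GET /v5/{project_id}/event/events.

Constructed example, not code from the Huawei Cloud HSS SDK or docs. It
encodes the constraints of Tables 1 to 3 so that a malformed query is
rejected before it costs a round trip. The endpoint host is a placeholder:
the page does not give the service endpoint.
"""
from urllib.parse import urlencode

ENDPOINT = "https://hss.<region>.example.invalid"  # placeholder (assumption)

CATEGORIES = {"host", "container"}
SEVERITIES = {"Security", "Low", "Medium", "High", "Critical"}
HANDLE_STATUSES = {"unhandled", "handled"}
ATTACK_TAGS = {"attack_success", "attack_attempt", "attack_blocked",
               "abnormal_behavior", "collapsible_host", "system_vulnerability"}


def _check_len(name, value, lo, hi):
    if not lo <= len(value) <= hi:
        raise ValueError(f"{name}: must contain {lo} to {hi} characters")


def _check_range(name, value, lo, hi):
    if not lo <= value <= hi:
        raise ValueError(f"{name}: must be in the range {lo} to {hi}")


def build_event_query(project_id, token, category, *, region=None,
                      enterprise_project_id=None, last_days=None,
                      begin_time=None, end_time=None, offset=0, limit=10,
                      handle_status=None, attack_tag=None,
                      severity_list=None, event_types=None):
    """Return (url, headers, params) for a query that satisfies Tables 1 to 3."""
    _check_len("project_id", project_id, 1, 256)
    _check_len("X-Auth-Token", token, 1, 32_768)
    if category not in CATEGORIES:
        raise ValueError("category: must be 'host' or 'container'")

    # Time window: last_days (1 to 30) is mutually exclusive with begin_time/end_time.
    if last_days is not None and (begin_time is not None or end_time is not None):
        raise ValueError("last_days cannot be combined with begin_time/end_time")
    if last_days is not None:
        _check_range("last_days", last_days, 1, 30)
    for name, ts in (("begin_time", begin_time), ("end_time", end_time)):
        # "13 characters, accurate to milliseconds" is treated here as a
        # 13-digit millisecond epoch (assumption about the exact format).
        if ts is not None and not (len(ts) == 13 and ts.isdigit()):
            raise ValueError(f"{name}: expected a 13-digit millisecond timestamp")

    _check_range("offset", offset, 0, 2_000_000)
    _check_range("limit", limit, 10, 1_000)
    if handle_status is not None and handle_status not in HANDLE_STATUSES:
        raise ValueError("handle_status: must be 'unhandled' or 'handled'")
    if attack_tag is not None and attack_tag not in ATTACK_TAGS:
        raise ValueError(f"attack_tag: unknown tag {attack_tag!r}")
    if severity_list and set(severity_list) - SEVERITIES:
        raise ValueError(f"severity_list: unknown levels {sorted(set(severity_list) - SEVERITIES)}")
    if enterprise_project_id is not None:
        _check_len("enterprise_project_id", enterprise_project_id, 1, 256)

    params = {"category": category, "offset": offset, "limit": limit}
    optional = (("enterprise_project_id", enterprise_project_id),
                ("last_days", last_days), ("begin_time", begin_time),
                ("end_time", end_time), ("handle_status", handle_status),
                ("attack_tag", attack_tag), ("severity_list", severity_list),
                ("event_types", event_types))
    for key, value in optional:
        if value not in (None, [], ()):
            params[key] = value

    headers = {"X-Auth-Token": token}
    if region is not None:
        _check_len("region", region, 0, 128)
        headers["region"] = region

    # Array parameters are encoded as repeated keys (assumption: the page does
    # not state how the service expects arrays in the query string).
    query = urlencode(params, doseq=True)
    return f"{ENDPOINT}/v5/{project_id}/event/events?{query}", headers, params


def rejected(**kwargs):
    """True if build_event_query refuses the arguments (used for self-checks)."""
    try:
        build_event_query(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    url, headers, _ = build_event_query(
        "0123456789abcdef0123456789abcdef", "<token>", "host",
        last_days=7, limit=100, severity_list=["High", "Critical"],
        handle_status="unhandled")
    print(url)
    print({k: (v if k != "X-Auth-Token" else "<redacted>") for k, v in headers.items()})
```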

Response Parameters

Status code: 200

Table 4 Response body parameters

Parameter

Type

Description

total_num

Integer

Definition

Total number of alarm events.

Range

The value range is 0 to 2,147,483,647.

data_list

Array of EventManagementResponseInfo objects

Event list

Table 5 EventManagementResponseInfo

Parameter

Type

Description

event_id

String

Definition

Event ID.

Range

The value can contain 1 to 64 characters.

event_class_id

String

Definition

Event type.

Range

  • container_1001: container namespace

  • container_1002: container open port

  • container_1003: container security option

  • container_1004: container mount directory

  • containerescape_0001: high-risk system call

  • containerescape_0002: shocker attack

  • containerescape_0003: Dirty Cow attack

  • containerescape_0004: container file escape

  • dockerfile_001: modification of user-defined protected container file

  • dockerfile_002: modification of executable files in the container file system

  • dockerproc_001: abnormal container process

  • fileprotect_0001: file privilege escalation

  • fileprotect_0002: critical file change

  • fileprotect_0003: critical file path change

  • fileprotect_0004: file/directory change

  • av_1002: virus

  • av_1003: worm

  • av_1004: Trojan

  • av_1005: botnet

  • av_1006: backdoor

  • av_1007: spyware

  • av_1008: adware

  • av_1009: phishing

  • av_1010: rootkit

  • av_1011: ransomware

  • av_1012: hacker tool

  • av_1013: grayware

  • av_1015: web shell

  • av_1016: mining software

  • login_0001: brute-force attack attempt

  • login_0002: successful brute-force attack

  • login_1001: successful login

  • login_1002: remote login

  • login_1003: weak password

  • malware_0001: shell change event

  • malware_0002: reverse shell event

  • malware_1001: malicious program

  • procdet_0001: abnormal process behavior

  • procdet_0002: process privilege escalation

  • procreport_0001: risky command

  • user_1001: account change

  • user_1002: risky account

  • vmescape_0001: VM sensitive command execution

  • vmescape_0002: access from virtualization process to sensitive file

  • vmescape_0003: abnormal VM port access

  • webshell_0001: web shell

  • network_1001: mining

  • network_1002: servers exploited to launch DDoS attacks

  • network_1003: malicious scan

  • network_1004: attack in sensitive areas

  • ransomware_0001: ransomware attack

  • ransomware_0002: ransomware attack

  • ransomware_0003: ransomware attack

  • fileless_0001: process injection

  • fileless_0002: dynamic library injection

  • fileless_0003: critical configuration change

  • fileless_0004: environment variable change

  • fileless_0005: memory file process

  • fileless_0006: VDSO hijacking

  • crontab_1001: suspicious crontab task

  • vul_exploit_0001: Redis vulnerability exploit

  • vul_exploit_0002: Hadoop vulnerability exploit

  • vul_exploit_0003: MySQL vulnerability exploit

  • rootkit_0001: suspicious rootkit file

  • rootkit_0002: suspicious kernel module

  • RASP_0004: web shell upload

  • RASP_0018: fileless web shell

  • blockexec_001: known ransomware attack

  • hips_0001: Windows Defender disabled

  • hips_0002: suspicious hacker tool

  • hips_0003: suspicious ransomware encryption behavior

  • hips_0004: hidden account creation

  • hips_0005: user password and credential reading

  • hips_0006: suspicious SAM file export

  • hips_0007: suspicious shadow copy deletion

  • hips_0008: backup file deletion

  • hips_0009: registry operation probably performed by ransomware

  • hips_0010: suspicious abnormal process

  • hips_0011: suspicious scan

  • hips_0012: suspicious ransomware script execution

  • hips_0013: suspicious mining command execution

  • hips_0014: suspicious Windows security center disabling

  • hips_0015: suspicious firewall disabling

  • hips_0016: suspicious disabling of system automatic recovery

  • hips_0017: executable file creation in Office

  • hips_0018: abnormal file creation with macros in Office

  • hips_0019: suspicious registry operation

  • hips_0020: Confluence remote code execution

  • hips_0021: MSDT remote code execution

  • portscan_0001: common port scan

  • portscan_0002: secret port scan

  • k8s_1001: Kubernetes event deletion

  • k8s_1002: privileged pod creation

  • k8s_1003: interactive shell used in pod

  • k8s_1004: pod created with sensitive directory

  • k8s_1005: pod created with server network

  • k8s_1006: pod created with host PID space

  • k8s_1007: authentication failure when common pods access API server

  • k8s_1008: API server access from common pod using cURL

  • k8s_1009: exec in system management space

  • k8s_1010: pod created in management space

  • k8s_1011: static pod creation

  • k8s_1012: DaemonSet creation

  • k8s_1013: scheduled cluster task creation

  • k8s_1014: operation on secrets

  • k8s_1015: allowed operation enumeration

  • k8s_1016: high privilege RoleBinding or ClusterRoleBinding

  • k8s_1017: ServiceAccount creation

  • k8s_1018: Cronjob creation

  • k8s_1019: interactive shell used for exec in pods

  • k8s_1020: unauthorized access to API server

  • k8s_1021: access to API server with curl

  • k8s_1022: Ingress vulnerability

  • k8s_1023: man-in-the-middle (MITM) attack

  • k8s_1024: worm, mining, or Trojan

  • k8s_1025: K8s event deletion

  • k8s_1026: SelfSubjectRulesReview

  • imgblock_0001: image blocking based on whitelist

  • imgblock_0002: image blocking based on blacklist

  • imgblock_0003: image tag blocking based on whitelist

  • imgblock_0004: image tag blocking based on blacklist

  • imgblock_0005: container creation blocked based on whitelist

  • imgblock_0006: container creation blocked based on blacklist

  • imgblock_0007: container mount proc

  • imgblock_0008: container seccomp unconfined

  • imgblock_0009: container privilege blocking

  • imgblock_0010: container capabilities blocking

event_type

Integer

Definition

Event type.

Range

  • 1001: common malware

  • 1002: virus

  • 1003: worm

  • 1004: Trojan

  • 1005: botnet

  • 1006: backdoor

  • 1010: rootkit

  • 1011: ransomware

  • 1012: hacker tool

  • 1015: web shell

  • 1016: mining

  • 1017: reverse shell

  • 2001: common vulnerability exploit

  • 2012: remote code execution

  • 2047: Redis vulnerability exploit

  • 2048: Hadoop vulnerability exploit

  • 2049: MySQL vulnerability exploit

  • 3002: file privilege escalation

  • 3003: process privilege escalation

  • 3004: critical file change

  • 3005: file/directory change

  • 3007: abnormal process behavior

  • 3015: high-risk command execution

  • 3018: abnormal shell

  • 3027: suspicious crontab task

  • 3029: system protection disabled

  • 3030: backup deletion

  • 3031: suspicious registry operations

  • 3036: container image blocking

  • 4002: brute-force attack

  • 4004: abnormal login

  • 4006: invalid accounts

  • 4014: account added

  • 4020: password theft

  • 6002: port scan

  • 6003: server scan

  • 13001: Kubernetes event deletion

  • 13002: abnormal pod behavior

  • 13003: user information enumeration

  • 13004: cluster role binding

event_name

String

Definition

Event name.

Range

The value can contain 1 to 256 characters.

severity

String

Definition

Risk level.

Range

  • Security

  • Low

  • Medium

  • High

  • Critical

container_name

String

Definition

Container instance name. This parameter is available only for container alarms.

Range

The value can contain 1 to 256 characters.

image_name

String

Definition

Image name. This parameter is available only for container alarms.

Range

The value can contain 1 to 256 characters.

host_name

String

Definition

Server name.

Range

The value can contain 1 to 256 characters.

host_id

String

Definition

Server ID.

Range

The value can contain 1 to 64 characters.

private_ip

String

Definition

Server private IP address.

Range

The value can contain 1 to 128 characters.

public_ip

String

Definition

EIP.

Range

The value can contain 1 to 256 characters.

os_type

String

Definition

OS type.

Range

  • Linux

  • Windows

host_status

String

Definition

Server status.

Range

  • ACTIVE: running

  • SHUTOFF: shut down

  • BUILDING: creating

  • ERROR: faulty

agent_status

String

Definition

Agent status.

Range

  • installed

  • not_installed

  • online

  • offline

  • install_failed

  • installing

protect_status

String

Definition

Protection status.

Range

  • closed: not protected

  • opened: protected

asset_value

String

Definition

Asset importance.

Range

  • important

  • common

  • test

attack_phase

String

Definition

Attack phase.

Range

  • reconnaissance

  • weaponization

  • delivery

  • exploit

  • installation

  • command_and_control

  • actions

attack_tag

String

Definition

Attack tag.

Range

  • attack_success: successful attack

  • attack_attempt: attack attempt

  • attack_blocked: attack blocked

  • abnormal_behavior: abnormal behavior

  • collapsible_host: server compromised

  • system_vulnerability: system vulnerability

occur_time

Integer

Definition

Occurrence time, accurate to milliseconds.

Range

The value range is 0 to 9,223,372,036,854,775,807.

handle_time

Integer

Definition

Handling time, in milliseconds. This parameter is available only for handled alarms.

Range

The value range is 0 to 9,223,372,036,854,775,807.

handle_status

String

Definition

Handling status.

Range

  • unhandled

  • handled

handle_method

String

Definition

Handling method, which is available only for handled alarms.

Range

  • mark_as_handled: Mark as handled

  • ignore: Ignore

  • add_to_alarm_whitelist: Add to alarm whitelist

  • add_to_login_whitelist: Add to login whitelist

  • isolate_and_kill: Isolate and kill

handler

String

Definition

Remarks. This parameter is available only for handled alarms.

Range

The value can contain 1 to 256 characters.

operate_accept_list

Array of strings

Supported processing operation

operate_detail_list

Array of EventDetailResponseInfo objects

Operation details list (not displayed on the page)

forensic_info

Object

Attack information, in JSON format.

resource_info

EventResourceResponseInfo object

Resource information

geo_info

Object

Geographical location, in JSON format.

malware_info

Object

Malware information, in JSON format.

network_info

Object

Network information, in JSON format.

app_info

Object

Application information, in JSON format.

system_info

Object

System information, in JSON format.

extend_info

Object

Extended event information, in JSON format.

recommendation

String

Definition

Suggestion.

Range

The value can contain 1 to 256 characters.

description

String

Definition

Alarm description.

Range

The value contains 0 to 1,024 characters.

event_abstract

String

Definition

Alarm summary.

Range

The value can contain 0 to 512 characters.

process_info_list

Array of EventProcessResponseInfo objects

Process information list

user_info_list

Array of EventUserResponseInfo objects

User information list

file_info_list

Array of EventFileResponseInfo objects

File information list

event_details

String

Definition

Brief description of the event.

Range

The value can contain 0 to 204,800 characters.

tag_list

Array of strings

Tags

event_count

Integer

Definition

Event occurrences.

Range

The value range is 0 to 2,147,483,647.

Table 6 EventDetailResponseInfo

Parameter

Type

Description

agent_id

String

Definition

Agent ID.

Constraints

N/A

Range

The value can contain 1 to 64 characters.

Default Value

N/A

process_pid

Integer

Definition

Process ID.

Range

The value range is 0 to 2,147,483,647.

is_parent

Boolean

Definition

Whether a process is a parent process.

Range

  • true

  • false

file_hash

String

Definition

File hash.

Range

The value can contain 1 to 256 characters.

file_path

String

Definition

File path.

Range

The value can contain 1 to 256 characters.

file_attr

String

Definition

File attribute.

Range

The value can contain 1 to 256 characters.

private_ip

String

Definition

Server private IP address.

Range

The value can contain 1 to 128 characters.

login_ip

String

Definition

Login source IP address.

Range

The value can contain 1 to 256 characters.

login_user_name

String

Definition

Login username.

Range

The value can contain 1 to 256 characters.

keyword

String

Alarm event keyword, which is used only for the alarm whitelist.

hash

String

Alarm event hash, which is used only for the alarm whitelist.

Table 7 EventResourceResponseInfo

Parameter

Type

Description

domain_id

String

Definition

Tenant account ID.

Range

The value can contain 1 to 256 characters.

project_id

String

Definition

Project ID.

Range

The value can contain 1 to 256 characters.

enterprise_project_id

String

Definition

Enterprise project ID.

Range

The value can contain 1 to 256 characters.

region_name

String

Definition

Region name.

Range

The value can contain 1 to 256 characters.

vpc_id

String

Definition

VPC ID.

Range

The value can contain 1 to 256 characters.

cloud_id

String

Definition

Server ID.

Range

The value can contain 1 to 256 characters.

vm_name

String

Definition

VM name.

Range

The value can contain 1 to 256 characters.

vm_uuid

String

Definition

VM UUID, that is, the server ID.

Range

The value can contain 1 to 256 characters.

container_id

String

Definition

Container ID.

Range

The value can contain 1 to 256 characters.

container_status

String

Definition

Container status.

Range

The value can contain 1 to 256 characters.

pod_uid

String

Definition

Pod UID.

Range

The value can contain 1 to 256 characters.

pod_name

String

Definition

Pod name.

Range

The value can contain 1 to 256 characters.

namespace

String

Definition

Namespace.

Range

The value can contain 1 to 256 characters.

cluster_id

String

Definition

Cluster ID.

Range

The value can contain 1 to 256 characters.

cluster_name

String

Definition

Cluster name.

Range

The value can contain 1 to 256 characters.

image_id

String

Definition

Image ID.

Range

The value can contain 1 to 256 characters.

image_name

String

Definition

Image name.

Range

The value can contain 1 to 256 characters.

host_attr

String

Definition

Server attribute.

Range

The value can contain 1 to 256 characters.

service

String

Definition

Service.

Range

The value can contain 1 to 256 characters.

micro_service

String

Definition

Microservice.

Range

The value can contain 1 to 256 characters.

sys_arch

String

Definition

System CPU architecture.

Range

The value can contain 1 to 256 characters.

os_bit

String

Definition

OS bit version.

Range

The value can contain 1 to 256 characters.

os_type

String

Definition

OS type.

Range

The value can contain 1 to 256 characters.

os_name

String

Definition

OS name.

Range

The value can contain 1 to 256 characters.

os_version

String

Definition

OS version.

Range

The value can contain 1 to 256 characters.

Table 8 EventProcessResponseInfo

Parameter

Type

Description

process_name

String

Definition

Process name.

Range

The value can contain 1 to 256 characters.

process_path

String

Definition

Process file path.

Range

The value can contain 1 to 256 characters.

process_pid

Integer

Definition

Process ID.

Range

The value range is 0 to 2,147,483,647.

process_uid

Integer

Definition

Process user ID.

Range

The value range is 0 to 2,147,483,647.

process_username

String

Definition

Process username.

Range

The value can contain 1 to 256 characters.

process_cmdline

String

Definition

Process file command line.

Range

The value can contain 1 to 256 characters.

process_filename

String

Definition

Process file name.

Range

The value can contain 1 to 256 characters.

process_start_time

Long

Definition

Process start time.

Range

The value range is 0 to 9,223,372,036,854,775,807.

process_gid

Integer

Definition

Process group ID.

Range

The value range is 0 to 2,147,483,647.

process_egid

Integer

Definition

Effective process group ID.

Range

The value range is 0 to 2,147,483,647.

process_euid

Integer

Definition

Effective process user ID.

Range

The value range is 0 to 2,147,483,647.

ancestor_process_path

String

Definition

Grandparent process file path.

Range

The value can contain 1 to 256 characters.

ancestor_process_pid

Integer

Definition

Grandparent process ID.

Range

The value range is 0 to 2,147,483,647.

ancestor_process_cmdline

String

Definition

Grandparent process file command line.

Range

The value can contain 1 to 512 characters.

parent_process_name

String

Definition

Parent process name.

Range

The value can contain 1 to 256 characters.

parent_process_path

String

Definition

Parent process file path.

Range

The value can contain 1 to 256 characters.

parent_process_pid

Integer

Definition

Parent process ID.

Range

The value range is 0 to 2,147,483,647.

parent_process_uid

Integer

Definition

Parent process user ID.

Range

The value range is 0 to 2,147,483,647.

parent_process_cmdline

String

Definition

Parent process file command line. Range: 1 to 512 characters.

parent_process_filename | String | Parent process file name. Range: 1 to 256 characters.
parent_process_start_time | Long | Parent process start time. Range: 0 to 9,223,372,036,854,775,807.
parent_process_gid | Integer | Parent process group ID. Range: 0 to 2,147,483,647.
parent_process_egid | Integer | Effective parent process group ID. Range: 0 to 2,147,483,647.
parent_process_euid | Integer | Effective parent process user ID. Range: 0 to 2,147,483,647.
child_process_name | String | Subprocess name. Range: 1 to 256 characters.
child_process_path | String | Subprocess file path. Range: 1 to 256 characters.
child_process_pid | Integer | Subprocess ID. Range: 0 to 2,147,483,647.
child_process_uid | Integer | User ID associated with the subprocess. Range: 0 to 2,147,483,647.
child_process_cmdline | String | Subprocess file command line. Range: 1 to 256 characters.
child_process_filename | String | Subprocess file name. Range: 1 to 256 characters.
child_process_start_time | Long | Subprocess start time. Range: 0 to 9,223,372,036,854,775,807.
child_process_gid | Integer | Subprocess group ID. Range: 0 to 2,147,483,647.
child_process_egid | Integer | Effective subprocess group ID. Range: 0 to 2,147,483,647.
child_process_euid | Integer | Effective subprocess user ID. Range: 0 to 2,147,483,647.
virt_cmd | String | Virtualization command. Range: 1 to 256 characters.
virt_process_name | String | Virtualization process name. Range: 1 to 256 characters.
escape_mode | String | Escape method. Range: 1 to 256 characters.
escape_cmd | String | Commands executed after escape. Range: 1 to 256 characters.
process_hash | String | Process startup file hash. Range: 1 to 256 characters.
process_file_hash | String | Process file hash. Range: 1 to 256 characters.
parent_process_file_hash | String | Hash of the parent process file. Range: 1 to 256 characters.
block | Integer | Whether blocking succeeded. 1: yes; 0: no.

Table 9 EventUserResponseInfo

Parameter | Type | Description
user_id | Integer | User ID (UID). Range: 0 to 2,147,483,647.
user_gid | Integer | User GID. Range: 0 to 2,147,483,647.
user_name | String | Username. Range: 1 to 256 characters.
user_group_name | String | User group name. Range: 1 to 256 characters.
user_home_dir | String | User home directory. Range: 1 to 256 characters.
login_ip | String | User login IP address. Range: 1 to 256 characters.
service_type | String | Service type. Range: system, mysql, redis.
service_port | Integer | Login service port. Range: 0 to 2,147,483,647.
login_mode | Integer | Login mode. Range: 0 to 2,147,483,647.
login_last_time | Long | Last login time of a user. Range: 0 to 9,223,372,036,854,775,807.
login_fail_count | Integer | Number of failed login attempts. Range: 0 to 2,147,483,647.
pwd_hash | String | Password hash. Range: 1 to 256 characters.
pwd_with_fuzzing | String | Anonymized password. Range: 1 to 256 characters.
pwd_used_days | Integer | Password age (days). Range: 0 to 2,147,483,647.
pwd_min_days | Integer | Minimum password validity period. Range: 0 to 2,147,483,647.
pwd_max_days | Integer | Maximum password validity period. Range: 0 to 2,147,483,647.
pwd_warn_left_days | Integer | Advance warning of password expiration (days). Range: 0 to 2,147,483,647.

Table 10 EventFileResponseInfo

Parameter | Type | Description
file_path | String | File path. Range: 1 to 256 characters.
file_alias | String | File alias. Range: 1 to 256 characters.
file_size | Integer | File size. Range: 0 to 2,147,483,647.
file_mtime | Long | Time when the file was last modified. Range: 0 to 9,223,372,036,854,775,807.
file_atime | Long | Time when the file was last accessed. Range: 0 to 9,223,372,036,854,775,807.
file_ctime | Long | Time when the file status was last changed. Range: 0 to 9,223,372,036,854,775,807.
file_hash | String | File hash. Currently a SHA256 digest. Range: 1 to 256 characters.
file_md5 | String | File MD5 value. Range: 1 to 256 characters.
file_sha256 | String | SHA256 value of the file. Range: 1 to 256 characters.
file_type | String | File type. Range: 1 to 256 characters.
file_content | String | File content. Range: 1 to 256 characters.
file_attr | String | File attribute. Range: 1 to 256 characters.
file_operation | Integer | File operation type. Range: 0 to 2,147,483,647.
file_action | String | File action. Range: 1 to 256 characters.
file_change_attr | String | Old/new attribute. Range: 1 to 256 characters.
file_new_path | String | New file path. Range: 1 to 256 characters.
file_desc | String | File description. Range: 1 to 256 characters.
file_key_word | String | File keyword. Range: 1 to 256 characters.
is_dir | Boolean | Whether it is a directory. Range: true, false.
fd_info | String | File handle information. Range: 1 to 256 characters.
fd_count | Integer | Number of file handles. Range: 0 to 2,147,483,647.

Example Requests

Query the first 50 unprocessed server events whose enterprise project is xxx.

GET https://{endpoint}/v5/{project_id}/event/events?offset=0&limit=50&handle_status=unhandled&category=host&enterprise_project_id=xxx

Example Responses

Status code: 200

Request succeeded.

{
  "total_num" : 1,
  "data_list" : [ {
    "attack_phase" : "exploit",
    "attack_tag" : "abnormal_behavior",
    "event_class_id" : "lgin_1002",
    "event_id" : "d8a12cf7-6a43-4cd6-92b4-aabf1e917",
    "event_name" : "different locations",
    "event_type" : 4004,
    "forensic_info" : {
      "country" : "China",
      "city" : "Lanzhou",
      "ip" : "127.0.0.1",
      "user" : "zhangsan",
      "sub_division" : "Gansu",
      "city_id" : 3110
    },
    "handle_status" : "unhandled",
    "host_name" : "xxx",
    "occur_time" : 1661593036627,
    "operate_accept_list" : [ "ignore" ],
    "operate_detail_list" : [ {
      "agent_id" : "c9bed5397db449ebdfba15e85fcfc36accee125c68954daf5cab0528bab59bd8",
      "file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "file_path" : "/usr/test",
      "process_pid" : 3123,
      "file_attr" : 33261,
      "keyword" : "file_path=/usr/test",
      "hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "login_ip" : "127.0.0.1",
      "private_ip" : "127.0.0.2",
      "login_user_name" : "root",
      "is_parent" : false
    } ],
    "private_ip" : "127.0.0.1",
    "resource_info" : {
      "region_name" : "",
      "project_id" : "",
      "enterprise_project_id" : "0",
      "os_type" : "Linux",
      "os_version" : "2.5",
      "vm_name" : "",
      "vm_uuid" : "71a15ecc",
      "cloud_id" : "",
      "container_id" : "",
      "container_status" : "running / terminated",
      "image_id" : "",
      "pod_uid" : "",
      "pod_name" : "",
      "namespace" : "",
      "cluster_id" : "",
      "cluster_name" : ""
    },
    "severity" : "Medium",
    "extend_info" : "",
    "os_type" : "Linux",
    "agent_status" : "online",
    "asset_value" : "common",
    "protect_status" : "opened",
    "host_status" : "ACTIVE",
    "event_details" : "file_path:/root/test",
    "user_info_list" : [ {
      "login_ip" : "",
      "service_port" : 22,
      "service_type" : "ssh",
      "user_name" : "zhangsan",
      "login_mode" : 0,
      "login_last_time" : 1661593024,
      "login_fail_count" : 0
    } ],
    "process_info_list" : [ {
      "process_path" : "/root/test",
      "process_name" : "test",
      "process_cmdline" : "/bin/bash",
      "process_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "process_filename" : "test",
      "process_file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "process_username" : "root",
      "process_pid" : 372612,
      "process_uid" : 10000,
      "process_gid" : 10000,
      "process_egid" : 10000,
      "process_euid" : 10000,
      "process_start_time" : 1661593024,
      "block" : 0,
      "parent_process_path" : "/usr/bin/bash",
      "parent_process_name" : "test",
      "parent_process_cmdline" : "/bin/bash",
      "parent_process_filename" : "test",
      "parent_process_file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "parent_process_pid" : 372612,
      "parent_process_uid" : 10000,
      "parent_process_gid" : 10000,
      "parent_process_egid" : 10000,
      "parent_process_euid" : 10000,
      "parent_process_start_time" : 1661593024,
      "child_process_path" : "/usr/bin/bash",
      "child_process_name" : "test",
      "child_process_cmdline" : "/bin/bash",
      "child_process_filename" : "test",
      "child_process_pid" : 372612,
      "child_process_uid" : 10000,
      "child_process_gid" : 10000,
      "child_process_egid" : 10000,
      "child_process_euid" : 10000,
      "child_process_start_time" : 1661593024,
      "virt_process_name" : "test",
      "virt_cmd" : "/bin/bash",
      "escape_cmd" : "/bin/bash",
      "escape_mode" : "0",
      "ancestor_process_pid" : 372612,
      "ancestor_process_cmdline" : "/bin/bash",
      "ancestor_process_path" : "/usr/bin/bash"
    } ],
    "description" : "",
    "event_abstract" : "",
    "tag_list" : [ "Hot Event" ]
  } ]
}
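As an added example, not taken from the Huawei Cloud documentation or SDK, the following Python helper turns an already-decoded response shaped like the one above into triage rows (who logged in, the parent/process/child lineage, file hashes to check against your allowlist, and whether the event still needs action) and computes the next page offset for the offset/limit pagination used in the example request. It assumes only the field names shown in the example response, and, judging from the sample values, that occur_time is in epoch milliseconds while login_last_time is in seconds.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: a trimmed, already-decoded copy of this page's example response, not live API output.
SAMPLE_BODY = {"total_num": 1, "data_list": [{
    "event_id": "d8a12cf7-6a43-4cd6-92b4-aabf1e917", "event_name": "different locations",
    "severity": "Medium", "handle_status": "unhandled", "host_name": "xxx",
    "occur_time": 1661593036627,
    "user_info_list": [{"user_name": "zhangsan", "service_type": "ssh",
                        "service_port": 22, "login_last_time": 1661593024}],
    "process_info_list": [{
        "parent_process_path": "/usr/bin/bash", "parent_process_pid": 372612,
        "process_path": "/root/test", "process_pid": 372612, "block": 0,
        "process_file_hash": "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
        "child_process_path": "/usr/bin/bash", "child_process_pid": 372612}]}]}

def ms_to_iso(ms):
    """occur_time is epoch milliseconds (login_last_time is seconds); integer math avoids float rounding."""
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return (base + timedelta(milliseconds=ms % 1000)).isoformat()

def lineage(proc):
    """Render parent -> process -> child as 'path(pid)' hops, skipping hops with no path."""
    hops = []
    for prefix in ("parent_process", "process", "child_process"):
        path = proc.get(f"{prefix}_path")
        if path:
            hops.append(f"{path}({proc.get(f'{prefix}_pid')})")
    return " -> ".join(hops)

def triage(body):
    """One row per event with what an analyst needs for follow-up.
    needs_action is True while the event is unhandled and none of its processes was blocked."""
    rows = []
    for ev in body.get("data_list", []):
        procs = ev.get("process_info_list") or []
        users = ev.get("user_info_list") or []
        rows.append({
            "event_id": ev["event_id"], "severity": ev.get("severity"), "host": ev.get("host_name"),
            "occurred": ms_to_iso(ev["occur_time"]),
            "logins": sorted({f"{u.get('service_type')}:{u.get('service_port')}" for u in users}),
            "lineage": [lineage(p) for p in procs],
            "file_hashes": sorted({p["process_file_hash"] for p in procs if p.get("process_file_hash")}),
            "needs_action": ev.get("handle_status") == "unhandled" and not any(p.get("block") == 1 for p in procs),
        })
    return rows

def next_offset(body, offset, limit):
    """Pagination with offset/limit as in the example request; None once total_num is exhausted."""
    nxt = offset + limit
    return nxt if nxt < body.get("total_num", 0) else None
```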

SDK Sample Code

The SDK sample code is as follows.

package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.hss.v5.region.HssRegion;
import com.huaweicloud.sdk.hss.v5.*;
import com.huaweicloud.sdk.hss.v5.model.*;


public class ListSecurityEventsSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        HssClient client = HssClient.newBuilder()
                .withCredential(auth)
                .withRegion(HssRegion.valueOf("<YOUR REGION>"))
                .build();
        // category is a mandatory query parameter; "host" selects server security events, as in the example request above.
        ListSecurityEventsRequest request = new ListSecurityEventsRequest();
        request.withCategory("host");
        try {
            ListSecurityEventsResponse response = client.listSecurityEvents(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkhss.v5.region.hss_region import HssRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkhss.v5 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = HssClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(HssRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        # category is a mandatory query parameter; "host" selects server security events, as in the example request above.
        request = ListSecurityEventsRequest()
        request.category = "host"
        response = client.list_security_events(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

package main

import (
	"fmt"
	"os"

	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
	hss "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/model"
	region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/region"
)

func main() {
	// The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
	// In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
	ak := os.Getenv("CLOUD_SDK_AK")
	sk := os.Getenv("CLOUD_SDK_SK")
	projectId := "{project_id}"

	auth := basic.NewCredentialsBuilder().
		WithAk(ak).
		WithSk(sk).
		WithProjectId(projectId).
		Build()

	client := hss.NewHssClient(
		hss.HssClientBuilder().
			WithRegion(region.ValueOf("<YOUR REGION>")).
			WithCredential(auth).
			Build())

	// category is a mandatory query parameter; "host" selects server security events, as in the example request above.
	request := &model.ListSecurityEventsRequest{Category: "host"}
	response, err := client.ListSecurityEvents(request)
	if err == nil {
		fmt.Printf("%+v\n", response)
	} else {
		fmt.Println(err)
	}
}

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

Status Code

Description

200

Request succeeded.

Error Codes

See Error Codes.