Querying the Statistics of ATT&CK Phases

Function

This API is used to query statistics of ATT&CK phases.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
If you are using identity policy-based authorization, no identity policy-based permission required for calling this API.

URI

GET /v5/{project_id}/event/att-ck

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Definition Project ID, which is used to specify the project that an asset belongs to. After the project ID is configured, you can query assets in the project using the project ID. For details about how to obtain it, see Obtaining a Project ID. Constraints N/A Range Length: 1 to 256 characters Default Value N/A

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	Definition Enterprise project ID, which is used to filter assets in different enterprise projects. For details, see Obtaining an Enterprise Project ID. To query assets in all enterprise projects, set this parameter to all_granted_eps. Constraints You need to set this parameter only after the enterprise project function is enabled. Range Length: 1 to 256 characters Default Value 0: default enterprise project.
last_days	No	Integer	Definition Number of days to be queried. This parameter is manually exclusive with begin_time and end_time. Constraints N/A Range Minimum value: 1; maximum value: 30 Default Value N/A
category	Yes	String	Definition Event type. Constraints N/A Range host: server security event container: container security event serverless: serverless security event Default Value N/A
host_name	No	String	Definition Server name. Constraints N/A Range Length: 1 to 256 characters Default Value N/A
host_id	No	String	Definition Server ID. Constraints N/A Range Length: 1 to 256 characters Default Value N/A
private_ip	No	String	Definition Server private IP address. Constraints N/A Range Length: 1 to 256 characters Default Value N/A
public_ip	No	String	Definition Server EIP. Constraints N/A Range Length: 1 to 256 characters Default Value N/A
container_name	No	String	Definition Container instance name. Constraints N/A Range Length: 1 to 512 characters Default Value N/A
event_type	No	Integer	Definition Event type. Constraints N/A Range 1001: common malware 1002: virus 1003: worm 1004: Trojan 1005: Botnet 1006: backdoor 1010: Rootkit 1011: Ransomware 1012: hacker tool 1015: Webshell 1016: mining 1017: reverse shell 2001: common vulnerability exploit 2012: remote code execution 2047: Redis vulnerability exploit 2048: Hadoop vulnerability exploit 2049: MySQL vulnerability exploit 3002: file privilege escalation 3003: process privilege escalation 3004: critical file change 3005: file/directory change 3007: abnormal process behavior 3015: high-risk command execution 3018: abnormal shell 3026: crontab privilege escalation 3027: crontab suspicious task 3029: system protection disabled 3030: backup deletion 3031: abnormal registry operation 3036: container image blocking 4002: brute-force attack 4004: abnormal login 4006: invalid system account 4014: account added 4020: password theft 6002: port scan 6003: server scan 13001: Kubernetes event deletion 13002: abnormal pod behavior 13003: user information enumeration 13004: cluster role binding Default Value N/A
handle_status	No	String	Definition Handling status. Constraints N/A Range unhandled: unhandled handled: handled Default Value N/A
severity	No	String	Definition Risk level. Constraints N/A Range Security: security Low: low-risk Medium: medium-risk High: high-risk Critical: critical Default Value N/A
severity_list	No	Array of strings	Definition Risk level. Constraints N/A Range Security: security Low: low-risk Medium: medium-risk High: high-risk Critical: critical Default Value N/A
attack_tag	No	String	Definition Attack tag. Constraints N/A Range attack_success: The attack is successful. attack_attempt: attack attempt attack_blocked: The attack is blocked. abnormal_behavior: abnormal behavior collapsible_host: The server is compromised. system_vulnerability: system vulnerability Default Value N/A
asset_value	No	String	Definition Asset importance. Constraints N/A Range important common test Default Value N/A
tag_list	No	Array of strings	Event tag list, for example, ["hot event"].
event_name	No	String	Definition Alarm name Constraints N/A Range Length: 1 to 128 characters Default Value N/A

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	Definition User token, which contains user identity and permissions. The token can be used for identity authentication when an API is called. For details about how to obtain the token, see Obtaining a User Token. Constraints N/A Range Length: 1 to 32768 characters Default Value N/A
region	Yes	String	Definition Region ID, which is used to query assets in the required region. For details about how to obtain a region ID, see Obtaining a Region ID. Constraints N/A Range Length: 0 to 128 characters Default Value N/A

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
data_list	Array of EventAttCkDetailResponseInfo objects	Attack phase details

**Table 5** EventAttCkDetailResponseInfo
Parameter	Type	Description
att_ck	String	Definition Attack phase name. Chinese or English is returned based on the locale of the page. Range Length: 1 to 64 characters
num	Integer	Definition Quantity. Range Minimum value: 0; maximum value: 2147483647

Example Requests

None

Example Responses

Status code: 200

Request succeeded.

{
  "data_list" : [ {
    "att_ck" : "Privilege escalation",
    "num" : 10
  } ]
}

Status Codes

Status Code	Description
200	Request succeeded.

Error Codes

See Error Codes.

Parent Topic: Event Management

Previous topic: Downloading Export Files

Next topic: Querying the Attack Identifier Distribution Statistics List

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot