Querying the Detected Intrusion List
Function
This API is used to query the detected intrusion list.
Calling Method
For details, see Calling APIs.
URI
GET /v5/{project_id}/event/events
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
project_id |
Yes |
String |
Project ID |
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
category |
Yes |
String |
Event category. Its value can be:
|
|
enterprise_project_id |
No |
String |
Enterprise project ID. To query all enterprise projects, set this parameter to all_granted_eps. |
|
last_days |
No |
Integer |
Number of days to be queried. This parameter is mutually exclusive with begin_time and end_time. |
|
host_name |
No |
String |
Server name |
|
host_id |
No |
String |
Host ID |
|
private_ip |
No |
String |
Server IP address |
|
public_ip |
No |
String |
Server public IP address |
|
container_name |
No |
String |
Container instance name |
|
offset |
No |
Integer |
Offset, which specifies the start position of the record to be returned. |
|
limit |
No |
Integer |
Number of records displayed on each page |
|
event_types |
No |
Array of integers |
Event type. Its value can be:
|
|
handle_status |
No |
String |
Status. Its value can be:
|
|
severity |
No |
String |
Threat level. Its value can be:
|
|
begin_time |
No |
String |
Customized start time of a segment. The timestamp is accurate to seconds. The begin_time should be no more than two days earlier than the end_time. This parameter is mutually exclusive with the queried duration. |
|
end_time |
No |
String |
Customized end time of a segment. The timestamp is accurate to seconds. The begin_time should be no more than two days earlier than the end_time. This parameter is mutually exclusive with the queried duration. |
|
event_class_ids |
No |
Array of strings |
Event ID. Its value can be:
|
|
severity_list |
No |
Array of strings |
Threat level. The options are as follows:
|
|
attack_tag |
No |
String |
Indicates the attack flag. The options are as follows:
|
|
asset_value |
No |
String |
Asset importance. The options are as follows:
|
|
tag_list |
No |
Array of strings |
Event tag list, for example, ["hot event"]. |
|
att_ck |
No |
String |
ATT&CK attack stage, including:
|
|
event_name |
No |
String |
Alarm name |
Request Parameters
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
X-Auth-Token |
Yes |
String |
User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token. |
|
region |
Yes |
String |
Region ID |
Response Parameters
Status code: 200
|
Parameter |
Type |
Description |
|---|---|---|
|
total_num |
Integer |
Total number of alarm events |
|
data_list |
Array of EventManagementResponseInfo objects |
Event list |
|
Parameter |
Type |
Description |
|---|---|---|
|
event_id |
String |
Event ID |
|
event_class_id |
String |
Event category. Its value can be:
|
|
event_type |
Integer |
Event type. Its value can be:
|
|
event_name |
String |
Event name |
|
severity |
String |
Threat level. Its value can be:
|
|
container_name |
String |
Container instance name. This parameter is available only for container alarms. |
|
image_name |
String |
Image name. This parameter is available only for container alarms. |
|
host_name |
String |
Server name |
|
host_id |
String |
Host ID |
|
private_ip |
String |
Server private IP address |
|
public_ip |
String |
Elastic IP address |
|
os_type |
String |
OS type. Its value can be:
|
|
host_status |
String |
Server status. The options are as follows:
|
|
agent_status |
String |
Agent status. Its value can be:
|
|
protect_status |
String |
Protection status. Its value can be:
|
|
asset_value |
String |
Asset importance. The options are as follows:
|
|
attack_phase |
String |
Attack phase. Its value can be:
|
|
attack_tag |
String |
Attack tag. Its value can be:
|
|
occur_time |
Integer |
Occurrence time, accurate to milliseconds. |
|
handle_time |
Integer |
Handling time, in milliseconds. This parameter is available only for handled alarms. |
|
handle_status |
String |
Processing status. Its value can be:
|
|
handle_method |
String |
Handling method. This parameter is available only for handled alarms. The options are as follows:
|
|
handler |
String |
Remarks. This parameter is available only for handled alarms. |
|
operate_accept_list |
Array of strings |
Supported processing operation |
|
operate_detail_list |
Array of EventDetailResponseInfo objects |
Operation details list (not displayed on the page) |
|
forensic_info |
Object |
Attack information, in JSON format. |
|
resource_info |
EventResourceResponseInfo object |
Resource information |
|
geo_info |
Object |
Geographical location, in JSON format. |
|
malware_info |
Object |
Malware information, in JSON format. |
|
network_info |
Object |
Network information, in JSON format. |
|
app_info |
Object |
Application information, in JSON format. |
|
system_info |
Object |
System information, in JSON format. |
|
extend_info |
Object |
Extended event information, in JSON format |
|
recommendation |
String |
Handling suggestions |
|
description |
String |
Alarm description |
|
event_abstract |
String |
Event abstract |
|
process_info_list |
Array of EventProcessResponseInfo objects |
Process information list |
|
user_info_list |
Array of EventUserResponseInfo objects |
User information list |
|
file_info_list |
Array of EventFileResponseInfo objects |
File information list |
|
event_details |
String |
Brief description of the event. |
|
tag_list |
Array of strings |
Tags |
|
event_count |
Integer |
Event occurrences |
|
Parameter |
Type |
Description |
|---|---|---|
|
agent_id |
String |
Agent ID |
|
process_pid |
Integer |
Process ID |
|
is_parent |
Boolean |
Whether a process is a parent process |
|
file_hash |
String |
File hash |
|
file_path |
String |
File path |
|
file_attr |
String |
File attribute |
|
private_ip |
String |
Server private IP address |
|
login_ip |
String |
Login source IP address |
|
login_user_name |
String |
Login username |
|
keyword |
String |
Alarm event keyword, which is used only for the alarm whitelist. |
|
hash |
String |
Alarm event hash, which is used only for the alarm whitelist. |
|
Parameter |
Type |
Description |
|---|---|---|
|
domain_id |
String |
User account ID |
|
project_id |
String |
Project ID |
|
enterprise_project_id |
String |
Enterprise project ID |
|
region_name |
String |
Region name |
|
vpc_id |
String |
VPC ID |
|
cloud_id |
String |
ECS ID |
|
vm_name |
String |
VM name |
|
vm_uuid |
String |
VM UUID, that is, the server ID |
|
container_id |
String |
Container ID |
|
container_status |
String |
Container status |
|
pod_uid |
String |
pod uid |
|
pod_name |
String |
pod name |
|
namespace |
String |
namespace |
|
cluster_id |
String |
Cluster ID |
|
cluster_name |
String |
Cluster name |
|
image_id |
String |
Image ID |
|
image_name |
String |
Image name |
|
host_attr |
String |
Host attribute |
|
service |
String |
Service |
|
micro_service |
String |
Microservice |
|
sys_arch |
String |
System CPU architecture |
|
os_bit |
String |
OS bit version |
|
os_type |
String |
OS type |
|
os_name |
String |
OS name |
|
os_version |
String |
OS version |
|
Parameter |
Type |
Description |
|---|---|---|
|
process_name |
String |
Process name |
|
process_path |
String |
Process file path |
|
process_pid |
Integer |
Process ID |
|
process_uid |
Integer |
Process user ID |
|
process_username |
String |
Process username |
|
process_cmdline |
String |
Process file command line |
|
process_filename |
String |
Process file name |
|
process_start_time |
Long |
Process start time |
|
process_gid |
Integer |
Process group ID |
|
process_egid |
Integer |
Valid process group ID |
|
process_euid |
Integer |
Valid process user ID |
|
ancestor_process_path |
String |
Grandparent process file path |
|
ancestor_process_pid |
Integer |
Grandfather process ID |
|
ancestor_process_cmdline |
String |
Grandparent process file command line |
|
parent_process_name |
String |
Parent process name |
|
parent_process_path |
String |
Parent process file path |
|
parent_process_pid |
Integer |
Parent process ID |
|
parent_process_uid |
Integer |
Parent process user ID |
|
parent_process_cmdline |
String |
Parent process file command line |
|
parent_process_filename |
String |
Parent process file name |
|
parent_process_start_time |
Long |
Parent process start time |
|
parent_process_gid |
Integer |
Parent process group ID |
|
parent_process_egid |
Integer |
Valid parent process group ID |
|
parent_process_euid |
Integer |
Valid parent process user ID |
|
child_process_name |
String |
Subprocess name |
|
child_process_path |
String |
Subprocess file path |
|
child_process_pid |
Integer |
Subprocess ID |
|
child_process_uid |
Integer |
Subprocess user ID |
|
child_process_cmdline |
String |
Subprocess file command line |
|
child_process_filename |
String |
Subprocess file name |
|
child_process_start_time |
Long |
Subprocess start time |
|
child_process_gid |
Integer |
Subprocess group ID |
|
child_process_egid |
Integer |
Valid subprocess group ID |
|
child_process_euid |
Integer |
Valid subprocess user ID |
|
virt_cmd |
String |
Virtualization command |
|
virt_process_name |
String |
Virtualization process name |
|
escape_mode |
String |
Escape mode |
|
escape_cmd |
String |
Commands executed after escape |
|
process_hash |
String |
Process startup file hash |
|
process_file_hash |
String |
Process file hash |
|
parent_process_file_hash |
String |
Parent process file hash |
|
block |
Integer |
Indicates whether the blocking is successful. 1: yes 0: no |
|
Parameter |
Type |
Description |
|---|---|---|
|
user_id |
Integer |
User UID |
|
user_gid |
Integer |
User GID |
|
user_name |
String |
User name |
|
user_group_name |
String |
User group name |
|
user_home_dir |
String |
User home directory |
|
login_ip |
String |
User login IP address |
|
service_type |
String |
Service type. The options are as follows:
|
|
service_port |
Integer |
Login service port |
|
login_mode |
Integer |
Login mode |
|
login_last_time |
Long |
Last login time |
|
login_fail_count |
Integer |
Number of failed login attempts |
|
pwd_hash |
String |
Password hash |
|
pwd_with_fuzzing |
String |
Masked password |
|
pwd_used_days |
Integer |
Password age (days) |
|
pwd_min_days |
Integer |
Minimum password validity period |
|
pwd_max_days |
Integer |
Maximum password validity period |
|
pwd_warn_left_days |
Integer |
Advance warning of password expiration (days) |
|
Parameter |
Type |
Description |
|---|---|---|
|
file_path |
String |
File path |
|
file_alias |
String |
File alias |
|
file_size |
Integer |
File size |
|
file_mtime |
Long |
Time when a file was last modified |
|
file_atime |
Long |
Time when a file was last accessed |
|
file_ctime |
Long |
Time when the status of a file was last changed |
|
file_hash |
String |
The hash value calculated using the SHA256 algorithm. |
|
file_md5 |
String |
File MD5 |
|
file_sha256 |
String |
File SHA256 |
|
file_type |
String |
File type |
|
file_content |
String |
File content |
|
file_attr |
String |
File attribute |
|
file_operation |
Integer |
File operation type |
|
file_action |
String |
File action |
|
file_change_attr |
String |
Old/New attribute |
|
file_new_path |
String |
New file path |
|
file_desc |
String |
File description |
|
file_key_word |
String |
File keyword |
|
is_dir |
Boolean |
Whether it is a directory |
|
fd_info |
String |
File handle information |
|
fd_count |
Integer |
Number of file handles |
Example Requests
Query the first 50 unprocessed server events whose enterprise project is xxx.
GET https://{endpoint}/v5/{project_id}/event/events?offset=0&limit=50&handle_status=unhandled&category=host&enterprise_project_id=xxx
Example Responses
Status code: 200
Intrusion list
{
"total_num" : 1,
"data_list" : [ {
"attack_phase" : "exploit",
"attack_tag" : "abnormal_behavior",
"event_class_id" : "lgin_1002",
"event_id" : "d8a12cf7-6a43-4cd6-92b4-aabf1e917",
"event_name" : "different locations",
"event_type" : 4004,
"forensic_info" : {
"country" : "China",
"city" : "Lanzhou",
"ip" : "127.0.0.1",
"user" : "zhangsan",
"sub_division" : "Gansu",
"city_id" : 3110
},
"handle_status" : "unhandled",
"host_name" : "xxx",
"occur_time" : 1661593036627,
"operate_accept_list" : [ "ignore" ],
"operate_detail_list" : [ {
"agent_id" : "c9bed5397db449ebdfba15e85fcfc36accee125c68954daf5cab0528bab59bd8",
"file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
"file_path" : "/usr/test",
"process_pid" : 3123,
"file_attr" : 33261,
"keyword" : "file_path=/usr/test",
"hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
"login_ip" : "127.0.0.1",
"private_ip" : "127.0.0.2",
"login_user_name" : "root",
"is_parent" : false
} ],
"private_ip" : "127.0.0.1",
"resource_info" : {
"region_name" : "",
"project_id" : "",
"enterprise_project_id" : "0",
"os_type" : "Linux",
"os_version" : "2.5",
"vm_name" : "",
"vm_uuid" : "71a15ecc",
"cloud_id" : "",
"container_id" : "",
"container_status" : "running / terminated",
"image_id" : "",
"pod_uid" : "",
"pod_name" : "",
"namespace" : "",
"cluster_id" : "",
"cluster_name" : ""
},
"severity" : "Medium",
"extend_info" : "",
"os_type" : "Linux",
"agent_status" : "online",
"asset_value" : "common",
"protect_status" : "opened",
"host_status" : "ACTIVE",
"event_details" : "file_path:/root/test",
"user_info_list" : [ {
"login_ip" : "",
"service_port" : 22,
"service_type" : "ssh",
"user_name" : "zhangsan",
"login_mode" : 0,
"login_last_time" : 1661593024,
"login_fail_count" : 0
} ],
"process_info_list" : [ {
"process_path" : "/root/test",
"process_name" : "test",
"process_cmdline" : "/bin/bash",
"process_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
"process_filename" : "test",
"process_file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
"process_username" : "root",
"process_pid" : 372612,
"process_uid" : 10000,
"process_gid" : 10000,
"process_egid" : 10000,
"process_euid" : 10000,
"process_start_time" : 1661593024,
"block" : 0,
"parent_process_path" : "/usr/bin/bash",
"parent_process_name" : "test",
"parent_process_cmdline" : "/bin/bash",
"parent_process_filename" : "test",
"parent_process_file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
"parent_process_pid" : 372612,
"parent_process_uid" : 10000,
"parent_process_gid" : 10000,
"parent_process_egid" : 10000,
"parent_process_euid" : 10000,
"parent_process_start_time" : 1661593024,
"child_process_path" : "/usr/bin/bash",
"child_process_name" : "test",
"child_process_cmdline" : "/bin/bash",
"child_process_filename" : "test",
"child_process_pid" : 372612,
"child_process_uid" : 10000,
"child_process_gid" : 10000,
"child_process_egid" : 10000,
"child_process_euid" : 10000,
"child_process_start_time" : 1661593024,
"virt_process_name" : "test",
"virt_cmd" : "/bin/bash",
"escape_cmd" : "/bin/bash",
"escape_mode" : "0",
"ancestor_process_pid" : 372612,
"ancestor_process_cmdline" : "/bin/bash",
"ancestor_process_path" : "/usr/bin/bash"
} ],
"description" : "",
"event_abstract" : "",
"tag_list" : [ "Hot Event" ]
} ]
}
SDK Sample Code
The SDK sample code is as follows.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
package com.huaweicloud.sdk.test; import com.huaweicloud.sdk.core.auth.ICredential; import com.huaweicloud.sdk.core.auth.BasicCredentials; import com.huaweicloud.sdk.core.exception.ConnectionException; import com.huaweicloud.sdk.core.exception.RequestTimeoutException; import com.huaweicloud.sdk.core.exception.ServiceResponseException; import com.huaweicloud.sdk.hss.v5.region.HssRegion; import com.huaweicloud.sdk.hss.v5.*; import com.huaweicloud.sdk.hss.v5.model.*; public class ListSecurityEventsSolution { public static void main(String[] args) { // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security. // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment String ak = System.getenv("CLOUD_SDK_AK"); String sk = System.getenv("CLOUD_SDK_SK"); String projectId = "{project_id}"; ICredential auth = new BasicCredentials() .withProjectId(projectId) .withAk(ak) .withSk(sk); HssClient client = HssClient.newBuilder() .withCredential(auth) .withRegion(HssRegion.valueOf("<YOUR REGION>")) .build(); ListSecurityEventsRequest request = new ListSecurityEventsRequest(); try { ListSecurityEventsResponse response = client.listSecurityEvents(request); System.out.println(response.toString()); } catch (ConnectionException e) { e.printStackTrace(); } catch (RequestTimeoutException e) { e.printStackTrace(); } catch (ServiceResponseException e) { e.printStackTrace(); System.out.println(e.getHttpStatusCode()); System.out.println(e.getRequestId()); System.out.println(e.getErrorCode()); System.out.println(e.getErrorMsg()); } } } |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
# coding: utf-8 import os from huaweicloudsdkcore.auth.credentials import BasicCredentials from huaweicloudsdkhss.v5.region.hss_region import HssRegion from huaweicloudsdkcore.exceptions import exceptions from huaweicloudsdkhss.v5 import * if __name__ == "__main__": # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security. # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment ak = os.environ["CLOUD_SDK_AK"] sk = os.environ["CLOUD_SDK_SK"] projectId = "{project_id}" credentials = BasicCredentials(ak, sk, projectId) client = HssClient.new_builder() \ .with_credentials(credentials) \ .with_region(HssRegion.value_of("<YOUR REGION>")) \ .build() try: request = ListSecurityEventsRequest() response = client.list_security_events(request) print(response) except exceptions.ClientRequestException as e: print(e.status_code) print(e.request_id) print(e.error_code) print(e.error_msg) |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
package main import ( "fmt" "github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic" hss "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5" "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/model" region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/hss/v5/region" ) func main() { // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security. // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment ak := os.Getenv("CLOUD_SDK_AK") sk := os.Getenv("CLOUD_SDK_SK") projectId := "{project_id}" auth := basic.NewCredentialsBuilder(). WithAk(ak). WithSk(sk). WithProjectId(projectId). Build() client := hss.NewHssClient( hss.HssClientBuilder(). WithRegion(region.ValueOf("<YOUR REGION>")). WithCredential(auth). Build()) request := &model.ListSecurityEventsRequest{} response, err := client.ListSecurityEvents(request) if err == nil { fmt.Printf("%+v\n", response) } else { fmt.Println(err) } } |
For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.
Status Codes
|
Status Code |
Description |
|---|---|
|
200 |
Intrusion list |
Error Codes
See Error Codes.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
