Updated on 2024-12-13 GMT+08:00

Querying Alert Detail

Function

Querying Alert Detail

Calling Method

For details, see Calling APIs.

URI

GET /v1/{project_id}/workspaces/{workspace_id}/soc/alerts/{alert_id}

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

project_id

Yes

String

Project ID.

workspace_id

Yes

String

Workspace ID

alert_id

Yes

String

Alert ID.

Request Parameters

Table 2 Request header parameters

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

User token.

It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token.

content-type

Yes

String

Content type.

Response Parameters

Status code: 200

Table 3 Response header parameters

Parameter

Type

Description

X-request-id

String

Request ID, in the format request_uuid-timestamp-hostname.

Table 4 Response body parameters

Parameter

Type

Description

code

String

Error code

message

String

Error Message

data

AlertDetail object

Alert Detail

Table 5 AlertDetail

Parameter

Type

Description

create_time

String

Recording time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

data_object

Alert object

Alert entity information.

dataclass_ref

dataclass_ref object

Data class object.

format_version

Integer

Format version.

id

String

Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters.

type

String

Data Types.

project_id

String

ID of the current project.

update_time

String

Update time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

version

Integer

Version.

workspace_id

String

ID of the current workspace.

Table 6 Alert

Parameter

Type

Description

version

String

Version of the data source of the alert. The value must be one officially released by the Cloud SSA service.

id

String

Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters.

domain_id

String

ID of the account (domain_id) to whom the data is delivered and hosted.

region_id

String

ID of the region where the account to whom the data is delivered and hosted belongs to.

workspace_id

String

ID of the current workspace.

labels

String

Tag (display only)

environment

environment object

Coordinates of the environment where the alert was generated.

data_source

data_source object

Source the data is first reported.

first_observed_time

String

First discovery time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

last_observed_time

String

First discovery time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

create_time

String

Recording time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

arrive_time

String

Data receiving time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

title

String

Alert title.

description

String

Alert description.

source_url

String

Alert URL, which points to the page of the current incident description in the data source product.

count

Integer

Incident occurrences

confidence

Integer

Incident confidence. Confidence is used to illustrate the accuracy of an identified behavior or incident.

Value range -- 0-100. 0 indicates that the confidence is 0%, and 100 indicates that the confidence is 100%.

severity

String

Severity level. Value range: Tips | Low | Medium | High | Fatal

Description:

  • 0: TIPS: No threats are found.

  • 1: LOW: No actions are required for the threat.

  • 2: MEDIUM: The threat needs to be handled but is not urgent.

  • 3: HIGH: The threat must be handled preferentially.

  • 4: FATAL: The threat must be handled immediately to prevent further damage.

criticality

Integer

Criticality, which specifies the importance level of the resources involved in an incident.

Value range -- 0 to 100. The value 0 indicates that the resource is not critical, and 100 indicates that the resource is critical.

alert_type

alert_type object

Alert classification. For details, see the Alert Type Definition.

network_list

Array of network_list objects

Network Information

resource_list

Array of resource_list objects

Affected resources.

remediation

remediation object

Remedy measure.

verification_state

String

Verification status, which identifies the accuracy of an incident. The options are as follows:

– Unknown

– True_Positive

– False_Positive

Enter Unknown by default.

handle_status

String

Incident handling status. The options are as follows:

  • Open: enabled.

  • Block: blocked.

  • Closed: closed.

    The default value is Open.

sla

Integer

Risk close time -- Set the acceptable risk duration. Unit -- Hour

update_time

String

Update time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the alert occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

close_time

String

Closing time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

ipdrr_phase

String

Period/Handling phase No.

Prepartion|Detection and Analysis|Containm,Eradication& Recovery|Post-Incident-Activity

simulation

String

Debugging field.

actor

String

Alert investigator.

owner

String

Owner and service owner.

creator

String

Creator

close_reason

String

Close reason.

  • False detection.

  • Resolved

  • Repeated

  • Other

close_comment

String

Whether to close comment.

malware

malware object

Malware

system_info

Object

System information.

process

Array of process objects

Process information.

user_info

Array of user_info objects

User Details

file_info

Array of file_info objects

Document information.

system_alert_table

Object

Layout fields in the alerts list.

Table 7 environment

Parameter

Type

Description

vendor_type

String

Environment provider.

domain_id

String

Tenant ID.

region_id

String

Region ID. global is returned for global services.

cross_workspace_id

String

ID of the source workspace for the data delivery. If the source workspace ID is null, then the destination workspace account ID is used.

project_id

String

Project ID. The default value is null for global services.

Table 8 data_source

Parameter

Type

Description

source_type

Integer

Data source type. The options are as follows-- 1- cloud product 2- Third-party product 3- Tenant product

domain_id

String

Account ID to which the data source product belongs.

project_id

String

ID of the project to which the data source product belongs.

region_id

String

Region where the data source is located, for example, cn-north1. For details about the value range, see Regions and Endpoints.

company_name

String

Name of the company to which a data source belongs.

product_name

String

Name of the data source.

product_feature

String

Name of the feature of the product that detects the incident.

product_module

String

Threat detection module list.

Table 9 alert_type

Parameter

Type

Description

category

String

Type

alert_type

String

Alert type.

Table 10 network_list

Parameter

Type

Description

direction

String

Direction. The value can be IN or OUT.

protocol

String

Protocol, including Layer 7 and Layer 4 protocols.

For details, see IANA registered name.

https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.

src_ip

String

Source IP address

src_port

Integer

Source port. The value ranges from 0 to 65535.

src_domain

String

Source domain name.

src_geo

src_geo object

Geographical location of the source IP address.

dest_ip

String

Destination IP address

dest_port

String

Destination port. The value ranges from 0 to 65535.

dest_domain

String

Destination domain name

dest_geo

dest_geo object

Geographical location of the destination IP address.

Table 11 src_geo

Parameter

Type

Description

latitude

Number

Latitude

longitude

Number

Longitude

city_code

String

City code. For example, Beijing or Shanghai.

country_code

String

Country code. For details, see ISO 3166-1 alpha-2. For example, CN | US | DE | IT | SG.

Table 12 dest_geo

Parameter

Type

Description

latitude

Number

Latitude

longitude

Number

Longitude

city_code

String

City code. For example, Beijing or Shanghai.

country_code

String

Country code. For details, see ISO 3166-1 alpha-2. For example, CN | US | DE | IT | SG.

Table 13 resource_list

Parameter

Type

Description

id

String

Cloud service resource ID.

name

String

Resource name.

type

String

Resource type. This parameter references the value of RMS type on Cloud.

provider

String

Cloud service name, which is the same as the provider field in the RMS service.

region_id

String

Region ID in Cloud, for example, cn-north-1.

domain_id

String

ID of the account to which the resource belongs, in UUID format.

project_id

String

ID of the account to which the resource belongs, in UUID format.

ep_id

String

Specifies the enterprise project ID.

ep_name

String

Enterprise Project Name

tags

String

Resource tag.

  1. A maximum of 50 key/value pairs are supported.

  2. Value: a maximum of 255 characters, including letters, digits, spaces, and +, -, =, ., _, :, /,@

Table 14 remediation

Parameter

Type

Description

recommendation

String

Recommended solution.

url

String

Link to the general fix information for the incident. The URL must be accessible from the public network with no credentials required.

Table 15 malware

Parameter

Type

Description

malware_family

String

Malicious family.

malware_class

String

Malware category.

Table 16 process

Parameter

Type

Description

process_name

String

Process name.

process_path

String

Process execution file path.

process_pid

Integer

Process ID.

process_uid

Integer

Process user ID.

process_cmdline

String

Process command line.

process_parent_name

String

Parent process name.

process_parent_path

String

Parent process execution file path.

process_parent_pid

Integer

Parent process ID.

process_parent_uid

Integer

Parent process user ID.

process_parent_cmdline

String

Parent process command line.

process_child_name

String

Subprocess name.

process_child_path

String

Subprocess execution file path.

process_child_pid

Integer

Subprocess ID.

process_child_uid

Integer

Subprocess user ID.

process_child_cmdline

String

Subprocess command line

process_launche_time

String

Incident start time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

process_terminate_time

String

Process end time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Table 17 user_info

Parameter

Type

Description

user_id

String

User UID

user_name

String

Username

Table 18 file_info

Parameter

Type

Description

file_path

String

File path/name.

file_content

String

File path/name.

file_new_path

String

New file path/name.

file_hash

String

File Hash

file_md5

String

File MD5

file_sha256

String

File SHA256

file_attr

String

File attribute.

Table 19 dataclass_ref

Parameter

Type

Description

id

String

Unique identifier of a data class. The value is in UUID format and can contain a maximum of 36 characters.

name

String

Data class name.

Status code: 400

Table 20 Response header parameters

Parameter

Type

Description

X-request-id

String

Request ID, in the format request_uuid-timestamp-hostname.

Table 21 Response body parameters

Parameter

Type

Description

code

String

Error Code

message

String

Error Description

Example Requests

None

Example Responses

Status code: 200

Response body for obtaining alert condition details.

{
  "code" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
  "message" : "Error message",
  "data" : {
    "data_object" : {
      "version" : "1.0",
      "environment" : {
        "vendor_type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "data_source" : {
        "source_type" : 3,
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "first_observed_time" : "2021-01-30T23:00:00Z+0800",
      "last_observed_time" : "2021-01-30T23:00:00Z+0800",
      "create_time" : "2021-01-30T23:00:00Z+0800",
      "arrive_time" : "2021-01-30T23:00:00Z+0800",
      "title" : "MyXXX",
      "description" : "This my XXXX",
      "source_url" : "http://xxx",
      "count" : "4",
      "confidence" : 4,
      "severity" : "TIPS",
      "criticality" : 4,
      "alert_type" : { },
      "network_list" : [ {
        "direction" : {
          "IN" : null
        },
        "protocol" : "TCP",
        "src_ip" : "192.168.0.1",
        "src_port" : "1",
        "src_domain" : "xxx",
        "dest_ip" : "192.168.0.1",
        "dest_port" : "1",
        "dest_domain" : "xxx",
        "src_geo" : {
          "latitude" : 90,
          "longitude" : 180
        },
        "dest_geo" : {
          "latitude" : 90,
          "longitude" : 180
        }
      } ],
      "resource_list" : [ {
        "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "name" : "MyXXX",
        "type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_name" : "MyXXX",
        "tags" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      } ],
      "remediation" : {
        "recommendation" : "MyXXX",
        "url" : "MyXXX"
      },
      "verification_state" : "Unknown,True_Positive,False_Positive. The default value is Unknown.",
      "handle_status" : "Open – enabled.Block – blocked.Closed – closed.The default value is Open.",
      "sla" : 60000,
      "update_time" : "2021-01-30T23:00:00Z+0800",
      "close_time" : "2021-01-30T23:00:00Z+0800",
      "ipdrr_phase" : "Prepartion|Detection and Analysis|Containm,Eradication& Recovery| Post-Incident-Activity",
      "simulation" : "false",
      "actor" : "Tom",
      "owner" : "MyXXX",
      "creator" : "MyXXX",
      "close_reason" : "False positive; Resolved; Duplicate; Others",
      "close_comment" : "False positive; Resolved; Duplicate; Others",
      "malware" : {
        "malware_family" : "family",
        "malware_class" : "Malicious memory occupation."
      },
      "system_info" : { },
      "process" : [ {
        "process_name" : "MyXXX",
        "process_path" : "MyXXX",
        "process_pid" : 123,
        "process_uid" : 123,
        "process_cmdline" : "MyXXX"
      } ],
      "user_info" : [ {
        "user_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "user_name" : "MyXXX"
      } ],
      "file_info" : [ {
        "file_path" : "MyXXX",
        "file_content" : "MyXXX",
        "file_new_path" : "MyXXX",
        "file_hash" : "MyXXX",
        "file_md5" : "MyXXX",
        "file_sha256" : "MyXXX",
        "file_attr" : "MyXXX"
      } ],
      "system_alert_table" : { },
      "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca620"
    },
    "create_time" : "2021-01-30T23:00:00Z+0800",
    "update_time" : "2021-01-30T23:00:00Z+0800",
    "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "id" : "MyXXX",
    "version" : 11,
    "format_version" : 11,
    "dataclass_ref" : {
      "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "name" : "MyXXX"
    }
  }
}

SDK Sample Code

The SDK sample code is as follows.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.secmaster.v2.region.SecMasterRegion;
import com.huaweicloud.sdk.secmaster.v2.*;
import com.huaweicloud.sdk.secmaster.v2.model.*;


public class ShowAlertSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        SecMasterClient client = SecMasterClient.newBuilder()
                .withCredential(auth)
                .withRegion(SecMasterRegion.valueOf("<YOUR REGION>"))
                .build();
        ShowAlertRequest request = new ShowAlertRequest();
        request.withWorkspaceId("{workspace_id}");
        request.withAlertId("{alert_id}");
        try {
            ShowAlertResponse response = client.showAlert(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdksecmaster.v2.region.secmaster_region import SecMasterRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdksecmaster.v2 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = SecMasterClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(SecMasterRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ShowAlertRequest()
        request.workspace_id = "{workspace_id}"
        request.alert_id = "{alert_id}"
        response = client.show_alert(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    secmaster "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        Build()

    client := secmaster.NewSecMasterClient(
        secmaster.SecMasterClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.ShowAlertRequest{}
	request.WorkspaceId = "{workspace_id}"
	request.AlertId = "{alert_id}"
	response, err := client.ShowAlert(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

Status Code

Description

200

Response body for obtaining alert condition details.

400

Response body for request failures of obtaining alert condition details.

Error Codes

See Error Codes.