Help Center/ SecMaster/ API Reference/ API/ Incident Management/ Querying Details About an Incident
Updated on 2025-06-24 GMT+08:00

Querying Details About an Incident

Function

This API is used to obtain the details about an incident.

Calling Method

For details, see Calling APIs.

URI

GET /v1/{project_id}/workspaces/{workspace_id}/soc/incidents/{incident_id}

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

project_id

Yes

String

Project ID.

workspace_id

Yes

String

Workspace ID.

incident_id

Yes

String

Incident ID.

Request Parameters

Table 2 Request header parameters

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

User token.

It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is the user token.

content-type

Yes

String

Content type.

Response Parameters

Status code: 200

Table 3 Response body parameters

Parameter

Type

Description

code

String

Error code.

message

String

Error message.

data

IncidentDetail object

Incident details object.

Table 4 IncidentDetail

Parameter

Type

Description

create_time

String

Recording time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

data_object

Incident object

Incident entity information.

dataclass_ref

dataclass_ref object

Data class object.

format_version

Integer

Format version.

id

String

Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters.

project_id

String

ID of the current project.

update_time

String

Update time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the alert was generated. If this parameter cannot be parsed, the default time zone GMT+8 is used.

version

Integer

Version.

workspace_id

String

ID of the current workspace.

Table 5 Incident

Parameter

Type

Description

version

String

Version of the incident object. The value must be the one released by the SSA service.

id

String

Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters.

domain_id

String

ID of the account (domain_id) to whom the data is delivered and hosted.

region_id

String

ID of the region where the account to whom the data is delivered and hosted.

workspace_id

String

ID of the current workspace.

labels

String

Tag (display only).

environment

environment object

Coordinates of the environment where the incident was generated.

data_source

data_source object

Data source reported for the first time.

first_observed_time

String

First discovery time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

last_observed_time

String

Latest discovery time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

create_time

String

Recording time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

arrive_time

String

Receiving time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

title

String

Incident title.

description

String

Incident description.

source_url

String

Incident URL, which points to the page displaying the current incident description in the data source product.

count

Integer

Incident occurrences.

confidence

Integer

Incident confidence. Confidence is used to illustrate the accuracy of an identified behavior or problem.

Value range: 0 to 100. 0 indicates that the confidence is 0%, and 100 indicates that the confidence is 100%.

severity

String

Severity level. Value range: Tips | Low | Medium | High | Fatal

Note:

0: Tips. No threats are found.

1: Low. No actions are required for the threat.

2: Medium. The threat needs to be handled but is not urgent.

3: High. The threat must be handled preferentially.

4: Fatal. The threat must be handled immediately to prevent further damage.

criticality

Integer

Criticality, which specifies the importance level of the resources involved in an incident.

Value range: 0 to 100. 0 indicates that the resource is not critical, and 100 indicates that the resource is critical.

incident_type

incident_type object

Incident classification. For details, see the Alert and Incident Type Definition.

network_list

Array of network_list objects

Network information.

resource_list

Array of resource_list objects

Affected resources.

remediation

remediation object

Remedy measure.

verification_state

String

Verification status, which identifies the accuracy of the incident. The options are as follows:

Unknown: The incident is unknown

True_Positive: The incident is confirmed.

False_Positive: The incident is a false positive.

The default value is Unknown.

handle_status

String

Incident handling status. The options are as follows:

Open: Default status.

Block

Closed

The default value is Open.

sla

Integer

Closure time: The deadline by which the incident must be resolved. Unit: hour.

update_time

String

Update time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

close_time

String

Closure time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

ipdrr_phase

String

Period/Handling phase No.

Preparation: Preparation stage. Detection and Analysis: Detection and analysis stage. Contain, Eradication& Recovery: Containment, eradication, and recovery stage. Post-Incident-Activity: Post-incident activity stage.

simulation

String

Debugging field.

actor

String

Incident investigator.

owner

String

Owner and service owner.

creator

String

Creator.

close_reason

String

Closure reason.

False detection

Resolved

Repeated

Other

close_comment

String

Comment for the closure.

malware

malware object

Malware.

system_info

Object

System information.

process

Array of process objects

Process information.

user_info

Array of user_info objects

User information.

file_info

Array of file_info objects

File information.

system_alert_table

Object

Layout fields in the incident list.

Table 6 environment

Parameter

Type

Description

vendor_type

String

Environment provider.

domain_id

String

Account ID.

region_id

String

Region ID. global is returned for global services.

cross_workspace_id

String

Source workspace ID before data delivery. In the source workspace, the value is null. After data delivery, the value is the ID of the delegated user.

project_id

String

Project ID. The default value is null for global services.

Table 7 data_source

Parameter

Type

Description

source_type

Integer

Data source type. The options are as follows:

1: Cloud service

2: Third-party product

3: Private product

domain_id

String

Account ID to which the data source product belongs.

project_id

String

ID of the project to which the data source product belongs.

region_id

String

Region where the data source product is located. For details about the value range, see "Regions and Endpoints".

company_name

String

Name of the company to which the data source product belongs.

product_name

String

Name of the data source product.

product_feature

String

Name of the feature of the product that detects the incident.

product_module

String

Threat detection model list.

Table 8 incident_type

Parameter

Type

Description

category

String

Category.

incident_type

String

Incident type.

Table 9 network_list

Parameter

Type

Description

direction

String

Direction. The value can be IN or OUT.

protocol

String

Protocol, including Layer 7 and Layer 4 protocols.

Reference: IANA registered name

https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

src_ip

String

Source IP address.

src_port

Integer

Source port. Value range: 0 - 65535.

src_domain

String

Source domain name.

src_geo

src_geo object

Geographical location of the source IP address.

dest_ip

String

Destination IP address.

dest_port

String

Destination port. Value range: 0 to 65535.

dest_domain

String

Destination domain name.

dest_geo

dest_geo object

Geographical location of the destination IP address.

Table 10 src_geo

Parameter

Type

Description

latitude

Number

Latitude.

longitude

Number

Longitude.

city_code

String

City Code.

country_code

String

Country code. For details, see ISO 3166-1 alpha-2. For example, CN|US|DE|IT|SG.

Table 11 dest_geo

Parameter

Type

Description

latitude

Number

Latitude.

longitude

Number

Longitude.

city_code

String

City Code.

country_code

String

Country code. For details, see ISO 3166-1 alpha-2. For example, CN|US|DE|IT|SG.

Table 12 resource_list

Parameter

Type

Description

id

String

Cloud service resource ID.

name

String

Resource name.

type

String

Resource type, which reuses the RMS type field.

provider

String

Cloud service name, which is the same as the provider field in the RMS service.

region_id

String

Region. Enter the value based on the cloud region ID.

domain_id

String

ID of the account to which the resource belongs, in UUID format.

project_id

String

ID of the project to which the resource belongs, in UUID format.

ep_id

String

Enterprise project ID.

ep_name

String

Enterprise project name.

tags

String

Resource tags.

  1. A maximum of 50 key-value pairs are supported.

  2. The value can contain a maximum of 255 characters, including letters, digits, spaces, and special characters (+, -, =, ., _, :, /,@).

Table 13 remediation

Parameter

Type

Description

recommendation

String

Recommended solution.

url

String

URL, which points to the general handling details for the incident. The URL must be accessible from the public network with no credentials required.

Table 14 malware

Parameter

Type

Description

malware_family

String

Malicious family.

malware_class

String

Malware classification.

Table 15 process

Parameter

Type

Description

process_name

String

Process name.

process_path

String

Path of the process execution file.

process_pid

Integer

Process ID.

process_uid

Integer

User ID associated with the process.

process_cmdline

String

Process command line.

process_parent_name

String

Parent process name.

process_parent_path

String

Path of the parent process execution file.

process_parent_pid

Integer

Parent process ID.

process_parent_uid

Integer

User ID associated with the parent process.

process_parent_cmdline

String

Parent process command line.

process_child_name

String

Subprocess name.

process_child_path

String

Path of the subprocess execution file.

process_child_pid

Integer

Subprocess ID.

process_child_uid

Integer

User ID associated with the subprocess.

process_child_cmdline

String

Subprocess command line.

process_launche_time

String

Process start time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone refers to where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

process_terminate_time

String

Process end time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone refers to where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Table 16 user_info

Parameter

Type

Description

user_id

String

User ID (UID).

user_name

String

Username.

Table 17 file_info

Parameter

Type

Description

file_path

String

File path/name.

file_content

String

File content.

file_new_path

String

New file path/name.

file_hash

String

File hashes.

file_md5

String

File MD5 value.

file_sha256

String

SHA256 value of the file.

file_attr

String

File attributes.

Table 18 dataclass_ref

Parameter

Type

Description

id

String

Unique identifier of a data class. The value is in UUID format and can contain a maximum of 36 characters.

name

String

Data class name.

Status code: 400

Table 19 Response body parameters

Parameter

Type

Description

code

String

Error code.

message

String

Error description.

Example Requests

None

Example Responses

Status code: 200

Response body for requests for querying incident details.

{
  "code" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
  "message" : "Error message",
  "data" : {
    "data_object" : {
      "version" : "1.0",
      "environment" : {
        "vendor_type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "data_source" : {
        "source_type" : 3,
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "first_observed_time" : "2021-01-30T23:00:00Z+0800",
      "last_observed_time" : "2021-01-30T23:00:00Z+0800",
      "create_time" : "2021-01-30T23:00:00Z+0800",
      "arrive_time" : "2021-01-30T23:00:00Z+0800",
      "title" : "MyXXX",
      "description" : "This my XXXX",
      "source_url" : "http://xxx",
      "count" : "4",
      "confidence" : 4,
      "severity" : "TIPS",
      "criticality" : 4,
      "incident_type" : { },
      "network_list" : [ {
        "direction" : {
          "IN" : null
        },
        "protocol" : "TCP",
        "src_ip" : "192.168.0.1",
        "src_port" : "1",
        "src_domain" : "xxx",
        "dest_ip" : "192.168.0.1",
        "dest_port" : "1",
        "dest_domain" : "xxx",
        "src_geo" : {
          "latitude" : 90,
          "longitude" : 180
        },
        "dest_geo" : {
          "latitude" : 90,
          "longitude" : 180
        }
      } ],
      "resource_list" : [ {
        "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "name" : "MyXXX",
        "type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_name" : "MyXXX",
        "tags" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      } ],
      "remediation" : {
        "recommendation" : "MyXXX",
        "url" : "MyXXX"
      },
      "verification_state" : "**Unknown**: Unknown; **True_Positive**: Positive; **False_Positive**: False positive. The default value is **Unknown**.",
      "handle_status" : "**Open**: Open; **Block**: Pending; **Closed**: Closed. The default value is **Open**.",
      "sla" : 60000,
      "update_time" : "2021-01-30T23:00:00Z+0800",
      "close_time" : "2021-01-30T23:00:00Z+0800",
      "ipdrr_phase" : "**Preparation**: Preparation stage. **Detection and Analysis**: Detection and analysis stage. **Contain, Eradication& Recovery**: Containment, eradication, and recovery stage. **Post-Incident-Activity**: Post-incident activity stage.",
      "simulation" : "false",
      "actor" : "Tom",
      "owner" : "MyXXX",
      "creator" : "MyXXX",
      "close_reason" : "False positive; Resolved; Duplicate; Others",
      "close_comment" : "False positive; Resolved; Duplicate; Others",
      "malware" : {
        "malware_family" : "family",
        "malware_class" : "Malicious memory occupation."
      },
      "system_info" : { },
      "process" : [ {
        "process_name" : "MyXXX",
        "process_path" : "MyXXX",
        "process_pid" : 123,
        "process_uid" : 123,
        "process_cmdline" : "MyXXX"
      } ],
      "user_info" : [ {
        "user_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "user_name" : "MyXXX"
      } ],
      "file_info" : [ {
        "file_path" : "MyXXX",
        "file_content" : "MyXXX",
        "file_new_path" : "MyXXX",
        "file_hash" : "MyXXX",
        "file_md5" : "MyXXX",
        "file_sha256" : "MyXXX",
        "file_attr" : "MyXXX"
      } ],
      "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca620"
    },
    "create_time" : "2021-01-30T23:00:00Z+0800",
    "update_time" : "2021-01-30T23:00:00Z+0800",
    "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
  }
}

SDK Sample Code

The SDK sample code is as follows.

Java

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.secmaster.v2.region.SecMasterRegion;
import com.huaweicloud.sdk.secmaster.v2.*;
import com.huaweicloud.sdk.secmaster.v2.model.*;


public class ShowIncidentSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        SecMasterClient client = SecMasterClient.newBuilder()
                .withCredential(auth)
                .withRegion(SecMasterRegion.valueOf("<YOUR REGION>"))
                .build();
        ShowIncidentRequest request = new ShowIncidentRequest();
        request.withWorkspaceId("{workspace_id}");
        request.withIncidentId("{incident_id}");
        try {
            ShowIncidentResponse response = client.showIncident(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

Python

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdksecmaster.v2.region.secmaster_region import SecMasterRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdksecmaster.v2 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = SecMasterClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(SecMasterRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ShowIncidentRequest()
        request.workspace_id = "{workspace_id}"
        request.incident_id = "{incident_id}"
        response = client.show_incident(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

Go

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    secmaster "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        Build()

    client := secmaster.NewSecMasterClient(
        secmaster.SecMasterClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.ShowIncidentRequest{}
	request.WorkspaceId = "{workspace_id}"
	request.IncidentId = "{incident_id}"
	response, err := client.ShowIncident(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

More

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

Status Code

Description

200

Response body for requests for querying incident details.

400

Response body for failed requests for querying incident details.

Error Codes

See Error Codes.