Querying the Detected Intrusion List

Function

This API is used to query the detected intrusion list.

URI

GET /v5/{project_id}/event/events

Table 1 Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Project ID

Table 2 Query Parameters
Parameter	Mandatory	Type	Description
category	Yes	String	Event category. Its value can be: host: host security event container: container security event
enterprise_project_id	No	String	Enterprise project ID. To query all enterprise projects, set this parameter to all_granted_eps.
last_days	No	Integer	Number of days to be queried. This parameter is mutually exclusive with begin_time and end_time.
host_name	No	String	Server name
host_id	No	String	Host ID
private_ip	No	String	Server IP address
public_ip	No	String	Server public IP address
container_name	No	String	Container instance name
offset	No	Integer	Offset, which specifies the start position of the record to be returned.
limit	No	Integer	Number of records displayed on each page
event_types	No	Array of integers	Event type. Its value can be: 1001: common malware 1002: virus 1003: worm 1004: Trojan 1005: botnet 1006: backdoor 1010 :Rootkit 1011: ransomware 1012: hacker tool 1015 : web shell 1016: mining 1017: reverse shell 2001: common vulnerability exploit 2012: remote code execution 2047: Redis vulnerability exploit 2048: Hadoop vulnerability exploit 2049: MySQL vulnerability exploit 3002: file privilege escalation 3003: process privilege escalation 3004: critical file change 3005: file/directory change 3007: abnormal process behavior 3015: high-risk command execution 3018: abnormal shell 3026: crontab privilege escalation 3027: suspicious crontab task 3029: system protection disabled 3030: backup deletion 3031: suspicious registry operations 3036: container image blocking 4002: brute-force attack 4004: abnormal login 4006: invalid accounts 4014: account added 4020: password theft 6002: port scan 6003: server scan 13001: Kubernetes event deletion 13002: abnormal pod behavior 13003: enumerating user information 13004: cluster role binding
handle_status	No	String	Status. Its value can be: unhandled handled
severity	No	String	Threat level. Its value can be: Security Low Medium High Critical
begin_time	No	String	Customized start time of a segment. The timestamp is accurate to seconds. The begin_time should be no more than two days earlier than the end_time. This parameter is mutually exclusive with the queried duration.
end_time	No	String	Customized end time of a segment. The timestamp is accurate to seconds. The begin_time should be no more than two days earlier than the end_time. This parameter is mutually exclusive with the queried duration.
event_class_ids	No	Array of strings	Event ID. Its value can be: container_1001: container namespace container_1002: container port enabled container_1003: container security options container_1004: container mount directory containerescape_0001: high-risk system call containerescape_0002: shocker attack containerescape_0003: Dirty Cow attack containerescape_0004: container file escape dockerfile_001: modification of user-defined protected container file dockerfile_002: modification of executable files in the container file system dockerproc_001: abnormal container process fileprotect_0001: file privilege escalation fileprotect_0002: key file change fileprotect_0003: key file path change fileprotect_0004: file/directory change av_1002: virus av_1003: worm av_1004: Trojan av_1005: botnet av_1006: backdoor av_1007: spyware av_1008: malicious adware av_1009: phishing av_1010 : Rootkit av_1011: ransomware av_1012: hacker tool av_1013: grayware av_1015 : web shell av_1016: mining software login_0001: brute-force cracking login_0002: successful cracking login_1001: successful login login_1002: remote login login_1003: weak password malware_0001: shell change report malware_0002: reverse shell report malware_1001: malicious program procdet_0001: abnormal process behavior detection procdet_0002: process privilege escalation crontab_0001: crontab script privilege escalation crontab_0002: malicious path privilege escalation procreport_0001: risky commands user_1001: account change user_1002: risky account vmescape_0001: VM sensitive command execution vmescape_0002: access from virtualization process to sensitive file vmescape_0003: abnormal VM port access webshell_0001: web shell network_1001: malicious mining network_1002: DDoS attacks network_1003: malicious scan network_1004: attack in sensitive areas ransomware_0001: ransomware attack ransomware_0002: ransomware attack ransomware_0003: ransomware attack fileless_0001: process injection fileless_0002: dynamic library injection fileless_0003: key configuration change fileless_0004: environment variable change fileless_0005: memory file process fileless_0006: VDSO hijacking crontab_1001: suspicious crontab task vul_exploit_0001: Redis vulnerability exploit vul_exploit_0002: Hadoop vulnerability exploit vul_exploit_0003: MySQL vulnerability exploit rootkit_0001: suspicious rootkit file rootkit_0002: suspicious kernel module RASP_0004: web shell upload RASP_0018: fileless web shell blockexec_001: known ransomware attack hips_0001: Windows Defender disabled hips_0002: suspicious hacker tool hips_0003: suspicious ransomware encryption behavior hips_0004: hidden account creation hips_0005: user password and credential reading hips_0006: suspicious SAM file export hips_0007: suspicious shadow copy deletion hips_0008: backup file deletion hips_0009: registry of suspicious ransomware hips_0010: suspicious abnormal process hips_0011: suspicious scan hips_0012: suspicious ransomware script running hips_0013: suspicious mining command execution hips_0014: suspicious windows security center disabling hips_0015: suspicious behavior of disabling the firewall service hips_0016: suspicious system automatic recovery disabling hips_0017: executable file execution in Office hips_0018: abnormal file creation with macros in Office hips_0019: suspicious registry operation hips_0020: Confluence remote code execution hips_0021: MSDT remote code execution portscan_0001: common port scan portscan_0002: secret port scan k8s_1001: Kubernetes event deletion k8s_1002: privileged pod creations k8s_1003: interactive shell used in pod k8s_1004: pod created with sensitive directory k8s_1005: pod created with server network k8s_1006: pod created with host PID space k8s_1007: authentication failure when common pods access API server k8s_1008: API server access from common pod using cURL k8s_1009: exec in system management space k8s_1010: pod created in management space k8s_1011: static pod creation k8s_1012: DaemonSet creation k8s_1013: scheduled cluster task creation k8s_1014: operation on secrets k8s_1015: allowed operation enumeration k8s_1016: high privilege RoleBinding or ClusterRoleBinding k8s_1017: ServiceAccount creation k8s_1018: Cronjob creation k8s_1019: interactive shell used for exec in pods k8s_1020: unauthorized access to API server k8s_1021: access to API server with curl k8s_1022: Ingress vulnerability k8s_1023: man-in-the-middle (MITM) attack k8s_1024: worm, mining, or Trojan k8s_1025: K8s event deletion k8s_1026: SelfSubjectRulesReview imgblock_0001: image blocking based on whitelist imgblock_0002: image blocking based on blacklist imgblock_0003: image tag blocking based on whitelist imgblock_0004: image tag blocking based on blacklist imgblock_0005: container creation blocked based on whitelist imgblock_0006: container creation blocked based on blacklist imgblock_0007: container mount proc blocking imgblock_0008: container seccomp unconfined blocking imgblock_0009: container privilege blocking imgblock_0010: container capabilities blocking
severity_list	No	Array of strings	Threat level. The options are as follows: Security Low Medium High Critical
attack_tag	No	String	Indicates the attack flag. The options are as follows: attack_success: attack success attack_attempt: attack attempt attack_blocked: blocked attack abnormal_behavior: abnormal behavior collapsible_host: compromised host system_vulnerability: system vulnerability
asset_value	No	String	Asset importance. The options are as follows: important common test
tag_list	No	Array of strings	Event tag list, for example, ["hot event"].
att_ck	No	String	ATT&CK attack stage, including: Reconnaissance: Initial Access: Execution: Persistence: Privilege Escalation: Defense Evasion: defense bypass Credential Access: Command and Control: Impact: Damage is affected.
event_name	No	String	Alarm name

Request Parameters

Table 3 Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token.
region	Yes	String	Region ID

Response Parameters

Status code: 200

Table 4 Response body parameters
Parameter	Type	Description
total_num	Integer	Total number of alarm events
data_list	Array of EventManagementResponseInfo objects	Event list

Table 5 EventManagementResponseInfo
Parameter	Type	Description
event_id	String	Event ID
event_class_id	String	Event category. Its value can be: container_1001: Container namespace container_1002: Container open port container_1003: Container security option container_1004: Container mount directory containerescape_0001: High-risk system call containerescape_0002: Shocker attack containerescape_0003: Dirty Cow attack containerescape_0004: Container file escape dockerfile_001: Modification of user-defined protected container file dockerfile_002: Modification of executable files in the container file system dockerproc_001: Abnormal container process fileprotect_0001: File privilege escalation fileprotect_0002: Key file change fileprotect_0003: AuthorizedKeysFile path change fileprotect_0004: File directory change login_0001: Brute-force attack attempt login_0002: Brute-force attack succeeded login_1001: Succeeded login login_1002: Remote login login_1003: Weak password malware_0001: Shell change malware_0002: Reverse shell malware_1001: Malicious program procdet_0001: Abnormal process behavior procdet_0002: Process privilege escalation procreport_0001: High-risk command user_1001: Account change user_1002: Unsafe account vmescape_0001: Sensitive command executed on VM vmescape_0002: Sensitive file accessed by virtualization process vmescape_0003: Abnormal VM port access webshell_0001: Web shell network_1001: Mining network_1002: DDoS attacks network_1003: Malicious scanning network_1004: Attack in sensitive areas ransomware_0001: ransomware attack ransomware_0002: ransomware attack ransomware_0003: ransomware attack fileless_0001: process injection fileless_0002: dynamic library injection fileless_0003: key configuration change fileless_0004: environment variable change fileless_0005: memory file process fileless_0006: VDSO hijacking crontab_1001: suspicious crontab task vul_exploit_0001: Redis vulnerability exploit vul_exploit_0002: Hadoop vulnerability exploit vul_exploit_0003: MySQL vulnerability exploit rootkit_0001: suspicious rootkit file rootkit_0002: suspicious kernel module RASP_0004: web shell upload RASP_0018: fileless web shell blockexec_001: known ransomware attack hips_0001: Windows Defender disabled hips_0002: suspicious hacker tool hips_0003: suspicious ransomware encryption behavior hips_0004: hidden account creation hips_0005: user password and credential reading hips_0006: suspicious SAM file export hips_0007: suspicious shadow copy deletion hips_0008: backup file deletion hips_0009: registry of suspicious ransomware hips_0010: suspicious abnormal process hips_0011: suspicious scan hips_0012: suspicious ransomware script running hips_0013: suspicious mining command execution hips_0014: suspicious windows security center disabling hips_0015: suspicious behavior of disabling the firewall service hips_0016: suspicious system automatic recovery disabling hips_0017: executable file execution in Office hips_0018: abnormal file creation with macros in Office hips_0019: suspicious registry operation hips_0020: Confluence remote code execution hips_0021: MSDT remote code execution portscan_0001: common port scan portscan_0002: secret port scan k8s_1001: Kubernetes event deletion k8s_1002: privileged pod creations k8s_1003: interactive shell used in pod k8s_1004: pod created with sensitive directory k8s_1005: pod created with server network k8s_1006: pod created with host PID space k8s_1007: authentication failure when common pods access API server k8s_1008: API server access from common pod using cURL k8s_1009: exec in system management space k8s_1010: pod created in management space k8s_1011: static pod creation k8s_1012: DaemonSet creation k8s_1013: scheduled cluster task creation k8s_1014: operation on secrets k8s_1015: allowed operation enumeration k8s_1016: high privilege RoleBinding or ClusterRoleBinding k8s_1017: ServiceAccount creation k8s_1018: Cronjob creation k8s_1019: interactive shell used for exec in pods k8s_1020: unauthorized access to API server k8s_1021: access to API server with curl k8s_1022: Ingress vulnerability k8s_1023: man-in-the-middle (MITM) attack k8s_1024: worm, mining, or Trojan k8s_1025: K8s event deletion k8s_1026: SelfSubjectRulesReview imgblock_0001: image blocking based on whitelist imgblock_0002: image blocking based on blacklist imgblock_0003: image tag blocking based on whitelist imgblock_0004: image tag blocking based on blacklist imgblock_0005: container creation blocked based on whitelist imgblock_0006: container creation blocked based on blacklist imgblock_0007: container mount proc blocking imgblock_0008: container seccomp unconfined blocking imgblock_0009: container privilege blocking imgblock_0010: container capabilities blocking
event_type	Integer	Event type. Its value can be: 1001: common malware 1002: virus 1003: worm 1004: Trojan 1005: botnet 1006: backdoor 1010 : Rootkit 1011: ransomware 1012: hacker tool 1015 : web shell 1016: mining 1017: reverse shell 2001: common vulnerability exploit 2012: remote code execution 2047: Redis vulnerability exploit 2048: Hadoop vulnerability exploit 2049: MySQL vulnerability exploit 3002: file privilege escalation 3003: process privilege escalation 3004: critical file change 3005: file/directory change 3007: abnormal process behavior 3015: high-risk command execution 3018: abnormal shell 3027: suspicious crontab task 3029: system protection disabled 3030: backup deletion 3031: suspicious registry operations 3036: container image blocking 4002: brute-force attack 4004: abnormal login 4006: invalid accounts 4014: account added 4020: password theft 6002: port scan 6003: server scan 13001: Kubernetes event deletion 13002: abnormal pod behavior 13003: enumerating user information 13004: cluster role binding
event_name	String	Event name
severity	String	Threat level. Its value can be: Security Low Medium High Critical
container_name	String	Container instance name. This parameter is available only for container alarms.
image_name	String	Image name. This parameter is available only for container alarms.
host_name	String	Server name
host_id	String	Host ID
private_ip	String	Server private IP address
public_ip	String	Elastic IP address
os_type	String	OS type. Its value can be: Linux Windows
host_status	String	Server status. The options are as follows: ACTIVE SHUTOFF BUILDING ERROR
agent_status	String	Agent status. Its value can be: installed not_installed online offline install_failed installing
protect_status	String	Protection status. Its value can be: closed opened
asset_value	String	Asset importance. The options are as follows: important common test
attack_phase	String	Attack phase. Its value can be: reconnaissance weaponization delivery exploit installation command_and_control actions
attack_tag	String	Attack tag. Its value can be: attack_success attack_attempt attack_blocked abnormal_behavior collapsible_host system_vulnerability
occur_time	Integer	Occurrence time, accurate to milliseconds.
handle_time	Integer	Handling time, in milliseconds. This parameter is available only for handled alarms.
handle_status	String	Processing status. Its value can be: unhandled handled
handle_method	String	Handling method. This parameter is available only for handled alarms. The options are as follows: mark_as_handled ignore add_to_alarm_whitelist add_to_login_whitelist isolate_and_kill
handler	String	Remarks. This parameter is available only for handled alarms.
operate_accept_list	Array of strings	Supported processing operation
operate_detail_list	Array of EventDetailResponseInfo objects	Operation details list (not displayed on the page)
forensic_info	Object	Attack information, in JSON format.
resource_info	EventResourceResponseInfo object	Resource information
geo_info	Object	Geographical location, in JSON format.
malware_info	Object	Malware information, in JSON format.
network_info	Object	Network information, in JSON format.
app_info	Object	Application information, in JSON format.
system_info	Object	System information, in JSON format.
extend_info	Object	Extended event information, in JSON format
recommendation	String	Handling suggestions
description	String	Alarm description
event_abstract	String	Event abstract
process_info_list	Array of EventProcessResponseInfo objects	Process information list
user_info_list	Array of EventUserResponseInfo objects	User information list
file_info_list	Array of EventFileResponseInfo objects	File information list
event_details	String	Brief description of the event.
tag_list	Array of strings	Tags
event_count	Integer	Event occurrences

Table 6 EventDetailResponseInfo
Parameter	Type	Description
agent_id	String	Agent ID
process_pid	Integer	Process ID
is_parent	Boolean	Whether a process is a parent process
file_hash	String	File hash
file_path	String	File path
file_attr	String	File attribute
private_ip	String	Server private IP address
login_ip	String	Login source IP address
login_user_name	String	Login username
keyword	String	Alarm event keyword, which is used only for the alarm whitelist.
hash	String	Alarm event hash, which is used only for the alarm whitelist.

Table 7 EventResourceResponseInfo
Parameter	Type	Description
domain_id	String	User account ID
project_id	String	Project ID
enterprise_project_id	String	Enterprise project ID
region_name	String	Region name
vpc_id	String	VPC ID
cloud_id	String	ECS ID
vm_name	String	VM name
vm_uuid	String	VM UUID, that is, the server ID
container_id	String	Container ID
container_status	String	Container status
pod_uid	String	pod uid
pod_name	String	pod name
namespace	String	namespace
cluster_id	String	Cluster ID
cluster_name	String	Cluster name
image_id	String	Image ID
image_name	String	Image name
host_attr	String	Host attribute
service	String	Service
micro_service	String	Microservice
sys_arch	String	System CPU architecture
os_bit	String	OS bit version
os_type	String	OS type
os_name	String	OS name
os_version	String	OS version

Table 8 EventProcessResponseInfo
Parameter	Type	Description
process_name	String	Process name
process_path	String	Process file path
process_pid	Integer	Process ID
process_uid	Integer	Process user ID
process_username	String	Process username
process_cmdline	String	Process file command line
process_filename	String	Process file name
process_start_time	Long	Process start time
process_gid	Integer	Process group ID
process_egid	Integer	Valid process group ID
process_euid	Integer	Valid process user ID
ancestor_process_path	String	Grandparent process file path
ancestor_process_pid	Integer	Grandfather process ID
ancestor_process_cmdline	String	Grandparent process file command line
parent_process_name	String	Parent process name
parent_process_path	String	Parent process file path
parent_process_pid	Integer	Parent process ID
parent_process_uid	Integer	Parent process user ID
parent_process_cmdline	String	Parent process file command line
parent_process_filename	String	Parent process file name
parent_process_start_time	Long	Parent process start time
parent_process_gid	Integer	Parent process group ID
parent_process_egid	Integer	Valid parent process group ID
parent_process_euid	Integer	Valid parent process user ID
child_process_name	String	Subprocess name
child_process_path	String	Subprocess file path
child_process_pid	Integer	Subprocess ID
child_process_uid	Integer	Subprocess user ID
child_process_cmdline	String	Subprocess file command line
child_process_filename	String	Subprocess file name
child_process_start_time	Long	Subprocess start time
child_process_gid	Integer	Subprocess group ID
child_process_egid	Integer	Valid subprocess group ID
child_process_euid	Integer	Valid subprocess user ID
virt_cmd	String	Virtualization command
virt_process_name	String	Virtualization process name
escape_mode	String	Escape mode
escape_cmd	String	Commands executed after escape
process_hash	String	Process startup file hash
process_file_hash	String	Process file hash
parent_process_file_hash	String	Parent process file hash
block	Integer	Indicates whether the blocking is successful. 1: yes 0: no

Table 9 EventUserResponseInfo
Parameter	Type	Description
user_id	Integer	User UID
user_gid	Integer	User GID
user_name	String	User name
user_group_name	String	User group name
user_home_dir	String	User home directory
login_ip	String	User login IP address
service_type	String	Service type. The options are as follows: system mysql redis
service_port	Integer	Login service port
login_mode	Integer	Login mode
login_last_time	Long	Last login time
login_fail_count	Integer	Number of failed login attempts
pwd_hash	String	Password hash
pwd_with_fuzzing	String	Masked password
pwd_used_days	Integer	Password age (days)
pwd_min_days	Integer	Minimum password validity period
pwd_max_days	Integer	Maximum password validity period
pwd_warn_left_days	Integer	Advance warning of password expiration (days)

Table 10 EventFileResponseInfo
Parameter	Type	Description
file_path	String	File path
file_alias	String	File alias
file_size	Integer	File size
file_mtime	Long	Time when a file was last modified
file_atime	Long	Time when a file was last accessed
file_ctime	Long	Time when the status of a file was last changed
file_hash	String	The hash value calculated using the SHA256 algorithm.
file_md5	String	File MD5
file_sha256	String	File SHA256
file_type	String	File type
file_content	String	File content
file_attr	String	File attribute
file_operation	Integer	File operation type
file_action	String	File action
file_change_attr	String	Old/New attribute
file_new_path	String	New file path
file_desc	String	File description
file_key_word	String	File keyword
is_dir	Boolean	Whether it is a directory
fd_info	String	File handle information
fd_count	Integer	Number of file handles

Example Requests

Query the first 50 unprocessed server events whose enterprise project is xxx.

GET https://{endpoint}/v5/{project_id}/event/events?offset=0&limit=50&handle_status=unhandled&category=host&enterprise_project_id=xxx

Example Responses

Status code: 200

Request succeeded.

{
  "total_num" : 1,
  "data_list" : [ {
    "attack_phase" : "exploit",
    "attack_tag" : "abnormal_behavior",
    "event_class_id" : "lgin_1002",
    "event_id" : "d8a12cf7-6a43-4cd6-92b4-aabf1e917",
    "event_name" : "different locations",
    "event_type" : 4004,
    "forensic_info" : {
      "country" : "China",
      "city" : "Lanzhou",
      "ip" : "127.0.0.1",
      "user" : "zhangsan",
      "sub_division" : "Gansu",
      "city_id" : 3110
    },
    "handle_status" : "unhandled",
    "host_name" : "xxx",
    "occur_time" : 1661593036627,
    "operate_accept_list" : [ "ignore" ],
    "operate_detail_list" : [ {
      "agent_id" : "c9bed5397db449ebdfba15e85fcfc36accee125c68954daf5cab0528bab59bd8",
      "file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "file_path" : "/usr/test",
      "process_pid" : 3123,
      "file_attr" : 33261,
      "keyword" : "file_path=/usr/test",
      "hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "login_ip" : "127.0.0.1",
      "private_ip" : "127.0.0.2",
      "login_user_name" : "root",
      "is_parent" : false
    } ],
    "private_ip" : "127.0.0.1",
    "resource_info" : {
      "region_name" : "",
      "project_id" : "",
      "enterprise_project_id" : "0",
      "os_type" : "Linux",
      "os_version" : "2.5",
      "vm_name" : "",
      "vm_uuid" : "71a15ecc",
      "cloud_id" : "",
      "container_id" : "",
      "container_status" : "running / terminated",
      "image_id" : "",
      "pod_uid" : "",
      "pod_name" : "",
      "namespace" : "",
      "cluster_id" : "",
      "cluster_name" : ""
    },
    "severity" : "Medium",
    "extend_info" : "",
    "os_type" : "Linux",
    "agent_status" : "online",
    "asset_value" : "common",
    "protect_status" : "opened",
    "host_status" : "ACTIVE",
    "event_details" : "file_path:/root/test",
    "user_info_list" : [ {
      "login_ip" : "",
      "service_port" : 22,
      "service_type" : "ssh",
      "user_name" : "zhangsan",
      "login_mode" : 0,
      "login_last_time" : 1661593024,
      "login_fail_count" : 0
    } ],
    "process_info_list" : [ {
      "process_path" : "/root/test",
      "process_name" : "test",
      "process_cmdline" : "/bin/bash",
      "process_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "process_filename" : "test",
      "process_file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "process_username" : "root",
      "process_pid" : 372612,
      "process_uid" : 10000,
      "process_gid" : 10000,
      "process_egid" : 10000,
      "process_euid" : 10000,
      "process_start_time" : 1661593024,
      "block" : 0,
      "parent_process_path" : "/usr/bin/bash",
      "parent_process_name" : "test",
      "parent_process_cmdline" : "/bin/bash",
      "parent_process_filename" : "test",
      "parent_process_file_hash" : "e8b50f0b91e3dce0885ccc5902846b139d28108a0a7976c9b8d43154c5dbc44d",
      "parent_process_pid" : 372612,
      "parent_process_uid" : 10000,
      "parent_process_gid" : 10000,
      "parent_process_egid" : 10000,
      "parent_process_euid" : 10000,
      "parent_process_start_time" : 1661593024,
      "child_process_path" : "/usr/bin/bash",
      "child_process_name" : "test",
      "child_process_cmdline" : "/bin/bash",
      "child_process_filename" : "test",
      "child_process_pid" : 372612,
      "child_process_uid" : 10000,
      "child_process_gid" : 10000,
      "child_process_egid" : 10000,
      "child_process_euid" : 10000,
      "child_process_start_time" : 1661593024,
      "virt_process_name" : "test",
      "virt_cmd" : "/bin/bash",
      "escape_cmd" : "/bin/bash",
      "escape_mode" : "0",
      "ancestor_process_pid" : 372612,
      "ancestor_process_cmdline" : "/bin/bash",
      "ancestor_process_path" : "/usr/bin/bash"
    } ],
    "description" : "",
    "event_abstract" : "",
    "tag_list" : [ "Hot Event" ]
  } ]
}

Status Codes

Status Code	Description
200	Request succeeded.

Error Codes

See Error Codes.

Parent topic: Intrusion Detection

Предыдущая статья

Handling Alarm Events

Следующая статья

Querying the Alarm Whitelist

Была ли эта статья полезна?

Поддержка Юридические документы