GetExceptedWebshellSuspiciousObject

Article summary

Did you find this summary helpful?

Thank you for your feedback

Available in VPC

Get details about a desired file in the exception-handled webshell behavior detection history.

Request

The following describes the request format for the endpoint. The request format is as follows:

Method	URI
GET	/exceptions/{exception-id}/suspicious-objects

Request headers

For headers common to all Webshell Behavior Detector APIs, see Common Webshell Behavior Detector headers.

Request path parameters

The following describes the parameters.

Field	Type	Required	Description
`exception-id`	Integer	Required	Exception-handled webshell behavior detection history ID Check `detectionId` through GetExceptedWebshell

Request example

The following is a sample request.

curl --location --request GET 'https://wbd.apigw.ntruss.com/api/v1/exceptions/2024072321234500000010/suspicious-objects' \
--header 'x-ncp-apigw-timestamp: {Timestamp}' \
--header 'x-ncp-iam-access-key: {Access Key}' \
--header 'x-ncp-apigw-signature-v2: {API Gateway Signature}' \
--header 'Content-Type: application/json' \
--header 'X-NCP-USE_PLATFORM_TYPE: VPC'

Response

The following describes the response format.

Response body

The following describes the response body.

Field	Type	Required	Description
`success`	Boolean	-	Request handling status
`code`	Integer	-	Response code
`message`	String	-	Response message
`result`	Array	-	List of suspicious files

Suspicious file(`result`)

The following describes result.

Field	Type	Required	Description
`suspicionFileId`	String	-	File ID
`detectionId`	String	-	Web shell behavior detection history ID
`hostName`	String	-	VM's host name
`osType`	String	-	VM's OS type
`fileOriginName`	String	-	File name
`quarantineFileName`	String	-	Name of the isolated file
`fileSize`	Integer	-	File size
`sha1`	String	-	File's SHA1 hash value
`privateIPofServer`	String	-	VM's private IP
`fileAuthority`	String	-	File's authority
`fileOwner`	String	-	File owner
`fileGroup`	String	-	File owner group
`accessTime`	Integer	-	File access date and time (timestamp)
`modifyTime`	Integer	-	File change date and time (timestamp)
`changeTime`	Integer	-	File modification date and time (timestamp)
`instanceNo`	String	-	VM's instance number
`hashScanResult`	String	-	Hash-based malware determination result `malware` \| `notMalware` `malware`: malicious `notMalware`: normal
`memo`	String	-	Notes
`memberNo`	Integer	-	Member ID for VM usage
`restoreTime`	Integer	-	File recovery date and time (timestamp)
`quarantineTime`	Integer	-	File quarantine date and time (timestamp)
`weight`	Integer	-	Score The higher the score, the more likely it is a webshell
`commandStatus`	String	-	Quarantine/recovery command handling status `restoring` \| `restored` \| `restoreFailed` \| `onQurantine` \| `quarantined` \| `quarantineFailed` `restoring`: recovering `restored`: recovery completed `restoreFailed`: recovery failed `onQurantine`: quarantine in progress `quarantined`: quarantine completed `quarantineFailed`: quarantine failed
`commandResult`	String	-	Detailed messages about the results of the quarantine/recovery command
`isRestore`	Boolean	-	Recovery status `true` \| `false` `true`: recovered `false`: not recovered
`isQuarantine`	Boolean	-	Quarantine status `true` \| `false` `true`: quarantined `false`: not quarantined
`isExcepted`	Boolean	-	Exception handling status `true` \| `false` `true`: exception handled `false`: exception not handled
`lastUpdatedTime`	Integer	-	Last detection history record date and time (timestamp)
`resultCode`	Integer	-	Quarantine/recovery command results code
`platform`	String	-	VM environment `VPC` \| `CLASSIC`
`serverName`	String	-	VM's server name
`containerName`	String	-	VM's container name
`k8sName`	String	-	Workload name Display valid values in Kubernetes environments
`k8sType`	String	-	Workload type for deployed pod Display valid values in Kubernetes environments
`podName`	String	-	Deployed pod name Display valid values in Kubernetes environments
`isDeleted`	Boolean	-	Deletion status of file `true` \| `false` `true`: deleted `false`: not deleted

Response status codes

For response status codes common to all Webshell Behavior Detector APIs, see Common Webshell Behavior Detector response status codes.

Response example

The following is a sample example.

{
    "success": true,
    "code": 0,
    "message": "success",
    "result": [
        {
            "suspicionFileId": "2024072321234500000008",
            "detectionId": "2024072321234500000010",
            "hostName": "{hostname}",
            "osType": "LINUX",
            "fileOriginName": "{web-root-path}/{suspicious-object-name}",
            "quarantineFileName": "{web-root-path}/{quarantined-object-name}",
            "fileSize": 222,
            "sha1": "********************************",
            "privateIPofServer": "***.***.***.***",
            "fileAuthority": "rw-r--r--",
            "fileOwner": "root",
            "fileGroup": "root",
            "accessTime": 1721737308457,
            "modifyTime": 1721362317000,
            "changeTime": 1721737326361,
            "instanceNo": "25****17",
            "hashScanResult": "notMalware",
            "memo": null,
            "memberNo": 26***90,
            "restoreTime": 1721737448315,
            "quarantineTime": 1721737443431,
            "weight": 29,
            "commandStatus": "restored",
            "commandResult": "OK",
            "isRestore": true,
            "isQuarantine": true,
            "isExcepted": false,
            "lastUpdatedTime": 1721737448341,
            "resultCode": 0,
            "platform": "VPC",
            "serverName": "{servername}",
            "containerName": "{containername}",
            "k8sName": "my-pod-jsp",
            "k8sType": "Pod",
            "podName": "my-pod-jsp",
            "isDeleted": false
        }
    ]
}

Was this article helpful?

What's Next

QuarantineExceptedWebshellSuspiciousObject

Table of contents

Request
Response