GetQuarantine

Available in VPC

Get suspected webshell files quarantined by the user.

Request

The following describes the request format for the endpoint. The request format is as follows:

Method	URI
GET	/api/v1/quarantines

Request headers

For information about the headers common to all Webshell Behavior Detector APIs, see Webshell Behavior Detector request headers.

Request query parameters

You can use the following query parameters with your request:

Field	Type	Required	Description
`pageIndex`	Integer	Required	Page number
`pageSize`	Integer	Required	Number of page outputs

Request example

The following is a sample request.

curl --location --request GET 'https://wbd.apigw.ntruss.com/api/v1/quarantines?pageIndex=0&pageSize=2' \
--header 'x-ncp-apigw-timestamp: {Timestamp}' \
--header 'x-ncp-iam-access-key: {Access Key}' \
--header 'x-ncp-apigw-signature-v2: {API Gateway Signature}' \
--header 'Content-Type: application/json' \
--header 'X-NCP-USE_PLATFORM_TYPE: VPC'

Response

The following describes the response format.

Response body

The following describes the response body.

Field	Type	Required	Description
`success`	Boolean	-	Request handling status
`code`	Integer	-	Response code
`message`	String	-	Response message
`result`	Array	-	List of suspicious files: result

`result`

The following describes result.

Field	Type	Required	Description
`suspicionFileId`	String	-	File ID
`detectionId`	String	-	Web shell behavior detection history ID
`hostName`	String	-	VM's host name
`osType`	String	-	VM's OS type
`fileOriginName`	String	-	File name
`quarantineFileName`	String	-	Name of the isolated file
`fileSize`	Integer	-	File size
`sha1`	String	-	File's SHA1 hash value
`privateIPofServer`	String	-	VM's private IP
`fileAuthority`	String	-	File's authority
`fileOwner`	String	-	File owner
`fileGroup`	String	-	File owner group
`accessTime`	Integer	-	File access date and time Timestamp format
`modifyTime`	Integer	-	File change date and time Timestamp format
`changeTime`	Integer	-	File modification date and time Timestamp format
`instanceNo`	String	-	VM's instance number
`hashScanResult`	String	-	Hash-based malware determination result `malware` \| `notMalware` `malware`: malicious `notMalware`: normal
`memo`	String	-	Notes
`memberNo`	Integer	-	Member ID for VM usage
`restoreTime`	Integer	-	File recovery date and time Timestamp format
`quarantineTime`	Integer	-	File quarantine date and time Timestamp format
`weight`	Integer	-	Score The higher the score, the more likely it is a webshell
`commandStatus`	String	-	Quarantine/recovery command handling status `restoring` \| `restored` \| `restoreFailed` \| `onQurantine` \| `quarantined` \| `quarantineFailed` `restoring`: recovering `restored`: recovery completed `restoreFailed`: recovery failed `onQurantine`: quarantine in progress `quarantined`: quarantine completed `quarantineFailed`: quarantine failed
`commandResult`	String	-	Detailed messages about the results of the quarantine/recovery command
`isRestore`	Boolean	-	Recovery status `true` \| `false` `true`: recovered `false`: not recovered
`isQuarantine`	Boolean	-	Quarantine status `true` \| `false` `true`: quarantined `false`: not quarantined
`isExcepted`	Boolean	-	Exception handling status `true` \| `false` `true`: exception handled `false`: exception not handled
`lastUpdatedTime`	Integer	-	Last detection history record date and time (timestamp)
`resultCode`	Integer	-	Quarantine/recovery command results code
`platform`	String	-	VM environment `VPC` \| `CLASSIC`
`serverName`	String	-	VM's server name
`containerName`	String	-	VM's container name
`k8sName`	String	-	Workload name Display valid values in Kubernetes environments
`k8sType`	String	-	Workload type for deployed pod Display valid values in Kubernetes environments
`podName`	String	-	Deployed pod name Display valid values in Kubernetes environments
`isDeleted`	Boolean	-	Deletion status of file `true` \| `false` `true`: deleted `false`: not deleted

Response status codes

For information about the HTTP status codes common to all Webshell Behavior Detector APIs, see Webshell Behavior Detector response status codes.

Response example

The following is a sample example.

{
    "success": true,
    "code": 0,
    "message": "success",
    "result": {
        "content": [
            {
                "suspicionFileId": "2024072409172700000036",
                "detectionId": "2024072409172700000036",
                "hostName": null,
                "osType": "WINDOWS",
                "fileOriginName": "{web-root-path}/{suspicious-object-name}",
                "quarantineFileName": "{web-root-path}/{quarantined-object-name}",
                "fileSize": 98,
                "sha1": "*******************************",
                "privateIPofServer": "***.***.***.***",
                "fileAuthority": "[{\"BUILTIN/Administrators\":\"(I)(F)\"},{\"BUILTIN/IIS_IUSRS\":\"(I)(RX)\"},{\"BUILTIN/Users\":\"(I)(RX)\"},{\"NT AUTHORITY/SYSTEM\":\"(I)(F)\"},{\"NT SERVICE/TrustedInstaller\":\"(I)(F)\"}]",
                "fileOwner": "S-1-5-32-544",
                "fileGroup": "S-1-5-32-544",
                "accessTime": 1721742837000,
                "modifyTime": 1721742837000,
                "changeTime": 1721742803000,
                "instanceNo": "23****68",
                "hashScanResult": "notMalware",
                "memo": null,
                "memberNo": 26***90,
                "restoreTime": 1722999457076,
                "quarantineTime": 1722999351039,
                "weight": 29,
                "commandStatus": "restored",
                "commandResult": "OK",
                "isRestore": true,
                "isQuarantine": true,
                "isExcepted": false,
                "lastUpdatedTime": 1722999457125,
                "resultCode": 0,
                "platform": "VPC",
                "serverName": "{servername}",
                "containerName": null,
                "k8sName": null,
                "k8sType": null,
                "podName": null,
                "isDeleted": false
            },
            {
                "suspicionFileId": "2024072323595800000443",
                "detectionId": "2024072323595700000436",
                "hostName": null,
                "osType": "WINDOWS",
                "fileOriginName": "{web-root-path}/{suspicious-object-name}",
                "quarantineFileName": "{web-root-path}/{quarantined-object-name}",
                "fileSize": 306,
                "sha1": "*******************************",
                "privateIPofServer": "***.***.***.***",
                "fileAuthority": "[{\"BUILTIN/Administrators\":\"(I)(F)\"},{\"BUILTIN/IIS_IUSRS\":\"(I)(RX)\"},{\"BUILTIN/Users\":\"(I)(RX)\"},{\"NT AUTHORITY/SYSTEM\":\"(I)(F)\"},{\"NT SERVICE/TrustedInstaller\":\"(I)(F)\"}]",
                "fileOwner": "S-1-5-32-544",
                "fileGroup": "S-1-5-32-544",
                "accessTime": 1721742550000,
                "modifyTime": 1721742550000,
                "changeTime": 1721742542000,
                "instanceNo": "25****97",
                "hashScanResult": "notMalware",
                "memo": null,
                "memberNo": 26***90,
                "restoreTime": 1722994883598,
                "quarantineTime": 1722994682859,
                "weight": 29,
                "commandStatus": "restored",
                "commandResult": "OK",
                "isRestore": true,
                "isQuarantine": true,
                "isExcepted": false,
                "lastUpdatedTime": 1722994883631,
                "resultCode": 0,
                "platform": "VPC",
                "serverName": "{servername}",
                "containerName": null,
                "k8sName": null,
                "k8sType": null,
                "podName": null,
                "isDeleted": false
            }
        ],
        "totalCount": 29,
        "pageSize": 2,
        "pageIndex": 0,
        "totalPages": 15
    }
}