Available in VPC
Get the history of webshell suspicious behavior detected on a resource registered for detection.
Request
The following describes the request format for the endpoint. The request format is as follows:
| Method | URI |
|---|---|
| GET | /api/v1/detections |
Request headers
For information about the headers common to all Webshell Behavior Detector APIs, see Webshell Behavior Detector request headers.
Request query parameters
You can use the following query parameters with your request:
| Field | Type | Required | Description |
|---|---|---|---|
pageIndex |
Integer | Required | Page number |
pageSize |
Integer | Required | Number of page outputs |
Request example
The following is a sample request.
curl --location --request GET 'https://wbd.apigw.ntruss.com/api/v1/detections?pageIndex=1&pageSize=3' \
--header 'x-ncp-apigw-timestamp: {Timestamp}' \
--header 'x-ncp-iam-access-key: {Access Key}' \
--header 'x-ncp-apigw-signature-v2: {API Gateway Signature}' \
--header 'Content-Type: application/json' \
--header 'X-NCP-USE_PLATFORM_TYPE: VPC'
Response
The following describes the response format.
Response body
The following describes the response body.
| Field | Type | Required | Description |
|---|---|---|---|
success |
Boolean | - | Request handling status |
code |
Integer | - | Response code |
message |
String | - | Response message |
result |
Object | - | Response result |
content |
Array | - | List of web shell behavior detection history: content |
totalCount |
Integer | - | Number of response results |
pageSize |
Integer | - | Number of page outputs |
pageIndex |
Integer | - | Page number |
totalPages |
Integer | - | Total number of pages |
content
The following describes content.
| Field | Type | Required | Description |
|---|---|---|---|
detectionId |
String | - | Web shell behavior detection history ID |
instanceNo |
String | - | VM's instance number |
hostName |
String | - | VM's host name |
serverName |
String | - | VM's server name |
containerName |
String | - | VM's container name |
privateIPofServer |
String | - | VM's private IP |
command |
String | - | File execution command |
processName |
String | - | Process name |
processArg |
String | - | Process argument value |
processId |
String | - | Process ID |
executor |
String | - | Process account |
processIdOfParent |
String | - | Parent process ID |
processNameOfParent |
String | - | Parent process name |
processArgOfParent |
String | - | Parent process argument value |
executorOfParent |
String | - | Parent process account |
uid |
String | - | Detection process UID |
euid |
String | - | Process EUID |
gid |
String | - | Process GID |
egid |
String | - | Process EGID |
actionStatus |
String | - | Response status for the issue
|
memo |
String | - | Notes |
actionTime |
Integer | - | Webshell behavior occurrence date and time
|
detectTime |
Integer | - | Webshell behavior detection date and time
|
collectTime |
Integer | - | Webshell behavior collection date and time
|
lastUpdatedTime |
Integer | - | Last detection history record date and time
|
isChecked |
Boolean | - | Verification status for detection history
|
memberNo |
Integer | - | Member ID for VM usage |
detectionRuleId |
String | - | Detection policy ID |
suspicionFiles |
Array | - | List of suspicious files: suspicionFiles |
suspicionIps |
Array | - | List of suspicious IPs: suspicionIps |
osType |
String | - | VM's OS type |
suspicionFiles
The following describes suspicionFiles.
| Field | Type | Required | Description |
|---|---|---|---|
suspicionFileId |
String | - | File ID |
fileOriginName |
String | - | File name |
fileOwner |
String | - | File owner |
weight |
Integer | - | Score
|
accessTime |
Integer | - | File access date and time
|
modifyTime |
Integer | - | File change date and time
|
changeTime |
Integer | - | File modification date and time
|
detectionId |
String | - | Web shell behavior detection history ID |
suspicionIps
The following describes suspicionIps.
| Field | Type | Required | Description |
|---|---|---|---|
suspicionIpId |
String | - | Suspicious IP's ID |
detectionId |
String | - | Web shell behavior detection history ID |
suspicionIp |
String | - | Suspicious IP |
country |
String | - | Suspicious IP's country |
platform |
String | - | VM environment
|
Response status codes
For information about the HTTP status codes common to all Webshell Behavior Detector APIs, see Webshell Behavior Detector response status codes.
Response example
The following is a sample example.
{
"success": true,
"code": 0,
"message": "success",
"result": {
"content": [
{
"detectionId": "2024072323595700000436",
"instanceNo": "25****97",
"hostName": "{hostname}",
"serverName": "{servername}",
"containerName": "",
"privateIPofServer": "***.***.***.***",
"command": "{command}",
"processName": "{process}",
"processArg": "{process-and-arguments}",
"processId": "{command-process-id}",
"executor": "DefaultAppPool",
"processIdOfParent": "{command-process-id}",
"processNameOfParent": "{process}",
"processArgOfParent": "{process-and-arguments}",
"executorOfParent": "DefaultAppPool",
"uid": "33",
"euid": "33",
"gid": "33",
"egid": "33",
"actionStatus": "confirmed",
"actionTime": 1721742708822,
"detectTime": 1721740066493,
"collectTime": 1721740067452,
"lastUpdatedTime": 1721742708822,
"isChecked": true,
"memberNo": 26***90,
"detectionRuleId": "2024072318114600000013",
"suspicionFiles": [
{
"suspicionFileId": "2024072323595800000443",
"fileOriginName": "{web-root-path}/{suspicious-object-name}",
"fileOwner": "S-1-5-32-544",
"weight": 29,
"accessTime": 1721742550000,
"modifyTime": 1721742550000,
"changeTime": 1721742542000,
"detectionId": "2024072323595700000436"
}
],
"suspicionIps": [
{
"suspicionIpId": "2024072323595800000386",
"detectionId": "2024072323595700000436",
"suspicionIp": "***.***.***.***",
"country": "KR",
"platform": "VPC"
}
],
"osType": "LINUX"
}
],
"totalCount": 51,
"pageSize": 1,
"pageIndex": 22,
"totalPages": 51
}
}