GetWebshell
- Print
- PDF
GetWebshell
- Print
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
Available in VPC
Get the history of webshell suspicious behavior detected on a resource registered for detection.
Request
The following describes the request format for the endpoint. The request format is as follows:
| Method | URI |
|---|---|
| GET | /detections |
Request headers
For headers common to all Webshell Behavior Detector APIs, see Common Webshell Behavior Detector headers.
Request query parameters
The following describes the parameters.
| Field | Type | Required | Description |
|---|---|---|---|
pageIndex | Integer | Required | Page number |
pageSize | Integer | Required | Number of page outputs |
Request example
The following is a sample request.
curl --location --request GET 'https://wbd.apigw.ntruss.com/api/v1/detections?pageIndex=1&pageSize=3' \
--header 'x-ncp-apigw-timestamp: {Timestamp}' \
--header 'x-ncp-iam-access-key: {Access Key}' \
--header 'x-ncp-apigw-signature-v2: {API Gateway Signature}' \
--header 'Content-Type: application/json' \
--header 'X-NCP-USE_PLATFORM_TYPE: VPC'
Response
The following describes the response format.
Response body
The following describes the response body.
| Field | Type | Required | Description |
|---|---|---|---|
success | Boolean | - | Request handling status |
code | Integer | - | Response code |
message | String | - | Response message |
result | Object | - | Response result |
content | Array | - | List of web shell behavior detection history |
totalCount | Integer | - | Number of response results |
pageSize | Integer | - | Number of page outputs |
pageIndex | Integer | - | Page number |
totalPages | Integer | - | Total number of pages |
content
The following describes content.
| Field | Type | Required | Description |
|---|---|---|---|
detectionId | String | - | Web shell behavior detection history ID |
instanceNo | String | - | VM's instance number |
hostName | String | - | VM's host name |
serverName | String | - | VM's server name |
containerName | String | - | VM's container name |
privateIPofServer | String | - | VM's private IP |
command | String | - | File execution command |
processName | String | - | Process name |
processArg | String | - | Process argument value |
processId | String | - | Process ID |
executor | String | - | Process account |
processIdOfParent | String | - | Parent process ID |
processNameOfParent | String | - | Parent process name |
processArgOfParent | String | - | Parent process argument value |
executorOfParent | String | - | Parent process account |
uid | String | - | Detection process UID |
euid | String | - | Process EUID |
gid | String | - | Process GID |
egid | String | - | Process EGID |
actionStatus | String | - | Response status for the issue
|
memo | String | - | Notes |
actionTime | Integer | - | Webshell behavior occurrence date and time (timestamp) |
detectTime | Integer | - | Webshell behavior detection date and time (timestamp) |
collectTime | Integer | - | Webshell behavior collection date and time (timestamp) |
lastUpdatedTime | Integer | - | Last detection history record date and time (timestamp) |
isChecked | Boolean | - | Verification status for detection history
|
memberNo | Integer | - | Member ID for VM usage |
detectionRuleId | String | - | Detection policy ID |
suspicionFiles | Array | - | List of suspicious files |
suspicionIps | Array | - | List of suspicious IPs |
osType | String | - | VM's OS type |
suspicionFiles
The following describes suspicionFiles.
| Field | Type | Required | Description |
|---|---|---|---|
suspicionFileId | String | - | File ID |
fileOriginName | String | - | File name |
fileOwner | String | - | File owner |
weight | Integer | - | Score
|
accessTime | Integer | - | File access date and time (timestamp) |
modifyTime | Integer | - | File change date and time (timestamp) |
changeTime | Integer | - | File modification date and time (timestamp) |
detectionId | String | - | Web shell behavior detection history ID |
suspicionIps
The following describes suspicionIps.
| Field | Type | Required | Description |
|---|---|---|---|
suspicionIpId | String | - | Suspicious IP's ID |
detectionId | String | - | Web shell behavior detection history ID |
suspicionIp | String | - | Suspicious IP |
country | String | - | Suspicious IP's country |
platform | String | - | VM environment
|
Response status codes
For response status codes common to all Webshell Behavior Detector APIs, see Common Webshell Behavior Detector response status codes.
Response example
The following is a sample example.
{
"success": true,
"code": 0,
"message": "success",
"result": {
"content": [
{
"detectionId": "2024072323595700000436",
"instanceNo": "25****97",
"hostName": "{hostname}",
"serverName": "{servername}",
"containerName": "",
"privateIPofServer": "***.***.***.***",
"command": "{command}",
"processName": "{process}",
"processArg": "{process-and-arguments}",
"processId": "{command-process-id}",
"executor": "DefaultAppPool",
"processIdOfParent": "{command-process-id}",
"processNameOfParent": "{process}",
"processArgOfParent": "{process-and-arguments}",
"executorOfParent": "DefaultAppPool",
"uid": "33",
"euid": "33",
"gid": "33",
"egid": "33",
"actionStatus": "confirmed",
"actionTime": 1721742708822,
"detectTime": 1721740066493,
"collectTime": 1721740067452,
"lastUpdatedTime": 1721742708822,
"isChecked": true,
"memberNo": 26***90,
"detectionRuleId": "2024072318114600000013",
"suspicionFiles": [
{
"suspicionFileId": "2024072323595800000443",
"fileOriginName": "{web-root-path}/{suspicious-object-name}",
"fileOwner": "S-1-5-32-544",
"weight": 29,
"accessTime": 1721742550000,
"modifyTime": 1721742550000,
"changeTime": 1721742542000,
"detectionId": "2024072323595700000436"
}
],
"suspicionIps": [
{
"suspicionIpId": "2024072323595800000386",
"detectionId": "2024072323595700000436",
"suspicionIp": "***.***.***.***",
"country": "KR",
"platform": "VPC"
}
],
"osType": "LINUX"
}
],
"totalCount": 51,
"pageSize": 1,
"pageIndex": 22,
"totalPages": 51
}
}
Was this article helpful?