GetWebshellSuspiciousObject


        Available in VPC

Gets detailed information about the suspicious files recorded in a webshell behavior detection history entry.

        Request

The request format for the endpoint is as follows:

Method | URI
GET | /detections/{detection-id}/suspicious-objects

        Request headers

        For headers common to all Webshell Behavior Detector APIs, see Common Webshell Behavior Detector headers.

        Request path parameters

The following describes the path parameters.

Field | Type | Required | Description
detection-id | String | Required | Webshell behavior detection history ID

        Request example

        The following is a sample request.

        curl --location --request GET 'https://wbd.apigw.ntruss.com/api/v1/detections/2024072323595700000436/suspicious-objects' \
        --header 'x-ncp-apigw-timestamp: {Timestamp}' \
        --header 'x-ncp-iam-access-key: {Access Key}' \
        --header 'x-ncp-apigw-signature-v2: {API Gateway Signature}' \
        --header 'Content-Type: application/json' \
        --header 'X-NCP-USE_PLATFORM_TYPE: VPC'
        Shell

        Response

        The following describes the response format.

        Response body

        The following describes the response body.

Field | Type | Required | Description
success | Boolean | - | Request handling status
code | Integer | - | Response code
message | String | - | Response message
result | Array | - | List of suspicious files

        result

        The following describes result.

Field | Type | Required | Description
suspicionFileId | String | - | File ID
detectionId | String | - | Webshell behavior detection history ID
hostName | String | - | VM's host name
osType | String | - | VM's OS type
fileOriginName | String | - | Original path and name of the file
quarantineFileName | String | - | Name of the quarantined copy of the file (null if the file has not been quarantined)
fileSize | Integer | - | File size
sha1 | String | - | SHA-1 hash of the file
privateIPofServer | String | - | VM's private IP
fileAuthority | String | - | File permissions (on Windows, a JSON-encoded array of ACL entries per principal, as in the example below)
fileOwner | String | - | File owner (a SID on Windows)
fileGroup | String | - | File owner group (a SID on Windows)
accessTime | Integer | - | File last access date and time (Unix timestamp in milliseconds)
modifyTime | Integer | - | File last modification date and time (Unix timestamp in milliseconds)
changeTime | Integer | - | File last status change date and time (Unix timestamp in milliseconds)
instanceNo | String | - | VM's instance number
hashScanResult | String | - | Hash-based malware determination result
  • malware | notMalware
    • malware: malicious
    • notMalware: normal
memo | String | - | Notes
memberNo | Integer | - | Member number of the account that owns the VM
restoreTime | Integer | - | File recovery date and time (Unix timestamp in milliseconds; null if never recovered)
quarantineTime | Integer | - | File quarantine date and time (Unix timestamp in milliseconds; null if never quarantined)
weight | Integer | - | Score
  • The higher the score, the more likely the file is a webshell
commandStatus | String | - | Quarantine/recovery command handling status (null if no command has been issued)
  • restoring | restored | restoreFailed | onQurantine | quarantined | quarantineFailed (literal values as returned; match them exactly, including the spelling of onQurantine)
    • restoring: recovery in progress
    • restored: recovery completed
    • restoreFailed: recovery failed
    • onQurantine: quarantine in progress
    • quarantined: quarantine completed
    • quarantineFailed: quarantine failed
commandResult | String | - | Detailed message about the result of the quarantine/recovery command
isRestore | Boolean | - | Recovery status
  • true | false
    • true: recovered
    • false: not recovered
isQuarantine | Boolean | - | Quarantine status
  • true | false
    • true: quarantined
    • false: not quarantined
isExcepted | Boolean | - | Exception handling status
  • true | false
    • true: excluded from detection (exception handled)
    • false: not excluded
lastUpdatedTime | Integer | - | Date and time the detection record was last updated (Unix timestamp in milliseconds)
resultCode | Integer | - | Result code of the quarantine/recovery command (null if no command has been issued)
platform | String | - | VM environment
  • VPC | CLASSIC
serverName | String | - | VM's server name
containerName | String | - | VM's container name (null outside container environments)
k8sName | String | - | Workload name
  • Populated only in Kubernetes environments (null otherwise)
k8sType | String | - | Workload type of the deployed pod
  • Populated only in Kubernetes environments (null otherwise)
podName | String | - | Deployed pod name
  • Populated only in Kubernetes environments (null otherwise)
isDeleted | Boolean | - | Deletion status of the file
  • true | false
    • true: deleted
    • false: not deleted

All date and time fields are Unix timestamps in milliseconds (13-digit values, as in the example below), so divide by 1000 before converting. In the example the host is Windows and changeTime precedes modifyTime, so do not assume POSIX ctime semantics for changeTime across OS types; compare the three timestamps against the web server's deployment history rather than against each other when deciding whether a file was dropped or backdated.

        Response status codes

        For response status codes common to all Webshell Behavior Detector APIs, see Common Webshell Behavior Detector response status codes.

        Response example

The following is a sample response.

        {
            "success": true,
            "code": 0,
            "message": "success",
            "result": [
                {
                    "suspicionFileId": "2024072323595800000443",
                    "detectionId": "2024072323595700000436",
                    "hostName": null,
                    "osType": "WINDOWS",
                    "fileOriginName": "{web-root-path}/{suspicious-object-name}",
                    "quarantineFileName": null,
                    "fileSize": 306,
                    "sha1": "***************************",
                    "privateIPofServer": "***.***.***.***",
                    "fileAuthority": "[{\"BUILTIN/Administrators\":\"(I)(F)\"},{\"BUILTIN/IIS_IUSRS\":\"(I)(RX)\"},{\"BUILTIN/Users\":\"(I)(RX)\"},{\"NT AUTHORITY/SYSTEM\":\"(I)(F)\"},{\"NT SERVICE/TrustedInstaller\":\"(I)(F)\"}]",
                    "fileOwner": "S-1-5-32-544",
                    "fileGroup": "S-1-5-32-544",
                    "accessTime": 1721742550000,
                    "modifyTime": 1721742550000,
                    "changeTime": 1721742542000,
                    "instanceNo": "25****97",
                    "hashScanResult": "notMalware",
                    "memo": null,
                    "memberNo": 26***90,
                    "restoreTime": null,
                    "quarantineTime": null,
                    "weight": 29,
                    "commandStatus": null,
                    "commandResult": null,
                    "isRestore": false,
                    "isQuarantine": false,
                    "isExcepted": false,
                    "lastUpdatedTime": 1721746798057,
                    "resultCode": null,
                    "platform": "VPC",
                    "serverName": "{servername}",
                    "containerName": null,
                    "k8sName": null,
                    "k8sType": null,
                    "podName": null,
                    "isDeleted": false
                }
            ]
        }
        JSON
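The request and response sections above are tied together in the following added example, which is editor-written illustration code and not NCP's own SDK or client. It builds the five request headers shown in the curl sample (the x-ncp-apigw-signature-v2 value is an HMAC-SHA256 over "METHOD URI\ntimestamp\naccess key", base64-encoded, with the URI taken from after the host, including the /api/v1 prefix), converts the millisecond timestamps, and triages the result list so that only files that are still on disk and not yet quarantined or excepted are surfaced. The SAMPLE_RESPONSE data is constructed to mirror the documented shape, and the weight threshold of 50 in needs_action is an assumed value, not one defined by NCP.

```python
"""Added example (not NCP's code): sign a GetWebshellSuspiciousObject request
and triage the returned suspicious-object list. The signature v2 message
format and the weight threshold below are assumptions, not page-documented."""
import base64
import hashlib
import hmac
import json
import time
from datetime import datetime, timezone
from urllib.request import Request, urlopen

API_HOST = "https://wbd.apigw.ntruss.com"
API_PATH = "/api/v1/detections/{detection_id}/suspicious-objects"


def signing_message(method: str, uri: str, timestamp_ms: str, access_key: str) -> str:
    """String the signature is computed over. `uri` is everything after the
    host: the /api/v1 prefix, the path and any query string."""
    return f"{method} {uri}\n{timestamp_ms}\n{access_key}"


def make_signature(method: str, uri: str, timestamp_ms: str,
                   access_key: str, secret_key: str) -> str:
    """HMAC-SHA256 of the signing message keyed with the secret key, base64."""
    msg = signing_message(method, uri, timestamp_ms, access_key).encode("utf-8")
    digest = hmac.new(secret_key.encode("utf-8"), msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_headers(method: str, uri: str, access_key: str, secret_key: str,
                  timestamp_ms=None) -> dict:
    """The headers the curl sample sends, with the signature filled in."""
    ts = timestamp_ms or str(int(time.time() * 1000))
    return {
        "x-ncp-apigw-timestamp": ts,
        "x-ncp-iam-access-key": access_key,
        "x-ncp-apigw-signature-v2": make_signature(method, uri, ts, access_key, secret_key),
        "Content-Type": "application/json",
        "X-NCP-USE_PLATFORM_TYPE": "VPC",
    }


def fetch_suspicious_objects(detection_id: str, access_key: str, secret_key: str) -> dict:
    """Live call: needs network access and real credentials, so it is not run here."""
    uri = API_PATH.format(detection_id=detection_id)
    req = Request(API_HOST + uri, headers=build_headers("GET", uri, access_key, secret_key),
                  method="GET")
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def ms_to_iso(ms):
    """Response timestamps are epoch milliseconds (13 digits); None stays None."""
    if ms is None:
        return None
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def needs_action(obj: dict, weight_threshold: int = 50) -> bool:
    """True for objects an analyst still has to deal with: hash-confirmed malware
    or a high heuristic weight, still on disk and neither quarantined nor
    excepted. The threshold is an assumed value, not an NCP-defined one."""
    if obj.get("isDeleted") or obj.get("isQuarantine") or obj.get("isExcepted"):
        return False
    return obj.get("hashScanResult") == "malware" or (obj.get("weight") or 0) >= weight_threshold


def triage(response: dict) -> list:
    """Fail loudly on an unsuccessful envelope, otherwise flatten each object."""
    if not response.get("success"):
        raise RuntimeError(f"API error code={response.get('code')}: {response.get('message')}")
    return [
        {
            "suspicionFileId": o["suspicionFileId"],
            "file": o.get("fileOriginName"),
            "sha1": o.get("sha1"),
            "weight": o.get("weight"),
            "hashScanResult": o.get("hashScanResult"),
            "modified": ms_to_iso(o.get("modifyTime")),
            "commandStatus": o.get("commandStatus"),
            "needs_action": needs_action(o),
        }
        for o in response.get("result", [])
    ]


# Constructed sample response shaped like the documented example; values are invented.
SAMPLE_RESPONSE = {
    "success": True, "code": 0, "message": "success",
    "result": [
        {"suspicionFileId": "1", "detectionId": "d1", "fileOriginName": "C:/inetpub/wwwroot/up.aspx",
         "sha1": "a" * 40, "weight": 29, "hashScanResult": "notMalware", "modifyTime": 1721742550000,
         "isDeleted": False, "isQuarantine": False, "isExcepted": False, "commandStatus": None},
        {"suspicionFileId": "2", "detectionId": "d1", "fileOriginName": "/var/www/html/cmd.php",
         "sha1": "b" * 40, "weight": 91, "hashScanResult": "malware", "modifyTime": 1721742542000,
         "isDeleted": False, "isQuarantine": False, "isExcepted": False, "commandStatus": None},
        {"suspicionFileId": "3", "detectionId": "d1", "fileOriginName": "/var/www/html/c99.php",
         "sha1": "c" * 40, "weight": 88, "hashScanResult": "malware", "modifyTime": 1721742542000,
         "isDeleted": False, "isQuarantine": True, "isExcepted": False, "commandStatus": "quarantined"},
    ],
}

if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE):
        print(row)
```

Only the second constructed object is flagged: the first is below the threshold and not hash-confirmed, and the third is already quarantined. Keep the secret key out of the signing-message string itself (it is the HMAC key, never part of the message), and reject responses whose success flag is false before reading result, since an empty list and an authorization failure are otherwise easy to confuse.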
