GetWebshellSuspiciousObject

Article summary

Did you find this summary helpful?

Thank you for your feedback

Available in VPC

Get detailed information about the desired file in the webshell behavior detection history.

Request

The following describes the request format for the endpoint. The request format is as follows:

Method	URI
GET	/detections/{detection-id}/suspicious-objects

Request headers

For headers common to all Webshell Behavior Detector APIs, see Common Webshell Behavior Detector headers.

Request path parameters

The following describes the parameters.

Field	Type	Required	Description
`detection-id`	String	Required	Webshell behavior detection history ID Check through GetWebshell

Request example

The following is a sample request.

curl --location --request GET 'https://wbd.apigw.ntruss.com/api/v1/detections/2024072323595700000436/suspicious-objects' \
--header 'x-ncp-apigw-timestamp: {Timestamp}' \
--header 'x-ncp-iam-access-key: {Access Key}' \
--header 'x-ncp-apigw-signature-v2: {API Gateway Signature}' \
--header 'Content-Type: application/json' \
--header 'X-NCP-USE_PLATFORM_TYPE: VPC'

Response

The following describes the response format.

Response body

The following describes the response body.

Field	Type	Required	Description
`success`	Boolean	-	Request handling status
`code`	Integer	-	Response code
`message`	String	-	Response message
`result`	Array	-	List of suspicious files

`result`

The following describes result.

Field	Type	Required	Description
`suspicionFileId`	String	-	File ID
`detectionId`	String	-	Web shell behavior detection history ID
`hostName`	String	-	VM's host name
`osType`	String	-	VM's OS type
`fileOriginName`	String	-	File name
`quarantineFileName`	String	-	Name of the isolated file
`fileSize`	Integer	-	File size
`sha1`	String	-	File's SHA1 hash value
`privateIPofServer`	String	-	VM's private IP
`fileAuthority`	String	-	File's authority
`fileOwner`	String	-	File owner
`fileGroup`	String	-	File owner group
`accessTime`	Integer	-	File access date and time (timestamp)
`modifyTime`	Integer	-	File change date and time (timestamp)
`changeTime`	Integer	-	File modification date and time (timestamp)
`instanceNo`	String	-	VM's instance number
`hashScanResult`	String	-	Hash-based malware determination result `malware` \| `notMalware` `malware`: malicious `notMalware`: normal
`memo`	String	-	Notes
`memberNo`	Integer	-	Member ID for VM usage
`restoreTime`	Integer	-	File recovery date and time (timestamp)
`quarantineTime`	Integer	-	File quarantine date and time (timestamp)
`weight`	Integer	-	Score The higher the score, the more likely it is a webshell
`commandStatus`	String	-	Quarantine/recovery command handling status `restoring` \| `restored` \| `restoreFailed` \| `onQurantine` \| `quarantined` \| `quarantineFailed` `restoring`: recovering `restored`: recovery completed `restoreFailed`: recovery failed `onQurantine`: quarantine in progress `quarantined`: quarantine completed `quarantineFailed`: quarantine failed
`commandResult`	String	-	Detailed messages about the results of the quarantine/recovery command
`isRestore`	Boolean	-	Recovery status `true` \| `false` `true`: recovered `false`: not recovered
`isQuarantine`	Boolean	-	Quarantine status `true` \| `false` `true`: quarantined `false`: not quarantined
`isExcepted`	Boolean	-	Exception handling status `true` \| `false` `true`: exception handled `false`: exception not handled
`lastUpdatedTime`	Integer	-	Last detection history record date and time (timestamp)
`resultCode`	Integer	-	Quarantine/recovery command results code
`platform`	String	-	VM environment `VPC` \| `CLASSIC`
`serverName`	String	-	VM's server name
`containerName`	String	-	VM's container name
`k8sName`	String	-	Workload name Display valid values in Kubernetes environments
`k8sType`	String	-	Workload type for deployed pod Display valid values in Kubernetes environments
`podName`	String	-	Deployed pod name Display valid values in Kubernetes environments
`isDeleted`	Boolean	-	Deletion status of file `true` \| `false` `true`: deleted `false`: not deleted

Response status codes

For response status codes common to all Webshell Behavior Detector APIs, see Common Webshell Behavior Detector response status codes.

Response example

The following is a sample example.

{
    "success": true,
    "code": 0,
    "message": "success",
    "result": [
        {
            "suspicionFileId": "2024072323595800000443",
            "detectionId": "2024072323595700000436",
            "hostName": null,
            "osType": "WINDOWS",
            "fileOriginName": "{web-root-path}/{suspicious-object-name}",
            "quarantineFileName": null,
            "fileSize": 306,
            "sha1": "***************************",
            "privateIPofServer": "***.***.***.***",
            "fileAuthority": "[{\"BUILTIN/Administrators\":\"(I)(F)\"},{\"BUILTIN/IIS_IUSRS\":\"(I)(RX)\"},{\"BUILTIN/Users\":\"(I)(RX)\"},{\"NT AUTHORITY/SYSTEM\":\"(I)(F)\"},{\"NT SERVICE/TrustedInstaller\":\"(I)(F)\"}]",
            "fileOwner": "S-1-5-32-544",
            "fileGroup": "S-1-5-32-544",
            "accessTime": 1721742550000,
            "modifyTime": 1721742550000,
            "changeTime": 1721742542000,
            "instanceNo": "25****97",
            "hashScanResult": "notMalware",
            "memo": null,
            "memberNo": 26***90,
            "restoreTime": null,
            "quarantineTime": null,
            "weight": 29,
            "commandStatus": null,
            "commandResult": null,
            "isRestore": false,
            "isQuarantine": false,
            "isExcepted": false,
            "lastUpdatedTime": 1721746798057,
            "resultCode": null,
            "platform": "VPC",
            "serverName": "{servername}",
            "containerName": null,
            "k8sName": null,
            "k8sType": null,
            "podName": null,
            "isDeleted": false
        }
    ]
}

Was this article helpful?

What's Next

QuarantineWebshellSuspiciousObject

Table of contents

Request
Response