SearchWebshell
Available in VPC
Search for the desired item in the saved webshell behavior detection history.
Request
The following describes the request format for the endpoint.
Method | URI |
---|---|
POST | /detections |
Request headers
For headers common to all Webshell Behavior Detector APIs, see Common Webshell Behavior Detector headers.
Request body
The following describes the request body.
Field | Type | Required | Description |
---|---|---|---|
actionStatus | String | Optional | Response status for the issue |
detectTimeFrom | Integer | Optional | Search start date and time (timestamp) |
detectTimeTo | Integer | Optional | Search end date and time (timestamp) |
executor | String | Optional | Process account |
executorOfParent | String | Optional | Parent process account |
hostName | String | Optional | VM's host name |
memo | String | Optional | Notes |
pageIndex | Integer | Required | Page number |
pageSize | Integer | Required | Number of page outputs |
privateIPofServer | String | Optional | VM's private IP |
processArg | String | Optional | Process argument value |
processArgOfParent | String | Optional | Parent process argument value |
processName | String | Optional | Process name |
processNameOfParent | String | Optional | Parent process name |
serverName | String | Optional | VM's server name |
suspiciousIP | String | Optional | Suspicious IP |
Request example
The following is a sample request.
```bash
curl --location --request POST 'https://wbd.apigw.ntruss.com/api/v1/detections' \
  --header 'x-ncp-apigw-timestamp: {Timestamp}' \
  --header 'x-ncp-iam-access-key: {Access Key}' \
  --header 'x-ncp-apigw-signature-v2: {API Gateway Signature}' \
  --header 'Content-Type: application/json' \
  --header 'X-NCP-USE_PLATFORM_TYPE: VPC' \
  --data '{
    "detectTimeFrom": 0,
    "detectTimeTo": 0,
    "executor": "DefaultAppPool",
    "pageIndex": 1,
    "pageSize": 2,
    "suspiciousIP": "***.***.***.***"
  }'
```
Response
The following describes the response format.
Response body
The following describes the response body.
Field | Type | Required | Description |
---|---|---|---|
success | Boolean | - | Request handling status |
code | Integer | - | Response code |
message | String | - | Response message |
result | Object | - | Response result |
content | Array | - | List of web shell behavior detection history |
totalCount | Integer | - | Number of response results |
pageSize | Integer | - | Number of page outputs |
pageIndex | Integer | - | Page number |
totalPages | Integer | - | Total number of pages |
content
The following describes content.
Field | Type | Required | Description |
---|---|---|---|
detectionId | String | - | Web shell behavior detection history ID |
instanceNo | String | - | VM's instance number |
hostName | String | - | VM's host name |
serverName | String | - | VM's server name |
containerName | String | - | VM's container name |
privateIPofServer | String | - | VM's private IP |
command | String | - | File execution command |
processName | String | - | Process name |
processArg | String | - | Process argument value |
processId | String | - | Process ID |
executor | String | - | Process account |
processIdOfParent | String | - | Parent process ID |
processNameOfParent | String | - | Parent process name |
processArgOfParent | String | - | Parent process argument value |
executorOfParent | String | - | Parent process account |
uid | String | - | Detection process UID |
euid | String | - | Process EUID |
gid | String | - | Process GID |
egid | String | - | Process EGID |
actionStatus | String | - | Response status for the issue |
memo | String | - | Notes |
actionTime | Integer | - | Webshell behavior occurrence date and time (timestamp) |
detectTime | Integer | - | Webshell behavior detection date and time (timestamp) |
collectTime | Integer | - | Webshell behavior collection date and time (timestamp) |
lastUpdatedTime | Integer | - | Last detection history record date and time (timestamp) |
isChecked | Boolean | - | Verification status for detection history |
memberNo | Integer | - | Member ID for VM usage |
detectionRuleId | String | - | Detection policy ID |
suspicionFiles | Array | - | List of suspicious files |
suspicionIps | Array | - | List of suspicious IPs |
osType | String | - | VM's OS type |
suspicionFiles
The following describes suspicionFiles.
Field | Type | Required | Description |
---|---|---|---|
suspicionFileId | String | - | File ID |
fileOriginName | String | - | File name |
fileOwner | String | - | File owner |
weight | Integer | - | Score |
accessTime | Integer | - | File access date and time (timestamp) |
modifyTime | Integer | - | File change date and time (timestamp) |
changeTime | Integer | - | File modification date and time (timestamp) |
detectionId | String | - | Web shell behavior detection history ID |
suspicionIps
The following describes suspicionIps.
Field | Type | Required | Description |
---|---|---|---|
suspicionIpId | String | - | Suspicious IP's ID |
detectionId | String | - | Web shell behavior detection history ID |
suspicionIp | String | - | Suspicious IP |
country | String | - | Suspicious IP's country |
platform | String | - | VM environment |
Response status codes
For response status codes common to all Webshell Behavior Detector APIs, see Common Webshell Behavior Detector response status codes.
Response example
The following is a sample response.
```json
{
  "success": true,
  "code": 0,
  "message": "success",
  "result": {
    "content": [
      {
        "detectionId": "2024072323585700000434",
        "instanceNo": "25****97",
        "serverName": "{servername}",
        "privateIPofServer": "***.***.***.***",
        "command": "{command}",
        "processName": "{process}",
        "processArg": "{process-and-arguments}",
        "processId": "{command-process-id}",
        "executor": "DefaultAppPool",
        "processIdOfParent": "{command-process-id}",
        "processNameOfParent": "{process}",
        "processArgOfParent": "{process-and-arguments}",
        "executorOfParent": "DefaultAppPool",
        "uid": "{uid}",
        "euid": "0",
        "gid": "",
        "egid": "0",
        "actionStatus": "blank",
        "detectTime": 1721746705146,
        "collectTime": 1721746738108,
        "lastUpdatedTime": 1721746738108,
        "isChecked": false,
        "memberNo": 26***90,
        "detectionRuleId": "2024072318114600000013",
        "suspicionIps": [
          {
            "suspicionIpId": "2024072323585800000384",
            "detectionId": "2024072323585700000434",
            "suspicionIp": "***.***.***.***",
            "country": "KR",
            "platform": "VPC"
          }
        ],
        "osType": "WINDOWS"
      },
      {
        "detectionId": "2024072323575700000433",
        "instanceNo": "25****97",
        "serverName": "{servername}",
        "privateIPofServer": "***.***.***.***",
        "command": "{command}",
        "processName": "{process}",
        "processArg": "{process-and-arguments}",
        "processId": "{command-process-id}",
        "executor": "DefaultAppPool",
        "processIdOfParent": "{command-process-id}",
        "processNameOfParent": "{process}",
        "processArgOfParent": "{process-and-arguments}",
        "executorOfParent": "DefaultAppPool",
        "uid": "{uid}",
        "euid": "0",
        "gid": "",
        "egid": "0",
        "actionStatus": "blank",
        "detectTime": 1721746675977,
        "collectTime": 1721746678163,
        "lastUpdatedTime": 1721746678163,
        "isChecked": false,
        "memberNo": 26***90,
        "detectionRuleId": "2024072318114600000013",
        "suspicionIps": [
          {
            "suspicionIpId": "2024072323575800000383",
            "detectionId": "2024072323575700000433",
            "suspicionIp": "***.***.***.***",
            "country": "KR",
            "platform": "VPC"
          }
        ],
        "osType": "WINDOWS"
      }
    ],
    "totalCount": 11,
    "pageSize": 2,
    "pageIndex": 1,
    "totalPages": 6
  }
}
```
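As an added example that is not part of this documentation or the Webshell Behavior Detector product, the following Python client builds the signed request described above, walks pageIndex from 1 to totalPages, and picks out unreviewed detections whose process ran with EUID 0. It assumes the x-ncp-apigw-signature-v2 header uses NCP's API Gateway v2 HMAC-SHA256 scheme (not described on this page); the HTTP transport is injected, and sample_post with its page data are constructed stand-ins so the block runs offline.

```python
import base64, hashlib, hmac, json, time

URI = "/api/v1/detections"  # endpoint path from the page (host: wbd.apigw.ntruss.com)

def sign_v2(method, uri, timestamp_ms, access_key, secret_key):
    # Assumed NCP API Gateway v2 scheme (not described on this page): base64(HMAC-SHA256(secret, msg)).
    msg = f"{method} {uri}\n{timestamp_ms}\n{access_key}".encode()
    return base64.b64encode(hmac.new(secret_key.encode(), msg, hashlib.sha256).digest()).decode()

def build_request(body, access_key, secret_key, timestamp_ms=None):
    # Header names are those in the page's curl sample; the timestamp is epoch milliseconds.
    ts = str(timestamp_ms if timestamp_ms is not None else int(time.time() * 1000))
    headers = {"x-ncp-apigw-timestamp": ts, "x-ncp-iam-access-key": access_key,
               "x-ncp-apigw-signature-v2": sign_v2("POST", URI, ts, access_key, secret_key),
               "Content-Type": "application/json", "X-NCP-USE_PLATFORM_TYPE": "VPC"}
    return headers, json.dumps(body)

def search_all(post, filters, access_key, secret_key, page_size=50):
    # Walks pageIndex 1..totalPages; post(headers, body_json) -> parsed response dict (transport injected).
    rows, page = [], 1
    while True:
        headers, data = build_request(dict(filters, pageIndex=page, pageSize=page_size), access_key, secret_key)
        resp = post(headers, data)
        if not resp.get("success"):
            raise RuntimeError(f"code={resp.get('code')} message={resp.get('message')}")
        result = resp["result"]
        rows.extend(result["content"])
        if page >= result["totalPages"]:
            return rows
        page += 1

def triage(rows):
    # Unreviewed rows (isChecked false, actionStatus "blank") whose process ran with EUID 0.
    return [r["detectionId"] for r in rows if not r.get("isChecked") and r.get("actionStatus") == "blank" and r.get("euid") == "0"]

def _page(idx, total, content):
    # Constructed sample page shaped like the page's response example (all values are made up).
    return {"success": True, "code": 0, "message": "success", "result": {
        "content": content, "totalCount": 3, "pageSize": 2, "pageIndex": idx, "totalPages": total}}

_PAGES = {
    1: _page(1, 2, [{"detectionId": "D1", "euid": "0", "isChecked": False, "actionStatus": "blank"},
                    {"detectionId": "D2", "euid": "1001", "isChecked": False, "actionStatus": "blank"}]),
    2: _page(2, 2, [{"detectionId": "D3", "euid": "0", "isChecked": True, "actionStatus": "done"}]),
}

def sample_post(headers, body_json):
    # Offline stand-in transport: serves the constructed page requested in the body, no network.
    assert headers["x-ncp-apigw-signature-v2"]  # the real gateway verifies this header
    return _PAGES[json.loads(body_json)["pageIndex"]]
```

To run it against the live endpoint, replace sample_post with a function that POSTs headers and body to https://wbd.apigw.ntruss.com/api/v1/detections and returns the parsed JSON.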