Canary project configuration
Used by actions: DescribeABTestConfig.
| Name | Type | Description |
|---|---|---|
| ProjectName | String | Canary project name |
| Status | Boolean | Valid values: true (in canary upgrade); false (not in canary upgrade). |
Container runtime security - Sub-policy information
Used by actions: AddEditAbnormalProcessRule, DescribeAbnormalProcessDetail, DescribeAbnormalProcessRuleDetail, DescribeAbnormalProcessRules.
| Name | Type | Required | Description |
|---|---|---|---|
| ProcessPath | String | Yes | Process path. |
| RuleMode | String | Yes | Policy mode: RULE_MODE_RELEASE: allow |
| CmdLine | String | No | Command line parameters. |
| RuleId | String | No | Sub-policy ID. |
| RuleLevel | String | No | Threat level: HIGH, MIDDLE, and LOW. |
Description of the abnormal container process event at runtime
Used by actions: DescribeAbnormalProcessDetail.
| Name | Type | Description |
|---|---|---|
| Description | String | Event rule |
| Solution | String | Solution |
| Remark | String | Event remark information |
| MatchRule | AbnormalProcessChildRuleInfo | Details of the hit rule |
| RuleName | String | Name of the hit rule. Valid values: PROXY_TOOL (proxy); TRANSFER_CONTROL (lateral movement); ATTACK_CMD (malicious command); REVERSE_SHELL (reverse shell); FILELESS (fileless execution); RISK_CMD (high-risk command); ABNORMAL_CHILD_PROC (unusual start found in the child process of the sensitive service); USER_DEFINED_RULE (custom rule). |
| RuleId | String | ID of the hit rule |
| OperationTime | String | Last Time for Event Handling |
| GroupName | String | Hit Policy Name: SYSTEM_DEFINED_RULE (System Policy) or Custom Policy Name |
Container runtime security - Information of the abnormal process
Used by actions: DescribeAbnormalProcessEvents.
| Name | Type | Description |
|---|---|---|
| ProcessPath | String | Process directory. |
| EventType | String | Event type. MALICE_PROCESS_START: malicious process startup. |
| MatchRuleName | String | Hit rule name. PROXY_TOOL: proxy software; TRANSFER_CONTROL: lateral movement; ATTACK_CMD: malicious command; REVERSE_SHELL: reverse shell; FILELESS: fileless execution; RISK_CMD: high-risk command; ABNORMAL_CHILD_PROC: abnormal child process startup of sensitive service; USER_DEFINED_RULE: user-defined rule |
| FoundTime | Timestamp | Generation time. |
| ContainerName | String | Container name. |
| ImageName | String | Image name. |
| Behavior | String | Action execution result: BEHAVIOR_NONE: none |
| Status | String | Status: EVENT_UNDEAL: event unhandled |
| Id | String | Unique ID of the event record. |
| ImageId | String | Image ID, used for redirection. |
| ContainerId | String | Container ID, used for redirection. |
| Solution | String | Event solution. |
| Description | String | Event detailed description. |
| MatchRuleId | String | Hit policy ID. |
| MatchAction | String | Hit rule action: |
| MatchProcessPath | String | Hit rule process information. |
| RuleExist | Boolean | Whether the rule exists. |
| EventCount | Integer | Number of events. |
| LatestFoundTime | Timestamp | Last generation time. |
| RuleId | String | Rule group ID. |
| MatchGroupName | String | Hit policy name: SYSTEM_DEFINED_RULE (system policy) or user-defined policy name. |
| MatchRuleLevel | String | Hit rule level: HIGH, MIDDLE, and LOW. |
| ContainerNetStatus | String | Network status |
| ContainerNetSubStatus | String | Container sub-status. |
| ContainerIsolateOperationSrc | String | Source of container isolation operation. |
| ContainerStatus | String | Container status. |
| ClusterID | String | Cluster ID. |
| NodeType | String | Node type: NORMAL (normal node) and SUPER (super node). |
| PodName | String | Pod name. |
| PodIP | String | Pod IP. |
| NodeUniqueID | String | Cluster ID. |
| PublicIP | String | Node public IP address. |
| NodeName | String | Node name. |
| NodeID | String | Node ID. |
| HostID | String | UUID |
| HostIP | String | Node private IP address. |
| ClusterName | String | Cluster name. |
| CmdLine | String | Command line parameters. |
Trend of pending abnormal process events
Used by actions: DescribeAbnormalProcessEventTendency.
| Name | Type | Description |
|---|---|---|
| Date | Date | Date |
| ProxyToolEventCount | Integer | Number of pending proxy events |
| TransferControlEventCount | Integer | Number of pending lateral movement events |
| AttackCmdEventCount | Integer | Number of pending malicious command events |
| ReverseShellEventCount | Integer | Number of pending reverse shell events |
| FilelessEventCount | Integer | Number of pending fileless execution events |
| RiskCmdEventCount | Integer | Number of pending high-risk command events |
| AbnormalChildProcessEventCount | Integer | Number of pending events of unusual startups found in the child process of the sensitive service |
| UserDefinedRuleEventCount | Integer | Number of pending custom rule events |
Abnormal process policy list extension (standalone flat structure with rule content and execution action)
Used by actions: DescribeAbnormalProcessRules.
| Name | Type | Description |
|---|---|---|
| ChildRules | Array of AbnormalProcessChildRuleInfo | Sub-rule list of the user-defined policy. Has a value when IsDefault=false. Note: This field may return null, indicating that no valid values can be obtained. |
| EditUserName | String | Edit username |
| EffectImageCount | Integer | Policy enforcement image count |
| IsDefault | Boolean | true: default policy, false: custom policy |
| IsGlobal | Boolean | Whether the rule applies to all images. true indicates it takes effect on all images. |
| IsEnable | Boolean | true: Policy activation, false: Policy deactivation |
| RuleActions | Array of String | Deduplicated list of all execution actions in the rule group. RULE_MODE_ALERT: Alert; RULE_MODE_HOLDUP: Block. Note: This field may return null, indicating that no valid values can be obtained. |
| RuleId | String | Policy ID |
| RuleName | String | Policy name |
| SystemChildRules | Array of AbnormalProcessSystemChildRuleInfo | Sub-rule list of system policy. Has value when IsDefault=true. Note: This field may return null, indicating that no valid values can be obtained. |
| UpdateTime | String | Policy update time. May be empty. |
Runtime security - Abnormal process detection policy
Used by actions: AddEditAbnormalProcessRule, DescribeAbnormalProcessRuleDetail.
| Name | Type | Required | Description |
|---|---|---|---|
| ChildRules | Array of AbnormalProcessChildRuleInfo | Yes | Array of sub-policies of the user policy |
| ImageIds | Array of String | Yes | IDs of associated images. An empty array indicates all images. |
| IsEnable | Boolean | Yes | Valid values: true (enabled); false (disabled). |
| RuleName | String | Yes | Policy name |
| IsDefault | Boolean | No | Whether it is the default preset policy |
| IsGlobal | Boolean | No | Whether the rule applies to all images. true indicates it takes effect on all images. |
| RuleId | String | No | Policy ID |
| SystemChildRules | Array of AbnormalProcessSystemChildRuleInfo | No | Array of sub-policies of the preset policy |
Information of the sub-policy of the preset policy for abnormal processes
Used by actions: AddEditAbnormalProcessRule, DescribeAbnormalProcessRuleDetail, DescribeAbnormalProcessRules.
| Name | Type | Required | Description |
|---|---|---|---|
| IsEnable | Boolean | Yes | Sub-policy status. Valid values: true (enabled); false (disabled). |
| RuleId | String | Yes | Sub-policy ID |
| RuleMode | String | Yes | Policy mode. RULE_MODE_RELEASE: Allow. RULE_MODE_ALERT: Alert. RULE_MODE_HOLDUP: Block. |
| RuleType | String | Yes | Behavior type detected by the sub-policy. PROXY_TOOL: Proxy. TRANSFER_CONTROL: Lateral movement. ATTACK_CMD: Malicious command. REVERSE_SHELL: Reverse shell. FILELESS: Fileless execution. RISK_CMD: High-risk command. ABNORMAL_CHILD_PROC: Unusual start found in the child process of the sensitive service. |
| RuleLevel | String | No | Threat Level. HIGH: High; MIDDLE: Medium; LOW: Low |
Container runtime security - Information of the access control sub-policy
Used by actions: AddEditAccessControlRule, DescribeAccessControlDetail, DescribeAccessControlRuleDetail, DescribeAccessControlRules.
| Name | Type | Required | Description |
|---|---|---|---|
| ProcessPath | String | Yes | Process path. |
| RuleMode | String | Yes | Policy mode: RULE_MODE_RELEASE: allow |
| TargetFilePath | String | Yes | Accessed file path, only effective during access control. |
| CmdLine | String | No | Command line parameters. |
| RuleId | String | No | Sub-policy ID. |
Description of the container access control event at runtime
Used by actions: DescribeAccessControlDetail.
| Name | Type | Description |
|---|---|---|
| Description | String | Event rule |
| Solution | String | Solution |
| Remark | String | Event remark information |
| MatchRule | AccessControlChildRuleInfo | Details of the hit rule |
| RuleName | String | Name of the hit rule |
| RuleId | String | ID of the hit rule |
| OperationTime | String | Last Time for Event Handling |
Container runtime security - Information of the access control event
Used by actions: DescribeAccessControlEvents.
| Name | Type | Description |
|---|---|---|
| ProcessName | String | Process name. |
| MatchRuleName | String | Hit rule name. |
| FoundTime | Timestamp | Generation time. |
| ContainerName | String | Container name. |
| ImageName | String | Image name. |
| Behavior | String | Action execution result: BEHAVIOR_NONE: none |
| Status | String | Status 0: unhandled "EVENT_UNDEAL": event unhandled |
| Id | String | Unique ID of the event record. |
| FileName | String | File name. |
| EventType | String | Event type. FILE_ABNORMAL_READ: abnormal file read. |
| ImageId | String | Image ID, used for redirection. |
| ContainerId | String | Container ID, used for redirection. |
| Solution | String | Event solution. |
| Description | String | Event detailed description. |
| MatchRuleId | String | Hit policy ID. |
| MatchAction | String | Hit rule action: |
| MatchProcessPath | String | Hit rule process information. |
| MatchFilePath | String | Hit rule file information. |
| FilePath | String | File path, including name. |
| RuleExist | Boolean | Whether the rule exists. |
| EventCount | Integer | Number of events. |
| LatestFoundTime | String | Last generation time. |
| RuleId | String | Rule group ID. |
| ContainerNetStatus | String | Network status |
| ContainerNetSubStatus | String | Container sub-status. |
| ContainerIsolateOperationSrc | String | Source of container isolation operation. |
| ContainerStatus | String | Container status. |
| NodeName | String | Node name: For super nodes, the node_id is displayed instead. |
| PodName | String | Pod name. |
| PodIP | String | Pod IP. |
| NodeType | String | Node type: NORMAL (normal node) and SUPER (super node). |
| ClusterID | String | Cluster ID. |
| NodeUniqueID | String | Unique node ID, primarily used for super nodes. |
| PublicIP | String | Node public IP address. |
| NodeID | String | Node ID. |
| HostID | String | UUID |
| HostIP | String | Node private IP address. |
| ClusterName | String | Cluster name. |
| CmdLine | String | Command line parameters. |
File tampering policy list extension (standalone flat structure with rule content and execution action)
Used by actions: DescribeAccessControlRules.
| Name | Type | Description |
|---|---|---|
| ChildRules | Array of AccessControlChildRuleInfo | Sub-rule list of the user-defined policy. Has a value when IsDefault=false. Note: This field may return null, indicating that no valid values can be obtained. |
| EditUserName | String | Edit username |
| EffectImageCount | Integer | Policy enforcement image count |
| IsDefault | Boolean | true: default policy, false: custom policy |
| IsGlobal | Boolean | Whether the rule applies to all images. true indicates it takes effect on all images. |
| IsEnable | Boolean | true: Policy activation, false: Policy deactivation |
| RuleActions | Array of String | Deduplicated list of all execution actions in the rule group. RULE_MODE_ALERT: Alert; RULE_MODE_HOLDUP: Block. Note: This field may return null, indicating that no valid values can be obtained. |
| RuleId | String | Policy ID |
| RuleName | String | Policy name |
| SystemChildRules | Array of AccessControlSystemChildRuleInfo | Sub-rule list of system policy. Has value when IsDefault=true. Note: This field may return null, indicating that no valid values can be obtained. |
| UpdateTime | String | Policy update time. May be empty. |
Container runtime - Access control policy information
Used by actions: AddEditAccessControlRule, DescribeAccessControlRuleDetail.
| Name | Type | Required | Description |
|---|---|---|---|
| ChildRules | Array of AccessControlChildRuleInfo | Yes | Array of sub-policies of the user policy |
| ImageIds | Array of String | Yes | IDs of associated images. An empty array indicates all images. |
| IsEnable | Boolean | Yes | Switch. Valid values: true (on); false (off). |
| RuleName | String | Yes | Policy name |
| IsDefault | Boolean | No | Whether it is the default preset policy |
| IsGlobal | Boolean | No | true: all images, false: specified images. When IsGlobal=true, ImageIds returns an empty array. |
| RuleId | String | No | Policy ID |
| SystemChildRules | Array of AccessControlSystemChildRuleInfo | No | Array of sub-policies of the preset policy |
Container runtime security - Information of the sub-policy of the preset access control policy
Used by actions: AddEditAccessControlRule, DescribeAccessControlRuleDetail, DescribeAccessControlRules.
| Name | Type | Required | Description |
|---|---|---|---|
| RuleId | String | Yes | Sub-policy ID |
| RuleMode | String | Yes | Policy mode. RULE_MODE_RELEASE: Allow. RULE_MODE_ALERT: Alert. RULE_MODE_HOLDUP: Block. |
| IsEnable | Boolean | Yes | Sub-policy status. Valid values: true (enabled); false (disabled). |
| RuleType | String | Yes | Intrusion behavior type detected by the sub-policy. CHANGE_CRONTAB: Tampering with the scheduled task. CHANGE_SYS_BIN: Tampering with the system program. CHANGE_USRCFG: Tampering with user configuration. |
Structure of the affected node type
Used by actions: DescribeAffectedNodeList.
| Name | Type | Required | Description |
|---|---|---|---|
| ClusterId | String | Yes | Cluster ID |
| ClusterName | String | Yes | Cluster name |
| InstanceId | String | Yes | Instance ID |
| PrivateIpAddresses | String | Yes | Private IP |
| InstanceRole | String | Yes | Node role, such as Master and Work. |
| ClusterVersion | String | Yes | K8s version |
| ContainerRuntime | String | Yes | Runtime component. Valid values: docker, containerd. |
| Region | String | Yes | Region |
| VerifyInfo | String | Yes | Verification information of the check result |
| NodeName | String | Yes | Node name |
Affected workload item in the cluster security check
Used by actions: DescribeAffectedWorkloadList.
| Name | Type | Required | Description |
|---|---|---|---|
| ClusterId | String | Yes | Cluster ID |
| ClusterName | String | Yes | Cluster name |
| WorkloadName | String | Yes | Workload name |
| WorkloadType | String | Yes | Workload type |
| Region | String | Yes | Region |
| VerifyInfo | String | Yes | Verification information of the check result |
List of clusters
Used by actions: DescribeAssetClusterList.
| Name | Type | Description |
|---|---|---|
| ClusterID | String | Cluster ID. |
| ClusterName | String | Cluster name. |
| Status | String | Cluster status |
| BindRuleID | String | ID of the bound cluster. Note: This field may return null, indicating that no valid values can be obtained. |
| BindRuleName | String | Binding rule name |
| ClusterType | String | ClusterType: |
| ClusterVersion | String | Cluster edition |
| MemLimit | Integer | Memory capacity |
| CpuLimit | Integer | CPU |
| ClusterAuditStatus | String | Cluster audit switch status: |
| AccessedStatus | String | Access status: |
TCSS
Key-value pair filter for conditional filtering queries, such as filter ID, name, and status
If more than one filter exists, the logical relationship between these filters is AND.
If multiple values exist in one filter, the logical relationship between these values is OR.
Used by actions: AddEditImageAutoAuthorizedRule, CreateAssetImageRegistryScanTask, CreateAssetImageScanTask, CreateAssetImageVirusExportJob, CreateComponentExportJob, CreateHostExportJob, CreateProcessEventsExportJob, CreateVulExportJob, DescribeAssetAppServiceList, DescribeAssetComponentList, DescribeAssetContainerList, DescribeAssetDBServiceList, DescribeAssetHostList, DescribeAssetImageHostList, DescribeAssetImageList, DescribeAssetImageRegistryList, DescribeAssetImageRegistryListExport, DescribeAssetImageRegistryRegistryList, DescribeAssetImageRegistryRiskInfoList, DescribeAssetImageRegistryRiskListExport, DescribeAssetImageRegistrySummary, DescribeAssetImageRegistryVirusList, DescribeAssetImageRegistryVirusListExport, DescribeAssetImageRegistryVulList, DescribeAssetImageRegistryVulListExport, DescribeAssetImageRiskList, DescribeAssetImageRiskListExport, DescribeAssetImageSimpleList, DescribeAssetImageVirusList, DescribeAssetImageVirusListExport, DescribeAssetImageVulList, DescribeAssetImageVulListExport, DescribeAssetPortList, DescribeAssetProcessList, DescribeAssetWebServiceList, DescribeImageAutoAuthorizedLogList, DescribeImageAutoAuthorizedTaskList, DescribeImageComponentList, DescribeImageRegistryNamespaceList, DescribeVulRegistryImageList, ModifyAssetImageRegistryScanStop, ModifyAssetImageScanStop, ModifyImageAuthorized.
| Name | Type | Required | Description |
|---|---|---|---|
| Name | String | Yes | Filter name |
| Values | Array of String | Yes | One or more filter values |
| ExactMatch | Boolean | No | Whether to use fuzzy query |
Brief information of the image
Used by actions: DescribeAssetImageSimpleList.
| Name | Type | Description |
|---|---|---|
| ImageID | String | Image ID |
| ImageName | String | Image name |
| ContainerCnt | Integer | Number of associated containers |
| ScanTime | String | Last scan time |
| Size | Integer | Image size |
Result of the automatic image licensing
Used by actions: DescribeImageAutoAuthorizedLogList.
| Name | Type | Description |
|---|---|---|
| ImageId | String | Image ID |
| ImageName | String | Image name |
| AuthorizedTime | String | Licensing time |
| Status | String | Licensing result. Valid values: SUCCESS (success); REACH_LIMIT (reaching the upper limit on licenses); LICENSE_INSUFFICIENT (insufficient licenses). |
| IsAuthorized | Integer | Whether it is licensed. Valid values: 1 (yes); 0 (no). |
List of servers licensed based on the automatic image licensing rule
Used by actions: DescribeAutoAuthorizedRuleHost.
| Name | Type | Description |
|---|---|---|
| HostID | String | Server ID |
| HostIP | String | Server IP, which is the private IP |
| HostName | String | Server name |
| ImageCnt | Integer | Number of images |
| ContainerCnt | Integer | Number of containers |
| PublicIp | String | Public IP |
| InstanceID | String | Server instance ID |
| MachineType | String | Server source. Valid values: CVM, ECM, LH, BM, Other. The first four values indicate Tencent Cloud instances, while the last one indicates non-Tencent Cloud instances. |
| DockerVersion | String | Docker version |
| Status | String | Agent status |
Optional information of the security log Kafka
Used by actions: DescribeSecLogDeliveryKafkaOptions.
| Name | Type | Required | Description |
|---|---|---|---|
| InstanceID | String | No | Instance ID. |
| InstanceName | String | No | Instance name. |
| TopicList | Array of CKafkaTopicInfo | No | Topic list |
| RouteList | Array of CkafkaRouteInfo | No | Routing List |
| KafkaVersion | String | No | Kafka Version Number |
CKafka topic information
Used by actions: DescribeSecLogDeliveryKafkaOptions.
| Name | Type | Required | Description |
|---|---|---|---|
| TopicID | String | Yes | Topic ID |
| TopicName | String | Yes | Topic name |
Ckafka route detail
Used by actions: DescribeSecLogDeliveryKafkaOptions.
| Name | Type | Required | Description |
|---|---|---|---|
| RouteID | Integer | No | Routing ID |
| Domain | String | No | Domain name |
| DomainPort | Integer | No | Domain Port |
| Vip | String | No | Virtual IP |
| VipType | Integer | No | Virtual IP Type |
| AccessType | Integer | No | Access type. 0: PLAINTEXT (plaintext mode, no user information included, supported by older versions and community edition); 1: SASL_PLAINTEXT (plaintext mode, but login authentication with SASL is performed at the start of data transmission; only supported by community version); 2: SSL (SSL encrypted communication, no user information included, supported by older versions and community edition); 3: SASL_SSL (SSL encrypted communication, with SASL login authentication performed when data transmission starts; only supported by community version). |
CLS logset information
Used by actions: DescribeSecLogDeliveryClsOptions.
| Name | Type | Required | Description |
|---|---|---|---|
| LogsetID | String | Yes | Logset ID |
| LogsetName | String | No | Logset name |
| TopicList | Array of ClsTopicInfo | No | CLS Topic List |
CLS topic information
Used by actions: DescribeSecLogDeliveryClsOptions.
| Name | Type | Required | Description |
|---|---|---|---|
| TopicID | String | No | Topic ID |
| TopicName | String | No | Topic name |
Details of a cluster security check item
Used by actions: DescribeCheckItemList, DescribeRiskList.
| Name | Type | Description |
|---|---|---|
| CheckItemId | Integer | Unique Check Item ID |
| Name | String | Name of the risk item |
| ItemDetail | String | Check Item Details |
| RiskLevel | String | Threat Level: Serious, High, Medium, Hint |
| RiskTarget | String | Check Object and Risk Object: Runc, Kubelet, Containerd, and Pods |
| RiskType | String | Risk Category. CVERisk: Vulnerability Risk; ConfigRisk: Configuration Risk |
| RiskAttribute | String | Risk type of the check item. PrivilegePromotion: privilege escalation; RefuseService: denial of service; DirectoryEscape: directory traversal; UnauthorizedAccess: unauthorized access; PrivilegeAndAccessControl: permission and access control issues; SensitiveInfoLeak: sensitive information leakage. |
| RiskProperty | String | Risk characteristic tags. ExistEXP: with EXP; ExistPOC: with POC; NoNeedReboot: no need to reboot; ServerRestart: service restart; RemoteInfoLeak: remote information leakage; RemoteRefuseService: remote denial of service; RemoteExploit: remote exploitation; RemoteExecute: remote execution. |
| CVENumber | String | CVE id |
| DiscoverTime | String | Disclosure time |
| Solution | String | Solution |
| CVSS | String | CVSS Information, Used for Drawing |
| CVSSScore | String | CVSS score |
| RelateLink | String | Reference link |
| AffectedType | String | Impact Type: Node or Workload |
| AffectedVersion | String | Affected Version Information |
| IgnoredAssetNum | Integer | Number of Ignored Assets |
| IsIgnored | Boolean | Whether to Ignore the Check Item |
| RiskAssessment | String | Affected Critique |
Input parameters for a cluster check task
Used by actions: CreateClusterCheckTask.
| Name | Type | Required | Description |
|---|---|---|---|
| ClusterId | String | Yes | ID of the specified cluster to be scanned |
| ClusterRegion | String | Yes | Cluster region |
| NodeIp | String | No | IP of the specified node to be scanned |
| WorkloadName | String | No | Name of the specified workload to be scanned |
Input parameters for CreateCheckComponent, which are used to batch install defenders.
Used by actions: CreateCheckComponent.
| Name | Type | Required | Description |
|---|---|---|---|
| ClusterId | String | Yes | ID of the cluster for which to install the component |
| ClusterRegion | String | Yes | Cluster region |
Custom parameters of the cluster
Used by actions: DescribeAgentDaemonSetCmd.
| Name | Type | Required | Description |
|---|---|---|---|
| Name | String | Yes | Parameter name |
| Values | Array of String | Yes | Parameter value |
Response parameters structure of the cluster asset
Used by actions: DescribeUserCluster.
| Name | Type | Description |
|---|---|---|
| ClusterId | String | Cluster ID |
| ClusterName | String | Cluster name |
| ClusterVersion | String | Cluster version |
| ClusterOs | String | Cluster OS |
| ClusterType | String | Cluster type |
| ClusterNodeNum | Integer | Number of nodes in the cluster |
| Region | String | Cluster region |
| DefenderStatus | String | Protection status: Defended; Unprotected; Partially defended. |
| ClusterStatus | String | Cluster status |
| ClusterSubStatus | String | Cluster operation sub-status. |
| ClusterCheckMode | String | Cluster check mode. Valid values: Cluster_Normal, Cluster_Actived. |
| ClusterAutoCheck | Boolean | Whether automatic and regular check is enabled |
| DefenderErrorReason | String | Cause of the failure to deploy the defender. When it is UserDaemonSetNotReady, UnreadyNodeNum is changed to "The defenders on N nodes are ready". If it is another value, the error message is directly displayed. |
| UnreadyNodeNum | Integer | Number of nodes where the defender is not ready |
| SeriousRiskCount | Integer | Number of critical check items |
| HighRiskCount | Integer | Number of high-risk check items |
| MiddleRiskCount | Integer | Number of medium-risk check items |
| HintRiskCount | Integer | Number of prompt-risk check items |
| CheckFailReason | String | Check failure cause |
| CheckStatus | String | Check status. Valid values: Task_Running, NoRisk, HasRisk, Uncheck, Task_Error. |
| TaskCreateTime | String | Task creation time and check time |
| AccessedStatus | String | Access status. Not connected; Defended; Unprotected: AccessedInstalled; Partial protection: AccessedPartialDefence; Access exception: AccessedException; Uninstallation exception: AccessedUninstallException; ACCESSING: installing; Uninstalling: AccessedUninstalling. |
| AccessedSubStatus | String | Reason for Access Failure |
| AccessedErrorReason | String | Access/Uninstallation failure reason. |
| NodeCount | Integer | Total number of nodes |
| OffLineNodeCount | Integer | Offline Node Count |
| UnInstallAgentNodeCount | Integer | Number of Nodes Without Agent Installed |
| ChargeCoresCnt | Integer | Number of billing cores (elastic billing cores + regular billing cores). |
| MasterAddresses | Array of String | |
| CoresCnt | Integer | |
| ClusterAuditStatus | String | Cluster audit switch status: Closed / Closing / CloseFailed / Opened / Opening / OpenFailed |
| ClusterAuditFailedInfo | String | Information on the failure to enable/disable cluster audit. |
| OwnerName | String | Owner name. |
A risk item is a check item with an issue found in the check, with certain information of the check result.
Used by actions: DescribeRiskList.
| Name | Type | Description |
|---|---|---|
| CheckItem | ClusterCheckItem | Check item information |
| VerifyInfo | String | Verification information |
| ErrorMessage | String | Event description and check error message |
| AffectedClusterCount | Integer | Number of affected clusters |
| AffectedNodeCount | Integer | Number of affected nodes |
Information of the asset affected by the check item
Used by actions: DescribeCompliancePolicyItemAffectedAssetList.
| Name | Type | Description |
|---|---|---|
| CustomerAssetId | Integer | Unique asset item ID allocated to the customer. |
| AssetName | String | Asset item name. |
| AssetType | String | Asset item type. |
| CheckStatus | String | Check status. CHECK_INIT: pending check; CHECK_RUNNING: checking; CHECK_FINISHED: check completed; CHECK_FAILED: check failed. |
| NodeName | String | Node name. |
| LastCheckTime | String | Last check time in the format of YYYY-MM-DD HH:MM:SS. If never checked, this field will be 0000-00-00 00:00:00. |
| CheckResult | String | Check result. Valid values: RESULT_FAILED: failed; RESULT_PASSED: passed. |
| HostIP | String | Host IP address. |
| ImageTag | String | Image tag. |
| VerifyInfo | String | Check item verification information. |
| InstanceId | String | Host instance ID. |
| ImageRegistryInfo | ImageRegistryInfo | Image repository information. |
| ClusterID | String | Cluster ID. |
| ClusterName | String | Cluster name. |
| AssetUniqueID | String | Unique asset ID. Default value: - |
Asset details
Used by actions: DescribeComplianceAssetDetailInfo.
| Name | Type | Description |
|---|---|---|
| CustomerAssetId | Integer | Customer asset ID |
| AssetType | String | Asset type |
| AssetName | String | Asset name |
| NodeName | String | Node name of the asset |
| HostName | String | Server name of the asset |
| HostIP | String | Server IP of the asset |
| CheckStatus | String | Check status. CHECK_INIT: To be checked. CHECK_RUNNING: Checking. CHECK_FINISHED: Checked. CHECK_FAILED: Check failed. |
| PassedPolicyItemCount | Integer | Number of check items that the asset passed |
| FailedPolicyItemCount | Integer | Number of check items that the asset failed |
| LastCheckTime | Timestamp | Last detection time. |
| CheckResult | String | Detection result: RESULT_FAILED: failed. RESULT_PASSED: Passed. |
| AssetStatus | String | Asset status |
| AssetCreateTime | Timestamp | Asset creation time. ASSET_NORMAL: Running. ASSET_PAUSED: Suspended. ASSET_STOPPED: Stopped. ASSET_ABNORMAL: Abnormal. |
Asset information
Used by actions: DescribeComplianceAssetList.
| Name | Type | Description |
|---|---|---|
| CustomerAssetId | Integer | Customer asset ID. |
| AssetType | String | Asset category. |
| AssetName | String | Asset name. |
| ImageTag | String | When the asset is an image, this field represents the image tag. |
| HostIP | String | The host IP address where the asset is located. |
| NodeName | String | Name of the node to which the asset belongs. |
| CheckStatus | String | Check status. CHECK_INIT: pending check; CHECK_RUNNING: checking; CHECK_FINISHED: check completed; CHECK_FAILED: check failed. |
| PassedPolicyItemCount | Integer | Number of check items passed by this type of asset. |
| FailedPolicyItemCount | Integer | Number of check items failed by this type of asset. |
| LastCheckTime | Timestamp | Last check time. |
| CheckResult | String | Check result: |
| InstanceId | String | Host node instance ID. |
| ImageRegistryInfo | ImageRegistryInfo | Image repository information. |
| ClusterID | String | Cluster ID. |
| ClusterName | String | Cluster name. |
| AssetUniqueID | String | Unique asset ID. Default value: - |
Information of a check item
Used by actions: DescribeComplianceAssetPolicyItemList.
| Name | Type | Description |
|---|---|---|
| CustomerPolicyItemId | Integer | Unique ID of the customer check item |
| BasePolicyItemId | Integer | Original ID of the check item |
| Name | String | Check item name |
| Category | String | Category of the check item |
| BenchmarkStandardId | Integer | Compliance standard ID |
| BenchmarkStandardName | String | Compliance standard name |
| RiskLevel | String | Severity |
| CheckStatus | String | Check status. CHECK_INIT: To be checked. CHECK_RUNNING: Checking. CHECK_FINISHED: Checked. CHECK_FAILED: Check failed. |
| CheckResult | String | Detection result. RESULT_PASSED: Passed. RESULT_FAILED: Failed. |
| WhitelistId | Integer | ID of the allowlist item corresponding to the detection item. If it exists and is not 0, it means the detection item is ignored by the user. |
| FixSuggestion | String | Handling suggestion |
| LastCheckTime | String | Last detection time. |
| VerifyInfo | String | Verification information |
List of asset IDs and check item IDs
Used by actions: AddComplianceAssetPolicySetToWhitelist.
| Name | Type | Required | Description |
|---|---|---|---|
| CustomerAssetItemId | Integer | Yes | Asset ID |
| CustomerPolicyItemIdSet | Array of Integer | No | List of IDs of check items to be ignored in the specified asset. If it is empty, it indicates all. |
Asset overview
Used by actions: DescribeComplianceTaskAssetSummary.
| Name | Type | Description |
|---|---|---|
| AssetType | String | Asset type |
| IsCustomerFirstCheck | Boolean | Whether it is the first check. This parameter is used together with CheckStatus. |
| CheckStatus | String | Check status. CHECK_UNINIT: Feature not enabled. CHECK_INIT: To be checked. CHECK_RUNNING: Checking. CHECK_FINISHED: Checked. CHECK_FAILED: Check failed. |
| CheckProgress | Float | Detection progress of this category, a number between 0 and 100. The field is absent when no check is in progress. |
| PassedPolicyItemCount | Integer | Number of check items that the asset passed |
| FailedPolicyItemCount | Integer | Number of check items that the asset failed |
| FailedCriticalPolicyItemCount | Integer | Number of critical check items that the asset failed |
| FailedHighRiskPolicyItemCount | Integer | Number of high-risk check items that the asset failed |
| FailedMediumRiskPolicyItemCount | Integer | Number of medium-risk check items that the asset failed |
| FailedLowRiskPolicyItemCount | Integer | Number of low-risk check items that the asset failed |
| NoticePolicyItemCount | Integer | Number of prompt check items of the asset |
| PassedAssetCount | Integer | Number of assets that passed the check |
| FailedAssetCount | Integer | Number of assets that failed the check |
| AssetPassedRate | Float | Asset compliance rate. Value range: 0-100. |
| ScanFailedAssetCount | Integer | Number of assets that failed the check |
| CheckCostTime | Float | Time taken for last detection, in seconds. |
| LastCheckTime | Timestamp | Last detection time. |
| PeriodRule | CompliancePeriodTaskRule | Scheduled check rule |
| OpenPolicyItemCount | Integer | Total Number of Enabled Check Items |
| IgnoredPolicyItemCount | Integer | Total Number of Ignored Check Items |
| TotalPolicyItemCount | Integer | Total number of detection items. |
| DetectHostCount | Integer | Detection hosts |
| LeftTime | Integer | Remaining time of the current task, in seconds. |
Information of a compliance standard
Used by actions: DescribeCompliancePeriodTaskList.
| Name | Type | Description |
|---|---|---|
| StandardId | Integer | Compliance standard ID |
| Name | String | Compliance standard name |
| PolicyItemCount | Integer | Number of items contained in the compliance standard |
| Enabled | Boolean | Whether to enable the standard |
| Description | String | Description of the standard |
Whether to enable the compliance standard
Used by actions: ModifyCompliancePeriodTask.
| Name | Type | Required | Description |
|---|---|---|---|
| StandardId | Integer | Yes | Compliance standard ID |
| Enable | Boolean | Yes | Whether to enable the compliance standard |
Container asset details
Used by actions: DescribeComplianceAssetDetailInfo.
| Name | Type | Description |
|---|---|---|
| ContainerId | String | Container ID on the server |
| PodName | String | Name of the Pod the container belongs to. |
Key-value pair filter for conditional filtering queries, such as filter ID, name, and status. If more than one filter exists, the logical relationship between these filters is AND. If multiple values exist in one filter, the logical relationship between these values is OR.
Used by actions: DescribeAffectedNodeList, DescribeAffectedWorkloadList, DescribeCheckItemList, DescribeComplianceAssetList, DescribeComplianceAssetPolicyItemList, DescribeCompliancePolicyItemAffectedAssetList, DescribeComplianceScanFailedAssetList, DescribeComplianceTaskPolicyItemSummaryList, DescribeComplianceWhitelistItemList, DescribeNetworkFirewallAuditRecord, DescribeNetworkFirewallClusterList, DescribeNetworkFirewallNamespaceLabelList, DescribeNetworkFirewallPodLabelsList, DescribeNetworkFirewallPolicyList, DescribeRiskList, DescribeUserCluster.
| Name | Type | Required | Description |
|---|---|---|---|
| Name | String | Yes | Filter name |
| Values | Array of String | Yes | One or more filter values |
| ExactMatch | Boolean | No | Whether to use fuzzy query. Default value: true. |
Server asset details
Used by actions: DescribeComplianceAssetDetailInfo.
| Name | Type | Description |
|---|---|---|
| DockerVersion | String | Docker version on the host. |
| K8SVersion | String | K8S version on the host. |
| ContainerdVersion | String | Containerd Version on Host |
Image asset details
Used by actions: DescribeComplianceAssetDetailInfo.
| Name | Type | Description |
|---|---|---|
| ImageId | String | Image ID on the server |
| ImageName | String | Image name |
| ImageTag | String | Image tag |
| Repository | String | Path of the remote repository where the image resides. |
K8s asset details
Used by actions: DescribeComplianceAssetDetailInfo.
| Name | Type | Description |
|---|---|---|
| ClusterName | String | Name of the K8S cluster. |
| ClusterVersion | String | Kubernetes Cluster Version |
Information of a scheduled task of the compliance baseline check
Used by actions: DescribeCompliancePeriodTaskList.
| Name | Type | Description |
|---|---|---|
| PeriodTaskId | Integer | Scheduled task ID |
| AssetType | String | Asset type. ASSET_CONTAINER: Container. ASSET_IMAGE: Image. ASSET_HOST: Server. ASSET_K8S: K8s asset. |
| LastTriggerTime | Timestamp | Last trigger time |
| TotalPolicyItemCount | Integer | Total number of check items |
| PeriodRule | CompliancePeriodTaskRule | Cycle settings |
| BenchmarkStandardSet | Array of ComplianceBenchmarkStandard | List of compliance standards |
Cycle of a scheduled task
Used by actions: DescribeCompliancePeriodTaskList, DescribeComplianceTaskAssetSummary, ModifyCompliancePeriodTask.
| Name | Type | Required | Description |
|---|---|---|---|
| Frequency | Integer | Yes | Execution frequency (days). Valid values: 1, 3, 7. |
| ExecutionTime | String | Yes | Execution time in the format of "HH:mm:SS" |
| Enable | Boolean | No | Whether enabled |
List of check item IDs and asset IDs
Used by actions: DeleteCompliancePolicyAssetSetFromWhitelist.
| Name | Type | Required | Description |
|---|---|---|---|
| CustomerPolicyItemId | Integer | Yes | Check item ID |
| CustomerAssetItemIdSet | Array of Integer | No | List of IDs of assets to be ignored in the specified check item. If it is empty, it indicates all. |
Aggregated information of a check item
Used by actions: DescribeCompliancePolicyItemAffectedSummary, DescribeComplianceTaskPolicyItemSummaryList.
| Name | Type | Description |
|---|---|---|
| CustomerPolicyItemId | Integer | Unique ID of the customer check item |
| BasePolicyItemId | Integer | Original ID of the check item |
| Name | String | Check item name |
| Category | String | Category of the check item, which is an enumerated string. |
| BenchmarkStandardName | String | Compliance standard |
| RiskLevel | String | Severity. Valid values: RISK_CRITICAL, RISK_HIGH, RISK_MEDIUM, RISK_LOW, RISK_NOTICE. |
| AssetType | String | Asset type of the check item |
| LastCheckTime | Timestamp | Last detection time |
| CheckStatus | String | Check status. CHECK_INIT: To be checked. CHECK_RUNNING: Checking. CHECK_FINISHED: Checked. CHECK_FAILED: Check failed. |
| CheckResult | String | Detection result. RESULT_PASSED: Passed. RESULT_FAILED: Failed. |
| PassedAssetCount | Integer | Number of assets passed detection |
| FailedAssetCount | Integer | Number of assets with detection failed |
| WhitelistId | Integer | ID of the allowlist item corresponding to the detection item. If it exists and is not 0, it means the detection item is ignored by the user. |
| FixSuggestion | String | Handling suggestion |
| BenchmarkStandardId | Integer | Compliance standard ID |
| ApplicableVersion | String | Applicable Version for Check Items |
| Description | String | Check Item Description |
| AuditProcedure | String | Check Item Audit Method |
| IsEnable | Integer | Whether enabled |
Information of the asset that failed the check
Used by actions: DescribeComplianceScanFailedAssetList.
| Name | Type | Description |
|---|---|---|
| CustomerAssetId | Integer | Customer asset ID |
| AssetType | String | Asset type |
| CheckStatus | String | Check status. CHECK_INIT: To be checked. CHECK_RUNNING: Checking. CHECK_FINISHED: Checked. CHECK_FAILED: Check failed. |
| AssetName | String | Asset name |
| FailureReason | String | Cause of the asset check failure |
| Suggestion | String | Suggestion for handling the check failure |
| CheckTime | Timestamp | Check time |
Allowed item
Used by actions: DescribeComplianceWhitelistItemList.
| Name | Type | Description |
|---|---|---|
| WhitelistItemId | Integer | Allowed item ID |
| CustomerPolicyItemId | Integer | ID of the customer check item |
| Name | String | Check item name |
| StandardName | String | Compliance standard name |
| StandardId | Integer | Compliance standard ID |
| AffectedAssetCount | Integer | Number of assets affected by the check item |
| LastUpdateTime | Timestamp | Last update time |
| InsertTime | Timestamp | Allowed time |
Container component information
Used by actions: DescribeAssetComponentList.
| Name | Type | Description |
|---|---|---|
| Name | String | Name |
| Version | String | Version |
Component information
Used by actions: DescribeAssetImageRegistryVulList.
| Name | Type | Description |
|---|---|---|
| Version | String | Component version information |
| FixedVersion | String | Repairable Version |
| Path | String | Path. |
| Type | String | Type. |
| Name | String | Component name |
Used by actions: AddAssetImageRegistryRegistryDetail, UpdateAssetImageRegistryRegistryDetail.
| Name | Type | Required | Description |
|---|---|---|---|
| Quuid | String | No | |
| Uuid | String | No | |
List of containers
Used by actions: DescribeAssetContainerList.
| Name | Type | Description |
|---|---|---|
| ContainerID | String | Container ID |
| ContainerName | String | Container name |
| Status | String | Container status |
| CreateTime | String | Creation time |
| RunAs | String | Operator |
| Cmd | String | Command line |
| CPUUsage | Integer | CPU utilization * 1000 |
| RamUsage | Integer | Memory usage in KB |
| ImageName | String | Image name |
| ImageID | String | Image ID |
| POD | String | Image ID |
| HostID | String | Server ID |
| HostIP | String | Server IP |
| UpdateTime | String | Update time |
| HostName | String | Server name |
| PublicIp | String | Public IP |
| NetStatus | String | Network status. NORMAL: Not isolated. ISOLATED: Isolated. ISOLATING: Isolating. ISOLATE_FAILED: Isolation failed. RESTORING: Recovering. RESTORE_FAILED: Recovery failed. |
| NetSubStatus | String | Sub-status of the network |
| IsolateSource | String | Isolate source |
| IsolateTime | String | Isolation time |
| NodeID | String | Super node ID |
| PodIP | String | Pod IP |
| PodName | String | Pod name |
| NodeType | String | Node type. Valid values: NORMAL (general node), SUPER (super node) |
| NodeUniqueID | String | UID of the super node |
| PodCpu | Integer | Number of CPU cores used by the pod |
| PodMem | Integer | Memory specification of the Pod |
| ClusterName | String | |
| ClusterID | String | |
| PodUid | String | Pod UID |
Container mount information
Used by actions: DescribeAssetContainerDetail.
| Name | Type | Description |
|---|---|---|
| Type | String | Mount type: bind. |
| Source | String | Host path |
| Destination | String | Path in the container |
| Mode | String | Mode |
| RW | Boolean | Read/Write permission |
| Propagation | String | Propagation type |
| Name | String | Name |
| Driver | String | Driver |
Container network information
Used by actions: DescribeAssetContainerDetail.
| Name | Type | Description |
|---|---|---|
| EndpointID | String | Endpoint ID |
| Mode | String | Mode: bridge. |
| Name | String | Network name |
| NetworkID | String | Network ID |
| Gateway | String | Gateway |
| Ipv4 | String | IPv4 address |
| Ipv6 | String | IPv6 address |
| MAC | String | MAC address |
List of emergency vulnerabilities
Used by actions: DescribeEmergencyVulList.
| Name | Type | Description |
|---|---|---|
| Name | String | Vulnerability name |
| Tags | Array of String | Vulnerability tag |
| CVSSV3Score | Float | CVSS V3 score |
| Level | String | Risk level |
| CVEID | String | CVE No. |
| Category | String | Vulnerability type |
| SubmitTime | String | Vulnerability disclosure time |
| LatestFoundTime | String | Last discovery time |
| Status | String | Emergency vulnerability risk information. Valid values: NOT_SCAN (not scanned); SCANNING (scanning); SCANNED_NOT_RISK (scanned and at no risk); SCANNED_RISK (scanned and at risk). |
| ID | Integer | Vulnerability ID |
| PocID | String | POC ID |
| DefenceStatus | String | Defense Status. NO_DEFENDED: Not Defended; DEFENDED: Defended |
| DefenceScope | String | Vulnerability Defense Host Range. MANUAL: Selected Host Nodes; ALL: All |
| DefenceHostCount | Integer | Number of Hosts Defended Against Vulnerabilities |
| DefendedCount | Integer | Number of Attacks Defended |
Description of the container escape event at runtime
Used by actions: DescribeEscapeEventDetail.
| Name | Type | Description |
|---|---|---|
| Description | String | Event rule |
| Solution | String | Solution |
| Remark | String | Event remark information |
| OperationTime | String | Last Time for Event Handling |
List of container escape events
Used by actions: DescribeEscapeEventInfo.
| Name | Type | Description |
|---|---|---|
| EventType | String | Event type. ESCAPE_CGROUPS: Cgroup escape. ESCAPE_TAMPER_SENSITIVE_FILE: File tamper escape. ESCAPE_DOCKER_API: Docker API access escape. ESCAPE_VUL_OCCURRED: Vulnerability exploit. MOUNT_SENSITIVE_PTAH: Sensitive path mount. PRIVILEGE_CONTAINER_START: Privileged container. PRIVILEGE: Program privilege escalation escape. |
| ContainerName | String | Container name |
| ImageName | String | Image name |
| Status | String | Status. Valid values: EVENT_UNDEAL (pending); EVENT_DEALED (processed); EVENT_INGNORE (ignored). |
| EventId | String | Unique event ID |
| NodeName | String | Node name |
| PodName | String | Pod (instance) name |
| FoundTime | Timestamp | Generation time |
| EventName | String | Event name. Valid values: Host file access escape; Syscall escape; Mount namespace escape; Program privilege escalation escape; Privileged container startup escape; Sensitive path mount. |
| ImageId | String | Image ID, which is used for redirect. |
| ContainerId | String | Container ID, which is used for redirect. |
| Solution | String | Event solution |
| Description | String | Event description |
| EventCount | Integer | Number of events |
| LatestFoundTime | Timestamp | Last generation time |
| NodeIP | String | Node IP |
| HostID | String | Host IP address |
| ContainerNetStatus | String | Network status. NORMAL: Unisolated. ISOLATED: Isolated. ISOLATE_FAILED: Isolation failed. RESTORING: Isolation being restored. RESTORE_FAILED: Isolation restoration failed. |
| ContainerNetSubStatus | String | Container sub-status. Valid values: AGENT_OFFLINE; NODE_DESTROYED; CONTAINER_EXITED; CONTAINER_DESTROYED; SHARED_HOST (container shares network with host); RESOURCE_LIMIT; UNKNOW (unknown). |
| ContainerIsolateOperationSrc | String | Container Isolation Operation Source |
| ContainerStatus | String | Container status. RUNNING: Running. PAUSED: Paused. STOPPED: Stopped. CREATED: Created. DESTROYED: Terminated. RESTARTING: Restarting. REMOVING: Removing. |
| ClusterID | String | ID of the cluster where the node resides |
| NodeType | String | Node type. Values: NORMAL (general node), SUPER (super node). |
| PodIP | String | Pod IP |
| NodeUniqueID | String | Unique node ID |
| PublicIP | String | Node public IP |
| NodeID | String | Node ID |
| HostIP | String | Private IP of the node |
| ClusterName | String | Cluster name |
Trend of pending escape events
Used by actions: DescribeEscapeEventTendency.
| Name | Type | Description |
|---|---|---|
| RiskContainerEventCount | Integer | Total number of pending containers at risk |
| ProcessPrivilegeEventCount | Integer | Total number of pending program privilege escalation events |
| ContainerEscapeEventCount | Integer | Total number of pending container escape events |
| Date | Date | Date |
Enablement/Disablement of the container escape scan policy
Used by actions: DescribeEscapeRuleInfo.
| Name | Type | Description |
|---|---|---|
| Type | String | Rule type. ESCAPE_HOST_ACESS_FILE: Host file access escape. ESCAPE_MOUNT_NAMESPACE: Mount namespace escape. ESCAPE_PRIVILEDGE: Program privilege escalation escape. ESCAPE_PRIVILEDGE_CONTAINER_START: Privileged container startup escape. ESCAPE_MOUNT_SENSITIVE_PTAH: Sensitive path mount. ESCAPE_SYSCALL: Syscall escape. |
| Name | String | Rule name. Valid values: Host file access escape; Syscall escape; Mount namespace escape; Program privilege escalation escape; Privileged container startup escape; Sensitive path mount. |
| IsEnable | Boolean | Whether to enable. Valid values: false (no); true (yes). |
| Group | String | Rule group. Valid values: RISK_CONTAINER (container in risk); PROCESS_PRIVILEGE (program privilege escalation); CONTAINER_ESCAPE (container escape). |
Enablement/Disablement of the container escape scan policy
Used by actions: ModifyEscapeRule.
| Name | Type | Required | Description |
|---|---|---|---|
| Type | String | Yes | Rule type. ESCAPE_CGROUPS: Escape by using the cgroup mechanism. ESCAPE_TAMPER_SENSITIVE_FILE: Escape by tampering with sensitive files. ESCAPE_DOCKER_API: Escape by accessing the Docker API. ESCAPE_VUL_OCCURRED: Escape vulnerability exploitation. MOUNT_SENSITIVE_PATH: Sensitive path mount. PRIVILEGE_CONTAINER_START: Privileged container. PRIVILEGE: Escape by program privilege escalation. |
| IsEnable | Boolean | Yes | Whether to enable. Valid values: false (no); true (yes). |
Escape allowlist
Used by actions: DescribeEscapeWhiteList.
| Name | Type | Description |
|---|---|---|
| ImageID | String | Image ID |
| ImageName | String | Image name |
| ID | Integer | Allowed item ID |
| HostCount | Integer | Number of associated hosts (including regular nodes and super nodes). |
| SuperNodeCount | Integer | Number of associated super nodes. |
| ContainerCount | Integer | Number of associated containers |
| EventType | Array of String | Allowed event type |
| InsertTime | String | Creation time |
| UpdateTime | String | Update time |
| ImageSize | Integer | Image size |
Export job details
Used by actions: DescribeExportJobManageList.
| Name | Type | Description |
|---|---|---|
| JobID | String | Job ID |
| JobName | String | Job name |
| Source | String | Source |
| ExportStatus | String | Export status |
| ExportProgress | Integer | Export progress |
| FailureMsg | String | Reason for failure |
| Timeout | String | Timeout threshold |
| InsertTime | String | Insertion time |
Container runtime security - File attribute information
Used by actions: DescribeAccessControlDetail.
| Name | Type | Description |
|---|---|---|
| FileName | String | Filename |
| FileType | String | File type |
| FileSize | Integer | File size in bytes |
| FilePath | String | File path |
| FileCreateTime | Timestamp | File creation time |
| LatestTamperedFileMTime | Timestamp | Time when the file is last tampered with |
| NewFile | String | Content of the new file |
| FileDiff | String | Differences between old and new files |
List of server IDs
Used by actions: DescribeAssetHostList.
| Name | Type | Description |
|---|---|---|
| HostID | String | Host ID. |
| HostIP | String | Host IP address, which is the private IP address. |
| HostName | String | Host name. |
| Group | String | Business group. |
| DockerVersion | String | Docker version. |
| DockerFileSystemDriver | String | Docker file system type. |
| ImageCnt | Integer | Number of images. |
| ContainerCnt | Integer | Number of containers. |
| Status | String | Agent running status. |
| IsContainerd | Boolean | Whether it is containerd. |
| MachineType | String | Server source. "CVM", "ECM", "LH", or "BM": Tencent Cloud server. "Other": non-Tencent Cloud server. |
| PublicIp | String | Public IP address. |
| Uuid | String | Host UUID. |
| InstanceID | String | Host instance ID. |
| RegionID | Integer | Region ID. |
| Project | ProjectInfo | Project. |
| Tags | Array of TagInfo | Tag. |
| ClusterID | String | Cluster ID. |
| ClusterName | String | Cluster name. |
| ClusterAccessedStatus | String | Cluster access status. |
| ClusterAccessedSubStatus | String | Cluster access sub-status. Enumeration values: |
| ClusterAccessedErrorReason | String | Detailed description of the failure reason. |
| ChargeCoresCnt | Integer | Billable cores. |
| DefendStatus | String | Protection status: |
| CoresCnt | Integer | Number of cores. |
| LastOnlineTime | String | Last online time. |
Information of the automatic image licensing task
Used by actions: DescribeImageAutoAuthorizedTaskList.
| Name | Type | Description |
|---|---|---|
| TaskId | Integer | Task ID |
| Type | String | Licensing method. Valid values: AUTO (automatic licensing); MANUAL (manual licensing). |
| AuthorizedDate | Date | Task date |
| Source | String | Image source. Valid values: LOCAL (local image); REGISTRY (repository image). |
| LastAuthorizedTime | String | Last licensing time |
| SuccessCount | Integer | Number of images automatically licensed successfully |
| FailCount | Integer | Number of images failed to be automatically licensed |
| LatestFailCode | String | Error code for the last task. Valid values: REACH_LIMIT (reaching the upper limit on licenses); LICENSE_INSUFFICIENT (insufficient licenses). |
Information of a component in the image
Used by actions: DescribeImageComponentList.
| Name | Type | Description |
|---|---|---|
| Name | String | Component name |
| Version | String | Component version |
| Path | String | Component path |
| Type | String | Component type |
| VulCount | Integer | Number of Component Vulnerabilities |
| ImageID | String | Image ID |
Image interception event
Used by actions: DescribeImageDenyEventList.
| Name | Type | Description |
|---|---|---|
| EventType | String | Event Type. EVENT_RISK: Risk Event Type; EVENT_PRIVILEGE: Privilege |
| RuleName | String | Rule name |
| RuleID | String | Rule ID |
| RuleType | String | Rule type |
| RuleStatus | Integer | Rule Enable Status. 0: Enabled; 1: Disabled |
| RuleEffectStatus | String | Rule Policy Status. IN_THE_TEST: Observing; IN_EFFECT: Effective |
| RuleInfo | Array of String | Rule content |
| RuleDescription | String | Rule description |
| ImageID | String | Image ID |
| ImageName | String | Image Name |
| NodeName | String | Node name. |
| NodeIP | String | Private IP address |
| QUUID | String | Host QUUID |
| FoundTime | String | First generation time |
| LatestFoundTime | String | Latest creation time |
| EventCount | Integer | Number of events |
| DealBehavior | String | Execution action. BEHAVIOR_ALERT: Alert. BEHAVIOR_HOLDUP_SUCCESSED: Interception. |
| EventID | Integer | Event ID |
| PublicIP | String | Public IP address |
| NodeID | String | Node ID |
| ClusterID | String | Cluster ID |
| NodeType | String | Node type. |
| NodeUniqueID | String | Super Node Unique ID |
| PodIP | String | Pod IP |
| PodName | String | Pod name |
| ClusterName | String | Cluster name. |
| ImageRegistryInfo | ImageRegistryInfo | Image repository information. |
Image Interception Event Trends
Used by actions: DescribeImageDenyEventTendency.
| Name | Type | Description |
|---|---|---|
| Date | Date | Date |
| EventCount | Integer | Number of events |
Image blocking rule
Used by actions: DescribeImageDenyRuleList.
| Name | Type | Description |
|---|---|---|
| RuleID | String | Rule ID |
| RuleName | String | Rule name |
| RuleType | String | Rule Type. RULE_RISK: Risk; RULE_PRIVILEGE: Privilege |
| EffectImageCount | Integer | Number of Effective Images |
| IsEffectAllImage | Integer | Application to All Scanned Images. 0: Select All Images; 1: Custom Images |
| EffectTime | String | Rule Effective Start Time |
| UpdateTime | String | Update time |
| OperationUin | String | Operator |
| Status | Integer | Enabled status |
| EffectStatus | String | Effective Status. IN_THE_TEST: Observing; IN_EFFECT: Effective |
| ID | Integer | Rule ID |
List of images associated with servers
Used by actions: DescribeAssetImageHostList.
| Name | Type | Description |
|---|---|---|
| ImageID | String | Image ID |
| HostID | String | Server ID |
Basic image information
Used by actions: CreateAssetImageRegistryScanTask, CreateAssetImageRegistryScanTaskOneKey, DescribeAssetImageRegistryRiskInfoList, DescribeAssetImageRegistryRiskListExport, DescribeAssetImageRegistryScanStatusOneKey, DescribeAssetImageRegistryVirusList, DescribeAssetImageRegistryVirusListExport, DescribeAssetImageRegistryVulList, DescribeAssetImageRegistryVulListExport, DescribeImageRegistryTimingScanTask, ModifyAssetImageRegistryScanStop, ModifyAssetImageRegistryScanStopOneKey, UpdateImageRegistryTimingScanTask.
| Name | Type | Required | Description |
|---|---|---|---|
| InstanceName | String | Yes | Instance name |
| Namespace | String | Yes | Namespace |
| ImageName | String | Yes | Image name |
| ImageTag | String | Yes | Image tag |
| Force | String | Yes | Forced scan |
| ImageDigest | String | No | Image ID |
| RegistryType | String | No | Repository type |
| ImageRepoAddress | String | No | Image repository address |
| InstanceId | String | No | Instance ID |
Basic image information
Used by actions: DescribeAssetImageRegistryScanStatusOneKey.
| Name | Type | Description |
|---|---|---|
| ImageId | String | Image ID |
| RegistryType | String | Repository type |
| ImageRepoAddress | String | Image repository address |
| InstanceId | String | Instance ID. |
| InstanceName | String | Instance name. |
| Namespace | String | Namespace |
| ImageName | String | Repository name |
| ImageTag | String | Image tag |
| ScanStatus | String | Image scan status |
| CveProgress | Integer | Image CVE scan progress |
| RiskProgress | Integer | Image sensitivity scan progress |
| VirusProgress | Integer | Image trojan scan progress |
Image repository details.
Used by actions: DescribeComplianceAssetList, DescribeCompliancePolicyItemAffectedAssetList, DescribeImageDenyEventDetail, DescribeImageDenyEventList.
| Name | Type | Description |
|---|---|---|
| Name | String | Repository name |
| Type | String | Repository type. Valid values: aws, ccr, harbor, jfrog, other-tcr, quay, tcr. |
| Address | String | Repository address |
List of image repositories
Used by actions: DescribeAssetImageRegistryList.
| Name | Type | Description |
|---|---|---|
| ImageDigest | String | Image digest |
| ImageRepoAddress | String | Image repository address |
| RegistryType | String | Repository type |
| ImageName | String | Image name |
| ImageTag | String | Image tag |
| ImageSize | Integer | Image size |
| ScanTime | String | Last scan time |
| ScanStatus | String | Scanning status |
| VulCnt | Integer | Number of vulnerabilities |
| VirusCnt | Integer | Number of viruses and trojans |
| RiskCnt | Integer | Number of risky behaviors |
| IsTrustImage | Boolean | Whether it is a trusted image |
| OsName | String | Image system |
| ScanVirusError | String | Trojan scan error |
| ScanVulError | String | Vulnerability scan error. |
| InstanceId | String | Instance ID |
| InstanceName | String | Instance name |
| Namespace | String | Namespace |
| ScanRiskError | String | High risk scan error |
| ScanVirusProgress | Integer | Sensitive information scan progress |
| ScanVulProgress | Integer | Trojan scan progress. |
| ScanRiskProgress | Integer | Vulnerability scan progress. |
| ScanRemainTime | Integer | Remaining scan time (seconds) |
| CveStatus | String | CVE scan status |
| RiskStatus | String | High risk scan status |
| VirusStatus | String | Trojan scan status |
| Progress | Integer | Overall progress |
| IsAuthorized | Integer | Licensing status |
| RegistryRegion | String | Repository region |
| Id | Integer | List of IDs |
| ImageId | String | Image ID. |
| ImageCreateTime | Timestamp ISO8601 | Image Creation Time |
| IsLatestImage | Boolean | Whether it is the latest version of the image |
| LowLevelVulCnt | Integer | |
| MediumLevelVulCnt | Integer | |
| HighLevelVulCnt | Integer | |
| CriticalLevelVulCnt | Integer | |
| ContainerCnt | Integer | |
| ComponentCnt | Integer | |
| IsRunning | Boolean | |
| HasNeedFixVul | Boolean | |
| SensitiveInfoCnt | Integer | Sensitive information |
| RecommendedFix | Boolean | |
| Solution | String | Solution |
| Reason | String | Reason. |
Container security image repository list
Used by actions: DescribeAssetImageRegistryRegistryList.
| Name | Type | Description |
|---|---|---|
| RegistryId | Integer | Repository ID |
| Name | String | Repository Name |
| RegistryType | String | Repository type, list: harbor, tcr |
| Url | String | Repository URL |
| NetType | String | Network type, list: public |
| RegistryRegion | String | Region, list: default |
| RegistryVersion | String | Repository version |
| ConnectMsg | String | Repository connection error message (to be deprecated). Use ConnDetectException. |
| ConnDetectType | String | Connectivity Check Method |
| ConnDetectHostCount | Integer | Connectivity Check Host Count |
| ConnDetectDetail | Array of RegistryConnDetectResult | Connectivity Check Details |
| InstanceID | String | Instance ID in TCR Scenario |
| LatestSyncTime | String | Most Recent Time for Successful Synchronization |
| SyncStatus | String | Synchronization status |
| SyncFailReason | String | Synchronization Failure Reason |
| SyncSolution | String | Synchronization Failure Solution |
| SyncMessage | String | Synchronization Failure Information |
| SyncMode | Integer | Synchronization method. 0: full synchronization; 1: incremental synchronization. |
Information of a high-risk behavior in the image
Used by actions: DescribeAssetImageRegistryRiskInfoList.
| Name | Type | Description |
|---|---|---|
| Behavior | Integer | High-risk behavior |
| Type | Integer | Type |
| Level | String | Risk level |
| Desc | String | Description |
| InstructionContent | String | Solution |
Image risk details
Used by actions: DescribeAssetImageRiskList.
| Name | Type | Description |
|---|---|---|
| Behavior | Integer | Behavior |
| Type | Integer | Type |
| Level | Integer | Level |
| Desc | String | Details |
| InstructionContent | String | Solution |
Trend information of security events at runtime
Used by actions: DescribeImageRiskTendency.
| Name | Type | Description |
|---|---|---|
| ImageRiskSet | Array of RunTimeTendencyInfo | List of trends |
| ImageRiskType | String | Risk type. IRT_VULNERABILITY: Vulnerability. IRT_MALWARE_VIRUS: Virus and trojan. IRT_RISK: Sensitive data. |
Image scanning billing information.
Used by actions: DescribeImageAuthorizedInfo.
| Name | Type | Description |
|---|---|---|
| InquireKey | String | Billing item |
| Capcity | Integer | Total Capacity |
| Useage | Integer | Used amount |
| StartTime | String | Start time. |
| EndTime | String | End time |
| PurchaseStatus | String | Billing status Pending purchase Normal: Normal. Isolate |
| ResourceID | String | Resource ID |
| PayNum | Integer | Number of purchased scans. |
| TrialNum | Integer | Number of trial scans. |
| PayUsage | Integer | Number of purchased scanning operations that have been used. |
List of images
Used by actions: DescribeImageSimpleList.
| Name | Type | Description |
|---|---|---|
| ImageID | String | Image ID |
| ImageName | String | Image name |
| Size | Integer | Image size |
| ImageType | String | Type |
| ContainerCnt | Integer | Number of associated containers |
| HostCnt | Integer | Associated hosts |
Information of a virus in the image
Used by actions: DescribeAssetImageRegistryVirusList.
| Name | Type | Description |
|---|---|---|
| Path | String | Path. |
| RiskLevel | String | Risk level |
| Category | String | Category |
| VirusName | String | Virus name |
| Tags | Array of String | Tag. |
| Desc | String | Description |
| Solution | String | Solution |
| FileType | String | File type |
| FileName | String | File path |
| FileMd5 | String | File MD5 |
| FileSize | Integer | Size |
| FirstScanTime | String | First detection time |
| LatestScanTime | String | Last scan time |
Information of a virus in the image
Used by actions: DescribeAssetImageVirusList.
| Name | Type | Description |
|---|---|---|
| Path | String | Path. |
| RiskLevel | Integer | Risk level |
| VirusName | String | Virus name |
| Tags | Array of String | Tag. |
| Desc | String | Description |
| Solution | String | Remediation Suggestions |
| Size | Integer | Size |
| FirstScanTime | String | First detection time |
| LatestScanTime | String | Last scan time |
| Md5 | String | File md5 |
| FileName | String | File name |
| CheckPlatform | Array of String | Detection platform. 1: Cloud Killing Engine; 2: tav; 3: binaryAi; 4: Abnormal behavior; 5: Threat Intelligence. |
Information of a vulnerability in the image
Used by actions: DescribeAssetImageRegistryVulList.
| Name | Type | Description |
|---|---|---|
| CVEID | String | Vulnerability ID |
| POCID | String | POC (proof of concept) ID |
| Name | String | Vulnerability name |
| Components | Array of ComponentsInfo | Component Information |
| Category | String | Category |
| CategoryType | String | Category 2 |
| Level | String | Risk level |
| Des | String | Description |
| OfficialSolution | String | Solution |
| Reference | String | Reference |
| DefenseSolution | String | Defense solution |
| SubmitTime | String | Submission time |
| CvssScore | String | CVSS Score |
| CvssVector | String | CVSS information. |
| IsSuggest | String | Whether repair is suggested. |
| FixedVersions | String | Repair Version Number |
| Tag | Array of String | Vulnerability Tag: "CanBeFixed", "DynamicLevelPoc", and "DynamicLevelExp" |
| Component | String | Component name. |
| Version | String | Component version |
| AttackLevel | Integer | Attack Heat 0-3 |
| LayerInfos | Array of ImageVulLayerInfo | Image Layer Information List |
Used by actions: DescribeAssetImageRegistryVulList.
| Name | Type | Description |
|---|---|---|
| LayerId | String | Layer ID |
| LayerCmd | String | Layer CMD |
Information of the runtime rule bound to the image
Used by actions: DescribeAssetImageBindRuleInfo.
| Name | Type | Description |
|---|---|---|
| ImageId | String | Image ID |
| ImageName | String | Image name |
| ContainerCnt | Integer | Number of associated containers |
| RuleId | String | Binding rule id |
| RuleName | String | Rule name |
| ImageSize | Integer | Image size |
| ScanTime | String | Last scan time |
List of image IDs
Used by actions: DescribeAssetImageList.
| Name | Type | Description |
|---|---|---|
| ImageID | String | Image ID |
| ImageName | String | Image name |
| CreateTime | String | Creation time |
| Size | Integer | Image size |
| HostCnt | Integer | Number of hosts (includes regular nodes and super nodes). |
| SuperNodeCnt | Integer | Number of super nodes. |
| ContainerCnt | Integer | Number of containers |
| ScanTime | String | Scan time |
| VulCnt | Integer | Number of vulnerabilities |
| VirusCnt | Integer | Number of viruses |
| RiskCnt | Integer | Number of sensitive data items |
| IsTrustImage | Boolean | Whether it is a trusted image |
| OsName | String | Image system |
| AgentError | String | Image scan error in the agent |
| ScanError | String | Image scan error on the backend |
| ScanStatus | String | Scanning status |
| ScanVirusError | String | Trojan scan error message |
| ScanVulError | String | Vulnerability scan error message |
| ScanRiskError | String | Risk scan error message |
| IsSuggest | Integer | Whether the image is of high priority. Valid values: 0 (no); others (yes). |
| IsAuthorized | Integer | Whether it is licensed. Valid values: 1 (yes); 0 (no). |
| ComponentCnt | Integer | Number of components |
| CriticalLevelVulCnt | Integer | |
| HighLevelVulCnt | Integer | |
| MediumLevelVulCnt | Integer | |
| LowLevelVulCnt | Integer | |
| IsLatestImage | Boolean | |
| RecommendedFix | Boolean | |
| Solution | String | Solution |
| Reason | String | Reason |
Vulnerability in the image
Used by actions: DescribeAssetImageVulList.
| Name | Type | Description |
|---|---|---|
| CVEID | String | Vulnerability ID |
| Name | String | Vulnerability name |
| Component | String | Component |
| Version | String | Version |
| Category | String | Category |
| CategoryType | String | Category 2 |
| Level | Integer | Risk level |
| Des | String | Description |
| OfficialSolution | String | Solution |
| Reference | String | Reference |
| DefenseSolution | String | Defense solution |
| SubmitTime | String | Submission time |
| CVSSV3Score | Float | CVSS V3 score |
| CVSSV3Desc | String | CVSS V3 description |
| IsSuggest | Boolean | Whether it is of high priority. Valid values: true (yes); false (no). |
| FixedVersions | String | Repair Version Number |
| Tag | Array of String | Vulnerability Tag: "CanBeFixed", "DynamicLevelPoc", and "DynamicLevelExp" |
| AttackLevel | Integer | Attack Heat |
K8s alarm types and corresponding numbers of alarms.
Used by actions: DescribeK8sApiAbnormalTendency.
| Name | Type | Description |
|---|---|---|
| RuleType | String | Rule type. Enumeration values: |
| EventCount | Integer | Number of alarms corresponding to the rule. |
K8s alarm types and corresponding descriptions.
Used by actions: DescribeK8sApiAbnormalEventList, DescribeK8sApiAbnormalTendency.
| Name | Type | Description |
|---|---|---|
| RuleType | String | Rule type. Enumeration values: |
| RuleTypeZh | String | Description of the rule type. |
K8sApi abnormal event details
Used by actions: DescribeK8sApiAbnormalEventInfo.
| Name | Type | Description |
|---|---|---|
| MatchRuleName | String | Hit rule name. |
| MatchRuleType | String | Hit rule type. |
| RiskLevel | String | Alarm level. |
| ClusterID | String | Cluster ID. |
| ClusterName | String | Cluster name. |
| ClusterRunningStatus | String | Cluster running status: CSR_RUNNING, CSR_EXCEPTION, and CSR_CREATING |
| FirstCreateTime | String | Initial generation time. |
| LastCreateTime | String | Last generation time. |
| AlarmCount | Integer | Number of alarms. |
| Status | String | Status. |
| ClusterMasterIP | String | Cluster master IP address. |
| K8sVersion | String | K8s version. |
| RunningComponent | Array of String | Runtime component. |
| Desc | String | Description. |
| Suggestion | String | Suggestion. |
| Info | String | Request information. |
| MatchRuleID | String | Rule ID. |
| HighLightFields | Array of String | Array of highlighted fields. |
| MatchRule | K8sApiAbnormalRuleScopeInfo | Hit rule. |
| HighLightFieldsVal | String | Hit rule content corresponding to highlighted fields, as a JSON string in the format {"field1":"value1","field2":"value2"}. |
| RuleTypeZH | String | Rule type. |
Items in the K8sApi abnormal event list
Used by actions: DescribeK8sApiAbnormalEventList.
| Name | Type | Description |
|---|---|---|
| ID | Integer | Event ID |
| MatchRuleType | String | Hit rule type |
| RiskLevel | String | Threat level |
| ClusterID | String | Cluster ID |
| ClusterName | String | Cluster name |
| ClusterRunningStatus | String | Cluster running status |
| FirstCreateTime | String | First creation time |
| LastCreateTime | String | Last creation time |
| AlarmCount | Integer | Number of alarms |
| Status | String | Status |
| RuleType | String | Rule type |
| Desc | String | Description |
| Suggestion | String | Solution |
| RuleName | String | Rule name |
| MatchRule | K8sApiAbnormalRuleScopeInfo | Hit rule |
K8sApi abnormal request rule details
Used by actions: CreateK8sApiAbnormalRuleInfo, DescribeK8sApiAbnormalRuleInfo, ModifyK8sApiAbnormalRuleInfo.
| Name | Type | Required | Description |
|---|---|---|---|
| RuleName | String | Yes | Rule name |
| Status | Boolean | Yes | Status |
| RuleInfoList | Array of K8sApiAbnormalRuleScopeInfo | Yes | Rule information list |
| EffectClusterIDSet | Array of String | Yes | Set of effective cluster IDs |
| RuleType | String | Yes | Rule type. RT_SYSTEM: System rules; RT_USER: User-defined rules. |
| EffectAllCluster | Boolean | Yes | Whether all clusters are effective |
| RuleID | String | No | Rule ID |
Items in the list of K8sApi abnormal request rules
Used by actions: DescribeK8sApiAbnormalRuleList.
| Name | Type | Description |
|---|---|---|
| EffectAllCluster | Boolean | Whether the rule takes effect on all clusters. true: takes effect on all clusters; false: takes effect only on specified clusters. |
| EffectClusterCount | Integer | Total number of affected clusters |
| OprUin | String | Edit account |
| RuleActions | Array of String | Deduplicated list of all execution actions in the rule group. The blocklist currently contains only RULE_MODE_ALERT (alert). Note: This field may return null, indicating that no valid values can be obtained. |
| RuleID | String | Rule ID |
| RuleInfoList | Array of K8sApiAbnormalRuleScopeInfo | Sub-rule content list, deserialized from the rule_details JSON. Note: This field may return null, indicating that no valid values can be obtained. |
| RuleName | String | Rule name |
| RuleType | String | Rule type. RT_SYSTEM: System rules; RT_USER: User-defined rules. |
| Status | Boolean | Status |
| UpdateTime | String | Update time |
Configuration Scope for Kubernetes API Exception Event Rules
Used by actions: CreateK8sApiAbnormalRuleInfo, DescribeK8sApiAbnormalEventInfo, DescribeK8sApiAbnormalEventList, DescribeK8sApiAbnormalRuleInfo, DescribeK8sApiAbnormalRuleList, DescribeK8sApiAbnormalRuleScopeList, ModifyK8sApiAbnormalRuleInfo.
| Name | Type | Required | Description |
|---|---|---|---|
| Action | String | Yes | Execution action. The blocklist rule only supports RULE_MODE_ALERT (alert) and no longer supports RULE_MODE_RELEASE/PASS (allow). To allow, use the allowlist API ModifyK8sApiAbnormalWhitelist. |
| Scope | String | Yes | Scope. |
| IsDelete | Boolean | No | Whether it has been deleted. |
| RiskLevel | String | No | Threat level: HIGH, MIDDLE, LOW, and NOTICE. |
| RuleTypeZH | String | No | Description of the rule type. |
| Status | Boolean | No | Switch status (true: on, false: off) applicable to system rules. |
Items in the list of K8sApi abnormal request trends
Used by actions: DescribeK8sApiAbnormalTendency.
| Name | Type | Description |
|---|---|---|
| Date | String | Date |
| ExceptionUARequestCount | Integer | Number of abnormal UA request events. |
| AnonymousUserRightCount | Integer | Number of anonymous user permission events. |
| CredentialInformationObtainCount | Integer | Number of credential information acquisition events. |
| SensitiveDataMountCount | Integer | Number of sensitive data mount events. |
| CmdExecCount | Integer | Number of command execution events. |
| AbnormalScheduledTaskCount | Integer | Number of abnormal scheduled task events. |
| StaticsPodCreateCount | Integer | Number of static Pod creations. |
| DoubtfulContainerCreateCount | Integer | Number of suspicious container creations. |
| UserDefinedRuleCount | Integer | Number of custom rule events. |
| AnonymousAccessCount | Integer | Number of anonymous access events. |
| PrivilegeContainerCount | Integer | Number of privileged container events. |
| RuleTypeCountSet | Array of K8SAPIRuleTypeCountItem | Number of alarms corresponding to the rule type. |
Malicious External Connection Blocklist and Allowlist Information
Used by actions: DescribeMaliciousConnectionBlackList, DescribeMaliciousConnectionWhiteList.
| Name | Type | Description |
|---|---|---|
| RuleType | String | Enumeration values. IP: IPv4 or IPv6 address; DOMAIN: domain name. |
| Address | String | Custom Blocklist/Allowlist Domain/IP |
| CreatedTime | String | Creation time. |
| UpdateTime | String | Update time |
| Remark | String | Remarks |
| RuleID | Integer | Rule ID |
Input parameters for adding and unignoring vulnerabilities in the scan
Used by actions: AddIgnoreVul, DeleteIgnoreVul.
| Name | Type | Required | Description |
|---|---|---|---|
| PocID | String | Yes | POC ID |
| ImageIDs | Array of String | No | IDs of images to be ignored. If it is not specified, it indicates to ignore all. |
| ImageType | String | No | Image type when an image is specified. Valid values: LOCAL (local image); REGISTRY (repository image). |
The structure returned by the audit of the network cluster asset
Used by actions: DescribeNetworkFirewallAuditRecord.
| Name | Type | Description |
|---|---|---|
| ClusterId | String | Cluster ID |
| ClusterName | String | Cluster name |
| Region | String | Cluster region |
| Action | String | Action |
| Operation | String | Operator |
| NetworkPolicyName | String | Policy name |
| OperationTime | String | Operation time |
| AppId | Integer | Operator App ID |
| Uin | String | Operator UIN |
| PolicyId | Integer | Policy ID |
Response parameters structure of the network cluster asset
Used by actions: DescribeNetworkFirewallClusterList.
| Name | Type | Description |
|---|---|---|
| ClusterId | String | Cluster ID |
| ClusterName | String | Cluster name |
| ClusterVersion | String | Cluster version |
| ClusterOs | String | Cluster OS |
| ClusterType | String | Cluster type |
| Region | String | Cluster region |
| NetworkPolicyPlugin | String | Cluster network plugin |
| ClusterStatus | String | Cluster status |
| TotalRuleCount | Integer | Total number of policies |
| EnableRuleCount | Integer | Number of enabled policies |
| NetworkPolicyPluginStatus | String | Status of the cluster network plugin. Valid values: Running (normal); Error (abnormal). |
| NetworkPolicyPluginError | String | Cluster Network Plugin Error Message |
| ClusterNetworkSettings | String | Container network plugin |
Response parameters structure of the network space label
Used by actions: DescribeNetworkFirewallNamespaceLabelList.
| Name | Type | Description |
|---|---|---|
| Labels | String | Network space label |
| Name | String | Network space name |
Response parameters structure of the network cluster Pod
Used by actions: DescribeNetworkFirewallPodLabelsList.
| Name | Type | Description |
|---|---|---|
| PodName | String | Pod name |
| Namespace | String | Pod Space |
| Labels | String | Pod tag |
| WorkloadKind | String | Pod Type |
Custom rule of the network cluster policy
Used by actions: AddAndPublishNetworkFirewallPolicyDetail, AddNetworkFirewallPolicyDetail, DescribeNetworkFirewallPolicyDetail, UpdateAndPublishNetworkFirewallPolicyDetail, UpdateNetworkFirewallPolicyDetail.
| Name | Type | Required | Description |
|---|---|---|---|
| Direction | String | Yes | Network policy direction. Valid values: FROM, TO. |
| Ports | Array of NetworkPorts | No | Network Policy Port |
| Peer | Array of NetworkPeer | No | Network policy object. Enable but not confirmed: PublishedNoConfirm; Enabled and confirmed: PublishedConfirmed; Disabling: unPublishing; Enabled: Publishing; Enable: unPublishEdit. |
Custom rule of the network cluster policy
Used by actions: AddAndPublishNetworkFirewallPolicyDetail, AddNetworkFirewallPolicyDetail, DescribeNetworkFirewallPolicyDetail, UpdateAndPublishNetworkFirewallPolicyDetail, UpdateNetworkFirewallPolicyDetail.
| Name | Type | Required | Description |
|---|---|---|---|
| PeerType | String | Yes | Object type. Namespace: NamespaceSelector, which indicates that NamespaceSelector has a value. Pod type: PodSelector, which indicates that both NamespaceSelector and PodSelector have values. IP type: IPBlock, which indicates that only IPBlock has a value. |
| NamespaceSelector | String | No | Namespace Selector |
| PodSelector | String | No | Pod Selector |
| IPBlock | String | No | IP Selector |
Response parameters structure of the network cluster policy
Used by actions: DescribeNetworkFirewallPolicyList.
| Name | Type | Description |
|---|---|---|
| Name | String | Network policy name |
| Description | String | Network Policy Description |
| PublishStatus | String | Publishing status. PublishedNoConfirm: Enabled and to be confirmed. PublishedConfirmed: Enabled and confirmed. unPublishing: Disabled. Publishing: Enabled. unPublishEdit: To be enabled. |
| PolicySourceType | String | Policy type. System: Synced from the cluster. Manual: Added manually. |
| Namespace | String | Policy space |
| PolicyCreateTime | String | Policy creation date |
| NetworkPolicyPlugin | String | Policy type. kube-router: KubeRouter; cilium: Cilium. |
| PublishResult | String | Policy Distribution Result |
| FromPolicyRule | Integer | Inbound rule. 1: Allow all. 2: Reject all. 3: Custom. |
| ToPolicyRule | Integer | Inbound rule. 1: Allow all. 2: Reject all. 3: Custom. |
| PodSelector | String | Target Object |
| Id | Integer | Network policy ID |
Port of the custom rule of the network cluster policy
Used by actions: AddAndPublishNetworkFirewallPolicyDetail, AddNetworkFirewallPolicyDetail, DescribeNetworkFirewallPolicyDetail, UpdateAndPublishNetworkFirewallPolicyDetail, UpdateNetworkFirewallPolicyDetail.
| Name | Type | Required | Description |
|---|---|---|---|
| Protocol | String | No | Network Policy Protocol |
| Port | String | No | Network Policy Port |
List of ports
Used by actions: DescribeAssetPortList.
| Name | Type | Description |
|---|---|---|
| Type | String | Type |
| PublicIP | String | Public IP |
| PublicPort | Integer | Server port |
| ContainerPort | Integer | Container port |
| ContainerPID | Integer | Container PID |
| ContainerName | String | Container name |
| HostID | String | Server ID |
| HostIP | String | Server IP |
| ProcessName | String | Process name |
| ListenContainer | String | Monitored address in the container |
| ListenHost | String | Monitored address outside the container |
| RunAs | String | Operating account |
| HostName | String | Server name |
| PublicIp | String | Public IP |
| NodeID | String | Node ID |
| PodIP | String | Pod IP |
| PodName | String | Pod name |
| NodeType | String | Node type. |
| NodeUniqueID | String | UID of the super node |
Runtime security - Basic process information
Used by actions: DescribeAbnormalProcessDetail, DescribeAccessControlDetail, DescribeEscapeEventDetail, DescribeReverseShellDetail, DescribeRiskSyscallDetail.
| Name | Type | Description |
|---|---|---|
| ProcessStartUser | String | Process startup user |
| ProcessUserGroup | String | Process user group |
| ProcessPath | String | Process path |
| ProcessParam | String | Process command line parameters |
Runtime security details - Basic process information
Used by actions: DescribeAbnormalProcessDetail, DescribeReverseShellDetail, DescribeRiskSyscallDetail.
| Name | Type | Description |
|---|---|---|
| ProcessName | String | Process name |
| ProcessId | Integer | Process PID |
| ProcessStartUser | String | Process initiator |
| ProcessUserGroup | String | Process user group |
| ProcessPath | String | Process path |
| ProcessParam | String | Process command line parameter |
Runtime security details - Process information
Used by actions: DescribeAbnormalProcessDetail, DescribeAccessControlDetail, DescribeEscapeEventDetail, DescribeReverseShellDetail, DescribeRiskSyscallDetail.
| Name | Type | Description |
|---|---|---|
| ProcessName | String | Process name |
| ProcessAuthority | String | Process permission |
| ProcessId | Integer | Process PID |
| ProcessStartUser | String | Process initiator |
| ProcessUserGroup | String | Process user group |
| ProcessPath | String | Process path |
| ProcessTree | String | Process tree |
| ProcessMd5 | String | Process MD5 |
| ProcessParam | String | Process command line parameter |
List of processes
Used by actions: DescribeAssetProcessList.
| Name | Type | Description |
|---|---|---|
| StartTime | String | Process start time |
| RunAs | String | Operator |
| CmdLine | String | Command line parameter |
| Exe | String | Exe path |
| PID | Integer | Server PID |
| ContainerPID | Integer | Container PID |
| ContainerName | String | Container name |
| HostID | String | Server ID |
| HostIP | String | Server IP |
| ProcessName | String | Process name |
| HostName | String | Server name |
| PublicIp | String | Public IP |
| NodeID | String | Node ID |
| PodIP | String | Pod IP |
| PodName | String | Pod name |
| NodeType | String | Node type. |
| NodeUniqueID | String | UID of the super node |
The project to which the host belongs
Used by actions: DescribeAssetHostDetail, DescribeAssetHostList.
| Name | Type | Description |
|---|---|---|
| ProjectName | String | Project name |
| ProjectID | Integer | Project ID |
Promotion content
Used by actions: DescribePromotionActivity.
| Name | Type | Description |
|---|---|---|
| MonthNum | Integer | Number of months |
| CoresCountLimit | Integer | Minimum number of cores |
| ProfessionalDiscount | Integer | Discount on the Pro Edition |
| ImageAuthorizationNum | Integer | Number of free images |
RASP information of vulnerability defense plugin
Used by actions: DescribeVulDefenceEventDetail.
| Name | Type | Description |
|---|---|---|
| Name | String | RASP name |
| Value | String | RASP description |
RASP allowlist rule.
Used by actions: DescribeRaspRules.
| Name | Type | Description |
|---|---|---|
| Id | Integer | Rule ID |
| URLRegexp | String | Regular expression for a custom request URL range. If this parameter is left blank, saving fails. |
| VulVulsID | Integer | Vulnerability ID |
| VulVulsName | String | Vulnerability name |
| CveID | String | CVE ID |
| SupportDefense | Integer | Vulnerability defense type, which comes from the vulnerability table. 1: component vulnerability defense supported, with component vulnerabilities not allowlisted through a regular expression; 2: regular expression defense supported. |
| WhiteType | Integer | Allowlisting scope. 0: Allowlist all requests; 1: Allowlist requests within a custom request scope. |
| Status | Integer | Status. 0: valid. |
| CreateTime | String | Creation time. |
| ModifyTime | String | Modification time. |
List of vulnerabilities in a RASP allowlist.
Used by actions: DescribeRaspRuleVuls.
| Name | Type | Description |
|---|---|---|
| VulVulsID | Integer | Vulnerability ID |
| VulVulsName | String | Vulnerability name |
| CveID | String | CVE ID |
| SupportDefense | Integer | Vulnerability defense type, which comes from the vulnerability table. 1: component vulnerability defense supported, with component vulnerabilities not allowlisted through a regular expression; 2: regular expression defense supported. |
Regular Expression Rule Details
Used by actions: DescribeReverseShellRegexpWhiteListInfo.
| Name | Type | Required | Description |
|---|---|---|---|
| RuleName | String | Yes | Rule name. Note: This field may return null, indicating that no valid values can be obtained. |
| Status | Boolean | Yes | Enabled status. Note: This field may return null, indicating that no valid values can be obtained. |
| ExpressionList | Array of WhiteListRegexpExpressionInfo | Yes | Regular expression list. Note: This field may return null, indicating that no valid values can be obtained. |
| RuleID | String | No | Rule ID. Note: This field may return null, indicating that no valid values can be obtained. |
| UpdateTime | String | No | Latest update time. Note: This field may return null, indicating that no valid values can be obtained. |
| OperatorUIN | String | No | Latest operating account. Note: This field may return null, indicating that no valid values can be obtained. |
Regular Expression Rule List Item
Used by actions: DescribeReverseShellRegexpWhiteList.
| Name | Type | Description |
|---|---|---|
| RuleID | String | Rule ID. Note: This field may return null, indicating that no valid values can be obtained. |
| RuleName | String | Rule name. Note: This field may return null, indicating that no valid values can be obtained. |
| EffectiveExpression | Integer | Number of effective expressions. Note: This field may return null, indicating that no valid values can be obtained. |
| UpdateTime | String | Latest edit time. Note: This field may return null, indicating that no valid values can be obtained. |
| OperatorUin | String | Most recently edited account. Note: This field may return null, indicating that no valid values can be obtained. |
| Status | Boolean | Enabled status. Note: This field may return null, indicating that no valid values can be obtained. |
Region information
Used by actions: DescribeSecLogDeliveryClsOptions, DescribeSecLogDeliveryKafkaOptions.
| Name | Type | Description |
|---|---|---|
| Region | String | Region identifier |
| RegionName | String | Region name |
Used by actions: DescribeAssetImageRegistryRegistryDetail, DescribeAssetImageRegistryRegistryList.
| Name | Type | Description |
|---|---|---|
| Quuid | String | |
| Uuid | String | |
| ConnDetectStatus | String | |
| ConnDetectMessage | String | |
| Solution | String | |
| FailReason | String | |
Description of the container reverse shell event at runtime
Used by actions: DescribeReverseShellDetail.
| Name | Type | Description |
|---|---|---|
| Description | String | Description |
| Solution | String | Solution |
| Remark | String | Event remark information |
| DstAddress | String | Destination address |
| OperationTime | String | Last Time for Event Handling |
Container runtime security - Information of the reverse shell
Used by actions: DescribeReverseShellEvents.
| Name | Type | Description |
|---|---|---|
| ProcessName | String | Process name |
| ProcessPath | String | Process path |
| ImageId | String | Image ID |
| ContainerId | String | Container ID |
| ImageName | String | Image name |
| ContainerName | String | Container name |
| FoundTime | String | Generation time |
| Solution | String | Event solution |
| Description | String | Event description |
| Status | String | Status. EVENT_UNDEAL: Pending. EVENT_DEALED: Processed. EVENT_INGNORE: Ignored. EVENT_ADD_WHITE: Allowed. |
| EventId | String | Event ID |
| Remark | String | Remarks |
| PProcessName | String | Parent process name |
| EventCount | Integer | Number of events |
| LatestFoundTime | String | Last generation time |
| DstAddress | String | Destination address |
| ContainerNetStatus | String | Network status. NORMAL: Not isolated. ISOLATED: Isolated. ISOLATING: Isolating. ISOLATE_FAILED: Isolation failed. RESTORING: Recovering. RESTORE_FAILED: Recovery failed. |
| ContainerNetSubStatus | String | Sub-status of the container. AGENT_OFFLINE: The agent is offline. NODE_DESTROYED: The node is terminated. CONTAINER_EXITED: The container exited. CONTAINER_DESTROYED: The container was terminated. SHARED_HOST: The container shares the network with the server. RESOURCE_LIMIT: The number of resources to be isolated exceeds the limit. UNKNOW: The reason is unknown. |
| ContainerIsolateOperationSrc | String | Container isolation operation source |
| ContainerStatus | String | Container status. RUNNING: Running. PAUSED: Paused. STOPPED: Stopped. CREATED: Created. DESTROYED: Terminated. RESTARTING: Restarting. REMOVING: Removing. |
| ClusterID | String | Cluster ID. |
| NodeType | String | Node Type. NORMAL: Common Node; SUPER: Super Node |
| PodName | String | Pod name |
| PodIP | String | Pod IP |
| NodeUniqueID | String | Node Unique ID |
| PublicIP | String | Node Public IP |
| NodeName | String | Node name. |
| HostID | String | uuid |
| HostIP | String | Node private network IP. |
| NodeID | String | Node ID. |
| ClusterName | String | Cluster name. |
Information of an allowed reverse shell
Used by actions: DescribeReverseShellWhiteLists.
| Name | Type | Description |
|---|---|---|
| Id | String | Allowed item ID |
| ImageCount | Integer | Number of images |
| ProcessName | String | Connection process name |
| DstIp | String | Destination address IP |
| CreateTime | Timestamp | Creation time |
| UpdateTime | Timestamp | Update time |
| DstPort | String | Target port |
| IsGlobal | Boolean | Whether it is allowed globally. true: Yes. |
| ImageIds | Array of String | Array of image IDs. An empty array indicates all. |
Information of an allowed reverse shell
Used by actions: AddEditReverseShellWhiteList, DescribeReverseShellWhiteListDetail.
| Name | Type | Required | Description |
|---|---|---|---|
| DstIp | String | Yes | Target IP |
| DstPort | String | Yes | Target port |
| ProcessName | String | Yes | Target process |
| ImageIds | Array of String | Yes | Array of image IDs. An empty array indicates all. |
| Id | String | No | Allowed item ID, which is empty if the item is newly created. |
Description of the high-risk container syscall event at runtime
Used by actions: DescribeRiskSyscallDetail.
| Name | Type | Description |
|---|---|---|
| Description | String | Description |
| Solution | String | Solution |
| Remark | String | Event remark information |
| SyscallName | String | Syscall name |
| OperationTime | String | Last Time for Event Handling |
Container runtime security - Information of the high-risk syscall
Used by actions: DescribeRiskSyscallEvents.
| Name | Type | Description |
|---|---|---|
| ProcessName | String | Process name |
| ProcessPath | String | Process path |
| ImageId | String | Image ID |
| ContainerId | String | Container ID |
| ImageName | String | Image name |
| ContainerName | String | Container name |
| FoundTime | String | Generation time |
| Solution | String | Event solution |
| Description | String | Event description |
| SyscallName | String | Syscall name |
| Status | String | Status. EVENT_UNDEAL: Pending. EVENT_DEALED: Processed. EVENT_INGNORE: Ignored. EVENT_ADD_WHITE: Allowed. |
| EventId | String | Event ID |
| NodeName | String | Node name |
| PodName | String | Pod (instance) name |
| Remark | String | Remarks |
| RuleExist | Boolean | Whether the system monitoring rule name exists |
| EventCount | Integer | Number of events |
| LatestFoundTime | String | Last generation time |
| ContainerNetStatus | String | Network status. NORMAL: Not isolated. ISOLATED: Isolated. ISOLATING: Isolating. ISOLATE_FAILED: Isolation failed. RESTORING: Recovering. RESTORE_FAILED: Recovery failed. |
| ContainerNetSubStatus | String | Sub-status of the container. AGENT_OFFLINE: The agent is offline. NODE_DESTROYED: The node is terminated. CONTAINER_EXITED: The container exited. CONTAINER_DESTROYED: The container was terminated. SHARED_HOST: The container shares the network with the server. RESOURCE_LIMIT: The number of resources to be isolated exceeds the limit. UNKNOW: The reason is unknown. |
| ContainerIsolateOperationSrc | String | Container isolation operation source |
| ContainerStatus | String | Container status. RUNNING: Running. PAUSED: Paused. STOPPED: Stopped. CREATED: Created. DESTROYED: Terminated. RESTARTING: Restarting. REMOVING: Removing. |
| NodeType | String | Node type. Values: NORMAL (general node), SUPER (super node). |
| ClusterID | String | Cluster ID |
| PodIP | String | Pod IP |
| NodeUniqueID | String | Unique node ID |
| PublicIP | String | Node public IP |
| NodeID | String | Node ID |
| HostID | String | uuid |
| HostIP | String | Private IP of the node |
| ClusterName | String | Cluster name |
Information of the allowlist of high-risk syscalls
Used by actions: DescribeRiskSyscallWhiteLists.
| Name | Type | Description |
|---|---|---|
| Id | String | Allowed item ID |
| ImageCount | Integer | Number of images |
| ProcessPath | String | Connection process path |
| SyscallNames | Array of String | List of syscall names |
| CreateTime | Timestamp | Creation time |
| UpdateTime | Timestamp | Update time |
| IsGlobal | Boolean | Whether it is allowed globally. true: Yes. |
| ImageIds | Array of String | Array of image IDs |
Information of the allowlist of high-risk syscalls
Used by actions: AddEditRiskSyscallWhiteList, DescribeRiskSyscallWhiteListDetail.
| Name | Type | Required | Description |
|---|---|---|---|
| ImageIds | Array of String | Yes | Array of image IDs. An empty array indicates all. |
| SyscallNames | Array of String | No | Syscall name. The DescribeRiskSyscallNames API can be called to get the list of enumerated values. |
| ProcessPath | String | No | Target process |
| Id | String | No | Allowed item ID, which is empty if the item is newly created. |
Runtime security - Basic policy information
Used by actions: DescribeAbnormalProcessRules, DescribeAccessControlRules.
| Name | Type | Description |
|---|---|---|
| EditUserName | String | Name of the editing user |
| EffectImageCount | Integer | Number of associated images |
| IsDefault | Boolean | Valid values: true (default policy); false (custom policy). |
| IsGlobal | Boolean | Whether the rule applies to all images. true indicates it takes effect for all images. |
| IsEnable | Boolean | Valid values: true (enable the policy); false (disable the policy). |
| RuleId | String | Policy ID |
| RuleName | String | Policy name |
| UpdateTime | String | Policy update time. Can be empty. |
Runtime security - Basic event information
Used by actions: DescribeAbnormalProcessDetail, DescribeAccessControlDetail, DescribeEscapeEventDetail, DescribeReverseShellDetail, DescribeRiskSyscallDetail.
| Name | Type | Description |
|---|---|---|
| EventId | String | Unique event ID |
| FoundTime | Timestamp | Event discovery time |
| ContainerId | String | Container ID |
| ContainerName | String | Container name |
| ImageId | String | Image ID |
| ImageName | String | Image name |
| NodeName | String | Node name |
| Status | String | Status. EVENT_UNDEAL: Pending. EVENT_DEALED: Processed. EVENT_INGNORE: Ignored. |
| EventName | String | Event name: Host file access escape; Syscall escape; Mount namespace escape; Program privilege escalation escape; Privileged container startup escape; Sensitive path mount; Malicious process startup; File tampering. |
| EventType | String | Event type. ESCAPE_HOST_ACESS_FILE: Host file access escape. ESCAPE_MOUNT_NAMESPACE: Mount namespace escape. ESCAPE_PRIVILEDGE: Program privilege escalation escape. ESCAPE_PRIVILEDGE_CONTAINER_START: Privileged container startup escape. ESCAPE_MOUNT_SENSITIVE_PTAH: Sensitive path mount. ESCAPE_SYSCALL: Syscall escape. |
| EventCount | Integer | Number of events |
| LatestFoundTime | String | Last generation time |
| HostIP | String | Private IP address |
| ClientIP | String | Public IP address |
| ContainerNetStatus | String | Network status. Valid values: NORMAL (unisolated); ISOLATED (isolated); ISOLATE_FAILED (isolation failed); RESTORING (restoring); RESTORE_FAILED (isolation restoration failed). |
| ContainerNetSubStatus | String | Container sub-status. Valid values: AGENT_OFFLINE; NODE_DESTROYED; CONTAINER_EXITED; CONTAINER_DESTROYED; SHARED_HOST (the container shares the network with the host); RESOURCE_LIMIT; UNKNOW (unknown). |
| ContainerIsolateOperationSrc | String | Container Isolation Operation Source |
| NodeID | String | Node ID |
| NodeType | String | Node type. Valid values: NORMAL (general node), SUPER (super node) |
| NodeSubNetID | String | Node subnet ID |
| NodeSubNetName | String | Node subnet name |
| NodeSubNetCIDR | String | Subnet IP range |
| PodName | String | Pod name |
| PodIP | String | Pod IP |
| PodStatus | String | Pod status |
| ClusterID | String | Cluster ID |
| ClusterName | String | Cluster name |
| NodeUniqueID | String | Unique node ID |
| HostID | String | uuid |
| Namespace | String | |
| WorkloadType | String | |
| ContainerStatus | String | Container running status |
TCSS
Key-value pair filter for conditional filtering queries, such as filter ID, name, and status
If more than one filter exists, the logical relationship between these filters is AND.
If multiple values exist in one filter, the logical relationship between these values is OR.
Used by actions: CreateAbnormalProcessRulesExportJob, CreateAccessControlsRuleExportJob, CreateDefenceVulExportJob, CreateEmergencyVulExportJob, CreateEscapeEventsExportJob, CreateEscapeWhiteListExportJob, CreateExportComplianceStatusListJob, CreateImageExportJob, CreateK8sApiAbnormalEventExportJob, CreateK8sApiAbnormalRuleExportJob, CreateRiskDnsEventExportJob, CreateSystemVulExportJob, CreateVulContainerExportJob, CreateVulDefenceEventExportJob, CreateVulDefenceHostExportJob, CreateVulImageExportJob, CreateWebVulExportJob, DescribeAbnormalProcessEvents, DescribeAbnormalProcessRules, DescribeAccessControlEvents, DescribeAccessControlEventsExport, DescribeAccessControlRules, DescribeAssetClusterList, DescribeAssetImageBindRuleInfo, DescribeEmergencyVulList, DescribeEscapeEventInfo, DescribeEscapeWhiteList, DescribeExportJobManageList, DescribeImageDenyEventList, DescribeImageDenyRuleList, DescribeImageSimpleList, DescribeK8sApiAbnormalEventList, DescribeK8sApiAbnormalRuleList, DescribeK8sApiAbnormalRuleScopeList, DescribeMaliciousConnectionBlackList, DescribeMaliciousConnectionWhiteList, DescribeRaspRuleVuls, DescribeRaspRules, DescribeReverseShellEvents, DescribeReverseShellEventsExport, DescribeReverseShellRegexpWhiteList, DescribeReverseShellWhiteLists, DescribeRiskSyscallEvents, DescribeRiskSyscallEventsExport, DescribeRiskSyscallWhiteLists, DescribeScanIgnoreVulList, DescribeSecLogJoinObjectList, DescribeSupportDefenceVul, DescribeSystemVulList, DescribeVirusAutoIsolateSampleList, DescribeVirusList, DescribeVirusTaskList, DescribeVirusWhiteListRules, DescribeVulContainerList, DescribeVulDefenceEvent, DescribeVulDefenceHost, DescribeVulDefencePlugin, DescribeVulImageList, DescribeVulScanLocalImageList, DescribeVulSummary, DescribeWebVulList, ExportVirusList.
| Name | Type | Required | Description |
|---|---|---|---|
| Name | String | Yes | Filter name |
| Values | Array of String | Yes | One or more filter values |
| ExactMatch | Boolean | No | Whether to use fuzzy query |
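The AND/OR semantics above, modelled client-side as an added example (not part of this API reference or of any SDK). It assumes, for illustration only, that a filter Name equals a field name on the returned record; the filter names each action accepts are not listed here, ExactMatch is not modelled, and the event records are constructed.

```python
from typing import Dict, Iterable, List

Record = Dict[str, str]
Filter = Dict[str, object]


def make_filter(name: str, values: Iterable[str]) -> Filter:
    """Build one Filter entry; Name and Values are both required."""
    vals = [str(v) for v in values]
    if not name or not vals:
        raise ValueError("a filter needs a Name and at least one value")
    return {"Name": name, "Values": vals}


def matches(record: Record, filters: List[Filter]) -> bool:
    """AND across filters, OR across the values inside one filter."""
    return all(
        f["Name"] in record and record[f["Name"]] in f["Values"]
        for f in filters
    )


def select(records: List[Record], filters: List[Filter]) -> List[Record]:
    """Local stand-in for one filtered query."""
    return [r for r in records if matches(r, filters)]


def select_any(records: List[Record], filter_sets: List[List[Filter]],
               key: str = "EventId") -> List[Record]:
    """OR across *different* fields cannot be expressed in one filter list,
    because filters are ANDed. Run one query per alternative and merge the
    results, de-duplicating on the event key."""
    seen, merged = set(), []
    for filters in filter_sets:
        for rec in select(records, filters):
            if rec[key] not in seen:
                seen.add(rec[key])
                merged.append(rec)
    return merged


# Constructed sample records using field names and enum values from this page.
EVENTS: List[Record] = [
    {"EventId": "evt-1", "Status": "EVENT_UNDEAL", "ContainerNetStatus": "NORMAL"},
    {"EventId": "evt-2", "Status": "EVENT_DEALED", "ContainerNetStatus": "NORMAL"},
    {"EventId": "evt-3", "Status": "EVENT_UNDEAL", "ContainerNetStatus": "ISOLATED"},
    {"EventId": "evt-4", "Status": "EVENT_INGNORE", "ContainerNetStatus": "ISOLATE_FAILED"},
]

if __name__ == "__main__":
    # Pending events whose container is not isolated or failed to isolate.
    triage = [
        make_filter("Status", ["EVENT_UNDEAL"]),
        make_filter("ContainerNetStatus", ["NORMAL", "ISOLATE_FAILED"]),
    ]
    print([e["EventId"] for e in select(EVENTS, triage)])
    # Pending events OR any event whose isolation failed: two queries, merged.
    either = [
        [make_filter("Status", ["EVENT_UNDEAL"])],
        [make_filter("ContainerNetStatus", ["ISOLATE_FAILED"])],
    ]
    print([e["EventId"] for e in select_any(EVENTS, either)])
```
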
Runtime risk information
Used by actions: DescribeImageRiskSummary.
| Name | Type | Description |
|---|---|---|
| Cnt | Integer | Number |
| Level | String | Risk level. CRITICAL: Critical. HIGH: High. MEDIUM: Medium. LOW: Low. |
Runtime trend information
Used by actions: DescribeImageRiskTendency, DescribeSecEventsTendency, DescribeVulTendency.
| Name | Type | Description |
|---|---|---|
| CurTime | Date | The time of the day |
| Cnt | Integer | Current quantity |
Scan for ignored vulnerabilities
Used by actions: DescribeScanIgnoreVulList.
| Name | Type | Description |
|---|---|---|
| VulName | String | Vulnerability name |
| CVEID | String | Vulnerability CVE ID |
| PocID | String | POC ID |
| RegistryImageCount | Integer | Number of ignored repository images |
| UpdateTime | String | Update time |
| IsIgnoreAll | Integer | Whether to ignore all images. Valid values: 0 (no); 1 (yes). |
| LocalImageCount | Integer | Number of ignored local images |
Scan Range Information
Used by actions: DescribeVirusScanConfig.
| Name | Type | Required | Description |
|---|---|---|---|
| IsAll | Boolean | No | true: select all; false: partial select |
| RangeType | String | No | SCAN_NORMAL: Regular node; SCAN_SUPER: Super node; SCAN_CONTAINER: Container |
| IDs | Array of String | No | Selected ID |
Quick search template
Used by actions: CreateSearchTemplate, DescribeSearchTemplates.
| Name | Type | Required | Description |
|---|---|---|---|
| Name | String | Yes | Search name |
| LogType | String | Yes | Search index type |
| Condition | String | Yes | Search statement |
| TimeRange | String | Yes | Time range |
| Query | String | Yes | Converted search statement content |
| Flag | String | Yes | Search method. Valid values: standard (search in the search box); simple (search by filter). |
| DisplayData | String | Yes | Displayed data |
| Id | Integer | No | Rule ID |
Security log alert message
Used by actions: DescribeSecLogAlertMsg.
| Name | Type | Description |
|---|---|---|
| MsgType | String | Alert type |
| MsgValue | String | Alert value |
| State | Boolean | Status. Valid values: 0 (disabled); 1 (enabled). |
Security log - Settings of delivery to CLS
Used by actions: DescribeSecLogDeliveryClsSetting, ModifySecLogDeliveryClsSetting.
| Name | Type | Required | Description |
|---|---|---|---|
| LogType | String | Yes | Log type |
| State | Boolean | Yes | Delivery status. Valid values: true (enabled); false (disabled). |
| Region | String | Yes | Region |
| LogSet | String | Yes | Logset |
| TopicID | String | Yes | Topic ID |
| LogSetName | String | No | Logset name |
| TopicName | String | No | Topic name |
| SubLogType | Array of String | No | Log type |
| ErrMsg | String | No | Error message |
Settings of security log delivery to Kafka
Used by actions: DescribeSecLogDeliveryKafkaSetting, ModifySecLogDeliveryKafkaSetting.
| Name | Type | Required | Description |
|---|---|---|---|
| LogType | String | Yes | Security log module. |
| TopicID | String | Yes | Topic ID |
| TopicName | String | Yes | Topic name |
| State | Boolean | Yes | Delivery status. Valid values: false (disabled); true (enabled). |
| SubLogType | Array of String | No | Log type |
| ErrMsg | String | No | Error message |
Security log access details
Used by actions: DescribeSecLogJoinTypeList.
| Name | Type | Description |
|---|---|---|
| Count | Integer | Number of connected general nodes |
| SuperNodeCount | Integer | Number of connected super nodes |
| IsJoined | Boolean | Whether it is accessed. Valid values: true (accessed); false (not accessed). |
| LogType | String | Log type. Valid values: container_bash (container bash); container_launch (container startup); k8s_api (K8s API). |
| ClusterCount | Integer | Number of accessed clusters. |
Details of the accessed security log object
Used by actions: DescribeSecLogJoinObjectList.
| Name | Type | Description |
|---|---|---|
| HostID | String | Server ID |
| HostName | String | Host name |
| HostIP | String | Host IP address |
| HostStatus | String | Server status |
| ClusterID | String | Cluster ID |
| ClusterName | String | Cluster name. |
| PublicIP | String | Public IP address |
| JoinState | Boolean | Access status. Valid values: true (accessed); false (not accessed). |
| ClusterVersion | String | Cluster edition |
| ClusterMainAddress | String | Master node address of the cluster |
| ContainerCnt | Integer | Number of containers |
| ClusterType | String | Cluster type. |
| ClusterStatus | String | Cluster status |
Trend information of security events at runtime
Used by actions: DescribeSecEventsTendency.
| Name | Type | Description |
|---|---|---|
| EventSet | Array of RunTimeTendencyInfo | List of trends |
| EventType | String | Event type. ET_ESCAPE: Container escape; ET_REVERSE_SHELL: Reverse shell; ET_RISK_SYSCALL: High-risk system calls; ET_ABNORMAL_PROCESS: Abnormal process; ET_ACCESS_CONTROL: File tampering; ET_VIRUS: Trojan event; ET_MALICIOUS_CONNECTION: Malicious connection event. |
Information list of TCSS
Used by actions: DescribeAssetAppServiceList, DescribeAssetDBServiceList, DescribeAssetWebServiceList.
| Name | Type | Description |
|---|---|---|
| ServiceID | String | Service ID |
| HostID | String | Server ID |
| HostIP | String | Server IP |
| ContainerName | String | Container name |
| Type | String | Service name, such as nginx and redis |
| Version | String | Version |
| RunAs | String | Account |
| Listen | Array of String | Listened port |
| Config | String | Configuration |
| ProcessCnt | Integer | Number of associated processes |
| AccessLog | String | Access log |
| ErrorLog | String | Error log |
| DataPath | String | Data directory |
| WebRoot | String | Web directory |
| Pids | Array of Integer | ID of the associated process |
| MainType | String | Service type. Valid values: app, web, db. |
| Exe | String | Execution file |
| Parameter | String | Service command line parameter |
| ContainerId | String | Container ID |
| HostName | String | Server name |
| PublicIp | String | Public IP |
| NodeID | String | Node ID |
| PodIP | String | Pod IP |
| PodName | String | Pod name |
| NodeType | String | Node type. |
| NodeUniqueID | String | UID of the super node |
Pay-as-you-go billing details
Used by actions: DescribePostPayDetail.
| Name | Type | Description |
|---|---|---|
| PayTime | String | Deduction time |
| CoresCnt | Integer | Number of billed cores |
Vulnerability that can be prevented
Used by actions: DescribeSupportDefenceVul.
| Name | Type | Description |
|---|---|---|
| PocID | String | POC ID |
| Name | String | Vulnerability name |
| Tags | Array of String | Vulnerability tag |
| CVSSV3Score | Float | Vulnerability CVSS |
| Level | String | Vulnerability severity |
| CVEID | String | Vulnerability CVE ID |
| SubmitTime | String | Vulnerability disclosure time |
| VulId | Integer | Vulnerability ID |
| Status | Integer | Status. 0: defending; 1: allowlisted. It indicates that the vulnerability is included in an allowlist, which may not be a global allowlist. |
Host tag information
Used by actions: DescribeAssetHostDetail, DescribeAssetHostList.
| Name | Type | Description |
|---|---|---|
| TagKey | String | Tag key |
| TagValue | String | Tag value |
Trend of unlicensed cores
Used by actions: DescribeUnauthorizedCoresTendency.
| Name | Type | Description |
|---|---|---|
| DateTime | String | Date |
| CoresCount | Integer | Number of unlicensed cores |
Resource details for log analysis.
Used by actions: DescribeSecLogVasInfo.
| Name | Type | Description |
|---|---|---|
| ResourceId | String | Resource ID |
| StartTime | String | Start time. |
| EndTime | String | Expiration time. |
| SourceType | Integer | 0: paid order; 1: trial use; 2: offered for free. |
| InquireNum | Integer | Purchase quantity |
Information of the automatically isolated trojan sample
Used by actions: DescribeVirusAutoIsolateSampleList.
| Name | Type | Description |
|---|---|---|
| MD5 | String | MD5 checksum of the file |
| VirusName | String | Virus name |
| ModifyTime | Timestamp ISO8601 | Last edit time |
| AutoIsolateSwitch | Boolean | Automatic isolation switch. Valid values: true (on); false (off). |
List of trojans at runtime
Used by actions: DescribeVirusList.
| Name | Type | Description |
|---|---|---|
| FileName | String | File name |
| FilePath | String | File path |
| VirusName | String | Virus name |
| CreateTime | String | Creation time. |
| ModifyTime | String | Update time |
| ContainerName | String | Container name |
| ContainerId | String | Container ID |
| ContainerStatus | String | Container status. Valid values: RUNNING (running); PAUSED (suspended); STOPPED (stopped); CREATED; DESTROYED; RESTARTING; REMOVING (migrating). |
| ImageName | String | Image name |
| ImageId | String | Image ID |
| Status | String | DEAL_NONE: File pending; DEAL_IGNORE: Already ignored; DEAL_ADD_WHITELIST: Add to whitelist; DEAL_DEL: File deleted; DEAL_ISOLATE: Has been isolated; DEAL_ISOLATING: Isolated; DEAL_ISOLATE_FAILED: Isolation failed; DEAL_RECOVERING: Recovering; DEAL_RECOVER_FAILED: Recovery failed |
| Id | String | Event ID |
| HarmDescribe | String | Event description |
| SuggestScheme | String | Recommended solution |
| SubStatus | String | Failed sub-status. FILE_NOT_FOUND: File does not exist; FILE_ABNORMAL: Abnormal file; FILE_ABNORMAL_DEAL_RECOVER: Abnormal file when recovering file; BACKUP_FILE_NOT_FOUND: Backup file not found; CONTAINER_NOT_FOUND_DEAL_ISOLATE: Container not found in isolation; CONTAINER_NOT_FOUND_DEAL_RECOVER: Container not found when recovering; TIMEOUT: Timeout; TOO_MANY: Too many tasks; OFFLINE: Offline; INTERNAL: Server error; VALIDATION: Invalid parameter |
| ContainerNetStatus | String | Network status. Valid values: NORMAL (unisolated); ISOLATED (isolated); ISOLATE_FAILED (isolation failed); RESTORING (restoring); RESTORE_FAILED (isolation restoration failed). |
| ContainerNetSubStatus | String | Container sub-status. Valid values: AGENT_OFFLINE; NODE_DESTROYED; CONTAINER_EXITED; CONTAINER_DESTROYED (container destroyed); SHARED_HOST; RESOURCE_LIMIT; UNKNOW (unknown). |
| ContainerIsolateOperationSrc | String | Container Isolation Operation Source |
| MD5 | String | MD5 Value |
| RiskLevel | String | Risk Level: RISK_CRITICAL, RISK_HIGH, RISK_MEDIUM, RISK_LOW, and RISK_NOTICE |
| CheckPlatform | Array of String | Detection platform. 1: Cloud Killing Engine; 2: tav; 3: binaryAi; 4: Abnormal behavior; 5: Threat Intelligence |
| NodeID | String | Node ID |
| NodeName | String | Node name. |
| PodIP | String | Pod IP |
| PodName | String | Name of the pod (instance) |
| ClusterID | String | Node Cluster ID |
| NodeType | String | Node Type. NORMAL: Common Node; SUPER: Super Node |
| PublicIP | String | Public IP of the node |
| InnerIP | String | Node private network IP |
| NodeUniqueID | String | Node Unique ID |
| HostID | String | Common Node ID |
| ClusterName | String | Cluster name. |
| HostIP | String | Private IP address of the node, which is the same as the value of InnerIP. |
List of containers in the virus scanning task at runtime
Used by actions: DescribeVirusTaskList.
| Name | Type | Description |
|---|---|---|
| ContainerName | String | Container name |
| ContainerId | String | Container ID |
| ImageName | String | Image name |
| ImageId | String | Image ID |
| HostName | String | Node name |
| HostIp | String | Private IP of the node |
| Status | String | Scanning status. WAIT: Pending scanning. FAILED: Failed. SCANNING: Scanning. FINISHED: Ended. CANCELING: Canceling. CANCELED: Canceled. CANCEL_FAILED: Failed to cancel. |
| StartTime | String | Check start time |
| EndTime | String | Check end time |
| RiskCnt | Integer | Number of risks |
| Id | String | Event ID |
| ErrorMsg | String | Cause. SEND_SUCCESSED: Task submitted. SCAN_WAIT: Waiting to scan. OFFLINE: Offline. SEND_FAILED: Failed to deploy. TIMEOUT: Timed out. LOW_AGENT_VERSION: The Agent version is too old. AGENT_NOT_FOUND: The image's agent doesn't exist. TOO_MANY: Too many tasks. VALIDATION: Invalid parameter. INTERNAL: Internal service error. MISC: Other errors. UNAUTH: The image is not assigned with a license. SEND_CANCEL_SUCCESSED: Task submitted. |
| NodeType | String | Node type. Values: NORMAL (general node), SUPER (super node). |
| PublicIP | String | Public IP of the node |
| NodeID | String | Node ID |
Trojan trend details
Used by actions: DescribeVirusEventTendency.
| Name | Type | Description |
|---|---|---|
| Date | Date | Date |
| PendingEventCount | Integer | Total number of pending events |
| RiskContainerCount | Integer | Total number of containers at risk |
| EventCount | Integer | Total number of events |
| IsolateEventCount | Integer | Total number of isolated events |
VirusWhiteListRuleInfo
Used by actions: DescribeVirusWhiteListRules.
| Name | Type | Required | Description |
|---|---|---|---|
| Id | Integer | No | Allowlist ID. |
| Md5List | Array of String | No | MD5 allowlist content. |
| ImageIds | Array of String | No | Image ID. |
| Scope | Integer | No | Scope. |
| ImageCount | Integer | No | Number of images. |
| Md5Count | Integer | No | MD5 count. |
| Remark | String | No | Mark. |
| InsertTime | String | No | Insertion time. |
| UpdateTime | String | No | Update time. |
Information of the component affected by the vulnerability
Used by actions: DescribeVulDetail.
| Name | Type | Description |
|---|---|---|
| Name | String | Component name |
| Version | Array of String | Component version |
| FixedVersion | Array of String | Component Repair Version |
Information of the container affected by the vulnerability
Used by actions: DescribeVulContainerList.
| Name | Type | Description |
|---|---|---|
| HostIP | String | Private IP |
| ContainerID | String | Container ID |
| ContainerName | String | Container name |
| PodName | String | Pod name |
| PodIP | String | Pod IP |
| HostName | String | Server name |
| HostID | String | Server ID |
| PublicIP | String | Public IP |
| ClusterID | String | Cluster ID |
| ClusterName | String | Cluster name |
| NodeType | String | Node type. Values: NORMAL (general node), SUPER (super node). |
| NodeUniqueID | String | UID of a super node |
| NodeID | String | ID of a super node |
| NodeName | String | Super node name |
| ContainerStatus | String | Container status. "RUNNING": running; "PAUSED": paused; "STOPPED": stopped; "CREATED": created; "DESTROYED": terminated; "RESTARTING": restarting; "REMOVING": migrating; "DEAD": dead; "UNKNOWN": unknown. |
Information of the component affected by the vulnerability
Used by actions: DescribeVulImageList, DescribeVulRegistryImageList.
| Name | Type | Description |
|---|---|---|
| Name | String | Component name |
| Version | String | Component version |
| FixedVersion | String | Component Repair Version |
| Path | String | Component path |
Information of the image affected by the vulnerability
Used by actions: DescribeVulImageList.
| Name | Type | Description |
|---|---|---|
| ImageID | String | Image ID |
| ImageName | String | Image name |
| HostCount | Integer | Number of associated hosts (including regular nodes and super nodes). |
| SuperNodeCount | Integer | Number of associated super nodes. |
| ContainerCount | Integer | Number of associated containers |
| ComponentList | Array of VulAffectedImageComponentInfo | List of components |
This API is used to query the list of repository images affected by a specific vulnerability.
Used by actions: DescribeVulRegistryImageList.
| Name | Type | Description |
|---|---|---|
| ImageID | String | Image ID |
| ImageName | String | Image Name |
| ImageTag | String | Image version |
| Namespace | String | Image Namespace |
| ImageRepoAddress | String | Image address. |
| ComponentList | Array of VulAffectedImageComponentInfo | Component List |
| IsLatestImage | Boolean | Whether it is the latest version of the image |
| ImageAssetId | Integer | Internal Image Asset ID |
Exploit prevention event details
Used by actions: DescribeVulDefenceEvent.
| Name | Type | Description |
|---|---|---|
| CVEID | String | Vulnerability CVE ID |
| VulName | String | Vulnerability name |
| PocID | String | POC ID |
| EventType | String | Intrusion status |
| SourceIP | String | Attacker IP |
| City | String | Region of the attacker IP |
| EventCount | Integer | Number of events |
| ContainerID | String | Container ID |
| ContainerName | String | Container name |
| ImageID | String | Image ID |
| ImageName | String | Image name |
| Status | String | Processing status |
| EventID | Integer | Event ID |
| CreateTime | String | First detection time |
| ContainerNetStatus | String | Isolation status. NORMAL: Not isolated. ISOLATED: Isolated. ISOLATING: Isolating. ISOLATE_FAILED: Isolation failed. RESTORING: Recovering. RESTORE_FAILED: Recovery failed. |
| MergeTime | String | Last discovery time |
| ContainerStatus | String | Container status. Valid values: RUNNING (running); PAUSED; STOPPED (stopped); CREATED; DESTROYED; RESTARTING; REMOVING (migrating). |
| ContainerNetSubStatus | String | Container sub-status. Valid values: AGENT_OFFLINE; NODE_DESTROYED; CONTAINER_EXITED; CONTAINER_DESTROYED (container destroyed); SHARED_HOST (the container shares the network with the host); RESOURCE_LIMIT; UNKNOW (reason unknown). |
| ContainerIsolateOperationSrc | String | Container Isolation Operation Source |
| QUUID | String | Host QUUID/Super Node ID |
| HostIP | String | Host private IP address |
| HostName | String | Host Name/Super Node Name |
| NodeType | String | Node type. Values: NORMAL (general node), SUPER (super node). |
| PublicIP | String | Public IP |
| NodeUniqueID | String | UID of a super node |
| NodeID | String | ID of a super node |
| ClusterID | String | Cluster ID |
| ClusterName | String | Cluster name |
| PodName | String | Pod name |
| PodIP | String | Pod IP |
Exploit prevention event details
Used by actions: DescribeVulDefenceEventDetail.
| Name | Type | Description |
|---|---|---|
| CVEID | String | Vulnerability CVE ID |
| VulName | String | Vulnerability name |
| PocID | String | POC ID |
| EventType | String | Intrusion status |
| SourceIP | String | Attacker IP |
| City | String | Region of the attacker IP |
| EventCount | Integer | Number of events |
| ContainerID | String | Container ID |
| ContainerName | String | Container name |
| ImageID | String | Image ID |
| ImageName | String | Image name |
| Status | String | Processing status |
| SourcePort | Array of String | Attacker port |
| EventID | Integer | Event ID |
| HostName | String | General node/Super node name |
| HostIP | String | Server private IP |
| PublicIP | String | Server public IP |
| PodName | String | Pod name |
| Description | String | Harm description |
| OfficialSolution | String | Fix suggestion |
| NetworkPayload | String | Attack packet |
| PID | Integer | Process PID |
| MainClass | String | Main class name of process |
| StackTrace | String | Stack information |
| ServerAccount | String | Listening account |
| ServerPort | String | Listening port |
| ServerExe | String | Process path |
| ServerArg | String | Process command line parameter |
| QUUID | String | Host QUUID/Super Node ID |
| ContainerNetStatus | String | Isolation status. Valid values: NORMAL (unisolated); ISOLATED; ISOLATING; ISOLATE_FAILED (isolation failed); RESTORING (restoring); RESTORE_FAILED (isolation restoration failed). |
| ContainerNetSubStatus | String | Container sub-status. Valid values: AGENT_OFFLINE; NODE_DESTROYED; CONTAINER_EXITED; CONTAINER_DESTROYED (container destroyed); SHARED_HOST (the container shares the network with the host); RESOURCE_LIMIT; UNKNOW (reason unknown). |
| ContainerIsolateOperationSrc | String | Container Isolation Operation Source |
| ContainerStatus | String | Container status. Valid values: RUNNING (running); PAUSED; STOPPED (stopped); CREATED; DESTROYED; RESTARTING; REMOVING (migrating). |
| JNDIUrl | String | API URL |
| RaspDetail | Array of RaspInfo | RASP details |
| NodeSubNetName | String | Super node subnet name |
| NodeSubNetCIDR | String | Super node subnet IP range |
| PodIP | String | Pod IP |
| NodeType | String | Node type. Values: NORMAL (general node), SUPER (super node). |
| NodeID | String | ID of a super node |
| NodeUniqueID | String | UID of a super node |
| NodeSubNetID | String | Super node subnet ID |
| ClusterID | String | Cluster ID |
| ClusterName | String | Cluster name |
| Namespace | String | |
| WorkloadType | String | |
Trend of exploit prevention events
Used by actions: DescribeVulDefenceEventTendency.
| Name | Type | Description |
|---|---|---|
| Date | Date | Date |
| EventCount | Integer | Number of events |
Information of the server with exploit prevention enabled
Used by actions: DescribeVulDefenceHost.
| Name | Type | Description |
|---|---|---|
| HostName | String | General node/Super node name |
| HostIP | String | Server IP, which is the private IP |
| HostID | String | Node QUuid/Super node ID |
| Status | String | Plugin status. Valid values: SUCCESS (normal); FAIL (abnormal); NO_DEFENDED (not defended). |
| PublicIP | String | Public IP |
| CreateTime | String | First enablement time |
| ModifyTime | String | Update time |
| NodeType | String | Node type. Values: NORMAL (general node), SUPER (super node). |
| NodeSubNetName | String | Super node subnet name |
| NodeSubNetCIDR | String | Super node subnet IP range |
| NodeSubNetID | String | Super node subnet ID |
| NodeUniqueID | String | UID of a super node |
| NodeID | String | ID of a super node |
| PodIP | String | Pod IP |
| PodName | String | Pod name |
Vulnerability protection plugin information
Used by actions: DescribeVulDefencePlugin.
| Name | Type | Description |
|---|---|---|
| PID | Integer | PID of the Java process |
| MainClass | String | Main class name of the process |
| Status | String | Plugin status. Valid values: INJECTING (injecting); SUCCESS (injected successfully); FAIL (injection failed); TIMEOUT (plugin timed out); QUIT (plugin exited). |
| ErrorLog | String | Error log |
Vulnerability details
Used by actions: DescribeVulDetail.
| Name | Type | Description |
|---|---|---|
| CVEID | String | CVE No. |
| Name | String | Vulnerability name |
| Tags | Array of String | Vulnerability tag |
| CategoryType | String | Vulnerability type |
| Level | String | Vulnerability threat level |
| SubmitTime | String | Vulnerability disclosure time |
| Description | String | Vulnerability description |
| CVSSV3Desc | String | CVSS V3 description |
| OfficialSolution | String | Vulnerability fix suggestion |
| DefenseSolution | String | Mitigation measure |
| Reference | Array of String | Reference link |
| CVSSV3Score | Float | CVSS V3 score |
| ComponentList | Array of VulAffectedComponentInfo | List of components affected by vulnerabilities |
| LocalImageCount | Integer | Number of affected local images |
| ContainerCount | Integer | Number of affected containers |
| RegistryImageCount | Integer | Number of affected repository images |
| Category | String | Vulnerability sub-category |
| LocalNewestImageCount | Integer | Number of affected local images on the latest version |
| RegistryNewestImageCount | Integer | Number of affected repository images on the latest version |
| PocID | String | POC ID |
| DefenceStatus | String | Defense Status. NO_DEFENDED: Not Defended; DEFENDED: Defended |
| DefenceScope | String | Vulnerability Defense Host Range. MANUAL: Selected Host Nodes; ALL: All |
| DefenceHostCount | Integer | Number of Hosts Defended Against Vulnerabilities |
| DefendedCount | Integer | Number of Attacks Defended |
| ScanStatus | String | Scanned. NOT_SCAN: Not Scanned; SCANNED: Scanned |
Local images ignored by the vulnerability scan
Used by actions: DescribeVulIgnoreLocalImageList.
| Name | Type | Description |
|---|---|---|
| ID | Integer | Record ID |
| ImageID | String | Image ID |
| ImageName | String | Image name |
| ImageSize | Integer | Image size |
| PocID | String | POC ID |
Repository images ignored by the vulnerability scan
Used by actions: DescribeVulIgnoreRegistryImageList.
| Name | Type | Description |
|---|---|---|
| ID | Integer | Record ID |
| RegistryName | String | Repository name |
| ImageVersion | String | Image tag |
| RegistryPath | String | Repository address |
| ImageID | String | Image ID |
| PocID | String | POC ID |
List of vulnerabilities
Used by actions: DescribeSystemVulList, DescribeWebVulList.
| Name | Type | Description |
|---|---|---|
| Name | String | Vulnerability name |
| Tags | Array of String | Vulnerability tag |
| CVSSV3Score | Float | CVSS V3 score |
| Level | String | Risk level |
| CVEID | String | CVE No. |
| Category | String | Vulnerability Subtype |
| FoundTime | String | First detection time |
| LatestFoundTime | String | Last discovery time |
| ID | Integer | Vulnerability ID |
| LocalImageCount | Integer | Number of affected local images |
| ContainerCount | Integer | Affected Container Count |
| RegistryImageCount | Integer | Affected Repository Image Count |
| PocID | String | Vulnerability Poc ID |
| DefenceStatus | String | Defense Status. NO_DEFENDED: Not Defended; DEFENDED: Defended |
| DefenceScope | String | Vulnerability Defense Host Range. MANUAL: Selected Host Nodes; ALL: All |
| DefenceHostCount | Integer | Number of Hosts Defended Against Vulnerabilities |
| DefendedCount | Integer | Number of Attacks Defended |
| RaspOpenNodeCount | Integer | Number of hosts with application protection enabled for the vulnerability. |
| RaspClosedNodeCount | Integer | Number of hosts with application protection disabled for the vulnerability. |
Information of the scanned image
Used by actions: DescribeVulScanLocalImageList.
| Name | Type | Description |
|---|---|---|
| ImageID | String | Image ID |
| ImageName | String | Image name |
| Size | Float | Image size |
| ScanStatus | String | Task status. Valid values: SCANNING (scanning); FAILED (failed); FINISHED (completed); CANCELED (canceled). |
| ScanDuration | Float | Scan duration |
| HighLevelVulCount | Integer | Number of high-risk vulnerabilities |
| MediumLevelVulCount | Integer | Number of medium-risk vulnerabilities |
| LowLevelVulCount | Integer | Number of low-risk vulnerabilities |
| CriticalLevelVulCount | Integer | Number of critical vulnerabilities |
| TaskID | Integer | ID of the task to scan local images for vulnerabilities |
| ScanStartTime | String | Start time of the vulnerability scan |
| ScanEndTime | String | End time of the vulnerability scan |
| ErrorStatus | String | Cause of the failure. Valid values: TIMEOUT (timeout); TOO_MANY (too many tasks); OFFLINE (offline). |
Vulnerability trend information
Used by actions: DescribeVulTendency.
| Name | Type | Description |
|---|---|---|
| VulSet | Array of RunTimeTendencyInfo | List of vulnerability trends |
| ImageType | String | Image type affected by vulnerabilities. LOCAL: Local image. REGISTRY: Repository image. |
Ranking of top vulnerabilities
Used by actions: DescribeVulTopRanking.
| Name | Type | Description |
|---|---|---|
| VulName | String | Vulnerability name |
| Level | String | Severity. Valid values: CRITICAL (critical); HIGH (high); MIDDLE (medium); LOW (low). |
| AffectedImageCount | Integer | Number of affected images |
| AffectedContainerCount | Integer | Number of affected containers |
| ID | Integer | Vulnerability ID |
| PocID | String | POC ID |
Alert configuration policy
Used by actions: AddEditWarningRules, DescribeWarningRules.
| Name | Type | Required | Description |
|---|---|---|---|
| Type | String | Yes | Alert event type. Image repository security - Trojan: IMG_REG_VIRUS; Image repository security - Vulnerability: IMG_REG_VUL; Image repository security - Sensitive data: IMG_REG_RISK; Image security - Trojan: IMG_VIRUS; Image security - Vulnerability: IMG_VUL; Image security - Sensitive data: IMG_RISK; Image security - Image blocking: IMG_INTERCEPT; Runtime security - Container escape: RUNTIME_ESCAPE; Runtime security - Abnormal process: RUNTIME_FILE; Runtime security - Abnormal file access: RUNTIME_PROCESS; Runtime security - High-risk syscall: RUNTIME_SYSCALL; Runtime security - Reverse shell: RUNTIME_REVERSE_SHELL; Runtime security - Trojan: RUNTIME_VIRUS. |
| Switch | String | Yes | Switch status. ON: on; OFF: off. |
| BeginTime | String | Yes | Alert start time in the format of "HH:mm" |
| EndTime | String | Yes | Alert end time in the format of "HH:mm" |
| ControlBits | String | Yes | Alert level policy control, passed as a string of binary bits. The high, medium, and low level switches correspond to the third, second, and first binary bit, respectively. Valid values for each bit: 0 (off); 1 (on). For example, to enable alerts for the high and medium levels and disable them for the low level, the binary value is 110. If level control does not take effect for the alert type, pass in 1. |
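
The following is an added example, not part of the original reference or the vendor's SDK: it decodes `ControlBits` as described above and audits a list of alert rules for disabled alerting, malformed time windows, and severity levels that will not raise alerts. The list-of-dicts input shape, the function names, and the rule that a lone `1` is read as "level control not applicable" while level-controlled rules always carry three bits are assumptions.

```python
import re

# Alert event types listed in the Type row of the table above.
ALERT_TYPES = {
    "IMG_REG_VIRUS", "IMG_REG_VUL", "IMG_REG_RISK", "IMG_VIRUS", "IMG_VUL",
    "IMG_RISK", "IMG_INTERCEPT", "RUNTIME_ESCAPE", "RUNTIME_FILE",
    "RUNTIME_PROCESS", "RUNTIME_SYSCALL", "RUNTIME_REVERSE_SHELL",
    "RUNTIME_VIRUS",
}
HHMM = re.compile(r"(?:[01]\d|2[0-3]):[0-5]\d")

def decode_control_bits(bits):
    """Map ControlBits to levels: third bit high, second medium, first low."""
    if bits == "1":  # documented value when level control does not apply
        return None
    if not re.fullmatch(r"[01]{3}", bits):  # assumption: always three bits
        raise ValueError(f"unexpected ControlBits value: {bits!r}")
    return {"high": bits[0] == "1", "medium": bits[1] == "1",
            "low": bits[2] == "1"}

def audit_rules(rules):
    """Return (Type, finding) pairs for malformed rules and coverage gaps."""
    findings = []
    for rule in rules:
        kind = rule.get("Type", "")
        if kind not in ALERT_TYPES:
            findings.append((kind, "unknown alert type"))
            continue
        if rule.get("Switch") != "ON":
            findings.append((kind, "alerting is switched off"))
            continue
        for field in ("BeginTime", "EndTime"):
            if not HHMM.fullmatch(rule.get(field, "")):
                findings.append((kind, f"{field} is not HH:mm"))
        try:
            levels = decode_control_bits(rule.get("ControlBits", ""))
        except ValueError as exc:
            findings.append((kind, str(exc)))
            continue
        off = [name for name, on in (levels or {}).items() if not on]
        if off:
            findings.append((kind, "levels not alerted: " + ", ".join(off)))
    return findings

# Constructed sample rules for illustration, not real API output.
SAMPLE_RULES = [
    {"Type": "RUNTIME_ESCAPE", "Switch": "ON", "BeginTime": "00:00", "EndTime": "23:59", "ControlBits": "1"},
    {"Type": "IMG_VUL", "Switch": "ON", "BeginTime": "09:00", "EndTime": "18:00", "ControlBits": "110"},
    {"Type": "RUNTIME_VIRUS", "Switch": "OFF", "BeginTime": "00:00", "EndTime": "23:59", "ControlBits": "111"},
    {"Type": "IMG_REG_VUL", "Switch": "ON", "BeginTime": "9:00", "EndTime": "18:00", "ControlBits": "011"},
]
```
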
Allowlist Regular Expression Information
Used by actions: DescribeReverseShellRegexpWhiteListInfo.
| Name | Type | Required | Description |
|---|---|---|---|
| LogicSymbol | String | No | Logic symbol: AND, OR, NOT |
| MatchField | String | No | Matching field |
| MatchContent | String | No | Matching content |