Cloud Workload Protection Platform
- Release Notes and Announcements
- Product Introduction
- Operation Guide
- Critical File Monitor
- Hybrid Cloud Installation Guide
- Cloud Workload Protection Description
- Practical Tutorial
- Troubleshooting
- API Documentation
- Asset Management APIs
- Virus Scanning APIs
- Abnormal Log-in APIs
- Password Cracking APIs
- Malicious Request APIs
- High-Risk Command APIs
- Local Privilege Escalation APIs
- Reverse Shell APIs
- Vulnerability Management APIs
- New Baseline Management APIs
- Baseline Management APIs
- Advanced Defense APIs
- Security Operation APIs
- Expert Service APIs
- Other APIs
- Overview Statistics APIs
- Settings Center APIs
- Making API Requests
- Intrusion Detection APIs
DocumentationCloud Workload Protection PlatformCloud Workload Protection DescriptionParsing of JSON Format Alarm Data
Parsing of JSON Format Alarm Data
Last updated: 2024-08-13 16:31:31
This document will introduce the transmission fields and descriptions of various alarms received after you set JSON format alarm data reception in alarm settings > Robot Notification.
Note
Currently, robot notification is in a grayscale status and is only open to customers with a clear demand for it. If you want to receive CWPP webhook robot alarms in real-time, you can contact us to apply for use.
Alarm settings > Robot Notification is independent of the message center robot and is not related to it.
Public Fields
Sample
{"uin": "1000xxxxxx21","nickname": "Test Account","server": "172.x.x.41 [Test Machine]","instance_id": "ins-xxxxxxxx","region": "Southwest China (Chengdu)","time": "October 30, 2023 09:24:20"}
Field Description
Field name | Description |
uin | User UIN |
nickname | User's nickname |
server | Machine IP [Machine alias] |
instance_id | Machine instance ID |
region | Region where the machine located |
time | Event time |
Exceptional Log-in
Sample
{"event_type": "Exceptional Log-in","src_ip": "43.x.x.41","area": "Hong Kong (China)","level": "High-risk"}
Field Description
Field name | Description |
src_ip | Source IP |
area | Source location |
level | Risk level |
Password Cracking
Sample
{"event_type": "Password Cracking","src_ip": "43.x.x.41","area": "Hong Kong (China)","count": "3","banned": "Block Success"}
Field Description
Field name | Description |
src_ip | Source IP |
area | Source location |
count | Number of attempts |
banned | Blocking status |
Malicious File Scan
Malicious Files
Sample
{"event_type": "Malicious Files","file_type": "Malicious","path": "/root/bebinder_shell.jsp","level": "Severe. Your server may have been hacked. It is recommended to verify promptly to avoid serious damage."}
Field Description
Field name | Description |
file_type | File type |
path | File path |
level | Danger level |
Exceptional Processes
Sample
{"event_type": "Exceptional Processes","pid": "5916","path": "/root/2/ISHELL-v0.2/ishd"}
Field Description
Field name | Description |
pid | Process ID |
path | Process path |
Malicious Requests
Sample
{"event_type": "Malicious Requests","url": "massdns.ran6066.com","count": "1"}
Field Description
Field name | Description |
url | Malicious domain |
count | Number of requests |
High Risk Commands
Sample
{"event_type": "High Risk Commands","cmd": "iptables-restore -w 5 --noflush","level": "High-risk","status": "Processing"}
Field Description
Field name | Description |
cmd | Command content |
level | Threat level |
status | Processing status |
Local Privilege Escalation
Sample
{"event_type": "Local Privilege Escalation","user": "0","process": "Privilege"}
Field Description
Field name | Description |
user | Privilege escalation user |
process | Privilege escalation process |
Reverse Shell
Sample
{"event_type": "Reverse Shell","process": "mass_0","dst_ip": "125.x.x.220","dst_port": "8888"}
Field Description
Field name | Description |
process | Process name |
dst_ip | Target host |
dst_port | Target port |
Java Webshell
Sample
{"event_type": "Java Webshell","type": "Java Webshell - Servlet","pid": "3333","argv": "masstest","class_name": "massTest"}
Field Description
Field name | Description |
type | Java Webshell type |
pid | Process ID |
argv | Process parameters |
class_name | Java Webshell class name |
Core File Monitoring
Sample
{"event_type": "CoreFiles","rule_name": "adwqdadwqd","exe_path": "/usr/bin/systemd-tmpfiles","file_path": "/home","count": "1","level": "High-risk"}
Field Description
Field name | Description |
rule_name | Hit rule name |
exe_path | Process path |
file_path | File path |
count | Event count |
level | Threat level |
Network Attacks
Sample
{"event_type": "Network Attacks","src_ip": "129.x.x.166","city": "Nanjing City, Jiangsu Province","vul_name": "showdoc File Upload Vulnerability","dst_port": "80","status": "Attempted Attacks"}
Field Description
Field name | Description |
src_ip | Source IP |
city | Source city |
vul_name | Vulnerability name |
dst_port | Target port |
status | Attack status |
Offline Client
Sample
{"event_type": "Offline Client","offline_hour": "1"}
Field Description
Field name | Description |
offline_hour | Client offline duration |
##Client Uninstallation
{"event_type": "Client Uninstallation"}
Vulnerability Notification
Sample
{"event_type": "Vulnerability","category": "Linux Software Vulnerabilities","vul_name": "libexpat Code Execution Vulnerability (CVE-2022-40674)","level": "Critical"}
Field Description
Field name | Description |
category | Vulnerability category |
vul_name | Vulnerability name |
level | Threat level |
Baseline Notification
Sample
{"event_type": "Baseline","category": "Linux System Weak Password Detection","rule_name": "Linux System Weak Password Detection","level": "High-risk"}
Field Description
Field name | Description |
category | Baseline category |
rule_name | Rule name |
level | Threat level |
Ransomware Defense
Sample
{"event_type": "Ransomware Defense","file_path": "/usr/bin/vi"}
Field Description
Field name | Description |
file_path | File directory |
Web Tamper Protection
Successful Tampering
Sample
{"event_type": "Web Tamper Protection (Successful Tampering)","protect_name": "Important File","protect_path": "/tmp","recover_type": "New File Creation","recovered_status": "Not Recovered",}
Field Description
Field name | Description |
protect_name | Protection name |
protect_path | Protection directory |
recover_type | Event type |
recovered_status | Event status |
Recovery Failed
Sample
{"event_type": "Web Tamper Protection (Recovery Failed)","protect_name": "Important File","protect_path": "/tmp","exception": "Client Offline"}
Field Description
Field name | Description |
protect_name | Protection name |
protect_path | Protection directory |
exception | Reason for failure |
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No