Cloud Workload Protection Platform
Parsing of JSON Format Alarm Data

Last updated: 2024-08-13 16:31:31
This document describes the fields carried by each type of alarm, and their meanings, for alarms received after you enable JSON format alarm data reception in Alarm Settings > Robot Notification.
Note
Currently, robot notification is in gray release and is open only to customers with a clear need for it. If you want to receive CWPP webhook robot alarms in real time, contact us to apply for access.
Alarm Settings > Robot Notification is independent of the message center robot and is not related to it.

Public Fields

Sample

```json
{
  "uin": "1000xxxxxx21",
  "nickname": "Test Account",
  "server": "172.x.x.41 [Test Machine]",
  "instance_id": "ins-xxxxxxxx",
  "region": "Southwest China (Chengdu)",
  "time": "October 30, 2023 09:24:20"
}
```

Field Description

| Field name | Description |
| --- | --- |
| uin | User UIN |
| nickname | User's nickname |
| server | Machine IP [Machine alias] |
| instance_id | Machine instance ID |
| region | Region where the machine is located |
| time | Event time |

Exceptional Log-in

Sample

```json
{
  "event_type": "Exceptional Log-in",
  "src_ip": "43.x.x.41",
  "area": "Hong Kong (China)",
  "level": "High-risk"
}
```

Field Description

| Field name | Description |
| --- | --- |
| src_ip | Source IP |
| area | Source location |
| level | Risk level |

Password Cracking

Sample

```json
{
  "event_type": "Password Cracking",
  "src_ip": "43.x.x.41",
  "area": "Hong Kong (China)",
  "count": "3",
  "banned": "Block Success"
}
```

Field Description

| Field name | Description |
| --- | --- |
| src_ip | Source IP |
| area | Source location |
| count | Number of attempts |
| banned | Blocking status |

Malicious File Scan

Malicious Files

Sample

```json
{
  "event_type": "Malicious Files",
  "file_type": "Malicious",
  "path": "/root/bebinder_shell.jsp",
  "level": "Severe. Your server may have been hacked. It is recommended to verify promptly to avoid serious damage."
}
```

Field Description

| Field name | Description |
| --- | --- |
| file_type | File type |
| path | File path |
| level | Danger level |

Exceptional Processes

Sample

```json
{
  "event_type": "Exceptional Processes",
  "pid": "5916",
  "path": "/root/2/ISHELL-v0.2/ishd"
}
```

Field Description

| Field name | Description |
| --- | --- |
| pid | Process ID |
| path | Process path |

Malicious Requests

Sample

```json
{
  "event_type": "Malicious Requests",
  "url": "massdns.ran6066.com",
  "count": "1"
}
```

Field Description

| Field name | Description |
| --- | --- |
| url | Malicious domain |
| count | Number of requests |

High Risk Commands

Sample

```json
{
  "event_type": "High Risk Commands",
  "cmd": "iptables-restore -w 5 --noflush",
  "level": "High-risk",
  "status": "Processing"
}
```

Field Description

| Field name | Description |
| --- | --- |
| cmd | Command content |
| level | Threat level |
| status | Processing status |

Local Privilege Escalation

Sample

```json
{
  "event_type": "Local Privilege Escalation",
  "user": "0",
  "process": "Privilege"
}
```

Field Description

| Field name | Description |
| --- | --- |
| user | Privilege escalation user |
| process | Privilege escalation process |

Reverse Shell

Sample

```json
{
  "event_type": "Reverse Shell",
  "process": "mass_0",
  "dst_ip": "125.x.x.220",
  "dst_port": "8888"
}
```

Field Description

| Field name | Description |
| --- | --- |
| process | Process name |
| dst_ip | Target host |
| dst_port | Target port |

Java Webshell

Sample

```json
{
  "event_type": "Java Webshell",
  "type": "Java Webshell - Servlet",
  "pid": "3333",
  "argv": "masstest",
  "class_name": "massTest"
}
```

Field Description

| Field name | Description |
| --- | --- |
| type | Java Webshell type |
| pid | Process ID |
| argv | Process parameters |
| class_name | Java Webshell class name |

Core File Monitoring

Sample

```json
{
  "event_type": "CoreFiles",
  "rule_name": "adwqdadwqd",
  "exe_path": "/usr/bin/systemd-tmpfiles",
  "file_path": "/home",
  "count": "1",
  "level": "High-risk"
}
```

Field Description

| Field name | Description |
| --- | --- |
| rule_name | Hit rule name |
| exe_path | Process path |
| file_path | File path |
| count | Event count |
| level | Threat level |

Network Attacks

Sample

```json
{
  "event_type": "Network Attacks",
  "src_ip": "129.x.x.166",
  "city": "Nanjing City, Jiangsu Province",
  "vul_name": "showdoc File Upload Vulnerability",
  "dst_port": "80",
  "status": "Attempted Attacks"
}
```

Field Description

| Field name | Description |
| --- | --- |
| src_ip | Source IP |
| city | Source city |
| vul_name | Vulnerability name |
| dst_port | Target port |
| status | Attack status |

Offline Client

Sample

```json
{
  "event_type": "Offline Client",
  "offline_hour": "1"
}
```

Field Description

| Field name | Description |
| --- | --- |
| offline_hour | Client offline duration |

Client Uninstallation

Sample

```json
{
  "event_type": "Client Uninstallation"
}
```

Vulnerability Notification

Sample

```json
{
  "event_type": "Vulnerability",
  "category": "Linux Software Vulnerabilities",
  "vul_name": "libexpat Code Execution Vulnerability (CVE-2022-40674)",
  "level": "Critical"
}
```

Field Description

| Field name | Description |
| --- | --- |
| category | Vulnerability category |
| vul_name | Vulnerability name |
| level | Threat level |

Baseline Notification

Sample

```json
{
  "event_type": "Baseline",
  "category": "Linux System Weak Password Detection",
  "rule_name": "Linux System Weak Password Detection",
  "level": "High-risk"
}
```

Field Description

| Field name | Description |
| --- | --- |
| category | Baseline category |
| rule_name | Rule name |
| level | Threat level |

Ransomware Defense

Sample

```json
{
  "event_type": "Ransomware Defense",
  "file_path": "/usr/bin/vi"
}
```

Field Description

| Field name | Description |
| --- | --- |
| file_path | File directory |

Web Tamper Protection

Successful Tampering

Sample

```json
{
  "event_type": "Web Tamper Protection (Successful Tampering)",
  "protect_name": "Important File",
  "protect_path": "/tmp",
  "recover_type": "New File Creation",
  "recovered_status": "Not Recovered"
}
```

Field Description

| Field name | Description |
| --- | --- |
| protect_name | Protection name |
| protect_path | Protection directory |
| recover_type | Event type |
| recovered_status | Event status |

Recovery Failed

Sample

```json
{
  "event_type": "Web Tamper Protection (Recovery Failed)",
  "protect_name": "Important File",
  "protect_path": "/tmp",
  "exception": "Client Offline"
}
```

Field Description

| Field name | Description |
| --- | --- |
| protect_name | Protection name |
| protect_path | Protection directory |
| exception | Reason for failure |
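The following is an added example of a receiver for the alarm format documented above; it is not Tencent Cloud code. It assumes a delivered webhook body is the union of the public fields and the event-specific fields shown in each sample, and that all values arrive as strings as in the samples; the triage rule in `needs_attention` is an assumption of this example, not platform behaviour.

```python
import json

# Public fields every alarm carries (Public Fields table above).
PUBLIC_FIELDS = ("uin", "nickname", "server", "instance_id", "region", "time")

# Event-specific fields, keyed by the event_type value shown in each sample.
EVENT_FIELDS = {
    "Exceptional Log-in": ("src_ip", "area", "level"),
    "Password Cracking": ("src_ip", "area", "count", "banned"),
    "Malicious Files": ("file_type", "path", "level"),
    "Reverse Shell": ("process", "dst_ip", "dst_port"),
    "Web Tamper Protection (Successful Tampering)":
        ("protect_name", "protect_path", "recover_type", "recovered_status"),
    "Offline Client": ("offline_hour",),
    "Client Uninstallation": (),
}

def split_server(server):
    """Split the documented 'Machine IP [Machine alias]' form into (ip, alias)."""
    ip, _, rest = server.strip().partition(" ")
    alias = rest.strip()
    if alias and not (alias.startswith("[") and alias.endswith("]")):
        raise ValueError(f"unexpected server format: {server!r}")
    return ip, alias[1:-1]

def parse_alarm(raw):
    """Validate one webhook body and return (event_type, public, details).
    Assumes a delivered body is the union of the public and event-specific
    fields; sample values are all strings, so count/pid/port are not cast."""
    alarm = json.loads(raw)
    missing = [f for f in PUBLIC_FIELDS + ("event_type",) if f not in alarm]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    event_type = alarm["event_type"]
    if event_type not in EVENT_FIELDS:
        raise ValueError(f"unknown event_type: {event_type!r}")
    public = {f: alarm[f] for f in PUBLIC_FIELDS}
    public["ip"], public["alias"] = split_server(alarm["server"])
    details = {f: alarm.get(f) for f in EVENT_FIELDS[event_type]}
    return event_type, public, details

def needs_attention(event_type, details):
    """Triage rule (an assumption here, not CWPP's): escalate unless contained."""
    if event_type == "Password Cracking":
        return details.get("banned") != "Block Success"
    if event_type == "Web Tamper Protection (Successful Tampering)":
        return details.get("recovered_status") == "Not Recovered"
    if event_type in ("Reverse Shell", "Client Uninstallation"):
        return True
    return (details.get("level") or "").startswith(("High-risk", "Severe", "Critical"))
```

Unknown `event_type` values and bodies missing public fields are rejected rather than silently routed, so a schema change on the sender side surfaces as an error in the receiver's logs.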
