Last Updated: 1/22/2020 12:11:06 AM
Query detail logs.
Request
HTTP Request
GET /SMPI/{version}/service/wfbss/api/customers/logs
Parameters
Name | Type | Description | Validation |
---|---|---|---|
Required Parameters | | | |
cids | string | Customer ID | One and only one customer id must be specified. |
type | string | Log type | virus, spyware, or wtp |
Optional Parameters | | | |
start_time | integer | Start time of the query interval. | UNIX timestamp (seconds since 1970-01-01 00:00:00 UTC). Default is (end_time - 3600). |
end_time | integer | End time of the query interval. | UNIX timestamp (seconds since 1970-01-01 00:00:00 UTC). Default is now. end_time - start_time should not be greater than 3600. If end_time - start_time > 3600, start_time will be changed to (end_time - 3600). |
limit | integer | The limit of returned records. | 0 to 100. Default is 100. If exceeding 100, it will be set to 100. |
results | string | The list of action results separated by commas. If set, only the specified results will be returned. Otherwise, all results will be returned. * This parameter is only available for virus and spyware. | The result codes for each log type are listed below this table. |
cursor | integer | The cursor of returned records. Only records whose log ID is larger than the specified cursor will be returned. To retrieve the first batch of records, you should pass a cursor with a value of 0. If customers[].cursor is in the response of this request, you can pass a cursor with this value to get the next batch of records. | Cursor is only available for log type virus and spyware. Also, the results parameter should be set; otherwise cursor will be ignored. Valid value is from 1 to max. If not set, default is 0. |

Values of the results parameter:

- virus:
  - 0 = `{"first": {"action": "clean", "result": "clean_success"}}`
  - 1 = `{"first": {"action": "quarantine", "result": "quarantine_success"}}`
  - 2 = `{"first": {"action": "delete", "result": "delete_success"}}`
  - 3 = `{"first": {"action": "rename", "result": "rename_success"}}`
  - 4 = `{"first": {"action": "pass", "result": "pass_success"}}`
  - 5 = `{"first": {"action": "clean", "result": "clean_fail"}}`
  - 6 = `{"first": {"action": "quarantine", "result": "quarantine_fail"}}`
  - 7 = `{"first": {"action": "delete", "result": "delete_fail"}}`
  - 8 = `{"first": {"action": "rename", "result": "rename_fail"}}`
  - 9 = `{"first": {"action": "clean", "result": "clean_fail"}, "second": {"action": "quarantine", "result": "quarantine_success"}}`
  - 10 = `{"first": {"action": "clean", "result": "clean_fail"}, "second": {"action": "delete", "result": "delete_success"}}`
  - 11 = `{"first": {"action": "clean", "result": "clean_fail"}, "second": {"action": "rename", "result": "rename_success"}}`
  - 12 = `{"first": {"action": "clean", "result": "clean_fail"}, "second": {"action": "pass", "result": "pass_success"}}`
  - 13 = `{"first": {"action": "clean", "result": "clean_fail"}, "second": {"action": "quarantine", "result": "quarantine_fail"}}`
  - 14 = `{"first": {"action": "clean", "result": "clean_fail"}, "second": {"action": "delete", "result": "delete_fail"}}`
  - 15 = `{"first": {"action": "clean", "result": "clean_fail"}, "second": {"action": "rename", "result": "rename_fail"}}`
  - 18, 19, 81, 82, 90, 91 = `{"first": {"action": "na", "result": "na_success"}}`
  - Red-light incidents: 5,6,7,8,14,15
  - Please refer to customers[].logs[].details[].scan_result in response for detailed description.
- spyware:
  - 0 = unknown
  - 1 = na_success
  - 2 = clean_success
  - 4 = reboot_success
  - 8 = unsafe_to_delete_success
  - 16 = block_success
  - 32 = incomplete_scan_success
  - Red-light incidents: 4
  - Please refer to customers[].logs[].details[].scan_result in response for detailed description.
HTTP Request Example
1. Query virus incidents

```
GET /SMPI/{version}/service/wfbss/api/customers/logs?cids=0C7AE057-7B6E-4E9A-AFBA-69904BA1ED06&type=virus&start_time=1412647200&end_time=1412650800&limit=100
```

2. Query cursored virus red-light incidents

(1) Get first batch of records

```
GET /SMPI/{version}/service/wfbss/api/customers/logs?cids=0C7AE057-7B6E-4E9A-AFBA-69904BA1ED06&type=virus&start_time=1412647200&end_time=1412650800&limit=100&results=5,6,7,8,14,15&cursor=0
```

(2) If customers[].cursor in the response is 1122, get the next batch of records.

```
GET /SMPI/{version}/service/wfbss/api/customers/logs?cids=0C7AE057-7B6E-4E9A-AFBA-69904BA1ED06&type=virus&start_time=1412647200&end_time=1412650800&limit=100&results=5,6,7,8,14,15&cursor=1122
```

(3) Repeat until the customers array in the response is empty.

3. Query spyware incidents

```
GET /SMPI/{version}/service/wfbss/api/customers/logs?cids=0C7AE057-7B6E-4E9A-AFBA-69904BA1ED06&type=spyware&start_time=1412647200&end_time=1412650800&limit=100
```

4. Query cursored spyware red-light incidents

(1) Get first batch of records

```
GET /SMPI/{version}/service/wfbss/api/customers/logs?cids=0C7AE057-7B6E-4E9A-AFBA-69904BA1ED06&type=spyware&start_time=1412647200&end_time=1412650800&limit=100&results=4&cursor=0
```

(2) If customers[].cursor in the response is 213, get the next batch of records.

```
GET /SMPI/{version}/service/wfbss/api/customers/logs?cids=0C7AE057-7B6E-4E9A-AFBA-69904BA1ED06&type=spyware&start_time=1412647200&end_time=1412650800&limit=100&results=4&cursor=213
```

(3) Repeat until the customers array in the response is empty.

5. Query wtp logs

```
GET /SMPI/{version}/service/wfbss/api/customers/logs?cids=0C7AE057-7B6E-4E9A-AFBA-69904BA1ED06&type=wtp&start_time=1412647200&end_time=1412650800&limit=100
```
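The cursored red-light queries above, as an added Python example (not code from this page or from the vendor): it splits a longer range into windows of at most 3600 seconds, because the server otherwise moves start_time forward, and pages each window until the customers array is empty. The `fetch` callable, which must perform the authenticated request and return the parsed JSON, and all function names are assumptions.

```python
from urllib.parse import urlencode

PATH = "/SMPI/{version}/service/wfbss/api/customers/logs"
MAX_WINDOW = 3600  # longer intervals make the server move start_time forward
RED_LIGHT = {"virus": "5,6,7,8,14,15", "spyware": "4"}  # red-light result codes

def windows(start, end, size=MAX_WINDOW):
    """Split [start, end] into consecutive intervals of at most `size` seconds."""
    while start < end:
        stop = min(start + size, end)
        yield start, stop
        start = stop

def build_url(version, cid, log_type, start, end, cursor=0):
    """Build the cursored red-light query for one window."""
    if log_type not in RED_LIGHT:
        raise ValueError("cursor is only available for log type virus and spyware")
    query = {"cids": cid, "type": log_type, "start_time": start, "end_time": end,
             "limit": 100, "results": RED_LIGHT[log_type], "cursor": cursor}
    return PATH.format(version=version) + "?" + urlencode(query, safe=",")

def red_light_logs(fetch, version, cid, log_type, start, end):
    """Yield each red-light record in [start, end] once.

    fetch(url) -> dict is a hypothetical transport that performs the
    authenticated GET and returns the parsed JSON body.
    """
    seen = set()  # adjacent windows share a boundary second: de-duplicate by log ID
    for w_start, w_end in windows(start, end):
        cursor = 0  # first batch of every window
        while True:
            url = build_url(version, cid, log_type, w_start, w_end, cursor)
            customers = fetch(url).get("customers", [])
            if not customers:  # empty customers array: window exhausted
                break
            next_cursor = cursor
            for customer in customers:
                next_cursor = customer.get("cursor", next_cursor)
                for log in customer.get("logs", []):
                    if log["id"] not in seen:
                        seen.add(log["id"])
                        yield log
            if next_cursor <= cursor:  # cursor did not advance: stop, do not loop
                break
            cursor = next_cursor
```

Whether start_time and end_time are inclusive is not stated on this page, so the windows deliberately overlap by one second and duplicates are dropped by log ID.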
Request Body
Do not supply a request body with this method.
Response
If successful, this method returns an HTTP 200 OK status code and a response body with the following structure:
1. Response of querying virus logs

```json
{
  "customers": [
    {
      "cursor": 36775,
      "id": "0C7AE057-7B6E-4E9A-AFBA-69904BA1ED06",
      "eid": "35199BC2-C795-48E5-8B25-9439C5493C0A",
      "logs": [
        {
          "scan_result": {
            "first": {"action": "clean", "result": "clean_fail"}
          },
          "virus_name": "123Banners",
          "timestamp": 1412649921,
          "computer": {
            "id": "1c28921125682d41b03cb7e80aa0c0be",
            "components": {
              "engine": [{"version": "1.234.56", "type": 4}],
              "pattern": [{"version": "1.234.56", "type": 1208090624}]
            },
            "name": "Computer_1c28921125682d41b03cb7e80aa0c0be"
          },
          "file": "$winnt$.inf",
          "id": 36598,
          "dir": "C:\\WINDOWS\\system32"
        },
        {
          "scan_result": {
            "first": {"action": "quarantine", "result": "quarantine_fail"}
          },
          "virus_name": "123Mania",
          "timestamp": 1412649921,
          "computer": {
            "id": "1c28921125682d41b03cb7e80aa0c0be",
            "components": {
              "engine": [{"version": "1.234.56", "type": 4}],
              "pattern": [{"version": "1.234.56", "type": 1208090624}]
            },
            "name": "Computer_1c28921125682d41b03cb7e80aa0c0be"
          },
          "file": "dwintl.dll",
          "id": 36601,
          "dir": "C:\\WINDOWS\\system32\\1028"
        }
      ]
    }
  ]
}
```

2. Response of querying spyware logs

```json
{
  "customers": [
    {
      "cursor": 51484,
      "id": "0C7AE057-7B6E-4E9A-AFBA-69904BA1ED06",
      "eid": "35199BC2-C795-48E5-8B25-9439C5493C0A",
      "logs": [
        {
          "spyware_name": "Adware_180Solutions.Seekmo",
          "timestamp": 1412649922,
          "scan_type": "scan_scheduled",
          "computer": {
            "id": "1c28921125682d41b03cb7e80aa0c0be",
            "name": "Computer_1c28921125682d41b03cb7e80aa0c0be"
          },
          "details": [
            {
              "spyware_type": 6,
              "scan_result": "unsafe_to_delete_success",
              "resource_path": "RT_SHELL",
              "risk_level": "low",
              "resource_type": 18
            }
          ],
          "id": 51202
        },
        {
          "spyware_name": "Adware_180Solutions.Zango",
          "timestamp": 1412649922,
          "scan_type": "scan_realtime",
          "computer": {
            "id": "1c28921125682d41b03cb7e80aa0c0be",
            "name": "Computer_1c28921125682d41b03cb7e80aa0c0be"
          },
          "details": [
            {
              "spyware_type": 7,
              "scan_result": "block_success",
              "resource_path": "RT_COOKIE",
              "risk_level": "high",
              "resource_type": 19
            }
          ],
          "id": 51205
        }
      ]
    }
  ]
}
```

3. Response of querying wtp logs

```json
{
  "customers": [
    {
      "cursor": 86449,
      "id": "0C7AE057-7B6E-4E9A-AFBA-69904BA1ED06",
      "eid": "35199BC2-C795-48E5-8B25-9439C5493C0A",
      "logs": [
        {
          "risk_level": "low",
          "url": "http://dl.google.com/update2/1.2.145.5/GoogleInstaller_en.application?appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B406246FB-03ED-2320-6C12-07795259D522%7D%26lang%3Den%26browser%3D2%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dfalse",
          "timestamp": 1412649926,
          "computer": {
            "client_ip": "1.0.168.192",
            "id": "1c28921125682d41b03cb7e80aa0c0be",
            "name": "Computer_1c28921125682d41b03cb7e80aa0c0be"
          },
          "action": "block",
          "id": 86152
        },
        {
          "risk_level": "medium",
          "url": "http://dotnet.sys-con.com/index.rss",
          "timestamp": 1412649926,
          "computer": {
            "client_ip": "1.0.168.192",
            "id": "1c28921125682d41b03cb7e80aa0c0be",
            "name": "Computer_1c28921125682d41b03cb7e80aa0c0be"
          },
          "action": "block",
          "id": 86155
        }
      ]
    }
  ]
}
```
Name | Type | Description | Length |
---|---|---|---|
Virus | | | |
customers[].cursor | integer | The cursor that you should send to receive the next batch of records. | |
customers[].logs[].scan_result.first.action | string | First action taken | {"first": {"action": "clean", "result": "clean_success"}} = Cleaned successfully; {"first": {"action": "quarantine", "result": "quarantine_success"}} = Infected file was successfully quarantined; {"first": {"action": "delete", "result": "delete_success"}} = Infected file was successfully deleted; {"first": {"action": "rename", "result": "rename_success"}} = Infected file was successfully renamed; {"first": {"action": "pass", "result": "pass_success"}} = Infected file was successfully passed; {"first": {"action": "clean", "result": "clean_fail"}} = Virus successfully detected but failed to clean; {"first": {"action": "quarantine", "result": "quarantine_fail"}} = Virus successfully detected, but infected file cannot be quarantined; {"first": {"action": "delete", "result": "delete_fail"}} = Virus successfully detected, but infected file cannot be deleted; {"first": {"action": "rename", "result": "rename_fail"}} = Virus successfully detected, but infected file cannot be renamed; {"first": {"action": "clean", "result": "clean_fail"}, "second": {"action": "quarantine", "result": "quarantine_success"}} = Virus successfully detected, but infected file cannot be cleaned. File was quarantined; {"first": {"action": "clean", "result": "clean_fail"}, "second": {"action": "delete", "result": "delete_success"}} = Virus successfully detected, but infected file cannot be cleaned. File was deleted; {"first": {"action": "clean", "result": "clean_fail"}, "second": {"action": "rename", "result": "rename_success"}} = Virus successfully detected, but infected file cannot be cleaned. File was renamed; {"first": {"action": "clean", "result": "clean_fail"}, "second": {"action": "pass", "result": "pass_success"}} = Virus successfully detected, but infected file cannot be cleaned. File was passed; {"first": {"action": "clean", "result": "clean_fail"}, "second": {"action": "quarantine", "result": "quarantine_fail"}} = Virus successfully detected, but infected file can neither be cleaned nor quarantined; {"first": {"action": "clean", "result": "clean_fail"}, "second": {"action": "delete", "result": "delete_fail"}} = Virus successfully detected, but infected file can neither be cleaned nor deleted; {"first": {"action": "clean", "result": "clean_fail"}, "second": {"action": "rename", "result": "rename_fail"}} = Virus successfully detected, but infected file can neither be cleaned nor renamed; {"first": {"action": "na", "result": "na_success"}} = Infected file was successfully detected, no action taken on probable virus/malware OR See scan result in compressed file OR Action Index Value Product Encrypt Success OR Action Index Value Product Encrypt Fail OR Action Index Value Rootkit Detect Success OR Action Index Value Rootkit Need FullScan Success |
customers[].logs[].scan_result.first.result | string | Result of the first action | Please refer to customers[].logs[].scan_result.first.action for the possible values. |
customers[].logs[].scan_result.second.action | string | Second action taken | Optional. Please refer to customers[].logs[].scan_result.first.action for the possible values. |
customers[].logs[].scan_result.second.result | string | Result of the second action | Optional. Please refer to customers[].logs[].scan_result.first.action for the possible values. |
customers[].logs[].virus_name | string | Virus/malware Name | |
customers[].logs[].timestamp | integer | Date/time | Unix timestamp (seconds since 1970-01-01 00:00:00 UTC) |
customers[].logs[].computer.id | string | Device ID | |
customers[].logs[].computer.name | string | Device name | |
customers[].logs[].computer.components.engine[].version | string | Virus engine | |
customers[].logs[].computer.components.engine[].type | integer | Engine type | 0x00000004 (4) = TM_AU_ENGINE_VSAPI32_NT_I386; 0x20000100 (536871168) = TM_AU_ENGINE_VSAPI_X64_DLL; 0x24000040 (603979840) = TM_AU_ENGINE_VSAPI_MACOS_X_UNIVERSAL; 0x00000011 (11) = the type has no definition in AU. Using self defined value. |
customers[].logs[].computer.components.pattern[].version | string | Virus pattern | |
customers[].logs[].computer.components.pattern[].type | integer | Pattern type | 0x00000004 (4) = TM_AU_PATTERN_VSAPI; 0x48020000 (1208090624) = TM_AU_PATTERN_ICRC_NONCRC; 0x48040072 (1208221810) = TM_AU_PATTERN_ANDROID_V2 |
customers[].logs[].file | string | File name | |
customers[].logs[].id | integer | Log ID | |
customers[].logs[].dir | string | Path | |
customers[].id | string | Customer ID | |
customers[].eid | string | For internal use only. | |
Spyware | | | |
customers[].cursor | integer | The cursor that you should send to receive the next batch of records. | |
customers[].logs[].spyware_name | string | Spyware/grayware name | |
customers[].logs[].timestamp | integer | Date/time | Unix timestamp (seconds since 1970-01-01 00:00:00 UTC) |
customers[].logs[].scan_type | string | Scan type | scan_realtime, scan_manual, scan_scheduled, or unknown |
customers[].logs[].computer.id | string | Device ID | |
customers[].logs[].computer.name | string | Device name | |
customers[].logs[].details[].spyware_type | integer | Spyware/grayware type | 1 = Trackware, 2 = Adware, 3 = Cookie, 4 = Dialer, 5 = Security Weakness, 6 = General, 7 = Keylogger, 8 = Trojan, 9 = Suspect, 10 = Hijack, 11 = Parasite, 12 = Internet Explorer Plugins, 13 = Layered Service Providers, 15 = Shortcut Link, 16 = P2P, 17 = Worm, 19 = Downloader, 20 = Virus, 21 = EULA Software, 25 = Variant, and 0 = Others |
customers[].logs[].details[].scan_result | string | Scan result | unknown = Unknown Result, na_success = Spyware/Grayware was detected but no action taken, clean_success = Spyware/Grayware was cleaned successfully, reboot_success = System restart required to finish cleaning, unsafe_to_delete_success = Spyware/Grayware is considered unsafe to clean, block_success = Spyware/Grayware was access denied, and incomplete_scan_success = Spyware/Grayware scan was stopped prematurely |
customers[].logs[].details[].resource_path | string | Infected resource | |
customers[].logs[].details[].risk_level | string | Risk level | high, medium, or low |
customers[].logs[].details[].resource_type | integer | Resource type | 14 = Process, 15 = Startup Area, 16 = Internet Explorer Plugins, 17 = Layered Service Providers, 18 = Hosts, 19 = Policy, 20 = Browser, 23 = Shell, 24 = ActiveX, 26 = Services, 10 = File System, 11 = System Registry, 12 = Cookies, 13 = Shortcut Link, and -1 = Others |
customers[].logs[].id | integer | Log ID | |
customers[].id | string | Customer ID | GUID |
customers[].eid | string | For internal use only. | GUID |
WTP | | | |
customers[].cursor | integer | For internal use only. | |
customers[].logs[].risk_level | string | Risk level | high, medium, or low |
customers[].logs[].url | string | URL | |
customers[].logs[].timestamp | integer | Date/time | Unix timestamp (seconds since 1970-01-01 00:00:00 UTC) |
customers[].logs[].computer.client_ip | string | Device IP | |
customers[].logs[].computer.id | string | Device ID | |
customers[].logs[].computer.name | string | Device name | |
customers[].logs[].action | string | Action taken | pass or block |
customers[].logs[].id | integer | Log ID | |
customers[].id | string | Customer ID | |
customers[].eid | string | For internal use only. | |