You can call this operation to query the details of an anomalous activity, including the time when the anomalous activity occurred, description of the anomalous activity, and processing status of the anomalous activity.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeEventDetail

The operation that you want to perform. Set the value to DescribeEventDetail.

Id Long Yes 13456723343

The unique ID of the anomalous activity to query.

Note: You can call the DescribeEvents operation to query the ID of the anomalous activity.
Lang String No zh

The language of the request and response. Valid values:

  • zh: Chinese
  • en: English

Response parameters

Parameter Type Example Description
Event

The details of the anomalous activity.

AlertTime Long 1545829129000

The time when an alert was triggered for the anomalous activity. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.

Backed Boolean false

Indicates whether the processing result of the anomalous activity was used to enhance the detection of anomalous activities. By enhancing the detection, you can improve the detection accuracy and the rate of triggering alerts for anomalous activities. Valid values:

  • true: The detection was enhanced.
  • false: The detection was not enhanced.
DataInstance String in-222***

The name of the instance in the service where the anomalous activity was detected.

DealDisplayName String yundunsr

The display name of the account used to process the anomalous activity.

DealLoginName String det1111

The username of the account used to process the anomalous activity.

DealReason String Anomaly confirmed

The reason why the anomalous activity was processed in this way.

DealTime Long 1230000

The time when the anomalous activity was processed. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.

DealUserId Long 229157443385014140

The ID of the account used to process the anomalous activity.

Detail

The details of the anomalous activity.

Chart

The baseline behavior profile of the anomalous activity.

Data

The data in the baseline behavior profile of the anomalous activity.

X String [test1,test2,...]

The value of the data item on the X axis.

Y String [1,2,3,...]

The value of the data item on the Y axis.

Label String Baseline behavior profile

The name of the baseline behavior profile of the anomalous activity.

XLabel String Number of days

The descriptive label of data items on the X axis.

YLabel String Value

The descriptive label of data items on the Y axis.

Content

The anomalous activity content.

Label String Anomaly description

The name of the anomalous activity content.

Value String The account was used to access OSS from an unusual terminal (IP address: 1.2.3.4) from September 9 2019, 00:06:45 to September 9 2019, 00:57:37.

The description of the anomalous activity content.

ResourceInfo

The anomalous activity source.

Label String Activity risk

The name of the anomalous activity source.

Value String Based on the record of authentication through an unusual terminal, an external attacker may have obtained the access permission of the account or the employee accessed data from a personal terminal.

The description of the anomalous activity source.

DisplayName String yundunsr

The display name of the account that triggered the anomalous activity.

EventTime Long 1545829129000

The time when the anomalous activity occurred. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.

Id Long 52234

The unique ID of the anomalous activity.

LoginName String det1111

The username of the account that triggered the anomalous activity.

ProductCode String MaxCompute

The name of the service where the anomalous activity was detected. Valid values:

  • MaxCompute
  • RDS
  • OSS
Status Integer 0

The ID of the processing status of the anomalous activity. Valid values:

  • 0: unprocessed
  • 1: confirmed as an anomaly
  • 2: excluded as a false positive
StatusName String Unprocessed

The name of the processing status of the anomalous activity.

SubTypeCode String 020008

The code of the anomalous activity subtype.

SubTypeName String Anomalous downloaded data volume

The name of the anomalous activity subtype.

TypeCode String 02

The code of the anomalous activity type.

TypeName String Anomalous data flow

The name of the anomalous activity type. Valid values:

  • Anomalous permission access
  • Anomalous data flow
  • Anomalous data operation
UserId Long 229157443385014140

The ID of the account that triggered the anomalous activity.

RequestId String 769FB3C1-F4C9-42DF-9B72-7077A8989C13

The ID of the request.

Examples

Sample requests


http(s)://[Endpoint]/?Action=DescribeEventDetail
&Id=13456723343
&<Common request parameters>

Sample success responses

XML format

<DescribeEventDetail>
  <RequestId>769FB3C1-F4C9-42DF-9B72-7077A8989C13</RequestId>
  <Event>
        <Status>0</Status>
        <TypeName>Anomalous data flow</TypeName>
        <Backed>false</Backed>
        <TypeCode>02</TypeCode>
        <ProductCode>MaxCompute</ProductCode>
        <SubTypeName>Anomalous downloaded data volume</SubTypeName>
        <EventTime>1545829129000</EventTime>
        <UserId>229157443385014140</UserId>
        <LoginName>det1111</LoginName>
        <DisplayName>yundunsr</DisplayName>
        <Id>4</Id>
        <SubTypeCode>020008</SubTypeCode>
        <AlertTime>1545829129000</AlertTime>
        <StatusName>Unprocessed</StatusName>
        <DealUserId>229157443385014140</DealUserId>
        <DealLoginName>det1111</DealLoginName>
        <DealDisplayName>yundunsr</DealDisplayName>
        <DepartName>test</DepartName>
        <Detail>
              <Content>
                    <Value>The account was used to access OSS from an unusual terminal (IP address: 1.2.3.4) from September 9 2019, 00:06:45 to September 9 2019, 00:57:37. </Value>
                    <Label>Anomaly description</Label>
              </Content>
              <Chart>
                    <YLabel>Value</YLabel>
                    <Label>Baseline behavior profile</Label>
                    <Data>
                          <X>1</X>
                          <X>2</X>
                          <X>3</X>
                          <X>4</X>
                          <X>5</X>
                          <X>6</X>
                          <Y>1</Y>
                          <Y>2</Y>
                          <Y>3</Y>
                          <Y>4</Y>
                          <Y>5</Y>
                          <Y>6</Y>
                    </Data>
                    <XLabel>Number of days</XLabel>
              </Chart>
        </Detail>
        <DealReason>Anomaly confirmed</DealReason>
  </Event>
</DescribeEventDetail>

JSON format

{
	"Event":{
		"DealDisplayName":"yundunsr",
		"ProductCode":"MaxCompute",
		"LoginName":"det1111",
		"DepartName":"test",
		"Backed":false,
		"TypeName":"Anomalous data flow",
		"UserId":229157443385014132,
		"DisplayName":"yundunsr",
		"DealReason":"Anomaly confirmed",
		"Status":0,
		"Detail":{
			"Chart":[
				{
					"Data":{
						"Y":[
							1,
							2,
							3,
							4,
							5,
							6
						],
						"X":[
							1,
							2,
							3,
							4,
							5,
							6
						]
					},
					"XLabel":"Number of days",
					"Label":"Baseline behavior profile",
					"YLabel":"Value"
				}
			],
			"Content":[
				{
					"Value":"The account was used to access OSS from an unusual terminal (IP address: 1.2.3.4) from September 9 2019, 00:06:45 to September 9 2019, 00:57:37.",
					"Label":"Anomaly description"
				}
			]
		},
		"TypeCode":"02",
		"EventTime":1545829129000,
		"AlertTime":1545829129000,
		"StatusName":"Unprocessed",
		"Id":4,
		"DealLoginName":"det1111",
		"SubTypeName":"Anomalous downloaded data volume",
		"SubTypeCode":"020008",
		"DealUserId":229157443385014132
	},
	"RequestId":"769FB3C1-F4C9-42DF-9B72-7077A8989C13"
}
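
Added example (not part of the original reference or of any SDK): one way to normalize the JSON response above into a flat triage record for a SIEM or ticketing pipeline. The function names, the output field names, and the trimmed sample body are assumptions made for illustration; X and Y are read as arrays, as in the JSON sample.

```python
import json
from datetime import datetime, timezone

# Status codes as listed in the response parameter table.
STATUS = {0: "unprocessed", 1: "confirmed as an anomaly",
          2: "excluded as a false positive"}

# Constructed sample, trimmed from the JSON sample response on this page.
SAMPLE = """{"Event": {"Id": 4, "Status": 0, "ProductCode": "MaxCompute",
 "SubTypeCode": "020008", "LoginName": "det1111",
 "UserId": 229157443385014132, "EventTime": 1545829129000,
 "AlertTime": 1545829129000,
 "Detail": {"Content": [{"Label": "Anomaly description",
   "Value": "The account was used to access OSS from an unusual terminal."}],
  "Chart": [{"Label": "Baseline behavior profile",
   "Data": {"X": [1, 2, 3], "Y": [1, 2, 3]}}]}},
 "RequestId": "769FB3C1-F4C9-42DF-9B72-7077A8989C13"}"""


def ms_to_iso(ms):
    """Millisecond UNIX timestamp -> ISO 8601 UTC string; None if absent."""
    if ms is None:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def normalize_event(raw):
    """Flatten a DescribeEventDetail JSON body into a triage record."""
    body = json.loads(raw)
    ev = body["Event"]
    detail = ev.get("Detail") or {}
    status = ev.get("Status")
    return {
        "request_id": body.get("RequestId"),
        # Long IDs can exceed 2**53; keep them as strings so consumers that
        # decode JSON numbers as doubles cannot round them.
        "event_id": str(ev["Id"]),
        "user_id": str(ev["UserId"]),
        "login_name": ev.get("LoginName"),
        "product": ev.get("ProductCode"),
        "subtype_code": ev.get("SubTypeCode"),
        "status": STATUS.get(status, f"unknown({status})"),
        "needs_triage": status == 0,
        "event_time": ms_to_iso(ev.get("EventTime")),
        "alert_time": ms_to_iso(ev.get("AlertTime")),
        "deal_time": ms_to_iso(ev.get("DealTime")),  # absent in the sample
        "descriptions": [c.get("Value") for c in detail.get("Content", [])],
        "baseline": [list(zip(c["Data"]["X"], c["Data"]["Y"]))
                     for c in detail.get("Chart", [])],
    }
```

Records with needs_triage set to true correspond to Status 0 and are the ones still awaiting an analyst decision.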

Error codes

For a list of error codes, visit the API Error Center.