You can call this operation to query the details of an anomalous activity, including the time when the anomalous activity occurred, description of the anomalous activity, and processing status of the anomalous activity.
Debugging
Request parameters
| Parameter | Type | Required | Example | Description |
|---|---|---|---|---|
| Action | String | Yes | DescribeEventDetail | The operation that you want to perform. Set the value to DescribeEventDetail. |
| Id | Long | Yes | 13456723343 | The unique ID of the anomalous activity to query.
Note You can call the
DescribeEvents operation to query the ID of the anomalous activity.
|
| Lang | String | No | zh | The language of the request and response. Valid values:
|
Response parameters
| Parameter | Type | Example | Description |
|---|---|---|---|
| Event | The details of the anomalous activity. |
||
| AlertTime | Long | 1545829129000 | The time when an alert was triggered for the anomalous activity. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. |
| Backed | Boolean | false | Indicates whether the processing result of the anomalous activity was used to enhance the detection of anomalous activities. By enhancing the detection, you can improve the detection accuracy and the rate of triggering alerts for anomalous activities. Valid values:
|
| DataInstance | String | in-222*** | The name of the instance in the service where the anomalous activity was detected. |
| DealDisplayName | String | yundunsr | The display name of the account used to process the anomalous activity. |
| DealLoginName | String | det1111 | The username of the account used to process the anomalous activity. |
| DealReason | String | Anomaly confirmed | The reason of the way in which the anomalous activity was processed. |
| DealTime | Long | 1230000 | The time when the anomalous activity was processed. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. |
| DealUserId | Long | 229157443385014140 | The ID of the account used to process the anomalous activity. |
| Detail | The details of the anomalous activity. |
||
| Chart | The baseline behavior profile of the anomalous activity. |
||
| Data | The data in the baseline behavior profile of the anomalous activity. |
||
| X | String | [test1,test2,...] | The value of the data item on the X axis. |
| Y | String | [1,2,3,...] | The value of the data item on the Y axis. |
| Label | String | Baseline behavior profile | The name of the baseline behavior profile of the anomalous activity. |
| XLabel | String | Number of days | The descriptive label of data items on the X axis. |
| YLabel | String | Value | The descriptive label of data items on the Y axis. |
| Content | The anomalous activity content. |
||
| Label | String | Anomaly description | The name of the anomalous activity content. |
| Value | String | The account was used to access OSS from an unusual terminal (IP address: 1.2.3.4) from September 9 2019, 00:06:45 to September 9 2019, 00:57:37. | The description of the anomalous activity content. |
| ResourceInfo | The anomalous activity source. |
||
| Label | String | Activity risk | The name of the anomalous activity source. |
| Value | String | Based on the record of authentication through an unusual terminal, an external attacker may have obtained the access permission of the account or the employee accessed data from a personal terminal. | The description of the anomalous activity source. |
| DisplayName | String | yundunsr | The display name of the account that triggered the anomalous activity. |
| EventTime | Long | 1545829129000 | The time when the anomalous activity occurred. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. |
| Id | Long | 52234 | The unique ID of the anomalous activity. |
| LoginName | String | det1111 | The username of the account that triggered the anomalous activity. |
| ProductCode | String | MaxCompute | The name of the service where the anomalous activity was detected. Valid values:
|
| Status | Integer | 0 | The ID of the processing status of the anomalous activity. Valid values:
|
| StatusName | String | Unprocessed | The name of the processing status of the anomalous activity. |
| SubTypeCode | String | 020008 | The code of the anomalous activity subtype. |
| SubTypeName | String | Anomalous downloaded data volume | The name of the anomalous activity subtype. |
| TypeCode | String | 02 | The code of the anomalous activity type. |
| TypeName | String | Anomalous data flow | The name of the anomalous activity type. Valid values:
|
| UserId | Long | 229157443385014140 | The ID of the account that triggered the anomalous activity. |
| RequestId | String | 69FB3C1-F4C9-42DF-9B72-7077A8989C13 | The ID of the request. |
Examples
Sample requests
http(s)://[Endpoint]/? Action=DescribeEventDetail
&<Common request parameters>
Sample success responses
XML format
<DescribeEventDetail>
<RequestId>769FB3C1-F4C9-42DF-9B72-7077A8989C13</RequestId>
<Event>
<Status>0</Status>
<TypeName>Anomalous data flow</TypeName>
<Backed>false</Backed>
<TypeCode>02</TypeCode>
<ProductCode>MaxCompute</ProductCode>
<SubTypeName>Anomalous downloaded data volume</SubTypeName>
<EventTime>1545829129000</EventTime>
<UserId>229157443385014140</UserId>
<LoginName>det1111</LoginName>
<DisplayName>yundunsr</DisplayName>
<Id>4</Id>
<SubTypeCode>020008</SubTypeCode>
<AlertTime>1545829129000</AlertTime>
<StatusName>Unprocessed</StatusName>
<DealUserId>229157443385014140</DealUserId>
<DealLoginName>det1111</DealLoginName>
<DealDisplayName>yundunsr</DealDisplayName>
<DepartName>test</DepartName>
<Detail>
<Content>
<Value>The account was used to access OSS from an unusual terminal (IP address: 1.2.3.4) from September 9 2019, 00:06:45 to September 9 2019, 00:57:37. </Value>
<Label>Anomaly description</Label>
</Content>
<Chart>
<YLabel>Value</YLabel>
<Label>Baseline behavior profile</Label>
<Data>
<X>1</X>
<X>2</X>
<X>3</X>
<X>4</X>
<X>5</X>
<X>6</X>
<Y>1</Y>
<Y>2</Y>
<Y>3</Y>
<Y>4</Y>
<Y>5</Y>
<Y>6</Y>
</Data>
<XLabel>Number of days</XLabel>
</Chart>
</Detail>
<DealReason>Anomaly confirmed</DealReason>
</Event>
</DescribeEventDetail>JSON format
{
"Event":{
"DealDisplayName":"yundunsr",
"ProductCode":"MaxCompute",
"LoginName":"det1111",
"DepartName":"test",
"Backed":false,
"TypeName":"Anomalous data flow",
"UserId":229157443385014132,
"DisplayName":"yundunsr",
"DealReason":"Anomaly confirmed",
"Status":0,
"Detail":{
"Chart":[
{
"Data":{
"Y":[
1,
2,
3,
4,
5,
6
],
"X":[
1,
2,
3,
4,
5,
6
]
},
"XLabel":"Number of days",
"Label":"Baseline behavior profile",
"YLabel":"Value"
}
],
"Content":[
{
"Value":"The account was used to access OSS from an unusual terminal (IP address: 1.2.3.4) from September 9 2019, 00:06:45 to September 9 2019, 00:57:37.",
"Label":"Anomaly description"
}
]
},
"TypeCode":"02",
"EventTime":1545829129000,
"AlertTime":1545829129000,
"StatusName":"Unprocessed",
"Id":4,
"DealLoginName":"det1111",
"SubTypeName":"Anomalous downloaded data volume",
"SubTypeCode":"020008",
"DealUserId":229157443385014132
},
"RequestId":"769FB3C1-F4C9-42DF-9B72-7077A8989C13"
}Error codes
For a list of error codes, visit the API Error Center.