Handles multiple suspicious events at a time.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer automatically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes OperationSuspEvents

The operation that you want to perform.

Set the value to OperationSuspEvents.

Note: If operation-specific request parameters contain only this parameter, Security Center does not handle suspicious events.
SourceIp String No 1.2.3.4

The source IP address of the request.

SuspiciousEventIds String No 290852

The list of alert IDs.

Note: You can call the DescribeAlarmEventList operation and obtain the IDs from the SecurityEventIds response parameter.
Operation String No deal

The operation that you want to perform on alerts. Valid values:

  • deal: quarantines the source file of the malicious process.
  • ignore: ignores the alerts.
  • mark_mis_info: marks the alerts as false positives by adding them to the whitelist.
  • rm_mark_mis_info: cancels false positives by removing the alerts from the whitelist.
  • offline_handled: marks the alerts as handled.
SubOperation String No killAndQuaraFileByPidAndMd5andPath

The suboperation that you want to perform when you quarantine the source file of the malicious process. Valid values:

  • killAndQuaraFileByPidAndMd5andPath: terminates the process based on its ID and quarantines the source file of the process.
  • quaraFileByMd5andPath: quarantines the source file of the process.
  • killAndQuaraFileByMd5andPath: terminates the process and quarantines the source file of the process.
From String No aqs

The ID of the request.

Set the value to aqs, which specifies the request from the Security Center client.

WarnType String No alarm

The type of the event. Valid values:

  • alarm, which specifies an alert
  • null, which specifies a suspicious event

Response parameters

Parameter Type Example Description
AccessCode String pass

Indicates whether you have access permissions. Valid values:

  • pass, which indicates that you have access permissions
  • no_permission, which indicates that you do not have access permissions
RequestId String 7E0618A9-D5EF-4220-9471-C42B5E92719F

The ID of the request.

Success Boolean true

The result of handling suspicious events. Valid values:

  • true: The suspicious events are handled.
  • false: The suspicious events fail to be handled.

Examples

Sample requests

http(s)://[Endpoint]/?Action=OperationSuspEvents
&<Common request parameters>

Sample success responses

XML format

<OperationSuspEventsResponse>
      <AccessCode>pass</AccessCode>
      <requestId>7E0618A9-D5EF-4220-9471-C42B5E92719F</requestId>
      <success>true</success>
</OperationSuspEventsResponse>

JSON format

{
  "AccessCode": "pass",
  "requestId": "7E0618A9-D5EF-4220-9471-C42B5E92719F",
  "success": true
}
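
The following added example (not from the original page or from the Security Center SDK) validates the operation-specific parameters against the valid values listed above before a request is sent, and checks the JSON response for both AccessCode and success. The function names are hypothetical, comma-separated numeric alert IDs are an assumption, and common request parameters and signing are not covered.

```python
import json
from urllib.parse import urlencode

# Valid values copied from the request parameter table above.
OPERATIONS = {"deal", "ignore", "mark_mis_info", "rm_mark_mis_info", "offline_handled"}
SUB_OPERATIONS = {
    "killAndQuaraFileByPidAndMd5andPath",
    "quaraFileByMd5andPath",
    "killAndQuaraFileByMd5andPath",
}


def build_params(event_ids, operation, sub_operation=None):
    """Return the operation-specific query parameters, or raise ValueError."""
    if not event_ids:
        # Per the note on Action: a request with only Action handles nothing.
        raise ValueError("no alert IDs given; the request would handle nothing")
    if not all(str(i).isdigit() for i in event_ids):
        # Assumption: alert IDs are numeric, as in the example value 290852.
        raise ValueError("alert IDs must be numeric")
    if operation not in OPERATIONS:
        raise ValueError(f"unknown Operation: {operation!r}")
    params = {
        "Action": "OperationSuspEvents",
        # Assumption: multiple IDs are passed comma-separated in one string.
        "SuspiciousEventIds": ",".join(str(i) for i in event_ids),
        "Operation": operation,
        "From": "aqs",
    }
    if sub_operation is not None:
        # SubOperation is described only for quarantining, i.e. Operation=deal.
        if operation != "deal":
            raise ValueError("SubOperation only applies to Operation=deal")
        if sub_operation not in SUB_OPERATIONS:
            raise ValueError(f"unknown SubOperation: {sub_operation!r}")
        params["SubOperation"] = sub_operation
    return params


def handled(response_text):
    """True only if the response reports access granted and success."""
    # Keys are lowercased: the parameter table and the samples differ in case.
    body = {k.lower(): v for k, v in json.loads(response_text).items()}
    return body.get("accesscode") == "pass" and body.get("success") is True


# Constructed sample input: the JSON success response shown above.
SAMPLE = '{"AccessCode": "pass", "requestId": "7E0618A9-D5EF-4220-9471-C42B5E92719F", "success": true}'

if __name__ == "__main__":
    print(urlencode(build_params([290852], "deal", "killAndQuaraFileByPidAndMd5andPath")))
    print(handled(SAMPLE))
```

Checking both fields matters for automated response playbooks: a reply with AccessCode set to no_permission means the alert was not handled and should not be closed in the ticketing system.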

Error codes

For a list of error codes, visit the API Error Center.