Queries the details about exceptions.

Description

An alert event consists of alerts and exceptions. One alert event can be related to multiple exceptions. This operation returns the exceptions; to list only the exceptions of one alert event, pass its ID in AlarmUniqueInfo.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeSuspEvents

The operation that you want to perform. Set the value to DescribeSuspEvents.

OfficeSiteId String Yes cn-hangzhou+dir-363353****

The ID of the workspace.

RegionId String Yes cn-hangzhou

The ID of the region.

Lang String No zh

The natural language of the request and response. Valid values:

  • zh: Chinese
  • en: English
Dealed String No N

The processing status of the exception. Valid values:

  • N: not processed
  • Y: processed
Levels String No serious

The severity level of the exception. Valid values:

  • serious
  • suspicious
  • remind
ParentEventType String No Webshell

The type of the alert event to which the exception is related.

AlarmUniqueInfo String No 8ff29a086e0ccf4507c55e4ec3af****

The ID of the alert event to which the exception is related.

CurrentPage Integer No 1

The number of the page to return. Pages start from page 1. Default value: 1.

PageSize Integer No 20

The maximum number of entries to return on each page. Default value: 20.

Response parameters

Parameter Type Example Description
CurrentPage Integer 1

The page number of the returned page.

PageSize String 20

The maximum number of entries returned per page.

RequestId String 54EF5D9E-6891-4D25-93A7-A09975C9D3AD

The ID of the request.

SuspEvents Array of SuspEvent

Details about exceptions.

AlarmEventName String Suspicious modification to auto-startup items

The name of the alert event to which the exception is related.

AlarmEventNameDisplay String Suspicious modification to auto-startup items

The description of the alert event to which the exception is related.

AlarmEventType String Suspicious process

The type of the alert event to which the exception is related.

AlarmEventTypeDisplay String Suspicious process

The description of the alert event type to which the exception is related.

AlarmUniqueInfo String 8ff29a086e0ccf4507c55e4ec3af****

The ID of the alert event to which the exception is related.

CanBeDealOnLine String false

Indicates whether the exception can be processed online. Valid values:

  • true: The exception can be processed online.
  • false: The exception cannot be processed online.
CanCancelFault Boolean false

Indicates whether the exception can be ignored. Valid values:

  • true: The exception can be ignored.
  • false: The exception cannot be ignored.
DataSource String aegis_suspicious_event

The source of data. This parameter can be ignored.

Desc String The threat detection model detected that a process was attempting to modify an auto-startup item on your server. The modification may be performed by attackers or trojans to maintain system permissions.

The impact of the exception.

DesktopId String ecd-blbmpzpqjdrdy****

The ID of the affected cloud desktop.

DesktopName String test

The name of the affected cloud desktop.

Details Array of Detail

Details about exceptions.

Name String ${suspicious.property.process_path}

The original property name.

NameDisplay String Process path

The property name displayed after the Name parameter was translated.

Type String text

The format in which the property value is displayed. The value can be plain text, HTML, or Markdown.

Value String N/A

The property value.

ValueDisplay String N/A

The property value displayed after the Value parameter was translated.

EventStatus Integer 1

The status of the exception. Valid values:

  • 1: PENDING
  • 2: IGNORE
  • 4: HANDLED
  • 8: FAULT
  • 16: DEALING
  • 32: DONE
  • 64: EXPIRE
EventSubType String Suspicious modification to auto-startup items

The name of the exception.

Id Long 19271054

The ID of the exception.

LastTime String 2021-05-14 14:27:51

The time when the exception last occurred. Format: yyyy-MM-dd HH:mm:ss.

Level String suspicious

The severity level of the exception. Valid values:

  • serious
  • suspicious
  • remind
Name String Suspicious processes - suspicious modification to auto-startup items

The complete name of the exception.

OccurrenceTime String 2021-05-13 22:54:17

The time when the exception first occurred. Format: yyyy-MM-dd HH:mm:ss.

OperateErrorCode String 1

The error code of the exception operation.

OperateMsg String success

The remarks of the exception operation.

UniqueInfo String ea154b41f2c4b4005cb130af0586****

The ID of the exception.

TotalCount Integer 1

The total number of exceptions that match the query, across all pages.

Examples

Sample requests

https://ecd.cn-hangzhou.aliyuncs.com/?Action=DescribeSuspEvents
&OfficeSiteId=cn-hangzhou+dir-363353****
&RegionId=cn-hangzhou
&<Common request parameters>

Sample success responses

XML format

<DescribeSuspEventsResponse>
      <TotalCount>1</TotalCount>
      <PageSize>20</PageSize>
      <RequestId>54EF5D9E-6891-4D25-93A7-A09975C9D3AD</RequestId>
      <CurrentPage>1</CurrentPage>
      <SuspEvents>
            <UniqueInfo>ea154b41f2c4b4005cb130af0586****</UniqueInfo>
            <CanCancelFault>false</CanCancelFault>
            <AlarmEventTypeDisplay>Suspicious processes</AlarmEventTypeDisplay>
            <OperateErrorCode>1</OperateErrorCode>
            <AlarmEventName>Suspicious modification to auto-startup items</AlarmEventName>
            <DesktopName>test</DesktopName>
            <EventStatus>1</EventStatus>
            <DesktopId>ecd-blbmpzpqjdrdy****</DesktopId>
            <EventSubType>Suspicious modification to auto-startup items</EventSubType>
            <DataSource>aegis_suspicious_event</DataSource>
            <Name>Suspicious processes - suspicious modification to auto-startup items</Name>
            <OccurrenceTime>2021-05-13 22:54:17</OccurrenceTime>
            <Desc>The threat detection model detected that a process was attempting to modify an auto-startup item on your server. The modification may be performed by attackers or trojans to maintain system permissions.</Desc>
            <CanBeDealOnLine>false</CanBeDealOnLine>
            <OperateMsg>success</OperateMsg>
            <AlarmEventType>Suspicious processes</AlarmEventType>
            <AlarmUniqueInfo>8ff29a086e0ccf4507c55e4ec3af****</AlarmUniqueInfo>
            <Level>suspicious</Level>
            <Id>19271054</Id>
            <AlarmEventNameDisplay>Suspicious modification to auto-startup items</AlarmEventNameDisplay>
            <LastTime>2021-05-14 14:27:51</LastTime>
            <Details>
                  <Type>text</Type>
                  <Value>N/A</Value>
                  <ValueDisplay>N/A</ValueDisplay>
                  <NameDisplay>Process path</NameDisplay>
                  <Name>${suspicious.property.process_path}</Name>
            </Details>
      </SuspEvents>
</DescribeSuspEventsResponse>

JSON format

{
    "TotalCount": 1,
    "PageSize": "20",
    "RequestId": "54EF5D9E-6891-4D25-93A7-A09975C9D3AD",
    "CurrentPage": 1,
    "SuspEvents": [{
        "UniqueInfo": "ea154b41f2c4b4005cb130af0586****",
        "CanCancelFault": false,
        "AlarmEventTypeDisplay": "Suspicious processes",
        "OperateErrorCode": "1",
        "AlarmEventName": "Suspicious modification to auto-startup items",
        "DesktopName": "test",
        "EventStatus": 1,
        "DesktopId": "ecd-blbmpzpqjdrdy****",
        "EventSubType": "Suspicious modification to auto-startup items",
        "DataSource": "aegis_suspicious_event",
        "Name": "Suspicious processes - suspicious modification to auto-startup items",
        "OccurrenceTime": "2021-05-13 22:54:17",
        "Desc": "The threat detection model detected that a process was attempting to modify an auto-startup item on your server. The modification may be performed by attackers or trojans to maintain system permissions.",
        "CanBeDealOnLine": "false",
        "OperateMsg": "success",
        "AlarmEventType": "Suspicious processes",
        "AlarmUniqueInfo": "8ff29a086e0ccf4507c55e4ec3af****",
        "Level": "suspicious",
        "Id": 19271054,
        "AlarmEventNameDisplay": "Suspicious modification to auto-startup items",
        "LastTime": "2021-05-14 14:27:51",
        "Details": [{
            "Type": "text",
            "Value": "N/A",
            "ValueDisplay": "N/A",
            "NameDisplay": "Process path",
            "Name": "${suspicious.property.process_path}"
        }]
    }]
}
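Consuming this response

The Python script below is an added example; it is not code from the ECD documentation or from the Alibaba Cloud SDK. It shows the three things a practitioner usually has to do with this operation: walk CurrentPage and PageSize until TotalCount is exhausted (stopping on an empty page so a stale TotalCount cannot loop forever), decode EventStatus into the documented names, and group exceptions under the alert event they belong to via AlarmUniqueInfo, as the description above says. It assumes a caller-supplied call(action, params) function that performs the signed request and returns the parsed JSON body; the fake_call shown here stands in for the service with pages built from the sample response above plus two constructed exceptions (IDs marked "constructed"). The function names iter_susp_events, group_by_alert, triage and run_example are the example's own, not part of the API.

```python
"""Client-side triage for DescribeSuspEvents responses.

Added example: this is not code from the ECD documentation or from the
Alibaba Cloud SDK. It assumes a caller-supplied ``call(action, params)``
function that performs the signed request and returns the parsed JSON
body; ``fake_call`` below stands in for it with constructed pages.
"""
from collections import defaultdict

# EventStatus values as documented for this operation.
EVENT_STATUS = {1: "PENDING", 2: "IGNORE", 4: "HANDLED", 8: "FAULT",
                16: "DEALING", 32: "DONE", 64: "EXPIRE"}
# Severity ordering for triage; the level strings are the documented ones.
LEVEL_RANK = {"serious": 3, "suspicious": 2, "remind": 1}


def iter_susp_events(call, office_site_id, region_id, page_size=20, **filters):
    """Yield every SuspEvent, advancing CurrentPage until TotalCount is reached.

    Extra keyword arguments (Dealed="N", Levels="serious", AlarmUniqueInfo=...)
    are passed through as request parameters.
    """
    seen, page = 0, 1
    while True:
        params = {"OfficeSiteId": office_site_id, "RegionId": region_id,
                  "CurrentPage": page, "PageSize": page_size, **filters}
        body = call("DescribeSuspEvents", params)
        events = body.get("SuspEvents") or []
        # Some responses quote numbers as strings; coerce before comparing.
        total = int(body.get("TotalCount", 0))
        yield from events
        seen += len(events)
        # Stop on an empty page too, so a stale TotalCount cannot loop forever.
        if not events or seen >= total:
            return
        page += 1


def status_name(event):
    """Map the numeric EventStatus to its documented name."""
    return EVENT_STATUS.get(int(event["EventStatus"]), "UNKNOWN")


def group_by_alert(events):
    """Group exceptions under the alert event (AlarmUniqueInfo) they belong to."""
    groups = defaultdict(list)
    for event in events:
        groups[event["AlarmUniqueInfo"]].append(event)
    return dict(groups)


def triage(events):
    """Return PENDING exceptions, most severe first, then most recent LastTime."""
    pending = [e for e in events if status_name(e) == "PENDING"]
    pending.sort(key=lambda e: (LEVEL_RANK.get(e["Level"], 0), e["LastTime"]),
                 reverse=True)
    return pending


# --- Constructed data standing in for the service -------------------------
# Fields copied from the sample response on this page; IDs are masked there.
SAMPLE_EVENT = {
    "UniqueInfo": "ea154b41f2c4b4005cb130af0586****",
    "Id": "19271054",
    "AlarmUniqueInfo": "8ff29a086e0ccf4507c55e4ec3af****",
    "AlarmEventName": "Suspicious modification to auto-startup items",
    "EventStatus": "1",
    "Level": "suspicious",
    "DesktopId": "ecd-blbmpzpqjdrdy****",
    "OccurrenceTime": "2021-05-13 22:54:17",
    "LastTime": "2021-05-14 14:27:51",
}


def _variant(**changes):
    event = dict(SAMPLE_EVENT)
    event.update(changes)
    return event


# Constructed: two exceptions under the sample alert event, one under another.
FAKE_EVENTS = [
    SAMPLE_EVENT,
    _variant(Id="19271055", UniqueInfo="constructed-exception-2",
             Level="serious", LastTime="2021-05-14 15:02:09"),
    _variant(Id="19271056", UniqueInfo="constructed-exception-3",
             AlarmUniqueInfo="constructed-alert-b", EventStatus="4",
             Level="remind"),
]


def fake_call(action, params):
    """Serve FAKE_EVENTS in pages; filters such as Dealed are ignored here."""
    assert action == "DescribeSuspEvents"
    page, size = int(params["CurrentPage"]), int(params["PageSize"])
    chunk = FAKE_EVENTS[(page - 1) * size: page * size]
    return {"TotalCount": str(len(FAKE_EVENTS)), "PageSize": str(size),
            "CurrentPage": str(page), "RequestId": "constructed-request-id",
            "SuspEvents": chunk}


def run_example(page_size=2):
    """Walk all pages of the fake service and triage what comes back."""
    events = list(iter_susp_events(fake_call, "cn-hangzhou+dir-363353****",
                                   "cn-hangzhou", page_size=page_size,
                                   Dealed="N"))
    return events, group_by_alert(events), triage(events)


if __name__ == "__main__":
    all_events, groups, pending = run_example()
    print(f"{len(all_events)} exceptions under {len(groups)} alert events")
    for e in pending:
        print(e["Level"], e["Id"], status_name(e), e["LastTime"])
```

To run this against the service, replace fake_call with a function that signs and sends the request, for example one built on the Alibaba Cloud SDK's CommonRequest (domain ecd.<region>.aliyuncs.com, action DescribeSuspEvents, JSON accept format) and returns the parsed body; the API version string to set there is not given on this page and must be taken from the SDK you use. Coercing TotalCount and EventStatus with int() is deliberate: the sample response on this page quotes them as strings while the parameter table declares them as integers, and a client should tolerate both.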