Queries the details of an intrusion event.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeRiskEventGroup

The operation that you want to perform. Set the value to DescribeRiskEventGroup.

DataType String Yes session

The type of risk events.

Default value: session. The value indicates intrusion events.

EndTime String Yes 1534408267

The end of the time range to query. The value is a UNIX timestamp. Unit: seconds.

StartTime String Yes 1534408189

The beginning of the time range to query. The value is a UNIX timestamp. Unit: seconds.

Lang String No zh

The natural language of the request and response. Valid values:

  • zh: Chinese (default)
  • en: English
Direction String No in

The direction of the traffic for the intrusion events. Valid values:

  • in: inbound
  • out: outbound
Note If you do not specify this parameter, the intrusion events in both inbound and outbound traffic are queried.
PageSize String No 6

The number of entries to return on each page.

Default value: 6.

CurrentPage String No 1

The number of the page to return.

Pages start from page 1. Default value: 1.

RuleSource String No 1

The module of the rule that is used to detect the intrusion events. Valid values:

  • 1: basic protection
  • 2: virtual patching
  • 4: threat intelligence
Note If you do not specify this parameter, the intrusion events that are detected by all rules are queried.
RuleResult String No 1

The status of the firewall. Valid values:

  • 1: alerting
  • 2: blocking
Note If you do not specify this parameter, the intrusion events that are detected by all firewalls are queried.
SrcIP String No 1.2.XX.XX

The source IP address to query. If you specify this parameter, only the intrusion events from the specified source IP address are queried.

DstIP String No 2.3.XX.XX

The destination IP address to query. If you specify this parameter, only the intrusion events with the specified destination IP address are queried.

VulLevel String No 1

The risk level of the intrusion events. Valid values:

  • 1: low
  • 2: medium
  • 3: high
Note If you do not specify this parameter, the intrusion events at all risk levels are queried.
FirewallType String No InternetFirewall

The type of the firewall. Valid values:

  • VpcFirewall: Virtual Private Cloud (VPC) firewall
  • InternetFirewall: Internet firewall (default)
SrcNetworkInstanceId String No vpc-uf6e9a9zyokj2ywuo****

The ID of the source VPC.

Note This parameter takes effect only when FirewallType is set to VpcFirewall.
DstNetworkInstanceId String No vpc-uf6e9a9zyokj2ywuo****

The ID of the destination VPC.

Note This parameter takes effect only when FirewallType is set to VpcFirewall.
AttackType String No 1

The attack type of the intrusion event. Valid values:

  • 1: suspicious connection
  • 2: command execution
  • 3: brute-force attack
  • 4: scanning
  • 5: others
  • 6: information leak
  • 7: denial-of-service (DoS) attack
  • 8: buffer overflow attack
  • 9: web attack
  • 10: trojan backdoor
  • 11: computer worm
  • 12: mining
  • 13: reverse shell
Note If you do not specify this parameter, the intrusion events of all attack types are queried.
AttackApp String No MySql

The name of the attacked application.

NoLocation String No false

Specifies whether to query the information about the geographical locations of IP addresses.

  • true: does not query the information about the geographical locations of IP addresses.
  • false: queries the information about the geographical locations of IP addresses. This is the default value.

All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common parameters.

For more information about sample requests, see the "Examples" section of this topic.
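The following Python example is added here and is not Alibaba Cloud documentation or SDK code. It assembles the operation-specific parameters listed in the table above and checks them against the documented valid values before anything is sent: a filter the service would ignore (an unknown value, or SrcNetworkInstanceId without FirewallType=VpcFirewall) returns a broader set of events than intended, so it is rejected on the client side instead. The function names build_risk_event_query and query_string are this example's own; the common request parameters and the signature are left to the SDK or OpenAPI Explorer, as the "<Common request parameters>" placeholder in the sample request indicates.

```python
"""Assemble a validated DescribeRiskEventGroup query (added example, not SDK code)."""
from urllib.parse import urlencode

ACTION = "DescribeRiskEventGroup"

# Allowed values, copied from the request parameter table above.
ENUMS = {
    "Lang": {"zh", "en"},
    "Direction": {"in", "out"},
    "RuleSource": {"1", "2", "4"},
    "RuleResult": {"1", "2"},
    "VulLevel": {"1", "2", "3"},
    "AttackType": {str(i) for i in range(1, 14)},
    "FirewallType": {"VpcFirewall", "InternetFirewall"},
    "NoLocation": {"true", "false"},
}
# Free-form filters (IP addresses, application name, VPC IDs).
FREE_TEXT = {"SrcIP", "DstIP", "AttackApp", "SrcNetworkInstanceId", "DstNetworkInstanceId"}
# Documented as taking effect only when FirewallType is VpcFirewall.
VPC_ONLY = {"SrcNetworkInstanceId", "DstNetworkInstanceId"}


def build_risk_event_query(start_time, end_time, page_size=6, current_page=1, **filters):
    """Return the operation-specific query parameters as a dict of strings.

    Raises ValueError instead of sending a request whose filters the service
    would silently ignore, because an ignored filter returns a broader set of
    events than the caller asked for.
    """
    start, end = int(start_time), int(end_time)
    if start < 0 or end < start:
        raise ValueError("StartTime and EndTime must be UNIX seconds with StartTime <= EndTime")
    if int(page_size) < 1 or int(current_page) < 1:
        raise ValueError("PageSize and CurrentPage must be at least 1")

    params = {
        "Action": ACTION,
        "DataType": "session",          # the only documented value: intrusion events
        "StartTime": str(start),
        "EndTime": str(end),
        "PageSize": str(int(page_size)),
        "CurrentPage": str(int(current_page)),
    }
    for name, value in filters.items():
        if value is None:
            continue
        if isinstance(value, bool):     # NoLocation expects the literal "true"/"false"
            value = "true" if value else "false"
        value = str(value).strip()
        if name in ENUMS:
            if value not in ENUMS[name]:
                raise ValueError(f"{name}={value!r} is not one of {sorted(ENUMS[name])}")
        elif name in FREE_TEXT:
            if not value:
                raise ValueError(f"{name} must not be empty")
        else:
            raise ValueError(f"{name} is not a DescribeRiskEventGroup parameter")
        params[name] = value

    if params.get("FirewallType", "InternetFirewall") != "VpcFirewall" and VPC_ONLY.intersection(params):
        raise ValueError("Src/DstNetworkInstanceId take effect only when FirewallType=VpcFirewall")
    return params


def query_string(params):
    """Render the parameters in the form shown under "Sample requests" (the common
    parameters and the signature still have to be added by the SDK)."""
    return urlencode(sorted(params.items()))
```

A call such as build_risk_event_query(1534408189, 1534408267, Direction="in", VulLevel=3) yields the same Action, DataType, StartTime and EndTime values as the sample request below, plus the two filters; every value is emitted as a string because the table declares each request parameter as String.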

Response parameters

Parameter Type Example Description
DataList Array of Data

The details of the intrusion event.

AttackApp String MySql

The name of the attacked application.

AttackType Integer 1

The attack type of the intrusion event. Valid values:

  • 1: suspicious connection
  • 2: command execution
  • 3: brute-force attack
  • 4: scanning
  • 5: others
  • 6: information leak
  • 7: DoS attack
  • 8: buffer overflow attack
  • 9: web attack
  • 10: trojan backdoor
  • 11: computer worm
  • 12: mining
  • 13: reverse shell
Description String Path traversal attacks are detected in the web access requests over HTTP.

The description of the intrusion event.

Direction String in

The direction of the traffic for the intrusion event. Valid values:

  • in: inbound
  • out: outbound
DstIP String 1.2.XX.XX

The destination IP address of the intrusion events.

EventCount Integer 100

The number of intrusion events.

EventId String 2b58efae-4c4b-4d96-9544-a586fb1f****

The ID of the intrusion event.

EventName String Path traversal attack

The name of the intrusion event.

FirstEventTime Integer 1534408189

The time when the intrusion event was first detected. The value is a UNIX timestamp. Unit: seconds.

IPLocationInfo Struct

The information about the geographical location of the IP address.

CityId String 510100

The ID of the city.

CityName String Chengdu, Sichuan Province

The name of the city.

CountryId String CN

The ID of the country.

CountryName String China

The name of the country.

LastEventTime Integer 1534408267

The time when the intrusion event was last detected. The value is a UNIX timestamp. Unit: seconds.

ResourcePrivateIPList Array of ResourcePrivateIPListItem

The private IP addresses of the intrusion event.

RegionNo String cn-hangzhou

The ID of the region to which the private IP address belongs.

ResourceInstanceId String i-wz92jf4scg2zb74p****

The ID of the instance that uses the private IP address.

ResourceInstanceName String LD-shenzhen-zy****

The name of the instance that uses the private IP address.

ResourcePrivateIP String 10.255.XX.XX

The private IP address.

ResourceType String EcsPublicIP

The type of the public IP address in the intrusion event. Valid values:

  • EIP: the elastic IP address (EIP)
  • EcsPublicIP: the public IP address of an Elastic Compute Service (ECS) instance
  • EcsEIP: the EIP of an ECS instance
  • NatPublicIP: the public IP address of a Network Address Translation (NAT) gateway
  • NatEIP: the EIP of a NAT gateway
RuleId String 1000****

The ID of the rule that is used to detect the intrusion event.

RuleResult Integer 2

The status of the firewall. Valid values:

  • 1: alerting
  • 2: blocking
RuleSource Integer 1

The module of the rule that is used to detect the intrusion event. Valid values:

  • 1: basic protection
  • 2: virtual patching
  • 4: threat intelligence
SrcIP String 1.1.XX.XX

The source IP address of the intrusion events.

SrcPrivateIPList List ["192.168.XX.XX","192.168.XX.XX"]

The source private IP addresses of the intrusion event.

Note The value of this parameter is returned only when you set Direction to out.
Tag String Threat intelligence provided for major events

The tag added to the threat intelligence that is provided for major events.

VpcDstInfo Struct

The information about the destination VPC of the intrusion event.

EcsInstanceId String i-wz92jf4scg2zb74p****

The ID of the ECS instance.

EcsInstanceName String LD-shenzhen-zy****

The name of the ECS instance.

NetworkInstanceId String vpc-uf6e9a9zyokj2ywuo****

The ID of the VPC.

NetworkInstanceName String VPC-SH-TX****

The name of the VPC.

RegionNo String cn-hangzhou

The ID of the region in which the destination VPC resides.

VpcSrcInfo Struct

The information about the source VPC of the intrusion event.

EcsInstanceId String i-wz92jf4scg2zb74p****

The ID of the ECS instance.

EcsInstanceName String LD-shenzhen-zy****

The name of the ECS instance.

NetworkInstanceId String vpc-uf6e9a9zyokj2ywuo****

The ID of the VPC.

NetworkInstanceName String VPC-SH-TX****

The name of the VPC.

RegionNo String cn-hangzhou

The ID of the region in which the source VPC resides.

VulLevel Integer 1

The risk level of the intrusion event. Valid values:

  • 1: low
  • 2: medium
  • 3: high
RequestId String B14757D0-4640-4B44-AC67-7F558FE7E6EF

The ID of the request.

TotalCount Integer 20

The total number of risk events.

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeRiskEventGroup
&DataType=session
&EndTime=1534408267
&StartTime=1534408189
&<Common request parameters>

Sample success responses

XML format

<DescribeRiskEventGroupResponse>
  <DataList>
        <RuleSource>1</RuleSource>
        <Description>Path traversal attacks are detected in the web access requests over HTTP. </Description>
        <FirstEventTime>1534408189</FirstEventTime>
        <EventCount>100</EventCount>
        <RuleId>1000****</RuleId>
        <AttackType>1</AttackType>
        <ResourceType>EcsPublicIP</ResourceType>
        <RuleResult>2</RuleResult>
        <EventName>Path traversal attack</EventName>
        <Direction>in</Direction>
        <SrcIP>1.1.XX.XX</SrcIP>
        <DstIP>1.2.XX.XX</DstIP>
        <EventId>2b58efae-4c4b-4d96-9544-a586fb1f****</EventId>
        <Tag>Threat intelligence provided for major events</Tag>
        <LastEventTime>1534408267</LastEventTime>
        <AttackApp>MySql</AttackApp>
        <VulLevel>1</VulLevel>
        <ResourcePrivateIPList>
              <RegionNo>cn-hangzhou</RegionNo>
              <ResourcePrivateIP>10.255.XX.XX</ResourcePrivateIP>
              <ResourceInstanceName>LD-shenzhen-zy****</ResourceInstanceName>
              <ResourceInstanceId>i-wz92jf4scg2zb74p****</ResourceInstanceId>
        </ResourcePrivateIPList>
        <SrcPrivateIPList>["192.168.XX.XX","192.168.XX.XX"]</SrcPrivateIPList>
        <VpcSrcInfo>
              <EcsInstanceName>LD-shenzhen-zy****</EcsInstanceName>
              <EcsInstanceId>i-wz92jf4scg2zb74p****</EcsInstanceId>
              <RegionNo>cn-hangzhou</RegionNo>
              <NetworkInstanceId>vpc-uf6e9a9zyokj2ywuo****</NetworkInstanceId>
              <NetworkInstanceName>VPC-SH-TX****</NetworkInstanceName>
        </VpcSrcInfo>
        <VpcDstInfo>
              <EcsInstanceName>LD-shenzhen-zy****</EcsInstanceName>
              <EcsInstanceId>i-wz92jf4scg2zb74p****</EcsInstanceId>
              <RegionNo>cn-hangzhou</RegionNo>
              <NetworkInstanceId>vpc-uf6e9a9zyokj2ywuo****</NetworkInstanceId>
              <NetworkInstanceName>VPC-SH-TX****</NetworkInstanceName>
        </VpcDstInfo>
        <IPLocationInfo>
              <CountryId>CN</CountryId>
              <CityId>510100</CityId>
              <CountryName>China</CountryName>
              <CityName>Chengdu, Sichuan Province</CityName>
        </IPLocationInfo>
  </DataList>
  <TotalCount>20</TotalCount>
  <RequestId>B14757D0-4640-4B44-AC67-7F558FE7E6EF</RequestId>
</DescribeRiskEventGroupResponse>

JSON format

{
    "DataList": {
        "RuleSource": 1,
        "Description": "Path traversal attacks are detected in the web access requests over HTTP.",
        "FirstEventTime": 1534408189,
        "EventCount": 100,
        "RuleId": "1000****",
        "AttackType": 1,
        "ResourceType": "EcsPublicIP",
        "RuleResult": 2,
        "EventName": "Path traversal attack",
        "Direction": "in",
        "SrcIP": "1.1.XX.XX",
        "DstIP": "1.2.XX.XX",
        "EventId": "2b58efae-4c4b-4d96-9544-a586fb1f****",
        "Tag": "Threat intelligence provided for major events",
        "LastEventTime": 1534408267,
        "AttackApp": "MySql",
        "VulLevel": 1,
        "ResourcePrivateIPList": {
            "RegionNo": "cn-hangzhou",
            "ResourcePrivateIP": "10.255.XX.XX",
            "ResourceInstanceName": "LD-shenzhen-zy****",
            "ResourceInstanceId": "i-wz92jf4scg2zb74p****"
        },
        "SrcPrivateIPList": "[\"192.168.XX.XX\",\"192.168.XX.XX\"]",
        "VpcSrcInfo": {
            "EcsInstanceName": "LD-shenzhen-zy****",
            "EcsInstanceId": "i-wz92jf4scg2zb74p****",
            "RegionNo": "cn-hangzhou",
            "NetworkInstanceId": "vpc-uf6e9a9zyokj2ywuo****",
            "NetworkInstanceName": "VPC-SH-TX****"
        },
        "VpcDstInfo": {
            "EcsInstanceName": "LD-shenzhen-zy****",
            "EcsInstanceId": "i-wz92jf4scg2zb74p****",
            "RegionNo": "cn-hangzhou",
            "NetworkInstanceId": "vpc-uf6e9a9zyokj2ywuo****",
            "NetworkInstanceName": "VPC-SH-TX****"
        },
        "IPLocationInfo": {
            "CountryId": "CN",
            "CityId": 510100,
            "CountryName": "China",
            "CityName": "Chengdu, Sichuan Province"
        }
    },
    "TotalCount": 20,
    "RequestId": "B14757D0-4640-4B44-AC67-7F558FE7E6EF"
}
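The following Python example is added here and is not Alibaba Cloud documentation or SDK code. It decodes a response into records an analyst can act on: the numeric AttackType, RuleSource, RuleResult and VulLevel codes are mapped to the labels from the response parameter table, the UNIX timestamps are rendered in UTC, and SrcPrivateIPList, which the JSON sample returns as a JSON-encoded string rather than an array, is parsed into a list. DataList is handled both as an array (as documented) and as a single object (as in the sample). SAMPLE_RESPONSE reproduces the fields of the JSON sample above; CONSTRUCTED_EVENT and the needs_review rule (flag anything the firewall only alerted on, plus anything rated high) are this example's own assumptions, as are the function names.

```python
"""Decode a DescribeRiskEventGroup response into triage records (added example, not SDK code)."""
import json
from collections import Counter
from datetime import datetime, timezone

# Code tables, copied from the response parameter descriptions above.
ATTACK_TYPES = {
    1: "suspicious connection", 2: "command execution", 3: "brute-force attack",
    4: "scanning", 5: "others", 6: "information leak", 7: "DoS attack",
    8: "buffer overflow attack", 9: "web attack", 10: "trojan backdoor",
    11: "computer worm", 12: "mining", 13: "reverse shell",
}
RULE_SOURCES = {1: "basic protection", 2: "virtual patching", 4: "threat intelligence"}
RULE_RESULTS = {1: "alerting", 2: "blocking"}
VUL_LEVELS = {1: "low", 2: "medium", 3: "high"}

# Fields of the page's JSON sample response that this example uses.
SAMPLE_RESPONSE = {
    "TotalCount": 20,
    "RequestId": "B14757D0-4640-4B44-AC67-7F558FE7E6EF",
    "DataList": {  # a single object here, exactly as in the sample
        "EventId": "2b58efae-4c4b-4d96-9544-a586fb1f****",
        "EventName": "Path traversal attack",
        "AttackType": 1, "RuleSource": 1, "RuleResult": 2, "VulLevel": 1,
        "Direction": "in", "SrcIP": "1.1.XX.XX", "DstIP": "1.2.XX.XX",
        "FirstEventTime": 1534408189, "LastEventTime": 1534408267, "EventCount": 100,
        "SrcPrivateIPList": "[\"192.168.XX.XX\",\"192.168.XX.XX\"]",
    },
}
# Constructed for this example: an outbound event the firewall only alerted on.
CONSTRUCTED_EVENT = {
    "EventId": "constructed-0001", "EventName": "Constructed outbound event",
    "AttackType": 12, "RuleSource": 4, "RuleResult": 1, "VulLevel": 3,
    "Direction": "out", "SrcIP": "10.0.XX.XX", "DstIP": "203.0.113.XX",
    "FirstEventTime": 1534408189, "LastEventTime": 1534408189, "EventCount": 1,
    "SrcPrivateIPList": ["10.0.XX.XX"],
}


def as_list(value):
    """DataList is documented as an array, but the sample returns one object."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def decode_private_ips(value):
    """SrcPrivateIPList is a JSON-encoded string in the sample; accept a list too."""
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except ValueError:
            return []
    return [str(ip) for ip in as_list(value)]


def to_iso_utc(ts):
    """Render a UNIX timestamp in seconds as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def decode_event(raw):
    """Translate one DataList entry into a labelled triage record."""
    first, last = int(raw["FirstEventTime"]), int(raw["LastEventTime"])
    rec = {
        "event_id": raw.get("EventId"),
        "name": raw.get("EventName"),
        "attack_type": ATTACK_TYPES.get(int(raw.get("AttackType", 0)), "unknown"),
        "rule_source": RULE_SOURCES.get(int(raw.get("RuleSource", 0)), "unknown"),
        "rule_result": RULE_RESULTS.get(int(raw.get("RuleResult", 0)), "unknown"),
        "vul_level": VUL_LEVELS.get(int(raw.get("VulLevel", 0)), "unknown"),
        "direction": raw.get("Direction"),
        "src_ip": raw.get("SrcIP"),
        "dst_ip": raw.get("DstIP"),
        "src_private_ips": decode_private_ips(raw.get("SrcPrivateIPList")),
        "first_seen": to_iso_utc(first),
        "last_seen": to_iso_utc(last),
        "duration_s": last - first,
        "event_count": int(raw.get("EventCount", 0)),
    }
    # Review rule (this example's choice): anything the firewall did not block,
    # and anything rated high, goes to an analyst regardless of the block action.
    rec["needs_review"] = rec["rule_result"] != "blocking" or rec["vul_level"] == "high"
    return rec


def triage(response):
    """Summarise one page of results; compare TotalCount with PageSize to page on."""
    events = [decode_event(e) for e in as_list(response.get("DataList"))]
    return {
        "total_count": int(response.get("TotalCount", 0)),
        "returned": len(events),
        "by_attack_type": dict(Counter(e["attack_type"] for e in events)),
        "needs_review": [e for e in events if e["needs_review"]],
        "events": events,
    }
```

Running triage(SAMPLE_RESPONSE) decodes the sample event as a blocked, low-risk "suspicious connection" seen 100 times over 78 seconds, so it is not flagged; the constructed outbound event, which was only alerted on and rated high, is the one that lands in needs_review. TotalCount (20) against the single returned entry shows that further pages would have to be fetched with CurrentPage.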