You can call this operation to query the details of an alert event.
An alert event is related to multiple exceptions. You can call this operation to query the details of an alert event.
Debugging
You can go to API Explorer to debug API operations online. API Explorer allows you to call API operations online, use dynamically generated SDK sample code, and search for API operations. This makes it easier to use cloud APIs.
Request parameters
| Name | Type | Required | Example | Description |
|---|---|---|---|---|
| Action | String | Yes | DescribeAlarmEventDetail |
The operation that you want to perform. Set the value to DescribeAlarmEventDetail. |
| AlarmUniqueInfo | String | Yes | 8df914418f4211fbf756efe7a6f40cbc |
The unique identifier of an alert event. |
| From | String | Yes | sas |
The identifier of the request source. The fixed value is sas. |
| Lang | String | No | zh |
The language in which the alert event details are displayed. Valid values:
|
| SourceIp | String | No | 1.1.1.1 |
The IP address of the request source. |
Response parameters
| Name | Type | Example | Description |
|---|---|---|---|
| Data |
The details of the alert event. |
||
| └AlarmEventAliasName | String | Suspicious Process - Command Exceptions in Scheduled Linux Tasks |
The complete name of the alert event. |
| └AlarmEventDesc | String | After accessing a victim server, the attacker may have imported malicious shell scripts into scheduled tasks such as crontab and systemd, to enable persistent execution of malicious backdoor programs. |
The description of the alert event. |
| └AlarmUniqueInfo | String | 8df914418f4211fbf756efe700000000 |
The unique identifier of the alert event. |
| └CanBeDealOnLine | Boolean | false |
Indicates whether this alert event can be quarantined online. |
| └CanCancelFault | Boolean | false |
Indicates whether you can cancel labelling this alert event as a false positive. |
| └CauseDetails |
The cause of the alert event. |
||
| └Key | String | item |
The format of the text. Valid values:
|
| └Value |
The value of the diagnosis information field. |
||
| └Name | String | Troubleshooting Solution |
The key of the diagnosis information field. |
| └Type | String | html |
The format of the diagnosis information field. |
| └Value | String | Check for the exploited pages of your Web services and vulnerabilities in parameter configuration, and resolve these issues. |
The value of the diagnosis information field. |
| └DataSource | String | aegis_suspicious_event |
The data source. |
| └EndTime | Long | 1542366542000 |
The time when the alert event ends. |
| └InstanceName | String | Test server |
The name of the affected asset. |
| └InternetIp | String | 10.0.0.0 |
The public IP address of the affected asset. |
| └IntranetIp | String | 10.0.0.0 |
The internal IP address of the affected asset. |
| └Level | String | serious |
The severity of the alert event. Valid values:
|
| └Solution | String | Check the malicious URLs that have been listed in the alert. Check the directory for malicious file downloads. Stop the malicious processes that are running. If you recognize this URL access request, label the alert as a false positive in the console, and submit a ticket. |
The solution for the alert event. |
| └StartTime | Long | 1542378601000 |
The time when the alert event starts. |
| └Type | String | Unusual network connection |
The type of the alert event. |
| └Uuid | String | 47900178-885d-4fa4-9d77-XXXXXXXXXXXX |
The unique identifier of the affected asset. |
| RequestId | String | 5A1DDB3C-798C-4A84-BF6E-3DC700000000 |
The GUID generated by Alibaba Cloud for the request. |
Examples
Sample requests
http(s)://[Endpoint]/? Action=DescribeAlarmEventDetail
&AlarmUniqueInfo=8df914418f4211fbf756efe7a6f40cbc
&From=sas
&<Common request parameters>
Successful response examples
XML format
<DescribeAlarmEventDetailResponse>
<Data>
<Uuid>47900178-885d-4fa4-9d77-XXXXXXXXXXXX</Uuid>
<AlarmEventAliasName>Suspicious Process - Command Exceptions in Scheduled Linux Tasks</AlarmEventAliasName>
<Type>Suspicious Process</Type>
<InternetIp>10.0.0.10</InternetIp>
<AlarmEventDesc>After accessing a victim server, the attacker may have imported malicious shell scripts into scheduled tasks such as crontab and systemd, to enable persistent execution of malicious backdoor programs. </AlarmEventDesc>
<IntranetIp>10.0.0.0</IntranetIp>
<CauseDetails>
<Value>
<Type>text</Type>
<Value>An attacker has logged on to your server and has written webshells by editing the configuration file.</Value>
<Name>Intrusion Cause</Name>
</Value>
<Value>
<Type>text</Type>
<Value>2018-11-16 19:09:02</Value>
<Name>Attack Time</Name>
</Value>
<Value>
<Type>text</Type>
<Value>N/A</Value>
<Name>Attack Source IP</Name>
</Value>
<Value>
<Type>text</Type>
<Value>N/A</Value>
<Name>Attack Payload</Name>
</Value>
<Value>
<Type>text</Type>
<Value>Check for the exploited pages of your Web services and vulnerabilities in parameter configuration, and resolve these issues. </Value>
<Name>Troubleshooting Solution</Name>
</Value>
<Key>item</Key>
</CauseDetails>
<Level>Urgency</Level>
<EndTime>1543741201000</EndTime>
<StartTime>1543312803000</StartTime>
<CanBeDealOnLine>false</CanBeDealOnLine>
<InstanceName>server01</InstanceName>
</Data>
<RequestId>5A1DDB3C-798C-4A84-BF6E-3DC7F7D7EB4A</RequestId>
</DescribeAlarmEventDetailResponse>
JSON format
{
"Data":{
"Uuid":"47900178-885d-4fa4-9d77-XXXXXXXXXXXX",
"AlarmEventDesc":"After accessing a victim server, the attacker may have imported malicious shell scripts into scheduled tasks such as crontab and systemd, to enable persistent execution of malicious backdoor programs.",
"AlarmEventAliasName":"Suspicious Process - Command Exceptions in Scheduled Linux Tasks",
"Type":"Suspicious Process",
"IntranetIp":"10.0.0.0",
"CauseDetails":[
{
"Value":[
{
"Name":"Intrusion Cause",
"Value":"An attacker has logged on to your server and has written webshells by editing the configuration file.",
"Type":"text"
},
{
"Name":"Attack Time",
"Value":"2018-11-16 19:09:02",
"Type":"text"
},
{
"Name":"Attack Source IP",
"Value":"N/A",
"Type":"text"
},
{
"Name":"Attack Payload",
"Value":"N/A",
"Type":"text"
},
{
"Name":"Troubleshooting Solution",
"Value":"Check for the exploited pages of your Web services and vulnerabilities in parameter configuration, and resolve these issues.",
"Type":"text"
}
],
"Key":"item"
}
],
"InternetIp":"10.0.0.10",
"EndTime":1543741201000,
"Level":"serious",
"StartTime":1543312803000,
"CanBeDealOnLine":false,
"InstanceName":"server01"
},
"RequestId":"5A1DDB3C-798C-4A84-BF6E-3DC7F7D7EB4A"
}