Queries the details of an alert event. An alert event consists of alerts and exceptions. Each alert event is related to multiple exceptions.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeAlarmEventDetail

The operation that you want to perform.

Set the value to DescribeAlarmEventDetail.

AlarmUniqueInfo String Yes 8df914418f4211fbf756efe7a6f4****

The ID of the alert event.

Note To query the details of an alert event, you must specify the ID of the alert event. You can call the DescribeAlarmEventList operation to query the IDs of alert events.
From String Yes sas

The ID of the request source. Set the value to sas.

SourceIp String No 1.2.3.4

The source IP address of the request.

Lang String No zh

The natural language of the request and response. Valid values:

  • zh: Chinese
  • en: English
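The request above is an RPC-style query: the operation-specific parameters from the table are merged with the common request parameters, the whole set is signed, and the result is sent as a GET. The following Python example is added here and is not part of this page or of any Alibaba Cloud SDK. It validates the documented parameters (AlarmUniqueInfo required, From fixed to sas, Lang restricted to zh/en, SourceIp must parse as an IP address) and then builds a signed URL. The API version (2018-12-03), the endpoint (tds.aliyuncs.com) and the HMAC-SHA1 signature scheme are assumptions about the common request parameters, which this page only references as `<Common request parameters>`; the credential values are placeholders.

```python
import base64
import hashlib
import hmac
import ipaddress
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

# Values taken from this page's request-parameter table.
ACTION = "DescribeAlarmEventDetail"
VALID_LANGS = {"zh", "en"}

# Assumptions, not stated on this page: the Security Center API version,
# the endpoint, and the RPC-style HMAC-SHA1 signing of the query string.
API_VERSION = "2018-12-03"
ENDPOINT = "https://tds.aliyuncs.com"


def percent_encode(value):
    """RFC 3986 encoding as the signature scheme requires: space -> %20, * -> %2A, ~ kept."""
    return quote(str(value), safe="")


def build_business_params(alarm_unique_info, lang=None, source_ip=None):
    """Validate and assemble the operation-specific parameters documented above."""
    if not alarm_unique_info:
        raise ValueError("AlarmUniqueInfo is required; obtain it from DescribeAlarmEventList")
    params = {"Action": ACTION, "AlarmUniqueInfo": alarm_unique_info, "From": "sas"}
    if lang is not None:
        if lang not in VALID_LANGS:
            raise ValueError(f"Lang must be one of {sorted(VALID_LANGS)}")
        params["Lang"] = lang
    if source_ip is not None:
        ipaddress.ip_address(source_ip)  # raises ValueError on a malformed address
        params["SourceIp"] = source_ip
    return params


def string_to_sign(params, http_method="GET"):
    """Canonicalize: sort by key, encode key and value, then encode the joined string."""
    canonical = "&".join(f"{percent_encode(k)}={percent_encode(params[k])}" for k in sorted(params))
    return f"{http_method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign(params, access_key_secret, http_method="GET"):
    """HMAC-SHA1 over the string-to-sign, keyed with the secret plus a trailing '&' (assumed scheme)."""
    digest = hmac.new((access_key_secret + "&").encode("utf-8"),
                      string_to_sign(params, http_method).encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_request_url(business_params, access_key_id, access_key_secret, timestamp=None, nonce=None):
    """Merge common parameters, sign everything except Signature itself, and return the GET URL."""
    common = {
        "Format": "JSON",
        "Version": API_VERSION,
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or uuid.uuid4().hex,  # fresh per request to defeat replay
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    params = {**common, **business_params}
    params["Signature"] = sign(params, access_key_secret)
    query = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in params.items())
    return f"{ENDPOINT}/?{query}"


if __name__ == "__main__":
    business = build_business_params("8df914418f4211fbf756efe7a6f4****", lang="en")
    # Placeholder credentials; nothing is sent over the network here.
    print(build_request_url(business, "ACCESS_KEY_ID_PLACEHOLDER", "ACCESS_KEY_SECRET_PLACEHOLDER"))
```

The secret never leaves the client: only the HMAC output travels in the `Signature` parameter, so a captured URL cannot be reused to sign a different request, and the nonce plus timestamp limit replay of the same one.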

Response parameters

Parameter Type Example Description
Data Struct

The details of the alert event.

AlarmEventAliasName String Suspicious process behavior - Execution of suspicious commands in scheduled Linux tasks

The complete name of the alert event.

AlarmEventDesc String After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep the malicious programs running. The scheduled tasks include crontab and systemd.

The description of the alert event.

AlarmUniqueInfo String 8df914418f4211fbf756efe70000****

The ID of the alert event.

CanBeDealOnLine Boolean false

Indicates whether online processing of the alert event is supported, such as blocking the alert, adding the alert to the whitelist, and ignoring the alert. Valid values:

  • true: Online processing is supported.
  • false: Online processing is not supported.

CanCancelFault Boolean false

Indicates whether you can cancel marking this alert event as a false positive. Valid values:

  • true: You can cancel marking this alert event as a false positive.
  • false: You cannot cancel marking this alert event as a false positive.

CauseDetails Array of CauseDetail

The cause of the alert event, which can be used to trace the alert.

Key String html

The format of the alert event details. Valid values:

  • text
  • html

Value Array of Value

The value of the field that displays the information used to trace alerts.

Name String Solutions

The name of the field that displays the information used to trace alerts.

Type String html

The format of the field that displays the information used to trace alerts. Valid values:

  • text
  • html

Value String Check for the exploited pages of your web services and vulnerabilities in parameter configuration, and resolve these issues.

The value of the field that displays the information used to trace alerts.

ContainHwMode Boolean true

Indicates whether the Safeguard Mode For Major Activities mode is enabled for the server. Valid values:

  • true: The mode is enabled.
  • false: The mode is disabled.

DataSource String aegis_***

The source of data.

Note This parameter is deprecated.

EndTime Long 1542366542000

The end time of the alert event.

InstanceName String Test server

The name of the associated instance.

InternetIp String 1.2.3.1

The public IP address of the associated instance.

IntranetIp String 1.2.3.5

The private IP address of the associated instance.

Level String serious

The risk level of the alert event. Valid values:

  • serious
  • suspicious
  • remind

Solution String Check the malicious URLs that are listed in the alert. Check the directory for malicious file downloads. Stop the malicious processes that are running. If you trust the processes, mark the alert as a false positive in the console, and submit a ticket to notify security engineers.

The solution to the alert event.

StartTime Long 1542378601000

The timestamp when the alert event was detected.

Type String Suspicious network connection

The type of the alert event. Valid values:

  • Suspicious Process
  • Webshell
  • Unusual Logon
  • Suspicious Event
  • Sensitive File Tampering
  • Malicious Process
  • Suspicious Network Connection
  • Other
  • Suspicious Account
  • Application intrusion event
  • Cloud threat detection
  • Precision defense
  • Application Whitelist
  • Persistence
  • Web Application Threat Detection
  • Malicious scripts
  • Threat intelligence
  • Malicious Network Activity

Uuid String 47900178-885d-4fa4-9d77-XXXXXXXXXXXX

The ID of the associated instance.

RequestId String 5A1DDB3C-798C-4A84-BF6E-3DC700000000

The ID of the request.

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeAlarmEventDetail
&AlarmUniqueInfo=8df914418f4211fbf756efe7a6f4****
&From=sas
&<Common request parameters>

Sample success responses

XML format

<DescribeAlarmEventDetailResponse>
      <RequestId>5A1DDB3C-798C-4A84-BF6E-3DC700000000</RequestId>
      <Data>
            <CanCancelFault>false</CanCancelFault>
            <EndTime>1542366542000</EndTime>
            <ContainHwMode>true</ContainHwMode>
            <CauseDetails>
                  <Key>html</Key>
            </CauseDetails>
            <CauseDetails>
                  <Value>
                        <Type>html</Type>
                        <Value>Check for the exploited pages of your web services and vulnerabilities in parameter configuration, and resolve these issues. </Value>
                        <Name>Solutions</Name>
                  </Value>
            </CauseDetails>
            <StartTime>1542378601000</StartTime>
            <IntranetIp>1.2.3.5</IntranetIp>
            <DataSource>aegis_***</DataSource>
            <InstanceName>Test server</InstanceName>
            <Type>Suspicious network connection</Type>
            <CanBeDealOnLine>false</CanBeDealOnLine>
            <Uuid>47900178-885d-4fa4-9d77-XXXXXXXXXXXX</Uuid>
            <InternetIp>1.2.3.1</InternetIp>
            <AlarmEventDesc>After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep the malicious programs running. The scheduled tasks include crontab and systemd. </AlarmEventDesc>
            <AlarmUniqueInfo>8df914418f4211fbf756efe70000****</AlarmUniqueInfo>
            <Level>serious</Level>
            <AlarmEventAliasName>Suspicious process behavior - Execution of suspicious commands in scheduled Linux tasks</AlarmEventAliasName>
            <Solution>Check the malicious URLs that are listed in the alert. Check the directory for malicious file downloads. Stop the malicious processes that are running. If you trust the processes, mark the alert as a false positive in the console, and submit a ticket to notify security engineers. </Solution>
      </Data>
</DescribeAlarmEventDetailResponse>

JSON format

{
    "RequestId": "5A1DDB3C-798C-4A84-BF6E-3DC700000000",
    "Data": {
        "CanCancelFault": "false",
        "EndTime": "1542366542000",
        "ContainHwMode": "true",
        "CauseDetails": [{
            "Key": "html"
        }, {
            "Value": [{
                "Type": "html",
                "Value": "Check for the exploited pages of your web services and vulnerabilities in parameter configuration, and resolve these issues.",
                "Name": "Solutions"
            }]
        }],
        "StartTime": "1542378601000",
        "IntranetIp": "1.2.3.5",
        "DataSource": "aegis_***",
        "InstanceName": "Test server",
        "EventType": "Suspicious network connection",
        "CanBeDealOnLine": "false",
        "Uuid": "47900178-885d-4fa4-9d77-XXXXXXXXXXXX",
        "InternetIp": "1.2.3.1",
        "AlarmEventDesc": "After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep the malicious programs running. The scheduled tasks include crontab and systemd.",
        "AlarmUniqueInfo": "8df914418f4211fbf756efe70000****",
        "Level": "serious",
        "AlarmEventAliasName": "Suspicious process behavior - Execution of suspicious commands in scheduled Linux tasks",
        "Solution": "Check the malicious URLs that have been listed in the alert. Check the directory for malicious file downloads. Stop the malicious processes that are running. If you trust the processes, mark the alert as a false positive in the console, and submit a ticket to notify security engineers."
    }
}
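A consumer of this response has to cope with a few things the parameter table does not spell out: the sample serializes Boolean and Long values as strings, CauseDetails arrives as separate entries for Key and for Value, and the event type appears as Type in the table and XML sample but as EventType in the JSON sample. The Python below is an added example, not code from this page or from Alibaba Cloud. It embeds a copy of the JSON success response above as constructed input, normalizes the types, merges CauseDetails, and produces a one-line triage summary. The severity ordering of the Level values (serious above suspicious above remind) and all function names are this example's own assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed input: a copy of the JSON success response shown on this page.
SAMPLE_RESPONSE = r'''{
    "RequestId": "5A1DDB3C-798C-4A84-BF6E-3DC700000000",
    "Data": {
        "CanCancelFault": "false",
        "EndTime": "1542366542000",
        "ContainHwMode": "true",
        "CauseDetails": [{"Key": "html"}, {"Value": [{
            "Type": "html",
            "Value": "Check for the exploited pages of your web services and vulnerabilities in parameter configuration, and resolve these issues.",
            "Name": "Solutions"}]}],
        "StartTime": "1542378601000",
        "IntranetIp": "1.2.3.5",
        "DataSource": "aegis_***",
        "InstanceName": "Test server",
        "EventType": "Suspicious network connection",
        "CanBeDealOnLine": "false",
        "Uuid": "47900178-885d-4fa4-9d77-XXXXXXXXXXXX",
        "InternetIp": "1.2.3.1",
        "AlarmEventDesc": "After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep the malicious programs running. The scheduled tasks include crontab and systemd.",
        "AlarmUniqueInfo": "8df914418f4211fbf756efe70000****",
        "Level": "serious",
        "AlarmEventAliasName": "Suspicious process behavior - Execution of suspicious commands in scheduled Linux tasks",
        "Solution": "Check the malicious URLs that have been listed in the alert. Check the directory for malicious file downloads. Stop the malicious processes that are running. If you trust the processes, mark the alert as a false positive in the console, and submit a ticket to notify security engineers."
    }
}'''

# Assumed ranking of the documented Level values; the page lists them without an order.
LEVEL_ORDER = {"remind": 1, "suspicious": 2, "serious": 3}


def as_bool(value):
    """Accept a real JSON boolean or the string form seen in the sample; reject anything else."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"not a boolean: {value!r}")


def as_epoch_ms(value):
    """The Long timestamps are epoch milliseconds, possibly serialized as strings."""
    return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)


def merge_cause_details(entries):
    """Fold the Key-only and Value-only CauseDetails entries into one record."""
    fmt, fields = None, []
    for entry in entries:
        if "Key" in entry:
            fmt = entry["Key"]
        for item in entry.get("Value", []):
            fields.append({"Name": item.get("Name"), "Type": item.get("Type"), "Value": item.get("Value")})
    return {"Key": fmt, "Fields": fields}


def parse_alert_event(raw):
    """Turn the raw response into typed fields a responder or a SIEM pipeline can use."""
    doc = json.loads(raw)
    d = doc["Data"]
    level = d["Level"]
    if level not in LEVEL_ORDER:
        raise ValueError(f"unexpected Level: {level!r}")
    return {
        "RequestId": doc["RequestId"],
        "AlarmUniqueInfo": d["AlarmUniqueInfo"],
        "Name": d["AlarmEventAliasName"],
        "Type": d.get("Type", d.get("EventType")),  # tolerate both spellings seen on the page
        "Level": level,
        "Severity": LEVEL_ORDER[level],
        "StartTime": as_epoch_ms(d["StartTime"]),
        "EndTime": as_epoch_ms(d["EndTime"]),
        "CanBeDealOnLine": as_bool(d["CanBeDealOnLine"]),
        "CanCancelFault": as_bool(d["CanCancelFault"]),
        "ContainHwMode": as_bool(d["ContainHwMode"]),
        "Instance": {"Uuid": d["Uuid"], "Name": d["InstanceName"],
                     "InternetIp": d["InternetIp"], "IntranetIp": d["IntranetIp"]},
        "CauseDetails": merge_cause_details(d.get("CauseDetails", [])),
        "Solution": d["Solution"],
    }


def triage_summary(event):
    """One line a responder can route on: level, event name, host, and whether the console can act."""
    path = "online action available" if event["CanBeDealOnLine"] else "manual handling required"
    inst = event["Instance"]
    return f"[{event['Level']}] {event['Name']} on {inst['Name']} ({inst['IntranetIp']}): {path}"


if __name__ == "__main__":
    ev = parse_alert_event(SAMPLE_RESPONSE)
    print(triage_summary(ev))
    print("detected:", ev["StartTime"].isoformat(), "cause fields:", len(ev["CauseDetails"]["Fields"]))
```

Because CanBeDealOnLine is false in the sample, the summary routes the event to manual handling, which matches the Solution text: inspect the listed URLs and download directory, stop the processes, and only then decide whether to mark the alert as a false positive.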

Error codes

For a list of error codes, visit the API Error Center.