
Security Center:DescribeAlarmEventDetail

Last Updated:Feb 20, 2024

Queries the details about an alert event. An alert event consists of an alert and exceptions. Each alert event is associated with multiple exceptions.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must also have permissions to perform in order to complete this operation.
Operation: yundun-sas:Get*
Access level: Read
Resource type: All Resources (*)
Condition key: none
Associated operation: none

Request parameters

Each entry gives the parameter name, its type, and whether it is required, followed by the description and an example value.

SourceIp (string, optional)

The source IP address of the request.

Example: 192.168.XX.XX

Lang (string, optional)

The language of the content within the request and response. Default value: zh. Valid values:

  • zh: Chinese
  • en: English

Example: zh

AlarmUniqueInfo (string, required)

The unique identifier of the alert event.

Note: To query the details of an alert event, you must provide the unique identifier of the alert event. You can call the DescribeSuspEvents operation to obtain the identifier.

Example: 9f62555666f177aa84ee1eaf465a****

From (string, required)

The ID of the request source. Set the value to sas.

Example: sas

Response parameters

Each entry gives the parameter name (fields nested in an object are written as dotted paths), its type, a description, and an example value. The response body itself is an object.

RequestId (string)

The ID of the request, which is used to locate and troubleshoot issues.

Example: 7EA50837-2F0B-5BCC-AB61-4968D88D75AD

Data (object)

The details of the alert event.

Data.Type (string)

The alert type of the alert event. Valid values:

  • Suspicious process
  • Webshell
  • Unusual logon
  • Exception
  • Sensitive file tampering
  • Malicious process (cloud threat detection)
  • Suspicious network connection
  • Other
  • Abnormal account
  • Application intrusion event
  • Cloud threat detection
  • Precise defense
  • Application whitelist
  • Persistent webshell
  • Web application threat detection
  • Malicious script
  • Threat intelligence
  • Malicious network activity
  • Cluster exception
  • Webshell (on-premises threat detection)
  • Vulnerability exploitation
  • Malicious process (on-premises threat detection)
  • Trusted exception

Example: Webshell

Data.InternetIp (string)

The public IP address of the associated instance.

Example: 172.16.XX.XX

Data.K8sClusterName (string)

The name of the Kubernetes cluster.

Example: TestK8sCluser

Data.ContainerImageId (string)

The ID of the image to which the container belongs.

Example: cadb7a725641

Data.AlarmEventDesc (string)

The description of the alert event.

Example: The detection model finds that self-mutation is running on your server. A self-mutation Trojan is a Trojan horse program with self-mutation function. It will change its hash or copy a large number of itself to different paths, and run in the background to avoid cleaning.

Data.AlarmUniqueInfo (string)

The unique identifier of the alert event.

Note: To query the details of an alert event, you must provide the unique identifier of the alert event. You can call the DescribeSuspEvents operation to obtain the identifier.

Example: 9f62555666f177aa84ee1eaf465a****

Data.CanCancelFault (boolean)

Indicates whether you can cancel marking the alert event as a false positive. Valid values:

  • true: yes
  • false: no

Example: false

Data.AppName (string)

The name of the container application.

Example: app:msdp-uat-service

Data.CanBeDealOnLine (boolean)

Indicates whether online handling of the alert event is supported. Valid values:

  • true: yes
  • false: no

Example: false

Data.ContainerImageName (string)

The name of the image to which the container belongs.

Example: jenkins/jenkins:latest

Data.K8sClusterId (string)

The ID of the Kubernetes cluster.

Example: c562cf0d68e9749ee9fe544a7ab2f****

Data.ContainHwMode (boolean)

Indicates whether Safeguard Mode For Major Activities is enabled.

Example: true

Data.InstanceName (string)

The name of the instance.

Example: i-wz92q7m5hsbgfhdss***

Data.K8sNodeId (string)

The ID of the Kubernetes cluster node.

Example: i-bp14a1ay8e0aa9t0l***

Data.Solution (string)

The solution to the alert event.

Example: An invalid logon source IP has been detected. If you recognize this logon attempt, we recommend that you add the current logon source IP to the valid logon source IP list to avoid future alerts. If you do not recognize this logon attempt, we recommend that you modify the password.

Data.DataSource (string)

The data source of the alert event.

Example: aegis_***

Data.IntranetIp (string)

The private IP address of the associated instance.

Example: 172.25.30.**

Data.AlarmEventAliasName (string)

The name of the alert event.

Example: Login with unusual location

Data.EndTime (long)

The timestamp when the alert event ends. Unit: milliseconds.

Example: 1542366542000

Data.Uuid (string)

The instance UUID of the asset.

Example: 6690a46c-0edb-4663-a641-3629d1a9****

Data.StartTime (long)

The timestamp when the alert event starts. Unit: milliseconds.

Example: 1542378601000

Data.ContainerId (string)

The ID of the container application.

Example: container_1606995441910_394868_01_000***

Data.K8sPodName (string)

The name of the Kubernetes pod.

Example: myapp-pod

Data.K8sNamespace (string)

The namespace of the Kubernetes cluster.

Example: sit-saic-trip

Data.K8sNodeName (string)

The name of the Kubernetes cluster node.

Example: cn-hangzhou.10.188.139.**

Data.Level (string)

The severity of the alert event. Valid values:

  • serious
  • suspicious
  • remind

Example: serious
Data.CauseDetails (object[])

An array of the causes of the alert event, which can be used to trace the alert event.

Data.CauseDetails[].Key (string)

The key that is used to trace the alert event.

Example: 842e314e69b1a2c45d5c1a2f88a16***

Data.CauseDetails[].Value (object[])

The values that are used to trace the alert event.

Data.CauseDetails[].Value[].Type (string)

The type of the field that displays the tracing information. Valid values:

  • text
  • html

Example: html

Data.CauseDetails[].Value[].Value (string)

The value of the field that displays the tracing information. When Type is html, the value is an HTML fragment, as in the example.

Example: <p>under a certain small probability, yundun may mistakenly judge the repeated attempts caused by the administrator forgetting or entering the wrong password as successful blasting. Please check according to the account number and time shown in the alarm details. Once it is confirmed that it is not the initiative of the administrator, it is recommended to immediately block the IP, and you can open it at the same time<a href="https://yundun.console.aliyun.com/?p=pam">PAM</a>, hosting host login password, improving remote connection efficiency and security control ability, and according to<a href="https://click.aliyun.com/m/1000226086/">best practice of ECS account security protection</a>Modify login password and convergence asset.</p>

Data.CauseDetails[].Value[].Name (string)

The name of the field that displays the tracing information.

Example: sshd

Examples

Sample success responses

JSON format

{
  "RequestId": "7EA50837-2F0B-5BCC-AB61-4968D88D75AD",
  "Data": {
    "Type": "Webshell",
    "InternetIp": "172.16.XX.XX",
    "K8sClusterName": "TestK8sCluser",
    "ContainerImageId": "cadb7a725641",
    "AlarmEventDesc": "The detection model finds that self-mutation is running on your server. A self-mutation Trojan is a Trojan horse program with self-mutation function. It will change its hash or copy a large number of itself to different paths, and run in the background to avoid cleaning.",
    "AlarmUniqueInfo": "9f62555666f177aa84ee1eaf465a****",
    "CanCancelFault": false,
    "AppName": "app:msdp-uat-service",
    "CanBeDealOnLine": false,
    "ContainerImageName": "jenkins/jenkins:latest",
    "K8sClusterId": "c562cf0d68e9749ee9fe544a7ab2f****",
    "ContainHwMode": true,
    "InstanceName": "i-wz92q7m5hsbgfhdss***",
    "K8sNodeId": "i-bp14a1ay8e0aa9t0l***",
    "Solution": "An invalid logon source IP has been detected. If you recognize this logon attempt, we recommend that you add the current logon source IP to the valid logon source IP list to avoid future alerts. If you do not recognize this logon attempt, we recommend that you modify the password.",
    "DataSource": "aegis_***",
    "IntranetIp": "172.25.30.**",
    "AlarmEventAliasName": "Login with unusual location",
    "EndTime": 1542366542000,
    "Uuid": "6690a46c-0edb-4663-a641-3629d1a9****",
    "StartTime": 1542378601000,
    "ContainerId": "container_1606995441910_394868_01_000***",
    "K8sPodName": "myapp-pod",
    "K8sNamespace": "sit-saic-trip",
    "K8sNodeName": "cn-hangzhou.10.188.139.**",
    "Level": "serious",
    "CauseDetails": [
      {
        "Key": "842e314e69b1a2c45d5c1a2f88a16***",
        "Value": [
          {
            "Type": "html",
            "Value": "<p>under a certain small probability, yundun may mistakenly judge the repeated attempts caused by the administrator forgetting or entering the wrong password as successful blasting. Please check according to the account number and time shown in the alarm details. Once it is confirmed that it is not the initiative of the administrator, it is recommended to immediately block the IP, and you can open it at the same time<a href=\"https://yundun.console.aliyun.com/?p=pam\">PAM</a>, hosting host login password, improving remote connection efficiency and security control ability, and according to<a href=\"https://click.aliyun.com/m/1000226086/\">best practice of ECS account security protection</a>Modify login password and convergence asset.</p>\n",
            "Name": "sshd"
          }
        ]
      }
    ]
  }
}
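The following is an added example, not code from Alibaba Cloud or from this reference page. It consumes the decoded JSON body that DescribeAlarmEventDetail returns (a shortened, constructed subset of the sample response above is embedded as SAMPLE_RESPONSE) and produces a triage record: the millisecond StartTime/EndTime values are converted to UTC timestamps and checked for ordering (the sample response has StartTime later than EndTime, so the record flags it), the documented Level values are mapped to a ticket priority (the P1/P2/P3 mapping is this example's assumption), and html-typed CauseDetails values are reduced to plain text with link targets kept visible, so the tracing text can be written into a ticket or log line without rendering markup from the alert payload.

```python
"""Triage helper for a Security Center DescribeAlarmEventDetail response.

Added example; not part of the Alibaba Cloud SDK or of this reference page.
"""
from datetime import datetime, timezone
from html.parser import HTMLParser

# Constructed subset of the sample response on this page; masked values kept
# as given, and the html tracing text shortened to a constructed fragment.
SAMPLE_RESPONSE = {
    "RequestId": "7EA50837-2F0B-5BCC-AB61-4968D88D75AD",
    "Data": {
        "Type": "Webshell",
        "AlarmEventAliasName": "Login with unusual location",
        "Level": "serious",
        "InternetIp": "172.16.XX.XX",
        "IntranetIp": "172.25.30.**",
        "K8sNamespace": "sit-saic-trip",
        "K8sPodName": "myapp-pod",
        "CanBeDealOnLine": False,
        "StartTime": 1542378601000,  # later than EndTime, as in the page's sample
        "EndTime": 1542366542000,
        "CauseDetails": [
            {
                "Key": "842e314e69b1a2c45d5c1a2f88a16***",
                "Value": [
                    {
                        "Type": "html",
                        "Name": "sshd",
                        "Value": (
                            "<p>Repeated failed logons may be an administrator "
                            "mistyping a password. If not, block the IP and enable "
                            '<a href="https://yundun.console.aliyun.com/?p=pam">PAM</a>.</p>'
                        ),
                    }
                ],
            }
        ],
    },
}

# Assumed mapping from the documented Level values to a ticket priority.
LEVEL_PRIORITY = {"serious": "P1", "suspicious": "P2", "remind": "P3"}


class _TextExtractor(HTMLParser):
    """Collect text nodes; append each link's target as '(url)' after its text."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._href = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")

    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.parts.append(f" ({self._href})")
            self._href = None

    def handle_data(self, data):
        self.parts.append(data)


def cause_value_to_text(field):
    """Render one CauseDetails[].Value[] entry as whitespace-normalised plain text."""
    raw = field.get("Value", "") or ""
    if field.get("Type") != "html":
        return " ".join(raw.split())
    parser = _TextExtractor()
    parser.feed(raw)
    parser.close()  # flush any buffered character data
    return " ".join("".join(parser.parts).split())


def ms_to_iso(ms):
    """Millisecond epoch timestamp (as documented for StartTime/EndTime) to UTC ISO 8601."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def triage(response):
    """Build a compact triage record from a DescribeAlarmEventDetail response body."""
    data = response["Data"]
    start, end = data.get("StartTime"), data.get("EndTime")
    return {
        "request_id": response.get("RequestId"),
        "alert": data.get("AlarmEventAliasName"),
        "type": data.get("Type"),
        "priority": LEVEL_PRIORITY.get(data.get("Level"), "unknown"),
        "start": ms_to_iso(start) if start else None,
        "end": ms_to_iso(end) if end else None,
        # Do not trust the time window blindly: flag a start that follows the end.
        "timestamps_consistent": start is None or end is None or start <= end,
        "asset": {k: data.get(k) for k in ("InternetIp", "IntranetIp", "K8sNamespace", "K8sPodName")},
        "online_handling": bool(data.get("CanBeDealOnLine")),
        "causes": [
            {"key": c.get("Key"), "name": v.get("Name"), "text": cause_value_to_text(v)}
            for c in data.get("CauseDetails", [])
            for v in c.get("Value", [])
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RESPONSE), indent=2))
```

The record keeps RequestId so a support case can be correlated with the call, and it only ever contains plain text from the html-typed values; anything that needs the original markup can still read it from the response.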

Error codes

HTTP status code   Error code     Error message              Description
403                NoPermission   caller has no permission   You are not authorized to do this operation.
500                ServerError    ServerError                -

For a list of error codes, visit the Service error codes.

Change history

Change time   Summary of changes   Operation
No change history