Queries the details of an alert event. An alert event consists of alerts and exceptions. Each alert event is related to multiple exceptions.
Debugging
Request parameters
| Parameter | Type | Required | Example | Description |
|---|---|---|---|---|
| Action | String | Yes | DescribeAlarmEventDetail | The operation that you want to perform. Set the value to DescribeAlarmEventDetail. |
| AlarmUniqueInfo | String | Yes | 8df914418f4211fbf756efe7a6f4**** | The ID of the alert event.
Note To query the details of an alert event, you must specify the ID of the alert event. You can call the
DescribeAlarmEventList operation to query the IDs of alert events.
|
| From | String | Yes | sas | The ID of the request source. Set the value to sas. |
| SourceIp | String | No | 1.2.3.4 | The source IP address of the request. |
| Lang | String | No | zh | The natural language of the request and response. Valid values:
|
Response parameters
| Parameter | Type | Example | Description |
|---|---|---|---|
| Data | Struct | The details of the alert event. |
|
| AlarmEventAliasName | String | Suspicious process behavior - Execution of suspicious commands in scheduled Linux tasks | The complete name of the alert event. |
| AlarmEventDesc | String | After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep the malicious programs running. The scheduled tasks include crontab and systemd. | The description of the alert event. |
| AlarmUniqueInfo | String | 8df914418f4211fbf756efe70000**** | The ID of the alert event. |
| CanBeDealOnLine | Boolean | false | Indicates whether the online processing of alert events online is supported, such as blocking an alert, adding an alert to the whitelist, and ignoring an alert. Valid values:
|
| CanCancelFault | Boolean | false | Indicates whether you can cancel marking this alert event as a false positive. Valid values:
|
| CauseDetails | Array of CauseDetail | The cause of the alert event, which can be used to trace the alert. |
|
| Key | String | html | The format in the alert event details. Valid values:
|
| Value | Array of Value | The value of the field that displays the information used to trace alerts. |
|
| Name | String | Solutions | The name of the field that displays the information used to trace alerts. |
| Type | String | html | The format of the field that displays the information used to trace alerts. Valid values:
|
| Value | String | Check for the exploited pages of your web services and vulnerabilities in parameter configuration, and resolve these issues. | The value of the field that displays the information used to trace alerts. |
| ContainHwMode | Boolean | true | Indicates whether the Safeguard Mode For Major Activities mode is enabled for the server. Valid values:
|
| DataSource | String | aegis_*** | The source of data.
Note This parameter is deprecated.
|
| EndTime | Long | 1542366542000 | The end time of the alert event. |
| InstanceName | String | Test server | The name of the associated instance. |
| InternetIp | String | 1.2.3.1 | The public IP address of the associated instance. |
| IntranetIp | String | 1.2.3.5 | The private IP address of the associated instance. |
| Level | String | serious | The risk level of the alert event. Valid values:
|
| Solution | String | Check the malicious URLs that are listed in the alert. Check the directory for malicious file downloads. Stop the malicious processes that are running. If you trust the processes, mark the alert as a false positive in the console, and submit a ticket to notify security engineers. | The solution to the alert event. |
| StartTime | Long | 1542378601000 | The timestamp when the alert event was detected. |
| Type | String | Suspicious network connection | The type of the alert event. Valid values:
|
| Uuid | String | 47900178-885d-4fa4-9d77-XXXXXXXXXXXX | The ID of the associated instance. |
| RequestId | String | 5A1DDB3C-798C-4A84-BF6E-3DC700000000 | The ID of the request. |
Examples
Sample requests
http(s)://[Endpoint]/?Action=DescribeAlarmEventDetail
&AlarmUniqueInfo=8df914418f4211fbf756efe7a6f4****
&From=sas
&<Common request parameters>Sample success responses
XML format
<DescribeAlarmEventDetailResponse>
<RequestId>5A1DDB3C-798C-4A84-BF6E-3DC700000000</RequestId>
<Data>
<CanCancelFault>false</CanCancelFault>
<EndTime>1542366542000</EndTime>
<ContainHwMode>true</ContainHwMode>
<CauseDetails>
<Key>html</Key>
</CauseDetails>
<CauseDetails>
<Value>
<Type>html</Type>
<Value>Check for the exploited pages of your web services and vulnerabilities in parameter configuration, and resolve these issues. </Value>
<Name>Solutions</Name>
</Value>
</CauseDetails>
<StartTime>1542378601000</StartTime>
<IntranetIp>1.2.3.5</IntranetIp>
<DataSource>aegis_***</DataSource>
<InstanceName>Test server</InstanceName>
<Type>Suspicious network connection</Type>
<CanBeDealOnLine>false</CanBeDealOnLine>
<Uuid>47900178-885d-4fa4-9d77-XXXXXXXXXXXX</Uuid>
<InternetIp>1.2.3.1</InternetIp>
<AlarmEventDesc>After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep the malicious programs running. The scheduled tasks include crontab and systemd. </AlarmEventDesc>
<AlarmUniqueInfo>8df914418f4211fbf756efe70000****</AlarmUniqueInfo>
<Level>serious</Level>
<AlarmEventAliasName>Suspicious process behavior - Execution of suspicious commands in scheduled Linux tasks</AlarmEventAliasName>
<Solution>Check the malicious URLs that are listed in the alert. Check the directory for malicious file downloads. Stop the malicious processes that are running. If you trust the processes, mark the alert as a false positive in the console, and submit a ticket to notify security engineers. </Solution>
</Data>
</DescribeAlarmEventDetailResponse>JSON format
{
"RequestId": "5A1DDB3C-798C-4A84-BF6E-3DC700000000",
"Data": {
"CanCancelFault": "false",
"EndTime": "1542366542000",
"ContainHwMode": "true",
"CauseDetails": [{
"Key": "html"
}, {
"Value": [{
"Type": "html",
"Value": "Check for the exploited pages of your web services and vulnerabilities in parameter configuration, and resolve these issues.",
"Name": "Solutions"
}]
}],
"StartTime": "1542378601000",
"IntranetIp": "1.2.3.5",
"DataSource": "aegis_***",
"InstanceName": "Test server",
"EventType": "Suspicious network connection",
"CanBeDealOnLine": "false",
"Uuid": "47900178-885d-4fa4-9d77-XXXXXXXXXXXX",
"InternetIp": "1.2.3.1",
"AlarmEventDesc": "After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep the malicious programs running. The scheduled tasks include crontab and systemd.",
"AlarmUniqueInfo": "8df914418f4211fbf756efe70000****",
"Level": "serious",
"AlarmEventAliasName": "Suspicious process behavior - Execution of suspicious commands in scheduled Linux tasks",
"Solution": "Check the malicious URLs that have been listed in the alert. Check the directory for malicious file downloads. Stop the malicious processes that are running. If you trust the processes, mark the alert as a false positive in the console, and submit a ticket to notify security engineers.
}
}Error codes
For a list of error codes, visit the API Error Center.