You can call this operation to query the details of an alert event. An alert event can be associated with multiple exceptions, and the details returned cover the affected asset, the severity, the time range, and the cause and solution text.

Debugging

You can go to API Explorer to debug API operations online. API Explorer allows you to call API operations online, use dynamically generated SDK sample code, and search for API operations. This makes it easier to use cloud APIs.

Request parameters

Name Type Required Example Description

Action String Yes DescribeAlarmEventDetail

The operation that you want to perform. Set the value to DescribeAlarmEventDetail.

AlarmUniqueInfo String Yes 8df914418f4211fbf756efe7a6f40cbc

The unique identifier of an alert event.

From String Yes sas

The identifier of the request source. The fixed value is sas.

Lang String No zh

The language in which the alert event details are displayed. Valid values:

  • zh: Chinese
  • en: English

SourceIp String No 1.1.1.1

The IP address of the request source.

Response parameters

Name Type Example Description
Data

The details of the alert event.

└AlarmEventAliasName String Suspicious Process - Command Exceptions in Scheduled Linux Tasks

The complete name of the alert event.

└AlarmEventDesc String After accessing a victim server, the attacker may have imported malicious shell scripts into scheduled tasks such as crontab and systemd, to enable persistent execution of malicious backdoor programs.

The description of the alert event.

└AlarmUniqueInfo String 8df914418f4211fbf756efe700000000

The unique identifier of the alert event.

└CanBeDealOnLine Boolean false

Indicates whether this alert event can be quarantined online.

└CanCancelFault Boolean false

Indicates whether you can cancel labelling this alert event as a false positive.

└CauseDetails Array

The cause of the alert event. Each item contains a Key field and a Value field.

  └Key String item

  The format of the text. Valid values:

    • text
    • html

  └Value Array

  The value of the diagnosis information field. Each item contains the Name, Type and Value fields.

    └Name String Troubleshooting Solution

    The key of the diagnosis information field.

    └Type String html

    The format of the diagnosis information field.

    └Value String Check for the exploited pages of your Web services and vulnerabilities in parameter configuration, and resolve these issues.

    The value of the diagnosis information field.

└DataSource String aegis_suspicious_event

The data source.

└EndTime Long 1542366542000

The time when the alert event ends.

└InstanceName String Test server

The name of the affected asset.

└InternetIp String 10.0.0.0

The public IP address of the affected asset.

└IntranetIp String 10.0.0.0

The internal IP address of the affected asset.

└Level String serious

The severity of the alert event. Valid values:

  • serious
  • suspicious
  • remind

└Solution String Check the malicious URLs that have been listed in the alert. Check the directory for malicious file downloads. Stop the malicious processes that are running. If you recognize this URL access request, label the alert as a false positive in the console, and submit a ticket.

The solution for the alert event.

└StartTime Long 1542378601000

The time when the alert event starts.

└Type String Unusual network connection

The type of the alert event.

└Uuid String 47900178-885d-4fa4-9d77-XXXXXXXXXXXX

The unique identifier of the affected asset.

RequestId String 5A1DDB3C-798C-4A84-BF6E-3DC700000000

The GUID generated by Alibaba Cloud for the request.

Examples

Sample requests


http(s)://[Endpoint]/?Action=DescribeAlarmEventDetail
&AlarmUniqueInfo=8df914418f4211fbf756efe7a6f40cbc
&From=sas
&<Common request parameters>

Successful response examples

XML format

<DescribeAlarmEventDetailResponse>
  <Data>
    <Uuid>47900178-885d-4fa4-9d77-XXXXXXXXXXXX</Uuid>
    <AlarmEventAliasName>Suspicious Process - Command Exceptions in Scheduled Linux Tasks</AlarmEventAliasName>
    <Type>Suspicious Process</Type>
    <InternetIp>10.0.0.10</InternetIp>
    <AlarmEventDesc>After accessing a victim server, the attacker may have imported malicious shell scripts into scheduled tasks such as crontab and systemd, to enable persistent execution of malicious backdoor programs.</AlarmEventDesc>
    <IntranetIp>10.0.0.0</IntranetIp>
    <CauseDetails>
      <Value>
        <Type>text</Type>
        <Value>An attacker has logged on to your server and has written webshells by editing the configuration file.</Value>
        <Name>Intrusion Cause</Name>
      </Value>
      <Value>
        <Type>text</Type>
        <Value>2018-11-16 19:09:02</Value>
        <Name>Attack Time</Name>
      </Value>
      <Value>
        <Type>text</Type>
        <Value>N/A</Value>
        <Name>Attack Source IP</Name>
      </Value>
      <Value>
        <Type>text</Type>
        <Value>N/A</Value>
        <Name>Attack Payload</Name>
      </Value>
      <Value>
        <Type>text</Type>
        <Value>Check for the exploited pages of your Web services and vulnerabilities in parameter configuration, and resolve these issues.</Value>
        <Name>Troubleshooting Solution</Name>
      </Value>
      <Key>item</Key>
    </CauseDetails>
    <Level>Urgency</Level>
    <EndTime>1543741201000</EndTime>
    <StartTime>1543312803000</StartTime>
    <CanBeDealOnLine>false</CanBeDealOnLine>
    <InstanceName>server01</InstanceName>
  </Data>
  <RequestId>5A1DDB3C-798C-4A84-BF6E-3DC7F7D7EB4A</RequestId>
</DescribeAlarmEventDetailResponse>

JSON format

{
	"Data":{
		"Uuid":"47900178-885d-4fa4-9d77-XXXXXXXXXXXX",
		"AlarmEventDesc":"After accessing a victim server, the attacker may have imported malicious shell scripts into scheduled tasks such as crontab and systemd, to enable persistent execution of malicious backdoor programs.",
		"AlarmEventAliasName":"Suspicious Process - Command Exceptions in Scheduled Linux Tasks",
		"Type":"Suspicious Process",
		"IntranetIp":"10.0.0.0",
		"CauseDetails":[
			{
				"Value":[
					{
						"Name":"Intrusion Cause",
						"Value":"An attacker has logged on to your server and has written webshells by editing the configuration file.",
						"Type":"text"
					},
					{
						"Name":"Attack Time",
						"Value":"2018-11-16 19:09:02",
						"Type":"text"
					},
					{
						"Name":"Attack Source IP",
						"Value":"N/A",
						"Type":"text"
					},
					{
						"Name":"Attack Payload",
						"Value":"N/A",
						"Type":"text"
					},
					{
						"Name":"Troubleshooting Solution",
						"Value":"Check for the exploited pages of your Web services and vulnerabilities in parameter configuration, and resolve these issues.",
						"Type":"text"
					}
				],
				"Key":"item"
			}
		],
		"InternetIp":"10.0.0.10",
		"EndTime":1543741201000,
		"Level":"serious",
		"StartTime":1543312803000,
		"CanBeDealOnLine":false,
		"InstanceName":"server01"
	},
	"RequestId":"5A1DDB3C-798C-4A84-BF6E-3DC7F7D7EB4A"
}
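The following Python is an added example and is not part of Alibaba Cloud's SDK or of this page. It shows the two halves of working with this operation from a detection pipeline: building the operation-specific part of the query string from the request parameters documented above, and flattening the nested CauseDetails structure of the response into a dictionary keyed by field name so the alert can be ingested or enriched. The sample response is constructed from the JSON example on this page. The common request parameters (credentials, signature, timestamp) are assumed to be added by the caller's signing layer and are not implemented here; the function and variable names are this example's own.

```python
from datetime import datetime, timezone
from urllib.parse import urlencode

ACTION = "DescribeAlarmEventDetail"
VALID_LANGS = {"zh", "en"}  # documented values of the Lang parameter
# Rank for the documented Level values; anything undocumented ranks 0.
LEVEL_RANK = {"serious": 3, "suspicious": 2, "remind": 1}

# Constructed from the JSON response example on this page; not live API output.
SAMPLE_RESPONSE = {
    "Data": {
        "Uuid": "47900178-885d-4fa4-9d77-XXXXXXXXXXXX",
        "AlarmEventAliasName": "Suspicious Process - Command Exceptions in Scheduled Linux Tasks",
        "Type": "Suspicious Process",
        "IntranetIp": "10.0.0.0",
        "InternetIp": "10.0.0.10",
        "CauseDetails": [
            {
                "Key": "item",
                "Value": [
                    {"Name": "Intrusion Cause", "Type": "text",
                     "Value": "An attacker has logged on to your server and has written webshells by editing the configuration file."},
                    {"Name": "Attack Time", "Type": "text", "Value": "2018-11-16 19:09:02"},
                    {"Name": "Attack Source IP", "Type": "text", "Value": "N/A"},
                    {"Name": "Attack Payload", "Type": "text", "Value": "N/A"},
                    {"Name": "Troubleshooting Solution", "Type": "text",
                     "Value": "Check for the exploited pages of your Web services and vulnerabilities in parameter configuration, and resolve these issues."},
                ],
            }
        ],
        "EndTime": 1543741201000,
        "Level": "serious",
        "StartTime": 1543312803000,
        "CanBeDealOnLine": False,
        "InstanceName": "server01",
    },
    "RequestId": "5A1DDB3C-798C-4A84-BF6E-3DC7F7D7EB4A",
}


def build_query(alarm_unique_info, lang=None, source_ip=None):
    """Return the operation-specific query string; common parameters are added elsewhere."""
    if lang is not None and lang not in VALID_LANGS:
        raise ValueError(f"Lang must be one of {sorted(VALID_LANGS)}")
    params = {"Action": ACTION, "AlarmUniqueInfo": alarm_unique_info, "From": "sas"}
    if lang:
        params["Lang"] = lang
    if source_ip:
        params["SourceIp"] = source_ip
    return urlencode(params)


def _ms_to_iso(ms):
    """StartTime/EndTime are millisecond epochs; return ISO 8601 in UTC (None if absent)."""
    if ms is None:
        return None
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).isoformat()


def flatten_cause_details(cause_details):
    """Map CauseDetails[*].Value[*] to {Name: {"value", "type", "is_html"}}.

    "N/A" becomes None so filters do not treat it as data, and html-typed
    fields are flagged so a console escapes them before rendering.
    """
    flat = {}
    for item in cause_details or []:
        for field in item.get("Value", []):
            value = field.get("Value")
            field_type = field.get("Type", "text")
            flat[field["Name"]] = {
                "value": None if value == "N/A" else value,
                "type": field_type,
                "is_html": field_type == "html",
            }
    return flat


def parse_alert_detail(response):
    """Extract the triage-relevant fields from a DescribeAlarmEventDetail response."""
    data = response.get("Data", {})
    level = data.get("Level")
    return {
        "request_id": response.get("RequestId"),
        "asset_uuid": data.get("Uuid"),
        "instance_name": data.get("InstanceName"),
        "internet_ip": data.get("InternetIp"),
        "intranet_ip": data.get("IntranetIp"),
        "name": data.get("AlarmEventAliasName"),
        "type": data.get("Type"),
        "level": level,
        "level_rank": LEVEL_RANK.get(level, 0),
        "start_time": _ms_to_iso(data.get("StartTime")),
        "end_time": _ms_to_iso(data.get("EndTime")),
        "can_be_dealt_online": data.get("CanBeDealOnLine", False),
        # Solution is documented but absent from the sample; keep None rather than fail.
        "solution": data.get("Solution"),
        "cause": flatten_cause_details(data.get("CauseDetails")),
    }


if __name__ == "__main__":
    print(build_query("8df914418f4211fbf756efe7a6f40cbc", lang="en"))
    for key, val in parse_alert_detail(SAMPLE_RESPONSE).items():
        print(f"{key}: {val}")
```

The parser deliberately tolerates fields that the reference documents but the sample omits (Solution, DataSource) and values outside the documented set (the XML sample's Level of Urgency ranks 0), so a pipeline fed by this operation degrades gracefully instead of dropping the alert.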

Error codes

View error codes.