You can call the DescribeSuspEventDetail operation to query the details of an exception. An alert event can be related to multiple exceptions; this operation returns the details of one of them.
Debugging
You can go to API Explorer to debug API operations online. API Explorer allows you to call API operations online, use dynamically generated SDK sample code, and search for API operations. This makes it easier to use cloud APIs.
Request parameters

Name | Type | Required | Example | Description |
---|---|---|---|---|
Action | String | Yes | DescribeSuspEventDetail | The operation that you want to perform. Set the value to DescribeSuspEventDetail. |
From | String | Yes | sas | The request source. The fixed value is sas. |
Lang | String | No | zh | The language in which the exception details are displayed. Valid values: |
SourceIp | String | No | 1.1.1.1 | The IP address of the request source. |
SuspiciousEventId | Integer | No | 1 | The ID of the queried exception. |
Response parameters

Name | Type | Example | Description |
---|---|---|---|
CanBeDealOnLine | Boolean | true | Indicates whether this exception can be quarantined online. |
DataSource | String | aegis_suspicious_file_v2 | The data source. |
Details | Array | | The details of the queried exception. |
└InfoType | String | download_url | The type of the icon. |
└Name | String | Malicious Process - Mining Program | The name of the exception. |
└Type | String | html | The format of the text. Valid values: |
└Value | String | 2018-12-12 12:00:00 | The time of the exception. |
EventDesc | String | This file may have been uploaded by an attacker that has intruded into your website. Check the validity of this file. | The description of the exception. |
EventName | String | WEBSHELL | The name of the exception. |
EventStatus | String | 1 | The status of the exception. Valid values: |
EventTypeDesc | String | Webshell - Webshell | The type of the exception. |
Id | Integer | 1991 | The ID of the exception. |
InstanceName | String | ca_cpm_test1 | The name of the affected asset. |
InternetIp | String | 10.0.0.0 | The public IP address of the affected asset. |
IntranetIp | String | 10.0.0.10 | The internal IP address of the affected asset. |
LastTime | String | 2018-10-30 11:43:46 | The time when the exception last occurred. |
Level | String | Urgency | The severity of the alert event. Valid values: |
OperateMsg | String | success | Other information about this operation. |
RequestId | String | 1 | The GUID generated by Alibaba Cloud for the request. |
SaleVersion | String | 17F3C8C2-0504-48D5-8B8F-9CF000000000 | The edition of Threat Detection Service. Valid values: |
SasId | String | 1 | The ID of the Threat Detection Service system. |
Type | String | text | The format of the exception information. |
Uuid | String | bffb12c3-590a-4db2-b538-XXXXXXXXXXXX | The unique identifier of the affected asset. |
Examples

Sample requests

```
http(s)://[Endpoint]/?Action=DescribeSuspEventDetail
&From=sas
&<Common request parameters>
```

Successful response examples

XML format

```xml
<DescribeSuspEventDetailResponse>
  <RequestId>43F670F3-AB40-4E91-BC7D-C57468834F67</RequestId>
  <HostId>aegis.cn-hangzhou.aliyuncs.com</HostId>
  <Code>200</Code>
  <Message>
  illegal parameter, xxxx
  </Message>
  <EventDesc>This file may have been uploaded by an attacker that has intruded into your website. Check the validity of this file. </EventDesc>
  <EventTypeDesc>Webshell-Webshell</EventTypeDesc>
  <EventStatus>1</EventStatus>
  <EventName>WEBSHELL</EventName>
  <SaleVersion>1</SaleVersion>
  <IntranetIp>10.0.0.0</IntranetIp>
  <DataSource>aegis_suspicious_file_v2</DataSource>
  <InstanceName>ca_cpm_test1</InstanceName>
  <Type>normal</Type>
  <CanBeDealOnLine>true</CanBeDealOnLine>
  <OperateMsg/>
  <Uuid>bffb12c3-590a-4db2-b538-XXXXXXXXXXXX</Uuid>
  <Details>
    <Type>text</Type>
    <Value>/data/ftpUser/pub/f12cd3bc5b484b0326309b48afb463fb</Value>
    <InfoType>trojan_path</InfoType>
    <Name>Trojan Path</Name>
  </Details>
  <Details>
    <Type>text</Type>
    <Value>--</Value>
    <Name>Affected Domain</Name>
  </Details>
  <Details>
    <Type>text</Type>
    <Value>2018-10-30 05:00:56</Value>
    <InfoType>frist_found_time</InfoType>
    <Name>Last Detected At</Name>
  </Details>
  <Details>
    <Type>text</Type>
    <Value>2018-10-30 11:43:45</Value>
    <InfoType>update_time</InfoType>
    <Name>Malicious Process - Mining Program</Name>
  </Details>
  <Details>
    <Type>text</Type>
    <Value>Webshell</Value>
    <InfoType>trojan_type</InfoType>
    <Name>Trojan Type</Name>
  </Details>
  <Details>
    <Type>html</Type>
    <Value><a href="http://yundun-aegis-webshell-file.oss-cn-shanghai.aliyuncs.com/XXXXXXXXXXX?Expires=1540899863&OSSAccessKeyId=XXXXXX&Signature=XXXXXX;response-content-disposition=attachment%3Bfilename%3Df12cd3bc5b484b0326309b48afb463fb">Download</a></Value>
    <InfoType>download_url</InfoType>
    <Name>Source File Download</Name>
  </Details>
  <InternetIp>39.105.41.176</InternetIp>
  <Level>Urgency</Level>
  <Id>129636</Id>
  <LastTime>2018-10-30 11:43:46</LastTime>
  <SasId>39938056</SasId>
</DescribeSuspEventDetailResponse>
```
JSON format

```json
{
  "Uuid": "bffb12c3-590a-4db2-b538-XXXXXXXXXXXX",
  "EventName": "WEBSHELL",
  "EventStatus": 1,
  "Message": "illegal parameter, xxxx\n",
  "LastTime": "2018-10-30 11:43:46",
  "Details": [
    {
      "Name": "Trojan Path",
      "Value": "/data/ftpUser/pub/f12cd3bc5b484b0326309b48afb463fb",
      "Type": "text",
      "InfoType": "trojan_path"
    },
    {
      "Name": "Affected Domain",
      "Value": "--",
      "Type": "text"
    },
    {
      "Name": "First Detected At",
      "Value": "2018-10-30 05:00:56",
      "Type": "text",
      "InfoType": "frist_found_time"
    },
    {
      "Name": "Malicious Process - Mining Program",
      "Value": "2018-10-30 11:43:45",
      "Type": "text",
      "InfoType": "update_time"
    },
    {
      "Name": "Trojan Type",
      "Value": "Webshell",
      "Type": "text",
      "InfoType": "trojan_type"
    },
    {
      "Name": "Source File Download",
      "Value": "<a href=\"http://yundun-aegis-webshell-file.oss-cn-shanghai.aliyuncs.com/XXXXXXXXXX?Expires=1540899863&OSSAccessKeyId=XXXXXX&Signature=XXXXXX&response-content-disposition=attachment%3Bfilename%3Df12cd3bc5b484b0326309b48afb463fb\">Download</a>",
      "Type": "html",
      "InfoType": "download_url"
    }
  ],
  "Type": "normal",
  "InternetIp": "39.105.41.176",
  "HostId": "aegis.cn-hangzhou.aliyuncs.com",
  "EventTypeDesc": "Webshell - Webshell",
  "Code": "200",
  "DataSource": "aegis_suspicious_file_v2",
  "SasId": "39938056",
  "RequestId": "43F670F3-AB40-4E91-BC7D-C57468834F67",
  "IntranetIp": "10.0.0.0",
  "Id": 129636,
  "Level": "serious",
  "EventDesc": "This file may have been uploaded by an attacker that has intruded into your website. Check the validity of this file.",
  "OperateMsg": "",
  "CanBeDealOnLine": true,
  "SaleVersion": "1",
  "InstanceName": "ca_cpm_test1"
}
```
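The following is an added example, not code from the Alibaba Cloud documentation or SDK: it takes an already-parsed DescribeSuspEventDetail response (a constructed sample trimmed from the JSON example above) and flattens the Details array for a triage queue, treating the "--" placeholder as an unpopulated field and reducing the html-typed download_url cell to its href rather than ever rendering the HTML. The function names parse_details and summarize_event and the output keys are assumptions of this example.

```python
import html
import re

# Constructed sample, trimmed from the page's JSON response example; not a live API call.
SAMPLE = {
    "Id": 129636, "EventName": "WEBSHELL", "EventTypeDesc": "Webshell - Webshell",
    "EventStatus": 1, "Level": "serious", "CanBeDealOnLine": True,
    "InstanceName": "ca_cpm_test1", "Uuid": "bffb12c3-590a-4db2-b538-XXXXXXXXXXXX",
    "Details": [
        {"Name": "Trojan Path", "Type": "text", "InfoType": "trojan_path",
         "Value": "/data/ftpUser/pub/f12cd3bc5b484b0326309b48afb463fb"},
        {"Name": "Affected Domain", "Type": "text", "Value": "--"},
        {"Name": "First Detected At", "Type": "text", "InfoType": "frist_found_time",
         "Value": "2018-10-30 05:00:56"},
        {"Name": "Source File Download", "Type": "html", "InfoType": "download_url",
         "Value": '<a href="http://yundun-aegis-webshell-file.oss-cn-shanghai.aliyuncs.com/'
                  'XXXXXXXXXX?Expires=1540899863&OSSAccessKeyId=XXXXXX">Download</a>'},
    ],
}

HREF_RE = re.compile(r'href="([^"]*)"')

def parse_details(data):
    """Flatten Details into {InfoType (or Name when the row has no InfoType): value}."""
    out = {}
    for item in data.get("Details", []):
        key = item.get("InfoType") or item["Name"]  # e.g. "Affected Domain" carries no InfoType
        value = item.get("Value", "")
        if value == "--":                           # the API's placeholder for an empty field
            value = None
        elif item.get("Type") == "html":            # keep only the link target, never the markup
            m = HREF_RE.search(value)
            value = html.unescape(m.group(1)) if m else None
        out[key] = value
    return out

def summarize_event(data):
    """Pick the fields a triage queue needs from one DescribeSuspEventDetail response."""
    d = parse_details(data)
    return {
        "id": data["Id"],
        "asset": (data["InstanceName"], data["Uuid"]),
        "level": data["Level"],
        "status": str(data["EventStatus"]),  # documented as String; the sample carries an int
        "path": d.get("trojan_path"),
        "first_seen": d.get("frist_found_time"),  # InfoType spelled exactly as the API returns it
        "sample_url": d.get("download_url"),
        "quarantine_online": bool(data.get("CanBeDealOnLine")),
    }
```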