You can call this operation to query the details of an exception.

An alert event can be related to multiple exceptions; this operation returns the details of one of them.

Debugging

You can go to API Explorer to debug API operations online. API Explorer allows you to call API operations online, use dynamically generated SDK sample code, and search for API operations. This makes it easier to use cloud APIs.

Request parameters

Name Type Required Example Description
Action String Yes DescribeSuspEventDetail

The operation that you want to perform. Set the value to DescribeSuspEventDetail.

From String Yes sas

The request source. The fixed value is sas.

Lang String No zh

The language in which the exception details are displayed. Valid values:

  • zh: Chinese
  • en: English
SourceIp String No 1.1.1.1

The IP address of the request source.

SuspiciousEventId Integer No 1

The ID of the queried exception.

Response parameters

Name Type Example Description
CanBeDealOnLine Boolean true

Indicates whether this exception can be quarantined online.

DataSource String aegis_suspicious_file_v2

The data source.

Details

The details of the queried exception.

└InfoType String download_url

The type of the icon.

└Name String Malicious Process - Mining Program

The name of the exception.

└Type String html

The format of the text. Valid values:

  • text
  • html
└Value String 2018-12-12 12:00:00

The value of the detail item. In this example, the value is the time of the exception.

EventDesc String This file may have been uploaded by an attacker that has intruded into your website. Check the validity of this file.

The description of the exception.

EventName String WEBSHELL

The name of the exception.

EventStatus String 1

The status of the exception. Valid values:

  • 1: unhandled
  • 2: ignored
  • 4: confirmed
  • 8: labelled as false positive
  • 16: handling
  • 32: handled
  • 64: expired
EventTypeDesc String Webshell - Webshell

The type of the exception.

Id Integer 1991

The ID of the exception.

InstanceName String ca_cpm_test1

The name of the affected asset.

InternetIp String 10.0.0.0

The public IP address of the affected asset.

IntranetIp String 10.0.0.10

The internal IP address of the affected asset.

LastTime String 2018-10-30 11:43:46

The time when the exception last occurred.

Level String Urgency

The severity of the alert event. Valid values:

  • serious
  • suspicious
  • remind
OperateMsg String success

Other information about this operation.

RequestId String 17F3C8C2-0504-48D5-8B8F-9CF000000000

The GUID generated by Alibaba Cloud for the request.

SaleVersion String 1

The edition of Threat Detection Service. Valid values:

  • 0: Basic Edition
  • 1: Enterprise Edition
SasId String 1

The ID of the Threat Detection Service system.

Type String text

The format of the exception information.

Uuid String bffb12c3-590a-4db2-b538-XXXXXXXXXXXX

The unique identifier of the affected asset.

Examples

Sample requests


http(s)://[Endpoint]/?Action=DescribeSuspEventDetail
&From=sas
&<Common request parameters>

Successful response examples

XML format

<DescribeSuspEventDetailResponse>
  <RequestId>43F670F3-AB40-4E91-BC7D-C57468834F67</RequestId>
  <HostId>aegis.cn-hangzhou.aliyuncs.com</HostId>
  <Code>200</Code>
  <Message>illegal parameter, xxxx</Message>
  <EventDesc>This file may have been uploaded by an attacker that has intruded into your website. Check the validity of this file.</EventDesc>
  <EventTypeDesc>Webshell-Webshell</EventTypeDesc>
  <EventStatus>1</EventStatus>
  <EventName>WEBSHELL</EventName>
  <SaleVersion>1</SaleVersion>
  <IntranetIp>10.0.0.0</IntranetIp>
  <DataSource>aegis_suspicious_file_v2</DataSource>
  <InstanceName>ca_cpm_test1</InstanceName>
  <Type>normal</Type>
  <CanBeDealOnLine>true</CanBeDealOnLine>
  <OperateMsg/>
  <Uuid>bffb12c3-590a-4db2-b538-XXXXXXXXXXXX</Uuid>
  <Details>
    <Type>text</Type>
    <Value>/data/ftpUser/pub/f12cd3bc5b484b0326309b48afb463fb</Value>
    <InfoType>trojan_path</InfoType>
    <Name>Trojan Path</Name>
  </Details>
  <Details>
    <Type>text</Type>
    <Value>--</Value>
    <Name>Affected Domain</Name>
  </Details>
  <Details>
    <Type>text</Type>
    <Value>2018-10-30 05:00:56</Value>
    <InfoType>frist_found_time</InfoType>
    <Name>Last Detected At</Name>
  </Details>
  <Details>
    <Type>text</Type>
    <Value>2018-10-30 11:43:45</Value>
    <InfoType>update_time</InfoType>
    <Name>Malicious Process - Mining Program</Name>
  </Details>
  <Details>
    <Type>text</Type>
    <Value>Webshell</Value>
    <InfoType>trojan_type</InfoType>
    <Name>Trojan Type</Name>
  </Details>
  <Details>
    <Type>html</Type>
    <Value>&lt;a href="http://yundun-aegis-webshell-file.oss-cn-shanghai.aliyuncs.com/XXXXXXXXXXX?Expires=1540899863&amp;OSSAccessKeyId=XXXXXX&amp;Signature=XXXXXX;response-content-disposition=attachment%3Bfilename%3Df12cd3bc5b484b0326309b48afb463fb"&gt;Download&lt;/a&gt;</Value>
    <InfoType>download_url</InfoType>
    <Name>Source File Download</Name>
  </Details>
  <InternetIp>39.105.41.176</InternetIp>
  <Level>Urgency</Level>
  <Id>129636</Id>
  <LastTime>2018-10-30 11:43:46</LastTime>
  <SasId>39938056</SasId>
</DescribeSuspEventDetailResponse>

JSON format

{
	"Uuid":"bffb12c3-590a-4db2-b538-XXXXXXXXXXXX",
	"EventName":"WEBSHELL",
	"EventStatus":1,
	"Message":"illegal parameter, xxxx\n",
	"LastTime":"2018-10-30 11:43:46",
	"Details":[
		{
			"Name":"Trojan Path",
			"Value":"/data/ftpUser/pub/f12cd3bc5b484b0326309b48afb463fb",
			"Type":"text",
			"InfoType":"trojan_path"
		},
		{
			"Name":"Affected Domain",
			"Value":"--",
			"Type":"text"
		},
		{
			"Name":"First Detected At",
			"Value":"2018-10-30 05:00:56",
			"Type":"text",
			"InfoType":"frist_found_time"
		},
		{
			"Name":"Malicious Process - Mining Program",
			"Value":"2018-10-30 11:43:45",
			"Type":"text",
			"InfoType":"update_time"
		},
		{
			"Name":"Trojan Type",
			"Value":"Webshell",
			"Type":"text",
			"InfoType":"trojan_type"
		},
		{
			"Name":"Source File Download",
			"Value":"<a href=\"http://yundun-aegis-webshell-file.oss-cn-shanghai.aliyuncs.com/XXXXXXXXXX?Expires=1540899863&OSSAccessKeyId=XXXXXX&Signature=XXXXXX&response-content-disposition=attachment%3Bfilename%3Df12cd3bc5b484b0326309b48afb463fb\">Download</a>",
			"Type":"html",
			"InfoType":"download_url"
		}
	],
	"Type":"normal",
	"InternetIp":"39.105.41.176",
	"HostId":"aegis.cn-hangzhou.aliyuncs.com",
	"EventTypeDesc":"Webshell - Webshell",
	"Code":"200",
	"DataSource":"aegis_suspicious_file_v2",
	"SasId":"39938056",
	"RequestId":"43F670F3-AB40-4E91-BC7D-C57468834F67",
	"IntranetIp":"10.0.0.0",
	"Id":129636,
	"Level":"serious",
	"EventDesc":"This file may have been uploaded by an attacker that has intruded into your website. Check the validity of this file.",
	"OperateMsg":"",
	"CanBeDealOnLine":true,
	"SaleVersion":"1",
	"InstanceName":"ca_cpm_test1"
}
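As an added example that is not part of the Alibaba Cloud documentation, the following Python flattens a DescribeSuspEventDetail JSON response into a triage record: it maps the EventStatus codes from the table above to labels, keys the Details array by InfoType (falling back to Name where InfoType is absent), and takes only the href out of Type=html entries such as download_url rather than passing the HTML fragment through to a dashboard. The sample response is constructed from the page's JSON example; treating any Code other than 200 as a failed call is an assumption.

```python
import json
from html.parser import HTMLParser

# EventStatus codes as listed in the response-parameter table of this page.
EVENT_STATUS = {1: "unhandled", 2: "ignored", 4: "confirmed", 8: "false positive",
                16: "handling", 32: "handled", 64: "expired"}

# Constructed sample, trimmed from the page's JSON response example.
SAMPLE_RESPONSE = json.dumps({
    "Code": "200", "Id": 129636, "Uuid": "bffb12c3-590a-4db2-b538-XXXXXXXXXXXX",
    "EventName": "WEBSHELL", "EventStatus": 1, "Level": "serious",
    "InstanceName": "ca_cpm_test1", "Details": [
        {"Name": "Trojan Path", "Type": "text", "InfoType": "trojan_path",
         "Value": "/data/ftpUser/pub/f12cd3bc5b484b0326309b48afb463fb"},
        {"Name": "Affected Domain", "Type": "text", "Value": "--"},
        {"Name": "Source File Download", "Type": "html", "InfoType": "download_url",
         "Value": "<a href=\"http://yundun-aegis-webshell-file.oss-cn-shanghai.aliyuncs.com/"
                  "XXXX?Expires=1540899863&Signature=XXXXXX\">Download</a>"},
    ],
})

class _HrefExtractor(HTMLParser):
    """Collect href targets from <a> tags; the HTML itself is never rendered."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def detail_value(detail):
    """Plain value of one Details entry; Type=html entries yield only the link target."""
    if detail.get("Type") == "html":
        parser = _HrefExtractor()
        parser.feed(detail.get("Value", ""))
        return parser.hrefs[0] if parser.hrefs else None
    return detail.get("Value")

def summarize(response_json):
    """Flatten a DescribeSuspEventDetail response into a triage record."""
    r = json.loads(response_json)
    if str(r.get("Code")) != "200":  # assumption: any other Code means the call failed
        raise ValueError(f"API error {r.get('Code')}: {r.get('Message', '')}")
    # Key each entry by InfoType, falling back to Name ("Affected Domain" has no InfoType).
    details = {d.get("InfoType") or d["Name"]: detail_value(d) for d in r.get("Details", [])}
    status = int(r["EventStatus"])  # documented as String, returned as a number in the sample
    return {"id": r["Id"], "asset": r["InstanceName"], "uuid": r["Uuid"],
            "event": r["EventName"], "status": EVENT_STATUS.get(status, f"unknown({status})"),
            "needs_action": status == 1 and r.get("Level") == "serious", "details": details}
```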

Error codes

View error codes.