You can call this operation to obtain a list of alert events. Each alert event is related to multiple exceptions.

Debugging

You can go to API Explorer to debug API operations online. API Explorer allows you to call API operations online, use dynamically generated SDK sample code, and search for API operations. This makes it easier to use cloud APIs.

Request parameters

Name Type Required Example Description
Action String Yes DescribeAlarmEventList

The operation that you want to perform. Set the value to DescribeAlarmEventList.

CurrentPage Integer Yes 1

The page number of the list. Starting value: 1. Default value: 1.

From String Yes sas

The identifier of the request source. The fixed value is sas.

PageSize String Yes 20

The number of rows per page. Default value: 20.

AlarmEventName String No DDoS Trojan

The name of an alert event.

AlarmEventType String No Malicious Process (Alibaba Cloud Antivirus)

The type of an alert event.

Dealed String No Y

The status of an alert event. Valid values:

  • N: Unhandled
  • Y: Handled
Lang String No zh

The language in which the alert information is displayed. Valid values:

  • zh: Chinese
  • en: English
Levels String No serious

The severities of the alert events. Separate multiple severities with commas (,).

  • serious
  • suspicious
  • remind
Remark String No database_server

The name of an alert or the information about the affected asset, used to filter the results.

SourceIp String No 1.1.1.1

The IP address of the request source.

Response parameters

Name Type Example Description
PageInfo

The pagination information.

└Count Integer 1

The number of alert events.

└CurrentPage Integer 1

The current page number.

└PageSize Integer 20

The maximum number of alert events per page.

└TotalCount Integer 1

The total number of alert events.

RequestId String 28267723-D857-4DD8-B295-013100000000

The GUID generated by Alibaba Cloud for the request.

SuspEvents

A list of the alert events.

└AlarmEventName String Command Exceptions in Scheduled Linux Tasks

The name of an alert event.

└AlarmEventType String Suspicious Process

The type of an alert event.

└AlarmUniqueInfo String 8df914418f4211fbf756efe7a6f40cbc

The unique identifier of an alert event.

└CanBeDealOnLine Boolean true

Indicates whether an alert event can be quarantined online.

└CanCancelFault Boolean false

Indicates whether you can cancel labelling an alert event as a false positive.

└DataSource String aegis_suspicious_event

The data source.

└Description String After accessing a victim server, the attacker may have imported malicious shell scripts into scheduled tasks such as crontab and systemd, to enable persistent execution of malicious backdoor programs.

The description of an alert event.

└EndTime Long 1543740301000

The time when an alert event ends.

└InstanceName String Test Server

The name of the affected asset.

└InternetIp String 10.1.1.1

The public IP address of the affected asset.

└IntranetIp String 10.1.1.1

The internal IP address of the affected asset.

└Level String serious

The severity of the alert event. Valid values:

  • serious
  • suspicious
  • remind
└SaleVersion String 4

The required service edition.

  • 0: Basic Edition
  • 1: Enterprise Edition
└Solution String Check the malicious URLs that have been listed in the alert. Check the directory for malicious file downloads. Stop the malicious processes that are running. If you recognize this URL access request, label the alert as a false positive in the console, and submit a ticket.

The solution for an alert event.

└StartTime Long 1543740301000

The time when an alert event starts.

└SuspiciousEventCount Integer 1

The number of exceptions related to an alert event.

└Uuid String 47900178-885d-4fa4-9d77-XXXXXXXXXXXX

The unique identifier of the affected asset.

Examples

Sample requests


http(s)://[Endpoint]/?Action=DescribeAlarmEventList
&CurrentPage=1
&From=sas
&PageSize=20
&<Common request parameters>

Successful response examples

XML format

<DescribeAlarmEventListResponse>
  <RequestId>B5446AFA-58B6-41DC-80E6-E0382AC5A1F4</RequestId>
  <PageInfo>
    <Count>1</Count>
    <TotalCount>1</TotalCount>
    <PageSize>10</PageSize>
    <CurrentPage>1</CurrentPage>
  </PageInfo>
  <SuspEvents>
    <Uuid>47900178-885d-4fa4-9d77-XXXXXXXXXXXX</Uuid>
    <Description>After accessing a victim server, the attacker may have imported malicious shell scripts into scheduled tasks such as crontab and systemd, to enable persistent execution of malicious backdoor programs.</Description>
    <CanCancelFault>false</CanCancelFault>
    <InternetIp>10.0.0.10</InternetIp>
    <SuspiciousEventCount>1</SuspiciousEventCount>
    <AlarmUniqueInfo>8df914418f4211fbf756efe7a6f40cbc</AlarmUniqueInfo>
    <AlarmEventName>Command Exceptions in Scheduled Linux Tasks</AlarmEventName>
    <AlarmEventType>Suspicious Process</AlarmEventType>
    <IntranetIp>10.0.0.10</IntranetIp>
    <Level>serious</Level>
    <EndTime>1543740301000</EndTime>
    <StartTime>1543740301000</StartTime>
    <SaleVersion>1</SaleVersion>
    <CanBeDealOnLine>false</CanBeDealOnLine>
    <InstanceName>server01</InstanceName>
  </SuspEvents>
</DescribeAlarmEventListResponse>

JSON format

{
	"RequestId":"B5446AFA-58B6-41DC-80E6-E0382AC5A1F4",
	"SuspEvents":[
		{
			"Uuid":"47900178-885d-4fa4-9d77-XXXXXXXXXXXX",
			"Description":"After accessing a victim server, the attacker may have imported malicious shell scripts into scheduled tasks such as crontab and systemd, to enable persistent execution of malicious backdoor programs.",
			"CanCancelFault":false,
			"InternetIp":"10.0.0.10",
			"SuspiciousEventCount":1,
			"AlarmUniqueInfo":"8df914418f4211fbf756efe7a6f40cbc",
			"AlarmEventName":"Command Exceptions in Scheduled Linux Tasks",
			"AlarmEventType":"Suspicious Process",
			"IntranetIp":"10.0.0.10",
			"Level":"serious",
			"EndTime":1543740301000,
			"StartTime":1543740301000,
			"CanBeDealOnLine":false,
			"SaleVersion":"1",
			"InstanceName":"server01"
		}
	],
	"PageInfo":{
		"Count":1,
		"TotalCount":1,
		"PageSize":10,
		"CurrentPage":1
	}
}
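As an added example (not code from the Alibaba Cloud documentation or SDK), the following Python builds the request parameters from the table above, pages through the response using PageInfo, and summarizes the returned SuspEvents by Level. The signed HTTP call is replaced by a stub, fake_fetch, that serves a constructed two-page sample; the second AlarmUniqueInfo and the host names are placeholders.

```python
from datetime import datetime, timezone

def build_request(page, page_size=20, levels=("serious", "suspicious"), dealed="N"):
    """Query parameters for DescribeAlarmEventList; the common request
    parameters (signature, version) are added by the signing layer, not here."""
    return {
        "Action": "DescribeAlarmEventList",
        "From": "sas",               # fixed value per the reference
        "CurrentPage": str(page),    # page numbers start at 1
        "PageSize": str(page_size),
        "Levels": ",".join(levels),  # comma-separated severities
        "Dealed": dealed,            # N = unhandled, Y = handled
    }

def iter_alarm_events(fetch, page_size=20, **filters):
    """Walk every page using PageInfo; fetch(params) returns the parsed JSON body.
    Events are de-duplicated on AlarmUniqueInfo in case the list shifts between pages."""
    seen, page = set(), 1
    while True:
        resp = fetch(build_request(page, page_size, **filters))
        for ev in resp.get("SuspEvents", []):
            if ev["AlarmUniqueInfo"] not in seen:
                seen.add(ev["AlarmUniqueInfo"])
                yield ev
        info = resp["PageInfo"]
        # stop on the last page, or on an empty page if TotalCount is inconsistent
        if not resp.get("SuspEvents") or info["CurrentPage"] * info["PageSize"] >= info["TotalCount"]:
            return
        page += 1

def summarize(events):
    """Count events per severity; render StartTime (epoch ms) as UTC ISO-8601."""
    by_level, rows = {}, []
    for ev in events:
        by_level[ev["Level"]] = by_level.get(ev["Level"], 0) + 1
        start = datetime.fromtimestamp(ev["StartTime"] / 1000, tz=timezone.utc)
        rows.append((ev["InstanceName"], ev["Level"], ev["AlarmEventName"], start.isoformat()))
    return by_level, rows

# Constructed two-page sample shaped like the page's JSON example; the second id and hosts are placeholders.
def _event(uid, name, level, host):
    return {"AlarmUniqueInfo": uid, "AlarmEventName": name, "Level": level,
            "InstanceName": host, "StartTime": 1543740301000}
SAMPLE = {
    1: {"PageInfo": {"Count": 1, "TotalCount": 2, "PageSize": 1, "CurrentPage": 1},
        "SuspEvents": [_event("8df914418f4211fbf756efe7a6f40cbc", "Command Exceptions in Scheduled Linux Tasks", "serious", "server01")]},
    2: {"PageInfo": {"Count": 1, "TotalCount": 2, "PageSize": 1, "CurrentPage": 2},
        "SuspEvents": [_event("placeholder-unique-id-2", "DDoS Trojan", "suspicious", "server02")]},
}
fake_fetch = lambda params: SAMPLE[int(params["CurrentPage"])]  # stand-in for the signed HTTP call
```

Calling `summarize(iter_alarm_events(fake_fetch, page_size=1))` walks both sample pages and returns one serious and one suspicious event with their start times in UTC.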

Error codes

View error codes.