Queries the details of the alert events on the Alerts page. An alert event consists of alerts and exceptions; each alert event can be associated with one or more exceptions.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeAlarmEventList

The operation that you want to perform. Set the value to DescribeAlarmEventList.

CurrentPage Integer Yes 1

The page number of the current page. Pages start from page 1. Default value: 1.

From String Yes sas

The ID of the request source. Set the value to sas.

PageSize String Yes 20

The number of entries to return on each page. Default value: 20.

SourceIp String No 1.2.3.4

The source IP address of the request.

Lang String No zh

The natural language of the request and response.

  • zh: Chinese
  • en: English

Dealed String No Y

The status of the alert event. Valid values:

  • N: unhandled
  • Y: handled

Levels String No serious

The risk level of the alert event. Separate multiple levels with commas (,). Valid values:

  • serious
  • suspicious
  • remind

Remark String No database_server

The name of the alert, or the asset information.

GroupId String No tst***

The group ID of the affected asset.

AlarmEventName String No DDoS trojans

The name of the alert event.

AlarmEventType String No Malicious process (cloud threat detection)

The type of the alert event.

OperateErrorCodeList.N RepeatList No ignore.Success

Handling result code N of the alert event. Each value has the format Operation type.Operation result code (for example, kill_and_quara.Success).

Operation types:

  • Common: performs common operations.
  • deal: handles the alert.
  • ignore: ignores the alert.
  • offline_handled: marks the alert as handled.
  • mark_mis_info: marks the alert as a false positive by adding it to the whitelist.
  • rm_mark_mis_info: cancels a false positive by removing the alert from the whitelist.
  • quara: quarantines the source file of the malicious process.
  • kill_and_quara: terminates the malicious process and quarantines the source file.
  • kill_virus: deletes the source file of the malicious process.
  • block_ip: blocks the source IP address.
  • manual_handled: manually handles the alert.

Operation result codes:

  • Success: The operation is successful.
  • Failure: The operation fails.
  • AgentOffline: The agent is offline.

Response parameters

Parameter Type Example Description
RequestId String 28267723-D857-4DD8-B295-013100000000

The ID of the request.

SuspEvents Array

The information about the alert event.

AlarmUniqueInfo String 8df914418f4211fbf756efe7a6f40cbc

The ID of the alert event.

Solution String Check the malicious URLs that are listed in the alert. Check the directory for malicious files. Terminate the malicious processes. If you manually run the processes, you can mark them as false positives in the console.

The solution to handle the alert event.

Level String serious

The risk level of the alert event. Valid values:

  • serious
  • suspicious
  • remind

CanBeDealOnLine Boolean true

Indicates whether the online processing of the alert event is supported, such as quarantining the source file of the malicious process, adding the alert event to the whitelist, and ignoring the alert event.

  • true: Online processing is supported.
  • false: Online processing is not supported.

Description String After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep the malicious programs running. The scheduled tasks include crontab and systemd.

The description of the alert event.

StartTime Long 1543740301000

The time when the alert event was detected. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.

EndTime Long 1543740301000

The time when the alert event ends. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.

AlarmEventType String Suspicious process

The type of the alert event.

SuspiciousEventCount Integer 1

The number of exceptions associated with the alert event.

Uuid String 47900178-885d-4fa4-9d77-***

The ID of the associated instance.

InstanceName String Test server

The name of the associated instance.

InternetIp String 1.2.3.4

The public IP address of the associated instance.

IntranetIp String 1.2.3.5

The private IP address of the associated instance.

AlarmEventName String Execution of malicious commands

The name of the alert event.

SaleVersion String 1

The edition in which detection of this alert event can be enabled. Valid values:

  • 0: the Basic edition
  • 1: the Enterprise edition

DataSource String aegis_***

The source of data.

CanCancelFault Boolean false

Indicates whether you can cancel marking this alert as a false positive.

Dealed Boolean false

Indicates whether the alert is handled. Valid values:

  • true: handled
  • false: unhandled

GmtModified Long 1569235879000

The time when the alert event was last detected. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.

HasTraceInfo Boolean true

Indicates whether the alert event has trace information.

  • true: The alert event has trace information.
  • false: The alert event does not have trace information.

SecurityEventIds String 270789

The ID of the associated exception.

OperateErrorCode String kill_and_quara.Success

The handling result code of the alert event.

AlarmEventNameOriginal String Precise defense against malicious commands

The original parent name of the alert event.

InstanceId String i-e***

The ID of the associated instance.

PageInfo Struct

The page information.

Count Integer 1

The number of entries returned on the current page.

PageSize Integer 20

The number of entries returned per page.

TotalCount Integer 1

The total number of the alert events.

CurrentPage Integer 1

The page number of the current page.

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeAlarmEventList
&CurrentPage=1
&From=sas
&PageSize=20
&<Common request parameters>

Sample success responses

XML format

<DescribeAlarmEventList>
  <RequestId>1D7FB2DD-4B80-41F4-94CF-C484EF6A5CAC</RequestId>
  <PageInfo>
        <Count>1</Count>
        <TotalCount>58</TotalCount>
        <PageSize>1</PageSize>
        <CurrentPage>1</CurrentPage>
  </PageInfo>
  <SuspEvents>
        <Uuid>c4678332-ef35-4ad4-8358-681ebbc0ccab</Uuid>
        <Dealed>true</Dealed>
        <SecurityEventIds>261401</SecurityEventIds>
        <Description>Cloud threat detection (mining programs)</Description>
        <CanCancelFault>false</CanCancelFault>
        <InstanceId>i-bp***</InstanceId>
        <OperateErrorCode></OperateErrorCode>
        <InternetIp>1.2.3.5</InternetIp>
        <GmtModified>1572524936000</GmtModified>
        <SuspiciousEventCount>1</SuspiciousEventCount>
        <HasTraceInfo>false</HasTraceInfo>
        <AlarmUniqueInfo>8b59e7bd134797758709983c26ece2a2</AlarmUniqueInfo>
        <AlarmEventName>Mining programs</AlarmEventName>
        <AlarmEventType>Precise defense</AlarmEventType>
        <IntranetIp>1.2.3.4</IntranetIp>
        <Level>serious</Level>
        <EndTime>1572524936000</EndTime>
        <StartTime>1572524936000</StartTime>
        <AlarmEventNameOriginal>Precise defense against mining programs</AlarmEventNameOriginal>
        <SaleVersion>0</SaleVersion>
        <CanBeDealOnLine>false</CanBeDealOnLine>
        <InstanceName>cit***</InstanceName>
  </SuspEvents>
</DescribeAlarmEventList>

JSON format

{
    "RequestId": "1D7FB2DD-4B80-41F4-94CF-C484EF6A5CAC",
    "PageInfo": {
        "Count": 1,
        "TotalCount": 58,
        "PageSize": 1,
        "CurrentPage": 1
    },
    "SuspEvents": [
        {
            "Uuid": "c4678332-ef35-4ad4-8358-681ebbc0ccab",
            "Dealed": true,
            "SecurityEventIds": "261401",
            "Description": "Cloud threat detection (mining programs)",
            "CanCancelFault": false,
            "InstanceId": "i-bp***",
            "OperateErrorCode": "",
            "InternetIp": "1.2.3.5",
            "GmtModified": 1572524936000,
            "SuspiciousEventCount": 1,
            "HasTraceInfo": false,
            "AlarmUniqueInfo": "8b59e7bd134797758709983c26ece2a2",
            "AlarmEventName": "Mining programs",
            "AlarmEventType": "Precise defense",
            "IntranetIp": "1.2.3.4",
            "Level": "serious",
            "EndTime": 1572524936000,
            "StartTime": 1572524936000,
            "AlarmEventNameOriginal": "Precise defense against mining programs",
            "SaleVersion": "0",
            "CanBeDealOnLine": false,
            "InstanceName": "cit***"
        }
    ]
}
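As an added example (not part of this API reference or the SDKs it refers to), the following Python parses one page of the JSON response shown above, validates the OperateErrorCode field against the operation types and result codes listed under OperateErrorCodeList.N, renders the millisecond timestamps, and uses PageInfo to decide whether the next CurrentPage must be requested. The sample page is constructed from values on this page, and the helper function names are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample page (modelled on this page's JSON sample, not a live capture).
SAMPLE_PAGE = json.loads("""
{"RequestId": "1D7FB2DD-4B80-41F4-94CF-C484EF6A5CAC",
 "PageInfo": {"Count": 2, "TotalCount": 3, "PageSize": 2, "CurrentPage": 1},
 "SuspEvents": [
  {"AlarmUniqueInfo": "8b59e7bd134797758709983c26ece2a2", "Level": "serious",
   "Dealed": true, "OperateErrorCode": "kill_and_quara.Success",
   "AlarmEventName": "Mining programs", "StartTime": 1572524936000},
  {"AlarmUniqueInfo": "8df914418f4211fbf756efe7a6f40cbc", "Level": "suspicious",
   "Dealed": false, "OperateErrorCode": "",
   "AlarmEventName": "Execution of malicious commands", "StartTime": 1543740301000}
 ]}
""")

# Enumerations taken from the OperateErrorCodeList.N parameter description.
OPERATION_TYPES = {"Common", "deal", "ignore", "offline_handled", "mark_mis_info",
                   "rm_mark_mis_info", "quara", "kill_and_quara", "kill_virus",
                   "block_ip", "manual_handled"}
RESULT_CODES = {"Success", "Failure", "AgentOffline"}

def parse_operate_error_code(code):
    """Split 'Operation type.Operation result code' into a (type, result) tuple.
    Returns None for an empty field (no action recorded) or an unknown value."""
    if not code:
        return None
    op_type, sep, result = code.partition(".")
    if not sep or op_type not in OPERATION_TYPES or result not in RESULT_CODES:
        return None
    return op_type, result

def ms_to_iso(ms):
    """Render StartTime/EndTime/GmtModified (milliseconds since the epoch) as UTC ISO-8601."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def has_more_pages(page_info):
    """True when PageInfo shows further pages, i.e. CurrentPage should be incremented."""
    return page_info["CurrentPage"] * page_info["PageSize"] < page_info["TotalCount"]

def open_events(page):
    """Events still needing attention: not handled and no successful action recorded."""
    result = []
    for ev in page["SuspEvents"]:
        action = parse_operate_error_code(ev.get("OperateErrorCode", ""))
        if ev["Dealed"] or (action and action[1] == "Success"):
            continue
        result.append((ev["AlarmUniqueInfo"], ev["Level"], ms_to_iso(ev["StartTime"])))
    return result
```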

Error codes

For a list of error codes, visit the API Error Center.