You can call this operation to obtain a list of the alert events. An alert event is related to multiple exceptions.
Debugging
You can go to API Explorer to debug API operations online. API Explorer allows you to call API operations online, use dynamically generated SDK sample code, and search for API operations. This makes it easier to use cloud APIs.
Request parameters
Name | Type | Required | Example | Description
---|---|---|---|---
Action | String | Yes | DescribeAlarmEventList | The operation that you want to perform. Set the value to DescribeAlarmEventList.
CurrentPage | Integer | Yes | 1 | The page number of the list. Starting value: 1. Default value: 1.
From | String | Yes | sas | The identifier of the request source. The fixed value is sas.
PageSize | String | Yes | 20 | The number of rows per page. Default value: 20.
AlarmEventName | String | No | DDoS Trojan | The name of an alert event.
AlarmEventType | String | No | Malicious Process (Alibaba Cloud Antivirus) | The type of an alert event.
Dealed | String | No | Y | The status of an alert event. Valid values:
Lang | String | No | zh | The language in which the alert information is displayed. Valid values:
Levels | String | No | serious | The severities of the alert events. Separate multiple severities with commas (,).
Remark | String | No | database_server | The name of an alert or the asset information.
SourceIp | String | No | 1.1.1.1 | The IP address of the request source.
Response parameters
Name | Type | Example | Description
---|---|---|---
PageInfo | | | The pagination information.
└ Count | Integer | 1 | The number of alert events.
└ CurrentPage | Integer | 1 | The current page number.
└ PageSize | Integer | 20 | The maximum number of alert events per page.
└ TotalCount | Integer | 1 | The total number of alert events.
RequestId | String | 28267723-D857-4DD8-B295-013100000000 | The GUID generated by Alibaba Cloud for the request.
SuspEvents | | | A list of the alert events.
└ AlarmEventName | String | Command Exceptions in Scheduled Linux Tasks | The name of an alert event.
└ AlarmEventType | String | Suspicious Process | The type of an alert event.
└ AlarmUniqueInfo | String | 8df914418f4211fbf756efe7a6f40cbc | The unique identifier of an alert event.
└ CanBeDealOnLine | Boolean | true | Indicates whether an alert event can be quarantined online.
└ CanCancelFault | Boolean | false | Indicates whether you can cancel labelling an alert event as a false positive.
└ DataSource | String | aegis_suspicious_event | The data source.
└ Description | String | After accessing a victim server, the attacker may have imported malicious shell scripts into scheduled tasks such as crontab and systemd, to enable persistent execution of malicious backdoor programs. | The description of an alert event.
└ EndTime | Long | 1543740301000 | The time when an alert event ends.
└ InstanceName | String | Test Server | The name of the affected asset.
└ InternetIp | String | 10.1.1.1 | The public IP address of the affected asset.
└ IntranetIp | String | 10.1.1.1 | The internal IP address of the affected asset.
└ Level | String | serious | The severity of the alert event. Valid values:
└ SaleVersion | String | 4 | The required service edition.
└ Solution | String | Check the malicious URLs that have been listed in the alert. Check the directory for malicious file downloads. Stop the malicious processes that are running. If you recognize this URL access request, label the alert as a false positive in the console, and submit a ticket. | The solution for an alert event.
└ StartTime | Long | 1543740301000 | The time when an alert event starts.
└ SuspiciousEventCount | Integer | 1 | The number of exceptions related to an alert event.
└ Uuid | String | 47900178-885d-4fa4-9d77-XXXXXXXXXXXX | The unique identifier of the affected asset.
Examples
Sample requests
```
http(s)://[Endpoint]/?Action=DescribeAlarmEventList
&CurrentPage=1
&From=sas
&PageSize=20
&<Common request parameters>
```
Successful response examples
XML format
```xml
<DescribeAlarmEventListResponse>
  <RequestId>B5446AFA-58B6-41DC-80E6-E0382AC5A1F4</RequestId>
  <PageInfo>
    <Count>1</Count>
    <TotalCount>1</TotalCount>
    <PageSize>10</PageSize>
    <CurrentPage>1</CurrentPage>
  </PageInfo>
  <SuspEvents>
    <Uuid>47900178-885d-4fa4-9d77-XXXXXXXXXXXX</Uuid>
    <Description>After accessing a victim server, the attacker may have imported malicious shell scripts into scheduled tasks such as crontab and systemd, to enable persistent execution of malicious backdoor programs.</Description>
    <CanCancelFault>false</CanCancelFault>
    <InternetIp>10.0.0.10</InternetIp>
    <SuspiciousEventCount>1</SuspiciousEventCount>
    <AlarmUniqueInfo>8df914418f4211fbf756efe7a6f40cbc</AlarmUniqueInfo>
    <AlarmEventName>Command Exceptions in Scheduled Linux Tasks</AlarmEventName>
    <AlarmEventType>Suspicious Process</AlarmEventType>
    <IntranetIp>10.0.0.10</IntranetIp>
    <Level>Urgency</Level>
    <EndTime>1543740301000</EndTime>
    <StartTime>1543740301000</StartTime>
    <SaleVersion>1</SaleVersion>
    <CanBeDealOnLine>false</CanBeDealOnLine>
    <InstanceName>server01</InstanceName>
  </SuspEvents>
</DescribeAlarmEventListResponse>
```
JSON format
```json
{
  "RequestId": "B5446AFA-58B6-41DC-80E6-E0382AC5A1F4",
  "SuspEvents": [
    {
      "Uuid": "47900178-885d-4fa4-9d77-XXXXXXXXXXXX",
      "Description": "After accessing a victim server, the attacker may have imported malicious shell scripts into scheduled tasks such as crontab and systemd, to enable persistent execution of malicious backdoor programs.",
      "CanCancelFault": false,
      "InternetIp": "10.0.0.10",
      "SuspiciousEventCount": 1,
      "AlarmUniqueInfo": "8df914418f4211fbf756efe7a6f40cbc",
      "AlarmEventName": "Command Exceptions in Scheduled Linux Tasks",
      "AlarmEventType": "Suspicious Process",
      "IntranetIp": "10.0.0.10",
      "Level": "serious",
      "EndTime": 1543740301000,
      "StartTime": 1543740301000,
      "CanBeDealOnLine": false,
      "SaleVersion": "1",
      "InstanceName": "server01"
    }
  ],
  "PageInfo": {
    "Count": 1,
    "TotalCount": 1,
    "PageSize": 10,
    "CurrentPage": 1
  }
}
```
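The following is an added example, not code from this reference or from Alibaba Cloud's SDKs: it builds the request parameters described above, pages through DescribeAlarmEventList using the PageInfo values the service returns, and turns the events that cannot be quarantined online (CanBeDealOnLine = false) into an analyst worklist with UTC timestamps. The HTTP transport and the signed common request parameters are assumed to be supplied by the caller through fetch_page; the embedded response is constructed from the JSON sample above.

```python
from datetime import datetime, timezone

# Constructed sample: the JSON response body from the reference above, trimmed
# to the fields this helper uses (TotalCount and PageSize drive pagination).
SAMPLE_RESPONSE = {
    "PageInfo": {"Count": 1, "TotalCount": 1, "PageSize": 10, "CurrentPage": 1},
    "SuspEvents": [{
        "Uuid": "47900178-885d-4fa4-9d77-XXXXXXXXXXXX",
        "InstanceName": "server01", "Level": "serious",
        "AlarmEventName": "Command Exceptions in Scheduled Linux Tasks",
        "AlarmEventType": "Suspicious Process",
        "CanBeDealOnLine": False, "SuspiciousEventCount": 1,
        "StartTime": 1543740301000, "EndTime": 1543740301000,
    }],
}

def build_request(page, page_size=20, levels=None):
    """Operation-specific query parameters for one page (signing is left to the caller)."""
    if page < 1:
        raise ValueError("CurrentPage starts at 1")
    params = {"Action": "DescribeAlarmEventList", "From": "sas",
              "CurrentPage": page, "PageSize": page_size}
    if levels:  # Levels is a comma-separated list of severities
        params["Levels"] = ",".join(levels)
    return params

def total_pages(page_info):
    return -(-page_info["TotalCount"] // page_info["PageSize"])  # ceiling division

def fetch_all(fetch_page, page_size=20, levels=None):
    """Walk every page; fetch_page(params) returns the parsed JSON response."""
    page, events = 1, []
    while True:
        resp = fetch_page(build_request(page, page_size, levels))
        events.extend(resp["SuspEvents"])
        if not resp["SuspEvents"] or page >= total_pages(resp["PageInfo"]):
            return events
        page += 1

def to_utc(ms):
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def manual_followup(events):
    """Events that cannot be quarantined online need an analyst; emit a compact worklist."""
    return [{"asset": e["InstanceName"], "uuid": e["Uuid"], "name": e["AlarmEventName"],
             "level": e["Level"], "exceptions": e["SuspiciousEventCount"],
             "start": to_utc(e["StartTime"])}
            for e in events if not e["CanBeDealOnLine"]]
```

Running `manual_followup(fetch_all(lambda p: SAMPLE_RESPONSE, page_size=10))` against the embedded sample yields one worklist entry for server01.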