Queries the details of the alert events on the Alerts page. An alert event consists of alerts and exceptions. Each alert event is related to multiple exceptions.
Debugging
Request parameters
| Parameter | Type | Required | Example | Description |
|---|---|---|---|---|
| Action | String | Yes | DescribeAlarmEventList | The operation that you want to perform. Set the value to DescribeAlarmEventList. |
| CurrentPage | Integer | Yes | 1 | The page number of the current page. Pages start from page 1. Default value: 1. |
| From | String | Yes | sas | The ID of the request source. Set the value to sas. |
| PageSize | String | Yes | 20 | The number of entries to return on each page. Default value: 20. |
| SourceIp | String | No | 1.2.3.4 | The source IP address of the request. |
| Lang | String | No | zh | The natural language of the request and response.
|
| Dealed | String | No | Y | The status of the alert event. Valid values:
|
| Levels | String | No | serious | The risk level of the alert event. Separate multiple levels with commas (,). Valid values:
|
| Remark | String | No | database_server | The name of the alert, or the asset information. |
| GroupId | String | No | tst*** | The group ID of the affected asset. |
| AlarmEventName | String | No | DDoS trojans | The name of the alert event. |
| AlarmEventType | String | No | Malicious process (cloud threat detection) | The type of the alert event. |
| OperateErrorCodeList.N | RepeatList | No | ignore. Success | The handling result code N of the alert event. The value is in the following format: Operation type.Operation result code. Operation types:
Operation result codes:
|
Response parameters
| Parameter | Type | Example | Description |
|---|---|---|---|
| RequestId | String | 28267723-D857-4DD8-B295-013100000000 | The ID of the request. |
| SuspEvents | Array | The information about the alert event. |
|
| AlarmUniqueInfo | String | 8df914418f4211fbf756efe7a6f40cbc | The ID of the alert event. |
| Solution | String | Check the malicious URLs that are listed in the alert. Check the directory for malicious files. Terminate the malicious processes. If you manually run the processes, you can mark them as false positives in the console. | The solution to handle the alert event. |
| Level | String | serious | The risk level of the alert event. Valid values:
|
| CanBeDealOnLine | Boolean | true | Indicates whether the online processing of the alert event is supported, such as quarantining the source file of the malicious process, adding the alert event to the whitelist, and ignoring the alert event.
|
| Description | String | After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep the malicious programs running. The scheduled tasks include crontab and systemd. | The description of the alert event. |
| StartTime | Long | 1543740301000 | The time when the alert event was detected. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. |
| EndTime | Long | 1543740301000 | The time when the alert event ends. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. |
| AlarmEventType | String | Suspicious process | The type of the alert event. |
| SuspiciousEventCount | Integer | 1 | The number of exceptions associated with the alert event. |
| Uuid | String | 47900178-885d-4fa4-9d77-*** | The ID of the associated instance. |
| InstanceName | String | Test server | The name of the associated instance. |
| InternetIp | String | 1.2.3.4 | The public IP address of the associated instance. |
| IntranetIp | String | 1.2.3.5 | The private IP address of the associated instance. |
| AlarmEventName | String | Execution of malicious commands | The name of the alert event. |
| SaleVersion | String | 1 | The edition in which the alert event detection can be enabled. Valid values:
|
| DataSource | String | aegis_*** | The source of data. |
| CanCancelFault | Boolean | false | Indicates whether you can cancel marking this alert as a false positive. |
| Dealed | Boolean | false | Indicates whether the alert is handled. Valid values:
|
| GmtModified | Long | 1569235879000 | The time when the alert event was last detected. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. |
| HasTraceInfo | Boolean | true | Indicates whether the alert event has trace information.
|
| SecurityEventIds | String | 270789 | The ID of the associated exception. |
| OperateErrorCode | String | kill_and_quara.Success | The handling result code of the alert event. |
| AlarmEventNameOriginal | String | Precise defense against malicious commands | The original parent name of the alert event. |
| InstanceId | String | i-e*** | The ID of the associated instance. |
| PageInfo | Struct | The page information. |
|
| Count | Integer | 1 | The number of entries returned on the current page. |
| PageSize | Integer | 20 | The number of entries returned per page. |
| TotalCount | Integer | 1 | The total number of the alert events. |
| CurrentPage | Integer | 1 | The page number of the current page. |
Examples
Sample requests
http(s)://[Endpoint]/?Action=DescribeAlarmEventList
&CurrentPage=1
&From=sas
&PageSize=20
&<Common request parameters>Sample success responses
XML format
<DescribeAlarmEventList>
<RequestId>1D7FB2DD-4B80-41F4-94CF-C484EF6A5CAC</RequestId>
<PageInfo>
<Count>1</Count>
<TotalCount>58</TotalCount>
<PageSize>1</PageSize>
<CurrentPage>1</CurrentPage>
</PageInfo>
<SuspEvents>
<Uuid>c4678332-ef35-4ad4-8358-681ebbc0ccab</Uuid>
<Dealed>true</Dealed>
<SecurityEventIds>261401</SecurityEventIds>
<Description>Cloud threat detection (mining programs)</Description>
<CanCancelFault>false</CanCancelFault>
<InstanceId>i-bp***</InstanceId>
<OperateErrorCode></OperateErrorCode>
<InternetIp>1.2.3.5</InternetIp>
<GmtModified>1572524936000</GmtModified>
<SuspiciousEventCount>1</SuspiciousEventCount>
<HasTraceInfo>false</HasTraceInfo>
<AlarmUniqueInfo>8b59e7bd134797758709983c26ece2a2</AlarmUniqueInfo>
<AlarmEventName>Mining programs</AlarmEventName>
<AlarmEventType>Precise defense</AlarmEventType>
<IntranetIp>1.2.3.4</IntranetIp>
<Level>serious</Level>
<EndTime>1572524936000</EndTime>
<StartTime>1572524936000</StartTime>
<AlrmEventNameOriginal>Precise defense against mining programs</AlarmEventNameOriginal>
<SaleVersion>0</SaleVersion>
<CanBeDealOnLine>false</CanBeDealOnLine>
<InstanceName>cit***</InstanceName>
</SuspEvents>
</DescribeAlarmEventList>JSON format
{
"RequestId": "1D7FB2DD-4B80-41F4-94CF-C484EF6A5CAC",
"PageInfo": {
"Count": 1,
"TotalCount": 58,
"PageSize": 1,
"CurrentPage": 1
},
"SuspEvents": [
{
"Uuid": "c4678332-ef35-4ad4-8358-681ebbc0ccab",
"Dealed": true,
"SecurityEventIds": "261401",
"Description": "Cloud threat detection (mining programs)",
"CanCancelFault": false,
"InstanceId": "i-bp***",
"OperateErrorCode": "",
"InternetIp": "1.2.3.5",
"GmtModified": 1572524936000,
"SuspiciousEventCount": 1,
"HasTraceInfo": false,
"AlarmUniqueInfo": "8b59e7bd134797758709983c26ece2a2",
"AlarmEventName": "Mining programs",
"AlarmEventType": "Precise defense",
"IntranetIp": "1.2.3.4",
"Level": "serious",
"EndTime": 1572524936000,
"StartTime": 1572524936000,
"AlarmEventNameOriginal": "Precise defense against mining programs",
"SaleVersion": "0",
"CanBeDealOnLine": false,
"InstanceName": "cit***"
}
]
}Error codes
For a list of error codes, visit the API Error Center.