DescribeAlarmEventList - API Reference| Alibaba Cloud Documentation Center

An alert event is related to multiple exceptions. You can call this operation to obtain a list of the alert events.

Debugging

You can go to API Explorer to debug API operations online. API Explorer allows you to call API operations online, use dynamically generated SDK sample code, and search for API operations. This makes it easier to use cloud APIs.

Request parameters


Name	Type	Required	Example	Description
Action	String	Yes	DescribeAlarmEventList	The operation that you want to perform. Set the value to DescribeAlarmEventList.
CurrentPage	Integer	Yes	1	The page number of the list. Starting value: 1. Default value: 1.
From	String	Yes	sas	The identifier of the request source. The fixed value is sas.
PageSize	String	Yes	20	The number of rows per page. Default value: 20.
AlarmEventName	String	No	DDoS Trojan	The name of an alert event.
AlarmEventType	String	No	Malicious Process (Alibaba Cloud Antivirus)	The type of an alert event.
Dealed	String	No	Y	The status of an alert event. Valid values: N: Unhandled Y: Handled
Lang	String	No	zh	The language in which the alert information is displayed. Valid values: zh: Chinese en: English
Levels	String	No	serious	The severities of the alert events. Separate multiple severities with commas (,). serious suspicious remind
Remark	String	No	database_server	The name of an alert or the asset information.
SourceIp	String	No	1.1.1.1	The IP address of the request source.

Response parameters


Name	Type	Example	Description
PageInfo			The pagination information.
└Count	Integer	1	The number of alert events.
└CurrentPage	Integer	1	The current page number.
└PageSize	Integer	20	The maximum number of alert events per page.
└TotalCount	Integer	1	The total number of alert events.
RequestId	String	28267723-D857-4DD8-B295-013100000000	The GUID generated by Alibaba Cloud for the request.
SuspEvents			A list of the alert events.
└AlarmEventName	String	Command Exceptions in Scheduled Linux Tasks	The name of an alert event.
└AlarmEventType	String	Suspicious Process	The type of an alert event.
└AlarmUniqueInfo	String	8df914418f4211fbf756efe7a6f40cbc	The unique identifier of an alert event.
└CanBeDealOnLine	Boolean	true	Indicates whether an alert event can be quarantined online.
└CanCancelFault	Boolean	false	Indicates whether you can cancel labelling an alert event as a false positive.
└DataSource	String	aegis_suspicious_event	The data source.
└Description	String	After accessing a victim server, the attacker may have imported malicious shell scripts into scheduled tasks such as crontab and systemd, to enable persistent execution of malicious backdoor programs.	The description of an alert event.
└EndTime	Long	1543740301000	The time when an alert event ends.
└InstanceName	String	Test Server	The name of the affected asset.
└InternetIp	String	10.1.1.1	The public IP address of the affected asset.
└IntranetIp	String	10.1.1.1	The internal IP address of the affected asset.
└Level	String	serious	The severity of the alert event. Valid values: serious suspicious remind
└SaleVersion	String	4	The required service edition. 0: Basic Edition 1: Enterprise Edition
└Solution	String	Check the malicious URLs that have been listed in the alert. Check the directory for malicious file downloads. Stop the malicious processes that are running. If you recognize this URL access request, label the alert as a false positive in the console, and submit a ticket.	The solution for an alert event.
└StartTime	Long	1543740301000	The time when an alert event starts.
└SuspiciousEventCount	Integer	1	The number of exceptions related to an alert event.
└Uuid	String	47900178-885d-4fa4-9d77-XXXXXXXXXXXX	The unique identifier of the affected asset.

Examples

Sample requests


http(s)://[Endpoint]/? Action=DescribeAlarmEventList
&CurrentPage=1 
&From=sas
&PageSize=20
&<Common request parameters>

Successful response examples

XML format

<DescribeAlarmEventListResponse>
  <RequestId>B5446AFA-58B6-41DC-80E6-E0382AC5A1F4</RequestId>
  <PageInfo>
    <Count>1</Count>
    <TotalCount>1</TotalCount> 
    <PageSize>10</PageSize> 
    <CurrentPage>1</CurrentPage> 
  </PageInfo>
  <SuspEvents>
    <Uuid>47900178-885d-4fa4-9d77-XXXXXXXXXXXX</Uuid> 
    <Description>After accessing a victim server, the attacker may have imported malicious shell scripts into scheduled tasks such as crontab and systemd, to enable persistent execution of malicious backdoor programs. </Description> 
    <CanCancelFault>false</CanCancelFault> 
    <InternetIp>10.0.0.10</InternetIp> 
    <SuspiciousEventCount>1</SuspiciousEventCount> 
    <AlarmUniqueInfo>8df914418f4211fbf756efe7a6f40cbc</AlarmUniqueInfo> 
    <AlarmEventName>Command Exceptions in Scheduled Linux Tasks</AlarmEventName>
    <AlarmEventType>Suspicious Process</AlarmEventType>
    <IntranetIp>10.0.0.10</IntranetIp>
    <Level>Urgency</Level>
    <EndTime>1543740301000</EndTime>
    <StartTime>1543740301000</StartTime>
    <SaleVersion>1</SaleVersion>
    <CanBeDealOnLine>false</CanBeDealOnLine>
    <InstanceName>server01</InstanceName>
  </SuspEvents>
</DescribeAlarmEventListResponse>

JSON format

{
	"RequestId":"B5446AFA-58B6-41DC-80E6-E0382AC5A1F4",
	"SuspEvents":[
		{
			"Uuid":"47900178-885d-4fa4-9d77-XXXXXXXXXXXX",
			"Description":"After accessing a victim server, the attacker may have imported malicious shell scripts into scheduled tasks such as crontab and systemd, to enable persistent execution of malicious backdoor programs.",
			"CanCancelFault":false,
			"InternetIp":"10.0.0.10",
			"SuspiciousEventCount":1,
			"AlarmUniqueInfo":"8df914418f4211fbf756efe7a6f40cbc",
			"AlarmEventName":"Command Exceptions in Scheduled Linux Tasks",
			"AlarmEventType":"Suspicious Process",
			"IntranetIp":"10.0.0.10",
			"Level":"serious",
			"EndTime":1543740301000,
			"StartTime":1543740301000,
			"CanBeDealOnLine":false,
			"SaleVersion":"1",
			"InstanceName":"server01"
		}
	],
	"PageInfo":{
		"Count":1,
		"TotalCount":1,
		"PageSize":10,
		"CurrentPage":1
	}
}

Error codes

View error codes.