Queries the details of exceptions. An alert event consists of alerts and exceptions, and each alert event can be related to multiple exceptions.

Debugging

OpenAPI Explorer automatically calculates the signature value for the request. We recommend that you call this operation in OpenAPI Explorer, which also dynamically generates sample code for the operation in the different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeSuspEvents

The operation that you want to perform.

Set the value to DescribeSuspEvents.

From String Yes sas

The data source on which the exception is detected. Set the value to sas.

SourceIp String No 1.2.3.4

The source IP address of the request.

Dealed String No N

The status of the exception. Valid values:

  • N: unhandled
  • Y: handled
Name String No ecs-xxx

The name of the exception or the affected server. Fuzzy match is supported.

Levels String No serious

The risk level of the exception. Separate multiple levels with commas (,). The following levels are listed from the highest to the lowest:

  • serious
  • suspicious
  • remind
ParentEventTypes String No Webshell

The type of the alert event to which the exception is related.

Remark String No Test server

The IP address or name of the server.

PageSize String No 20

The number of entries to return on each page. Default value: 20.

CurrentPage String No 1

The page number of the current page.

Lang String No zh

The natural language of the request and response. Valid values:

  • zh: Chinese
  • en: English
AlarmUniqueInfo String No 8df914418f4211fbf***

The ID of the alert event to which the exception is related.

Note To query details about the exceptions of an alert event, you must provide the ID of the alert event. You can call the DescribeAlarmEventList operation to query the IDs of alert events.

Response parameters

Parameter Type Example Description
RequestId String 43F670F3-AB40-4E91-BC7D-C57400000000

The ID of the request.

Count Integer 1

The number of entries returned on the current page.

PageSize Integer 20

The number of entries returned per page.

TotalCount Integer 100

The total number of the exceptions.

CurrentPage Integer 1

The page number of the current page.

SuspEvents Array

An array that consists of the exceptions returned on the current page. Each entry contains the following parameters.

LastTime String 2018-09-26 01:51:01

The time when the exception last occurred.

OccurrenceTime String 2018-09-26 01:51:01

The time when the exception first occurred.

Id Long 1000

The ID of the exception.

UniqueInfo String e17e***

The unique identifier of the exception.

InstanceName String nginx

The name of the associated instance.

InternetIp String 1.2.3.1

The public IP address of the associated instance.

IntranetIp String 1.2.3.5

The private IP address of the associated instance.

Uuid String bf6b30d3-eea8-4924-9f0a-***

The ID of the associated instance.

Name String Malicious process (cloud threat detection) - XOR DDoS trojan

The full name of the exception, including the category prefix.

EventSubType String XOR DDoS trojan

The short name of the exception, without the category prefix.

Level String serious

The risk level of the exception. Valid values:

  • serious
  • suspicious
  • remind
EventStatus Integer 1

The status of the exception. Valid values:

  • 1: unhandled
  • 2: ignored
  • 4: confirmed
  • 8: marked as a false positive
  • 16: handling
  • 32: handled
  • 64: expired
Desc String webshell

The description of the exception, including its potential impact.

OperateMsg String success

The operation remarks of the exception.

DataSource String aegis_suspicious_***

This parameter is deprecated.

CanBeDealOnLine Boolean true

Indicates whether the exception can be handled online, for example, by quarantining the malicious file. Valid values:

  • true: Online handling is supported.
  • false: Online handling is not supported.
SaleVersion String 1

The edition in which detection of this exception can be enabled. Valid values:

  • 0: the Basic edition
  • 1: the Enterprise edition
AlarmEventType String Suspicious process

The type of the alert event.

AlarmEventName String Execution of suspicious commands in scheduled Linux tasks

The name of the alert event.

AlarmUniqueInfo String 8df914418f***

The ID of the alert event.

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeSuspEvents
&From=sas
&<Common request parameters>

Sample success responses

XML format

<DescribeSuspEvents>
  <TotalCount>3</TotalCount>
  <Count>2</Count>
  <PageSize>20</PageSize>
  <RequestId>0C7FAD74-83FA-4671-9250-A5F2A64F437A</RequestId>
  <CurrentPage>1</CurrentPage>
  <SuspEvents>
        <EventStatus>1</EventStatus>
        <SaleVersion>1</SaleVersion>
        <IntranetIp>1.2.3.4</IntranetIp>
        <EventSubType>XOR DDoS trojan</EventSubType>
        <Name>Malicious process (cloud threat detection) - XOR DDoS trojan</Name>
        <DataSource>aegis_suspiciou***</DataSource>
        <OccurrenceTime>2018-09-26 01:51:01</OccurrenceTime>
        <InstanceName>server01</InstanceName>
        <Desc>After accessing your server, the XOR DDoS trojan may inject malicious code into Linux scheduled tasks.</Desc>
        <CanBeDealOnLine>false</CanBeDealOnLine>
        <Uuid>bf6b30d3-eea8-4924***</Uuid>
        <InternetIp>1.2.3.4</InternetIp>
        <Level>serious</Level>
        <Id>3682</Id>
        <LastTime>2018-10-24 21:06:01</LastTime>
  </SuspEvents>
  <SuspEvents>
        <EventStatus>1</EventStatus>
        <SaleVersion>1</SaleVersion>
        <IntranetIp>1.2.3.5</IntranetIp>
        <EventSubType>XOR DDoS trojan</EventSubType>
        <Name>Malicious process (cloud threat detection) - XOR DDoS trojan</Name>
        <DataSource>aegis_suspiciou***</DataSource>
        <OccurrenceTime>2018-09-26 02:01:01</OccurrenceTime>
        <InstanceName>server01</InstanceName>
        <Desc>After accessing your server, the XOR DDoS trojan may inject malicious code into Linux scheduled tasks.</Desc>
        <CanBeDealOnLine>false</CanBeDealOnLine>
        <Uuid>bf6b30d3-eea8-4924-***</Uuid>
        <InternetIp>1.2.3.4</InternetIp>
        <Level>serious</Level>
        <Id>3683</Id>
        <LastTime>2018-10-24 21:01:01</LastTime>
  </SuspEvents>
</DescribeSuspEvents>

JSON format

{
    "TotalCount": 3,
    "Count": 2,
    "PageSize": 20,
    "RequestId": "0C7FAD74-83FA-4671-9250-A5F2A64F437A",
    "CurrentPage": 1,
    "SuspEvents": [
        {
            "EventStatus": 1,
            "SaleVersion": "1",
            "IntranetIp": "1.2.3.4",
            "EventSubType": "XOR DDoS trojan",
            "Name": "Malicious process (cloud threat detection) - XOR DDoS trojan",
            "DataSource": "aegis_suspiciou***",
            "OccurrenceTime": "2018-09-26 01:51:01",
            "InstanceName": "server01",
            "Desc": "After accessing your server, the XOR DDoS trojan may inject malicious code into Linux scheduled tasks.",
            "CanBeDealOnLine": false,
            "Uuid": "bf6b30d3-eea8-4924***",
            "InternetIp": "1.2.3.4",
            "Level": "serious",
            "Id": 3682,
            "LastTime": "2018-10-24 21:06:01"
        },
        {
            "EventStatus": 1,
            "SaleVersion": "1",
            "IntranetIp": "1.2.3.5",
            "EventSubType": "XOR DDoS trojan",
            "Name": "Malicious process (cloud threat detection) - XOR DDoS trojan",
            "DataSource": "aegis_suspiciou***",
            "OccurrenceTime": "2018-09-26 02:01:01",
            "InstanceName": "server01",
            "Desc": "After accessing your server, the XOR DDoS trojan may inject malicious code into Linux scheduled tasks.",
            "CanBeDealOnLine": false,
            "Uuid": "bf6b30d3-eea8-4924-***",
            "InternetIp": "1.2.3.4",
            "Level": "serious",
            "Id": 3683,
            "LastTime": "2018-10-24 21:01:01"
        }
    ]
}
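The following added example (not code from Alibaba Cloud or its SDKs) shows how a client would walk the paginated result set described by the request and response parameters above and triage what comes back: it requests only unhandled exceptions (Dealed=N) at the levels of interest, advances CurrentPage until TotalCount entries have been seen or a short page is returned, decodes EventStatus, and orders the results by risk level and LastTime. The transport is an assumption: instead of a signed HTTPS call it is a callable that takes the request parameters and returns the parsed JSON response, so the code runs offline against constructed pages derived from the sample response on this page (the third entry, Id 3684, is invented to exercise the filters).

```python
"""Paginate DescribeSuspEvents and triage the returned exceptions.

Added example, not Alibaba Cloud SDK code. The transport (`call`) is an
assumed callable that performs the signed request and returns the parsed
JSON body; the sample pages below are constructed from this page's sample
response so the logic runs offline.
"""
from typing import Callable, Dict, Iterator, List

# EventStatus codes from the response parameters.
EVENT_STATUS = {1: "unhandled", 2: "ignored", 4: "confirmed",
                8: "false positive", 16: "handling", 32: "handled", 64: "expired"}
# Risk levels, most severe first (Levels request / Level response parameter).
LEVEL_RANK = {"serious": 0, "suspicious": 1, "remind": 2}

Transport = Callable[[Dict[str, str]], dict]


def iter_susp_events(call: Transport, page_size: int = 20,
                     **filters: str) -> Iterator[dict]:
    """Yield every exception matching `filters` (e.g. Dealed="N",
    Levels="serious,suspicious"), advancing CurrentPage until the server
    returns a short page or TotalCount entries have been seen."""
    page, seen = 1, 0
    while True:
        params = {"Action": "DescribeSuspEvents", "From": "sas",
                  "PageSize": str(page_size), "CurrentPage": str(page)}
        params.update(filters)
        resp = call(params)
        events = resp.get("SuspEvents") or []
        yield from events
        seen += len(events)
        total = int(resp.get("TotalCount", 0))
        # Stop on an empty or short page, or once TotalCount is reached, so a
        # server that keeps echoing the last page cannot loop us forever.
        if not events or len(events) < page_size or seen >= total:
            return
        page += 1


def triage(events: List[dict], min_level: str = "suspicious") -> List[dict]:
    """Keep unhandled exceptions (EventStatus 1) at or above `min_level`,
    most severe and most recently seen first, with the status decoded and a
    flag for whether the exception can be handled online (CanBeDealOnLine).
    Dealed=N is applied server-side; this re-checks EventStatus client-side."""
    worst = LEVEL_RANK[min_level]
    rows = []
    for ev in events:
        rank = LEVEL_RANK.get(ev.get("Level"), len(LEVEL_RANK))
        if ev.get("EventStatus") != 1 or rank > worst:
            continue
        rows.append({
            "Id": ev["Id"], "Uuid": ev.get("Uuid"), "Host": ev.get("InstanceName"),
            "Level": ev.get("Level"),
            "Status": EVENT_STATUS.get(ev.get("EventStatus"), "unknown"),
            "Name": ev.get("EventSubType"), "LastTime": ev.get("LastTime", ""),
            "OnlineHandling": bool(ev.get("CanBeDealOnLine")),
        })
    # Two stable sorts: newest LastTime first within each level, then by level.
    rows.sort(key=lambda r: r["LastTime"], reverse=True)
    rows.sort(key=lambda r: LEVEL_RANK[r["Level"]])
    return rows


# Constructed sample pages (PageSize=2) derived from this page's sample
# response; the third event (Id 3684, already handled) is invented.
def _event(id_: int, status: int, level: str, intranet: str, last: str) -> dict:
    return {"EventStatus": status, "SaleVersion": "1", "IntranetIp": intranet,
            "EventSubType": "XOR DDoS trojan",
            "Name": "Malicious process (cloud threat detection) - XOR DDoS trojan",
            "OccurrenceTime": "2018-09-26 01:51:01", "InstanceName": "server01",
            "CanBeDealOnLine": False, "Uuid": "bf6b30d3-eea8-4924***",
            "InternetIp": "1.2.3.4", "Level": level, "Id": id_, "LastTime": last}


SAMPLE_PAGES = {
    1: {"TotalCount": 3, "Count": 2, "PageSize": 2, "CurrentPage": 1,
        "RequestId": "0C7FAD74-83FA-4671-9250-A5F2A64F437A",
        "SuspEvents": [_event(3682, 1, "serious", "1.2.3.4", "2018-10-24 21:06:01"),
                       _event(3683, 1, "serious", "1.2.3.5", "2018-10-24 21:01:01")]},
    2: {"TotalCount": 3, "Count": 1, "PageSize": 2, "CurrentPage": 2,
        "RequestId": "0C7FAD74-83FA-4671-9250-A5F2A64F437B",
        "SuspEvents": [_event(3684, 32, "suspicious", "1.2.3.6", "2018-10-25 08:00:00")]},
}
REQUEST_LOG: List[Dict[str, str]] = []


def fake_transport(params: Dict[str, str]) -> dict:
    """Stand-in for the signed HTTPS call; records the parameters it was given."""
    REQUEST_LOG.append(dict(params))
    return SAMPLE_PAGES.get(int(params["CurrentPage"]),
                            {"TotalCount": 3, "Count": 0, "SuspEvents": []})


if __name__ == "__main__":
    found = list(iter_susp_events(fake_transport, page_size=2,
                                  Dealed="N", Levels="serious,suspicious"))
    for row in triage(found):
        print(row)
```

Filtering with Dealed and Levels on the request keeps the number of pages small; the client-side check on EventStatus is deliberate, because Dealed and EventStatus are separate fields and a handled exception slipping through is cheaper to drop locally than to act on twice.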

Error codes

For a list of error codes, visit the API Error Center.