DescribeSuspEvents - Security Center - Alibaba Cloud Documentation Center

Queries a list of alert events that are generated without aggregation.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
yundun-sas:DescribeSuspEvents	Read	All Resources *	none	none

Request parameters

Parameter	Type	Required	Description	Example
SourceIp	string	No	The source IP address of the request.	192.168.XX.XX
Dealed	string	No	Specifies whether the alert event is handled. Valid values: N: unhandled Y: handled	N
Name	string	No	The name of the asset that is affected by the alert event.	ecs-xxx
Levels	string	No	The severity of the alert event. Separate multiple severities with commas (,). Valid values: serious suspicious remind	serious
ParentEventTypes	string	No	The alert type of the alert event. Valid values: Suspicious process Webshell Unusual logon Exception Sensitive file tampering Malicious process (cloud threat detection) Suspicious network connection Suspicious account Application intrusion event Cloud threat detection Precise defense Application whitelist Persistent webshell Web application threat detection Malicious script Threat intelligence Malicious network activity Cluster exception Webshell (on-premises threat detection) Vulnerability exploitation Malicious process (on-premises threat detection) Trusted exception Operations to manage other resources	Webshell
EventNames	string	No	The subtype of the alert event. Separate multiple subtypes with commas (,).	WEBSHELL
Remark	string	No	The name of the alert or the information about the asset. Note Fuzzy search is supported. The asset information includes the name, public IP address, and private IP address of an asset.	192.168.XX.XX
Status	string	No	The status of the alert event. Valid values: 0: all 1: pending handling 2: ignored 4: confirmed 8: marked as a false positive 16: handling 32: handled 64: expired 128: deleted 512: automatically blocking 513: automatically blocked	1
PageSize	string	No	The number of entries per page. Default value: 20. Maximum value: 100.	20
CurrentPage	string	No	The number of the page to return. Default value: 1.	1
Lang	string	No	The language of the content within the request and response. Default value: zh. Valid values: zh: Chinese en: English	zh
AlarmUniqueInfo	string	No	The ID of the alert event. Note To query the details of an alert event, you must specify the ID of the alert event. You can call the DescribeSuspEvents operation to query the IDs of alert events.	8df914418f4211fb****
UniqueInfo	string	No	The unique key of the alert.	73fc06fb175a7405697e402f52864****
Id	long	No	The ID of the alert event.	123
From	string	No	The data source of the alert event. Set the value to sas.	sas
Source	string	No	The source of the alert.	aegis_suspicious_file_v2
GroupId	long	No	The ID of the asset group to which the affected asset belongs.	18768
Uuids	string	No	The UUID of the server on which the alert is detected. Separate multiple UUIDs with commas (,).	bb5d2484-f10e-450d-8917-3e79667e**,0e7c2fcd-7100-42c7-a21a-db6e4f32**
ClusterId	string	No	The ID of the cluster of whose alert events you want to query.	c4af4fdf38a98496a9b63c2be5dae****
ContainerFieldName	string	No	The key of the condition that is used to query alert events on containers. Valid values: instanceId: the ID of the asset appName: the name of the application clusterId: the ID of the cluster regionId: the ID of the region nodeName: the name of the node namespace: the namespace clusterName: the name of the cluster image: the name of the image imageRepoName: the name of the image repository imageRepoNamespace: the namespace to which the image repository belongs imageRepoTag: the tag that is added to the image imageDigest: the digest of the image	instanceId
ContainerFieldValue	string	No	The value of the condition that is used to query alert events on containers.	ccf9769c22b844ff9b8d57417683b****
TargetType	string	No	The item that is used to search for the container. Valid values: containerId: the ID of the container uuid: the UUID of the server imageUuid: the UUID of the image	containerId
TacticId	string	No	The tactic ID of ATT&CK.	TA0001
OperateErrorCodeList	array	No	An array that consists of the handling result codes of alert events.
	string	No	The handling result code of the alert event. Set the value in the following format: Operation type.Operation result code. The following operation types are supported: Common: performs common operations. deal: handles the alert event. ignore: ignores the alert event. offline_handled: marks the alert event as handled. mark_mis_info: adds the alert event to the whitelist. rm_mark_mis_info: cancels adding the alert event to the whitelist. quara: quarantines the source file of the malicious process. kill_and_quara: terminates the malicious process and quarantines the source file. kill_virus: deletes the source file of the malicious process. block_ip: blocks the source IP address. manual_handled: marks the alert event as manually handled. advance_mark_mis_info: adds the alert event to the whitelist that is configured for precise defense. advance_mark_mis_info.System: automatically adds the alert event to the whitelist that is configured for precise defense. advance_mark_mis_info.User: manually adds the alert event to the whitelist that is configured for precise defense. The following handling result codes are supported: Success: The operation is successful. Failure: The operation fails. AgentOffline: The agent is offline.	ignore. Success
OperateTimeStart	string	No	The timestamp when the handling operation starts.	2022-07-05 13:50:38
OperateTimeEnd	string	No	The timestamp when the handling operation ends.	2022-07-06 13:50:38
TimeStart	string	No	The start time when the alert event was last detected.	2022-07-05 13:50:38
TimeEnd	string	No	The end time when the alert event was last detected.	2022-07-06 13:50:38
SortColumn	string	No	The custom sorting field. Default value: operateTime. Valid values: lastTime: the latest occurrence time. operateTime: the handling time. Note This parameter takes effect if you set the Dealed parameter to Y.	operateTime
SortType	string	No	The custom sorting order. Default value: desc. Valid values: asc: the ascending order desc: the descending order Note This parameter takes effect if you set the Dealed parameter to Y.	desc
AssetsTypeList	array	No	The types of the assets.
	string	No	The type of the asset. Valid values: ECS: Elastic Compute Service (ECS) instance CONTAINER: container K8S: Kubernetes cluster	ECS
ResourceDirectoryAccountId	long	No	The Alibaba Cloud account ID of the member in the resource directory. Note You can call the DescribeMonitorAccounts operation to query the ID.	16670360956*****

Response parameters

Parameter	Type	Description	Example
	object	The response parameters.
CurrentPage	integer	The page number of the returned page.	1
PageSize	integer	The number of entries returned per page.	20
RequestId	string	The ID of the request.	0D6E20E4-8326-1D03-A553-2182BE9E82F9
TotalCount	integer	The total number of alert events.	100
Count	integer	The number of entries returned on the current page.	20
SuspEvents	object []	The information about the alert event.
Stages	string	The stage at which the attack is detected.	"["authority_maintenance"]"
TacticItems	object []	The display name of the attack stage.
TacticId	string	The ATT&CK stage information.	TA0001
TacticDisplayName	string	The ATT&CK tactic name.	Malicious scripts-Malicious script code execution
InternetIp	string	The public IP address that is associated with instance.	1.2.XX.XX
K8sClusterName	string	The name of the Kubernetes cluster.	k8s-daily
ContainerImageId	string	The ID of the image to which the container belongs.	sha256:2e5a3b0ae5f452b3cb458789a9a7542ef40035a84318469a8528c5e444db1****
LastTimeStamp	long	The timestamp when the alert event was last detected. Unit: milliseconds.	1631699497000
OccurrenceTime	string	The time when the alert event was first detected.	2018-09-26 01:51:01
AlarmUniqueInfo	string	The unique ID of the alert event.	8df914418f****
Desc	string	The impact of the alert event.	webshell
CanCancelFault	boolean	Indicates whether you can cancel marking the alert event as a false positive. Valid values: true false	false
AlarmEventNameDisplay	string	The name of the alert.	Login with unusual location
AppName	string	The name of the application to which the alert event belongs.	pro-deploy-tibasic
SecurityEventIds	string	The ID of the associated alert event.	270789
K8sClusterId	string	The ID of the Kubernetes cluster.	c517b37e1401e4961b3951863a49a****
ContainerImageName	string	The name of the image to which the container belongs.	centos7_apache:v1.0.1
MarkMisRules	string	The advanced whitelist rule.	[{\"uuid\":\"ALL\",\"field\":\"gmtModified\",\"operate\":\"contains\",\"fieldValue\":\"222\"}]
CanBeDealOnLine	boolean	Indicates whether you can handle the alert event online, such as quarantining the source file of the malicious process. Valid values: true false	true
ContainHwMode	boolean	Indicates whether the safeguard mode for major activities is enabled for the server. Valid values: true false	false
K8sNodeId	string	The ID of the Kubernetes node.	i-bp14a1ay8e0aa9t0****
InstanceName	string	The name of the associated instance.	nginx
EventStatus	integer	The status of the alert event. Valid values: 1: pending handling 2: ignored 4: confirmed 8: marked as a false positive 16: handling 32: handled 64: expired	1
SaleVersion	string	The edition of Security Center in which the alert event can be detected. Valid values: 0: Basic edition 1: Enterprise edition	1
OperateErrorCode	string	The handling result code of the alert event.	kill_and_quara.Success
Name	string	The complete name of the alert event.	Unusual Logon-Login with unusual location
HasTraceInfo	boolean	Indicates whether the alert event has tracing information. Valid values: true false	true
DataSource	string	The source of data. This parameter can be ignored.	aegis_suspicious_****
OperateTime	long	The handling timestamp of the alert event. Unit: milliseconds.	1631699497000
EventSubType	string	The subtype of the alert event.	login_common_location
Advanced	boolean	Indicates whether the alert event was analyzed offline.	true
OccurrenceTimeStamp	long	The timestamp when the alert event was first detected. Unit: milliseconds.	1631699497000
InstanceId	string	The ID of the affected asset.	i-9dp6dwsxdl9z5u1e2f****
AlarmEventTypeDisplay	string	The display name of the type of the alert event.	Unusual Logon
IntranetIp	string	The private IP address of the associated instance.	100.100.XX.XX
LastTime	string	The time when the alert event was last detected.	2018-09-26 01:51:01
OperateMsg	string	The handing result message of the alert event.	success
Uuid	string	The unique ID of the associated instance.	bf6b30d3-eea8-4924-9f0a-****
K8sPodName	string	The name of the Kubernetes pod.	myapp-pod
ContainerId	string	The ID of the container.	container_1648601865161_14925_02_000****
AlarmEventType	string	The type of the alert event.	Unusual Logon
K8sNamespace	string	The namespace of the Kubernetes cluster.	default
AutoBreaking	boolean	Indicates whether automatic defense is enabled.	true
K8sNodeName	string	The name of the Kubernetes node.	N/A
AlarmEventName	string	The name of the alert event.	login_common_location
UniqueInfo	string	The unique key of the alert.	e17e****
MaliciousRuleStatus	string	The status of the malicious behavior defense rule. Valid values: open close	open
Level	string	The severity of the alert event. Valid values: serious suspicious remind	serious
Id	long	The unique ID of the alert event.	1000
Details	object []	The details of the alert event.
Type	string	The type of the alert event.	text
Value	string	The path of the alert event.	/etc/crontab
NameDisplay	string	The display name of the alert event.	Login with unusual location
ValueDisplay	string	The display name of the path of the alert event.	/etc/crontab
EventNotes	object []	The note information about the alert event.
Note	string	The note.	Test
NoteId	long	The ID of the note.	123
NoteTime	string	The time when the note was created.	2018-09-26 01:51:01
clusterId	string	The ID of the cluster.	c2051775877374cccbf68af596e6****
ImageUuid	string	The UUID of the image.	70489fb520cea585ad9761d5a842****
DisplaySandboxResult	boolean	Indicates whether the alert event can be detected by cloud sandbox. Valid values: true false	true
LargeModel	boolean	Indicates whether the large model analysis tag is supported. Valid values: true false	true

Examples

Sample success responses

JSONformat

{
  "CurrentPage": 1,
  "PageSize": 20,
  "RequestId": "0D6E20E4-8326-1D03-A553-2182BE9E82F9",
  "TotalCount": 100,
  "Count": 20,
  "SuspEvents": [
    {
      "Stages": "\"[\"authority_maintenance\"]\"",
      "TacticItems": [
        {
          "TacticId": "TA0001",
          "TacticDisplayName": "Malicious scripts-Malicious script code execution"
        }
      ],
      "InternetIp": "1.2.XX.XX",
      "K8sClusterName": "k8s-daily",
      "ContainerImageId": "sha256:2e5a3b0ae5f452b3cb458789a9a7542ef40035a84318469a8528c5e444db1****",
      "LastTimeStamp": 1631699497000,
      "OccurrenceTime": "2018-09-26 01:51:01",
      "AlarmUniqueInfo": "8df914418f****",
      "Desc": "webshell",
      "CanCancelFault": false,
      "AlarmEventNameDisplay": "Login with unusual location",
      "AppName": "pro-deploy-tibasic",
      "SecurityEventIds": "270789",
      "K8sClusterId": "c517b37e1401e4961b3951863a49a****",
      "ContainerImageName": "centos7_apache:v1.0.1",
      "MarkMisRules": "[{\\\"uuid\\\":\\\"ALL\\\",\\\"field\\\":\\\"gmtModified\\\",\\\"operate\\\":\\\"contains\\\",\\\"fieldValue\\\":\\\"222\\\"}]",
      "CanBeDealOnLine": true,
      "ContainHwMode": false,
      "K8sNodeId": "i-bp14a1ay8e0aa9t0****\n",
      "InstanceName": "nginx",
      "EventStatus": 1,
      "SaleVersion": "1",
      "OperateErrorCode": "kill_and_quara.Success",
      "Name": "Unusual Logon-Login with unusual location",
      "HasTraceInfo": true,
      "DataSource": "aegis_suspicious_****",
      "OperateTime": 1631699497000,
      "EventSubType": "login_common_location",
      "Advanced": true,
      "OccurrenceTimeStamp": 1631699497000,
      "InstanceId": "i-9dp6dwsxdl9z5u1e2f****",
      "AlarmEventTypeDisplay": "Unusual Logon",
      "IntranetIp": "100.100.XX.XX",
      "LastTime": "2018-09-26 01:51:01",
      "OperateMsg": "success",
      "Uuid": "bf6b30d3-eea8-4924-9f0a-****",
      "K8sPodName": "myapp-pod\n",
      "ContainerId": "container_1648601865161_14925_02_000****",
      "AlarmEventType": "Unusual Logon",
      "K8sNamespace": "default",
      "AutoBreaking": true,
      "K8sNodeName": "N/A",
      "AlarmEventName": "login_common_location",
      "UniqueInfo": "e17e****",
      "MaliciousRuleStatus": "open",
      "Level": "serious",
      "Id": 1000,
      "Details": [
        {
          "Type": "text",
          "Value": "/etc/crontab",
          "NameDisplay": "Login with unusual location",
          "ValueDisplay": "/etc/crontab"
        }
      ],
      "EventNotes": [
        {
          "Note": "Test",
          "NoteId": 123,
          "NoteTime": "2018-09-26 01:51:01\n"
        }
      ],
      "clusterId": "c2051775877374cccbf68af596e6****",
      "ImageUuid": "70489fb520cea585ad9761d5a842****",
      "DisplaySandboxResult": true,
      "LargeModel": true
    }
  ]
}

Error codes

HTTP status code	Error code	Error message	Description
400	NoPermission	no permission	-
400	UnknownError	UnknownError	-
400	RdCheckNoPermission	Resource directory account verification has no permission.	-
403	NoPermission	caller has no permission	You are not authorized to do this operation.
500	RdCheckInnerError	Resource directory account service internal error.	-
500	ServerError	ServerError	-

For a list of error codes, visit the Service error codes.

Change history

Change time

Summary of changes

Operation

2024-01-24

The Error code has changed

see changesets

Change item	Change content
Error Codes	The Error code has changed.
	delete Error Codes: 400
	delete Error Codes: 500

2023-09-21

The Error code has changed

see changesets

Change item	Change content
Error Codes	The Error code has changed.
	delete Error Codes: 400
	delete Error Codes: 500

2023-09-20

The Error code has changed

see changesets

Change item	Change content
Error Codes	The Error code has changed.
	delete Error Codes: 400
	delete Error Codes: 500

2023-09-13

The Error code has changed

see changesets

Change item	Change content
Error Codes	The Error code has changed.
	delete Error Codes: 400
	delete Error Codes: 500

2023-09-07

The Error code has changed

see changesets

Change item	Change content
Error Codes	The Error code has changed.
	delete Error Codes: 400
	delete Error Codes: 500

2023-08-09

The Error code has changed. The response structure of the API has changed

see changesets

Change item	Change content
Error Codes	The Error code has changed.
	delete Error Codes: 400
	delete Error Codes: 500
Output Parameters	The response structure of the API has changed.

2023-07-20

The Error code has changed. The request parameters of the API has changed

see changesets

Change item	Change content
Error Codes	The Error code has changed.
	Error Codes 400 change
	Added Error Codes: 500
Input Parameters	The request parameters of the API has changed.
	Added Input Parameters: ResourceDirectoryAccountId

2023-04-25

The Error code has changed. The response structure of the API has changed

see changesets

Change item	Change content
Error Codes	The Error code has changed.
	delete Error Codes: 400
Output Parameters	The response structure of the API has changed.