You can call this operation to obtain a list of exceptions.

Debugging

You can go to API Explorer to debug API operations online. API Explorer allows you to call API operations online, use dynamically generated SDK sample code, and search for API operations. This makes it easier to use cloud APIs.

Request parameters

Name Type Required Example Description
Action String Yes DescribeSuspEvents

The operation that you want to perform. Set the value to DescribeSuspEvents.

From String Yes sas

The identifier of the request source. The fixed value is sas.

AlarmUniqueInfo String No 8df914418f4211fbf756efe7a6f40cbc

The unique identifier of the alert event.

CurrentPage String No 1

The current page number.

Dealed String No N

The status of an exception. Valid values:

  • N: unhandled
  • Y: handled

Lang String No zh

The language in which the exception information is displayed. Valid values:

  • zh: Chinese
  • en: English

Levels String No serious

The severities of the alert events. Separate multiple severities with commas (,). The following severity levels are listed in descending order.

  • serious
  • suspicious
  • remind

Name String No Mining

The name of the exception or the affected server. Fuzzy match is supported.

PageSize String No 20

The maximum number of rows to return on each page. Default: 20.

ParentEventTypes String No Webshells

The type of an exception.

Remark String No Test server

The IP address or name of the server.

SourceIp String No 1.1.1.1

The source IP address of the request.

Response parameters

Name Type Example Description
Count Integer 1

The total number of exceptions.

CurrentPage Integer 1

The current page number.

PageSize Integer 20

The maximum number of exceptions on each page.

RequestId String 43F670F3-AB40-4E91-BC7D-C57400000000

The GUID generated by Alibaba Cloud for the request.

SuspEvents

A list of the exceptions.

└AlarmEventName String Command Exceptions in Scheduled Linux Tasks

The name of the alert event.

└AlarmEventType String Suspicious Process

The type of the alert event.

└AlarmUniqueInfo String 8df914418f4211fbf756efe700000000

The unique identifier of the alert event.

└CanBeDealOnLine Boolean true

Indicates whether you can quarantine an exception online.

└DataSource String N/A

The data source.

└Desc String webshell

The impact of an exception.

└EventStatus Integer 1

The status of an exception. Valid values:

  • 1: unhandled
  • 2: ignored
  • 4: confirmed
  • 8: labelled as false positive
  • 16: handling
  • 32: handled
  • 64: expired

└EventSubType String XorDDoS Trojan

The name of an exception.

└Id Long 1000

The unique identifier of an exception.

└InstanceName String nginx

The name of the affected asset.

└InternetIp String 10.0.0.10

The public IP address of the affected asset.

└IntranetIp String 10.0.0.10

The internal IP address of the affected asset.

└LastTime String 2018-09-26 01:51:01

The time of an exception.

└Level String serious

The severity of the alert event:

  • serious
  • suspicious
  • remind

└Name String Malicious Process - XOR DDoS Trojan

The complete name of an exception.

└OccurrenceTime String 2018-09-26 01:51:01

The time when an exception first occurs.

└OperateMsg String success

Remarks about an operation.

└SaleVersion String 1

Required service edition:

  • 0: Basic Edition
  • 1: Enterprise Edition

└Uuid String bf6b30d3-eea8-4924-9f0a-XXXXXXXXXXXX

The unique identifier of the affected asset.

TotalCount Integer 100

The total number of the returned exceptions.

Examples

Sample requests


http(s)://[Endpoint]/?Action=DescribeSuspEvents
&From=sas
&<Common request parameters>

Successful response examples

XML format

<DescribeSuspEventsResponse>
  <TotalCount>3</TotalCount> 
  <Count>2</Count>
  <PageSize>20</PageSize>
  <RequestId>0C7FAD74-83FA-4671-9250-A5F2A64F437A</RequestId> 
  <CurrentPage>1</CurrentPage>
  <SuspEvents> 
    <EventStatus>1</EventStatus>
    <SaleVersion>1</SaleVersion>
    <IntranetIp>10.0.0.0</IntranetIp>
    <EventSubType>XOR DDoS Trojan</EventSubType>
    <Name>Malicious Process - XOR DDoS Trojan</Name>
    <DataSource>aegis_suspicious_event</DataSource> 
    <OccurrenceTime>2018-09-26 01:51:01</OccurrenceTime> 
    <InstanceName>server01</InstanceName>
    <Desc>After accessing your server, the XOR DDoS trojan may have injected malicious code into Linux crontab files. </Desc>
    <CanBeDealOnLine>false</CanBeDealOnLine> 
    <Uuid>bf6b30d3-eea8-4924-9f0a-XXXXXXXXXXXX</Uuid>
    <InternetIp>10.0.0.0</InternetIp>
    <Level>serious</Level>
    <Id>3682</Id>
    <LastTime>2018-10-24 21:06:01</LastTime>
  </SuspEvents>
  <SuspEvents>
    <EventStatus>1</EventStatus>
    <SaleVersion>1</SaleVersion>
    <IntranetIp>172.24.40.51</IntranetIp>
    <EventSubType>XOR DDoS Trojan</EventSubType>
    <Name>Malicious Process - XOR DDoS Trojan</Name>
    <DataSource>aegis_suspicious_event</DataSource>
    <OccurrenceTime>2018-09-26 02:01:01</OccurrenceTime>
    <InstanceName>server01</InstanceName>
    <Desc>After accessing your server, the XOR DDoS trojan may have injected malicious code into Linux crontab files. </Desc>
    <CanBeDealOnLine>false</CanBeDealOnLine>
    <Uuid>bf6b30d3-eea8-4924-9f0a-98461cb8ffeb</Uuid>
    <InternetIp>10.0.0.0</InternetIp>
    <Level>serious</Level>
    <Id>3683</Id>
    <LastTime>2018-10-24 21:01:01</LastTime>
  </SuspEvents>
</DescribeSuspEventsResponse>

JSON format

{
	"Count":2,
	"TotalCount":3,
	"PageSize":20,
	"RequestId":"0C7FAD74-83FA-4671-9250-A5F2A64F437A",
	"SuspEvents":[
		{
			"Uuid":"bf6b30d3-eea8-4924-9f0a-XXXXXXXXXXXX",
			"EventStatus":1,
			"LastTime":"2018-10-24 21:06:01",
			"InternetIp":"10.0.0.0",
			"Name":"Malicious Process - XOR DDoS Trojan",
			"DataSource":"aegis_suspicious_event",
			"OccurrenceTime":"2018-09-26 01:51:01",
			"IntranetIp":"10.0.0.0",
			"Id":3682,
			"Level":"serious",
			"SaleVersion":"1",
			"CanBeDealOnLine":false,
			"InstanceName":"server01",
			"Desc":"After accessing your server, the XOR DDoS trojan may have injected malicious code into Linux crontab files.",
			"EventSubType":"XOR DDoS Trojan"
		},
		{
			"Uuid":"bf6b30d3-eea8-4924-9f0a-XXXXXXXXXXXX",
			"EventStatus":1,
			"LastTime":"2018-10-24 21:01:01",
			"InternetIp":"10.0.0.0",
			"Name":"Malicious Process - XOR DDoS Trojan",
			"DataSource":"aegis_suspicious_event",
			"OccurrenceTime":"2018-09-26 02:01:01",
			"IntranetIp":"172.24.40.51",
			"Id":3683,
			"Level":"serious",
			"SaleVersion":"1",
			"CanBeDealOnLine":false,
			"InstanceName":"server01",
			"Desc":"After accessing your server, the XOR DDoS trojan may have injected malicious code into Linux crontab files.",
			"EventSubType":"XOR DDoS Trojan"
		}
	],
	"CurrentPage":1
}
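
The following Python example is added here and is not code from Alibaba Cloud or its SDK. It pages through DescribeSuspEvents results with CurrentPage and PageSize, then builds a triage queue from the EventStatus and Level values documented above. Assumptions: fetch_page and fake_fetch are hypothetical stand-ins for a signed API call, the sample events are constructed, and TotalCount is taken to be the number of matching events across all pages.

```python
import math

# EventStatus codes as listed in the response parameter table above.
EVENT_STATUS = {1: "unhandled", 2: "ignored", 4: "confirmed",
                8: "labelled as false positive", 16: "handling",
                32: "handled", 64: "expired"}
# Severity levels in descending order, as listed for the Levels parameter.
LEVEL_RANK = {"serious": 0, "suspicious": 1, "remind": 2}


def iter_susp_events(fetch_page, page_size=20, **filters):
    """Yield every SuspEvents entry, advancing CurrentPage until TotalCount is covered.

    fetch_page is a hypothetical callable (params dict -> decoded JSON response);
    in production it would wrap a signed request made with an SDK or HTTP client.
    """
    page = 1
    while True:
        params = {"Action": "DescribeSuspEvents", "From": "sas",
                  "CurrentPage": str(page), "PageSize": str(page_size), **filters}
        resp = fetch_page(params)
        events = resp.get("SuspEvents", [])
        yield from events
        # Assumption: TotalCount counts matching events across all pages.
        last_page = math.ceil(resp.get("TotalCount", 0) / page_size)
        if not events or page >= last_page:  # empty page guards against looping forever
            return
        page += 1


def triage_queue(events):
    """Return unhandled events, most severe first, then by earliest OccurrenceTime."""
    open_events = [e for e in events if e.get("EventStatus") == 1]
    return sorted(open_events, key=lambda e: (
        LEVEL_RANK.get(e.get("Level"), len(LEVEL_RANK)),  # unknown levels sort last
        e.get("OccurrenceTime", "")))


# Constructed sample data (not real API output): three events.
_SAMPLE = [
    {"Id": 3682, "EventStatus": 1, "Level": "suspicious", "OccurrenceTime": "2018-09-26 01:51:01"},
    {"Id": 3683, "EventStatus": 32, "Level": "serious", "OccurrenceTime": "2018-09-26 02:01:01"},
    {"Id": 3684, "EventStatus": 1, "Level": "serious", "OccurrenceTime": "2018-09-27 08:00:00"},
]


def fake_fetch(params):
    """Offline stand-in for the API call; slices _SAMPLE by the requested page."""
    size, page = int(params["PageSize"]), int(params["CurrentPage"])
    chunk = _SAMPLE[(page - 1) * size: page * size]
    return {"TotalCount": len(_SAMPLE), "Count": len(chunk), "PageSize": size,
            "CurrentPage": page, "SuspEvents": chunk}
```

Passing Dealed="N" or Levels="serious" as keyword filters narrows the result on the server side; the client-side EventStatus check still matters because the response status has more states than the Dealed filter.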

Error codes

View error codes.