Queries the details of intrusion events.

Description

You can call the DescribeRiskEventGroup operation to query and download the details of intrusion events. We recommend that you query the details of 5 to 10 intrusion events at a time. If you do not need the information about the geographical locations of IP addresses, set the NoLocation parameter to true. This prevents query timeouts.

Limits

You can call this operation up to 10 times per second per account. If the number of calls per second exceeds the limit, throttling is triggered and your business may be affected. We recommend that you take note of the limit when you call this operation.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeRiskEventGroup

The operation that you want to perform.

Set the value to DescribeRiskEventGroup.

DataType String Yes session

The type of risk events.

Set the value to session. The value indicates intrusion events.

EndTime String Yes 1534408267

The end of the time range to query. The value is a UNIX timestamp. Unit: seconds.

StartTime String Yes 1534408189

The beginning of the time range to query. The value is a UNIX timestamp. Unit: seconds.

Lang String No zh

The natural language of the request and response. Valid values:

  • zh: Chinese (default)
  • en: English
Direction String No in

The direction of the traffic for the intrusion events. Valid values:

  • in: inbound
  • out: outbound
Note: If you do not specify this parameter, the intrusion events in both inbound and outbound traffic are queried.
PageSize String No 6

The number of entries to return on each page.

Default value: 6. Maximum value: 10.

CurrentPage String No 1

The number of the page to return.

Pages start from page 1. Default value: 1.

RuleSource String No 1

The module of the rule that is used to detect the intrusion events. Valid values:

  • 1: basic protection
  • 2: virtual patching
  • 4: threat intelligence
Note: If you do not specify this parameter, the intrusion events that are detected by all rules are queried.
RuleResult String No 1

The status of the firewall. Valid values:

  • 1: alerting
  • 2: blocking
Note: If you do not specify this parameter, the intrusion events that are detected by all firewalls are queried.
SrcIP String No 192.0.XX.XX

The source IP address to query. If you specify this parameter, all intrusion events from the specified source IP address are queried.

DstIP String No 192.0.XX.XX

The destination IP address to query. If you specify this parameter, all intrusion events with the specified destination IP address are queried.

VulLevel String No 1

The risk level of the intrusion events. Valid values:

  • 1: low
  • 2: medium
  • 3: high
Note: If you do not specify this parameter, the intrusion events at all risk levels are queried.
FirewallType String No InternetFirewall

The type of the firewall. Valid values:

  • VpcFirewall: virtual private cloud (VPC) firewall
  • InternetFirewall: Internet firewall (default)
SrcNetworkInstanceId String No vpc-uf6e9a9zyokj2ywuo****

The ID of the source VPC.

Note: You must specify this parameter only when the FirewallType parameter is set to VpcFirewall.
DstNetworkInstanceId String No vpc-uf6e9a9zyokj2ywuo****

The ID of the destination VPC.

Note: You must specify this parameter only when the FirewallType parameter is set to VpcFirewall.
AttackType String No 1

The attack type of the intrusion events. Valid values:

  • 1: suspicious connection
  • 2: command execution
  • 3: brute-force attack
  • 4: scanning
  • 5: others
  • 6: information leak
  • 7: denial-of-service (DoS) attack
  • 8: buffer overflow attack
  • 9: web attack
  • 10: trojan backdoor
  • 11: computer worm
  • 12: mining
  • 13: reverse shell
Note: If you do not specify this parameter, the intrusion events of all attack types are queried.
AttackApp.N RepeatList No ["MySql","DNS"]

The names of attacked applications. The value is in the ["AttackApp1","AttackApp2"] format.

NoLocation String No false

Specifies whether to query the information about the geographical locations of IP addresses.

  • true: does not query the information about the geographical locations of IP addresses.
  • false: queries the information about the geographical locations of IP addresses. This is the default value.

All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common parameters.

For more information about sample requests, see the "Examples" section of this topic.
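The following added example (not Alibaba Cloud SDK code) builds the flat query parameters described above and pages through results while respecting the documented PageSize maximum of 10, defaulting NoLocation to true to avoid timeouts. The transport `call(params) -> dict` (request signing, common parameters, HTTP) is assumed to be supplied by the caller, and the `AttackApp.1`, `AttackApp.2` flattening of the RepeatList parameter is an assumption about the usual encoding.

```python
from typing import Callable, Dict, Iterator, List, Optional

# Documented maximum for PageSize; the page recommends 5-10 events per call.
MAX_PAGE_SIZE = 10


def build_params(start_time: int, end_time: int, *, page: int = 1,
                 page_size: int = 6, no_location: bool = True,
                 attack_apps: Optional[List[str]] = None,
                 **filters: str) -> Dict[str, str]:
    """Return the query-string parameters for one page of the query."""
    if end_time < start_time:
        raise ValueError("EndTime must not precede StartTime")
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"PageSize must be between 1 and {MAX_PAGE_SIZE}")
    if page < 1:
        raise ValueError("CurrentPage starts at 1")
    params = {
        "Action": "DescribeRiskEventGroup",
        "DataType": "session",  # the only documented value
        "StartTime": str(start_time),
        "EndTime": str(end_time),
        "PageSize": str(page_size),
        "CurrentPage": str(page),
        # Skipping geolocation lookups is the documented way to avoid timeouts.
        "NoLocation": "true" if no_location else "false",
    }
    # RepeatList parameters are flattened as AttackApp.1, AttackApp.2, ...
    # (assumption: the usual Alibaba Cloud RepeatList encoding).
    for i, app in enumerate(attack_apps or [], start=1):
        params[f"AttackApp.{i}"] = app
    params.update(filters)  # e.g. Direction="in", VulLevel="3"
    return params


def iter_events(call: Callable[[Dict[str, str]], dict], start_time: int,
                end_time: int, **kwargs) -> Iterator[dict]:
    """Yield every DataList entry across pages until TotalCount is reached."""
    page, seen = 1, 0
    while True:
        resp = call(build_params(start_time, end_time, page=page, **kwargs))
        data = resp.get("DataList") or []
        if isinstance(data, dict):  # the sample response shows a lone object
            data = [data]
        yield from data
        seen += len(data)
        if not data or seen >= int(resp.get("TotalCount", 0)):
            return
        page += 1
```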

Response parameters

Parameter Type Example Description
DataList Array of Data

The details of the intrusion events.

AttackApp String MySql

The name of the attacked application.

AttackType Integer 1

The attack type of the intrusion event. Valid values:

  • 1: suspicious connection
  • 2: command execution
  • 3: brute-force attack
  • 4: scanning
  • 5: others
  • 6: information leak
  • 7: DoS attack
  • 8: buffer overflow attack
  • 9: web attack
  • 10: trojan backdoor
  • 11: computer worm
  • 12: mining
  • 13: reverse shell
Description String Path traversal attacks are detected in the web access requests over HTTP.

The description of the intrusion event.

Direction String in

The direction of the traffic for the intrusion event. Valid values:

  • in: inbound
  • out: outbound
DstIP String 192.0.XX.XX

The destination IP address that is included in the intrusion event.

EventCount Integer 100

The number of intrusion events.

EventId String 2b58efae-4c4b-4d96-9544-a586fb1f****

The ID of the intrusion event.

EventName String Path traversal attack

The name of the intrusion event.

FirstEventTime Integer 1534408189

The time when the intrusion event was first detected. The value is a UNIX timestamp. Unit: seconds.

IPLocationInfo Struct

The information about the geographical location of the IP address. This struct contains the following parameters: CityId, CityName, CountryId, and CountryName.

CityId String 510100

The ID of the city to which the IP address belongs.

CityName String Chengdu, Sichuan Province

The name of the city to which the IP address belongs.

CountryId String CN

The ID of the country to which the IP address belongs.

CountryName String China

The name of the country to which the IP address belongs.

LastEventTime Integer 1534408267

The time when the intrusion event was last detected. The value is a UNIX timestamp. Unit: seconds.

ResourcePrivateIPList Array of ResourcePrivateIPListItem

The information about the private IP address of the intrusion event. The value is an array and includes the following parameters: RegionNo, ResourceInstanceId, ResourceInstanceName, and ResourcePrivateIP.

RegionNo String cn-hangzhou

The ID of the region to which the private IP address belongs.

ResourceInstanceId String i-wz92jf4scg2zb74p****

The ID of the instance that uses the private IP address.

ResourceInstanceName String LD-shenzhen-zy****

The name of the instance that uses the private IP address.

ResourcePrivateIP String 10.255.XX.XX

The private IP address.

ResourceType String EcsPublicIP

The type of the public IP address in the intrusion event. Valid values:

  • EIP: the elastic IP address (EIP)
  • EcsPublicIP: the public IP address of an Elastic Compute Service (ECS) instance
  • EcsEIP: the EIP of an ECS instance
  • NatPublicIP: the public IP address of a Network Address Translation (NAT) gateway
  • NatEIP: the EIP of a NAT gateway
RuleId String 1000****

The ID of the rule that is used to detect the intrusion event.

RuleResult Integer 2

The status of the firewall. Valid values:

  • 1: alerting
  • 2: blocking
RuleSource Integer 1

The module of the rule that is used to detect the intrusion event. Valid values:

  • 1: basic protection
  • 2: virtual patching
  • 4: threat intelligence
SrcIP String 192.0.XX.XX

The source IP address that is included in the intrusion event.

SrcPrivateIPList List ["192.168.XX.XX","192.168.XX.XX"]

The source private IP addresses of the intrusion event.

Note: The value of this parameter is returned only when you set Direction to out.
Tag String Threat intelligence provided for major events

The tag added to the threat intelligence that is provided for major events.

VpcDstInfo Struct

The information about the destination VPC of the intrusion event. This struct contains the following parameters: EcsInstanceId, EcsInstanceName, NetworkInstanceId, NetworkInstanceName, and RegionNo.

EcsInstanceId String i-wz92jf4scg2zb74p****

The ID of the ECS instance.

EcsInstanceName String LD-shenzhen-zy****

The name of the ECS instance.

NetworkInstanceId String vpc-uf6e9a9zyokj2ywuo****

The ID of the VPC.

NetworkInstanceName String VPC-SH-TX****

The name of the VPC.

RegionNo String cn-hangzhou

The ID of the region in which the destination VPC resides.

VpcSrcInfo Struct

The information about the source VPC of the intrusion event. This struct contains the following parameters: EcsInstanceId, EcsInstanceName, NetworkInstanceId, NetworkInstanceName, and RegionNo.

EcsInstanceId String i-wz92jf4scg2zb74p****

The ID of the ECS instance.

EcsInstanceName String LD-shenzhen-zy****

The name of the ECS instance.

NetworkInstanceId String vpc-uf6e9a9zyokj2ywuo****

The ID of the VPC.

NetworkInstanceName String VPC-SH-TX****

The name of the VPC.

RegionNo String cn-hangzhou

The ID of the region in which the source VPC resides.

VulLevel Integer 1

The risk level of the intrusion event. Valid values:

  • 1: low
  • 2: medium
  • 3: high
RequestId String B14757D0-4640-4B44-AC67-7F558FE7E6EF

The ID of the request.

TotalCount Integer 20

The total number of risk events.
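The following added example (not Alibaba Cloud code) decodes one DataList entry into a readable record using the code tables documented above, handles SrcPrivateIPList arriving as a JSON string (as in the sample response) or as a list, and applies an assumed local triage rule. The SAMPLE record is constructed from the page's sample response with placeholder IP addresses and IDs.

```python
import json
from datetime import datetime, timezone

# Code tables copied from the response-parameter descriptions above.
ATTACK_TYPES = {1: "suspicious connection", 2: "command execution",
                3: "brute-force attack", 4: "scanning", 5: "others",
                6: "information leak", 7: "DoS attack",
                8: "buffer overflow attack", 9: "web attack",
                10: "trojan backdoor", 11: "computer worm",
                12: "mining", 13: "reverse shell"}
RULE_RESULT = {1: "alerting", 2: "blocking"}
RULE_SOURCE = {1: "basic protection", 2: "virtual patching", 4: "threat intelligence"}

# Constructed from the page's sample response; IPs and IDs are placeholders.
SAMPLE = {
    "RuleSource": 1, "RuleResult": 2, "AttackType": 1, "VulLevel": 1,
    "EventId": "2b58efae-4c4b-4d96-9544-a586fb1f****",
    "EventName": "Path traversal attack", "Direction": "in",
    "SrcIP": "192.0.XX.XX", "DstIP": "192.0.XX.XX", "EventCount": 100,
    "FirstEventTime": 1534408189, "LastEventTime": 1534408267,
    "SrcPrivateIPList": "[\"192.168.XX.XX\",\"192.168.XX.XX\"]",
}


def _iso(ts: int) -> str:
    return datetime.fromtimestamp(int(ts), timezone.utc).isoformat()


def normalize(item: dict) -> dict:
    """Map numeric codes and UNIX timestamps into a readable flat record."""
    raw = item.get("SrcPrivateIPList") or []
    # The sample shows this list serialised as a JSON string inside the JSON.
    src_private = json.loads(raw) if isinstance(raw, str) else list(raw)
    return {
        "event_id": item["EventId"],
        "attack_type": ATTACK_TYPES.get(item.get("AttackType"), "unknown"),
        "rule_source": RULE_SOURCE.get(item.get("RuleSource"), "unknown"),
        "action": RULE_RESULT.get(item.get("RuleResult"), "unknown"),
        "vul_level": int(item.get("VulLevel", 0)),
        "direction": item.get("Direction", ""),
        "first_seen": _iso(item["FirstEventTime"]),
        "last_seen": _iso(item["LastEventTime"]),
        "src_private_ips": src_private,
    }


def needs_followup(rec: dict) -> bool:
    """Assumed policy: medium/high risk only alerted on, or outbound C2-style."""
    if rec["action"] == "alerting" and rec["vul_level"] >= 2:
        return True
    return rec["direction"] == "out" and rec["attack_type"] in ("reverse shell", "mining")
```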

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeRiskEventGroup
&DataType=session
&EndTime=1534408267
&StartTime=1534408189
&<Common request parameters>

Sample success responses

XML format

<DescribeRiskEventGroupResponse>
  <DataList>
        <RuleSource>1</RuleSource>
        <Description>Path traversal attacks are detected in the web access requests over HTTP.</Description>
        <FirstEventTime>1534408189</FirstEventTime>
        <EventCount>100</EventCount>
        <RuleId>1000****</RuleId>
        <AttackType>1</AttackType>
        <ResourceType>EcsPublicIP</ResourceType>
        <RuleResult>2</RuleResult>
        <EventName>Path traversal attack</EventName>
        <Direction>in</Direction>
        <SrcIP>192.0.XX.XX</SrcIP>
        <DstIP>192.0.XX.XX</DstIP>
        <EventId>2b58efae-4c4b-4d96-9544-a586fb1f****</EventId>
        <Tag>Threat intelligence provided for major events</Tag>
        <LastEventTime>1534408267</LastEventTime>
        <AttackApp>MySql</AttackApp>
        <VulLevel>1</VulLevel>
        <ResourcePrivateIPList>
              <RegionNo>cn-hangzhou</RegionNo>
              <ResourcePrivateIP>10.255.XX.XX</ResourcePrivateIP>
              <ResourceInstanceName>LD-shenzhen-zy****</ResourceInstanceName>
              <ResourceInstanceId>i-wz92jf4scg2zb74p****</ResourceInstanceId>
        </ResourcePrivateIPList>
        <SrcPrivateIPList>["192.168.XX.XX","192.168.XX.XX"]</SrcPrivateIPList>
        <VpcSrcInfo>
              <EcsInstanceName>LD-shenzhen-zy****</EcsInstanceName>
              <EcsInstanceId>i-wz92jf4scg2zb74p****</EcsInstanceId>
              <RegionNo>cn-hangzhou</RegionNo>
              <NetworkInstanceId>vpc-uf6e9a9zyokj2ywuo****</NetworkInstanceId>
              <NetworkInstanceName>VPC-SH-TX****</NetworkInstanceName>
        </VpcSrcInfo>
        <VpcDstInfo>
              <EcsInstanceName>LD-shenzhen-zy****</EcsInstanceName>
              <EcsInstanceId>i-wz92jf4scg2zb74p****</EcsInstanceId>
              <RegionNo>cn-hangzhou</RegionNo>
              <NetworkInstanceId>vpc-uf6e9a9zyokj2ywuo****</NetworkInstanceId>
              <NetworkInstanceName>VPC-SH-TX****</NetworkInstanceName>
        </VpcDstInfo>
        <IPLocationInfo>
              <CountryId>CN</CountryId>
              <CityId>510100</CityId>
              <CountryName>China</CountryName>
              <CityName>Chengdu, Sichuan Province</CityName>
        </IPLocationInfo>
  </DataList>
  <TotalCount>20</TotalCount>
  <RequestId>B14757D0-4640-4B44-AC67-7F558FE7E6EF</RequestId>
</DescribeRiskEventGroupResponse>

JSON format

{
    "DataList": {
        "RuleSource": 1,
        "Description": "Path traversal attacks are detected in the web access requests over HTTP.",
        "FirstEventTime": 1534408189,
        "EventCount": 100,
        "RuleId": "1000****",
        "AttackType": 1,
        "ResourceType": "EcsPublicIP",
        "RuleResult": 2,
        "EventName": "Path traversal attack",
        "Direction": "in",
        "SrcIP": "192.0.XX.XX",
        "DstIP": "192.0.XX.XX",
        "EventId": "2b58efae-4c4b-4d96-9544-a586fb1f****",
        "Tag": "Threat intelligence provided for major events",
        "LastEventTime": 1534408267,
        "AttackApp": "MySql",
        "VulLevel": 1,
        "ResourcePrivateIPList": {
            "RegionNo": "cn-hangzhou",
            "ResourcePrivateIP": "10.255.XX.XX",
            "ResourceInstanceName": "LD-shenzhen-zy****",
            "ResourceInstanceId": "i-wz92jf4scg2zb74p****"
        },
        "SrcPrivateIPList": "[\"192.168.XX.XX\",\"192.168.XX.XX\"]",
        "VpcSrcInfo": {
            "EcsInstanceName": "LD-shenzhen-zy****",
            "EcsInstanceId": "i-wz92jf4scg2zb74p****",
            "RegionNo": "cn-hangzhou",
            "NetworkInstanceId": "vpc-uf6e9a9zyokj2ywuo****",
            "NetworkInstanceName": "VPC-SH-TX****"
        },
        "VpcDstInfo": {
            "EcsInstanceName": "LD-shenzhen-zy****",
            "EcsInstanceId": "i-wz92jf4scg2zb74p****",
            "RegionNo": "cn-hangzhou",
            "NetworkInstanceId": "vpc-uf6e9a9zyokj2ywuo****",
            "NetworkInstanceName": "VPC-SH-TX****"
        },
        "IPLocationInfo": {
            "CountryId": "CN",
            "CityId": 510100,
            "CountryName": "China",
            "CityName": "Chengdu, Sichuan Province"
        }
    },
    "TotalCount": 20,
    "RequestId": "B14757D0-4640-4B44-AC67-7F558FE7E6EF"
}