DescribeRiskEventGroup - Cloud Firewall - Alibaba Cloud Documentation Center

Queries the details of intrusion events.

Operation description

You can call the DescribeRiskEventGroup operation to query and download the details of intrusion events. We recommend that you query the details of 5 to 10 intrusion events at a time. If you do not need to query the geographical information about IP addresses, you can set the NoLocation parameter to true to prevent query timeout.

Limits

You can call this operation up to 10 times per second per account. If the number of the calls per second exceeds the limit, throttling is triggered. As a result, your business may be affected. We recommend that you take note of the limit when you call this operation.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
yundun-cloudfirewall:DescribeRiskEventGroup	Read	All Resources *	none	none

Request parameters

Parameter	Type	Required	Description	Example
Lang	string	No	The language of the content within the request and response. Valid values: zh: Chinese (default) en: English	zh
StartTime	string	Yes	The beginning of the time range to query. The value is a UNIX timestamp. Unit: seconds.	1534408189
EndTime	string	Yes	The end of the time range to query. The value is a UNIX timestamp. Unit: seconds.	1534408267
Direction	string	No	The direction of the traffic for the intrusion events. Valid values: in: inbound out: outbound Note If you do not specify this parameter, the intrusion events that are recorded for both inbound and outbound traffic are queried.	in
PageSize	string	No	The number of entries to return on each page. Default value: 6. Maximum value: 10.	6
CurrentPage	string	No	The number of the page to return. Default value: 1.	1
DataType	string	Yes	The type of the risk events. Set the value to session, which indicates intrusion events.	session
RuleSource	string	No	The module of the rule that is used to detect the intrusion events. Valid values: 1: basic protection 2: virtual patching 4: threat intelligence Note If you do not specify this parameter, the intrusion events that are detected by all rules are queried.	1
RuleResult	string	No	The status of the firewall. Valid values: 1: alerting 2: blocking Note If you do not specify this parameter, all intrusion events that are detected by the firewall are queried, regardless of the firewall status.	1
SrcIP	string	No	The source IP address to query. If you specify this parameter, all intrusion events with the specified source IP address are queried.	192.0.XX.XX
DstIP	string	No	The destination IP address to query. If you specify this parameter, all intrusion events with the specified destination IP address are queried.	192.0.XX.XX
VulLevel	string	No	The risk level of the intrusion events. Valid values: 1: low 2: medium 3: high Note If you do not specify this parameter, the intrusion events that are at all risk levels are queried.	1
FirewallType	string	No	The type of the firewall. Valid values: VpcFirewall: virtual private cloud (VPC) firewall InternetFirewall: Internet firewall (default)	InternetFirewall
SrcNetworkInstanceId	string	No	The ID of the source VPC. Note If the FirewallType parameter is set to VpcFirewall, you must specify this parameter.	vpc-uf6e9a9zyokj2ywuo****
DstNetworkInstanceId	string	No	The ID of the destination VPC. Note If the FirewallType parameter is set to VpcFirewall, you must specify this parameter.	vpc-uf6e9a9zyokj2ywuo****
AttackType	string	No	The attack type of the intrusion events. Valid values: 1: suspicious connection 2: command execution 3: brute-force attack 4: scanning 5: others 6: information leak 7: DoS attack 8: buffer overflow attack 9: web attack 10: trojan backdoor 11: computer worm 12: mining 13: reverse shell Note If you do not specify this parameter, the intrusion events of all attack types are queried.	1
NoLocation	string	No	Specifies whether to query the information about the geographical locations of IP addresses. true: does not query the information about the geographical locations of IP addresses. false: queries the information about the geographical locations of IP addresses. This is the default value.	false
AttackApp	array	No	The names of attacked applications. Set the value in the `["AttackApp1","AttackApp2"]` format.
	string	No	The name of the attacked application. Set the value in the `["AttackApp1","AttackApp2"]` format.	Redis
BuyVersion	long	No	The edition of Cloud Firewall that you purchase. Valid values: 2: Premium Edition 3: Enterprise Edition 4: Ultimate Edition 10: Cloud Firewall that uses the pay-as-you-go billing method	10
Sort	string	No	The field based on which you want to sort the results. Valid values: VulLevel: The results are sorted based on the risk level field. This is the default value. LastTime: The results are sorted based on the most recent occurrence time.	LastTime
Order	string	No	The order in which you want to sort the results. Valid values: asc: the ascending order. desc: the descending order. This is the default value.	desc
EventName	string	No	The name of the intrusion event.	Webshell communication

All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common parameters. For more information about sample requests, see the "Examples" section of this topic.

Response parameters

Parameter	Type	Description	Example
	object	The data returned.
TotalCount	integer	The total number of risk events.	20
RequestId	string	The ID of the request.	B14757D0-4640-4B44-AC67-7F558FE7E6EF
DataList	object []	An array that consists of the details of the intrusion events.
Direction	string	The direction of the traffic for the intrusion event. Valid values: in: inbound out: outbound	in
EventName	string	The name of the intrusion event.	Path traversal attack
DstIP	string	The destination IP address that is included in the intrusion event.	192.0.XX.XX
AttackType	integer	The attack type of the intrusion event. Valid values: 1: suspicious connection 2: command execution 3: brute-force attack 4: scanning 5: others 6: information leak 7: DoS attack 8: buffer overflow attack 9: web attack 10: trojan backdoor 11: computer worm 12: mining 13: reverse shell	1
Tag	string	The tag added to the threat intelligence that is provided for major events.	Threat intelligence provided for major events
RuleId	string	The ID of the rule that is used to detect the intrusion event.	1000****
EventId	string	The ID of the intrusion event.	2b58efae-4c4b-4d96-9544-a586fb1f****
ResourceType	string	The type of the public IP address in the intrusion event. Valid values: EIP: the elastic IP address (EIP) EcsPublicIP: the public IP address of an Elastic Compute Service (ECS) instance EcsEIP: the EIP of an ECS instance NatPublicIP: the public IP address of a NAT gateway NatEIP: the EIP of a NAT gateway	EcsPublicIP
FirstEventTime	integer	The time when the intrusion event was first detected. The value is a UNIX timestamp. Unit: seconds.	1534408189
Description	string	The description of the intrusion event.	Path traversal attacks are detected in the web access requests over HTTP.
EventCount	integer	The number of intrusion events.	100
VulLevel	integer	The risk level of the intrusion event. Valid values: 1: low 2: medium 3: high	1
AttackApp	string	The name of the attacked application.	MySql
RuleSource	integer	The module of the rule that is used to detect the intrusion event. Valid values: 1: basic protection 2: virtual patching 4: threat intelligence	1
RuleResult	integer	The status of the firewall. Valid values: 1: alerting 2: blocking	2
SrcIP	string	The source IP address that is included in the intrusion event.	192.0.XX.XX
LastEventTime	integer	The time when the intrusion event was last detected. The value is a UNIX timestamp. Unit: seconds.	1534408267
ResourcePrivateIPList	object []	The information about the private IP address in the intrusion event. The value is an array that contains the following parameters: RegionNo, ResourceInstanceId, ResourceInstanceName, and ResourcePrivateIP.\
ResourceInstanceName	string	The name of the instance that uses the private IP address.	LD-shenzhen-zy****
ResourcePrivateIP	string	The private IP address.	10.255.XX.XX
ResourceInstanceId	string	The ID of the instance that uses the private IP address.	i-wz92jf4scg2zb74p****
RegionNo	string	The ID of the region to which the private IP address belongs.	cn-hangzhou
SrcPrivateIPList	array	An array that consists of the source private IP addresses in the intrusion event.
	string	The source private IP address in the intrusion event. Note The value of this parameter is returned only when the value of Direction is out.	["192.168.XX.XX","192.168.XX.XX"]
VpcSrcInfo	object	The information about the source VPC of the intrusion event. The value is a struct that contains the following parameters: EcsInstanceId, EcsInstanceName, NetworkInstanceId, NetworkInstanceName, and RegionNo.\
EcsInstanceName	string	The name of the ECS instance.	LD-shenzhen-zy****
NetworkInstanceName	string	The name of the VPC.	VPC-SH-TX****
NetworkInstanceId	string	The ID of the VPC.	vpc-uf6e9a9zyokj2ywuo****
EcsInstanceId	string	The ID of the ECS instance.	i-wz92jf4scg2zb74p****
RegionNo	string	The ID of the region in which the source VPC resides.	cn-hangzhou
VpcDstInfo	object	The information about the destination VPC of the intrusion event. The value is a struct that contains the following parameters: EcsInstanceId, EcsInstanceName, NetworkInstanceId, NetworkInstanceName, and RegionNo.\
EcsInstanceName	string	The name of the ECS instance.	LD-shenzhen-zy****
NetworkInstanceName	string	The name of the VPC.	VPC-SH-TX****
NetworkInstanceId	string	The ID of the VPC.	vpc-uf6e9a9zyokj2ywuo****
EcsInstanceId	string	The ID of the ECS instance.	i-wz92jf4scg2zb74p****
RegionNo	string	The ID of the region in which the destination VPC resides.	cn-hangzhou
IPLocationInfo	object	The geographical information about the IP address. The value is a struct that contains the following parameters: CityId, CityName, CountryId, and CountryName.\
CityId	string	The ID of the city to which the IP address belongs.	510100
CountryName	string	The name of the country to which the IP address belongs.	China
CityName	string	The name of the city to which the IP address belongs.	Chengdu, Sichuan Province
CountryId	string	The ID of the country to which the IP address belongs.	CN
SrcIPTag	string	The tag added to the source IP address. The tag helps identify whether the source IP address is a back-to-origin IP address for a cloud service.	WAF Back-to-origin Address

Examples

Sample success responses

JSONformat

{
  "TotalCount": 20,
  "RequestId": "B14757D0-4640-4B44-AC67-7F558FE7E6EF",
  "DataList": [
    {
      "Direction": "in",
      "EventName": "Path traversal attack\n",
      "DstIP": "192.0.XX.XX",
      "AttackType": 1,
      "Tag": "Threat intelligence provided for major events\n",
      "RuleId": "1000****",
      "EventId": "2b58efae-4c4b-4d96-9544-a586fb1f****",
      "ResourceType": "EcsPublicIP",
      "FirstEventTime": 1534408189,
      "Description": "Path traversal attacks are detected in the web access requests over HTTP.\n",
      "EventCount": 100,
      "VulLevel": 1,
      "AttackApp": "MySql",
      "RuleSource": 1,
      "RuleResult": 2,
      "SrcIP": "192.0.XX.XX",
      "LastEventTime": 1534408267,
      "ResourcePrivateIPList": [
        {
          "ResourceInstanceName": "LD-shenzhen-zy****",
          "ResourcePrivateIP": "10.255.XX.XX",
          "ResourceInstanceId": "i-wz92jf4scg2zb74p****",
          "RegionNo": "cn-hangzhou"
        }
      ],
      "SrcPrivateIPList": [
        "[\"192.168.XX.XX\",\"192.168.XX.XX\"]"
      ],
      "VpcSrcInfo": {
        "EcsInstanceName": "LD-shenzhen-zy****",
        "NetworkInstanceName": "VPC-SH-TX****",
        "NetworkInstanceId": "vpc-uf6e9a9zyokj2ywuo****",
        "EcsInstanceId": "i-wz92jf4scg2zb74p****",
        "RegionNo": "cn-hangzhou"
      },
      "VpcDstInfo": {
        "EcsInstanceName": "LD-shenzhen-zy****",
        "NetworkInstanceName": "VPC-SH-TX****",
        "NetworkInstanceId": "vpc-uf6e9a9zyokj2ywuo****",
        "EcsInstanceId": "i-wz92jf4scg2zb74p****",
        "RegionNo": "cn-hangzhou"
      },
      "IPLocationInfo": {
        "CityId": "510100",
        "CountryName": "China\n",
        "CityName": "Chengdu, Sichuan Province\n",
        "CountryId": "CN"
      },
      "SrcIPTag": "WAF Back-to-origin Address"
    }
  ]
}

Error codes

HTTP status code	Error code	Error message	Description
400	ErrorAliUid	The aliuid is invalid.	The aliuid is invalid.

For a list of error codes, visit the Service error codes.

Change history

Change time

Summary of changes

Operation

2023-03-16

The Error code has changed. The request parameters of the API has changed

see changesets

Change item	Change content
Error Codes	The Error code has changed.
	delete Error Codes: 400
Input Parameters	The request parameters of the API has changed.
	Added Input Parameters: EventName

2022-09-27

The API operation is not deprecated.. The Error code has changed. The request parameters of the API has changed

see changesets

Change item	Change content
API Deprecation Description	The API operation is not deprecated..
Error Codes	The Error code has changed.
	delete Error Codes: 400
Input Parameters	The request parameters of the API has changed.
	Added Input Parameters: Sort
	Added Input Parameters: Order