Data Security Center: DescribeEventDetail

Last Updated: Nov 17, 2022

Queries the details of an anomalous activity, including the time when the activity occurred, its description, and its processing status.

Authorization information

No authorization information is currently disclosed for this API operation.

Request parameters

| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| Lang | string | No | The natural language of the request and response. Valid values: zh (Chinese), en (English). | zh |
| Id | long | Yes | The unique ID of the anomalous activity. Note: You can call the DescribeEvents operation to query the unique ID of the anomalous activity. | 13456723343 |

Response parameters

| Parameter | Type | Description | Example |
|---|---|---|---|
| | object | | |
| RequestId | string | The ID of the request. | 69FB3C1-F4C9-42DF-9B72-7077A8989C13 |
| Event | object | The details of the anomalous activity. | |
| DisplayName | string | The display name of the account that triggered the anomalous activity. | yundunsr |
| Status | integer | The processing status of the anomalous activity. Valid values: 0 (unprocessed), 1 (confirmed as an anomaly), 2 (excluded as a false positive). | 0 |
| DealReason | string | The reason for which the anomalous activity is processed. | Anomaly confirmed |
| UserId | long | The ID of the account that triggered the anomalous activity. | 229157443385014*** |
| StatusName | string | The name of the processing status of the anomalous activity. | To be processed |
| DealTime | long | The point in time when the anomalous activity was processed. The value is a UNIX timestamp representing the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC. Unit: milliseconds. | 1230000 |
| DealLoginName | string | The username of the account used to process the anomalous activity. | det1111 |
| SubTypeName | string | The name of the anomalous activity subtype. | Anomalous volume of downloaded data |
| Backed | boolean | Indicates whether the processing result of the anomalous activity was used to enhance the detection of anomalous activities. Valid values: true (yes), false (no). Note: You can improve the detection accuracy and the rate of triggering alerts for anomalous activities by enhancing the detection. | false |
| DataInstance | string | The name of the instance in the service in which the anomalous activity was detected. | in-222*** |
| EventTime | long | The point in time when the anomalous activity was detected. The value is a UNIX timestamp representing the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC. Unit: milliseconds. | 1545829129000 |
| LoginName | string | The username of the account that triggered the anomalous activity. | det1111 |
| SubTypeCode | string | The code of the anomalous activity subtype. | 020008 |
| LogDetail | string | The details of the alert logs. | {"client_ip": ["106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX"], "start_time": "2020-05-10 00:00:01", "instance": ["omniscience-data", "punish-beaver-data"], "end_time": "2020-05-10 00:21:22", "client_ua": ["Java/1.8.0_152", "Java/1.8.0_92", "aliyun-sdk-java/2.0.0", "aliyun-sdk-java/2.8.0(Linux/4.9.151-015.ali3000.alios7.x86_64/amd64;1.8.0_152)"], "user_name": 1512222261295262} |
| TypeCode | string | The code of the anomalous activity type. | 02 |
| AlertTime | long | The point in time when an alert was triggered for the anomalous activity. The value is a UNIX timestamp representing the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC. Unit: milliseconds. | 1545829129000 |
| DealUserId | long | The ID of the account used to process the anomalous activity. | 229157443385014*** |
| TypeName | string | The name of the anomalous activity type. Valid values: 01 (anomalous permission access), 02 (anomalous data flow), 03 (anomalous data operation). | Anomalous data flow |
| DealDisplayName | string | The display name of the account used to process the anomalous activity. | yundunsr |
| Id | long | The unique ID of the anomalous activity. | 52234 |
| ProductCode | string | The name of the service in which the anomalous activity was detected. Valid values include MaxCompute, OSS, ADS, OTS, and RDS. | MaxCompute |
| HandleInfoList | array | The processing records of the anomalous activity. | |
| | object | The details of a record in which the anomalous activity is manually processed. | |
| Status | integer | The status of the account that triggered the anomalous activity. Valid values: 0 (disabled), 1 (enabled), -1 (failed to be disabled), -2 (failed to be enabled). | 1 |
| EnableTime | long | The point in time when the disabled account was enabled. The value is a UNIX timestamp representing the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC. Unit: milliseconds. | 1611139155000 |
| HandlerValue | integer | The duration for which the processing operation takes effect. If you leave this parameter empty, the processing operation is permanently valid. Unit: minutes. | 10 |
| DisableTime | long | The point in time when the account was disabled. The value is a UNIX timestamp representing the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC. Unit: milliseconds. | 1611139155000 |
| HandlerName | string | The processing operation. | Remove from the whitelist |
| HandlerType | string | The type of the processing operation. | rds_security_ip |
| CurrentValue | string | The account that is used to process the anomalous activity. | sddp-test2 |
| Id | long | The ID of the processing record. | 11 |
| Detail | object | The details of the anomalous activity. | |
| Content | array | The content of the anomalous activity. | |
| | object | The content of the anomalous activity. | |
| Label | string | The name of the anomalous activity content. | Anomaly description |
| Value | string | The description of the anomalous activity content. | The account was used to access OSS from an unusual terminal whose IP address is 1.2.3.4 from 00:06:45 on September 9, 2019, to 00:57:37 on September 9, 2019. |
| Chart | array | The baseline behavior profile of the anomalous activity. | |
| | object | The baseline behavior profile of the anomalous activity. | |
| Type | string | The type of the chart. Valid values: 1 (column chart), 2 (line chart). | 1 |
| Label | string | The name of the baseline behavior profile of the anomalous activity. | Baseline behavior profile |
| XLabel | string | The descriptive label of data items on the X axis. | Number of days |
| YLabel | string | The descriptive label of data items on the Y axis. | Value |
| Data | object | The data in the baseline behavior profile of the anomalous activity. | |
| Y | array | The value of the data item on the Y axis. | |
| | string | | |
| X | array | The value of the data item on the X axis. | |
| | string | | |
| ResourceInfo | array | The source of the anomalous activity. | |
| | object | The source of the anomalous activity. | |
| Label | string | The name of the anomalous activity source. | Activity risk |
| Value | string | The description of the anomalous activity source. | An external attacker may obtain the logon credentials of an account and use the account to log on to the service, or an employee may log on to the service on a personal terminal. |

Example

Normal return example

JSON format

{
  "RequestId": "69FB3C1-F4C9-42DF-9B72-7077A8989C13",
  "Event": {
    "DisplayName": "yundunsr",
    "Status": 0,
    "DealReason": "Anomaly confirmed",
    "UserId": 0,
    "StatusName": "To be processed",
    "DealTime": 1230000,
    "DealLoginName": "det1111",
    "SubTypeName": "Anomalous volume of downloaded data",
    "Backed": true,
    "DataInstance": "in-222***",
    "EventTime": 1545829129000,
    "LoginName": "det1111",
    "SubTypeCode": "020008",
    "LogDetail": "{\"client_ip\": [\"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\"], \"start_time\": \"2020-05-10 00:00:01\", \"instance\": [\"omniscience-data\", \"punish-beaver-data\"], \"end_time\": \"2020-05-10 00:21:22\", \"client_ua\": [\"Java/1.8.0_152\", \"Java/1.8.0_92\", \"aliyun-sdk-java/2.0.0\", \"aliyun-sdk-java/2.8.0(Linux/4.9.151-015.ali3000.alios7.x86_64/amd64;1.8.0_152)\"], \"user_name\": 1512222261295262}",
    "TypeCode": "02",
    "AlertTime": 1545829129000,
    "DealUserId": 0,
    "TypeName": "Anomalous data flow",
    "DealDisplayName": "yundunsr",
    "Id": 52234,
    "ProductCode": "MaxCompute",
    "HandleInfoList": [
      {
        "Status": 1,
        "EnableTime": 1611139155000,
        "HandlerValue": 10,
        "DisableTime": 1611139155000,
        "HandlerName": "Remove from the whitelist",
        "HandlerType": "rds_security_ip",
        "CurrentValue": "sddp-test2",
        "Id": 11
      }
    ],
    "Detail": {
      "Content": [
        {
          "Label": "Anomaly description",
          "Value": "The account was used to access OSS from an unusual terminal whose IP address is 1.2.3.4 from 00:06:45 on September 9, 2019, to 00:57:37 on September 9, 2019."
        }
      ],
      "Chart": [
        {
          "Type": "1",
          "Label": "Baseline behavior profile",
          "XLabel": "Number of days",
          "YLabel": "Value",
          "Data": {
            "Y": [
              ""
            ],
            "X": [
              ""
            ]
          }
        }
      ],
      "ResourceInfo": [
        {
          "Label": "Activity risk",
          "Value": "An external attacker may obtain the logon credentials of an account and use the account to log on to the service, or an employee may log on to the service on a personal terminal."
        }
      ]
    }
  }
}
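
The response carries LogDetail as a JSON document inside a string and every time as a millisecond UNIX timestamp, so a consumer has to decode twice and convert before the event is usable in a triage queue or SIEM. The following is an added example, not part of the Alibaba Cloud reference or SDK: `normalize_event`, `ms_to_utc`, the output field names and the `needs_review` rule are assumptions made for illustration, and `SAMPLE` is constructed from the example response on this page.

```python
import json
from datetime import datetime, timezone

# Code tables copied from the response parameter descriptions on this page.
STATUS = {0: "unprocessed", 1: "confirmed as an anomaly", 2: "excluded as a false positive"}
TYPES = {"01": "anomalous permission access", "02": "anomalous data flow",
         "03": "anomalous data operation"}

def ms_to_utc(ms):
    """Millisecond UNIX timestamp -> ISO 8601 UTC string (None when absent)."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat() if ms else None

def normalize_event(response_text):
    """Flatten a DescribeEventDetail response body into one triage record."""
    event = json.loads(response_text)["Event"]
    raw = event.get("LogDetail") or "{}"
    try:
        log = json.loads(raw)  # LogDetail is JSON carried inside a string: decode twice
    except (ValueError, TypeError):
        log = None
    if not isinstance(log, dict):
        log = {"raw": raw}  # keep undecodable detail for the analyst
    return {
        "event_id": event.get("Id"),
        "status": STATUS.get(event.get("Status"), "unknown"),
        "type": TYPES.get(event.get("TypeCode"), "unknown"),
        "service": event.get("ProductCode"), "login_name": event.get("LoginName"),
        "detected_at": ms_to_utc(event.get("EventTime")),
        "alerted_at": ms_to_utc(event.get("AlertTime")),
        "client_ips": sorted(set(log.get("client_ip", []))),
        "user_agents": log.get("client_ua", []),
        "window": (log.get("start_time"), log.get("end_time")),
        "handlers": [(h.get("HandlerType"), h.get("HandlerName"), h.get("Status"))
                     for h in event.get("HandleInfoList") or []],
        # Assumption (not in the API reference): unprocessed but already has deal data.
        "needs_review": event.get("Status") == 0
                        and bool(event.get("DealReason") or event.get("DealTime")),
    }

# Constructed sample, trimmed from the example response on this page.
SAMPLE = json.dumps({"RequestId": "69FB3C1-F4C9-42DF-9B72-7077A8989C13", "Event": {
    "Id": 52234, "Status": 0, "DealReason": "Anomaly confirmed", "DealTime": 1230000,
    "TypeCode": "02", "ProductCode": "MaxCompute", "LoginName": "det1111",
    "EventTime": 1545829129000, "AlertTime": 1545829129000,
    "LogDetail": json.dumps({"client_ip": ["106.11.XX.XX", "106.11.XX.XX"],
        "start_time": "2020-05-10 00:00:01", "end_time": "2020-05-10 00:21:22",
        "client_ua": ["Java/1.8.0_152", "aliyun-sdk-java/2.0.0"]}),
    "HandleInfoList": [{"Status": 1, "HandlerName": "Remove from the whitelist",
                        "HandlerType": "rds_security_ip", "Id": 11}]}})
```

Calling `normalize_event(SAMPLE)` returns a flat dictionary; the sample is flagged `needs_review` because it reports Status 0 while also carrying a DealReason and DealTime.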

Error codes

For a list of error codes, visit the API error center.

Change history

| Change time | Summary of changes |
|---|---|
| 2022-04-18 | The response structure of the API operation has changed |

| Change item | Change content |
|---|---|
| Output Parameters | The response structure of the API operation has changed |