DescribeEventDetail - Data Security Center - Alibaba Cloud Documentation Center

Queries the details of an anomalous activity, including the time when the anomalous activity occurred, description of the anomalous activity, and processing status of the anomalous activity.

Authorization information

There is currently no authorization information disclosed in the API.

Request parameters

Parameter	Type	Required	Description	Example
Lang	string	No	The natural language of the request and response. Valid values: zh: Chinese en: English	zh
Id	long	Yes	The unique ID of the anomalous activity. NoteYou can call the DescribeEvents operation to query the unique ID of the anomalous activity.	13456723343

Response parameters

Parameter	Type	Description	Example
	object
RequestId	string	The ID of the request.	69FB3C1-F4C9-42DF-9B72-7077A8989C13
Event	object	The details of the anomalous activity.
DisplayName	string	The display name of the account that triggered the anomalous activity.	yundunsr
Status	integer	The processing status of the anomalous activity. Valid values: 0: unprocessed 1: confirmed as an anomaly 2: excluded as a false positive	0
DealReason	string	The reason for which the anomalous activity is processed.	Anomaly confirmed
UserId	long	The ID of the account that triggered the anomalous activity.	229157443385014***
StatusName	string	The name of the processing status of the anomalous activity.	To be processed
DealTime	long	The point in time when the anomalous activity was processed. The value is a UNIX timestamp representing the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC. Unit: milliseconds.	1230000
DealLoginName	string	The username of the account used to process the anomalous activity.	det1111
SubTypeName	string	The name of the anomalous activity subtype.	Anomalous volume of downloaded data
Backed	boolean	Indicates whether the processing result of the anomalous activity was used to enhance the detection of anomalous activities. Valid values: true: yes false: no NoteYou can improve the detection accuracy and the rate of triggering alerts for anomalous activities by enhancing the detection.	false
DataInstance	string	The name of the instance in the service in which the anomalous activity was detected.	in-222***
EventTime	long	The point in time when the anomalous activity was detected. The value is a UNIX timestamp representing the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC. Unit: milliseconds.	1545829129000
LoginName	string	The username of the account that triggered the anomalous activity.	det1111
SubTypeCode	string	The code of the anomalous activity subtype.	020008
LogDetail	string	The details of the alert logs.	{"client_ip": ["106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX"], "start_time": "2020-05-10 00:00:01", "instance": ["omniscience-data", "punish-beaver-data"], "end_time": "2020-05-10 00:21:22", "client_ua": ["Java/1.8.0_152", "Java/1.8.0_92", "aliyun-sdk-java/2.0.0", "aliyun-sdk-java/2.8.0(Linux/4.9.151-015.ali3000.alios7.x86_64/amd64;1.8.0_152)"], "user_name": 1512222261295262}
TypeCode	string	The code of the anomalous activity type.	02
AlertTime	long	The point in time when an alert was triggered for the anomalous activity. The value is a UNIX timestamp representing the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC. Unit: milliseconds.	1545829129000
DealUserId	long	The ID of the account used to process the anomalous activity.	229157443385014***
TypeName	string	The name of the anomalous activity type. Valid values: 01: anomalous permission access 02: anomalous data flow 03: anomalous data operation	Anomalous data flow
DealDisplayName	string	The display name of the account used to process the anomalous activity.	yundunsr
Id	long	The unique ID of the anomalous activity.	52234
ProductCode	string	The name of the service in which the anomalous activity was detected. Valid values include MaxCompute, OSS, ADS, OTS, and RDS.	MaxCompute
HandleInfoList	array	The processing records of the anomalous activity.
	object	The details of a record in which the anomalous activity is manually processed.
Status	integer	The status of the account that triggered the anomalous activity. Valid values: 0: disabled 1: enabled -1: failed to be disabled -2: failed to be enabled	1
EnableTime	long	The point in time when the disabled account was enabled. The value is a UNIX timestamp representing the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC. Unit: milliseconds.	1611139155000
HandlerValue	integer	The duration for which the processing operation takes effect. If you leave this parameter empty, the processing operation is permanently valid. Unit: minutes.	10
DisableTime	long	The point in time when the account was disabled. The value is a UNIX timestamp representing the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC. Unit: milliseconds.	1611139155000
HandlerName	string	The processing operation.	Remove from the whitelist
HandlerType	string	The type of the processing operation.	rds_security_ip
CurrentValue	string	The account that is used to process the anomalous activity.	sddp-test2
Id	long	The ID of the processing record.	11
Detail	object	The details of the anomalous activity.
Content	array	The content of the anomalous activity.
	object	The content of the anomalous activity.
Label	string	The name of the anomalous activity content.	Anomaly description
Value	string	The description of the anomalous activity content.	The account was used to access OSS from an unusual terminal whose IP address is 1.2.3.4 from 00:06:45 on September 9, 2019, to 00:57:37 on September 9, 2019.
Chart	array	The baseline behavior profile of the anomalous activity.
	object	The baseline behavior profile of the anomalous activity.
Type	string	The type of the chart. Valid values: 1: column chart 2: line chart	1
Label	string	The name of the baseline behavior profile of the anomalous activity.	Baseline behavior profile
XLabel	string	The descriptive label of data items on the X axis.	Number of days
YLabel	string	The descriptive label of data items on the Y axis.	Value
Data	object	The data in the baseline behavior profile of the anomalous activity.
Y	array	The value of the data item on the Y axis.
	string
X	array	The value of the data item on the X axis.
	string
ResourceInfo	array	The source of the anomalous activity.
	object	The source of the anomalous activity.
Label	string	The name of the anomalous activity source.	Activity risk
Value	string	The description of the anomalous activity source.	An external attacker may obtain the logon credentials of an account and use the account to log on to the service, or an employee may log on to the service on a personal terminal.

Example

Normal return example

JSONFormat

{
  "RequestId": "69FB3C1-F4C9-42DF-9B72-7077A8989C13",
  "Event": {
    "DisplayName": "yundunsr",
    "Status": 0,
    "DealReason": "Anomaly confirmed",
    "UserId": 0,
    "StatusName": "To be processed",
    "DealTime": 1230000,
    "DealLoginName": "det1111",
    "SubTypeName": "Anomalous volume of downloaded data",
    "Backed": true,
    "DataInstance": "in-222***",
    "EventTime": 1545829129000,
    "LoginName": "det1111",
    "SubTypeCode": "020008",
    "LogDetail": "{\"client_ip\": [\"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\"], \"start_time\": \"2020-05-10 00:00:01\", \"instance\": [\"omniscience-data\", \"punish-beaver-data\"], \"end_time\": \"2020-05-10 00:21:22\", \"client_ua\": [\"Java/1.8.0_152\", \"Java/1.8.0_92\", \"aliyun-sdk-java/2.0.0\", \"aliyun-sdk-java/2.8.0(Linux/4.9.151-015.ali3000.alios7.x86_64/amd64;1.8.0_152)\"], \"user_name\": 1512222261295262}",
    "TypeCode": "02",
    "AlertTime": 1545829129000,
    "DealUserId": 0,
    "TypeName": "Anomalous data flow",
    "DealDisplayName": "yundunsr",
    "Id": 52234,
    "ProductCode": "MaxCompute",
    "HandleInfoList": [
      {
        "Status": 1,
        "EnableTime": 1611139155000,
        "HandlerValue": 10,
        "DisableTime": 1611139155000,
        "HandlerName": "Remove from the whitelist",
        "HandlerType": "rds_security_ip",
        "CurrentValue": "sddp-test2",
        "Id": 11
      }
    ],
    "Detail": {
      "Content": [
        {
          "Label": "Anomaly description",
          "Value": "The account was used to access OSS from an unusual terminal whose IP address is 1.2.3.4 from 00:06:45 on September 9, 2019, to 00:57:37 on September 9, 2019."
        }
      ],
      "Chart": [
        {
          "Type": "1",
          "Label": "Baseline behavior profile",
          "XLabel": "Number of days",
          "YLabel": "Value",
          "Data": {
            "Y": [
              ""
            ],
            "X": [
              ""
            ]
          }
        }
      ],
      "ResourceInfo": [
        {
          "Label": "Activity risk",
          "Value": "An external attacker may obtain the logon credentials of an account and use the account to log on to the service, or an employee may log on to the service on a personal terminal."
        }
      ]
    }
  }
}

Error codes

For a list of error codes, visit the API error center.

Change history

Change time

Summary of changes

Operate

2022-04-18

The response structure of the API operation has changed

Change item	Change content
Output Parameters	The response structure of the API operation has changed