DescribeEventDetail - Data Security Center - Alibaba Cloud Documentation Center

Queries the details of an anomalous event. The details include the time when the anomalous event occurred, and the description and handling status of the anomalous event.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Debug

Authorization information

There is currently no authorization information disclosed in the API.

Request parameters

Parameter	Type	Required	Description	Example
Lang	string	No	The language of the content within the request and response. Valid values: zh: Chinese en: English	zh
Id	long	Yes	The ID of the anomalous event. Note You can call the DescribeEvents operation to query the ID of the anomalous event.	13456723343

Response parameters

Parameter	Type	Description	Example
	object
RequestId	string	The ID of the request.	69FB3C1-F4C9-42DF-9B72-7077A8989C13
Event	object	The details of the anomalous event.
DisplayName	string	The display name of the account that triggered the anomalous event.	yundunsr
Status	integer	The handling status for the anomalous event. Valid values: 0: unhandled 1: confirmed 2: marked as false positive	0
DealReason	string	The reason why the anomalous event is handled.	Anomaly confirmed
UserId	long	The ID of the account that triggered the anomalous event.	229157443385014***
StatusName	string	The name of the handling status for the anomalous event.	Pending
DealTime	long	The time when the anomalous event was handled. The value is a UNIX timestamp. Unit: milliseconds.	1230000
DealLoginName	string	The username of the account that is used to handle the anomalous event.	det1111
SubTypeName	string	The name of the anomalous event subtype.	Anomalous volume of downloaded data
Backed	boolean	Indicates whether the handling result of the anomalous event is used to enhance the detection of anomalous events. Valid values: true: yes false: no Note If you enhance the detection of anomalous events, the detection accuracy and the rate of triggering alerts for anomalous events are improved.	false
DataInstance	string	The instance name of the service in which the anomalous event was detected.	in-222***
EventTime	long	The time when the anomalous event occurred. The value is a UNIX timestamp. Unit: milliseconds.	1545829129000
LoginName	string	The username of the account that triggered the anomalous event.	det1111
SubTypeCode	string	The code of the anomalous event subtype.	020008
LogDetail	string	The details of the alert logs.	{"client_ip": ["106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX"], "start_time": "2020-05-10 00:00:01", "instance": ["omniscience-data", "punish-beaver-data"], "end_time": "2020-05-10 00:21:22", "client_ua": ["Java/1.8.0_152", "Java/1.8.0_92", "aliyun-sdk-java/2.0.0", "aliyun-sdk-java/2.8.0(Linux/4.9.151-015.ali3000.alios7.x86_64/amd64;1.8.0_152)"], "user_name": 1512222261295262}
TypeCode	string	The code of the anomalous event type.	02
AlertTime	long	The time when the alert for the anomalous event was generated. The value is a UNIX timestamp. Unit: milliseconds.	1545829129000
DealUserId	long	The ID of the account that is used to handle the anomalous event.	229157443385014***
TypeName	string	The name of the anomalous event type. Valid values: 01: anomalous permission usage 02: anomalous data flow 03: anomalous data operation	Anomalous data flow
DealDisplayName	string	The display name of the account that is used to handle the anomalous event.	yundunsr
Id	long	The unique ID of the anomalous event.	52234
ProductCode	string	The name of the service in which the anomalous event was detected. Valid values include MaxCompute, OSS, ADS, OTS, and RDS.	MaxCompute
HandleInfoList	object []	An array that consists of the handling records of the anomalous event.
Status	integer	The status of the account that triggered the anomalous event. Valid values: 0: locked 1: unlocked -1: failed to unlock the account -2: failed to enable the account	1
EnableTime	long	The point in time when the account was unlocked. The value is a UNIX timestamp. Unit: milliseconds.	1611139155000
HandlerValue	integer	The duration for which the handling operation takes effect. If you leave this parameter empty, the handling operation is permanently valid. Unit: minutes.	10
DisableTime	long	The point in time when the account was locked. The value is a UNIX timestamp. Unit: milliseconds.	1611139155000
HandlerName	string	The handling method.	Remove from the whitelist
HandlerType	string	The type of the handling method.	rds_security_ip
CurrentValue	string	The account that is used to handle the anomalous event.	sddp-test2
Id	long	The ID of the handling record.	11
Detail	object	The content in the details of the anomalous event.
Content	object []	An array that consists of the content in the anomalous event.
Label	string	The title of the content in the anomalous event.	Anomaly description
Value	string	The description of the content in the anomalous event.	The account was used to access OSS from an unusual terminal whose IP address is 1.2.3.4 from 00:06:45 on September 9, 2019 to 00:57:37 on September 9, 2019.
Chart	object []	An array that consists of the baseline behavior chart of the anomalous event.
Type	string	The type of the chart. Valid values: 1: column chart 2: line chart	1
Label	string	The name of the baseline behavior chart of the anomalous event.	Baseline behavior chart
XLabel	string	The descriptive label of data on the x-axis.	Number of days
YLabel	string	The descriptive label of data on the y-axis.	Value
Data	object	The data in the baseline behavior profile of the anomalous event.
Y	array	The values of data on the y-axis.
	string
X	array	The values of data on the x-axis.
	string
ResourceInfo	object []	An array that consists of the source from which the information of the anomalous event is recorded.
Label	string	The source title.	Risk
Value	string	The source description.	Based on the record of authentication by using an unusual terminal, an attacker may have obtained the access permission of the account, or an employee accessed data from a personal terminal.

Examples

Sample success responses

JSONformat

{
  "RequestId": "69FB3C1-F4C9-42DF-9B72-7077A8989C13",
  "Event": {
    "DisplayName": "yundunsr",
    "Status": 0,
    "DealReason": "Anomaly confirmed\n",
    "UserId": 0,
    "StatusName": "Pending\n",
    "DealTime": 1230000,
    "DealLoginName": "det1111",
    "SubTypeName": "Anomalous volume of downloaded data\n",
    "Backed": false,
    "DataInstance": "in-222***",
    "EventTime": 1545829129000,
    "LoginName": "det1111",
    "SubTypeCode": "020008",
    "LogDetail": "{\"client_ip\": [\"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\"], \"start_time\": \"2020-05-10 00:00:01\", \"instance\": [\"omniscience-data\", \"punish-beaver-data\"], \"end_time\": \"2020-05-10 00:21:22\", \"client_ua\": [\"Java/1.8.0_152\", \"Java/1.8.0_92\", \"aliyun-sdk-java/2.0.0\", \"aliyun-sdk-java/2.8.0(Linux/4.9.151-015.ali3000.alios7.x86_64/amd64;1.8.0_152)\"], \"user_name\": 1512222261295262}",
    "TypeCode": "02",
    "AlertTime": 1545829129000,
    "DealUserId": 0,
    "TypeName": "Anomalous data flow\n",
    "DealDisplayName": "yundunsr",
    "Id": 52234,
    "ProductCode": "MaxCompute",
    "HandleInfoList": [
      {
        "Status": 1,
        "EnableTime": 1611139155000,
        "HandlerValue": 10,
        "DisableTime": 1611139155000,
        "HandlerName": "Remove from the whitelist\n",
        "HandlerType": "rds_security_ip",
        "CurrentValue": "sddp-test2",
        "Id": 11
      }
    ],
    "Detail": {
      "Content": [
        {
          "Label": "Anomaly description\n",
          "Value": "The account was used to access OSS from an unusual terminal whose IP address is 1.2.3.4 from 00:06:45 on September 9, 2019 to 00:57:37 on September 9, 2019.\n"
        }
      ],
      "Chart": [
        {
          "Type": "1",
          "Label": "Baseline behavior chart\n",
          "XLabel": "Number of days\n",
          "YLabel": "Value\n",
          "Data": {
            "Y": [
              ""
            ],
            "X": [
              ""
            ]
          }
        }
      ],
      "ResourceInfo": [
        {
          "Label": "Risk\n",
          "Value": "Based on the record of authentication by using an unusual terminal, an attacker may have obtained the access permission of the account, or an employee accessed data from a personal terminal.\n"
        }
      ]
    }
  }
}

Error codes

For a list of error codes, visit the Service error codes.

Change history

Change time

Summary of changes

Operation

2022-04-18

The response structure of the API has changed

see changesets

Change item	Change content
Output Parameters	The response structure of the API has changed.