Queries the details of the alert events on the Alerts page. An alert event consists of alerts and exceptions. Each alert event is associated with multiple exceptions.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeAlarmEventList

The operation that you want to perform.

Set the value to DescribeAlarmEventList.

CurrentPage Integer Yes 1

The number of the page to return. Pages start from page 1. Default value: 1.

From String Yes sas

The ID of the request source. Set the value to sas, which indicates that the request is sent from Security Center.

PageSize String Yes 20

The number of entries to return on each page. Default value: 20.

SourceIp String No 1.2.X.X

The source IP address of the request.

Lang String No zh

The natural language of the request and response. Default value: zh. Valid values:

  • zh: Chinese
  • en: English

Dealed String No Y

The status of the alert event. Valid values:

  • N: unhandled
  • Y: handled

Levels String No serious

The risk level of the alert event. Separate multiple levels with commas (,). Valid values:

  • serious
  • suspicious
  • remind

Remark String No database_server

The name of the alert, or the information about the asset.

GroupId String No tst***

The ID of the asset group to which the affected asset belongs.

AlarmEventName String No DDoS trojans

The name of the alert event.

AlarmEventType String No Malicious process (cloud threat detection)

The type of the alert event.

OperateErrorCodeList.N RepeatList No ignore.Success

Handling result code N of the alert event, used to filter by handling result. The value is in the format Operation type.Operation result code, for example ignore.Success. Operation types:

  • Common: performs common operations.
  • deal: handles the alert.
  • ignore: ignores the alert.
  • offline_handled: marks the alert as handled.
  • mark_mis_info: marks the alert as a false positive by adding it to the whitelist.
  • rm_mark_mis_info: cancels a false positive by removing the alert from the whitelist.
  • quara: quarantines the source file of the malicious process.
  • kill_and_quara: terminates the malicious process and quarantines the source file.
  • kill_virus: deletes the source file of the malicious process.
  • block_ip: blocks the source IP address.
  • manual_handled: manually handles the alert.

Operation result codes:

  • Success: The operation is successful.
  • Failure: The operation fails.
  • AgentOffline: The agent is offline.

All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common parameters.

For more information about sample requests, see the "Examples" section of this topic.
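The following Python example is added here and is not part of this topic or of the Security Center SDK. It builds the operation-specific parameters described in the table above, validating Dealed, Levels and each OperateErrorCodeList.N entry against the listed values and encoding the RepeatList as OperateErrorCodeList.1, OperateErrorCodeList.2, and so on. It then adds the common request parameters and computes the Signature that OpenAPI Explorer would otherwise compute for you. The common-parameter names, the HMAC-SHA1 RPC signature scheme, the API version 2018-12-03 and the endpoint placeholder are assumptions; this topic itself only refers you to "Common parameters".

```python
"""Added example: validate and sign a DescribeAlarmEventList request.

Assumptions (not stated on the page): the operation uses the RPC-style common
parameters Format, Version, AccessKeyId, SignatureMethod=HMAC-SHA1,
SignatureVersion=1.0, SignatureNonce and Timestamp, and API version 2018-12-03.
"""
import base64
import hashlib
import hmac
import urllib.parse
import uuid
from datetime import datetime, timezone

# Value sets copied from the request-parameter table.
VALID_DEALED = {"N", "Y"}
VALID_LEVELS = {"serious", "suspicious", "remind"}
VALID_OPERATIONS = {
    "Common", "deal", "ignore", "offline_handled", "mark_mis_info",
    "rm_mark_mis_info", "quara", "kill_and_quara", "kill_virus",
    "block_ip", "manual_handled",
}
VALID_RESULTS = {"Success", "Failure", "AgentOffline"}
API_VERSION = "2018-12-03"  # assumed Security Center API version


def build_query(current_page=1, page_size=20, dealed=None, levels=None,
                operate_error_codes=(), remark=None, lang="en"):
    """Return the operation-specific parameters, validated against the value
    tables on the page. Raises ValueError for values the API would reject."""
    params = {
        "Action": "DescribeAlarmEventList",
        "From": "sas",  # fixed value: request comes from Security Center
        "CurrentPage": str(current_page),
        "PageSize": str(page_size),
        "Lang": lang,
    }
    if dealed is not None:
        if dealed not in VALID_DEALED:
            raise ValueError(f"Dealed must be one of {sorted(VALID_DEALED)}")
        params["Dealed"] = dealed
    if levels:
        unknown = set(levels) - VALID_LEVELS
        if unknown:
            raise ValueError(f"unknown Levels: {sorted(unknown)}")
        params["Levels"] = ",".join(levels)  # comma-separated, per the page
    # RepeatList parameters are sent as Name.1, Name.2, ... (1-based index).
    for i, code in enumerate(operate_error_codes, start=1):
        operation, _, result = code.partition(".")
        if operation not in VALID_OPERATIONS or result not in VALID_RESULTS:
            raise ValueError(f"bad OperateErrorCodeList entry: {code!r}")
        params[f"OperateErrorCodeList.{i}"] = code
    if remark:
        params["Remark"] = remark
    return params


def _percent_encode(value):
    # RFC 3986 encoding: only unreserved characters are left as-is.
    return urllib.parse.quote(str(value), safe="-_.~")


def compute_signature(all_params, access_key_secret, method="GET"):
    """HMAC-SHA1 over the canonicalized query string (parameters sorted by
    name), keyed with the AccessKey secret plus '&', base64-encoded."""
    canonical = "&".join(
        f"{_percent_encode(k)}={_percent_encode(v)}"
        for k, v in sorted(all_params.items())
    )
    string_to_sign = f"{method}&{_percent_encode('/')}&{_percent_encode(canonical)}"
    digest = hmac.new((access_key_secret + "&").encode(),
                      string_to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(params, access_key_id, access_key_secret, method="GET"):
    """Add the assumed common parameters and the Signature; returns a new dict."""
    full = dict(params)
    full.update({
        "Format": "JSON",
        "Version": API_VERSION,
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": str(uuid.uuid4()),
        "Timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    full["Signature"] = compute_signature(full, access_key_secret, method)
    return full


def request_url(signed_params, endpoint="[Endpoint]"):
    """Assemble the GET URL; replace [Endpoint] with your region's endpoint."""
    return f"https://{endpoint}/?" + urllib.parse.urlencode(signed_params)


if __name__ == "__main__":
    query = build_query(dealed="N", levels=["serious", "suspicious"],
                        operate_error_codes=["ignore.Success"])
    # Placeholder credentials; never hard-code real AccessKey pairs.
    print(request_url(sign_request(query, "AK_ID_PLACEHOLDER", "AK_SECRET_PLACEHOLDER")))
```

Validating before signing matters in practice: a rejected request still consumes a signed, timestamped call, and filters such as Levels or OperateErrorCodeList silently return nothing if a value is misspelled rather than failing loudly.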

Response parameters

Parameter Type Example Description
PageInfo Struct

The pagination information.

Count Integer 1

The number of entries returned on the current page.

CurrentPage Integer 1

The page number of the returned page. Pages start from page 1. Default value: 1.

PageSize Integer 20

The number of entries returned per page. Default value: 20.

TotalCount Integer 1

The total number of alert events that are returned.

RequestId String 28267723-D857-4DD8-B295-013100000000

The ID of the request, which is used to locate and troubleshoot issues.

SuspEvents Array of SuspEvents

The information about the alert event.

AlarmEventName String Execution of malicious commands

The name of the alert event.

AlarmEventNameOriginal String Precise defense against malicious commands

The original parent name of the alert event.

AlarmEventType String Suspicious process

The type of the alert event.

AlarmUniqueInfo String 8df914418f4211fbf756efe7a6f40cbc

The ID of the alert event.

CanBeDealOnLine Boolean true

Indicates whether the online processing of the alert event is supported, such as quarantining the source file of the malicious process, adding the alert event to the whitelist, and ignoring the alert event. Valid values:

  • true: Online processing is supported.
  • false: Online processing is not supported.

CanCancelFault Boolean false

Indicates whether you can cancel marking the alert event as a false positive. Valid values:

  • true: yes
  • false: no

DataSource String aegis_***

The source of data.

Dealed Boolean false

Indicates whether the alert event is handled. Valid values:

  • true: handled
  • false: unhandled

Description String After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep malicious programs running. The scheduled tasks include crontab and systemd.

The description of the alert event.

EndTime Long 1543740301000

The timestamp when the alert event ends. Unit: milliseconds.

GmtModified Long 1569235879000

The timestamp when the alert was last modified. Unit: milliseconds.

HasTraceInfo Boolean true

Indicates whether the alert has trace information. Valid values:

  • true: The alert has trace information.
  • false: The alert does not have trace information.

InstanceId String i-e***

The ID of the affected asset.

InstanceName String Test server

The name of the affected asset.

InternetIp String 1.2.X.X

The public IP address of the affected asset.

IntranetIp String 1.2.X.X

The private IP address of the affected asset.

Level String serious

The risk level of the alert event. Valid values:

  • serious
  • suspicious
  • remind

OperateErrorCode String kill_and_quara.Success

The handling result code of the alert event.

OperateTime Long 1631699497000

The timestamp when the alert event was handled. Unit: milliseconds.

SaleVersion String 1

The edition in which the alert event detection can be enabled. Valid values:

  • 0: the Basic edition
  • 1: the Enterprise edition

SecurityEventIds String 270789

The ID of the associated exception.

Solution String Check the malicious URLs that are listed in the alert. Check the directory for malicious files. Terminate malicious processes. If you manually run the processes, you can mark them as false positives in the console.

The solution to the alert event.

Stages String [\"authority_maintenance\"]

The stage at which the attack is detected.

StartTime Long 1543740301000

The timestamp when the alert event starts.

SuspiciousEventCount Integer 1

The number of associated exceptions.

Uuid String 47900178-885d-4fa4-9d77-***

The ID of the associated instance.

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeAlarmEventList
&CurrentPage=1
&From=sas
&PageSize=20
&<Common request parameters>

Sample success responses

XML format

<DescribeAlarmEventList>
  <PageInfo>
        <TotalCount>1</TotalCount>
        <PageSize>20</PageSize>
        <CurrentPage>1</CurrentPage>
        <Count>1</Count>
  </PageInfo>
  <RequestId>28267723-D857-4DD8-B295-013100000000</RequestId>
  <SuspEvents>
        <Description>After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep malicious programs running. The scheduled tasks include crontab and systemd. </Description>
        <EndTime>1543740301000</EndTime>
        <OperateErrorCode>kill_and_quara.Success</OperateErrorCode>
        <AlarmEventName>Execution of malicious commands</AlarmEventName>
        <SecurityEventIds>270789</SecurityEventIds>
        <GmtModified>1569235879000</GmtModified>
        <IntranetIp>1.2.X.X</IntranetIp>
        <HasTraceInfo>true</HasTraceInfo>
        <InternetIp>1.2.X.X</InternetIp>
        <AlarmEventType>Suspicious process</AlarmEventType>
        <Solution>Check the malicious URLs that are listed in the alert. Check the directory for malicious files. Terminate malicious processes. If you manually run the processes, you can mark them as false positives in the console. </Solution>
        <CanCancelFault>false</CanCancelFault>
        <AlarmEventNameOriginal>Precise defense against malicious commands</AlarmEventNameOriginal>
        <InstanceId>i-e***</InstanceId>
        <Stages>[\"authority_maintenance\"]</Stages>
        <StartTime>1543740301000</StartTime>
        <SaleVersion>1</SaleVersion>
        <Dealed>false</Dealed>
        <DataSource>aegis_***</DataSource>
        <InstanceName>Test server</InstanceName>
        <OperateTime>1631699497000</OperateTime>
        <CanBeDealOnLine>true</CanBeDealOnLine>
        <Uuid>47900178-885d-4fa4-9d77-***</Uuid>
        <SuspiciousEventCount>1</SuspiciousEventCount>
        <AlarmUniqueInfo>8df914418f4211fbf756efe7a6f40cbc</AlarmUniqueInfo>
        <Level>serious</Level>
  </SuspEvents>
</DescribeAlarmEventList>

JSON format

{
    "PageInfo": {
        "TotalCount": "1",
        "PageSize": "20",
        "CurrentPage": "1",
        "Count": "1"
    },
    "RequestId": "28267723-D857-4DD8-B295-013100000000",
    "SuspEvents": [
        {
            "Description": "After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep malicious programs running. The scheduled tasks include crontab and systemd.",
            "EndTime": "1543740301000",
            "OperateErrorCode": "kill_and_quara.Success",
            "AlarmEventName": "Execution of malicious commands",
            "SecurityEventIds": "270789",
            "GmtModified": "1569235879000",
            "IntranetIp": "1.2.X.X",
            "HasTraceInfo": "true",
            "InternetIp": "1.2.X.X",
            "AlarmEventType": "Suspicious process",
            "Solution": "Check the malicious URLs that are listed in the alert. Check the directory for malicious files. Terminate malicious processes. If you manually run the processes, you can mark them as false positives in the console.",
            "CanCancelFault": "false",
            "AlarmEventNameOriginal": "Precise defense against malicious commands",
            "InstanceId": "i-e***",
            "Stages": "[\\\"authority_maintenance\\\"]",
            "StartTime": "1543740301000",
            "SaleVersion": "1",
            "Dealed": "false",
            "DataSource": "aegis_***",
            "InstanceName": "Test server",
            "OperateTime": "1631699497000",
            "CanBeDealOnLine": "true",
            "Uuid": "47900178-885d-4fa4-9d77-***",
            "SuspiciousEventCount": "1",
            "AlarmUniqueInfo": "8df914418f4211fbf756efe7a6f40cbc",
            "Level": "serious"
        }
    ]
}
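The following Python example is added here and is not part of this topic or of any SDK. It parses the JSON response shown above (embedded as a constructed sample string) into typed records and applies a simple triage rule. Two details of the sample are worth handling explicitly: the JSON sample carries every value as a string even where the table declares Integer, Boolean or Long, so the parser coerces types instead of trusting them, and Stages is a JSON array serialized into a string, shown in the sample with escaped quotes. The triage rule (needs_attention), the field names of the normalized record and the has_more_pages helper are this example's own choices.

```python
"""Added example: normalize and triage a DescribeAlarmEventList response.

SAMPLE_RESPONSE is the page's JSON sample, embedded here as a constructed
string so the code runs offline.
"""
import json
from datetime import datetime, timezone

SAMPLE_RESPONSE = r'''{
    "PageInfo": {"TotalCount": "1", "PageSize": "20", "CurrentPage": "1", "Count": "1"},
    "RequestId": "28267723-D857-4DD8-B295-013100000000",
    "SuspEvents": [
        {
            "EndTime": "1543740301000",
            "OperateErrorCode": "kill_and_quara.Success",
            "AlarmEventName": "Execution of malicious commands",
            "SecurityEventIds": "270789",
            "HasTraceInfo": "true",
            "AlarmEventType": "Suspicious process",
            "CanCancelFault": "false",
            "InstanceId": "i-e***",
            "Stages": "[\\\"authority_maintenance\\\"]",
            "StartTime": "1543740301000",
            "Dealed": "false",
            "CanBeDealOnLine": "true",
            "SuspiciousEventCount": "1",
            "AlarmUniqueInfo": "8df914418f4211fbf756efe7a6f40cbc",
            "Level": "serious"
        }
    ]
}'''


def _to_bool(value):
    # Booleans arrive as the strings "true"/"false" in the sample.
    return str(value).lower() == "true"


def _to_datetime(millis):
    # Long timestamps are milliseconds since the epoch, UTC.
    return datetime.fromtimestamp(int(millis) / 1000, tz=timezone.utc)


def decode_stages(raw):
    """Stages is a JSON array inside a string. The sample shows it with
    escaped quotes, so retry once after unescaping before giving up."""
    for candidate in (raw, raw.replace('\\"', '"')):
        try:
            value = json.loads(candidate)
        except json.JSONDecodeError:
            continue
        if isinstance(value, list):
            return [str(v) for v in value]
    return [raw]


def parse_response(body):
    """Return pagination info plus one typed record per alert event."""
    data = json.loads(body)
    page = data["PageInfo"]
    events = []
    for e in data.get("SuspEvents", []):
        # OperateErrorCode is "<operation>.<result>", e.g. kill_and_quara.Success
        operation, _, result = e.get("OperateErrorCode", "").partition(".")
        events.append({
            "id": e["AlarmUniqueInfo"],
            "name": e["AlarmEventName"],
            "type": e["AlarmEventType"],
            "level": e["Level"],
            "dealed": _to_bool(e["Dealed"]),
            "can_deal_online": _to_bool(e.get("CanBeDealOnLine", "false")),
            "instance_id": e["InstanceId"],
            "start": _to_datetime(e["StartTime"]),
            "end": _to_datetime(e["EndTime"]),
            "operation": operation or None,
            "result": result or None,
            "stages": decode_stages(e.get("Stages", "[]")),
            "exception_count": int(e.get("SuspiciousEventCount", 0)),
        })
    return {
        "total": int(page["TotalCount"]),
        "page": int(page["CurrentPage"]),
        "page_size": int(page["PageSize"]),
        "events": events,
    }


def has_more_pages(parsed):
    """True when CurrentPage * PageSize has not yet covered TotalCount."""
    return parsed["page"] * parsed["page_size"] < parsed["total"]


def needs_attention(event):
    """Unhandled serious/suspicious events, and any event whose last handling
    attempt ended in Failure or AgentOffline, should be routed to an analyst."""
    if not event["dealed"] and event["level"] in ("serious", "suspicious"):
        return True
    return event["result"] in ("Failure", "AgentOffline")


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    for ev in parsed["events"]:
        flag = "ATTENTION" if needs_attention(ev) else "ok"
        print(f"{flag:9} {ev['level']:10} {ev['name']} on {ev['instance_id']} "
              f"stages={ev['stages']} result={ev['operation']}.{ev['result']}")
    print("more pages:", has_more_pages(parsed))
```

Coercing types at the boundary also keeps comparisons honest: the string "false" is truthy in Python, so a naive `if event["Dealed"]` check on the raw JSON would treat every unhandled event as handled.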

Error codes

For a list of error codes, visit the API Error Center.