Data Security Center: DescribeEventDetail

Last Updated: Oct 17, 2024

Queries the details of an anomalous event. The details include the time when the anomalous event occurred, and the description and handling status of the anomalous event.

Debugging

You can call this operation directly in OpenAPI Explorer, which saves you the trouble of calculating signatures. After a successful call, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

No authorization information is currently disclosed for this API operation.

Request parameters

| Parameter | Type | Required | Description | Example |
| --- | --- | --- | --- | --- |
| Lang | string | No | The language of the content within the request and response. Valid values: zh: Chinese; en: English. | zh |
| Id | long | Yes | The ID of the anomalous event. Note: You can call the DescribeEvents operation to query the ID of the anomalous event. | 13456723343 |

Response parameters

| Parameter | Type | Description | Example |
| --- | --- | --- | --- |
|  | object |  |  |
| RequestId | string | The ID of the request. | 69FB3C1-F4C9-42DF-9B72-7077A8989C13 |
| Event | object | The details of the anomalous event. |  |
| DisplayName | string | The display name of the account that triggered the anomalous event. | yundunsr |
| Status | integer | The handling status for the anomalous event. Valid values: 0: unhandled; 1: confirmed; 2: marked as false positive. | 0 |
| DealReason | string | The reason why the anomalous event is handled. | Anomaly confirmed |
| UserId | long | The ID of the account that triggered the anomalous event. | 229157443385014*** |
| StatusName | string | The name of the handling status for the anomalous event. | Pending |
| DealTime | long | The time when the anomalous event was handled. The value is a UNIX timestamp. Unit: milliseconds. | 1230000 |
| DealLoginName | string | The username of the account that is used to handle the anomalous event. | det1111 |
| SubTypeName | string | The name of the anomalous event subtype. | Anomalous volume of downloaded data |
| Backed | boolean | Indicates whether the handling result of the anomalous event is used to enhance the detection of anomalous events. Valid values: true: yes; false: no. Note: If you enhance the detection of anomalous events, the detection accuracy and the rate of triggering alerts for anomalous events are improved. | false |
| DataInstance | string | The instance name of the service in which the anomalous event was detected. | in-222*** |
| EventTime | long | The time when the anomalous event occurred. The value is a UNIX timestamp. Unit: milliseconds. | 1545829129000 |
| LoginName | string | The username of the account that triggered the anomalous event. | det1111 |
| SubTypeCode | string | The code of the anomalous event subtype. | 020008 |
| LogDetail | string | The details of the alert logs. | {"client_ip": ["106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX"], "start_time": "2020-05-10 00:00:01", "instance": ["omniscience-data", "punish-beaver-data"], "end_time": "2020-05-10 00:21:22", "client_ua": ["Java/1.8.0_152", "Java/1.8.0_92", "aliyun-sdk-java/2.0.0", "aliyun-sdk-java/2.8.0(Linux/4.9.151-015.ali3000.alios7.x86_64/amd64;1.8.0_152)"], "user_name": 1512222261295262} |
| TypeCode | string | The code of the anomalous event type. | 02 |
| AlertTime | long | The time when the alert for the anomalous event was generated. The value is a UNIX timestamp. Unit: milliseconds. | 1545829129000 |
| DealUserId | long | The ID of the account that is used to handle the anomalous event. | 229157443385014*** |
| TypeName | string | The name of the anomalous event type. Valid values: 01: anomalous permission usage; 02: anomalous data flow; 03: anomalous data operation. | Anomalous data flow |
| DealDisplayName | string | The display name of the account that is used to handle the anomalous event. | yundunsr |
| Id | long | The unique ID of the anomalous event. | 52234 |
| ProductCode | string | The name of the service in which the anomalous event was detected. Valid values include MaxCompute, OSS, ADS, OTS, and RDS. | MaxCompute |
| HandleInfoList | array<object> | An array that consists of the handling records of the anomalous event. |  |
| HandleInfo | object | The details of a record in which the anomalous event is manually handled. |  |
| Status | integer | The status of the account that triggered the anomalous event. Valid values: 0: disabled; 1: enabled; -1: failed to disable the account; -2: failed to enable the account. | 1 |
| EnableTime | long | The time when the disabled account is enabled. The value is a UNIX timestamp. Unit: milliseconds. | 1611139155000 |
| HandlerValue | integer | The duration for which the handling operation takes effect. If you leave this parameter empty, the handling operation is permanently valid. Unit: minutes. | 10 |
| DisableTime | long | The time when the account is disabled. The value is a UNIX timestamp. Unit: milliseconds. | 1611139155000 |
| HandlerName | string | The handling method. | Remove from the whitelist |
| HandlerType | string | The type of the handling method. | rds_security_ip |
| CurrentValue | string | The account that is used to handle the anomalous event. | sddp-test2 |
| Id | long | The ID of the handling rule. | 11 |
| Detail | object | The content in the details of the anomalous event. |  |
| Content | array<object> | The content in the anomalous event. |  |
| Content | object | An array that consists of the content in the anomalous event. |  |
| Label | string | The title of the content in the anomalous event. | Anomaly description |
| Value | string | The description of the content in the anomalous event. | The account was used to access OSS from an unusual terminal whose IP address is 1.2.3.4 from 00:06:45 on September 9, 2019 to 00:57:37 on September 9, 2019. |
| Name | string | The name of the exception event. | daliaoyuncom |
| Chart | array<object> | The baseline behavior chart of the anomalous event. |  |
| Chart | object | The baseline behavior chart of the anomalous event. |  |
| Type | string | The type of the chart. Valid values: 1: column chart; 2: line chart. | 1 |
| Label | string | The name of the baseline behavior chart of the anomalous event. | Baseline behavior chart |
| XLabel | string | The descriptive label of data items on the X axis. | Number of days |
| YLabel | string | The descriptive label of data items on the Y axis. | Value |
| Data | object | The data in the baseline behavior profile of the anomalous event. |  |
| Y | array | The value of the data item on the Y axis. |  |
| Y | string | The value of the data item on the Y axis. | [1,2,3,...] |
| X | array | The value of the data item on the X axis. |  |
| X | string | The value of the data item on the X axis. | [test1,test2,...] |
| Z | array | The value of the data item for the Z axis. |  |
| Z | string | The value of the data item for the Z axis. | [5,7,...] |
| ChatType | integer | The type of the chart. Valid values: 1: column chart; 2: line chart. Note: This field is returned only when NewAlarm is true. | 1 |
| Name | string | The icon title. Note: This field is returned only when NewAlarm is true. | misskingm |
| ZLabel | string | The descriptive label of data items on the Z axis. Note: This field is returned only when NewAlarm is true. | chart description |
| ResourceInfo | array<object> | An array that consists of the sources from which the information of the anomalous event is recorded. |  |
| ResourceInfo | object | The source. |  |
| Label | string | The source title. | Risk |
| Value | string | The source description. | Based on the record of authentication by using an unusual terminal, an attacker may have obtained the access permission of the account, or an employee accessed data from a personal terminal. |
| NewAlarm | boolean | Indicates whether the alarm is of the new version. Valid values: true: Yes; false: No. | true |

Examples

Sample success responses

JSON format

{
  "RequestId": "69FB3C1-F4C9-42DF-9B72-7077A8989C13",
  "Event": {
    "DisplayName": "yundunsr",
    "Status": 0,
    "DealReason": "Anomaly confirmed\n",
    "UserId": 0,
    "StatusName": "Pending\n",
    "DealTime": 1230000,
    "DealLoginName": "det1111",
    "SubTypeName": "Anomalous volume of downloaded data\n",
    "Backed": false,
    "DataInstance": "in-222***",
    "EventTime": 1545829129000,
    "LoginName": "det1111",
    "SubTypeCode": "020008",
    "LogDetail": "{\"client_ip\": [\"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\"], \"start_time\": \"2020-05-10 00:00:01\", \"instance\": [\"omniscience-data\", \"punish-beaver-data\"], \"end_time\": \"2020-05-10 00:21:22\", \"client_ua\": [\"Java/1.8.0_152\", \"Java/1.8.0_92\", \"aliyun-sdk-java/2.0.0\", \"aliyun-sdk-java/2.8.0(Linux/4.9.151-015.ali3000.alios7.x86_64/amd64;1.8.0_152)\"], \"user_name\": 1512222261295262}",
    "TypeCode": "02",
    "AlertTime": 1545829129000,
    "DealUserId": 0,
    "TypeName": "Anomalous data flow\n",
    "DealDisplayName": "yundunsr",
    "Id": 52234,
    "ProductCode": "MaxCompute",
    "HandleInfoList": [
      {
        "Status": 1,
        "EnableTime": 1611139155000,
        "HandlerValue": 10,
        "DisableTime": 1611139155000,
        "HandlerName": "Remove from the whitelist\n",
        "HandlerType": "rds_security_ip",
        "CurrentValue": "sddp-test2",
        "Id": 11
      }
    ],
    "Detail": {
      "Content": [
        {
          "Label": "Anomaly description\n",
          "Value": "The account was used to access OSS from an unusual terminal whose IP address is 1.2.3.4 from 00:06:45 on September 9, 2019 to 00:57:37 on September 9, 2019.\n",
          "Name": "daliaoyuncom"
        }
      ],
      "Chart": [
        {
          "Type": "1",
          "Label": "Baseline behavior chart\n",
          "XLabel": "Number of days\n",
          "YLabel": "Value\n",
          "Data": {
            "Y": [
              "[1,2,3,...]"
            ],
            "X": [
              "[test1,test2,...]"
            ],
            "Z": [
              "[5,7,...]\n"
            ]
          },
          "ChatType": 1,
          "Name": "misskingm",
          "ZLabel": "chart description\n"
        }
      ],
      "ResourceInfo": [
        {
          "Label": "Risk\n",
          "Value": "Based on the record of authentication by using an unusual terminal, an attacker may have obtained the access permission of the account, or an employee accessed data from a personal terminal.\n"
        }
      ]
    },
    "NewAlarm": true
  }
}
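
An added example (not Alibaba Cloud SDK code and not part of the original page): one way to flatten this response into a triage record, decoding the JSON that LogDetail carries as a string and converting the millisecond timestamps. It assumes the response has already been retrieved and parsed into a dict; the function names and output keys are hypothetical, and SAMPLE is constructed from the sample response above.

```python
import json
from datetime import datetime, timezone

# Code tables copied from the response parameter descriptions on this page.
STATUS = {0: "unhandled", 1: "confirmed", 2: "marked as false positive"}
TYPE = {"01": "anomalous permission usage", "02": "anomalous data flow",
        "03": "anomalous data operation"}

def ms_to_utc(ms):
    """Convert a UNIX timestamp in milliseconds to an ISO 8601 UTC string."""
    if not isinstance(ms, (int, float)) or ms <= 0:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def parse_log_detail(raw):
    """LogDetail is JSON carried inside a string field, so decode it separately."""
    try:
        detail = json.loads(raw) if raw else {}
    except (TypeError, ValueError):
        return {"unparsed": raw}  # keep the raw evidence instead of dropping it
    return detail if isinstance(detail, dict) else {"unparsed": raw}

def normalize_event(response):
    """Flatten a DescribeEventDetail response (a dict) into a triage record."""
    ev = response.get("Event") or {}
    log = parse_log_detail(ev.get("LogDetail"))
    status = ev.get("Status")
    return {
        "request_id": response.get("RequestId"),
        "event_id": ev.get("Id"),
        "product": ev.get("ProductCode"),
        "type": TYPE.get(ev.get("TypeCode"), "unknown"),
        "status": STATUS.get(status, "unknown"),
        "needs_triage": status == 0,
        "account": ev.get("LoginName"),
        "event_time_utc": ms_to_utc(ev.get("EventTime")),
        # De-duplicated: the page's sample repeats the same masked address.
        "client_ips": sorted(set(log.get("client_ip", []))),
        "client_uas": sorted(set(log.get("client_ua", []))),
        "instances": log.get("instance", []),
    }

# Constructed sample, trimmed from the sample success response on this page.
SAMPLE = {"RequestId": "69FB3C1-F4C9-42DF-9B72-7077A8989C13", "Event": {
    "Id": 52234, "Status": 0, "TypeCode": "02", "ProductCode": "MaxCompute",
    "LoginName": "det1111", "EventTime": 1545829129000,
    "LogDetail": json.dumps({"client_ip": ["106.11.XX.XX", "106.11.XX.XX"],
                             "instance": ["omniscience-data"],
                             "client_ua": ["Java/1.8.0_152"]})}}
```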

Error codes

For a list of error codes, see Service error codes.

Change history

| Change time | Summary of changes | Operation |
| --- | --- | --- |
| 2024-04-22 | The API operation is not deprecated. The response structure of the API has changed | View Change Details |
| 2022-04-18 | The response structure of the API has changed | View Change Details |