All Products
Search
Document Center

Data Security Center:DescribeEventDetail

Last Updated:Jul 07, 2026

Queries the details of a single anomalous activity, including the time when the anomalous activity occurred, the anomaly description, and the handling status.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-sddp:DescribeEventDetail

get

*All Resource

*

  • acs:ResourceGroupId
None

Request parameters

Parameter

Type

Required

Description

Example

Lang

string

No

The language of the request and response. Valid values:

  • zh: Chinese.

  • en: English.

zh

Id

integer

Yes

The unique ID of the anomalous activity.

Note

To query the details of a single anomalous activity, provide the unique ID of the anomalous activity. You can call the DescribeEvents operation to obtain the ID.

13456723343

Response elements

Element

Type

Description

Example

object

RequestId

string

The request ID.

69FB3C1-F4C9-42DF-9B72-7077A8989C13

Event

object

The details of the anomalous activity.

DisplayName

string

The display name of the account that triggered the anomalous activity.

yundunsr

Status

integer

The handling status of the anomalous activity. Valid values:

  • 0: unhandled.

  • 1: confirmed as a violation.

  • 2: marked as a false positive.

0

DealReason

string

The reason for handling the anomalous activity.

Anomaly confirmed

UserId

integer

The ID of the account that triggered the anomalous activity.

229157443385014***

StatusName

string

The name of the handling status of the anomalous activity.

Pending

DealTime

integer

The time when the anomalous activity was handled. Format: UNIX timestamp. Unit: milliseconds.

1611139155000

DealLoginName

string

The logon name of the account that handled the anomalous activity.

det1111

SubTypeName

string

The name of the subtype of the anomalous activity.

Anomalous volume of downloaded data

Backed

boolean

Indicates whether detection enhancement is enabled for the anomalous activity. Valid values:

  • true: Enabled.

  • false: Disabled.

Note

Enhancing the detection capability for anomalous activities can improve detection accuracy and increase the event alerting rate for anomalous activities.

false

DataInstance

string

The name of the asset instance of the product to which the anomalous activity belongs.

in-222***

EventTime

integer

The time when the anomalous activity occurred. Format: UNIX timestamp. Unit: milliseconds.

1545829129000

LoginName

string

The logon name of the account that triggered the anomalous activity.

det1111

SubTypeCode

string

The code of the subtype of the anomalous activity.

020008

LogDetail

string

The alert log information.

{"client_ip": ["106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX"], "start_time": "2020-05-10 00:00:01", "instance": ["omniscience-data", "punish-beaver-data"], "end_time": "2020-05-10 00:21:22", "client_ua": ["Java/1.8.0_152", "Java/1.8.0_92", "aliyun-sdk-java/2.0.0", "aliyun-sdk-java/2.8.0(Linux/4.9.151-015.ali3000.alios7.x86_64/amd64;1.8.0_152)"], "user_name": 1512222261295262}

TypeCode

string

The code of the parent type of the anomalous activity.

02

AlertTime

integer

The time when the alert was triggered for the anomalous activity. Format: UNIX timestamp. Unit: milliseconds.

1545829129000

DealUserId

integer

The ID of the account that handled the anomalous activity.

229157443385014***

TypeName

string

The name of the parent type of the anomalous activity. Valid values:

  • 01: anomalous permission access.

  • 02: anomalous data flow.

  • 03: anomalous data operation.

Anomalous data flow

DealDisplayName

string

The display name of the account that handled the anomalous activity.

yundunsr

Id

integer

The unique ID of the anomalous activity recorded by Data Security Center.

52234

ProductCode

string

The name of the product to which the anomalous activity belongs. Valid values: MaxCompute, OSS, ADS, OTS, RDS, and others.

MaxCompute

HandleInfoList

array<object>

The handling history.

object

The details of the manually handled event.

Status

integer

The status of the handling action. Valid values:

  • 0: disabled.

  • 1: enabled.

  • -1: disabling failed.

  • -2: enabling failed.

1

EnableTime

integer

The time when the handling action was enabled. This value is a UNIX timestamp. Unit: milliseconds.

1611139155000

HandlerValue

integer

The duration of the handling action. Unit: minutes. If this parameter is empty, the handling action is permanent.

10

DisableTime

integer

The time when the handling action was disabled. This value is a UNIX timestamp. Unit: milliseconds.

1611139155000

HandlerName

string

The handling method.

Remove from the whitelist

HandlerType

string

The handling type.

rds_security_ip

CurrentValue

string

Specifies the account that handled the event.

sddp-test2

Id

integer

The handling ID.

11

Detail

object

The specific content in the anomalous activity details.

Content

array<object>

The content of the anomalous activity.

object

The content of the anomalous activity.

Label

string

The title of the anomalous activity content.

Anomaly description

Value

string

The description of the anomalous activity content.

The account was used to access OSS from an unusual terminal whose IP address is 1.2.3.4 from 00:06:45 on September 9, 2019 to 00:57:37 on September 9, 2019.

Name

string

The name of the anomalous activity.

daliaoyuncom

Chart

array<object>

The baseline behavior profile for the anomalous activity.

array<object>

The baseline behavior profile for the anomalous activity.

Type

string

The type of the chart. Valid values:

  • 1: column chart.

  • 2: line chart.

1

Label

string

The name of the baseline behavior profile for the anomalous activity.

Baseline behavior chart

XLabel

string

The label of the x-axis.

Number of days

YLabel

string

The label of the y-axis.

Value

Data

object

The data items of the baseline behavior profile for the anomalous activity.

Y

array

The values of the data items on the y-axis.

[1,2,3,...]

string

The value of the data item on the y-axis.

[1,2,3,...]

X

array

The values of the data items on the x-axis.

[test1,test2,...]

string

The value of the data item on the x-axis.

[test1,test2,...]

Z

array

The values of the data items on the z-axis.

string

The value of the data item on the z-axis.

[5,7,...]

ChatType

integer

The type of the chart. Valid values:

  • 1: column chart.

  • 2: line chart.

Note

This parameter is returned only when NewAlarm is set to true.

1

Name

string

The title of the chart.

Note

This parameter is returned only when NewAlarm is set to true.

misskingm

ZLabel

string

The label of the z-axis.

Note

This parameter is returned only when NewAlarm is set to true.

chart description

ResourceInfo

array<object>

The information about the source of the anomalous activity.

object

The information about the source of the anomalous activity.

Label

string

The title of the source of the anomalous activity.

Risk

Value

string

The description of the source of the anomalous activity.

Based on the record of authentication by using an unusual terminal, an attacker may have obtained the access permission of the account, or an employee accessed data from a personal terminal.

NewAlarm

boolean

Indicates whether the alert is of the new version. Valid values:

  • true: Yes.

  • false: No.

true

Examples

Success response

JSON format

{
  "RequestId": "69FB3C1-F4C9-42DF-9B72-7077A8989C13",
  "Event": {
    "DisplayName": "yundunsr",
    "Status": 0,
    "DealReason": "Anomaly confirmed\n",
    "UserId": 0,
    "StatusName": "Pending",
    "DealTime": 1611139155000,
    "DealLoginName": "det1111",
    "SubTypeName": "Anomalous volume of downloaded data\n",
    "Backed": false,
    "DataInstance": "in-222***",
    "EventTime": 1545829129000,
    "LoginName": "det1111",
    "SubTypeCode": "020008",
    "LogDetail": "{\"client_ip\": [\"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\"], \"start_time\": \"2020-05-10 00:00:01\", \"instance\": [\"omniscience-data\", \"punish-beaver-data\"], \"end_time\": \"2020-05-10 00:21:22\", \"client_ua\": [\"Java/1.8.0_152\", \"Java/1.8.0_92\", \"aliyun-sdk-java/2.0.0\", \"aliyun-sdk-java/2.8.0(Linux/4.9.151-015.ali3000.alios7.x86_64/amd64;1.8.0_152)\"], \"user_name\": 1512222261295262}",
    "TypeCode": "02",
    "AlertTime": 1545829129000,
    "DealUserId": 0,
    "TypeName": "Anomalous data flow\n",
    "DealDisplayName": "yundunsr",
    "Id": 52234,
    "ProductCode": "MaxCompute",
    "HandleInfoList": [
      {
        "Status": 1,
        "EnableTime": 1611139155000,
        "HandlerValue": 10,
        "DisableTime": 1611139155000,
        "HandlerName": "Remove from the whitelist\n",
        "HandlerType": "rds_security_ip",
        "CurrentValue": "sddp-test2",
        "Id": 11
      }
    ],
    "Detail": {
      "Content": [
        {
          "Label": "Anomaly description\n",
          "Value": "The account was used to access OSS from an unusual terminal whose IP address is 1.2.3.4 from 00:06:45 on September 9, 2019 to 00:57:37 on September 9, 2019.",
          "Name": "daliaoyuncom"
        }
      ],
      "Chart": [
        {
          "Type": "1",
          "Label": "Baseline behavior chart\n",
          "XLabel": "Number of days\n",
          "YLabel": "Value",
          "Data": {
            "Y": [
              "[1,2,3,...]"
            ],
            "X": [
              "[test1,test2,...]"
            ],
            "Z": [
              "[5,7,...]"
            ]
          },
          "ChatType": 1,
          "Name": "misskingm",
          "ZLabel": "chart description"
        }
      ],
      "ResourceInfo": [
        {
          "Label": "Risk",
          "Value": "Based on the record of authentication by using an unusual terminal, an attacker may have obtained the access permission of the account, or an employee accessed data from a personal terminal."
        }
      ]
    },
    "NewAlarm": true
  }
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.