Security Center: DescribeDisposeAndPlaybook

Last Updated: Sep 08, 2025

Retrieves a list of entities to handle and a list of available playbooks.

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
| --- | --- | --- | --- | --- |
| yundun-sas:DescribeDisposeAndPlaybook | get | *All Resource (*) | None | None |

Request parameters

| Parameter | Type | Required | Description | Example |
| --- | --- | --- | --- | --- |
| EntityType | string | No | The type of the entity. Valid values: ip: IP address; process: process; file: file. | ip |
| IncidentUuid | string | No | The UUID of the event. | 85ea4241-798f-4684-a876-65d4f0c3**** |
| EntityUuid | string | No | The UUID of the entity. | 85ea4241-798f-4684-a876-65d4f0c3**** |
| CurrentPage | integer | No | The page number. The value must be greater than or equal to 1. | 1 |
| PageSize | integer | No | The number of entries per page. The maximum value is 100. | 10 |
| RoleType | integer | No | The view type. 0: The view of the current Alibaba Cloud account. 1: The view of all accounts in the enterprise. | 1 |
| RoleFor | integer | No | The ID of the user that the administrator wants to switch to. | 113091674488**** |
| RegionId | string | No | The region where the Data Management center of threat analysis is located. Select a region based on the region where your assets are located. Valid values: cn-hangzhou: Your assets are in the Chinese mainland and China (Hong Kong). ap-southeast-1: Your assets are outside China. | cn-hangzhou |

Response elements

| Element | Type | Description | Example |
| --- | --- | --- | --- |
| | object | PageResponse<List> | |
| Success | boolean | Indicates whether the request was successful. Valid values: true: The request was successful. false: The request failed. | true |
| Code | integer | The request status code. | 200 |
| Message | string | The message returned for the request. | success |
| RequestId | string | The request ID. | 9AAA9ED9-78F4-5021-86DC-D51C7511**** |
| Data | object | The return value of the request. | 123456 |
| PageInfo | object | The paging information. | |
| CurrentPage | integer | The current page number. | 1 |
| PageSize | integer | The number of entries returned per page. | 10 |
| TotalCount | integer | The total number of entries. | 100 |
| ResponseData | array<object> | The detailed data. | |
| | object | | |
| EntityId | integer | The entity ID. | 12345**** |
| EntityType | string | The entity type. Valid values: ip: IP address; domain: domain name; url: URL; process: process; file: file; host: host. | ip |
| OpcodeMap | object | The key-value pair of the opcode and oplevel. | 12345 |
| | string | The key-value pair of the opcode and oplevel. | {"7","2"} |
| OpcodeSet | array | The recommended playbook codes for entity handling. | [1,3] |
| | string | The recommended playbook code for entity handling. | 7 |
| EntityInfo | object | The entity information. | {"file_path": "c:/www/leixi.jsp","file_hash": "aa0ca926ad948cd820e0a3d9a18c****","host_uuid": "efed2cf7-0b77-45d9-a97b-d2cf246b****","malware_type": "${aliyun.siem.sas.alert_tag.webshell}","host_name": "launch-advisor-2023****"} |
| Dispose | string | The handling object. | 192.168.*.* |
| Scope | array | The handling scope, which is a list of user IDs that can perform the handling. | 176618589410**** |
| | any | The handling scope, which is a list of user IDs that can perform the handling. | [127608589417****] |
| PlaybookList | array<object> | The list of playbooks that can be used to handle the entity. | [{"name":"云安全中心-云服务器安全","code":"1"}] |
| | object | | |
| OpCode | string | The playbook opcode. It corresponds to the recommended playbook opcode for entity handling. | 7 |
| OpLevel | string | Indicates whether the playbook is selected by default for one-click handling. Valid values: 2: selected; 1: displayed but not selected. | 2 |
| Description | string | The description of the playbook. | WafBlockIP |
| DisplayName | string | The display name of the playbook. | WafBlockIP |
| TaskConfig | string | The opcode configuration. | {"opCode":"3"} |
| Name | string | The name of the playbook, which is the unique identifier of the playbook. | kill_process_isolate_file |
| Uuid | string | The UUID of the playbook, which is the unique identifier of the playbook. | kill_process_isolate_file |
| ParamConfig | array | The list of parameters for the playbook and their properties. | |
| | any | The list of input parameters for the current playbook and their format requirements. | { "ParamConfig": [ { "Field": "dispose", "Necessary": true, "CheckField": "[{"fieldPath":"$.ip","fieldName":"ip"}]" }, { "Field": "alert", "Necessary": true, "CheckField": "[{"fieldPath":"$.host_uuid","fieldName":"host_uuid"}]" }, { "Field": "scope", "Necessary": true, "Value": "$.main_user_id" }, { "Field": "startTime", "Necessary": true }, { "Field": "endTime", "Necessary": true } ] } |
| WafPlaybook | boolean | Indicates whether the playbook is a WAF playbook. Valid values: true: yes; false: no. | false |
| Available | string | Indicates whether the playbook is active. 1: active; 0: inactive. | 1 |
| AlertNum | integer | The number of alerts associated with the entity. | 1 |

Examples

Success response

JSON format

{
  "Success": true,
  "Code": 200,
  "Message": "success",
  "RequestId": "9AAA9ED9-78F4-5021-86DC-D51C7511****",
  "Data": {
    "PageInfo": {
      "CurrentPage": 1,
      "PageSize": 10,
      "TotalCount": 100
    },
    "ResponseData": [
      {
        "EntityId": 0,
        "EntityType": "ip",
        "OpcodeMap": {
          "key": "{\"7\",\"2\"}"
        },
        "OpcodeSet": [
          "7"
        ],
        "EntityInfo": {
          "file_path": "c:/www/leixi.jsp",
          "file_hash": "aa0ca926ad948cd820e0a3d9a18c****",
          "host_uuid": "efed2cf7-0b77-45d9-a97b-d2cf246b****",
          "malware_type": "${aliyun.siem.sas.alert_tag.webshell}",
          "host_name": "launch-advisor-2023****"
        },
        "Dispose": "192.168.*.*",
        "Scope": [
          "[127608589417****]"
        ],
        "PlaybookList": [
          {
            "OpCode": "7",
            "OpLevel": "2",
            "Description": "WafBlockIP",
            "DisplayName": "WafBlockIP",
            "TaskConfig": "{\"opCode\":\"3\"}",
            "Name": "kill_process_isolate_file",
            "Uuid": "kill_process_isolate_file",
            "ParamConfig": [
              "{\n\t\"ParamConfig\": [\n\t\t{\n\t\t\t\"Field\": \"dispose\",\n\t\t\t\"Necessary\": true,\n\t\t\t\"CheckField\": \"[{\\\"fieldPath\\\":\\\"$.ip\\\",\\\"fieldName\\\":\\\"ip\\\"}]\"\n\t\t},\n\t\t{\n\t\t\t\"Field\": \"alert\",\n\t\t\t\"Necessary\": true,\n\t\t\t\"CheckField\": \"[{\\\"fieldPath\\\":\\\"$.host_uuid\\\",\\\"fieldName\\\":\\\"host_uuid\\\"}]\"\n\t\t},\n\t\t{\n\t\t\t\"Field\": \"scope\",\n\t\t\t\"Necessary\": true,\n\t\t\t\"Value\": \"$.main_user_id\"\n\t\t},\n\t\t{\n\t\t\t\"Field\": \"startTime\",\n\t\t\t\"Necessary\": true\n\t\t},\n\t\t{\n\t\t\t\"Field\": \"endTime\",\n\t\t\t\"Necessary\": true\n\t\t}\n\t]\n}"
            ],
            "WafPlaybook": false,
            "Available": "1"
          }
        ],
        "AlertNum": 1
      }
    ]
  }
}
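
The following is an added example, not Alibaba Cloud's code or SDK: it walks a response shaped like the one above and keeps only playbooks that are active (Available "1"), selected by default (OpLevel "2") and recommended in the entity's OpcodeSet, together with the ParamConfig fields marked Necessary. It assumes each ParamConfig entry is a JSON document (string or object); the sample data, the 192.0.2.10 address and the `*_example` playbook names are constructed.

```python
import json

def required_fields(playbook):
    """Names of ParamConfig fields marked Necessary; None if an entry is unparseable."""
    fields = []
    for raw in playbook.get("ParamConfig") or []:
        try:
            doc = json.loads(raw) if isinstance(raw, str) else raw
        except json.JSONDecodeError:
            return None  # do not guess inputs for an automated action
        fields += [p["Field"] for p in doc.get("ParamConfig", []) if p.get("Necessary")]
    return fields

def default_playbooks(response):
    """(Dispose, playbook Name, required fields) for playbooks that are active,
    selected by default (OpLevel "2") and listed in the entity's OpcodeSet."""
    if not response.get("Success") or response.get("Code") != 200:
        raise ValueError("request failed: %s" % response.get("Message"))
    plan = []
    for entity in response["Data"]["ResponseData"]:
        recommended = {str(c) for c in entity.get("OpcodeSet") or []}
        for pb in entity.get("PlaybookList") or []:
            if pb.get("Available") != "1" or pb.get("OpLevel") != "2":
                continue  # inactive, or displayed but not selected
            if str(pb.get("OpCode")) not in recommended:
                continue
            plan.append((entity.get("Dispose"), pb.get("Name"), required_fields(pb)))
    return plan

def pages_left(page_info):
    """Pages still to request, from CurrentPage, PageSize and TotalCount."""
    last = -(-page_info["TotalCount"] // page_info["PageSize"])  # ceiling division
    return max(last - page_info["CurrentPage"], 0)

def _pb(code, level, name, available, params):
    return {"OpCode": code, "OpLevel": level, "Name": name,
            "Available": available, "ParamConfig": params}
# Constructed sample data (not real API output); names ending in _example are hypothetical.
_OK = json.dumps({"ParamConfig": [{"Field": "dispose", "Necessary": True},
                                  {"Field": "startTime", "Necessary": True},
                                  {"Field": "note", "Necessary": False}]})
_BAD = '{"ParamConfig": [{"CheckField": "[{"fieldPath":"$.ip"}]"}]}'  # unescaped quotes
SAMPLE = {"Success": True, "Code": 200, "Message": "success", "Data": {
    "PageInfo": {"CurrentPage": 1, "PageSize": 10, "TotalCount": 100},
    "ResponseData": [{"EntityType": "ip", "Dispose": "192.0.2.10", "OpcodeSet": ["7"],
        "PlaybookList": [_pb("7", "2", "kill_process_isolate_file", "1", [_OK]),
                         _pb("7", "2", "inactive_example", "0", []),
                         _pb("3", "1", "unselected_example", "1", []),
                         _pb("7", "2", "malformed_example", "1", [_BAD])]}]}}
```

A playbook whose required fields come back as `None` has a ParamConfig entry that did not parse and is best routed to an analyst rather than run automatically.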

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 500 | InternalError | The request processing has failed due to some unknown error. | |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.