API standard and pre-built SDKs in multiple languages
The OpenAPI specification of this product (cloud-siem/2022-06-16) follows the RPC standard. Alibaba Cloud provides pre-built SDKs for popular programming languages that abstract low-level details such as request signing, so developers can call the APIs with language-specific syntax instead of constructing and signing HTTP requests themselves.
Custom signature
If the SDK does not cover your requirements, for example a customized signature, you can sign requests manually using the signature mechanism. Note that manual signing requires significant effort (usually about 5 business days). For support, join our DingTalk group (ID: 147535001692).
Before you begin
An Alibaba Cloud account has full administrative privileges. If its AccessKey pair is compromised, every resource under the account is exposed to unauthorized access, which is a significant security risk. Create a Resource Access Management (RAM) user with API-only access and attach RAM policies that apply the principle of least privilege (PoLP), granting only the API permissions the caller needs. Use the Alibaba Cloud account itself only when an operation explicitly requires it.
To call APIs securely, configure the following:
A RAM user account
An AccessKey pair for the account
Multi-account Management
| API | Title | Description |
| --- | --- | --- |
| ListRdUsers | ListRdUsers | Lists the Alibaba Cloud accounts that are managed by the multi-account control feature of Threat Analysis. An account must be managed to use features such as log collection and event handling. |
Log Management
| API | Title | Description |
| --- | --- | --- |
| ListAccountsByLog | ListAccountsByLog | Queries the accounts associated with a log. |
| DescribeUserBuyStatus | DescribeUserBuyStatus | Checks whether the current Alibaba Cloud account or its associated enterprise organization has purchased Threat Analysis. |
| ListProjectLogStores | ListProjectLogStores | Queries projects and Logstores based on the name patterns of the default SLS project and Logstore for an Alibaba Cloud service. |
| ModifyDataSource | ModifyDataSource | Modifies the description of an existing data source. |
| ModifyDataSourceLog | ModifyDataSourceLog | Modifies the description of a data source log. |
| ModifyBindAccount | ModifyBindAccount | Modifies a bound Alibaba Cloud account. |
| ListImportedLogsByProd | ListImportedLogsByProd | Queries the log ingestion details for a specific product. |
| ListDataSourceTypes | ListDataSourceTypes | Lists the types of multicloud data sources that Threat Analysis supports. |
| ListDataSourceLogs | ListDataSourceLogs | Lists the logs for a data source. |
| ListBindDataSources | ListBindDataSources | Queries all bound data sources. |
| ListAllProds | ListAllProds | Lists the cloud products supported by Threat Analysis for data ingestion. |
| EnableServiceForCloudSiem | EnableServiceForCloudSiem | Enables resource directory authorization for Threat Analysis. This operation can be called only by a resource directory administrator. |
| EnableAccessForCloudSiem | EnableAccessForCloudSiem | Grants permissions to Threat Analysis and creates the AliyunServiceRoleForSasCloudSiem service-linked role. |
| DescribeServiceStatus | DescribeServiceStatus | Checks whether a resource directory is authorized for Threat Analysis. |
| DescribeProdCount | DescribeProdCount | Queries the number of Alibaba Cloud, Tencent Cloud, and Huawei Cloud products that can be integrated with Threat Analysis. |
| DescribeImportedLogCount | DescribeImportedLogCount | Queries the number of imported logs. |
| DescribeDataSourceParameters | DescribeDataSourceParameters | Describes the parameters for a data source. |
| DescribeDataSourceInstance | DescribeDataSourceInstance | Queries the details of a data source. |
| DescribeAuth | DescribeAuth | Checks whether an Alibaba Cloud account has granted permissions to Cloud SIEM and whether the AliyunServiceRoleForSasCloudSiem role has been created. |
| DeleteDataSourceLog | DeleteDataSourceLog | Removes a log from a data source. |
| DeleteDataSource | DeleteDataSource | Deletes a data source that is no longer required. |
| DeleteBindAccount | DeleteBindAccount | Detaches the AccessKey of a multicloud account, such as a Tencent Cloud or Huawei Cloud account, from a Threat Analysis data source. You can then attach a new account. |
| BindAccount | BindAccount | Binds a multicloud account from Multicloud Assets of Security Center to Threat Analysis. |
| AddUserSourceLogConfig | AddUserSourceLogConfig | Adds a log collection task to import log data into Threat Analysis for alerting and event analysis. |
| AddDataSourceLog | AddDataSourceLog | Adds a log for a data source. |
| AddDataSource | AddDataSource | Adds a data source to an attached multicloud account. |
| ListBindAccount | ListBindAccount | Lists the multicloud accounts bound to Threat Analysis. |
| ListAccountAccessId | ListAccountAccessId | Lists the AccessKey IDs for attached multicloud accounts. |
| SubmitImportLogTasks | SubmitImportLogTasks | Submits a batch of log ingestion tasks. |
Alert Monitoring
| API | Title | Description |
| --- | --- | --- |
| DescribeAlertsWithEntity | DescribeAlertsWithEntity | Queries the alerts that are associated with an entity. |
| DescribeAlerts | DescribeAlerts | Retrieves a list of alerts for a user. |
| DescribeAlertSource | DescribeAlertSource | Retrieves a list of alert data sources. |
| DescribeAlertsCount | DescribeAlertsCount | Queries the number of alerts at each severity level. |
Event Response
| API | Title | Description |
| --- | --- | --- |
| ListEntities | ListEntities | Queries a list of entities. |
| DescribeEntityInfo | DescribeEntityInfo | Retrieves the details of an entity. |
| PostEventDisposeAndWhiteruleList | PostEventDisposeAndWhiteruleList | Submits event handling information together with alert whitelist rules. |
| DescribeWafScope | DescribeWafScope | Retrieves the list of domain names protected by Web Application Firewall (WAF) instances. |
| DescribeEventDispose | DescribeEventDispose | Queries the policy handling history for an event. |
| DescribeEventCountByThreatLevel | DescribeEventCountByThreatLevel | Retrieves the number of events at each threat level. |
| DescribeDisposeAndPlaybook | DescribeDisposeAndPlaybook | Retrieves a list of entities to handle and a list of available playbooks. |
| DescribeCloudSiemEvents | DescribeCloudSiemEvents | Retrieves a list of Threat Analysis events. |
| DescribeCloudSiemEventDetail | DescribeCloudSiemEventDetail | Retrieves the details of an event. |
| DescribeCloudSiemAssetsCounter | DescribeCloudSiemAssetsCounter | Queries the number of assets of each type that are associated with an event. |
| DescribeCloudSiemAssets | DescribeCloudSiemAssets | Queries a list of assets that are associated with an event. |
| DescribeAlertsWithEvent | DescribeAlertsWithEvent | Retrieves the alerts associated with an event. |
| DescribeAlertSourceWithEvent | DescribeAlertSourceWithEvent | Retrieves the alert data sources associated with an event. |
Rule Management
| API | Title | Description |
| --- | --- | --- |
| DescribeAlertType | DescribeAlertType | Retrieves a list of threat types for custom rules. |
| DeleteCustomizeRule | DeleteCustomizeRule | Deletes the custom rule with the specified ID. |
| DescribeAggregateFunction | DescribeAggregateFunction | Describes the aggregate functions that are supported by custom rules. |
| DescribeCustomizeRuleCount | DescribeCustomizeRuleCount | Retrieves the number of custom rules. |
| DescribeCustomizeRuleTest | DescribeCustomizeRuleTest | Retrieves historical simulated data from a test scenario. |
| DescribeCustomizeRuleTestHistogram | DescribeCustomizeRuleTestHistogram | Retrieves the chart of test results for a custom rule. |
| DescribeLogFields | DescribeLogFields | Retrieves the list of configurable fields for custom rules. |
| DescribeLogSource | DescribeLogSource | Retrieves a list of configurable log sources for custom rules. |
| DescribeLogType | DescribeLogType | Retrieves the log types that can be configured for custom rules. |
| DescribeOperators | DescribeOperators | Retrieves the list of operators for custom rules. |
| ListCloudSiemCustomizeRules | ListCloudSiemCustomizeRules | Retrieves a list of custom rules. |
| ListCloudSiemPredefinedRules | ListCloudSiemPredefinedRules | Retrieves a list of predefined rules. |
| ListCustomizeRuleTestResult | ListCustomizeRuleTestResult | Retrieves the list of test results for a custom rule. |
| PostCustomizeRule | PostCustomizeRule | Adds or updates a custom rule. |
| PostCustomizeRuleTest | PostCustomizeRuleTest | Submits a custom rule for testing. |
| PostFinishCustomizeRuleTest | PostFinishCustomizeRuleTest | Finishes the test for a custom rule. |
| PostRuleStatusChange | PostRuleStatusChange | Updates the statuses of custom rules. |
Response Rules Management
| API | Title | Description |
| --- | --- | --- |
| DescribeScopeUsers | DescribeScopeUsers | Retrieves the list of users in the playbook scope. |
| DeleteAutomateResponseConfig | DeleteAutomateResponseConfig | Deletes an automated response rule by its ID. |
| DescribeAutomateResponseConfigCounter | DescribeAutomateResponseConfigCounter | Returns the number of automated response rules. |
| DescribeAutomateResponseConfigFeature | DescribeAutomateResponseConfigFeature | Retrieves the configurable fields and operators for automated response rules. |
| ListAutomateResponseConfigs | ListAutomateResponseConfigs | Retrieves a list of automated response rules. |
| PostAutomateResponseConfig | PostAutomateResponseConfig | Adds or updates an automated response rule. |
| UpdateAutomateResponseConfigStatus | UpdateAutomateResponseConfigStatus | Updates the status of an automated response rule. |
Disposal Center
| API | Title | Description |
| --- | --- | --- |
| ListDisposeStrategy | ListDisposeStrategy | Lists system-recommended response policies. |
| DescribeDisposeStrategyPlaybook | DescribeDisposeStrategyPlaybook | Retrieves the list of playbooks used in a disposal policy. |
Storage Management
| API | Title | Description |
| --- | --- | --- |
| RestoreCapacity | RestoreCapacity | Releases storage space. This operation is irreversible and causes data loss. Use with caution. |
| GetCapacity | GetCapacity | Queries the storage usage and subscription capacity for Threat Analysis. The values are returned in GB. |
| SetStorage | SetStorage | Sets user settings, such as the storage duration and storage region. |
| DescribeStorage | DescribeStorage | Checks the status of the storage for the Threat Analysis feature. The storage is a Logstore in Simple Log Service. |
| GetStorage | GetStorage | Retrieves the storage settings created by the Threat Analysis and Response product in your Simple Log Service (SLS). These settings include the storage duration and storage region. |
Delivery Management
| API | Title | Description |
| --- | --- | --- |
| ListDelivery | ListDelivery | Lists the products and logs that are connected to Threat Analysis for an enterprise or a member, and the data shipping status of these logs. |
| OpenDelivery | OpenDelivery | Enables log delivery for integrated cloud services. |
| CloseDelivery | CloseDelivery | Stops log delivery from a connected cloud service. Once stopped, no new logs are added to your Logstore. |
White Rule Management
| API | Title | Description |
| --- | --- | --- |
| UpdateWhiteRuleList | UpdateWhiteRuleList | Adds or updates alert whitelist rules. |
| PostEventWhiteruleList | PostEventWhiteruleList | Submits alert whitelist rules. |
| DescribeWhiteRuleList | DescribeWhiteRuleList | Queries the rules in the alert whitelist. |
| DescribeAlertScene | DescribeAlertScene | Queries the scenarios in which alerts can be whitelisted. |
| DescribeAlertSceneByEvent | DescribeAlertSceneByEvent | Retrieves a list of alert whitelisting scenarios and objects for an event. |
| DeleteWhiteRuleList | DeleteWhiteRuleList | Deletes the alert whitelist rule with the specified ID. |