All Products
Search

This Product

    Security Center:ListNormalizationRules

    Document Center

    Security Center:ListNormalizationRules

    Last Updated:Jan 22, 2026

    Retrieves a list of normalization rules.

    Operation description

    Notifications are sent based on frequency and time limits. Each user can receive a maximum of two notifications per day, and only between 08:00 and 20:00.

    Try it now

    Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

    Test

    RAM authorization

    The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

    • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

    • API: The API that you can call to perform the action.

    • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

    • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

      • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

      • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

    • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

    • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

    Action

    Access level

    Resource type

    Condition key

    Dependent action

    yundun-sas:ListNormalizationRules

    list

    *NormalizationRule

    acs:yundun-sas::{#accountId}:normalizationrule/*

    		 None None

    Request parameters

    Parameter

    Type

    Required

    Description

    Example
    RegionId

    string

    No

    The region of the Data Management center for threat analysis. Select the region based on the location of your assets. Valid values:

    • cn-hangzhou: your assets are in the Chinese mainland.

    • ap-southeast-1: your assets are in a region outside the Chinese mainland.

    cn-hangzhou
    Lang

    string

    No

    The language of the response message. Valid values:

    • zh (default): Chinese.

    • en: English.

    zh
    RoleFor

    integer

    No

    The user ID of the member whose perspective the administrator wants to switch to.

    173326*******
    NormalizationRuleIds

    array

    No

    A list of normalization rule IDs.

    string

    No

    The ID of the normalization rule.

    nr-z0b2ssjteut85uoh9nzp
    NormalizationRuleName

    string

    No

    The name of the normalization rule.

    normalization_rule_Z57np
    NormalizationRuleType

    string

    No

    The type of the normalization rule. Valid values:

    • predefined: a predefined normalization rule.

    • custom: a custom normalization rule.

    predefined
    NormalizationCategoryId

    string

    No

    The ID of the normalization rule classification.

    NETWORK_CATEGORY
    NormalizationSchemaId

    string

    No

    The ID of the normalization structure.

    HTTP_ACTIVITY
    VendorId

    string

    No

    The vendor ID for the normalization rule.

    alibaba_cloud
    ProductId

    string

    No

    The product ID.

    alibaba_cloud_sas
    PageNumber

    integer

    No

    The page number to return.

    3
    PageSize

    integer

    No

    The number of entries to return on each page.

    10
    OrderField

    string

    No

    The field to use for sorting the results.

    UpdateTime
    OrderType

    string

    No

    The sort order. Valid values:

    • desc

    • asc

    desc
    MaxResults

    integer

    No

    The maximum number of entries to return.

    50
    NextToken

    string

    No

    The token that is used to retrieve the next page of results. Leave this parameter empty for the first query. To retrieve the next page, set this parameter to the `NextToken` value from the previous response.

    AAAAAUqcj6VO4E3ECWIrFczs****

    Response elements

    Element

    Type

    Description

    Example

    object

    The response body.

    RequestId

    string

    The request ID.

    6276D891-*****-55B2-87B9-74D413F7****
    NormalizationRules

    array<object>

    The list of normalization rules.

    array<object>

    The normalization rule.

    CreateTime

    integer

    The time when the rule was created.

    1733269771123
    UpdateTime

    integer

    The time when the rule was last updated.

    1733269771123
    NormalizationRuleId

    string

    The ID of the normalization rule.

    nr-z0b2ssjteut85uoh9nzp
    NormalizationRuleName

    string

    The name of the normalization rule.

    normalization_rule_Z57np
    NormalizationRuleType

    string

    The type of the normalization rule. Valid values:

    • predefined: a predefined normalization rule.

    • custom: a custom normalization rule.

    predefined
    NormalizationRuleFormat

    string

    The format of the normalization rule.

    SPL
    NormalizationRuleDescription

    string

    The description of the normalization rule.

    normalization_rule_Z57np
    NormalizationRuleVersion

    string

    The current version of the normalization rule.

    V1
    NormalizationRuleExpression

    string

    The expression of the normalization rule.

    * | pack-fields -include='[\s\S]+' as extend_content
    NormalizationRuleStatus

    string

    The status of the normalization rule.

    started
    NormalizationCategoryId

    string

    The ID of the normalization rule classification.

    NETWORK_CATEGORY
    NormalizationSchemaId

    string

    The ID of the normalization structure.

    HTTP_ACTIVITY
    VendorId

    string

    The vendor ID for the normalization rule.

    alibaba_cloud
    ProductId

    string

    The product ID.

    alibaba_cloud_sas
    NormalizationRuleReferences

    array<object>

    A list of associated data ingestion policies.

    object

    The associated data ingestion policy.

    DataIngestionId

    string

    The data ingestion ID.

    alibaba_cloud_bot_flow_ingestion_173326*******
    NormalizationRuleMode

    string

    The mode of the normalization rule. Valid values:

    • both

    • scan

    • realtime

    both
    ExtendContentPacked

    string

    Indicates whether non-standard fields are packaged into the `extend_content` extension field. Valid values:

    • enabled: Enabled.

    • disabled: Disabled.

    enabled
    ExtendFieldStoreMode

    string

    The storage mode for extension fields. `flat` ingests fields as they are. `reject` does not ingest fields. `pack` packages fields into the `extend_content` field.

    flat
    PageNumber

    integer

    The page number of the returned page.

    1
    PageSize

    integer

    The number of entries returned on the page.

    2
    TotalCount

    integer

    The total number of entries.

    5
    TotalPage

    integer

    The total number of pages.

    1
    MaxResults

    integer

    The maximum number of entries returned.

    50
    NextToken

    string

    The token that is used to retrieve the next page of results. If this parameter is empty, all results have been returned.

    AAAAAUqcj6VO4E3ECWIrFczs****

    Examples

    Success response

    JSON format

    {
  "RequestId": "6276D891-*****-55B2-87B9-74D413F7****",
  "NormalizationRules": [
    {
      "CreateTime": 1733269771123,
      "UpdateTime": 1733269771123,
      "NormalizationRuleId": "nr-z0b2ssjteut85uoh9nzp",
      "NormalizationRuleName": "normalization_rule_Z57np",
      "NormalizationRuleType": "predefined",
      "NormalizationRuleFormat": "SPL",
      "NormalizationRuleDescription": "normalization_rule_Z57np",
      "NormalizationRuleVersion": "V1",
      "NormalizationRuleExpression": "* | pack-fields -include='[\\s\\S]+' as extend_content",
      "NormalizationRuleStatus": "started",
      "NormalizationCategoryId": "NETWORK_CATEGORY",
      "NormalizationSchemaId": "HTTP_ACTIVITY",
      "VendorId": "alibaba_cloud",
      "ProductId": "alibaba_cloud_sas",
      "NormalizationRuleReferences": [
        {
          "DataIngestionId": "alibaba_cloud_bot_flow_ingestion_173326*******"
        }
      ],
      "NormalizationRuleMode": "both",
      "ExtendContentPacked": "enabled",
      "ExtendFieldStoreMode": "flat"
    }
  ],
  "PageNumber": 1,
  "PageSize": 2,
  "TotalCount": 5,
  "TotalPage": 1,
  "MaxResults": 50,
  "NextToken": "AAAAAUqcj6VO4E3ECWIrFczs****"
}

    Error codes

    HTTP status code

    Error code

    Error message

    Description
    400 IdempotentParameterMismatch The request uses the same client token as a previous, but non-identical request. Do not reuse a client token with different requests, unless the requests are identical.

    See Error Codes for a complete list.

    Release notes

    See Release Notes for a complete list.