ExportSuspEvents - Security Center - Alibaba Cloud Documentation Center

Exports the information about exceptions to a file.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
yundun-sas:ExportSuspEvents	Read	All Resources *	none	none

Request parameters

Parameter	Type	Required	Description	Example
SourceIp	string	No	The source IP address of the request. The value of this parameter is specified by the system.	127.0.XX.XX
Dealed	string	No	The status of the alert event. Valid values: N: unhandled Y: handled	Y
TimeStart	string	No	The beginning of the time range during which the exception is detected.	2022-10-01 00:00:00
TimeEnd	string	No	The end of the time range during which the exception is detected.	2022-12-05 00:00:00
Name	string	No	The complete name of the exception.	WEBSHELL
Levels	string	No	The severity of the alert event. Separate multiple severities with commas (,). Valid values: serious suspicious remind	serious,suspicious,remind
ParentEventTypes	string	No	The alert type of the alert event. Valid values: Suspicious process Webshell Unusual logon Exception Sensitive file tampering Malicious process (cloud threat detection) Suspicious network connection Suspicious account Application intrusion event Cloud threat detection Precise defense Application whitelist Persistent webshell Web application threat detection Malicious script Threat intelligence Malicious network activity Cluster exception Webshell (on-premises threat detection) Vulnerability exploitation Malicious process (on-premises threat detection) Trusted exception Others	WEBSHELL
Remark	string	No	The remarks.	remark
Status	string	No	The handling status of the exception. Valid values: 0: all status 1: pending handling 2: ignored 4: confirmed 8: marked as false positive 16: handling 32: handled 64: expired 128: deleted	0
Lang	string	No	The language of the content within the request and response. Default value: zh. Valid values: zh: Chinese en: English	zh
From	string	No	The data source of the exception. Set the value to sas.	sas
ClusterId	string	No	The ID of the cluster that you want to query. Note You can call the DescribeGroupedContainerInstances operation to query the IDs of clusters.	c4af4fdf38a98496a9b63c2be5dae****
ContainerFieldName	string	No	The key of the condition that is used to query alert events on containers. Valid values: instanceId: the ID of the asset appName: the name of the application clusterId: the ID of the cluster regionId: the ID of the region nodeName: the name of the node namespace: the namespace clusterName: the name of the cluster image: the name of the image imageRepoName: the name of the image repository imageRepoNamespace: the namespace to which the image repository belongs imageRepoTag: the tag that is added to the image imageDigest: the digest of the image	clusterId
ContainerFieldValue	string	No	The value of the condition that is used to query alert events on containers.	c819391d2d520485fa3e81e2dc2ea****
TargetType	string	No	The dimension from which you want to configure the feature. Valid values: uuid: the UUID of the asset image_repo: the ID of the image repository Cluster: the ID of the cluster	uuid
PageSize	string	No	The number of entries to return on each page. Default value: 20.	20
CurrentPage	string	No	The number of the page to return.	1
AssetsTypeList	array	No	The types of assets.
	string	No	The types of assets.	ECS
Uuid	string	No	The unique ID of the associated instance.	18b7336e-d469-473b-af83-8e5420f9****
UniqueInfo	string	No	The unique key of the alert event.	1fbe8d16727f61d1478a674d6fa0****
Id	long	No	The unique ID of the alert event.	17821
OperateErrorCodeList	array	No	The status codes of alert events.
	string	No	The status code of the alert event. Format: Operation type.Status code of the operation. The following operation types are supported: Common: performs common operations. deal: handles the alert event. ignore: ignores the alert event. offline_handled: marks the alert as handled. mark_mis_info: marks the alert as a false positive by adding it to the whitelist. rm_mark_mis_info: cancels a false positive by removing the alert from the whitelist. quara: quarantines the source file of the malicious process. kill_and_quara: terminates the malicious process and quarantines the source file. kill_virus: deletes the source file of the malicious process. block_ip: blocks the source IP address. manual_handled: manually handles the alert event. advance_mark_mis_info: adds the alert event to the whitelist that is configured for precise defense. advance_mark_mis_info.System: automatically adds the alert event to the whitelist that is configured for precise defense. advance_mark_mis_info.User: manually adds the alert event to the whitelist that is configured for precise defense. The following status codes are supported: Success: The operation is successful. Failure: The operation fails. AgentOffline: The agent is offline.	ignore. Success
GroupId	long	No	The ID of the new server group to which the servers belong. Note You can call the DescribeAllGroups operation to query the IDs of server groups.	8076980

Response parameters

Parameter	Type	Description	Example
	object
RequestId	string	The ID of the request.	EF145C20-6A19-529A-8BDD-0671DXXXXXX
FileName	string	The name of the exported file.	suspicious_event_20221209
Id	integer	The ID of the export record of the anomalous event.	1

Examples

Sample success responses

JSONformat

{
  "RequestId": "EF145C20-6A19-529A-8BDD-0671DXXXXXX",
  "FileName": "suspicious_event_20221209",
  "Id": 1
}

Error codes

HTTP status code	Error code	Error message	Description
400	IllegalParam	Illegal param	-
403	NoPermission	caller has no permission	You are not authorized to do this operation.
500	ServerError	ServerError	-

For a list of error codes, visit the Service error codes.

Change history

Change time

Summary of changes

Operation

2023-12-06

The Error code has changed. The request parameters of the API has changed

see changesets

Change item	Change content
Error Codes	The Error code has changed.
	delete Error Codes: 400
Input Parameters	The request parameters of the API has changed.
	Added Input Parameters: GroupId

2023-10-11

The Error code has changed. The request parameters of the API has changed

see changesets

Change item	Change content
Error Codes	The Error code has changed.
	delete Error Codes: 400
Input Parameters	The request parameters of the API has changed.
	Added Input Parameters: UniqueInfo
	Added Input Parameters: Id
	Added Input Parameters: OperateErrorCodeList

2023-10-11

The Error code has changed. The request parameters of the API has changed

see changesets

Change item	Change content
Error Codes	The Error code has changed.
	delete Error Codes: 400
Input Parameters	The request parameters of the API has changed.
	Added Input Parameters: Uuid