Security Center:ListUnknownThreatDetectEvent

Last Updated: Jun 15, 2026

Queries the list of intelligent behavior analytics alerting events.

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
|---|---|---|---|---|
| yundun-sas:ListUnknownThreatDetectEvent | list | *All Resource (*) | None | None |

Request syntax

GET  HTTP/1.1

Request parameters

| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| CurrentPage | integer | No | The page number of the current page in a paged query. This parameter is used for paging. | 1 |
| PageSize | integer | No | The maximum number of entries to return on each page in a paged query. This parameter is used for paging. | 10 |
| Remark | string | No | The filter condition. You can filter by instance name or IP address. | 10.167.XX.XX |
| HashKey | string | No | The unique identifier of the file. | 0a212417e65c26ff133cfff28f6c**** |
| ProcessPath | string | No | The process path. | /test |
| ParentProcessPath | string | No | The parent process path. | /bin/bash |
| Uuid | string | No | The UUID of the server to query. | 18b7336e-d469-473b-af83-8e5420f9**** |
| Status | integer | No | The event status. Valid values: 1: Unhandled. 2: Blocked. 3: Ignored. | 1 |
| Lang | string | No | | |
| AnalyzeResult | string | No | | |

Response elements

| Element | Type | Description | Example |
|---|---|---|---|
| | object | Schema of Response | |
| RequestId | string | Id of the request | 7532B7EE-7CE7-5F4D-BF04-B12447****** |
| PageInfo | object | The pagination information. | |
| TotalCount | integer | The total number of entries. | 149 |
| CurrentPage | integer | The page number of the current page in a paged query. This parameter is used for paging. | 1 |
| PageSize | integer | The maximum number of entries displayed on each page in a paged query. This parameter is used for paging. | 20 |
| Count | integer | The number of alerting events displayed on the current page in a paged query. This parameter is used for paging. | 2 |
| Data | array<object> | The returned data details. | |
| | object | The returned data. | |
| Uuid | string | The UUID of the asset instance. | 6690a46c-0edb-4663-a641-3629d1a9**** |
| ProcessPath | string | The process path. | /usr/bin/tar |
| ParentProcessPath | string | The parent process path. | /usr/bin/tar |
| HashKey | string | The unique identifier of the file. | 30368144069e7567bbb10eabc2****** |
| CmdChain | string | The process chain. | [{"5133":"pickup -l -t unix -u"},{"1077":"/usr/libexec/postfix/master -w"},{"1":"/usr/lib/systemd/systemd --switched-root --system --deserialize 22"}] |
| Count | integer | The number of occurrences. | 5 |
| Status | integer | The event status. Valid values: 1: Unhandled. 2: Blocked. 3: Ignored. | 1 |
| Cmdline | string | The process command line. | /usr/sbin/sshd -D |
| ParentCmdline | string | The parent command line. | /usr/sbin/sshd -D |
| Md5 | string | The MD5 hash of the file. | 5b394b54ca632fe51c4ab4a6dbaf**** |
| Sha256 | string | The SHA-256 hash of the file. | 3a6fed5fc11392b3ee9f81caf017b48640d7458766a8eb0382899a605b41**** |
| Pid | string | The process ID. | 11 |
| ParentPid | string | The parent process ID. | 12 |
| InstanceName | string | The instance name. | centos**** |
| InternetIp | string | The public IP address. | 172.16.XX.XX |
| IntranetIp | string | The private IP address. | 10.42.XX.XX |
| FirstTime | integer | The timestamp of the first occurrence. | 1694576692000 |
| LastTime | integer | The timestamp of the most recent occurrence. | 1694576692000 |
| Id | string | The event ID. | 1 |
| AnalyzeResult | string | | |
| AnalyzeDesc | string | | |
| HandleType | string | | |

Examples

Success response

JSON format

{
  "RequestId": "7532B7EE-7CE7-5F4D-BF04-B12447******",
  "PageInfo": {
    "TotalCount": 149,
    "CurrentPage": 1,
    "PageSize": 20,
    "Count": 2
  },
  "Data": [
    {
      "Uuid": "6690a46c-0edb-4663-a641-3629d1a9****",
      "ProcessPath": "/usr/bin/tar",
      "ParentProcessPath": "/usr/bin/tar\n",
      "HashKey": "30368144069e7567bbb10eabc2******",
      "CmdChain": "[{\"5133\":\"pickup -l -t unix -u\"},{\"1077\":\"/usr/libexec/postfix/master -w\"},{\"1\":\"/usr/lib/systemd/systemd --switched-root --system --deserialize 22\"}]",
      "Count": 5,
      "Status": 1,
      "Cmdline": "/usr/sbin/sshd -D",
      "ParentCmdline": "/usr/sbin/sshd -D",
      "Md5": "5b394b54ca632fe51c4ab4a6dbaf****",
      "Sha256": "3a6fed5fc11392b3ee9f81caf017b48640d7458766a8eb0382899a605b41****",
      "Pid": "11",
      "ParentPid": "12",
      "InstanceName": "centos****",
      "InternetIp": "172.16.XX.XX",
      "IntranetIp": "10.42.XX.XX",
      "FirstTime": 1694576692000,
      "LastTime": 1694576692000,
      "Id": "1"
    }
  ]
}
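
The following Python sketch is an added example, not code from this page or from the Security Center SDK. It shows how a consumer of this response can decode CmdChain (a JSON string nested inside the JSON body), map Status to its documented label, and work out how many pages remain. The function names and the constructed sample are assumptions, as is reading FirstTime as milliseconds, which is inferred from the 13-digit example value.

```python
import json
from datetime import datetime, timezone

STATUS = {1: "Unhandled", 2: "Blocked", 3: "Ignored"}  # Status values listed on this page

# Constructed sample shaped like the success response above (masked values kept as-is).
SAMPLE = json.dumps({
    "RequestId": "7532B7EE-7CE7-5F4D-BF04-B12447******",
    "PageInfo": {"TotalCount": 149, "CurrentPage": 1, "PageSize": 20, "Count": 2},
    "Data": [{
        "Uuid": "6690a46c-0edb-4663-a641-3629d1a9****",
        "CmdChain": json.dumps([
            {"5133": "pickup -l -t unix -u"},
            {"1077": "/usr/libexec/postfix/master -w"},
            {"1": "/usr/lib/systemd/systemd --switched-root --system --deserialize 22"},
        ]),
        "Status": 1,
        "FirstTime": 1694576692000,
        "Id": "1",
    }],
})

def parse_cmd_chain(raw):
    """Decode CmdChain a second time into [(pid, cmdline), ...] in the order given."""
    try:
        return [(int(pid), cmd) for entry in json.loads(raw or "[]")
                for pid, cmd in entry.items()]
    except (TypeError, ValueError, AttributeError):
        return []  # malformed chain: keep the event, drop the chain

def ms_to_utc(ms):
    """Assumption: timestamps are Unix epoch milliseconds."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def triage(body):
    """Return (total_pages, events) for one page of the response."""
    resp = json.loads(body)
    page = resp["PageInfo"]
    total_pages = -(-page["TotalCount"] // page["PageSize"])  # ceiling division
    events = [{
        "id": ev["Id"],
        "uuid": ev.get("Uuid"),
        "status": STATUS.get(ev.get("Status"), "Unknown"),
        "first_seen": ms_to_utc(ev["FirstTime"]),
        "chain": parse_cmd_chain(ev.get("CmdChain")),
    } for ev in resp.get("Data", [])]
    return total_pages, events

if __name__ == "__main__":
    print(triage(SAMPLE))
```

In the sample, the chain entries run from the reported process up to PID 1, so the last tuple is the root of the process tree.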

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.