All Products
Search
Document Center

Security Center:ListUnknownThreatDetectProcess

Last Updated:Apr 29, 2026

Retrieve the list of processes from unknown threat detections.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-sas:ListUnknownThreatDetectProcess

list

*All Resource

*

None None

Request syntax

GET  HTTP/1.1

Request parameters

Parameter

Type

Required

Description

Example

ProcessPath

string

No

The process path.

/bin/rm

Md5

string

No

The MD5 value of the file.

0552c44e243abdea1729d4507bce****

Sha256

string

No

The SHA-256 value of the file.

f204693a7d2ce99d6c4434e550d985ee1c7be7cb5dd9a76094369af0d2******

Uuid

string

No

The UUID of the server to query.

50d213b4-3a35-427a-b8a5-04b0c7e1****

CurrentPage

integer

No

The page number to return.

1

PageSize

integer

No

The number of entries to return per page.

20

Path

string

No

The file path.

/etc/test

FirstTimeStart

integer

No

The start of the time range for the first detection, in milliseconds.

1768891966344

FirstTimeEnd

integer

No

The end of the time range for the first detection, in milliseconds.

1768891966345

AnalyzeResult

string

No

The analysis result. Valid values:

  • black: abnormal process

  • white: normal process

white

Remark

string

No

The server name or IP address.

172.20.XX.XX

Response elements

Element

Type

Description

Example

object

The response data.

RequestId

string

The request ID.

20456DD5-5CBF-5015-9173-12CA4246B***

PageInfo

object

The pagination information.

TotalCount

integer

The total number of entries.

83

CurrentPage

integer

The current page number.

1

PageSize

integer

The number of entries to return on each page.

20

Count

string

The number of entries on the current page.

2

Data

array<object>

An array of process details.

object

The details of a process.

ProcessPath

string

The process path.

/usr/bin/tar

Sha256

string

The SHA-256 hash of the file.

3a6fed5fc11392b3ee9f81caf017b48640d7458766a8eb0382899a605b41****

Md5

string

The MD5 hash of the file.

5b394b54ca632fe51c4ab4a6dbaf****

FirstTime

integer

The timestamp of the first occurrence.

1694576692000

Remark

string

Remarks about the process.

safe process

ProcessId

string

The process ID.

2025031506350619216822625103151158982

AnalyzeResult

string

The analysis result. Valid values:

  • black: A malicious process.

  • white: A normal process.

  • abnormal: An abnormal process.

white

Examples

Success response

JSON format

{
  "RequestId": "20456DD5-5CBF-5015-9173-12CA4246B***",
  "PageInfo": {
    "TotalCount": 83,
    "CurrentPage": 1,
    "PageSize": 20,
    "Count": "2"
  },
  "Data": [
    {
      "ProcessPath": "/usr/bin/tar",
      "Sha256": "3a6fed5fc11392b3ee9f81caf017b48640d7458766a8eb0382899a605b41****",
      "Md5": "5b394b54ca632fe51c4ab4a6dbaf****",
      "FirstTime": 1694576692000,
      "Remark": "safe process",
      "ProcessId": "2025031506350619216822625103151158982",
      "AnalyzeResult": "white"
    }
  ]
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.