Queries aggregated alert events.
Operation Description
The alert aggregation feature of Security Center analyzes the paths of alerts and aggregates multiple alerts that are generated for intrusions launched from the same IP address or service, or against the same user.
You can call the DescribeAlarmEventList or DescribeSuspEvents operation to query alert events.
- If your Security Center runs the Enterprise or Ultimate edition and you turned on Alert Association on the Feature Settings page of the Security Center console, you can call the DescribeAlarmEventList operation to query alert events.
- If your Security Center runs the Enterprise or Ultimate edition but you turned off Alert Association on the Feature Settings page of the Security Center console, you can call the DescribeSuspEvents operation to query alert events.
- If your Security Center does not run the Enterprise or Ultimate edition, you can call the DescribeSuspEvents operation to query alert events.
Authorization information
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
SourceIp | string | No | The source IP address of the request. | 27.9.XX.XX |
Lang | string | No | The language of the content within the request and response. Default value: zh. Valid values: | zh |
Dealed | string | No | Specifies whether the alert event is handled. Valid values: | Y |
Id | long | No | The ID of the alert event. | 1 |
From | string | Yes | The ID of the request source. Set the value to sas, which indicates that the request is sent from Security Center. | sas |
Levels | string | No | The severity of the alert event. Separate multiple severities with commas (,). Valid values: | serious |
Remark | string | No | The name of the alert or the information about the asset. | database_server |
Uuids | string | No | The UUIDs of the assets. Separate multiple UUIDs with commas (,). | e8d8a2da-f9ce-4402-a1c6-0c4dc15b**** |
GroupId | string | No | The ID of the asset group to which the affected asset belongs. | 18732 |
AlarmEventName | string | No | The name of the alert event. Note: You can call the DescribeNsasSuspEventType operation to query the names of alert events. | Trojan |
AlarmEventType | string | No | The type of the alert event. Note: You can call the DescribeNsasSuspEventType operation to query the types of alert events. | Malicious Software |
CurrentPage | integer | Yes | The number of the page to return. Pages start from page 1. Default value: 1. | 1 |
PageSize | string | Yes | The number of entries to return on each page. Default value: 20. | 20 |
TacticId | string | No | The tactic ID of ATT&CK. | TA0001 |
OperateErrorCodeList | array | No | An array that consists of the handling result codes of alert events. | |
(array element) | string | No | The handling result code of one alert event. Set the value in the format Operation type.Operation result code (for example, kill_and_quara.Success as shown in the response example on this page). The following operation types are supported: The following handling result codes are supported: | ignore.Success |
UniqueInfo | string | No | The ID of the alert event. | 81c43b54073bbd922bcd887fddd8ba98 |
TimeStart | string | No | The start time when the alert event was last detected. | 2022-07-05 13:50:38 |
TimeEnd | string | No | The end time when the alert event was last detected. | 2022-07-06 13:50:38 |
SortColumn | string | No | The custom sorting field. Default value: operateTime. Valid values: Note: This parameter takes effect only if you set the Dealed parameter to Y. | operateTime |
SortType | string | No | The custom sorting order. Default value: desc. Valid values: Note: This parameter takes effect only if you set the Dealed parameter to Y. | desc |
OperateTimeStart | string | No | The time when the handling operation starts. | 2022-07-05 13:50:38 |
OperateTimeEnd | string | No | The time when the handling operation ends. | 2022-07-06 13:50:38 |
Response parameters
Example
Normal return example
```json
{
  "RequestId": "28267723-D857-4DD8-B295-013100000000",
  "PageInfo": {
    "CurrentPage": 1,
    "PageSize": 20,
    "TotalCount": 1,
    "Count": 1
  },
  "SuspEvents": [
    {
      "Dealed": true,
      "Stages": "[\\\"authority_maintenance\\\"]",
      "TacticItems": [
        {
          "TacticId": "TA0001",
          "TacticDisplayName": "Command and Control"
        }
      ],
      "InternetIp": "123.21.XX.XX",
      "SuspiciousEventCount": 1,
      "GmtModified": 1569235879000,
      "AlarmEventNameOriginal": "Trojan\n",
      "AlarmUniqueInfo": "8df914418f4211fbf756efe7a6f4****",
      "CanCancelFault": true,
      "SecurityEventIds": "270789",
      "CanBeDealOnLine": true,
      "Description": "The detection model finds that there is a Trojan horse program on your server. The Trojan horse program is a program specially used to invade the user's host. Generally, it will download and release another malicious program after being implanted into the system through disguise.",
      "InstanceName": "TestInstance",
      "SaleVersion": "1",
      "OperateErrorCode": "kill_and_quara.Success",
      "Solution": "A malicious program implanted by hacker after intrusion will occupy your bandwidth and attack other servers, and may affect you own service. The malicious process may also have self-deleting behavior or disguise as a system service to evade detection. ",
      "HasTraceInfo": true,
      "DataSource": "aegis_****",
      "OperateTime": 1631699497000,
      "InstanceId": "i-e****",
      "IntranetIp": "192.168.XX.XX",
      "EndTime": 1543740301000,
      "Uuid": "47900178-885d-4fa4-9d77-****",
      "StartTime": 1543740301000,
      "AlarmEventType": "Malicious Software",
      "AlarmEventName": "Trojan",
      "Level": "serious"
    }
  ]
}
```
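As an added example (not code from the Security Center documentation or its SDKs), the following Python assembles the request parameters described above, pages through results using PageInfo, and reduces each aggregated event in the normal return example to the fields a triage queue needs, flagging events that are unhandled or whose last handling action did not succeed. `send` is an assumed, hypothetical function that performs the signed API call and returns the parsed JSON; the embedded response is constructed from the sample above.

```python
import json
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List

# Constructed sample shaped like the normal return example above, trimmed to the fields used here.
SAMPLE_RESPONSE = json.loads("""{
  "PageInfo": {"CurrentPage": 1, "PageSize": 20, "TotalCount": 1, "Count": 1},
  "SuspEvents": [{
    "Dealed": true, "Level": "serious", "AlarmEventName": "Trojan", "AlarmEventType": "Malicious Software",
    "Uuid": "47900178-885d-4fa4-9d77-****", "InstanceName": "TestInstance",
    "TacticItems": [{"TacticId": "TA0001", "TacticDisplayName": "Command and Control"}],
    "OperateErrorCode": "kill_and_quara.Success", "OperateTime": 1631699497000}]}""")

def build_request(current_page: int, page_size: int = 20, dealed: str = "",
                  levels: List[str] = (), sort_column: str = "") -> Dict[str, str]:
    """Assemble the query parameters: From must be 'sas'; CurrentPage and PageSize are required."""
    params = {"From": "sas", "CurrentPage": str(current_page), "PageSize": str(page_size)}
    if dealed:
        params["Dealed"] = dealed
    if levels:
        params["Levels"] = ",".join(levels)  # multiple severities are comma-separated
    if sort_column and dealed == "Y":  # SortColumn only takes effect when Dealed is Y
        params["SortColumn"] = sort_column
    return params

def iter_events(send: Callable[[Dict[str, str]], dict], page_size: int = 20, **filters) -> Iterator[dict]:
    """Walk every page; `send` is a hypothetical signed-request function returning parsed JSON."""
    page = 1
    while True:
        resp = send(build_request(page, page_size, **filters))
        yield from resp.get("SuspEvents", [])
        info = resp["PageInfo"]
        if page * info["PageSize"] >= info["TotalCount"]:  # last page reached (or no results)
            return
        page += 1

def summarize(event: dict) -> dict:
    """Reduce one aggregated alert to triage fields; OperateTime is milliseconds since the epoch."""
    op_type, _, result = (event.get("OperateErrorCode") or "").partition(".")
    return {
        "uuid": event["Uuid"], "host": event.get("InstanceName"), "level": event["Level"],
        "name": event["AlarmEventName"], "type": event["AlarmEventType"],
        "tactics": [t["TacticId"] for t in event.get("TacticItems", [])],
        "handled": bool(event.get("Dealed")), "last_action": op_type, "action_result": result,
        "operate_time": datetime.fromtimestamp(event["OperateTime"] / 1000, tz=timezone.utc).isoformat(),
    }

def needs_attention(send: Callable[[Dict[str, str]], dict]) -> List[dict]:
    """Alerts that are unhandled, or whose last handling action did not report Success."""
    return [s for s in map(summarize, iter_events(send)) if not s["handled"] or s["action_result"] != "Success"]
```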
Error codes
HTTP code | Error code | Error message | Description |
---|---|---|---|
400 | NoPermission | no permission | - |
400 | UnknownError | UnknownError | - |
403 | NoPermission | caller has no permission | You are not authorized to do this operation. |
500 | ServerError | ServerError | - |
For a list of error codes, visit the API error center.
Change history
Change time | Summary of changes | Operate |
---|---|---|
2022-02-28 | The error codes of the API operation have changed. The input parameters of the API operation have changed. | |