
Security Center:DescribeAlarmEventList

Last Updated:Jan 28, 2023

Queries aggregated alert events.

Operation Description

The alert aggregation feature of Security Center analyzes the paths of alerts and aggregates multiple alerts that are generated for intrusions launched from the same IP address or service, or against the same user, into a single alert event.

You can call the DescribeAlarmEventList or DescribeSuspEvents operation to query alert events.

  • If your Security Center runs the Enterprise or Ultimate edition and you turned on Alert Association on the Feature Settings page of the Security Center console, you can call the DescribeAlarmEventList operation to query alert events.
  • If your Security Center runs the Enterprise or Ultimate edition but you turned off Alert Association on the Feature Settings page of the Security Center console, you can call the DescribeSuspEvents operation to query alert events.
  • If your Security Center does not run the Enterprise or Ultimate edition, you can call the DescribeSuspEvents operation to query alert events.

Authorization information

There is currently no authorization information disclosed in the API.

Request parameters

Each parameter is listed with its type, whether it is required, its description, and an example value.

SourceIp (string, optional)
    The source IP address of the request.
    Example: 27.9.XX.XX

Lang (string, optional)
    The language of the content within the request and response. Default value: zh. Valid values:
      • zh: Chinese
      • en: English
    Example: zh

Dealed (string, optional)
    Specifies whether the alert event is handled. Valid values:
      • N: unhandled
      • Y: handled
    Example: Y

Id (long, optional)
    The ID of the alert event.
    Example: 1

From (string, required)
    The ID of the request source. Set the value to sas, which indicates that the request is sent from Security Center.
    Example: sas

Levels (string, optional)
    The severity of the alert event. Separate multiple severities with commas (,). Valid values:
      • serious
      • suspicious
      • remind
    Example: serious

Remark (string, optional)
    The name of the alert or the information about the asset.
    Example: database_server

Uuids (string, optional)
    The UUIDs of the assets. Separate multiple UUIDs with commas (,).
    Example: e8d8a2da-f9ce-4402-a1c6-0c4dc15b****

GroupId (string, optional)
    The ID of the asset group to which the affected asset belongs.
    Example: 18732

AlarmEventName (string, optional)
    The name of the alert event.
    Note: You can call the DescribeNsasSuspEventType operation to query the names of alert events.
    Example: Trojan

AlarmEventType (string, optional)
    The type of the alert event.
    Note: You can call the DescribeNsasSuspEventType operation to query the types of alert events.
    Example: Malicious Software

CurrentPage (integer, required)
    The number of the page to return. Pages start from page 1. Default value: 1.
    Example: 1

PageSize (string, required)
    The number of entries to return on each page. Default value: 20.
    Example: 20

TacticId (string, optional)
    The tactic ID of ATT&CK.
    Example: TA0001

OperateErrorCodeList (array, optional)
    An array that consists of the handling result codes of alert events. Each element is a string (optional) that holds the handling result code of one alert event. Set the value in the following format: Operation type.Operation result code. The following operation types are supported:
      • Common: performs common operations.
      • deal: handles the alert event.
      • ignore: ignores the alert event.
      • offline_handled: marks the alert as handled.
      • mark_mis_info: adds the alert event to the whitelist.
      • rm_mark_mis_info: cancels adding the alert event to the whitelist.
      • quara: quarantines the source file of the malicious process.
      • kill_and_quara: terminates the malicious process and quarantines the source file.
      • kill_virus: deletes the source file of the malicious process.
      • block_ip: blocks the source IP address.
      • manual_handled: marks the alert event as manually handled.
      • advance_mark_mis_info: adds the alert event to the whitelist that is configured for precise defense.
      • advance_mark_mis_info.System: automatically adds the alert event to the whitelist that is configured for precise defense.
      • advance_mark_mis_info.User: manually adds the alert event to the whitelist that is configured for precise defense.
    The following handling result codes are supported:
      • Success: The operation is successful.
      • Failure: The operation fails.
      • AgentOffline: The agent is offline.
    Example: ignore.Success

UniqueInfo (string, optional)
    The ID of the alert event.
    Example: 81c43b54073bbd922bcd887fddd8ba98

TimeStart (string, optional)
    The beginning of the time range in which the alert event was last detected.
    Example: 2022-07-05 13:50:38

TimeEnd (string, optional)
    The end of the time range in which the alert event was last detected.
    Example: 2022-07-06 13:50:38

SortColumn (string, optional)
    The custom sorting field. Default value: operateTime. Valid values:
      • lastTime: the latest occurrence time
      • operateTime: the handling time
    Note: This parameter takes effect if you set the Dealed parameter to Y.
    Example: operateTime

SortType (string, optional)
    The custom sorting order. Default value: desc. Valid values:
      • asc: the ascending order
      • desc: the descending order
    Note: This parameter takes effect if you set the Dealed parameter to Y.
    Example: desc

OperateTimeStart (string, optional)
    The beginning of the time range in which the handling operation was performed.
    Example: 2022-07-05 13:50:38

OperateTimeEnd (string, optional)
    The end of the time range in which the handling operation was performed.
    Example: 2022-07-06 13:50:38

Response parameters

Each parameter is listed with its type, its description, and an example value. Fields of a nested object are indented under it.

(object)
    The data returned.

RequestId (string)
    The ID of the request, which is used to locate and troubleshoot issues.
    Example: 28267723-D857-4DD8-B295-013100000000

PageInfo (object)
    The pagination information.

    CurrentPage (integer)
        The page number of the returned page.
        Example: 1

    PageSize (integer)
        The number of entries returned per page. Default value: 20.
        Example: 20

    TotalCount (integer)
        The total number of entries returned.
        Example: 1

    Count (integer)
        The number of entries returned on the current page.
        Example: 1

SuspEvents (array)
    An array that consists of the alert events. Each element is an object with the following fields.

    Dealed (boolean)
        Indicates whether the alert event is handled. Valid values:
          • true: yes
          • false: no
        Example: false

    Stages (string)
        The stage at which the attack or intrusion is detected.
        Example: [\"authority_maintenance\"]

    TacticItems (array)
        An array that consists of the stage information about ATT&CK. Each element is an object with the following fields.

        TacticId (string)
            The tactic ID of ATT&CK.
            Example: TA0001

        TacticDisplayName (string)
            The tactic name of ATT&CK.
            Example: Command and Control

    InternetIp (string)
        The public IP address of the affected asset.
        Example: 123.21.XX.XX

    SuspiciousEventCount (integer)
        The number of associated exceptions.
        Example: 1

    GmtModified (long)
        The timestamp when the alert event was last modified. Unit: milliseconds.
        Example: 1569235879000

    AlarmEventNameOriginal (string)
        The original parent name of the alert event.
        Example: Trojan

    AlarmUniqueInfo (string)
        The ID of the alert event.
        Example: 8df914418f4211fbf756efe7a6f4****

    CanCancelFault (boolean)
        Indicates whether you can cancel marking the alert event as a false positive. Valid values:
          • true: yes
          • false: no
        Example: false

    SecurityEventIds (string)
        The IDs of the associated exceptions.
        Example: 270789

    CanBeDealOnLine (boolean)
        Indicates whether the alert event can be handled online, for example by quarantining the source file of the malicious process, adding the alert event to the whitelist, or ignoring the alert event. Valid values:
          • true: yes
          • false: no
        Example: true

    Description (string)
        The description of the alert event.
        Example: The detection model finds that there is a Trojan horse program on your server. A Trojan horse program is specially designed to invade the user's host. Generally, after it is implanted into the system through disguise, it downloads and releases another malicious program.

    InstanceName (string)
        The name of the affected asset.
        Example: TestInstance

    SaleVersion (string)
        The edition of Security Center in which the alert event can be detected. Valid values:
          • 0: Basic edition
          • 1: Advanced edition
          • 2: Enterprise edition
        Example: 1

    OperateErrorCode (string)
        The handling result code of the alert event.
        Example: kill_and_quara.Success

    Solution (string)
        The solution to the alert event.
        Example: A malicious program implanted by a hacker after an intrusion will occupy your bandwidth and attack other servers, and may affect your own service. The malicious process may also delete itself or disguise itself as a system service to evade detection.

    HasTraceInfo (boolean)
        Indicates whether the alert event has tracing information. Valid values:
          • true: yes
          • false: no
        Example: true

    DataSource (string)
        The data source of the alert event.
        Example: aegis_****

    OperateTime (long)
        The timestamp when the alert event was handled. Unit: milliseconds.
        Example: 1631699497000

    InstanceId (string)
        The ID of the affected asset.
        Example: i-e****

    IntranetIp (string)
        The private IP address of the affected asset.
        Example: 192.168.XX.XX

    EndTime (long)
        The timestamp when the alert event was last detected. Unit: milliseconds.
        Example: 1543740301000

    Uuid (string)
        The ID of the associated instance.
        Example: 47900178-885d-4fa4-9d77-****

    StartTime (long)
        The timestamp when the alert event starts. Unit: milliseconds.
        Example: 1543740301000

    AlarmEventType (string)
        The type of the alert event.
        Example: Malicious Software

    AlarmEventName (string)
        The name of the alert event.
        Example: Trojan

    Level (string)
        The risk level of the alert event. Valid values:
          • serious
          • suspicious
          • remind
        Example: serious

Example

Normal return example

JSON format

{
  "RequestId": "28267723-D857-4DD8-B295-013100000000",
  "PageInfo": {
    "CurrentPage": 1,
    "PageSize": 20,
    "TotalCount": 1,
    "Count": 1
  },
  "SuspEvents": [
    {
      "Dealed": true,
      "Stages": "[\\\"authority_maintenance\\\"]",
      "TacticItems": [
        {
          "TacticId": "TA0001",
          "TacticDisplayName": "Command and Control"
        }
      ],
      "InternetIp": "123.21.XX.XX",
      "SuspiciousEventCount": 1,
      "GmtModified": 1569235879000,
      "AlarmEventNameOriginal": "Trojan\n",
      "AlarmUniqueInfo": "8df914418f4211fbf756efe7a6f4****",
      "CanCancelFault": true,
      "SecurityEventIds": "270789",
      "CanBeDealOnLine": true,
      "Description": "The detection model finds that there is a Trojan horse program on your server. The Trojan horse program is a program specially used to invade the user's host. Generally, it will download and release another malicious program after being implanted into the system through disguise.",
      "InstanceName": "TestInstance",
      "SaleVersion": "1",
      "OperateErrorCode": "kill_and_quara.Success",
      "Solution": "A malicious program implanted by hacker after intrusion will occupy your bandwidth and attack other servers, and may affect you own service. The malicious process may also have self-deleting behavior or disguise as a system service to evade detection. ",
      "HasTraceInfo": true,
      "DataSource": "aegis_****",
      "OperateTime": 1631699497000,
      "InstanceId": "i-e****",
      "IntranetIp": "192.168.XX.XX",
      "EndTime": 1543740301000,
      "Uuid": "47900178-885d-4fa4-9d77-****",
      "StartTime": 1543740301000,
      "AlarmEventType": "Malicious Software",
      "AlarmEventName": "Trojan",
      "Level": "serious"
    }
  ]
}
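The following Python helpers are an added example, not code from the page or from the Alibaba Cloud SDK. They show how a caller builds OperateErrorCodeList entries in the Operation type.Operation result code format, pages through SuspEvents with CurrentPage and PageInfo.TotalCount, and normalises each event (decoding the Stages string, splitting OperateErrorCode, and converting the millisecond EndTime). The fetch_page callable and SAMPLE_RESPONSE, built from the response example above, are assumptions that stand in for the live request.

```python
import json
from datetime import datetime, timezone

# Operation types and result codes listed for OperateErrorCodeList on this page.
OPERATION_TYPES = {"Common", "deal", "ignore", "offline_handled", "mark_mis_info", "rm_mark_mis_info",
                   "quara", "kill_and_quara", "kill_virus", "block_ip", "manual_handled",
                   "advance_mark_mis_info", "advance_mark_mis_info.System", "advance_mark_mis_info.User"}
RESULT_CODES = {"Success", "Failure", "AgentOffline"}
# Constructed from the response example on this page; stands in for a live call.
SAMPLE_RESPONSE = {
    "PageInfo": {"CurrentPage": 1, "PageSize": 20, "TotalCount": 1, "Count": 1},
    "SuspEvents": [{"Dealed": True, "Level": "serious", "AlarmEventName": "Trojan",
                    "InstanceId": "i-e****", "OperateErrorCode": "kill_and_quara.Success",
                    "Stages": "[\\\"authority_maintenance\\\"]",  # escaped as in the example
                    "TacticItems": [{"TacticId": "TA0001", "TacticDisplayName": "Command and Control"}],
                    "EndTime": 1543740301000}]}  # Unit: milliseconds

def operate_error_code(operation, result):
    """Build one OperateErrorCodeList entry: 'Operation type.Operation result code'."""
    if operation not in OPERATION_TYPES or result not in RESULT_CODES:
        raise ValueError(f"unsupported handling code {operation}.{result}")
    return f"{operation}.{result}"

def decode_stages(raw):
    """Stages is a JSON array in a string; the example shows its quotes escaped, so retry unescaped."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return json.loads(raw.replace('\\"', '"'))

def normalise_event(ev):
    """Flatten one SuspEvents entry into the fields a triage script needs."""
    operation, _, result = (ev.get("OperateErrorCode") or "").partition(".")
    return {"instance": ev.get("InstanceId"), "name": ev.get("AlarmEventName"),
            "level": ev.get("Level"), "dealed": bool(ev.get("Dealed")),
            "stages": decode_stages(ev.get("Stages") or "[]"),
            "tactics": [t["TacticId"] for t in ev.get("TacticItems", [])],
            "operation": operation, "result": result,
            "last_seen": datetime.fromtimestamp(ev["EndTime"] / 1000, tz=timezone.utc) if ev.get("EndTime") else None}

def iter_alert_events(fetch_page, page_size=20):
    """Walk every page; fetch_page(current_page, page_size) is assumed to send the request (From=sas)."""
    page = 1
    while True:
        body = fetch_page(page, page_size)
        events = body.get("SuspEvents") or []
        yield from (normalise_event(ev) for ev in events)
        if not events or page * page_size >= body["PageInfo"]["TotalCount"]:  # last or empty page
            return
        page += 1
```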

Error codes

HTTP code   Error code     Error message               Description
400         NoPermission   no permission               -
400         UnknownError   UnknownError                -
403         NoPermission   caller has no permission    You are not authorized to do this operation.
500         ServerError    ServerError                 -

For a list of error codes, visit the API error center.

Change history

Change time   Summary of changes
2022-02-28    The error codes of the API operation have changed. The input parameters of the API operation have changed.
    Error codes: deleted error codes 400 and 500.
    Input parameters: added input parameter UniqueInfo.