DescribeAttackAnalysisData - Security Center - Alibaba Cloud Documentation Center

Queries the statistics of attack analysis.

Authorization information

The following table is the authorization information corresponding to the API, which can be found in the RAM permission policy statement.Action Used in the element to grant the RAM user or RAM role permission to call this API. The specific instructions are as follows:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the operation.
Condition keyword: refers to the condition keyword defined by the cloud product itself.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operate	access level	Resource type	conditional keyword	Association operation
yundun-sas:DescribeAttackAnalysisData	Read	SecurityCenter acs:yundun-sas::{#accountId}:	without	without

Request parameters

Parameter	Type	Required	Description	Example
Lang	string	No	The language of the content within the request and response. Default value: zh. Valid values: zh: Chinese en: English	zh
Type	string	Yes	The details of attack analysis. Valid values: TOTAL: number of attacks TREND: attack trend PIE_CHART: distribution of attacks by type SOURCE_TOP: top 5 attack sources CLIENT_TOP: top 5 attacked assets DETAILS: attack details NoteIf the Type parameter is set to DETAILS, you must specify the CurrentPage and PageSize parameters.	DETAILS
StartTime	long	Yes	The timestamp at which the attack starts. By default, the statistics of the previous seven days are queried. Unit: seconds. NoteThe start time that you specify must be within the previous 40 days.	1644027670
EndTime	long	Yes	The timestamp when the attack stops. Unit: seconds.	1649040221
Data	string	No	The condition that is used to filter attack events. NoteThe following list describes the valid values of crack_type: 3: brute-force attack on MySQL 4: FTP brute-force attack 5: SSH brute-force attack 6: RDP brute-force attack 9: brute-force attack on Microsoft SQL Server 101: intercepted attack on Java Struts 2 102: intercepted attack on Redis 103: communication with AntSword Webshell 104: communication with China Chopper Webshell 133: communication with XISE Webshell sqli: SQL injection codei: code execution xss: cross-site scripting (XSS) lfi: local file inclusion rfi: remote file inclusion webshell: trojan script upload: vulnerability upload path: directory traversal bypass: unauthorized access csrf: cross-site request forgery (CSRF) crlf: carriage return line feed (CRLF) other: others	{"crack_type":"9"}
Base64	string	No	Specifies whether to encode the value of the client_url field in the query results by using the Base64 algorithm. Valid values: true: yes false: no	true
CurrentPage	integer	No	The number of the page to return. Pages start from page 1. NoteIf the Type parameter is set to DETAILS, you must specify the CurrentPage parameter.	1
PageSize	integer	No	The number of entries to return on each page. NoteIf the Type parameter is set to DETAILS, you must specify the PageSize parameter.	10

Response parameters

Parameter	Type	Description	Example
	object	The returned data.
Data	string	The attack events. The value contains the following fields: client_url: the URL of the attack request. internetIp: the IP address of the asset. instanceName: the name of the asset. table_src: the source of data. uuid: the UUID of the asset. crack_method: the method of the attack request. crack_hour: the attack time. crack_src_ip: the IP address from which the attack is launched. instanceId: the ID of the asset. dst_port: the attacked port. client_ip: the attacked IP address. location: the region from which the attack is launched. aliuid: the ID of the Alibaba Cloud account. crack_cnt: the number of times that the attack is launched. crack_type: the type of the attack. Valid values: 113: improper authorization 112: redirection attack upload: vulnerability upload other: others webshell: trojan script 201: suspicious connection 9: brute-force attack on Microsoft SQL Server 5: SSH brute-force attack 6: RDP brute-force attack lfi: local file inclusion 7: code execution sqli: SQL injection 209: web attack 31: buffer overflow 3: brute-force attack on MySQL 30: clickjacking 4: FTP brute-force attack bypass: unauthorized access 33: format string deeplearning: others 32: integer overflow 203: brute-force attack 34: race condition rfi: remote file inclusion 0: SQL injection 212: mining behavior 213: reverse shell 211: worm 61: session timeout 20: directory traversal xss: XSS 22: unauthorized access 21: scan attack 24: file modification 26: file deletion 25: file reading 28: CRLF injection 27: logic error 29: template injection csrf: CSRF path: directory traversal crlf: CRLF 102: CSRF 103: server-side request forgery (SSRF) 101: XSS 11: file inclusion 10: file upload 12: vulnerability upload 15: unauthorized access 14: information leakage 17: XML entity injection 16: insecure configuration 19: Lightweight Directory Access Protocol (LDAP) injection 18: XPath injection codei: code execution	[{\"crack_hour\":1662480000000,\"crack_cnt\":471},{\"crack_hour\":1662483600000,\"crack_cnt\":461},{\"crack_hour\":1662487200000,\"crack_cnt\":445},{\"crack_hour\":1662490800000,\"crack_cnt\":471},{\"crack_hour\":1662494400000,\"crack_cnt\":534},{\"crack_hour\":1662498000000,\"crack_cnt\":652},{\"crack_hour\":1662501600000,\"crack_cnt\":706},{\"crack_hour\":1662505200000,\"crack_cnt\":613},{\"crack_hour\":1662508800000,\"crack_cnt\":578},{\"crack_hour\":1662512400000,\"crack_cnt\":577},{\"crack_hour\":1662516000000,\"crack_cnt\":616},{\"crack_hour\":1662519600000,\"crack_cnt\":597},{\"crack_hour\":1662523200000,\"crack_cnt\":575},{\"crack_hour\":1662526800000,\"crack_cnt\":507}]
PageSize	integer	The number of entries returned per page. Default value: 10.	10
RequestId	string	The ID of the request, which is used to locate and troubleshoot issues.	4C1AE3F3-18FA-4108-BBB9-AFA1A032756C
Total	integer	The total number of attack events returned.	1000
Page	integer	The page number of the returned page.	1

Example

Normal return example

JSONFormat

{
  "Data": "[{\\\"crack_hour\\\":1662480000000,\\\"crack_cnt\\\":471},{\\\"crack_hour\\\":1662483600000,\\\"crack_cnt\\\":461},{\\\"crack_hour\\\":1662487200000,\\\"crack_cnt\\\":445},{\\\"crack_hour\\\":1662490800000,\\\"crack_cnt\\\":471},{\\\"crack_hour\\\":1662494400000,\\\"crack_cnt\\\":534},{\\\"crack_hour\\\":1662498000000,\\\"crack_cnt\\\":652},{\\\"crack_hour\\\":1662501600000,\\\"crack_cnt\\\":706},{\\\"crack_hour\\\":1662505200000,\\\"crack_cnt\\\":613},{\\\"crack_hour\\\":1662508800000,\\\"crack_cnt\\\":578},{\\\"crack_hour\\\":1662512400000,\\\"crack_cnt\\\":577},{\\\"crack_hour\\\":1662516000000,\\\"crack_cnt\\\":616},{\\\"crack_hour\\\":1662519600000,\\\"crack_cnt\\\":597},{\\\"crack_hour\\\":1662523200000,\\\"crack_cnt\\\":575},{\\\"crack_hour\\\":1662526800000,\\\"crack_cnt\\\":507}]",
  "PageSize": 10,
  "RequestId": "4C1AE3F3-18FA-4108-BBB9-AFA1A032756C",
  "Total": 1000,
  "Page": 1
}

Error codes

Http code	Error code	Error message	Description
403	NoPermission	caller has no permission	You are not authorized to do this operation.
500	ServerError	ServerError	-

For a list of error codes, visit the API error center.