DescribeAlarmEventDetail - API Reference| Alibaba Cloud Documentation Center

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters


Parameter	Type	Required	Example	Description
Action	String	Yes	DescribeAlarmEventDetail	The operation that you want to perform. Set the value to DescribeAlarmEventDetail.
AlarmUniqueInfo	String	Yes	8df914418f4211fbf756efe7a6f4****	The ID of the alert event. Note To query the details of an alert event, you must specify the ID of the alert event. You can call the DescribeAlarmEventList operation to query the IDs of alert events.
From	String	Yes	sas	The ID of the request source. Set the value to sas.
SourceIp	String	No	1.2.3.4	The source IP address of the request.
Lang	String	No	zh	The natural language of the request and response. Valid values: zh: Chinese en: English

Response parameters


Parameter	Type	Example	Description
Data	Struct		The details of the alert event.
AlarmEventAliasName	String	Suspicious process behavior - Execution of suspicious commands in scheduled Linux tasks	The complete name of the alert event.
AlarmEventDesc	String	After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep the malicious programs running. The scheduled tasks include crontab and systemd.	The description of the alert event.
AlarmUniqueInfo	String	8df914418f4211fbf756efe70000****	The ID of the alert event.
CanBeDealOnLine	Boolean	false	Indicates whether the online processing of alert events online is supported, such as blocking an alert, adding an alert to the whitelist, and ignoring an alert. Valid values: true: Online processing is supported. false: Online processing is not supported.
CanCancelFault	Boolean	false	Indicates whether you can cancel marking this alert event as a false positive. Valid values: true: You can cancel marking this alert event as a false positive. false: You cannot cancel marking this alert event as a false positive.
CauseDetails	Array of CauseDetail		The cause of the alert event, which can be used to trace the alert.
Key	String	html	The format in the alert event details. Valid values: text html
Value	Array of Value		The value of the field that displays the information used to trace alerts.
Name	String	Solutions	The name of the field that displays the information used to trace alerts.
Type	String	html	The format of the field that displays the information used to trace alerts. Valid values: text html
Value	String	Check for the exploited pages of your web services and vulnerabilities in parameter configuration, and resolve these issues.	The value of the field that displays the information used to trace alerts.
ContainHwMode	Boolean	true	Indicates whether the Safeguard Mode For Major Activities mode is enabled for the server. Valid values: true: The mode is enabled. false: The mode is disabled.
DataSource	String	aegis_***	The source of data. Note This parameter is deprecated.
EndTime	Long	1542366542000	The end time of the alert event.
InstanceName	String	Test server	The name of the associated instance.
InternetIp	String	1.2.3.1	The public IP address of the associated instance.
IntranetIp	String	1.2.3.5	The private IP address of the associated instance.
Level	String	serious	The risk level of the alert event. Valid values: serious suspicious remind
Solution	String	Check the malicious URLs that are listed in the alert. Check the directory for malicious file downloads. Stop the malicious processes that are running. If you trust the processes, mark the alert as a false positive in the console, and submit a ticket to notify security engineers.	The solution to the alert event.
StartTime	Long	1542378601000	The timestamp when the alert event was detected.
Type	String	Suspicious network connection	The type of the alert event. Valid values: Suspicious Process Webshell Unusual Logon Suspicious Event Sensitive File Tampering Malicious Process Suspicious Network Connection Other Suspicious Account Application intrusion event Cloud threat detection Precision defense Application Whitelist Persistence Web Application Threat Detection Malicious scripts Threat intelligence Malicious Network Activity
Uuid	String	47900178-885d-4fa4-9d77-XXXXXXXXXXXX	The ID of the associated instance.
RequestId	String	5A1DDB3C-798C-4A84-BF6E-3DC700000000	The ID of the request.

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeAlarmEventDetail
&AlarmUniqueInfo=8df914418f4211fbf756efe7a6f4****
&From=sas
&<Common request parameters>

Sample success responses

XML format

<DescribeAlarmEventDetailResponse>
      <RequestId>5A1DDB3C-798C-4A84-BF6E-3DC700000000</RequestId>
      <Data>
            <CanCancelFault>false</CanCancelFault>
            <EndTime>1542366542000</EndTime>
            <ContainHwMode>true</ContainHwMode>
            <CauseDetails>
                  <Key>html</Key>
            </CauseDetails>
            <CauseDetails>
                  <Value>
                        <Type>html</Type>
                        <Value>Check for the exploited pages of your web services and vulnerabilities in parameter configuration, and resolve these issues. </Value>
                        <Name>Solutions</Name>
                  </Value>
            </CauseDetails>
            <StartTime>1542378601000</StartTime>
            <IntranetIp>1.2.3.5</IntranetIp>
            <DataSource>aegis_***</DataSource>
            <InstanceName>Test server</InstanceName>
            <Type>Suspicious network connection</Type>
            <CanBeDealOnLine>false</CanBeDealOnLine>
            <Uuid>47900178-885d-4fa4-9d77-XXXXXXXXXXXX</Uuid>
            <InternetIp>1.2.3.1</InternetIp>
            <AlarmEventDesc>After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep the malicious programs running. The scheduled tasks include crontab and systemd. </AlarmEventDesc>
            <AlarmUniqueInfo>8df914418f4211fbf756efe70000****</AlarmUniqueInfo>
            <Level>serious</Level>
            <AlarmEventAliasName>Suspicious process behavior - Execution of suspicious commands in scheduled Linux tasks</AlarmEventAliasName>
            <Solution>Check the malicious URLs that are listed in the alert. Check the directory for malicious file downloads. Stop the malicious processes that are running. If you trust the processes, mark the alert as a false positive in the console, and submit a ticket to notify security engineers. </Solution>
      </Data>
</DescribeAlarmEventDetailResponse>

JSON format

{
    "RequestId": "5A1DDB3C-798C-4A84-BF6E-3DC700000000",
    "Data": {
        "CanCancelFault": "false",
        "EndTime": "1542366542000",
        "ContainHwMode": "true",
        "CauseDetails": [{
            "Key": "html"
        }, {
            "Value": [{
                "Type": "html",
                "Value": "Check for the exploited pages of your web services and vulnerabilities in parameter configuration, and resolve these issues.",
                "Name": "Solutions"
            }]
        }],
        "StartTime": "1542378601000",
        "IntranetIp": "1.2.3.5",
        "DataSource": "aegis_***",
        "InstanceName": "Test server",
        "EventType": "Suspicious network connection",
        "CanBeDealOnLine": "false",
        "Uuid": "47900178-885d-4fa4-9d77-XXXXXXXXXXXX",
        "InternetIp": "1.2.3.1",
        "AlarmEventDesc": "After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep the malicious programs running. The scheduled tasks include crontab and systemd.",
        "AlarmUniqueInfo": "8df914418f4211fbf756efe70000****",
        "Level": "serious",
        "AlarmEventAliasName": "Suspicious process behavior - Execution of suspicious commands in scheduled Linux tasks",
        "Solution": "Check the malicious URLs that have been listed in the alert. Check the directory for malicious file downloads. Stop the malicious processes that are running. If you trust the processes, mark the alert as a false positive in the console, and submit a ticket to notify security engineers.
    }
}

Error codes

For a list of error codes, visit the API Error Center.