Queries the details of an exception. An alert event consists of alerts and exceptions. Each alert event is associated with multiple exceptions.
Request parameters
Parameter | Type | Required | Example | Description |
---|---|---|---|---|
Action | String | Yes | DescribeSuspEventDetail | The operation that you want to perform. Set the value to DescribeSuspEventDetail. |
From | String | Yes | sas | The data source on which the exception is detected. Set the value to sas. |
SourceIp | String | No | 1.2.XX.XX | The source IP address of the request. |
Lang | String | No | zh | The natural language of the request and response. Valid values: |
SuspiciousEventId | Integer | No | 1 | The ID of the exception to query. Note: To query the details of an exception, you must provide the ID of the exception. You can call the DescribeSuspEvents operation to query the IDs of exceptions. |
Response parameters
Parameter | Type | Example | Description |
---|---|---|---|
CanBeDealOnLine | Boolean | true | Indicates whether the online processing of exceptions is supported. Valid values: |
DataSource | String | aegis_suspicious_*** | The data source on which the exception is detected. |
Details | Array of QuaraFile | | The details of the exception. |
NameDisplay | String | Source file download | The name of the exception. |
Type | String | html | The format in which the exception details are displayed. Valid values: |
Value | String | 2018-12-12 12:00:00 | The attribute information about the exception. For example, if the exception is associated with an alert that is triggered by an unusual logon, the information can include the time when the logon is initiated and the location from which the logon is initiated. If the exception is associated with an alert that is triggered by a webshell file, the information can include the path of the trojan file and the type of the trojan. |
EventDesc | String | This file may have been uploaded by an attacker who has intruded into your website. Check the validity of this file. | The description of the exception. |
EventName | String | WEBSHELL | The name of the exception. |
EventStatus | String | 1 | The status of the exception. Valid values: |
EventTypeDesc | String | Webshell - Webshell file | The type of the exception. |
Id | Integer | 1991 | The ID of the exception. |
InstanceName | String | ca_cpm_test1 | The name of the server on which the exception occurs. |
InternetIp | String | 1.1.XX.XX | The public IP address of the server on which the exception occurs. |
IntranetIp | String | 1.2.XX.XX | The private IP address of the server on which the exception occurs. |
LastTime | String | 2018-10-30 11:43:46 | The time when the exception was last detected. |
Level | String | serious | The risk level of the exception. Valid values: |
OperateErrorCode | String | quara.Succes | The handling result code of the exception. |
OperateMsg | String | success | The message that describes the handling result of the exception. |
RequestId | String | 1 | The ID of the request. |
SaleVersion | String | 1 | The edition in which the exception detection can be enabled. Valid values: |
Uuid | String | bffb12c3-590a-4db2-b538-*** | The UUID of the server on which the exception occurs. |
Examples
Sample requests
http(s)://[Endpoint]/?Action=DescribeSuspEventDetail
&From=sas
&<Common request parameters>
Sample success responses
XML format
<DescribeSuspEventDetailResponse>
    <EventDesc>This file may have been uploaded by an attacker who has intruded into your website. Check the validity of this file.</EventDesc>
    <EventTypeDesc>Webshell - Webshell file</EventTypeDesc>
    <RequestId>1</RequestId>
    <OperateErrorCode>quara.Succes</OperateErrorCode>
    <EventStatus>1</EventStatus>
    <EventName>WEBSHELL</EventName>
    <SaleVersion>1</SaleVersion>
    <IntranetIp>1.2.XX.XX</IntranetIp>
    <DataSource>aegis_suspicious_***</DataSource>
    <InstanceName>ca_cpm_test1</InstanceName>
    <CanBeDealOnLine>true</CanBeDealOnLine>
    <OperateMsg>success</OperateMsg>
    <Uuid>bffb12c3-590a-4db2-b538-***</Uuid>
    <Details>
        <Type>html</Type>
        <Value>2018-12-12 12:00:00</Value>
        <NameDisplay>Source file download</NameDisplay>
    </Details>
    <InternetIp>1.1.XX.XX</InternetIp>
    <Level>serious</Level>
    <Id>1991</Id>
    <LastTime> 2018-10-30 11:43:46 </LastTime>
</DescribeSuspEventDetailResponse>
JSON format
{
    "EventDesc": "This file may have been uploaded by an attacker who has intruded into your website. Check the validity of this file.",
    "EventTypeDesc": "Webshell - Webshell file",
    "RequestId": 1,
    "OperateErrorCode": "quara.Succes",
    "EventStatus": 1,
    "EventName": "WEBSHELL",
    "SaleVersion": 1,
    "IntranetIp": "1.2.XX.XX",
    "DataSource": "aegis_suspicious_***",
    "InstanceName": "ca_cpm_test1",
    "CanBeDealOnLine": true,
    "OperateMsg": "success",
    "Uuid": "bffb12c3-590a-4db2-b538-***",
    "Details": {
        "Type": "html",
        "Value": "2018-12-12 12:00:00",
        "NameDisplay": "Source file download"
    },
    "InternetIp": "1.1.XX.XX",
    "Level": "serious",
    "Id": 1991,
    "LastTime": "2018-10-30 11:43:46"
}
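The response table types Details as an array and EventStatus as a String, while the JSON sample shows a single Details object and the number 1, and a Details entry can declare Type html. The following Python code is an added example, not part of this API reference or of any SDK, that normalizes a response into a flat record for triage or log forwarding while tolerating both shapes. The function names and the record layout are assumptions made for illustration.

```python
import html
import re
from datetime import datetime

# Trimmed copy of this page's JSON sample (masked values kept as printed);
# LastTime carries the padding seen in the XML sample.
SAMPLE = {
    "EventName": "WEBSHELL", "EventStatus": 1, "Level": "serious", "Id": 1991,
    "InstanceName": "ca_cpm_test1", "Uuid": "bffb12c3-590a-4db2-b538-***",
    "LastTime": " 2018-10-30 11:43:46 ",
    "Details": {"Type": "html", "Value": "2018-12-12 12:00:00",
                "NameDisplay": "Source file download"},
}

_TAG = re.compile(r"<[^>]*>")

def normalize_details(details):
    """Return a list of detail dicts whether one object or an array was sent."""
    if details is None:
        return []
    return [details] if isinstance(details, dict) else list(details)

def detail_text(item):
    """Plain text for a detail; markup is dropped when Type is 'html'.
    The result is for logs and tickets and must still be escaped if it is
    ever rendered into an HTML page."""
    value = str(item.get("Value", ""))
    if str(item.get("Type", "")).lower() == "html":
        value = html.unescape(_TAG.sub("", value))
    return value.strip()

def to_triage_record(resp):
    """Flatten a DescribeSuspEventDetail response (hypothetical record layout)."""
    # No time zone is stated on the page, so the timestamp stays naive.
    last = datetime.strptime(str(resp["LastTime"]).strip(), "%Y-%m-%d %H:%M:%S")
    return {
        "id": int(resp["Id"]),
        "name": resp.get("EventName"),
        "level": resp.get("Level"),
        "status": str(resp.get("EventStatus")),  # String in the table, 1 in the sample
        "host": resp.get("InstanceName"),
        "uuid": resp.get("Uuid"),
        "last_seen": last.isoformat(),
        "details": {d.get("NameDisplay"): detail_text(d)
                    for d in normalize_details(resp.get("Details"))},
    }

if __name__ == "__main__":
    print(to_triage_record(SAMPLE))
```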
Error codes
For a list of error codes, visit the API Error Center.