Handles alerts.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes HandleSecurityEvents

The operation that you want to perform. Set the value to HandleSecurityEvents.

SourceIp String No 1.2.XX.XX

The source IP address of the request.

OperationCode String No block_ip

The method to handle alerts. Valid values:

  • block_ip: blocks the source IP address.
  • advance_mark_mis_info: adds the alerts to the whitelist.
  • ignore: ignores the alerts.
  • manual_handled: marks the alerts as manually handled.
  • kill_process: terminates the malicious process.
  • cleanup: performs in-depth virus detection and removal.
  • kill_and_quara: terminates the malicious process and quarantines the source file.
  • disable_malicious_defense: stops the container on which the alerting files or processes exist.
  • client_problem_check: runs the diagnostic program of the Security Center agent, which collects information about the agent that is installed on your server and reports it to Security Center for analysis.
  • quara: quarantines the source file of the malicious process.

OperationParams String No null

The configuration for a sub-operation to handle alerts.

Note: If you set OperationCode to kill_and_quara or block_ip, you must specify OperationParams. If you set OperationCode to other values, you can leave OperationParams empty.

MarkMissParam String No {"field":"md5","operate":"contains","fieldValue":"aa"}

The rule condition based on which the alerts are added to the whitelist. For example, if you want to add a file whose MD5 hash value contains the string aa to the whitelist, set this parameter to {"field":"md5","operate":"contains","fieldValue":"aa"}.

MarkBatch String No true

Specifies whether to add multiple alerts to the whitelist.

  • true: yes
  • false: no

SecurityEventIds.N String No 909361

The IDs of alerts.

Response parameters

Parameter Type Example Description
RequestId String FF0020B9-999F-5DE2-985F-DB282BDA5311

The ID of the request, which is used to locate and troubleshoot issues.

HandleSecurityEventsResponse Object

The response of the processing result.

TaskId Long 15411

The ID of the task to handle alerts.

Examples

Sample requests

http(s)://[Endpoint]/?Action=HandleSecurityEvents
&SourceIp=1.2.XX.XX
&OperationCode=block_ip
&OperationParams={}
&MarkMissParam={"field":"md5","operate":"contains","fieldValue":"aa"}
&MarkBatch=true
&SecurityEventIds=["909361"]
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<RequestId>FF0020B9-999F-5DE2-985F-DB282BDA5311</RequestId>
<HandleSecurityEventsResponse>
    <TaskId>15411</TaskId>
</HandleSecurityEventsResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "FF0020B9-999F-5DE2-985F-DB282BDA5311",
  "HandleSecurityEventsResponse" : {
    "TaskId" : 15411
  }
}

Error codes

HTTP status code Error code Error message Description
400 NoPermission no permission The error message returned because you do not have access permissions.
400 SecurityEventNotExists Security event not exists. The error message returned because no security events exist.
500 ServerError ServerError The error message returned because a server error occurred.

For a list of error codes, visit the API Error Center.
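The following is an added example, not code from this reference or from the Security Center SDK. It assembles the operation-specific query parameters for HandleSecurityEvents from the parameter table above, enforces the two client-side checks the reference states (OperationParams is mandatory for kill_and_quara and block_ip; MarkMissParam must be a JSON object with the keys field, operate and fieldValue), and reads TaskId out of a success response. The common request parameters and the signature are deliberately left out, since the page delegates those to OpenAPI Explorer or an SDK. Two points are assumptions rather than page facts: the repeated parameter SecurityEventIds.N is expanded as SecurityEventIds.1, SecurityEventIds.2, ..., and error bodies are assumed to carry Code and Message fields next to RequestId.

```python
import json
from urllib.parse import urlencode

# OperationCode values listed in the HandleSecurityEvents parameter table.
OPERATION_CODES = {
    "block_ip", "advance_mark_mis_info", "ignore", "manual_handled",
    "kill_process", "cleanup", "kill_and_quara", "disable_malicious_defense",
    "client_problem_check", "quara",
}
# Codes for which the reference says OperationParams must be specified.
CODES_REQUIRING_PARAMS = {"kill_and_quara", "block_ip"}
# Descriptions from the reference's error-code table, keyed by error code.
ERROR_DESCRIPTIONS = {
    "NoPermission": "you do not have access permissions",
    "SecurityEventNotExists": "no security events exist",
    "ServerError": "a server error occurred",
}


def validate_mark_miss_param(raw):
    """Parse MarkMissParam and require exactly the three keys the reference shows.

    A nested or doubly quoted value (as seen in some garbled samples) is not
    valid JSON and is rejected here before it reaches the API.
    """
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"MarkMissParam is not valid JSON: {exc}") from None
    if not isinstance(obj, dict) or set(obj) != {"field", "operate", "fieldValue"}:
        raise ValueError('MarkMissParam must be a JSON object with exactly the keys '
                         '"field", "operate" and "fieldValue"')
    return obj


def build_handle_security_events_query(event_ids, operation_code, operation_params=None,
                                       mark_miss_param=None, mark_batch=None,
                                       source_ip=None):
    """Return the operation-specific query parameters as a dict.

    Common request parameters and the signature are not added; the reference
    leaves those to OpenAPI Explorer or an SDK. Assumption: SecurityEventIds.N
    is expanded as SecurityEventIds.1, SecurityEventIds.2, ...
    """
    if operation_code not in OPERATION_CODES:
        raise ValueError(f"unknown OperationCode: {operation_code!r}")
    if operation_code in CODES_REQUIRING_PARAMS and operation_params is None:
        raise ValueError(f"OperationParams is required when OperationCode is {operation_code}")
    if not event_ids:
        raise ValueError("at least one SecurityEventIds.N value is required")

    query = {"Action": "HandleSecurityEvents", "OperationCode": operation_code}
    if source_ip is not None:
        query["SourceIp"] = source_ip
    if operation_params is not None:
        query["OperationParams"] = operation_params
    if mark_miss_param is not None:
        validate_mark_miss_param(mark_miss_param)
        query["MarkMissParam"] = mark_miss_param
    if mark_batch is not None:
        query["MarkBatch"] = "true" if mark_batch else "false"
    for n, event_id in enumerate(event_ids, start=1):
        query[f"SecurityEventIds.{n}"] = str(event_id)
    return query


def parse_handle_security_events_response(status_code, body):
    """Return TaskId from a success body; raise a readable error otherwise.

    Assumption: error bodies carry "Code" and "Message" fields next to
    RequestId (the reference only shows the success shape).
    """
    data = json.loads(body)
    request_id = data.get("RequestId", "<none>")
    if status_code == 200:
        return data["HandleSecurityEventsResponse"]["TaskId"]
    code = data.get("Code", "<unknown>")
    detail = ERROR_DESCRIPTIONS.get(code, data.get("Message", "unrecognised error"))
    raise RuntimeError(f"HandleSecurityEvents failed (HTTP {status_code}, {code}, "
                       f"RequestId {request_id}): {detail}")


# Constructed sample body, copied from the JSON success example on this page.
SAMPLE_SUCCESS_BODY = json.dumps({
    "RequestId": "FF0020B9-999F-5DE2-985F-DB282BDA5311",
    "HandleSecurityEventsResponse": {"TaskId": 15411},
})

if __name__ == "__main__":
    params = build_handle_security_events_query(
        ["909361"], "block_ip", operation_params="{}",
        mark_miss_param='{"field":"md5","operate":"contains","fieldValue":"aa"}',
        mark_batch=True, source_ip="1.2.XX.XX",
    )
    print(urlencode(params))
    print("TaskId:", parse_handle_security_events_response(200, SAMPLE_SUCCESS_BODY))
```

Running the module prints the URL-encoded query that corresponds to the sample request above (minus the common parameters) and the TaskId 15411 from the sample response; passing the nested MarkMissParam string or omitting OperationParams for block_ip raises a ValueError before any request is sent.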