The CloudSIEM component primarily provides alert processing and member account management features.
Feature description
Action | Description | Scenarios |
Creates an alert. | Writes alert data to the user alert channel, used with playbook-based detection. | |
Queries alerts based on the event ID. | Retrieves the alert list for an event. | |
Queries member account information. | Retrieves the member accounts that are managed by the management account or the delegated administrator account in multi-account management scenarios. | |
Configuration example
This topic provides parameter configuration examples for each action in the CloudSIEM component, which you can import as test playbooks. In the visual flow editor, you can view and test the configuration parameters of each action, which makes the component's logic and usage easier to understand. For the procedure, see Playbook import.
Save the example data as a JSON file before you import it.
createAlert
Writes alert data to the user alert channel.
Parameter description
Parameter | Description |
start_time | The start timestamp, in seconds. This value also indicates when the event occurred. Example value: 1715258000. |
end_time | The end timestamp, in seconds. Example value: 1715258321. |
user_id | The Alibaba Cloud account ID that the logs belong to. Example value: 127XXXXXX. |
cloud_code | The cloud code. Valid values: alibaba_cloud, huawei_cloud, tencent_cloud. Example value: alibaba_cloud. |
product_code | The product code. Example value: waf. |
cloud_user_id | The account ID on the cloud platform. For an Alibaba Cloud account, this is the same as the aliuid. For an account on another cloud, this is the ID of the bound account. Example value: 127XXXXXX. |
extend_content | The content of the extended fields, as a JSON object. Example value: {"a":"111","b":"222"}. |
relate_alert_uuids | The UUID of each related alert. Example value: 1001. |
describeAlertsByIncidentUuid
Retrieves the alert list for an event based on the event ID.
Parameter description
Parameter | Description |
incidentUuid | The event UUID. Note: You can obtain the event UUID by calling the DescribeCloudSiemEvents API. |
incidentAccount | The account ID that the event belongs to. Default value: the ID of the logged-in account. |
Output example
{
"AlertDescEn": "The IP address that is used to log on to the server is not within the IP addresses that you specify. We recommend that you check whether the logon is valid.",
"AttCk": [],
"EndTime": "2025-05-07T02:32:55.000+00:00",
"AlertTypeEn": "Unusual Logon",
"LogTime": "2025-05-07T02:32:55.000+00:00",
"GmtModified": "2025-05-08T04:01:47.000+00:00",
"AlertTypeCode": "security_event_config.event_name.unusuallogon",
"SubUserId": 123,
"IsDefend": "0",
"AlertType": "Unusual Logon",
"AlertInfoList": [
{
"KeyName": "${aliyun.siem.alert.host}",
"Values": "ed9aede1-9acd-****-****-16c54d441213",
"Key": "${aliyun.siem.alert.host}"
},
{
"KeyName": "${aliyun.siem.alert.status}",
"Values": "0",
"Key": "${aliyun.siem.alert.status}"
}
],
"AlertTitle": "Unusual Logon-Login with unusual IP",
"AlertDetail": {
"gmtModified": "2025-05-07 10:32:50",
"intra_ip": "192.***.***.51",
"proc_path": "N/A",
"pid": "N/A",
"type": "login_common_ip",
"product_code": "sas",
"uuid": "ed9aede1-9acd-****-****-16c54d441213",
"host_uuid": "ed9aede1-9acd-****-****-16c54d441213",
"loginUser": "administrator",
"protocol": 1,
"os_info": "windows",
"protocolName": "RDP",
"inter_ip": "118.***.***.158",
"cloud_code": "aliyun",
"cloud_user_id": "1766****4675",
"sub_user_id": "1766****4675",
"id": 123,
"assetInfo": "{\"aliUid\":1766****4675,\"bid\":\"233\",\"clientStatus\":\"online\",\"eip\":\"\",\"flag\":0,\"groupId\":91,\"groupName\":\"default\",\"internetIp\":\"118.***.***.158\",\"intranetIp\":\"192.***.0.51\",\"machineInstanceId\":\"i-bp13h2hjh****1pyxngn\",\"machineIp\":\"118.***.***.158\",\"machineName\":\"win11-enterprise-lenovo-manage-x64-zh\",\"machineRegion\":\"cn-hangzhou-dg-a01\",\"machineType\":0,\"os\":\"windows\",\"regionId\":\"cn-hangzhou\",\"status\":\"Running\",\"tag\":\"InternetIp\",\"uuid\":\"ed9aede1-9acd-****-****-16c54d441213\",\"vpcInstanceId\":\"vpc-bp1ih********2hyq8m5\"}",
"cmdLine": "N/A",
"loginSourceIp": "221.***.***.122",
"os": "windows",
"loginTimes": 1,
"gmtCreate": "2025-05-07 10:32:50",
"loginDestinationPort": 3329,
"clientIp": "192.***.***.51",
"location": "Xi'an",
"aliUid": 123,
"host_name": "win11-enterprise-lenovo-manage-x64-zh",
"status": 0,
"siem_vpc_instance_id": "vpc-bp1ihs*****ihq2hyq8m5"
},
"AlertTitleEn": "Unusual Logon-Login with unusual IP",
"AlertLevel": "suspicious",
"AssetList": [
{
"entity_user_id": "1766****4675",
"asset_name": "win11-enterprise-lenovo-manage-x64-zh",
"os_type": "windows",
"cloud_code": "alibaba_cloud",
"asset_type": "host",
"asset_id": "win11-enterprise-lenovo-manage-x64-zh",
"product_code": "sas",
"host_uuid": "ed9aede1-9acd-****-****-16c54d441213",
"host_name": "win11-enterprise-lenovo-manage-x64-zh"
}
],
"AlertNameCode": "security_event_config.event_name.ilp",
"AlertUuid": "sas_7c316ebfa92e79b*****9d62d25c0",
"MainUserId": 12,
"CloudCode": "aliyun",
"AlertName": "Login with unusual IP",
"AlertSrcProd": "Security Center",
"AlertSrcProdModule": "aegis_login_log",
"AlertDescCode": "security_event_config.yd.lcid",
"StartTime": "2025-05-07T02:32:55.000+00:00",
"LogUuid": "sas_3c042c0*****81a7144107",
"EntityList": [
{
"entity_user_id": "1766****4675",
"entity_uuid": "909315f7c595*******b436e65f2d4",
"entity_type": "host",
"entity_name": "win11-enterprise-lenovo-manage-x64-zh",
"os_type": "windows",
"cloud_code": "alibaba_cloud",
"is_asset": "1",
"entity_id": "win11-enterprise-lenovo-manage-x64-zh",
"product_code": "sas",
"host_uuid": "ed9aede1-9acd-****-****-16c54d441213",
"host_name": "win11-enterprise-lenovo-manage-x64-zh"
},
{
"entity_user_id": "1766****4675",
"entity_uuid": "14447f89554d7bb****e389328",
"entity_type": "host_account",
"entity_name": "administrator",
"cloud_code": "alibaba_cloud",
"is_asset": "0",
"entity_id": "administrator",
"product_code": "sas",
"host_uuid": {
"entity_user_id": "17****4675",
"entity_uuid": "90931****5fef0b436e65f2d4",
"entity_type": "host",
"entity_name": "win11-enterprise-lenovo-manage-x64-zh",
"os_type": "windows",
"cloud_code": "alibaba_cloud",
"is_asset": "1",
"entity_id": "win11-enterprise-lenovo-manage-x64-zh",
"product_code": "sas",
"host_uuid": "ed9aede1-9acd-****-****-16c54d441213",
"host_name": "win11-enterprise-lenovo-manage-x64-zh"
},
"username": "administrator"
},
{
"is_private": "0",
"entity_name": "221.**.17.122",
"ip": "221.**.17.122",
"is_asset": "0",
"entity_id": "221.**.17.122",
"product_code": "sas",
"entity_user_id": "176****4104675",
"op_code": "6",
"entity_uuid": "d41d8cd98f00b****800998ecf8427e",
"entity_type": "ip",
"ip_version": "v4",
"cloud_code": "alibaba_cloud",
"net_connectDir": "in",
"aliuid": "1766****4675",
"op_level": "1",
"malware_type": "${aliyun.siem.sas.alert_tag.login_unusual_ip}"
}
],
"SubUserName": "user1",
"OccurTime": "2025-05-07T02:32:55.000+00:00",
"AlertDesc": "The IP address that is used to log on to the server is not within the IP addresses that you specify. We recommend that you check whether the logon is valid.",
"GmtCreate": "2025-05-08T04:01:47.000+00:00",
"AlertNameEn": "Login with unusual IP",
"Id": 123,
"IncidentUuid": "355955f705b34*****4232a"
}
describeSubUserInfo
Retrieves the member accounts that are managed by the management account or the delegated administrator account in multi-account management scenarios.
Parameter description
Parameter | Description |
input | This parameter has no effect and can be left empty. |
Output example
[
{
"SubUserId": "12"
},
{
"SubUserId": "23"
}
]