
Web Application Firewall: DescribeThreatEventDetail

Last Updated: Dec 25, 2025

Queries the details of a noteworthy security event.


RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

Parameter: EventId
Type: string
Required: Yes
Description: The ID of the security event.
Example: 1661131a028f72a976703f4a4082ad87

Parameter: InstanceId
Type: string
Required: Yes
Description: The ID of the WAF instance.
Note: Call the DescribeInstance operation to query the ID of your WAF instance.
Example: waf_v2_public_cn-lbj*****

Parameter: RegionId
Type: string
Required: No
Description: The region where the WAF instance resides. Valid values:

  • cn-hangzhou: the Chinese mainland.
  • ap-southeast-1: outside the Chinese mainland.

Example: cn-hangzhou

Parameter: ResourceManagerResourceGroupId
Type: string
Required: No
Description: The ID of the resource group.
Example: rg-aekzhks66****

Response elements

Element: (top level)
Type: object

Element: RequestId
Type: string
Description: The ID of the request.
Example: D7861F61-5B61-46CE-A47C-6B1****

Element: ThreatEventDetail
Type: object
Description: The details of the security event.

  Element: IsPersistent
  Type: integer
  Description: Indicates whether the attack is persistent.

    • 0: The attack is not persistent.
    • 1: The attack is persistent.

  Example: 1

  Element: EventLevel
  Type: string
  Description: The severity level of the event. Valid values:

    • critical: critical.
    • high: high.
    • medium: medium.
    • low: low.

  Example: high

  Element: EventBlock
  Type: string
  Description: The number of blocked attacks.
  Example: 20

  Element: EventCnt
  Type: string
  Description: The total number of attacks.
  Example: 20

  Element: EndTime
  Type: integer
  Description: The time of the last attack. This value is a UNIX timestamp. Unit: milliseconds.
  Example: 1749916800000

  Element: EventIntelligence
  Type: string
  Description: The threat intelligence associated with the event. The value is a string that is converted from a JSON array.
  Example: ["CVE-2020-14882","DDoS Attack"]

  Element: EventSrcRegion
  Type: string
  Description: The region from which the attack was initiated.
  Example: GB-ENG

  Element: EventSrc
  Type: string
  Description: The source IP address of the attack.
  Note: A security event may have multiple source IP addresses. This operation returns only one of the source IP addresses.
  Example: XX.XX.XX.XX

  Element: EventSuggest
  Type: string
  Description: The suggestion for security protection. Valid values:

    • ProtectInterface: The attack target appears to be a management backend. If the address has fixed access characteristics, configure a custom rule in the access control module to restrict access.
    • BlockArea: Pay attention to the attack source region. If the attack source region is different from the normal business region, configure a location blacklist or an IP address blacklist rule in the access control module to restrict access.
    • SwitchBlock: The current protection rule is in Alert mode. To ensure business security, switch to Block mode. Before you switch, check for false positives.
    • FixBug: Check whether the attack target has security vulnerabilities. If a security vulnerability exists, fix it immediately to prevent exploits.
    • SwitchStrict: If your business is not affected, change the policies of modules such as protection rules and scan protection to a stricter mode. Before you change the policies, check for false positives.
    • ProtectFile: Check for sensitive files or paths under the destination domain name to prevent exploits.
    • BlockIP: The attack source IP address is highly malicious. Keep it under observation. If your business is not affected, use an IP address blacklist to block access from the malicious IP address.
    • KeepConcerned: No threats are found. Keep the event under observation.

  Example: FixBug

  Element: EventCondition
  Type: string
  Description: The filter condition that is used to view logs. The value is a string that is converted from a JSON object that consists of a set of parameters.
  Example: {"end_ts": 1766637714, "start_ts": 1764096746, "condition": {"real_client_ip": ["78.153.140.179", "78.153.140.203", "78.153.140.177", "78.153.140.178", "78.153.140.151"]}}

  Element: EventTag
  Type: string
  Description: The name of the event. Valid values:

    • MultipleDomainDirscan: directory and file scans for multiple domain names.
    • SingleDomainDirscan: directory and file scans for a single domain name.
    • MultipleDomainWebscan: web vulnerability scans for multiple domain names.
    • SingleDomainWebscan: web vulnerability scans for a single domain name.
    • MultipleDomainWebattack: web vulnerability attacks on multiple domain names.
    • SingleDomainWebattack: web vulnerability attacks on a single domain name.
    • SingleURLWebattack: web vulnerability attacks on a specific URL.
    • SingleURLSqlattack: SQL injection attacks on a specific URL.
    • SingleURLXssattack: XSS vulnerability attacks on a specific URL.
    • WebshellUpload: attacks that try to upload backdoor trojans.
    • RandomVulnTest: random web vulnerability scans.

  Example: MultipleDomainWebattack

  Element: EventSrcCountry
  Type: string
  Description: The country from which the attack was initiated.
  Example: GB

Examples

Success response

JSON format

{
  "RequestId": "D7861F61-5B61-46CE-A47C-6B1****",
  "ThreatEventDetail": {
    "IsPersistent": 1,
    "EventLevel": "high",
    "EventBlock": "20",
    "EventCnt": "20",
    "EndTime": 1749916800000,
    "EventIntelligence": "[\"CVE-2020-14882\",\"DDoS Attack\"]",
    "EventSrcRegion": "GB-ENG",
    "EventSrc": "XX.XX.XX.XX",
    "EventSuggest": "FixBug",
    "EventCondition": "{\"end_ts\": 1766637714, \"start_ts\": 1764096746, \"condition\": {\"real_client_ip\": [\"78.153.140.179\", \"78.153.140.203\", \"78.153.140.177\", \"78.153.140.178\", \"78.153.140.151\"]}}",
    "EventTag": "MultipleDomainWebattack",
    "EventSrcCountry": "GB"
  }
}
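
The response carries two JSON documents as strings (EventIntelligence, EventCondition), returns the attack counts as strings, and gives EndTime in milliseconds. The following added example, which is not Alibaba Cloud's code, normalizes the success response above into a flat record for log or SIEM ingestion. The function names, the documentation-range IPs in the constructed sample, and the reading of start_ts/end_ts as seconds are assumptions.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Enumerated values copied from the EventLevel and EventSuggest descriptions.
LEVELS = {"critical", "high", "medium", "low"}
SUGGESTIONS = {"ProtectInterface", "BlockArea", "SwitchBlock", "FixBug",
               "SwitchStrict", "ProtectFile", "BlockIP", "KeepConcerned"}

# Constructed sample: the page's success response with documentation-range IPs.
SAMPLE = r'''{"RequestId": "D7861F61-5B61-46CE-A47C-6B1****", "ThreatEventDetail": {
  "IsPersistent": 1, "EventLevel": "high", "EventBlock": "20", "EventCnt": "20",
  "EndTime": 1749916800000, "EventSrcRegion": "GB-ENG", "EventSrcCountry": "GB",
  "EventIntelligence": "[\"CVE-2020-14882\",\"DDoS Attack\"]",
  "EventSrc": "XX.XX.XX.XX", "EventSuggest": "FixBug",
  "EventCondition": "{\"end_ts\": 1766637714, \"start_ts\": 1764096746, \"condition\": {\"real_client_ip\": [\"192.0.2.10\", \"192.0.2.11\"]}}",
  "EventTag": "MultipleDomainWebattack"}}'''

def to_utc(ts, millis=False):
    return datetime.fromtimestamp(ts / 1000 if millis else ts, tz=timezone.utc).isoformat()

def valid_ips(values):
    # Keep only strings that parse as IP addresses; masked values are dropped.
    out = []
    for v in values:
        try:
            out.append(str(ipaddress.ip_address(v)))
        except ValueError:
            pass
    return out

def normalize_event(raw):
    d = json.loads(raw)["ThreatEventDetail"]
    if d["EventLevel"] not in LEVELS or d["EventSuggest"] not in SUGGESTIONS:
        raise ValueError("undocumented EventLevel or EventSuggest value")
    intel = json.loads(d["EventIntelligence"])  # second decode: JSON array in a string
    cond = json.loads(d["EventCondition"])      # second decode: JSON object in a string
    total, blocked = int(d["EventCnt"]), int(d["EventBlock"])  # counts arrive as strings
    ips = cond.get("condition", {}).get("real_client_ip", []) + [d["EventSrc"]]
    return {
        "tag": d["EventTag"], "level": d["EventLevel"], "suggest": d["EventSuggest"],
        "persistent": d["IsPersistent"] == 1,
        "total": total, "blocked": blocked, "not_blocked": total - blocked,
        "last_attack": to_utc(d["EndTime"], millis=True),  # documented as milliseconds
        # Assumption: start_ts/end_ts are seconds, judging by the example's magnitude.
        "window": (to_utc(cond["start_ts"]), to_utc(cond["end_ts"])),
        "cves": [i for i in intel if i.startswith("CVE-")],
        "source_ips": sorted(set(valid_ips(ips))),
    }
```

A non-zero `not_blocked` count is the signal to review alongside a `SwitchBlock` or `FixBug` suggestion, since it means some requests in the event reached the origin.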

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.