Queries the details about the alert events on the Alerts page. An alert event consists of an alert and exceptions. Each alert event is associated with multiple exceptions.
Request parameters

Parameter | Type | Required | Example | Description |
---|---|---|---|---|
Action | String | Yes | DescribeAlarmEventList | The operation that you want to perform. Set the value to DescribeAlarmEventList. |
SourceIp | String | No | 1.2.X.X | The source IP address of the request. |
Lang | String | No | zh | The language of the content within the request and response. Default value: zh. Valid values: |
Dealed | String | No | Y | The status of the alert event. Valid values: |
From | String | Yes | sas | The ID of the request source. Set the value to sas, which indicates that the request is sent from Security Center. |
Levels | String | No | serious | The risk level of the alert event. Separate multiple levels with commas (,). Valid values: |
Remark | String | No | database_server | The name of the alert, or the information about the asset. |
GroupId | String | No | tst*** | The ID of the asset group to which the affected asset belongs. |
AlarmEventName | String | No | DDoS trojan | The name of the alert event. |
AlarmEventType | String | No | Malicious process (cloud threat detection) | The type of the alert event. |
CurrentPage | Integer | Yes | 1 | The number of the page to return. Pages start from page 1. Default value: 1. |
PageSize | String | Yes | 20 | The number of entries to return on each page. Default value: 20. |
OperateErrorCodeList.N | String | No | ignore. Success | The handling result code N of the alert event. The value is in the following format: Operation type.Operation result code. Operation types: Operation result codes: |
All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common parameters.
For more information about sample requests, see the "Examples" section of this topic.
Response parameters

Parameter | Type | Example | Description |
---|---|---|---|
RequestId | String | 28267723-D857-4DD8-B295-013100000000 | The ID of the request, which is used to locate and troubleshoot issues. |
PageInfo | Object | | The pagination information. It contains the following fields. |
CurrentPage | Integer | 1 | The page number of the returned page. Default value: 1. |
PageSize | Integer | 20 | The number of entries returned per page. Default value: 20. |
TotalCount | Integer | 1 | The total number of alert events that are returned. |
Count | Integer | 1 | The number of entries returned on the current page. |
SuspEvents | Array of SuspEvents | | The information about the alert events. Each element contains the following fields. |
Dealed | Boolean | false | Indicates whether the alert is handled. Valid values: |
Stages | String | [\"authority_maintenance\"] | The stage at which the attack is detected. |
InternetIp | String | 1.2.X.X | The public IP address of the affected asset. |
SuspiciousEventCount | Integer | 1 | The number of associated exceptions. |
GmtModified | Long | 1569235879000 | The timestamp when the alert was last modified. Unit: milliseconds. |
AlarmEventNameOriginal | String | Precise defense against malicious commands | The original parent name of the alert event. |
AlarmUniqueInfo | String | 8df914418f4211fbf756efe7a6f40cbc | The ID of the alert event. |
CanCancelFault | Boolean | false | Indicates whether you can cancel marking the alert event as a false positive. Valid values: |
SecurityEventIds | String | 270789 | The ID of the associated exception. |
CanBeDealOnLine | Boolean | true | Indicates whether the online processing of the alert event is supported, such as quarantining the source file of the malicious process, adding the alert event to the whitelist, and ignoring the alert event. Valid values: |
Description | String | After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep malicious programs running. The scheduled tasks include crontab and systemd. | The description of the alert event. |
InstanceName | String | Test server | The name of the affected asset. |
SaleVersion | String | 1 | The edition in which the alert event detection can be enabled. Valid values: |
OperateErrorCode | String | kill_and_quara.Success | The handling result code of the alert event. |
Solution | String | Check the malicious URLs that are listed in the alert. Check the directory for malicious files. Terminate malicious processes. If you manually run the processes, you can mark them as false positives in the console. | The solution to the alert event. |
HasTraceInfo | Boolean | true | Indicates whether the alert has trace information. Valid values: |
DataSource | String | aegis_*** | The source of data. |
OperateTime | Long | 1631699497000 | The timestamp when the alert event was handled. Unit: milliseconds. |
InstanceId | String | i-e*** | The ID of the affected asset. |
IntranetIp | String | 1.2.X.X | The private IP address of the affected asset. |
EndTime | Long | 1543740301000 | The timestamp when the alert event was last detected. Unit: milliseconds. |
Uuid | String | 47900178-885d-4fa4-9d77-*** | The ID of the associated instance. |
StartTime | Long | 1543740301000 | The timestamp when the alert event starts. |
AlarmEventType | String | Suspicious process | The type of the alert event. |
AlarmEventName | String | Execution of malicious commands | The name of the alert event. |
Level | String | serious | The risk level of the alert event. Valid values: |
Examples

Sample requests

```http
http(s)://[Endpoint]/?Action=DescribeAlarmEventList
&SourceIp=1.2.X.X
&Lang=zh
&Dealed=Y
&From=sas
&Levels=serious
&Remark=database_server
&GroupId=tst***
&AlarmEventName=DDoS trojan
&AlarmEventType=Malicious process (cloud threat detection)
&CurrentPage=1
&PageSize=20
&OperateErrorCodeList=["ignore. Success"]
&Common request parameters
```
Sample success responses

XML format

```xml
HTTP/1.1 200 OK
Content-Type:application/xml

<DescribeAlarmEventListResponse>
  <RequestId>28267723-D857-4DD8-B295-013100000000</RequestId>
  <PageInfo>
    <CurrentPage>1</CurrentPage>
    <PageSize>20</PageSize>
    <TotalCount>1</TotalCount>
    <Count>1</Count>
  </PageInfo>
  <SuspEvents>
    <Dealed>false</Dealed>
    <Stages>[\"authority_maintenance\"]</Stages>
    <InternetIp>1.2.X.X</InternetIp>
    <SuspiciousEventCount>1</SuspiciousEventCount>
    <GmtModified>1569235879000</GmtModified>
    <AlarmEventNameOriginal>Precise defense against malicious commands</AlarmEventNameOriginal>
    <AlarmUniqueInfo>8df914418f4211fbf756efe7a6f40cbc</AlarmUniqueInfo>
    <CanCancelFault>false</CanCancelFault>
    <SecurityEventIds>270789</SecurityEventIds>
    <CanBeDealOnLine>true</CanBeDealOnLine>
    <Description>After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep malicious programs running. The scheduled tasks include crontab and systemd. </Description>
    <InstanceName>Test server</InstanceName>
    <SaleVersion>1</SaleVersion>
    <OperateErrorCode>kill_and_quara.Success</OperateErrorCode>
    <Solution>Check the malicious URLs that are listed in the alert. Check the directory for malicious files. Terminate malicious processes. If you manually run the processes, you can mark them as false positives in the console. </Solution>
    <HasTraceInfo>true</HasTraceInfo>
    <DataSource>aegis_***</DataSource>
    <OperateTime>1631699497000</OperateTime>
    <InstanceId>i-e***</InstanceId>
    <IntranetIp>1.2.X.X</IntranetIp>
    <EndTime>1543740301000</EndTime>
    <Uuid>47900178-885d-4fa4-9d77-***</Uuid>
    <StartTime>1543740301000</StartTime>
    <AlarmEventType>Suspicious process</AlarmEventType>
    <AlarmEventName>Execution of malicious commands</AlarmEventName>
    <Level>serious</Level>
  </SuspEvents>
</DescribeAlarmEventListResponse>
```
JSON format

```json
HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "28267723-D857-4DD8-B295-013100000000",
  "PageInfo" : {
    "CurrentPage" : 1,
    "PageSize" : 20,
    "TotalCount" : 1,
    "Count" : 1
  },
  "SuspEvents" : [ {
    "Dealed" : false,
    "Stages" : "[\\\"authority_maintenance\\\"]",
    "InternetIp" : "1.2.X.X",
    "SuspiciousEventCount" : 1,
    "GmtModified" : 1569235879000,
    "AlarmEventNameOriginal" : "Precise defense against malicious commands",
    "AlarmUniqueInfo" : "8df914418f4211fbf756efe7a6f40cbc",
    "CanCancelFault" : false,
    "SecurityEventIds" : "270789",
    "CanBeDealOnLine" : true,
    "Description" : "After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep malicious programs running. The scheduled tasks include crontab and systemd.",
    "InstanceName" : "Test server",
    "SaleVersion" : "1",
    "OperateErrorCode" : "kill_and_quara.Success",
    "Solution" : "Check the malicious URLs that are listed in the alert. Check the directory for malicious files. Terminate malicious processes. If you manually run the processes, you can mark them as false positives in the console.",
    "HasTraceInfo" : true,
    "DataSource" : "aegis_***",
    "OperateTime" : 1631699497000,
    "InstanceId" : "i-e***",
    "IntranetIp" : "1.2.X.X",
    "EndTime" : 1543740301000,
    "Uuid" : "47900178-885d-4fa4-9d77-***",
    "StartTime" : 1543740301000,
    "AlarmEventType" : "Suspicious process",
    "AlarmEventName" : "Execution of malicious commands",
    "Level" : "serious"
  } ]
}
```
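The following is an added example, not code from this page or from Alibaba Cloud: it walks the paginated response shape above (PageInfo.TotalCount plus the SuspEvents list), decodes the string-encoded Stages array and the `Operation type.Operation result code` form of OperateErrorCode, and builds a triage list of unhandled alert events by risk level. The network call is replaced by a hypothetical offline stand-in (`fake_describe_alarm_event_list`) that serves constructed sample events; in a real client that function would issue the DescribeAlarmEventList request with `From=sas`.

```python
import json
# Constructed sample events in the shape of this page's SuspEvents objects: the first copies the
# page's example values, the second is invented (already handled, with a different result code).
SAMPLE_EVENTS = [
    {"AlarmUniqueInfo": "8df914418f4211fbf756efe7a6f40cbc", "Dealed": False, "Level": "serious",
     "AlarmEventName": "Execution of malicious commands", "Stages": "[\"authority_maintenance\"]",
     "OperateErrorCode": "kill_and_quara.Success", "InstanceId": "i-e***", "EndTime": 1543740301000},
    {"AlarmUniqueInfo": "constructed-2", "Dealed": True, "Level": "serious", "AlarmEventName": "DDoS trojan",
     "Stages": None, "OperateErrorCode": "ignore.Success", "InstanceId": "i-f***", "EndTime": 1543740500000},
]

def fake_describe_alarm_event_list(current_page, page_size):
    """Hypothetical offline stand-in for the API call: one page in the documented response shape."""
    chunk = SAMPLE_EVENTS[(current_page - 1) * page_size:current_page * page_size]
    return {"PageInfo": {"CurrentPage": current_page, "PageSize": page_size,
                         "TotalCount": len(SAMPLE_EVENTS), "Count": len(chunk)}, "SuspEvents": chunk}

def parse_operate_code(code):
    """Split 'Operation type.Operation result code', e.g. 'kill_and_quara.Success'."""
    op, _, result = (code or "").partition(".")
    return (op.strip() or None, result.strip() or None)

def parse_stages(stages):
    """Stages is a JSON array serialised into a string; absent or malformed means no stages."""
    try:
        value = json.loads(stages or "[]")
    except ValueError:
        return []
    return value if isinstance(value, list) else []

def iter_alert_events(fetch_page, page_size=20):
    """Walk every page, stopping on PageInfo.TotalCount (or an empty page) so the loop ends."""
    page, seen = 1, 0
    while True:
        resp = fetch_page(page, page_size)
        events = resp.get("SuspEvents") or []
        for ev in events:
            yield {"id": ev["AlarmUniqueInfo"], "level": ev.get("Level"), "asset": ev.get("InstanceId"),
                   "handled": bool(ev.get("Dealed")), "stages": parse_stages(ev.get("Stages")),
                   "operation": parse_operate_code(ev.get("OperateErrorCode")),
                   "last_seen_ms": ev.get("EndTime", 0)}  # milliseconds since the epoch, as documented
        seen += len(events)
        if not events or seen >= resp.get("PageInfo", {}).get("TotalCount", 0):
            return
        page += 1

def open_alerts(fetch_page, levels=("serious",), page_size=20):
    """Triage view: unhandled events at the given risk levels, most recently seen first."""
    hits = [e for e in iter_alert_events(fetch_page, page_size) if not e["handled"] and e["level"] in levels]
    return sorted(hits, key=lambda e: e["last_seen_ms"], reverse=True)
```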
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
400 | NoPermission | no permission | The error message returned because you do not have access permissions. |
400 | UnknownError | UnknownError | The error message returned because an unknown error occurred. |
500 | ServerError | ServerError | The error message returned because a server error occurred. |
For a list of error codes, visit the API Error Center.