Queries the details of the alert events that are shown on the Alerts page. An alert event consists of an alert and the exceptions associated with it; one alert event can be associated with multiple exceptions.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeAlarmEventList

The operation that you want to perform. Set the value to DescribeAlarmEventList.

SourceIp String No 1.2.X.X

The source IP address of the request.

Lang String No zh

The language of the content within the request and response. Default value: zh. Valid values:

  • zh: Chinese
  • en: English
Dealed String No Y

The status of the alert event. Valid values:

  • N: unhandled
  • Y: handled
From String Yes sas

The ID of the request source. Set the value to sas, which indicates that the request is sent from Security Center.

Levels String No serious

The risk level of the alert event. Separate multiple levels with commas (,). Valid values:

  • serious
  • suspicious
  • remind
Remark String No database_server

The name of the alert, or the information about the asset.

GroupId String No tst***

The ID of the asset group to which the affected asset belongs.

AlarmEventName String No DDoS trojan

The name of the alert event.

AlarmEventType String No Malicious process (cloud threat detection)

The type of the alert event.

CurrentPage Integer Yes 1

The number of the page to return. Pages start from page 1. Default value: 1.

PageSize String Yes 20

The number of entries to return on each page. Default value: 20.

OperateErrorCodeList.N String No ignore.Success

Handling result code N of the alert event. Pass one code per numbered parameter (OperateErrorCodeList.1, OperateErrorCodeList.2, and so on). Each value is in the format Operation type.Operation result code, for example kill_and_quara.Success. Operation types:

  • Common: performs common operations.
  • deal: handles the alert.
  • ignore: ignores the alert.
  • offline_handled: marks the alert as handled.
  • mark_mis_info: marks the alert as a false positive by adding it to the whitelist.
  • rm_mark_mis_info: cancels a false positive by removing the alert from the whitelist.
  • quara: quarantines the source file of the malicious process.
  • kill_and_quara: terminates the malicious process and quarantines the source file.
  • kill_virus: deletes the source file of the malicious process.
  • block_ip: blocks the source IP address.
  • manual_handled: manually handles the alert.

Operation result codes:

  • Success: The operation is successful.
  • Failure: The operation fails.
  • AgentOffline: The agent is offline.

All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common parameters.

For more information about sample requests, see the "Examples" section of this topic.
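The page leaves the common parameters and the signature to OpenAPI Explorer. The following Python, an added example that is not code from this page or from the Security Center SDK, shows what that involves when a request is assembled by hand: the operation parameters above (including the numbered OperateErrorCodeList.N convention and the comma-joined Levels value) are merged with the common parameters, canonicalized, and signed. The API version 2018-12-03, the endpoint tos.aliyuncs.com, and the HMAC-SHA1 RPC signing scheme are assumptions not stated on this page.

```python
"""Assemble a signed DescribeAlarmEventList request by hand.

Added example; not code from this page or from the Security Center SDK.
Assumptions the page does not state:
  - Security Center's RPC API version is 2018-12-03 and the endpoint is
    tos.aliyuncs.com;
  - the common parameters follow Alibaba Cloud's RPC signing scheme
    (HMAC-SHA1 over a canonicalized query string, SignatureVersion 1.0).
"""
import base64
import hashlib
import hmac
import urllib.parse
import uuid
from datetime import datetime, timezone

SAS_API_VERSION = "2018-12-03"      # assumption, see above
SAS_ENDPOINT = "tos.aliyuncs.com"   # assumption, see above


def percent_encode(value) -> str:
    """RFC 3986 encoding as the signature requires: space -> %20, '*' -> %2A,
    '~' left alone, '/' encoded (quote()'s default 'safe' would keep it)."""
    return urllib.parse.quote(str(value), safe="-_.~")


def alarm_event_list_params(levels=("serious",), dealed="N", current_page=1,
                            page_size=20, operate_error_codes=(), **extra):
    """Operation-specific parameters. Levels is comma-joined; the
    OperateErrorCodeList.N values are sent as numbered parameters from .1 upward."""
    params = {
        "Action": "DescribeAlarmEventList",
        "From": "sas",
        "Lang": "en",
        "Dealed": dealed,
        "Levels": ",".join(levels),
        "CurrentPage": str(current_page),
        "PageSize": str(page_size),
    }
    for n, code in enumerate(operate_error_codes, start=1):
        params[f"OperateErrorCodeList.{n}"] = code   # e.g. ignore.Success
    params.update(extra)                              # Remark, GroupId, AlarmEventName, ...
    return params


def string_to_sign(method: str, params: dict) -> str:
    """Canonicalize: sort by key, encode key and value, join with '&', then
    encode the whole query string once more behind '<METHOD>&%2F&'."""
    canonical = "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                         for k, v in sorted(params.items()))
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign(sts: str, access_key_secret: str) -> str:
    """HMAC-SHA1 keyed with the secret plus a trailing '&', base64-encoded."""
    mac = hmac.new((access_key_secret + "&").encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def build_query(action_params: dict, access_key_id: str, access_key_secret: str,
                timestamp=None, nonce=None) -> str:
    """Merge the common parameters with the action parameters and append Signature.
    timestamp/nonce are injectable so a test can check that the result is deterministic."""
    params = {
        "Format": "JSON",
        "Version": SAS_API_VERSION,
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),   # replay protection: never reuse
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    params.update(action_params)
    params["Signature"] = sign(string_to_sign("GET", params), access_key_secret)
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in params.items())


def request_url(action_params, access_key_id, access_key_secret, **kw) -> str:
    """Always HTTPS: the query string carries the AccessKeyId and the Signature."""
    return f"https://{SAS_ENDPOINT}/?" + build_query(action_params, access_key_id, access_key_secret, **kw)


if __name__ == "__main__":
    demo = alarm_event_list_params(levels=("serious", "suspicious"),
                                   operate_error_codes=("ignore.Success",),
                                   AlarmEventName="DDoS trojan")
    # Placeholder credentials; load real ones from the environment, never from source.
    print(request_url(demo, "AKID_PLACEHOLDER", "SECRET_PLACEHOLDER"))
```

Two points matter in practice: the value is percent-encoded twice (once per pair, once over the whole canonical string) and the key is the secret with a trailing ampersand, so an implementation that gets either detail wrong fails with a signature error rather than a clear message. Keep the AccessKeySecret out of logs and source control, and rotate it if a URL containing a signature is ever leaked, since the signed query is replayable within the timestamp window.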

Response parameters

Parameter Type Example Description
RequestId String 28267723-D857-4DD8-B295-013100000000

The ID of the request, which is used to locate and troubleshoot issues.

PageInfo Object

The pagination information.

CurrentPage Integer 1

The page number of the returned page. Default value: 1.

PageSize Integer 20

The number of entries returned per page. Default value: 20.

TotalCount Integer 1

The total number of alert events that are returned.

Count Integer 1

The number of entries returned on the current page.

SuspEvents Array of SuspEvents

The information about the alert event.

Dealed Boolean false

Indicates whether the alert is handled. Valid values:

  • true: handled
  • false: unhandled
Stages String ["authority_maintenance"]

The stages at which the attack was detected. The value is a JSON array serialized as a string.

InternetIp String 1.2.X.X

The public IP address of the affected asset.

SuspiciousEventCount Integer 1

The number of associated exceptions.

GmtModified Long 1569235879000

The timestamp when the alert was last modified. Unit: milliseconds.

AlarmEventNameOriginal String Precise defense against malicious commands

The original parent name of the alert event.

AlarmUniqueInfo String 8df914418f4211fbf756efe7a6f40cbc

The ID of the alert event.

CanCancelFault Boolean false

Indicates whether you can cancel marking the alert event as a false positive. Valid values:

  • true: yes
  • false: no
SecurityEventIds String 270789

The IDs of the exceptions associated with the alert event.

CanBeDealOnLine Boolean true

Indicates whether the online processing of the alert event is supported, such as quarantining the source file of the malicious process, adding the alert event to the whitelist, and ignoring the alert event. Valid values:

  • true: Online processing is supported.
  • false: Online processing is not supported.
Description String After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep malicious programs running. The scheduled tasks include crontab and systemd.

The description of the alert event.

InstanceName String Test server

The name of the affected asset.

SaleVersion String 1

The edition in which the alert event detection can be enabled. Valid values:

  • 0: the Basic edition
  • 1: the Enterprise edition
OperateErrorCode String kill_and_quara.Success

The handling result code of the alert event.

Solution String Check the malicious URLs that are listed in the alert. Check the directory for malicious files. Terminate malicious processes. If you manually run the processes, you can mark them as false positives in the console.

The solution to the alert event.

HasTraceInfo Boolean true

Indicates whether the alert has trace information. Valid values:

  • true: The alert has trace information.
  • false: The alert does not have trace information.
DataSource String aegis_***

The source of data.

OperateTime Long 1631699497000

The timestamp when the alert event was handled. Unit: milliseconds.

InstanceId String i-e***

The ID of the affected asset.

IntranetIp String 1.2.X.X

The private IP address of the affected asset.

EndTime Long 1543740301000

The timestamp when the alert event was last detected. Unit: milliseconds.

Uuid String 47900178-885d-4fa4-9d77-***

The ID of the associated instance.

StartTime Long 1543740301000

The timestamp when the alert event was first detected. Unit: milliseconds.

AlarmEventType String Suspicious process

The type of the alert event.

AlarmEventName String Execution of malicious commands

The name of the alert event.

Level String serious

The risk level of the alert event. Valid values:

  • serious
  • suspicious
  • remind

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeAlarmEventList
&SourceIp=1.2.X.X
&Lang=zh
&Dealed=Y
&From=sas
&Levels=serious
&Remark=database_server
&GroupId=tst***
&AlarmEventName=DDoS trojan
&AlarmEventType=Malicious process (cloud threat detection)
&CurrentPage=1
&PageSize=20
&OperateErrorCodeList.1=ignore.Success
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<DescribeAlarmEventListResponse>
    <RequestId>28267723-D857-4DD8-B295-013100000000</RequestId>
    <PageInfo>
        <CurrentPage>1</CurrentPage>
        <PageSize>20</PageSize>
        <TotalCount>1</TotalCount>
        <Count>1</Count>
    </PageInfo>
    <SuspEvents>
        <Dealed>false</Dealed>
        <Stages>["authority_maintenance"]</Stages>
        <InternetIp>1.2.X.X</InternetIp>
        <SuspiciousEventCount>1</SuspiciousEventCount>
        <GmtModified>1569235879000</GmtModified>
        <AlarmEventNameOriginal>Precise defense against malicious commands</AlarmEventNameOriginal>
        <AlarmUniqueInfo>8df914418f4211fbf756efe7a6f40cbc</AlarmUniqueInfo>
        <CanCancelFault>false</CanCancelFault>
        <SecurityEventIds>270789</SecurityEventIds>
        <CanBeDealOnLine>true</CanBeDealOnLine>
        <Description>After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep malicious programs running. The scheduled tasks include crontab and systemd.</Description>
        <InstanceName>Test server</InstanceName>
        <SaleVersion>1</SaleVersion>
        <OperateErrorCode>kill_and_quara.Success</OperateErrorCode>
        <Solution>Check the malicious URLs that are listed in the alert. Check the directory for malicious files. Terminate malicious processes. If you manually run the processes, you can mark them as false positives in the console.</Solution>
        <HasTraceInfo>true</HasTraceInfo>
        <DataSource>aegis_***</DataSource>
        <OperateTime>1631699497000</OperateTime>
        <InstanceId>i-e***</InstanceId>
        <IntranetIp>1.2.X.X</IntranetIp>
        <EndTime>1543740301000</EndTime>
        <Uuid>47900178-885d-4fa4-9d77-***</Uuid>
        <StartTime>1543740301000</StartTime>
        <AlarmEventType>Suspicious process</AlarmEventType>
        <AlarmEventName>Execution of malicious commands</AlarmEventName>
        <Level>serious</Level>
    </SuspEvents>
</DescribeAlarmEventListResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "28267723-D857-4DD8-B295-013100000000",
  "PageInfo" : {
    "CurrentPage" : 1,
    "PageSize" : 20,
    "TotalCount" : 1,
    "Count" : 1
  },
  "SuspEvents" : [ {
    "Dealed" : false,
    "Stages" : "[\"authority_maintenance\"]",
    "InternetIp" : "1.2.X.X",
    "SuspiciousEventCount" : 1,
    "GmtModified" : 1569235879000,
    "AlarmEventNameOriginal" : "Precise defense against malicious commands",
    "AlarmUniqueInfo" : "8df914418f4211fbf756efe7a6f40cbc",
    "CanCancelFault" : false,
    "SecurityEventIds" : "270789",
    "CanBeDealOnLine" : true,
    "Description" : "After an attacker accesses a server, the attacker may import malicious shell scripts into scheduled tasks to keep malicious programs running. The scheduled tasks include crontab and systemd.",
    "InstanceName" : "Test server",
    "SaleVersion" : "1",
    "OperateErrorCode" : "kill_and_quara.Success",
    "Solution" : "Check the malicious URLs that are listed in the alert. Check the directory for malicious files. Terminate malicious processes. If you manually run the processes, you can mark them as false positives in the console.",
    "HasTraceInfo" : true,
    "DataSource" : "aegis_***",
    "OperateTime" : 1631699497000,
    "InstanceId" : "i-e***",
    "IntranetIp" : "1.2.X.X",
    "EndTime" : 1543740301000,
    "Uuid" : "47900178-885d-4fa4-9d77-***",
    "StartTime" : 1543740301000,
    "AlarmEventType" : "Suspicious process",
    "AlarmEventName" : "Execution of malicious commands",
    "Level" : "serious"
  } ]
}
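Consuming the response above in an integration (a SOAR playbook or a SIEM poller) means decoding the few fields that are not plain values: Stages is a JSON array inside a string, the timestamps are epoch milliseconds, OperateErrorCode packs an operation type and a result code into one string, and paging needs TotalCount and PageSize. The Python below is an added example, not code from this page or from the Security Center SDK. The sample body is constructed from the page's JSON example and trimmed to the fields used. Two assumptions go beyond the page: that an error reply is a JSON envelope with top-level Code, Message, and RequestId fields (the error-code table lists only codes and messages), and that SecurityEventIds is comma-separated when an alert event has several exceptions (the sample shows a single ID).

```python
"""Parse and triage a DescribeAlarmEventList JSON response.

Added example; not code from this page or from the Security Center SDK.
Assumptions beyond what the page states:
  - an error reply is a JSON envelope with top-level Code/Message/RequestId;
  - SecurityEventIds is comma-separated when there are several exceptions.
"""
import json
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed from the page's JSON sample, trimmed to the fields used here.
SAMPLE_BODY = r"""{
  "RequestId": "28267723-D857-4DD8-B295-013100000000",
  "PageInfo": {"CurrentPage": 1, "PageSize": 20, "TotalCount": 1, "Count": 1},
  "SuspEvents": [{
    "Dealed": false,
    "Stages": "[\"authority_maintenance\"]",
    "AlarmUniqueInfo": "8df914418f4211fbf756efe7a6f40cbc",
    "SecurityEventIds": "270789",
    "CanBeDealOnLine": true,
    "InstanceId": "i-e***",
    "OperateErrorCode": "kill_and_quara.Success",
    "StartTime": 1543740301000,
    "EndTime": 1543740301000,
    "AlarmEventName": "Execution of malicious commands",
    "Level": "serious"
  }]
}"""


@dataclass
class AlarmEvent:
    alarm_unique_info: str          # stable key for de-duplicating across pages and polls
    name: str
    level: str                      # serious | suspicious | remind
    dealed: bool
    can_deal_online: bool
    instance_id: str
    stages: List[str]
    security_event_ids: List[str]
    operate_type: Optional[str]     # e.g. kill_and_quara
    operate_result: Optional[str]   # Success | Failure | AgentOffline
    start_time: datetime
    end_time: datetime


class SasApiError(Exception):
    """The body was an error envelope such as NoPermission or ServerError."""


def _ms_to_utc(ms) -> datetime:
    """The page's timestamps are epoch milliseconds."""
    return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc)


def parse_stages(raw: Optional[str]) -> List[str]:
    """Stages is a JSON array serialized into a string; also accept the
    backslash-escaped form that appears in the page's samples."""
    if not raw:
        return []
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return json.loads(raw.replace('\\"', '"'))


def parse_operate_error_code(code: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """'kill_and_quara.Success' -> ('kill_and_quara', 'Success'); unset -> (None, None)."""
    if not code or "." not in code:
        return None, None
    op, _, result = code.partition(".")
    return op, result


def parse_response(body: str) -> Tuple[dict, List[AlarmEvent]]:
    data = json.loads(body)
    if "SuspEvents" not in data and "Code" in data:   # assumed error envelope
        raise SasApiError(f"{data['Code']}: {data.get('Message')} (RequestId={data.get('RequestId')})")
    events = []
    for e in data.get("SuspEvents", []):
        op, result = parse_operate_error_code(e.get("OperateErrorCode"))
        events.append(AlarmEvent(
            alarm_unique_info=e["AlarmUniqueInfo"],
            name=e.get("AlarmEventName", ""),
            level=e.get("Level", ""),
            dealed=bool(e.get("Dealed")),
            can_deal_online=bool(e.get("CanBeDealOnLine")),
            instance_id=e.get("InstanceId", ""),
            stages=parse_stages(e.get("Stages")),
            security_event_ids=[s for s in str(e.get("SecurityEventIds", "")).split(",") if s],
            operate_type=op, operate_result=result,
            start_time=_ms_to_utc(e.get("StartTime", 0)),
            end_time=_ms_to_utc(e.get("EndTime", 0)),
        ))
    return data["PageInfo"], events


def remaining_pages(page_info: dict) -> int:
    """Pages left after the current one, from TotalCount and PageSize."""
    size = max(int(page_info.get("PageSize", 20)), 1)
    total = math.ceil(int(page_info.get("TotalCount", 0)) / size)
    return max(total - int(page_info.get("CurrentPage", 1)), 0)


def needs_attention(ev: AlarmEvent) -> bool:
    """Unhandled, serious, and remediable through the API: work these first."""
    return not ev.dealed and ev.level == "serious" and ev.can_deal_online


def remediation_failed(ev: AlarmEvent) -> bool:
    """A handling action was attempted and did not succeed (Failure or AgentOffline)."""
    return ev.operate_result in ("Failure", "AgentOffline")
```

Key the poller's state on AlarmUniqueInfo rather than on the list position: the same event reappears on later pages and later polls while it remains unhandled, and GmtModified changes when its exception count grows. An AgentOffline result is worth its own queue, because the kill_and_quara or quara action never reached the host and the alert will otherwise sit looking "handled".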

Error codes

HTTP status code Error code Error message Description
400 NoPermission no permission The error message returned because you do not have access permissions.
400 UnknownError UnknownError The error message returned because an unknown error occurred.
500 ServerError ServerError The error message returned because a server error occurred.

For a list of error codes, visit the API Error Center.