Queries the details of an exception. An alert event consists of alerts and exceptions. Each alert event is associated with multiple exceptions.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

| Parameter | Type | Required | Example | Description |
|---|---|---|---|---|
| Action | String | Yes | DescribeSuspEventDetail | The operation that you want to perform. Set the value to DescribeSuspEventDetail. |
| From | String | Yes | sas | The data source on which the exception is detected. Set the value to sas. |
| SourceIp | String | No | 1.2.XX.XX | The source IP address of the request. |
| Lang | String | No | zh | The natural language of the request and response. Valid values: zh: Chinese; en: English. |
| SuspiciousEventId | Integer | No | 1 | The ID of the exception to query. Note: To query the details of an exception, you must provide the ID of the exception. You can call the DescribeSuspEvents operation to query the IDs of exceptions. |

Response parameters

| Parameter | Type | Example | Description |
|---|---|---|---|
| CanBeDealOnLine | Boolean | true | Indicates whether the online processing of exceptions is supported. Valid values: true: Online processing is supported; false: Online processing is not supported. |
| DataSource | String | aegis_suspicious_*** | The data source on which the exception is detected. |
| Details | Array of QuaraFile | | The details of the exception. |
| NameDisplay | String | Source file download | The name of the exception. |
| Type | String | html | The format in which the exception details are displayed. Valid values: text; html. |
| Value | String | 2018-12-12 12:00:00 | The attribute information about the exception. For example, if the exception is associated with an alert that is triggered by an unusual logon, the information can include the time when the logon is initiated and the location from which the logon is initiated. If the exception is associated with an alert that is triggered by a webshell file, the information can include the path of the trojan file and the type of the trojan. |
| EventDesc | String | This file may have been uploaded by an attacker who has intruded into your website. Check the validity of this file. | The description of the exception. |
| EventName | String | WEBSHELL | The name of the exception. |
| EventStatus | String | 1 | The status of the exception. Valid values: 1: unhandled; 2: ignored; 4: confirmed; 8: marked as a false positive; 16: handling; 32: handled; 64: expired. |
| EventTypeDesc | String | Webshell - Webshell file | The type of the exception. |
| Id | Integer | 1991 | The ID of the exception. |
| InstanceName | String | ca_cpm_test1 | The name of the server on which the exception occurs. |
| InternetIp | String | 1.1.XX.XX | The public IP address of the server on which the exception occurs. |
| IntranetIp | String | 1.2.XX.XX | The private IP address of the server on which the exception occurs. |
| LastTime | String | 2018-10-30 11:43:46 | The time when the exception was last detected. |
| Level | String | serious | The risk level of the exception. Valid values: serious; suspicious; remind. |
| OperateErrorCode | String | quara.Succes | The handling result code of the exception. |
| OperateMsg | String | success | The message that describes the handling result of the exception. |
| RequestId | String | 1 | The ID of the request. |
| SaleVersion | String | 1 | The edition in which the exception detection can be enabled. Valid values: 0: the Basic edition; 1: the Advanced edition; 2: the Enterprise edition. |
| Uuid | String | bffb12c3-590a-4db2-b538-*** | The UUID of the server on which the exception occurs. |

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeSuspEventDetail
&From=sas
&<Common request parameters>

Sample success responses

XML format

<DescribeSuspEventDetailResponse>
  <EventDesc>This file may have been uploaded by an attacker who has intruded into your website. Check the validity of this file.</EventDesc>
  <EventTypeDesc>Webshell - Webshell file</EventTypeDesc>
  <RequestId>1</RequestId>
  <OperateErrorCode>quara.Succes</OperateErrorCode>
  <EventStatus>1</EventStatus>
  <EventName>WEBSHELL</EventName>
  <SaleVersion>1</SaleVersion>
  <IntranetIp>1.2.XX.XX</IntranetIp>
  <DataSource>aegis_suspicious_***</DataSource>
  <InstanceName>ca_cpm_test1</InstanceName>
  <CanBeDealOnLine>true</CanBeDealOnLine>
  <OperateMsg>success</OperateMsg>
  <Uuid>bffb12c3-590a-4db2-b538-***</Uuid>
  <Details>
        <Type>html</Type>
        <Value>2018-12-12 12:00:00</Value>
        <NameDisplay>Source file download</NameDisplay>
  </Details>
  <InternetIp>1.1.XX.XX</InternetIp>
  <Level>serious</Level>
  <Id>1991</Id>
  <LastTime> 2018-10-30 11:43:46 </LastTime>
</DescribeSuspEventDetailResponse>

JSON format

{
    "EventDesc": "This file may have been uploaded by an attacker who has intruded into your website. Check the validity of this file.",
    "EventTypeDesc": "Webshell - Webshell file",
    "RequestId": 1,
    "OperateErrorCode": "quara.Succes",
    "EventStatus": 1,
    "EventName": "WEBSHELL",
    "SaleVersion": 1,
    "IntranetIp": "1.2.XX.XX",
    "DataSource": "aegis_suspicious_***",
    "InstanceName": "ca_cpm_test1",
    "CanBeDealOnLine": true,
    "OperateMsg": "success",
    "Uuid": "bffb12c3-590a-4db2-b538-***",
    "Details": {
        "Type": "html",
        "Value": "2018-12-12 12:00:00",
        "NameDisplay": "Source file download"
    },
    "InternetIp": "1.1.XX.XX",
    "Level": "serious",
    "Id": 1991,
    "LastTime": "2018-10-30 11:43:46"
}
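
The following is an added example, not code from the product documentation or its SDKs: it turns a DescribeSuspEventDetail JSON body into a flat triage record, decoding EventStatus with the table above, accepting Details as either one object or an array, and reducing html-typed Value fields to plain text before they reach a ticket or dashboard. The names normalize_event and detail_to_text, the "open" flag and the html Value in the sample are assumptions made for the example.

```python
import html
import json
import re

# Status codes and risk levels as listed in the response parameters above.
EVENT_STATUS = {1: "unhandled", 2: "ignored", 4: "confirmed",
                8: "marked as a false positive", 16: "handling",
                32: "handled", 64: "expired"}
LEVELS = {"serious", "suspicious", "remind"}
_TAG = re.compile(r"<[^>]*>")

def detail_to_text(detail):
    """Return (NameDisplay, plain-text Value) for one Details entry."""
    value = str(detail.get("Value", ""))
    if detail.get("Type") == "html":
        # Example's choice: html values are untrusted markup; keep text only.
        value = html.unescape(_TAG.sub("", value))
    return detail.get("NameDisplay", ""), value.strip()

def normalize_event(raw):
    """Flatten a DescribeSuspEventDetail JSON body into a triage record."""
    body = json.loads(raw) if isinstance(raw, str) else raw
    details = body.get("Details") or []
    if isinstance(details, dict):  # the sample response shows a single object
        details = [details]
    status = int(body["EventStatus"])  # typed String, but the sample is numeric
    level = body.get("Level")
    return {
        "id": int(body["Id"]),
        "name": body.get("EventName"),
        "status": EVENT_STATUS.get(status, f"unknown({status})"),
        "level": level if level in LEVELS else f"unknown({level})",
        "host": body.get("InstanceName"),
        "last_seen": str(body.get("LastTime", "")).strip(),
        "details": [detail_to_text(d) for d in details],
        # Assumption of this example: unhandled and handling count as open.
        "open": status in (1, 16),
    }

# Constructed sample: fields from the sample response, html Value invented.
SAMPLE = json.dumps({
    "EventName": "WEBSHELL", "EventStatus": "1", "Level": "serious",
    "Id": 1991, "InstanceName": "ca_cpm_test1",
    "LastTime": " 2018-10-30 11:43:46 ",
    "Details": {"Type": "html", "NameDisplay": "Source file download",
                "Value": "<a href='#'>2018-12-12 12:00:00</a> &amp; more"},
})

if __name__ == "__main__":
    print(normalize_event(SAMPLE))
```

The returned detail values are plain text; escape them again if they are written into an HTML page.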

Error codes

For a list of error codes, visit the API Error Center.