DescribeSuspEvents - API Reference| Alibaba Cloud Documentation Center

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters


Parameter	Type	Required	Example	Description
Action	String	Yes	DescribeSuspEvents	The operation that you want to perform. Set the value to DescribeSuspEvents.
From	String	Yes	sas	The data source on which the exception is detected. Set the value to sas.
SourceIp	String	No	1.2.3.4	The source IP address of the request.
Dealed	String	No	N	The status of the exception. Valid values: N: unhandled Y: handled
Name	String	No	ecs-xxx	The name of the exception or the affected server. Fuzzy match is supported.
Levels	String	No	serious	The risk level of the exception. Separate multiple levels with commas (,). The following levels are listed in descending order: serious suspicious remind
ParentEventTypes	String	No	Webshell	The type of the alert event to which the exception is related.
Remark	String	No	Test server	The IP address or name of the server.
PageSize	String	No	20	The number of entries to return on each page. Default value: 20.
CurrentPage	String	No	1	The page number of the current page.
Lang	String	No	zh	The natural language of the request and response. Valid values: zh: Chinese en: English
AlarmUniqueInfo	String	No	8df914418f4211fbf***	The ID of the alert event to which the exception is related. Note To query details about the exceptions of an alert event, you must provide the ID of the alert event. You can call the DescribeAlarmEventList operation to query the IDs of alert events.

Response parameters


Parameter	Type	Example	Description
RequestId	String	43F670F3-AB40-4E91-BC7D-C57400000000	The ID of the request.
Count	Integer	1	The number of entries returned on the current page.
PageSize	Integer	20	The number of entries returned per page.
TotalCount	Integer	100	The total number of the exceptions.
CurrentPage	Integer	1	The page number of the current page.
SuspEvents	Array		The details of the exception.
LastTime	String	2018-09-26 01:51:01	The time when the exception last occurred.
OccurrenceTime	String	2018-09-26 01:51:01	The time when the exception first occurred.
Id	Long	1000	The ID of the exception.
UniqueInfo	String	e17e***	The ID of the exception after processing.
InstanceName	String	nginx	The name of the associated instance.
InternetIp	String	1.2.3.1	The public IP address of the associated instance.
IntranetIp	String	1.2.3.5	The private IP address of the associated instance.
Uuid	String	bf6b30d3-eea8-4924-9f0a-***	The ID of the associated instance.
Name	String	Malicious process (cloud threat detection) - XOR DDoS trojan	The complete name of the exception.
EventSubType	String	XOR DDoS trojan	The name of the exception.
Level	String	serious	The risk level of the exception. Valid values: serious suspicious remind
EventStatus	Integer	1	The status of the exception. Valid values: 1: unhandled 2: ignored 4: confirmed 8: marked as a false positive 16: handling 32: handled 64: expired
Desc	String	webshell	The impact of the exception.
OperateMsg	String	success	The operation remarks of the exception.
DataSource	String	aegis_suspicious_***	This parameter is deprecated.
CanBeDealOnLine	Boolean	true	Indicates whether the online processing of the exception is supported. The processing includes quarantining the exception. Valid values: true: Online processing is supported. false: Online processing is not supported.
SaleVersion	String	1	The edition in which exception detection can be enabled. Valid values: 0: the Basic edition 1: the Enterprise edition
AlarmEventType	String	Suspicious process	The type of the alert event.
AlarmEventName	String	Execution of suspicious commands in scheduled Linux tasks	The name of the alert event.
AlarmUniqueInfo	String	8df914418f***	The ID of the alert event.

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeSuspEvents
&From=saas
&<Common request parameters>

Sample success responses

XML format

<DescribeSuspEvents>
  <TotalCount>3</TotalCount>
  <Count>2</Count>
  <PageSize>20</PageSize>
  <RequestId>0C7FAD74-83FA-4671-9250-A5F2A64F437A</RequestId>
  <CurrentPage>1</CurrentPage>
  <SuspEvents>
        <EventStatus>1</EventStatus>
        <SaleVersion>1</SaleVersion>
        <IntranetIp>1.2.3.4</IntranetIp>
        <EventSubType>XOR DDoS trojan</EventSubType>
        <Name>Malicious process (cloud threat detection) - XOR DDoS trojan</Name>
        <DataSource>aegis_suspiciou***</DataSource>
        <OccurrenceTime>2018-09-26 01:51:01</OccurrenceTime>
        <InstanceName>server01</InstanceName>
        <Desc>After accessing your server, the XOR DDoS trojan may inject malicious code into Linux scheduled tasks. </Desc>
        <CanBeDealOnLine>false</CanBeDealOnLine>
        <Uuid>bf6b30d3-eea8-4924***</Uuid>
        <InternetIp>1.2.3.4</InternetIp>
        <Level>serious</Level>
        <Id>3682</Id>
        <LastTime>2018-10-24 21:06:01</LastTime>
  </SuspEvents>
  <SuspEvents>
        <EventStatus>1</EventStatus>
        <SaleVersion>1</SaleVersion>
        <IntranetIp>1.2.3.5</IntranetIp>
        <EventSubType>XOR DDoS trojan</EventSubType>
        <Name>Malicious process (cloud threat detection) - XOR DDoS trojan</Name>
        <DataSource>aegis_suspiciou***</DataSource>
        <OccurrenceTime>2018-09-26 02:01:01</OccurrenceTime>
        <InstanceName>server01</InstanceName>
        <Desc>After accessing your server, the XOR DDoS trojan may inject malicious code into Linux scheduled tasks. </Desc>
        <CanBeDealOnLine>false</CanBeDealOnLine>
        <Uuid>bf6b30d3-eea8-4924-***</Uuid>
        <InternetIp>1.2.3.4</InternetIp>
        <Level>serious</Level>
        <Id>3683</Id>
        <LastTime>2018-10-24 21:01:01</LastTime>
  </SuspEvents>
</DescribeSuspEvents>

JSON format

{
    "TotalCount": 3,
    "Count": 2,
    "PageSize": 20,
    "RequestId": "0C7FAD74-83FA-4671-9250-A5F2A64F437A",
    "CurrentPage": 1,
    "SuspEvents": [
        {
            "EventStatus": 1,
            "SaleVersion": "1",
            "IntranetIp": "1.2.3.4",
            "EventSubType": "XOR DDoS trojan",
            "Name": "Malicious process (cloud threat detection) - XOR DDoS trojan",
            "DataSource": "aegis_suspiciou***",
            "OccurrenceTime": "2018-09-26 01:51:01",
            "InstanceName": "server01",
            "Desc": "After accessing your server, the XOR DDoS trojan may inject malicious code into Linux scheduled tasks.",
            "CanBeDealOnLine": false,
            "Uuid": "bf6b30d3-eea8-4924***",
            "InternetIp": "1.2.3.4",
            "Level": "serious",
            "Id": 3682,
            "LastTime": "2018-10-24 21:06:01"
        },
        {
            "EventStatus": 1,
            "SaleVersion": "1",
            "IntranetIp": "1.2.3.5",
            "EventSubType": "XOR DDoS trojan",
            "Name": "Malicious process (cloud threat detection) - XOR DDoS trojan",
            "DataSource": "aegis_suspiciou***",
            "OccurrenceTime": "2018-09-26 02:01:01",
            "InstanceName": "server01",
            "Desc": "After accessing your server, the XOR DDoS trojan may inject malicious code into Linux scheduled tasks.",
            "CanBeDealOnLine": false,
            "Uuid": "bf6b30d3-eea8-4924-***",
            "InternetIp": "1.2.3.4",
            "Level": "serious",
            "Id": 3683,
            "LastTime": "2018-10-24 21:01:01"
        }
    ]
}

Error codes

For a list of error codes, visit the API Error Center.