Queries information about exceptions. An alert event consists of alerts and exceptions, and each alert event is related to multiple exceptions.
Request parameters
Parameter | Type | Required | Example | Description |
---|---|---|---|---|
Action | String | Yes | DescribeSuspEvents | The operation that you want to perform. Set the value to DescribeSuspEvents. |
From | String | Yes | sas | The data source on which the exception is detected. Set the value to sas. |
SourceIp | String | No | 1.2.3.4 | The source IP address of the request. |
Dealed | String | No | N | The status of the exception. Valid values: |
Name | String | No | ecs-xxx | The name of the exception or the affected server. Fuzzy match is supported. |
Levels | String | No | serious | The risk level of the exception. Separate multiple levels with commas (,). The following levels are listed in descending order: |
ParentEventTypes | String | No | Webshell | The type of the alert event to which the exception is related. |
Remark | String | No | Test server | The IP address or name of the server. |
PageSize | String | No | 20 | The number of entries to return on each page. Default value: 20. |
CurrentPage | String | No | 1 | The page number of the current page. |
Lang | String | No | zh | The natural language of the request and response. Valid values: |
AlarmUniqueInfo | String | No | 8df914418f4211fbf*** | The ID of the alert event to which the exception is related. Note: To query details about the exceptions of an alert event, you must provide the ID of the alert event. You can call the DescribeAlarmEventList operation to query the IDs of alert events. |
Response parameters
Parameter | Type | Example | Description |
---|---|---|---|
RequestId | String | 43F670F3-AB40-4E91-BC7D-C57400000000 | The ID of the request. |
Count | Integer | 1 | The number of entries returned on the current page. |
PageSize | Integer | 20 | The number of entries returned per page. |
TotalCount | Integer | 100 | The total number of exceptions. |
CurrentPage | Integer | 1 | The page number of the current page. |
SuspEvents | Array | | The details of the exceptions. Each element contains the fields below. |
LastTime | String | 2018-09-26 01:51:01 | The time when the exception last occurred. |
OccurrenceTime | String | 2018-09-26 01:51:01 | The time when the exception first occurred. |
Id | Long | 1000 | The ID of the exception. |
UniqueInfo | String | e17e*** | The ID of the exception after processing. |
InstanceName | String | nginx | The name of the associated instance. |
InternetIp | String | 1.2.3.1 | The public IP address of the associated instance. |
IntranetIp | String | 1.2.3.5 | The private IP address of the associated instance. |
Uuid | String | bf6b30d3-eea8-4924-9f0a-*** | The ID of the associated instance. |
Name | String | Malicious process (cloud threat detection) - XOR DDoS trojan | The complete name of the exception. |
EventSubType | String | XOR DDoS trojan | The name of the exception. |
Level | String | serious | The risk level of the exception. Valid values: |
EventStatus | Integer | 1 | The status of the exception. Valid values: |
Desc | String | webshell | The impact of the exception. |
OperateMsg | String | success | The operation remarks of the exception. |
DataSource | String | aegis_suspicious_*** | This parameter is deprecated. |
CanBeDealOnLine | Boolean | true | Indicates whether online processing of the exception is supported. Processing includes quarantining the exception. Valid values: |
SaleVersion | String | 1 | The edition in which exception detection can be enabled. Valid values: |
AlarmEventType | String | Suspicious process | The type of the alert event. |
AlarmEventName | String | Execution of suspicious commands in scheduled Linux tasks | The name of the alert event. |
AlarmUniqueInfo | String | 8df914418f*** | The ID of the alert event. |
Examples
Sample requests
```
http(s)://[Endpoint]/?Action=DescribeSuspEvents
&From=sas
&<Common request parameters>
```
Sample success responses
XML format

```xml
<DescribeSuspEvents>
  <TotalCount>3</TotalCount>
  <Count>2</Count>
  <PageSize>20</PageSize>
  <RequestId>0C7FAD74-83FA-4671-9250-A5F2A64F437A</RequestId>
  <CurrentPage>1</CurrentPage>
  <SuspEvents>
    <EventStatus>1</EventStatus>
    <SaleVersion>1</SaleVersion>
    <IntranetIp>1.2.3.4</IntranetIp>
    <EventSubType>XOR DDoS trojan</EventSubType>
    <Name>Malicious process (cloud threat detection) - XOR DDoS trojan</Name>
    <DataSource>aegis_suspiciou***</DataSource>
    <OccurrenceTime>2018-09-26 01:51:01</OccurrenceTime>
    <InstanceName>server01</InstanceName>
    <Desc>After accessing your server, the XOR DDoS trojan may inject malicious code into Linux scheduled tasks.</Desc>
    <CanBeDealOnLine>false</CanBeDealOnLine>
    <Uuid>bf6b30d3-eea8-4924***</Uuid>
    <InternetIp>1.2.3.4</InternetIp>
    <Level>serious</Level>
    <Id>3682</Id>
    <LastTime>2018-10-24 21:06:01</LastTime>
  </SuspEvents>
  <SuspEvents>
    <EventStatus>1</EventStatus>
    <SaleVersion>1</SaleVersion>
    <IntranetIp>1.2.3.5</IntranetIp>
    <EventSubType>XOR DDoS trojan</EventSubType>
    <Name>Malicious process (cloud threat detection) - XOR DDoS trojan</Name>
    <DataSource>aegis_suspiciou***</DataSource>
    <OccurrenceTime>2018-09-26 02:01:01</OccurrenceTime>
    <InstanceName>server01</InstanceName>
    <Desc>After accessing your server, the XOR DDoS trojan may inject malicious code into Linux scheduled tasks.</Desc>
    <CanBeDealOnLine>false</CanBeDealOnLine>
    <Uuid>bf6b30d3-eea8-4924-***</Uuid>
    <InternetIp>1.2.3.4</InternetIp>
    <Level>serious</Level>
    <Id>3683</Id>
    <LastTime>2018-10-24 21:01:01</LastTime>
  </SuspEvents>
</DescribeSuspEvents>
```
JSON format

```json
{
  "TotalCount": 3,
  "Count": 2,
  "PageSize": 20,
  "RequestId": "0C7FAD74-83FA-4671-9250-A5F2A64F437A",
  "CurrentPage": 1,
  "SuspEvents": [
    {
      "EventStatus": 1,
      "SaleVersion": "1",
      "IntranetIp": "1.2.3.4",
      "EventSubType": "XOR DDoS trojan",
      "Name": "Malicious process (cloud threat detection) - XOR DDoS trojan",
      "DataSource": "aegis_suspiciou***",
      "OccurrenceTime": "2018-09-26 01:51:01",
      "InstanceName": "server01",
      "Desc": "After accessing your server, the XOR DDoS trojan may inject malicious code into Linux scheduled tasks.",
      "CanBeDealOnLine": false,
      "Uuid": "bf6b30d3-eea8-4924***",
      "InternetIp": "1.2.3.4",
      "Level": "serious",
      "Id": 3682,
      "LastTime": "2018-10-24 21:06:01"
    },
    {
      "EventStatus": 1,
      "SaleVersion": "1",
      "IntranetIp": "1.2.3.5",
      "EventSubType": "XOR DDoS trojan",
      "Name": "Malicious process (cloud threat detection) - XOR DDoS trojan",
      "DataSource": "aegis_suspiciou***",
      "OccurrenceTime": "2018-09-26 02:01:01",
      "InstanceName": "server01",
      "Desc": "After accessing your server, the XOR DDoS trojan may inject malicious code into Linux scheduled tasks.",
      "CanBeDealOnLine": false,
      "Uuid": "bf6b30d3-eea8-4924-***",
      "InternetIp": "1.2.3.4",
      "Level": "serious",
      "Id": 3683,
      "LastTime": "2018-10-24 21:01:01"
    }
  ]
}
```
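As an added example (not part of this document and not Alibaba Cloud's own SDK), the following Python shows how a responder would consume this operation end to end: assemble the documented query parameters, walk the paginated `SuspEvents` list using `PageSize`, `CurrentPage` and `TotalCount`, and triage the returned exceptions by `Level`, affected host and `CanBeDealOnLine`. The names `build_request`, `iter_susp_events`, `triage`, `fake_fetch` and the `fetch` transport callable are introduced here; page 1 of the sample data is the JSON response above (trimmed to the fields the code uses, with `PageSize` lowered to 2 so that pagination is exercised), and page 2 is constructed. The common request parameters (signature, credentials) that this page elides are left to the transport.

```python
import json
from typing import Callable, Dict, Iterator, List, Optional

# Constructed sample data. Page 1 mirrors the JSON success response shown in
# this document (PageSize reduced to 2); page 2 is made up so that the
# pagination loop has a second page to fetch. Nothing here contacts a real endpoint.
SAMPLE_PAGES: List[dict] = [
    json.loads("""{
      "TotalCount": 3, "Count": 2, "PageSize": 2, "CurrentPage": 1,
      "RequestId": "0C7FAD74-83FA-4671-9250-A5F2A64F437A",
      "SuspEvents": [
        {"EventStatus": 1, "Level": "serious", "Id": 3682,
         "EventSubType": "XOR DDoS trojan", "InstanceName": "server01",
         "IntranetIp": "1.2.3.4", "Uuid": "bf6b30d3-eea8-4924***",
         "LastTime": "2018-10-24 21:06:01", "CanBeDealOnLine": false},
        {"EventStatus": 1, "Level": "serious", "Id": 3683,
         "EventSubType": "XOR DDoS trojan", "InstanceName": "server01",
         "IntranetIp": "1.2.3.5", "Uuid": "bf6b30d3-eea8-4924-***",
         "LastTime": "2018-10-24 21:01:01", "CanBeDealOnLine": false}
      ]}"""),
    json.loads("""{
      "TotalCount": 3, "Count": 1, "PageSize": 2, "CurrentPage": 2,
      "RequestId": "CONSTRUCTED-REQUEST-ID",
      "SuspEvents": [
        {"EventStatus": 1, "Level": "serious", "Id": 3684,
         "EventSubType": "XOR DDoS trojan", "InstanceName": "server02",
         "IntranetIp": "1.2.3.6", "Uuid": "CONSTRUCTED-UUID",
         "LastTime": "2018-10-24 22:00:00", "CanBeDealOnLine": true}
      ]}"""),
]


def build_request(current_page: int = 1, page_size: int = 20,
                  alarm_unique_info: Optional[str] = None,
                  levels: Optional[List[str]] = None,
                  dealed: Optional[str] = None) -> Dict[str, str]:
    """Assemble the query parameters documented above. The common request
    parameters (signature, AccessKey) are added by the SDK, not here."""
    params = {
        "Action": "DescribeSuspEvents",
        "From": "sas",                      # required fixed value
        "PageSize": str(page_size),
        "CurrentPage": str(current_page),
    }
    if alarm_unique_info:
        params["AlarmUniqueInfo"] = alarm_unique_info
    if levels:
        params["Levels"] = ",".join(levels)  # documented as comma-separated
    if dealed:
        params["Dealed"] = dealed
    return params


def iter_susp_events(fetch: Callable[[Dict[str, str]], dict],
                     page_size: int = 20, **filters) -> Iterator[dict]:
    """Yield every SuspEvents entry across all pages. `fetch` is a hypothetical
    transport: it takes the query parameters and returns the parsed JSON body.
    The loop stops on an empty page as well as on TotalCount, so a backend that
    over-reports TotalCount cannot make it spin forever."""
    page, seen = 1, 0
    while True:
        body = fetch(build_request(current_page=page, page_size=page_size, **filters))
        events = body.get("SuspEvents") or []
        for event in events:
            yield event
        seen += len(events)
        if not events or seen >= int(body.get("TotalCount", 0)):
            return
        page += 1


def triage(events: List[dict]) -> dict:
    """Summarise a batch for a responder: counts per risk level, affected
    hosts, and the IDs that cannot be handled online (CanBeDealOnLine false)
    and therefore need manual follow-up on the instance."""
    by_level: Dict[str, int] = {}
    hosts = set()
    manual: List[int] = []
    for e in events:
        level = e.get("Level", "unknown")
        by_level[level] = by_level.get(level, 0) + 1
        hosts.add(e.get("InstanceName", "?"))
        if not e.get("CanBeDealOnLine", False):
            manual.append(int(e["Id"]))
    return {"by_level": by_level, "hosts": sorted(hosts), "manual_follow_up": sorted(manual)}


def fake_fetch(params: Dict[str, str]) -> dict:
    """Stand-in transport serving the constructed pages; it also checks that
    the caller sends the two parameters this document marks as required."""
    if params.get("Action") != "DescribeSuspEvents" or params.get("From") != "sas":
        raise ValueError("Action and From=sas are required")
    index = int(params["CurrentPage"]) - 1
    if index < len(SAMPLE_PAGES):
        return SAMPLE_PAGES[index]
    return {"TotalCount": 3, "Count": 0, "PageSize": params["PageSize"],
            "CurrentPage": index + 1, "SuspEvents": []}


if __name__ == "__main__":
    found = list(iter_susp_events(fake_fetch, page_size=2, levels=["serious"]))
    print(json.dumps(triage(found), indent=2))
```

Swapping `fake_fetch` for a real transport is the only change needed for production use; keeping the pagination and triage logic independent of the transport is what makes the loop testable offline, and the empty-page guard matters because a pagination loop driven solely by `TotalCount` will hang if the count and the page contents ever disagree.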
Error codes
For a list of error codes, visit the API Error Center.