
Cloud Firewall:DescribeRiskEventGroup

Last Updated:Nov 25, 2025

Retrieves the details of intrusion prevention events.

Operation description

You can use this operation to query and download the details of intrusion prevention events. We recommend that you query 5 to 10 entries per call. To prevent query timeouts, set the NoLocation parameter to true if you do not need IP geolocation information.

QPS limit

The queries per second (QPS) limit for a single user is 10. If you exceed the limit, your API calls are throttled, which may affect your business. Call this operation at a reasonable rate.


RAM authorization

No authorization is required for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

Parameter

Type

Required

Description

Example

Lang

string

No

The language of the request and response. Valid values:

  • zh (default): Chinese.

  • en: English.

zh

StartTime

string

Yes

The start of the time range to query. The value is a UNIX timestamp. Unit: seconds.

1534408189

EndTime

string

Yes

The end of the time range to query. The value is a UNIX timestamp. Unit: seconds.

1534408267

Direction

string

No

The traffic direction of the intrusion prevention event. Valid values:

  • in: inbound

  • out: outbound

Note

If you do not set this parameter, events in all traffic directions are queried.

in

PageSize

string

No

The number of entries to return on each page.

Default value: 6. Maximum value: 10.

6

CurrentPage

string

No

The number of the page to return. Default value: 1.

1

DataType

string

Yes

The type of the risk event.
Set the value to session, which indicates intrusion prevention events.

session

RuleSource

string

No

The source of the rule that is used to detect the intrusion prevention event. Valid values:

  • 1: basic protection

  • 2: virtual patching

  • 4: threat intelligence

Note

If you do not set this parameter, events detected based on all types of rules are queried.

1

RuleResult

string

No

The handling status of the event, that is, the action that Cloud Firewall took. Valid values:

  • 1: Alert

  • 2: Block

Note

If you do not set this parameter, events in all handling statuses are queried.

1

SrcIP

string

No

The source IP address to query. If you set this parameter, only intrusion prevention events that contain the specified source IP address are queried.

192.0.XX.XX

DstIP

string

No

The destination IP address to query. If you set this parameter, only intrusion prevention events that contain the specified destination IP address are queried.

192.0.XX.XX

VulLevel

string

No

The risk level of the intrusion prevention event. Valid values:

  • 1: low

  • 2: medium

  • 3: high

Note

If you do not set this parameter, events of all risk levels are queried.

1

FirewallType

string

No

The type of the firewall. Valid values:

  • VpcFirewall: VPC firewall

  • InternetFirewall (default): Internet firewall

InternetFirewall

SrcNetworkInstanceId

string

No

The ID of the source VPC.

Note

This parameter is required only when `FirewallType` is set to `VpcFirewall`.

vpc-uf6e9a9zyokj2ywuo****

DstNetworkInstanceId

string

No

The ID of the destination VPC.

Note

This parameter is required only when `FirewallType` is set to `VpcFirewall`.

vpc-uf6e9a9zyokj2ywuo****

AttackType

string

No

The type of the attack. Valid values:

  • 1: abnormal connection

  • 2: command execution

  • 3: brute-force attack

  • 4: scan

  • 5: other

  • 6: information leakage

  • 7: DoS attack

  • 8: overflow attack

  • 9: web attack

  • 10: backdoor trojan

  • 11: virus or worm

  • 12: mining behavior

  • 13: reverse shell

Note

If you do not set this parameter, events of all attack types are queried.

1

NoLocation

string

No

Specifies whether to query the IP address location information. Valid values:

  • true: Does not query the IP geolocation information.

  • false (default): Queries the IP geolocation information.

false

AttackApp

array

No

A list of names of the attacked applications. Use the ["AttackApp1","AttackApp2"] format.

["MySql","DNS"]

string

No

The name of the attacked application.

Redis

BuyVersion

integer

No

The edition of Cloud Firewall. Valid values:

  • 2: Premium Edition

  • 3: Enterprise Edition

  • 4: Ultimate Edition

  • 10: pay-as-you-go

10

Sort

string

No

The field to use for sorting. Valid values:

  • VulLevel (default): Sorts by risk level.

  • LastTime: Sorts by the most recent occurrence time.

LastTime

Order

string

No

The sorting order. Valid values:

  • asc: ascending

  • desc (default): descending

desc

EventName

string

No

The name of the intrusion prevention event.

木马后门通信 ("Trojan backdoor communication")

IsOnlyPrivateAssoc

string

No

Specifies whether to query only the data that is traced to private IP addresses.

true

AttackAppCategory

array

No

A list of categories of the attacked applications. Use the ["AttackAppCategory1","AttackAppCategory2"] format.

string

No

The category of the attacked application.

AI组件 ("AI component")

In addition to the preceding request parameters, you must specify common request parameters when you call this operation. For more information about common request parameters, see Common parameters. For the request format, see the request example in the Examples section of this topic.
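The following Python is an added example, not code from this page or from the Alibaba Cloud SDK. It assembles the operation parameters documented above for one page of results (DataType fixed to session, PageSize clamped to the documented maximum of 10, NoLocation defaulting to true) and then signs them the way RPC-style common request parameters are signed. The endpoint host, the Version string, and the HMAC-SHA1 signing scheme are assumptions that this page does not state; confirm them against the Common parameters page before relying on them.

```python
"""Build and sign a DescribeRiskEventGroup query (added example, not Alibaba Cloud SDK code).

Only the operation-specific parameters come from this page. The endpoint host,
the API version string and the RPC-style HMAC-SHA1 signing of the common request
parameters are assumptions; confirm them against the Common parameters page.
"""
import base64
import hashlib
import hmac
import time
import urllib.parse
import uuid

ASSUMED_ENDPOINT = "cloudfw.aliyuncs.com"  # assumption, not stated on this page
ASSUMED_VERSION = "2017-12-07"             # assumption, not stated on this page
MAX_PAGE_SIZE = 10                         # documented maximum for PageSize


def event_query_params(start_time, end_time, current_page=1, page_size=MAX_PAGE_SIZE,
                       no_location=True, **filters):
    """Operation parameters for one page of intrusion prevention events.

    start_time/end_time are UNIX seconds. DataType is fixed to "session" as the
    page requires, PageSize is clamped to the documented maximum, and NoLocation
    defaults to true to skip the geolocation lookup that causes timeouts.
    Optional filters (Direction, VulLevel, RuleResult, SrcIP, ...) are passed by
    their documented parameter names; None values are dropped.
    """
    if start_time >= end_time:
        raise ValueError("StartTime must be earlier than EndTime")
    if current_page < 1:
        raise ValueError("CurrentPage starts at 1")
    params = {
        "Action": "DescribeRiskEventGroup",
        "DataType": "session",
        "StartTime": str(start_time),
        "EndTime": str(end_time),
        "CurrentPage": str(current_page),
        "PageSize": str(min(max(int(page_size), 1), MAX_PAGE_SIZE)),
        "NoLocation": "true" if no_location else "false",
    }
    params.update({k: str(v) for k, v in filters.items() if v is not None})
    return params


def percent_encode(value):
    """RFC 3986 encoding: only A-Z a-z 0-9 - _ . ~ stay unencoded, so a space
    becomes %20 and * becomes %2A, as the signature scheme requires."""
    return urllib.parse.quote(str(value), safe="~")


def string_to_sign(method, params):
    """Sort by name, encode each key and value, join with &, then encode the whole
    query string once more behind METHOD&%2F&."""
    canonical = "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                         for k, v in sorted(params.items()))
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign(access_key_secret, method, params):
    """Base64(HMAC-SHA1(secret + "&", StringToSign)); the trailing & is part of the scheme."""
    digest = hmac.new((access_key_secret + "&").encode("utf-8"),
                      string_to_sign(method, params).encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def signed_url(access_key_id, access_key_secret, op_params, timestamp=None, nonce=None):
    """Full GET URL with common parameters and Signature. Use a fresh nonce and the
    current UTC timestamp for every call; both are replay protections."""
    params = {
        "Format": "JSON",
        "Version": ASSUMED_VERSION,
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or uuid.uuid4().hex,
        "Timestamp": timestamp or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        **op_params,
    }
    params["Signature"] = sign(access_key_secret, "GET", params)
    query = "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                     for k, v in sorted(params.items()))
    return f"https://{ASSUMED_ENDPOINT}/?{query}"


if __name__ == "__main__":
    # High-risk events that were only alerted (not blocked) on inbound traffic, first page.
    page1 = event_query_params(1534408189, 1534408267, Direction="in", VulLevel=3, RuleResult=1)
    # Placeholder credentials; load real ones from a RAM role or a secret store, never from source.
    print(signed_url("LTAI****", "secret****", page1))
```

The Signature covers every query parameter, so the URL must be sent exactly as built; re-encoding or reordering parameters after signing produces a signature mismatch. Array parameters such as AttackApp are not handled here because this page does not describe how they are serialized on the wire.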

Response elements

Element

Type

Description

Example

object

The details of the intrusion prevention events.

TotalCount

integer

The total number of risk events.

20

RequestId

string

The ID of the request.

B14757D0-4640-4B44-AC67-7F558FE7E6EF

DataList

array<object>

The list of returned data.

object

A single intrusion prevention event group.

Direction

string

The traffic direction of the intrusion prevention event. Valid values:

  • in: inbound

  • out: outbound

in

EventName

string

The name of the intrusion prevention event.

Web目录穿越攻击 ("web directory traversal attack")

DstIP

string

The destination IP address of the intrusion prevention event.

192.0.XX.XX

AttackType

integer

The type of the attack. Valid values:

  • 1: abnormal connection

  • 2: command execution

  • 3: brute-force attack

  • 4: scan

  • 5: other

  • 6: information leakage

  • 7: DoS attack

  • 8: overflow attack

  • 9: web attack

  • 10: backdoor trojan

  • 11: virus or worm

  • 12: mining behavior

  • 13: reverse shell

1

Tag

string

The tag for major event support.

重保情报 ("major event protection intelligence")

RuleId

string

The ID of the rule that detected the intrusion prevention event.

1000****

EventId

string

The ID of the intrusion prevention event.

2b58efae-4c4b-4d96-9544-a586fb1f****

ResourceType

string

The type of the public IP address. Valid values:

  • EIP: an elastic IP address (EIP)

  • EcsPublicIP: an ECS public IP address

  • EcsEIP: an ECS EIP

  • NatPublicIP: a NAT public IP address

  • NatEIP: a NAT EIP

  • SlbPublicIp: an SLB public IP address

EcsPublicIP

FirstEventTime

integer

The time when the intrusion event first occurred. The value is a UNIX timestamp. Unit: seconds.

1534408189

Description

string

The description of the intrusion prevention event.

检测到HTTP请求的Web访问中使用了目录穿越攻击。 ("A directory traversal attack was detected in the web access of an HTTP request.")

EventCount

integer

The number of intrusion prevention events that are aggregated into this entry.

100

VulLevel

integer

The risk level of the intrusion prevention event. Valid values:

  • 1: low

  • 2: medium

  • 3: high

1

AttackApp

string

The name of the attacked application.

MySql

RuleSource

integer

The source of the rule that is used to detect the intrusion prevention event. Valid values:

  • 1: basic protection

  • 2: virtual patching

  • 4: threat intelligence

1

RuleResult

integer

The handling status. Valid values:

  • 1: Alert

  • 2: Block

2

SrcIP

string

The source IP address of the intrusion prevention event.

192.0.XX.XX

LastEventTime

integer

The time when the intrusion prevention event last occurred. The value is a UNIX timestamp. Unit: seconds.

1534408267

ResourcePrivateIPList

array<object>

The information about the private IP address in the intrusion prevention event. The value is an array that consists of the RegionNo, ResourceInstanceId, ResourceInstanceName, and ResourcePrivateIP parameters.
RegionNo indicates the region ID of the IP address. ResourceInstanceId indicates the ID of the instance to which the IP address belongs. ResourceInstanceName indicates the name of the instance to which the IP address belongs. ResourcePrivateIP indicates the IP address.

object

A single private IP address record. Each record contains the RegionNo, ResourceInstanceId, ResourceInstanceName, and ResourcePrivateIP parameters described below.

ResourceInstanceName

string

The name of the instance.

LD-shenzhen-zy****

ResourcePrivateIP

string

The private IP address.

10.255.XX.XX

ResourceInstanceId

string

The ID of the instance.

i-wz92jf4scg2zb74p****

RegionNo

string

The region ID. This parameter indicates the region ID of the private IP address.

cn-hangzhou

SrcPrivateIPList

array

The list of source private IP addresses in the intrusion prevention event.

string

The source private IP address in the intrusion prevention event.

Note

This parameter is returned only for outbound traffic.

["192.168.XX.XX","192.168.XX.XX"]

VpcSrcInfo

object

The information about the source VPC of the intrusion prevention event. This struct contains the EcsInstanceId, EcsInstanceName, NetworkInstanceId, NetworkInstanceName, and RegionNo parameters.
EcsInstanceId indicates the ID of the ECS instance in the VPC. EcsInstanceName indicates the name of the ECS instance in the VPC. NetworkInstanceId indicates the ID of the VPC. NetworkInstanceName indicates the name of the VPC. RegionNo indicates the region ID of the VPC.

EcsInstanceName

string

The name of the ECS instance.

LD-shenzhen-zy****

NetworkInstanceName

string

The name of the VPC.

VPC-SH-TX****

NetworkInstanceId

string

The ID of the VPC.

vpc-uf6e9a9zyokj2ywuo****

EcsInstanceId

string

The ID of the ECS instance.

i-wz92jf4scg2zb74p****

RegionNo

string

The region ID. This parameter indicates the region ID of the source VPC.

cn-hangzhou

VpcDstInfo

object

The information about the destination VPC of the intrusion prevention event. This struct contains the EcsInstanceId, EcsInstanceName, NetworkInstanceId, NetworkInstanceName, and RegionNo parameters.
EcsInstanceId indicates the ID of the ECS instance in the VPC. EcsInstanceName indicates the name of the ECS instance in the VPC. NetworkInstanceId indicates the ID of the VPC. NetworkInstanceName indicates the name of the VPC. RegionNo indicates the region ID of the VPC.

EcsInstanceName

string

The name of the ECS instance.

LD-shenzhen-zy****

NetworkInstanceName

string

The name of the VPC.

VPC-SH-TX****

NetworkInstanceId

string

The ID of the VPC.

vpc-uf6e9a9zyokj2ywuo****

EcsInstanceId

string

The ID of the ECS instance.

i-wz92jf4scg2zb74p****

RegionNo

string

The region ID. This parameter indicates the region ID of the destination VPC.

cn-hangzhou

IPLocationInfo

object

The geolocation information of the IP address. This struct contains the CityId, CityName, CountryId, and CountryName parameters.
CityId indicates the city ID of the IP address. CityName indicates the city name of the IP address. CountryId indicates the country ID of the IP address. CountryName indicates the country name of the IP address.

CityId

string

The city ID.

510100

CountryName

string

The country name.

中国 ("China")

CityName

string

The city name.

四川省成都 ("Chengdu, Sichuan")

CountryId

string

The country ID.

CN

SrcIPTag (deprecated)

string

The tag of the source IP address. This tag is used to identify whether the IP address is a back-to-origin IP address of an Alibaba Cloud service.

WAF Back-to-origin Address

SrcIPTags

array

The list of IP address tags.

string

The IP address tag.

Anti-DDoS Back-to-origin Address

Examples

Success response

JSON format

{
  "TotalCount": 20,
  "RequestId": "B14757D0-4640-4B44-AC67-7F558FE7E6EF",
  "DataList": [
    {
      "Direction": "in",
      "EventName": "Web目录穿越攻击",
      "DstIP": "192.0.XX.XX",
      "AttackType": 1,
      "Tag": "重保情报",
      "RuleId": "1000****",
      "EventId": "2b58efae-4c4b-4d96-9544-a586fb1f****",
      "ResourceType": "EcsPublicIP",
      "FirstEventTime": 1534408189,
      "Description": "检测到HTTP请求的Web访问中使用了目录穿越攻击。",
      "EventCount": 100,
      "VulLevel": 1,
      "AttackApp": "MySql",
      "RuleSource": 1,
      "RuleResult": 2,
      "SrcIP": "192.0.XX.XX",
      "LastEventTime": 1534408267,
      "ResourcePrivateIPList": [
        {
          "ResourceInstanceName": "LD-shenzhen-zy****",
          "ResourcePrivateIP": "10.255.XX.XX",
          "ResourceInstanceId": "i-wz92jf4scg2zb74p****",
          "RegionNo": "cn-hangzhou"
        }
      ],
      "SrcPrivateIPList": [
        "192.168.XX.XX",
        "192.168.XX.XX"
      ],
      "VpcSrcInfo": {
        "EcsInstanceName": "LD-shenzhen-zy****",
        "NetworkInstanceName": "VPC-SH-TX****",
        "NetworkInstanceId": "vpc-uf6e9a9zyokj2ywuo****",
        "EcsInstanceId": "i-wz92jf4scg2zb74p****",
        "RegionNo": "cn-hangzhou"
      },
      "VpcDstInfo": {
        "EcsInstanceName": "LD-shenzhen-zy****",
        "NetworkInstanceName": "VPC-SH-TX****",
        "NetworkInstanceId": "vpc-uf6e9a9zyokj2ywuo****",
        "EcsInstanceId": "i-wz92jf4scg2zb74p****",
        "RegionNo": "cn-hangzhou"
      },
      "IPLocationInfo": {
        "CityId": "510100",
        "CountryName": "中国",
        "CityName": "四川省成都",
        "CountryId": "CN"
      },
      "SrcIPTag": "WAF Back-to-origin Address",
      "SrcIPTags": [
        "Anti-DDoS Back-to-origin Address"
      ]
    }
  ]
}
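The following Python is an added example, not code from this page or from Alibaba Cloud: it decodes a response of the shape shown above into human-readable fields using the code tables from the Response elements section, and applies a simple triage rule of this example's own (not a Cloud Firewall feature): flag high-risk events that were only alerted rather than blocked, and any outbound backdoor, mining or reverse-shell event, since outbound detections point at an already compromised internal host. SAMPLE_RESPONSE is constructed for this example; its first entry mirrors the page's JSON example and the second is made up to exercise the rules, including a SrcPrivateIPList element that holds a JSON-encoded array, the shape the page's own example shows.

```python
"""Decode a DescribeRiskEventGroup response and pick out the events worth acting on.

Added example, not Alibaba Cloud code. The code tables are copied from the
Response elements section. SAMPLE_RESPONSE is constructed: the first event
mirrors the page's JSON example, the second is invented for the triage rules.
"""
import json
import math

ATTACK_TYPE = {1: "abnormal connection", 2: "command execution", 3: "brute-force attack",
               4: "scan", 5: "other", 6: "information leakage", 7: "DoS attack",
               8: "overflow attack", 9: "web attack", 10: "backdoor trojan",
               11: "virus or worm", 12: "mining behavior", 13: "reverse shell"}
RULE_SOURCE = {1: "basic protection", 2: "virtual patching", 4: "threat intelligence"}
RULE_RESULT = {1: "Alert", 2: "Block"}
VUL_LEVEL = {1: "low", 2: "medium", 3: "high"}

SAMPLE_RESPONSE = json.dumps({  # constructed sample, IPs from RFC 5737 test ranges
    "TotalCount": 20,
    "RequestId": "B14757D0-4640-4B44-AC67-7F558FE7E6EF",
    "DataList": [
        {"Direction": "in", "EventName": "Web目录穿越攻击", "DstIP": "192.0.2.10",
         "AttackType": 1, "RuleId": "1000****", "EventId": "2b58efae-0001",
         "EventCount": 100, "VulLevel": 1, "RuleSource": 1, "RuleResult": 2,
         "SrcIP": "198.51.100.7", "FirstEventTime": 1534408189, "LastEventTime": 1534408267,
         "ResourcePrivateIPList": [{"ResourceInstanceId": "i-wz92jf4scg2zb74p****",
                                    "ResourcePrivateIP": "10.255.0.5", "RegionNo": "cn-hangzhou"}],
         "SrcIPTags": ["WAF Back-to-origin Address"]},
        {"Direction": "out", "EventName": "constructed reverse shell event", "DstIP": "203.0.113.9",
         "AttackType": 13, "RuleId": "1000****", "EventId": "2b58efae-0002",
         "EventCount": 3, "VulLevel": 3, "RuleSource": 4, "RuleResult": 1,
         "SrcIP": "192.0.2.20", "FirstEventTime": 1534408200, "LastEventTime": 1534408260,
         "ResourcePrivateIPList": [],
         # the page's JSON example shows the list element holding a JSON-encoded array
         "SrcPrivateIPList": ['["192.168.0.10","192.168.0.11"]']},
    ],
})


def src_private_ips(event):
    """Return SrcPrivateIPList as a flat list of IP strings, accepting both a plain
    list of IPs and the stringified-array element shown in the page's example."""
    ips = []
    for item in event.get("SrcPrivateIPList") or []:
        if isinstance(item, str) and item.strip().startswith("["):
            ips.extend(json.loads(item))
        else:
            ips.append(item)
    return ips


def decode_event(event):
    """Map the integer codes to their documented meanings and collect the
    identifiers an analyst needs (event ID, instance IDs, private IPs, IP tags)."""
    return {
        "event_id": event.get("EventId"),
        "name": event.get("EventName"),
        "direction": event.get("Direction"),
        "attack_type": ATTACK_TYPE.get(int(event["AttackType"]), f"unknown({event['AttackType']})"),
        "rule_source": RULE_SOURCE.get(int(event["RuleSource"]), "unknown"),
        "handling": RULE_RESULT.get(int(event["RuleResult"]), "unknown"),
        "risk": VUL_LEVEL.get(int(event["VulLevel"]), "unknown"),
        "count": int(event.get("EventCount", 0)),
        "src_ip": event.get("SrcIP"),
        "dst_ip": event.get("DstIP"),
        "src_private_ips": src_private_ips(event),
        "affected_instances": [r.get("ResourceInstanceId")
                               for r in event.get("ResourcePrivateIPList") or []],
        # A back-to-origin tag means SrcIP is an Alibaba Cloud service address, not the
        # real client; do not block it and look for the client IP elsewhere (e.g. WAF logs).
        "src_ip_tags": list(event.get("SrcIPTags") or []),
    }


def needs_attention(event):
    """Triage heuristic of this example, not a Cloud Firewall rule."""
    high_alert_only = int(event["VulLevel"]) == 3 and int(event["RuleResult"]) == 1
    outbound_compromise = (event.get("Direction") == "out"
                           and int(event["AttackType"]) in {10, 12, 13})
    return high_alert_only or outbound_compromise


def triage(response_text):
    """Parse one page and return the flagged events plus the paging facts."""
    body = json.loads(response_text)
    events = body.get("DataList") or []
    return {
        "request_id": body.get("RequestId"),
        "total_count": int(body.get("TotalCount", 0)),
        "returned": len(events),
        "flagged": [decode_event(e) for e in events if needs_attention(e)],
    }


def pages_needed(total_count, page_size):
    """Pages to walk with CurrentPage = 1..N, given TotalCount from the first response."""
    return math.ceil(total_count / page_size) if total_count > 0 else 0


if __name__ == "__main__":
    result = triage(SAMPLE_RESPONSE)
    print(f"{result['total_count']} events total, {pages_needed(result['total_count'], 6)} pages of 6")
    for e in result["flagged"]:
        print(e["event_id"], e["risk"], e["handling"], e["attack_type"], e["src_private_ips"])
```

Keep the RequestId with anything you escalate; it is what support needs to trace the call. For a full sweep, run the first page, read TotalCount, and loop CurrentPage up to pages_needed with the same StartTime and EndTime so that the result set does not shift between pages.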

Error codes

HTTP status code | Error code | Error message | Description
400 | ErrorAliUid | Aliuid invalid. | The aliuid is invalid.
400 | ErrorFirewallType | The specified firewall type is invalid. | The firewall type of the traffic log is invalid.
400 | ErrorParameters | A parameter error occurred. | A parameter error occurred.
400 | ErrorDirectionError | The direction is invalid. | The direction is invalid.
400 | ErrorIpFormat | The IP address is invalid. | The IP address is invalid.
400 | ErrorRuleSourceError | The rule source is invalid. | The rule source is invalid.
400 | ErrorRuleResultError | The rule result is invalid. | The rule result is invalid.
400 | ErrorVulLevelFailed | VulLevel has failed. | The specified VulLevel is invalid.
400 | ErrorTimeError | time range invalid. | The specified time range is invalid. Select the time range again.
400 | ErrorIntervalError | The interval is invalid. | The interval is invalid.
400 | ErrorPageNo | Either page number or page size is invalid. | Either the page number or the page size is invalid.
400 | ErrorDBSelectError | A database select error occurred. | An internal error occurred when the database was queried.
400 | ErrorMarshalJSON | internal error. | An internal error occurred.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.