DescribeRiskEventGroup - Cloud Firewall - Alibaba Cloud Documentation Center

Queries the details of intrusion events.

Operation description

You can call the DescribeRiskEventGroup operation to query and download the details of intrusion events. We recommend that you query the details of 5 to 10 intrusion events at a time. If you do not need to query the geographical information about IP addresses, you can set the NoLocation parameter to true to prevent query timeout.

Limits

You can call this operation up to 10 times per second per account. If the number of the calls per second exceeds the limit, throttling is triggered. As a result, your business may be affected. We recommend that you take note of the limit when you call this operation.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
yundun-cloudfirewall:DescribeRiskEventGroup	list	All Resources ``	none	none

Request parameters

Parameter	Type	Required	Description	Example
Lang	string	No	The language of the content within the request and response. Valid values: zh: Chinese (default) en: English	zh
StartTime	string	Yes	The beginning of the time range to query. The value is a UNIX timestamp. Unit: seconds.	1534408189
EndTime	string	Yes	The end of the time range to query. The value is a UNIX timestamp. Unit: seconds.	1534408267
Direction	string	No	The direction of the traffic for the intrusion events. Valid values: in: inbound out: outbound Note If you do not specify this parameter, the intrusion events that are recorded for both inbound and outbound traffic are queried.	in
PageSize	string	No	The number of entries to return on each page. Default value: 6. Maximum value: 10.	6
CurrentPage	string	No	The number of the page to return. Default value: 1.	1
DataType	string	Yes	The type of the risk events. Set the value to session, which indicates intrusion events.	session
RuleSource	string	No	The module of the rule that is used to detect the intrusion events. Valid values: 1: basic protection 2: virtual patching 4: threat intelligence Note If you do not specify this parameter, the intrusion events that are detected by all rules are queried.	1
RuleResult	string	No	The status of the firewall. Valid values: 1: alerting 2: blocking Note If you do not specify this parameter, all intrusion events that are detected by the firewall are queried, regardless of the firewall status.	1
SrcIP	string	No	The source IP address to query. If you specify this parameter, all intrusion events with the specified source IP address are queried.	192.0.XX.XX
DstIP	string	No	The destination IP address to query. If you specify this parameter, all intrusion events with the specified destination IP address are queried.	192.0.XX.XX
VulLevel	string	No	The risk level of the intrusion events. Valid values: 1: low 2: medium 3: high Note If you do not specify this parameter, the intrusion events that are at all risk levels are queried.	1
FirewallType	string	No	The type of the firewall. Valid values: VpcFirewall: virtual private cloud (VPC) firewall InternetFirewall: Internet firewall (default)	InternetFirewall
SrcNetworkInstanceId	string	No	The ID of the source VPC. Note If the FirewallType parameter is set to VpcFirewall, you must specify this parameter.	vpc-uf6e9a9zyokj2ywuo****
DstNetworkInstanceId	string	No	The ID of the destination VPC. Note If the FirewallType parameter is set to VpcFirewall, you must specify this parameter.	vpc-uf6e9a9zyokj2ywuo****
AttackType	string	No	The attack type of the intrusion events. Valid values: 1: suspicious connection 2: command execution 3: brute-force attack 4: scanning 5: others 6: information leak 7: DoS attack 8: buffer overflow attack 9: web attack 10: trojan backdoor 11: computer worm 12: mining 13: reverse shell Note If you do not specify this parameter, the intrusion events of all attack types are queried.	1
NoLocation	string	No	Specifies whether to query the information about the geographical locations of IP addresses. true: does not query the information about the geographical locations of IP addresses. false: queries the information about the geographical locations of IP addresses. This is the default value.	false
AttackApp	array	No	The names of attacked applications. Set the value in the `["AttackApp1","AttackApp2"]` format.
	string	No	The name of the attacked application. Set the value in the `["AttackApp1","AttackApp2"]` format.	Redis
BuyVersion	long	No	The edition of Cloud Firewall that you purchase. Valid values: 2: Premium Edition 3: Enterprise Edition 4: Ultimate Edition 10: Cloud Firewall that uses the pay-as-you-go billing method	10
Sort	string	No	The field based on which you want to sort the results. Valid values: VulLevel: The results are sorted based on the risk level field. This is the default value. LastTime: The results are sorted based on the most recent occurrence time.	LastTime
Order	string	No	The order in which you want to sort the results. Valid values: asc: the ascending order. desc: the descending order. This is the default value.	desc
EventName	string	No	The name of the intrusion event.	Webshell communication
IsOnlyPrivateAssoc	string	No	Whether to query only the data that has completed private network tracing.	true

All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common parameters. For more information about sample requests, see the "Examples" section of this topic.

Response parameters

Parameter	Type	Description	Example
	object	The data returned.
TotalCount	integer	The total number of risk events.	20
RequestId	string	The ID of the request.	B14757D0-4640-4B44-AC67-7F558FE7E6EF
DataList	array<object>	An array that consists of the details of the intrusion events.
Data	object	The details of the intrusion event.
Direction	string	The direction of the traffic for the intrusion event. Valid values: in: inbound out: outbound	in
EventName	string	The name of the intrusion event.	Path traversal attack
DstIP	string	The destination IP address that is included in the intrusion event.	192.0.XX.XX
AttackType	integer	The attack type of the intrusion event. Valid values: 1: suspicious connection 2: command execution 3: brute-force attack 4: scanning 5: others 6: information leak 7: DoS attack 8: buffer overflow attack 9: web attack 10: trojan backdoor 11: computer worm 12: mining 13: reverse shell	1
Tag	string	The tag added to the threat intelligence that is provided for major events.	Threat intelligence provided for major events
RuleId	string	The ID of the rule that is used to detect the intrusion event.	1000****
EventId	string	The ID of the intrusion event.	2b58efae-4c4b-4d96-9544-a586fb1f****
ResourceType	string	The type of the public IP address in the intrusion event. Valid values: EIP: the elastic IP address (EIP) EcsPublicIP: the public IP address of an Elastic Compute Service (ECS) instance EcsEIP: the EIP of an ECS instance NatPublicIP: the public IP address of a NAT gateway NatEIP: the EIP of a NAT gateway	EcsPublicIP
FirstEventTime	integer	The time when the intrusion event was first detected. The value is a UNIX timestamp. Unit: seconds.	1534408189
Description	string	The description of the intrusion event.	Path traversal attacks are detected in the web access requests over HTTP.
EventCount	integer	The number of intrusion events.	100
VulLevel	integer	The risk level of the intrusion event. Valid values: 1: low 2: medium 3: high	1
AttackApp	string	The name of the attacked application.	MySql
RuleSource	integer	The module of the rule that is used to detect the intrusion event. Valid values: 1: basic protection 2: virtual patching 4: threat intelligence	1
RuleResult	integer	The status of the firewall. Valid values: 1: alerting 2: blocking	2
SrcIP	string	The source IP address that is included in the intrusion event.	192.0.XX.XX
LastEventTime	integer	The time when the intrusion event was last detected. The value is a UNIX timestamp. Unit: seconds.	1534408267
ResourcePrivateIPList	array<object>	The information about the private IP address in the intrusion event. The value is an array that contains the following parameters: RegionNo, ResourceInstanceId, ResourceInstanceName, and ResourcePrivateIP.\
ResourcePrivateIPListItem	object	The information about the private IP address in the intrusion event. The value is an array that contains the following parameters: RegionNo, ResourceInstanceId, ResourceInstanceName, and ResourcePrivateIP.\
ResourceInstanceName	string	The name of the instance that uses the private IP address.	LD-shenzhen-zy****
ResourcePrivateIP	string	The private IP address.	10.255.XX.XX
ResourceInstanceId	string	The ID of the instance that uses the private IP address.	i-wz92jf4scg2zb74p****
RegionNo	string	The ID of the region to which the private IP address belongs.	cn-hangzhou
SrcPrivateIPList	array	An array that consists of the source private IP addresses in the intrusion event.
StringItem	string	The source private IP address in the intrusion event. Note The value of this parameter is returned only when the value of Direction is out.	["192.168.XX.XX","192.168.XX.XX"]
VpcSrcInfo	object	The information about the source VPC of the intrusion event. The value is a struct that contains the following parameters: EcsInstanceId, EcsInstanceName, NetworkInstanceId, NetworkInstanceName, and RegionNo.\
EcsInstanceName	string	The name of the ECS instance.	LD-shenzhen-zy****
NetworkInstanceName	string	The name of the VPC.	VPC-SH-TX****
NetworkInstanceId	string	The ID of the VPC.	vpc-uf6e9a9zyokj2ywuo****
EcsInstanceId	string	The ID of the ECS instance.	i-wz92jf4scg2zb74p****
RegionNo	string	The ID of the region in which the source VPC resides.	cn-hangzhou
VpcDstInfo	object	The information about the destination VPC of the intrusion event. The value is a struct that contains the following parameters: EcsInstanceId, EcsInstanceName, NetworkInstanceId, NetworkInstanceName, and RegionNo.\
EcsInstanceName	string	The name of the ECS instance.	LD-shenzhen-zy****
NetworkInstanceName	string	The name of the VPC.	VPC-SH-TX****
NetworkInstanceId	string	The ID of the VPC.	vpc-uf6e9a9zyokj2ywuo****
EcsInstanceId	string	The ID of the ECS instance.	i-wz92jf4scg2zb74p****
RegionNo	string	The ID of the region in which the destination VPC resides.	cn-hangzhou
IPLocationInfo	object	The geographical information about the IP address. The value is a struct that contains the following parameters: CityId, CityName, CountryId, and CountryName.\
CityId	string	The ID of the city to which the IP address belongs.	510100
CountryName	string	The name of the country to which the IP address belongs.	China
CityName	string	The name of the city to which the IP address belongs.	Chengdu, Sichuan Province
CountryId	string	The ID of the country to which the IP address belongs.	CN
SrcIPTag	string	The tag added to the source IP address. The tag helps identify whether the source IP address is a back-to-origin IP address for a cloud service.	WAF Back-to-origin Address

Examples

Sample success responses

JSONformat

{
  "TotalCount": 20,
  "RequestId": "B14757D0-4640-4B44-AC67-7F558FE7E6EF",
  "DataList": [
    {
      "Direction": "in",
      "EventName": "Path traversal attack\n",
      "DstIP": "192.0.XX.XX",
      "AttackType": 1,
      "Tag": "Threat intelligence provided for major events\n",
      "RuleId": "1000****",
      "EventId": "2b58efae-4c4b-4d96-9544-a586fb1f****",
      "ResourceType": "EcsPublicIP",
      "FirstEventTime": 1534408189,
      "Description": "Path traversal attacks are detected in the web access requests over HTTP.\n",
      "EventCount": 100,
      "VulLevel": 1,
      "AttackApp": "MySql",
      "RuleSource": 1,
      "RuleResult": 2,
      "SrcIP": "192.0.XX.XX",
      "LastEventTime": 1534408267,
      "ResourcePrivateIPList": [
        {
          "ResourceInstanceName": "LD-shenzhen-zy****",
          "ResourcePrivateIP": "10.255.XX.XX",
          "ResourceInstanceId": "i-wz92jf4scg2zb74p****",
          "RegionNo": "cn-hangzhou"
        }
      ],
      "SrcPrivateIPList": [
        "[\"192.168.XX.XX\",\"192.168.XX.XX\"]"
      ],
      "VpcSrcInfo": {
        "EcsInstanceName": "LD-shenzhen-zy****",
        "NetworkInstanceName": "VPC-SH-TX****",
        "NetworkInstanceId": "vpc-uf6e9a9zyokj2ywuo****",
        "EcsInstanceId": "i-wz92jf4scg2zb74p****",
        "RegionNo": "cn-hangzhou"
      },
      "VpcDstInfo": {
        "EcsInstanceName": "LD-shenzhen-zy****",
        "NetworkInstanceName": "VPC-SH-TX****",
        "NetworkInstanceId": "vpc-uf6e9a9zyokj2ywuo****",
        "EcsInstanceId": "i-wz92jf4scg2zb74p****",
        "RegionNo": "cn-hangzhou"
      },
      "IPLocationInfo": {
        "CityId": "510100",
        "CountryName": "China\n",
        "CityName": "Chengdu, Sichuan Province\n",
        "CountryId": "CN"
      },
      "SrcIPTag": "WAF Back-to-origin Address"
    }
  ]
}

Error codes

HTTP status code	Error code	Error message	Description
400	ErrorAliUid	Aliuid invalid.	The aliuid is invalid.
400	ErrorFirewallType	The specified firewall type is invalid.	The firewall type of traffic log is invalid.
400	ErrorParameters	A parameter error occurred.	A parameter error occurred.
400	ErrorDirectionError	The direction is invalid.	The direction is invalid.
400	ErrorIpFormat	The IP address is invalid.	The IP address is invalid.
400	ErrorRuleSourceError	The rule source is invalid.	The rule source is invalid.
400	ErrorRuleResultError	The rule result is invalid.	The rule result is invalid.
400	ErrorVulLevelFailed	VulLevel has failed.	VulLevel has failed.
400	ErrorTimeError	time range invalid.	The specified time is invalid. Select again.
400	ErrorIntervalError	The interval is invalid.	The interval is invalid.
400	ErrorPageNo	Either page number or page size is invalid.	Either page number or page size is invalid.
400	ErrorDBSelectError	A database select error occurred.	The error message returned because an internal error has occurred in querying the database.
400	ErrorMarshalJSON	internal error.	Internal error.

For a list of error codes, visit the Service error codes.

Change history

Change time	Summary of changes	Operation
2024-08-29	API Description Update. The Error code has changed	View Change Details
2023-03-16	The Error code has changed. The request parameters of the API has changed	View Change Details
2022-09-27	The API operation is not deprecated.. The Error code has changed. The request parameters of the API has changed	View Change Details