Data Security Center: DescribeEventDetail

Last Updated: Nov 27, 2025

You can call this operation to query the details of a single anomalous activity, such as its time of occurrence, description, and processing status.

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
|---|---|---|---|---|
| yundun-sddp:DescribeEventDetail | get | *All Resource: * | None | None |

Request parameters

| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| Lang | string | No | The language of the content within the request and response. Valid values: zh: Chinese; en: English. | zh |
| Id | integer | Yes | The unique ID of the anomalous activity. Note: To query the details of a single anomalous activity, you must provide its unique ID. You can call the DescribeEvents operation to obtain the ID. | 13456723343 |

Response elements

| Element | Type | Description | Example |
|---|---|---|---|
| (root) | object | | |
| RequestId | string | The ID of the request. | 69FB3C1-F4C9-42DF-9B72-7077A8989C13 |
| Event | object | The details of the anomalous activity. | |
| Event.DisplayName | string | The display name of the account that performed the operation. | yundunsr |
| Event.Status | integer | The processing status of the anomalous activity. Valid values: 0: unhandled; 1: confirmed; 2: dismissed. | 0 |
| Event.DealReason | string | The reason for handling the anomalous activity. | Anomaly confirmed |
| Event.UserId | integer | The ID of the account that performed the operation. | 229157443385014*** |
| Event.StatusName | string | The name of the processing status of the anomalous activity. | Pending |
| Event.DealTime | integer | The time when the anomalous activity was handled. This value is a UNIX timestamp. Unit: milliseconds. | 1611139155000 |
| Event.DealLoginName | string | The logon name of the account that handled the anomalous activity. | det1111 |
| Event.SubTypeName | string | The name of the anomalous activity subtype. | Anomalous volume of downloaded data |
| Event.Backed | boolean | Indicates whether the detection of the anomalous activity is enhanced. Valid values: true: yes; false: no. Note: Enhancing the detection of anomalous activities improves detection accuracy and the alert reporting rate. | false |
| Event.DataInstance | string | The name of the asset instance in which the anomalous activity occurred. | in-222*** |
| Event.EventTime | integer | The time when the anomalous activity occurred. This value is a UNIX timestamp. Unit: milliseconds. | 1545829129000 |
| Event.LoginName | string | The name of the account that performed the operation. | det1111 |
| Event.SubTypeCode | string | The code of the anomalous activity subtype. | 020008 |
| Event.LogDetail | string | The details of the alert log. | {"client_ip": ["106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX", "106.11.XX.XX"], "start_time": "2020-05-10 00:00:01", "instance": ["omniscience-data", "punish-beaver-data"], "end_time": "2020-05-10 00:21:22", "client_ua": ["Java/1.8.0_152", "Java/1.8.0_92", "aliyun-sdk-java/2.0.0", "aliyun-sdk-java/2.8.0(Linux/4.9.151-015.ali3000.alios7.x86_64/amd64;1.8.0_152)"], "user_name": 1512222261295262} |
| Event.TypeCode | string | The code of the anomalous activity type. | 02 |
| Event.AlertTime | integer | The time when the alert for the anomalous activity was triggered. This value is a UNIX timestamp. Unit: milliseconds. | 1545829129000 |
| Event.DealUserId | integer | The ID of the account that handled the anomalous activity. | 229157443385014*** |
| Event.TypeName | string | The name of the anomalous activity type. Valid values: 01: anomalous permission access; 02: anomalous data flow; 03: anomalous data operation. | Anomalous data flow |
| Event.DealDisplayName | string | The display name of the account that handled the anomalous activity. | yundunsr |
| Event.Id | integer | The unique ID of the anomalous activity that is recorded in Data Security Center. | 52234 |
| Event.ProductCode | string | The name of the product in which the anomalous activity is detected. Valid values include MaxCompute, OSS, ADS, OTS, and RDS. | MaxCompute |
| Event.HandleInfoList | array<object> | The handling history. | |
| Event.HandleInfoList[] | object | The details of how the event is handled manually. | |
| Event.HandleInfoList[].Status | integer | The status of the handling action. Valid values: 0: disabled; 1: enabled; -1: disabling failed; -2: enabling failed. | 1 |
| Event.HandleInfoList[].EnableTime | integer | The time when the handling action was enabled. This value is a UNIX timestamp. Unit: milliseconds. | 1611139155000 |
| Event.HandleInfoList[].HandlerValue | integer | The duration of the handling action. Unit: minutes. If this parameter is empty, the handling action is permanent. | 10 |
| Event.HandleInfoList[].DisableTime | integer | The time when the handling action was disabled. This value is a UNIX timestamp. Unit: milliseconds. | 1611139155000 |
| Event.HandleInfoList[].HandlerName | string | The handling method. | Remove from the whitelist |
| Event.HandleInfoList[].HandlerType | string | The handling type. | rds_security_ip |
| Event.HandleInfoList[].CurrentValue | string | Specifies the account that handled the event. | sddp-test2 |
| Event.HandleInfoList[].Id | integer | The handling ID. | 11 |
| Event.Detail | object | The specific content of the anomalous activity details. | |
| Event.Detail.Content | array<object> | The content of the anomalous activity. | |
| Event.Detail.Content[] | object | The content of the anomalous activity. | |
| Event.Detail.Content[].Label | string | The title of the anomalous activity content. | Anomaly description |
| Event.Detail.Content[].Value | string | The description of the anomalous activity content. | The account was used to access OSS from an unusual terminal whose IP address is 1.2.3.4 from 00:06:45 on September 9, 2019 to 00:57:37 on September 9, 2019. |
| Event.Detail.Content[].Name | string | The name of the anomalous activity. | daliaoyuncom |
| Event.Detail.Chart | array<object> | The baseline behavior profile for the anomalous activity. | |
| Event.Detail.Chart[] | array<object> | The baseline behavior profile for the anomalous activity. | |
| Event.Detail.Chart[].Type | string | The type of the chart. Valid values: 1: column chart; 2: line chart. | 1 |
| Event.Detail.Chart[].Label | string | The name of the baseline behavior profile for the anomalous activity. | Baseline behavior chart |
| Event.Detail.Chart[].XLabel | string | The label of the x-axis. | Number of days |
| Event.Detail.Chart[].YLabel | string | The label of the y-axis. | Value |
| Event.Detail.Chart[].Data | object | The data items of the baseline behavior profile for the anomalous activity. | |
| Event.Detail.Chart[].Data.Y | array | The values of the data items on the y-axis. | [1,2,3,...] |
| Event.Detail.Chart[].Data.Y[] | string | The value of the data item on the y-axis. | [1,2,3,...] |
| Event.Detail.Chart[].Data.X | array | The values of the data items on the x-axis. | [test1,test2,...] |
| Event.Detail.Chart[].Data.X[] | string | The value of the data item on the x-axis. | [test1,test2,...] |
| Event.Detail.Chart[].Data.Z | array | The values of the data items on the z-axis. | |
| Event.Detail.Chart[].Data.Z[] | string | The value of the data item on the z-axis. | [5,7,...] |
| Event.Detail.Chart[].ChatType | integer | The type of the chart. Valid values: 1: column chart; 2: line chart. Note: This parameter is returned only when NewAlarm is set to true. | 1 |
| Event.Detail.Chart[].Name | string | The title of the chart. Note: This parameter is returned only when NewAlarm is set to true. | misskingm |
| Event.Detail.Chart[].ZLabel | string | The label of the z-axis. Note: This parameter is returned only when NewAlarm is set to true. | chart description |
| Event.Detail.ResourceInfo | array<object> | The information about the source of the anomalous activity. | |
| Event.Detail.ResourceInfo[] | object | The information about the source of the anomalous activity. | |
| Event.Detail.ResourceInfo[].Label | string | The title of the source of the anomalous activity. | Risk |
| Event.Detail.ResourceInfo[].Value | string | The description of the source of the anomalous activity. | Based on the record of authentication by using an unusual terminal, an attacker may have obtained the access permission of the account, or an employee accessed data from a personal terminal. |
| Event.NewAlarm | boolean | Indicates whether the alert is of the new version. Valid values: true: yes; false: no. | true |

Examples

Success response

JSON format

{
  "RequestId": "69FB3C1-F4C9-42DF-9B72-7077A8989C13",
  "Event": {
    "DisplayName": "yundunsr",
    "Status": 0,
    "DealReason": "Anomaly confirmed\n",
    "UserId": 0,
    "StatusName": "Pending",
    "DealTime": 1611139155000,
    "DealLoginName": "det1111",
    "SubTypeName": "Anomalous volume of downloaded data\n",
    "Backed": false,
    "DataInstance": "in-222***",
    "EventTime": 1545829129000,
    "LoginName": "det1111",
    "SubTypeCode": "020008",
    "LogDetail": "{\"client_ip\": [\"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\", \"106.11.XX.XX\"], \"start_time\": \"2020-05-10 00:00:01\", \"instance\": [\"omniscience-data\", \"punish-beaver-data\"], \"end_time\": \"2020-05-10 00:21:22\", \"client_ua\": [\"Java/1.8.0_152\", \"Java/1.8.0_92\", \"aliyun-sdk-java/2.0.0\", \"aliyun-sdk-java/2.8.0(Linux/4.9.151-015.ali3000.alios7.x86_64/amd64;1.8.0_152)\"], \"user_name\": 1512222261295262}",
    "TypeCode": "02",
    "AlertTime": 1545829129000,
    "DealUserId": 0,
    "TypeName": "Anomalous data flow\n",
    "DealDisplayName": "yundunsr",
    "Id": 52234,
    "ProductCode": "MaxCompute",
    "HandleInfoList": [
      {
        "Status": 1,
        "EnableTime": 1611139155000,
        "HandlerValue": 10,
        "DisableTime": 1611139155000,
        "HandlerName": "Remove from the whitelist\n",
        "HandlerType": "rds_security_ip",
        "CurrentValue": "sddp-test2",
        "Id": 11
      }
    ],
    "Detail": {
      "Content": [
        {
          "Label": "Anomaly description\n",
          "Value": "The account was used to access OSS from an unusual terminal whose IP address is 1.2.3.4 from 00:06:45 on September 9, 2019 to 00:57:37 on September 9, 2019.",
          "Name": "daliaoyuncom"
        }
      ],
      "Chart": [
        {
          "Type": "1",
          "Label": "Baseline behavior chart\n",
          "XLabel": "Number of days\n",
          "YLabel": "Value",
          "Data": {
            "Y": [
              "[1,2,3,...]"
            ],
            "X": [
              "[test1,test2,...]"
            ],
            "Z": [
              "[5,7,...]"
            ]
          },
          "ChatType": 1,
          "Name": "misskingm",
          "ZLabel": "chart description"
        }
      ],
      "ResourceInfo": [
        {
          "Label": "Risk",
          "Value": "Based on the record of authentication by using an unusual terminal, an attacker may have obtained the access permission of the account, or an employee accessed data from a personal terminal."
        }
      ]
    },
    "NewAlarm": true
  }
}
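
The following is an added example, not code from this reference or from the Alibaba Cloud SDK: it flattens one DescribeEventDetail response into a triage record, decoding the JSON string carried in LogDetail, converting millisecond timestamps to UTC, and mapping the status codes listed above. The function names, the output field names, and the `needs_triage` rule are assumptions made for illustration; the sample is constructed from the success response above.

```python
import json
from datetime import datetime, timezone

# Code-to-name maps copied from the response element descriptions on this page.
EVENT_STATUS = {0: "unhandled", 1: "confirmed", 2: "dismissed"}
HANDLER_STATUS = {0: "disabled", 1: "enabled", -1: "disabling failed", -2: "enabling failed"}

def ms_to_iso(ms):
    """UNIX timestamp in milliseconds -> ISO 8601 UTC string (None stays None)."""
    return None if ms is None else datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def normalize_event(response):
    """Flatten one DescribeEventDetail response into a record for alert triage."""
    ev = response["Event"]
    try:
        # LogDetail is JSON serialized into a string, so it needs a second decode.
        log = json.loads(ev.get("LogDetail") or "{}")
    except json.JSONDecodeError:
        log = None
    if not isinstance(log, dict):
        log = {}  # malformed or non-object LogDetail: keep the rest of the record usable
    actions = [{
        "type": h.get("HandlerType"),
        "state": HANDLER_STATUS.get(h.get("Status"), "unknown"),
        "permanent": h.get("HandlerValue") is None,  # empty duration = permanent
        "duration_minutes": h.get("HandlerValue"),
    } for h in ev.get("HandleInfoList") or []]
    return {
        "id": ev["Id"],
        "type_code": ev.get("TypeCode"),
        "subtype": (ev.get("SubTypeName") or "").strip(),  # sample strings end in "\n"
        "status": EVENT_STATUS.get(ev.get("Status"), "unknown"),
        "needs_triage": ev.get("Status") == 0,  # assumption: unhandled means still open
        "account": ev.get("LoginName"),
        "instance": ev.get("DataInstance"),
        "event_time": ms_to_iso(ev.get("EventTime")),
        # Deduplicate source IPs and user agents, preserving first-seen order.
        "client_ips": list(dict.fromkeys(log.get("client_ip", []))),
        "client_uas": list(dict.fromkeys(log.get("client_ua", []))),
        "window": (log.get("start_time"), log.get("end_time")),
        "actions": actions,
    }

# Constructed sample, abbreviated from the success response shown above.
SAMPLE = {"RequestId": "69FB3C1-F4C9-42DF-9B72-7077A8989C13", "Event": {
    "Id": 52234, "Status": 0, "TypeCode": "02", "SubTypeName": "Anomalous volume of downloaded data\n",
    "LoginName": "det1111", "DataInstance": "in-222***", "EventTime": 1545829129000,
    "LogDetail": '{"client_ip": ["106.11.XX.XX", "106.11.XX.XX"], "start_time": "2020-05-10 00:00:01", '
                 '"end_time": "2020-05-10 00:21:22", "client_ua": ["Java/1.8.0_152", "Java/1.8.0_92"]}',
    "HandleInfoList": [{"Status": 1, "HandlerValue": 10, "HandlerType": "rds_security_ip"}]}}
```

Calling `normalize_event(SAMPLE)` returns the flattened record; a response whose LogDetail fails to parse still yields a record, with empty `client_ips` and `client_uas`.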

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.