All Products
Search
Document Center

Security Center:DescribeAlarmEventDetail

Last Updated:Nov 25, 2024

Queries the details about an alert event. An alert event consists of an alert and exceptions. Each alert event is associated with multiple exceptions.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
yundun-sas:DescribeAlarmEventDetailget
*All Resources
*
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
SourceIpstringNo

The source IP address of the request.

192.168.XX.XX
LangstringNo

The language of the content within the request and response. Default value: zh. Valid values:

  • zh: Chinese
  • en: English
zh
AlarmUniqueInfostringYes

The unique identifier of the alert event.

Note To query the details of an alert event, you must provide the unique identifier of the alert event. You can call the DescribeSuspEvents operation to obtain the identifier.
9f62555666f177aa84ee1eaf465a****
FromstringYes

The ID of the request source. Set the value to sas.

sas

Response parameters

ParameterTypeDescriptionExample
object
RequestIdstring

The ID of the request, which is used to locate and troubleshoot issues.

7EA50837-2F0B-5BCC-AB61-4968D88D75AD
Dataobject

The details of the alert event.

Typestring

The alert type of the alert event. Valid values:

  • Suspicious process
  • Webshell
  • Unusual logon
  • Exception
  • Sensitive file tampering
  • Malicious process (cloud threat detection)
  • Suspicious network connection
  • Other
  • Abnormal account
  • Application intrusion event
  • Cloud threat detection
  • Precise defense
  • Application whitelist
  • Persistent webshell
  • Web application threat detection
  • Malicious script
  • Threat intelligence
  • Malicious network activity
  • Cluster exception
  • Webshell (on-premises threat detection)
  • Vulnerability exploitation
  • Malicious process (on-premises threat detection)
  • Trusted exception
Webshell
InternetIpstring

The public IP address of the associated instance.

172.16.XX.XX
K8sClusterNamestring

The name of the Kubernetes cluster.

TestK8sCluser
ContainerImageIdstring

The ID of the image to which the container belongs.

cadb7a725641
AlarmEventDescstring

The description of the alert event.

The detection model finds that self-mutation is running on your server. A self-mutation Trojan is a Trojan horse program with self-mutation function. It will change its hash or copy a large number of itself to different paths, and run in the background to avoid cleaning.
AlarmUniqueInfostring

The unique identifier of the alert event.

Note To query the details of an alert event, you must provide the unique identifier of the alert event. You can call the DescribeSuspEvents operation to obtain the identifier.
9f62555666f177aa84ee1eaf465a****
CanCancelFaultboolean

Indicates whether you can cancel marking the alert event as a false positive. Valid values:

  • true: yes
  • false: no
false
AppNamestring

The name of the container application.

app:msdp-uat-service
CanBeDealOnLineboolean

Indicates whether the online handling of the alert event is supported. Valid values:

  • true: yes
  • false: no
false
ContainerImageNamestring

The name of the image to which the container belongs.

jenkins/jenkins:latest
K8sClusterIdstring

The ID of the Kubernetes cluster.

c562cf0d68e9749ee9fe544a7ab2f****
ContainHwModeboolean

Indicates whether the Safeguard Mode For Major Activities mode is enabled.

true
InstanceNamestring

The name of the instance.

i-wz92q7m5hsbgfhdss***
K8sNodeIdstring

The ID of the Kubernetes cluster node.

i-bp14a1ay8e0aa9t0l***
Solutionstring

The solution to the alert event.

An invalid logon source IP has been detected. If you recognize this logon attempt, we recommend that you add the current logon source IP to the valid logon source IP list to avoid future alerts. If you do not recognize this logon attempt, we recommend that you modify the password.
DataSourcestring

The data source of the alert event.

aegis_***
IntranetIpstring

The private IP address of the associated instance.

172.25.30.**
AlarmEventAliasNamestring

The name of the alert event.

Login with unusual location
EndTimelong

The timestamp when the alert event ends. Unit: milliseconds.

1542366542000
Uuidstring

The instance UUID of the asset.

6690a46c-0edb-4663-a641-3629d1a9****
StartTimelong

The timestamp when the alert event starts. Unit: milliseconds.

1542378601000
ContainerIdstring

The ID of the container application.

container_1606995441910_394868_01_000***
K8sPodNamestring

The name of the Kubernetes pod.

myapp-pod
K8sNamespacestring

The namespace of the Kubernetes cluster.

sit-saic-trip
K8sNodeNamestring

The name of the Kubernetes cluster node.

cn-hangzhou.10.188.139.**
Levelstring

The severity of the alert event. Valid values:

  • serious
  • suspicious
  • remind
serious
CauseDetailsarray<object>

An array consisting of the cause of the alert event, which can be used to trace the alert event.

CauseDetailobject
Keystring

The key that is used to trace the alert event.

842e314e69b1a2c45d5c1a2f88a16***
Valuearray<object>

The value that is used to trace the alert event.

Valueobject

The tracing information.

Typestring

The type of the field that displays the tracing information. Valid values:

  • text
  • html
html
Valuestring

The value of the field that displays the tracing information.

<p>under a certain small probability, yundun may mistakenly judge the repeated attempts caused by the administrator forgetting or entering the wrong password as successful blasting. Please check according to the account number and time shown in the alarm details. Once it is confirmed that it is not the initiative of the administrator, it is recommended to immediately block the IP, and you can open it at the same time<a href="https://yundun.console.aliyun.com/?p=pam">PAM</a>, hosting host login password, improving remote connection efficiency and security control ability, and according to<a href="https://click.aliyun.com/m/1000226086/">best practice of ECS account security protection</a>Modify login password and convergence asset.</p>↵
Namestring

The name of the field that displays the tracing information.

sshd

Examples

Sample success responses

JSONformat

{
  "RequestId": "7EA50837-2F0B-5BCC-AB61-4968D88D75AD",
  "Data": {
    "Type": "Webshell",
    "InternetIp": "172.16.XX.XX",
    "K8sClusterName": "TestK8sCluser",
    "ContainerImageId": "cadb7a725641",
    "AlarmEventDesc": "The detection model finds that self-mutation is running on your server. A self-mutation Trojan is a Trojan horse program with self-mutation function. It will change its hash or copy a large number of itself to different paths, and run in the background to avoid cleaning.",
    "AlarmUniqueInfo": "9f62555666f177aa84ee1eaf465a****",
    "CanCancelFault": false,
    "AppName": "app:msdp-uat-service",
    "CanBeDealOnLine": false,
    "ContainerImageName": "jenkins/jenkins:latest",
    "K8sClusterId": "c562cf0d68e9749ee9fe544a7ab2f****",
    "ContainHwMode": true,
    "InstanceName": "i-wz92q7m5hsbgfhdss***",
    "K8sNodeId": "i-bp14a1ay8e0aa9t0l***",
    "Solution": "An invalid logon source IP has been detected. If you recognize this logon attempt, we recommend that you add the current logon source IP to the valid logon source IP list to avoid future alerts. If you do not recognize this logon attempt, we recommend that you modify the password.",
    "DataSource": "aegis_***",
    "IntranetIp": "172.25.30.**",
    "AlarmEventAliasName": "Login with unusual location",
    "EndTime": 1542366542000,
    "Uuid": "6690a46c-0edb-4663-a641-3629d1a9****",
    "StartTime": 1542378601000,
    "ContainerId": "container_1606995441910_394868_01_000***",
    "K8sPodName": "myapp-pod",
    "K8sNamespace": "sit-saic-trip",
    "K8sNodeName": "cn-hangzhou.10.188.139.**",
    "Level": "serious",
    "CauseDetails": [
      {
        "Key": "842e314e69b1a2c45d5c1a2f88a16***",
        "Value": [
          {
            "Type": "html",
            "Value": "<p>under a certain small probability, yundun may mistakenly judge the repeated attempts caused by the administrator forgetting or entering the wrong password as successful blasting. Please check according to the account number and time shown in the alarm details. Once it is confirmed that it is not the initiative of the administrator, it is recommended to immediately block the IP, and you can open it at the same time<a href=\"https://yundun.console.aliyun.com/?p=pam\">PAM</a>, hosting host login password, improving remote connection efficiency and security control ability, and according to<a href=\"https://click.aliyun.com/m/1000226086/\">best practice of ECS account security protection</a>Modify login password and convergence asset.</p>↵",
            "Name": "sshd"
          }
        ]
      }
    ]
  }
}

Error codes

HTTP status codeError codeError messageDescription
403NoPermissioncaller has no permissionYou are not authorized to do this operation.
500ServerErrorServerError-

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
No change history