DescribeDomainSecureAlarmList - - Alibaba Cloud Documentation Center

Queries the security alert data of a website security report.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
yundun-sas:DescribeDomainSecureAlarmList	list	All Resources ``	none	none

Request parameters

Parameter	Type	Required	Description	Example
SourceIp	string	No	The source IP address.	139.227..
Lang	string	No	The language of the content within the request and response. Valid values: zh: Chinese en: English	zh
From	string	No	The identifier of the request source. Set the value to sas.	sas

Response parameters

Parameter	Type	Description	Example
	object	The response parameters.
TotalCount	integer	The total number of entries returned.	42
RequestId	string	The request ID.	D03DD0FD-6041-5107-AC00-383E28F1****
AlarmList	array<object>	The security alerts in your website assets.
AlarmEvent	object	The security alert in your website assets.
Dealed	boolean	Indicates whether the alert event is handled. Valid values: N: unhandled Y: handled	y
Stages	string	The stage at which the attack or intrusion is detected.	[\"authority_maintenance\"]
InternetIp	string	The public IP address of the server.	95.214..
SuspiciousEventCount	integer	The total number of security alerts in your website assets.	1
GmtModified	long	The time of the last modification.	1656901794000
AlarmEventNameOriginal	string	The original parent name of the alert event.	login_common_location
AlarmUniqueInfo	string	The unique ID of the alert event.	8df914418f4211fbf756efe7a6f4****
CanCancelFault	boolean	Indicates whether you can cancel marking the alert event as a false positive. Valid values: true false	false
SecurityEventIds	string	The ID of the associated alert event.	270789
CanBeDealOnLine	boolean	Indicates whether the alert event can be handled online, such as quarantining the source file of the malicious process, adding the alert event to the whitelist, and ignoring the alert event. Valid values: true false	true
Description	string	The description of the alert event.	The detection model finds that there is a Trojan horse program on your server. The Trojan horse program is a program specially used to invade the user's host. Generally, it will download and release another malicious program after being implanted into the system through disguise.
ContainHwMode	boolean	Indicates whether the safeguard mode for major activities is supported.	true
InstanceName	string	The instance name of the affected asset.	TestInstance
SaleVersion	string	The edition of Security Center in which the alert event can be detected. Valid values: 0: Basic edition. 1: Advanced edition. 2: Enterprise edition.	1
OperateErrorCode	string	The handling result code of the alert event.	kill_and_quara.Success
Solution	string	The solution to the alert event.	A malicious program implanted by hacker after intrusion will occupy your bandwidth and attack other servers, and may affect you own service. The malicious process may also have self-deleting behavior or disguise as a system service to evade detection.
DataSource	string	The data source of the alert event.	aegis_****
HasTraceInfo	boolean	Indicates whether the alert event has tracing information. Valid values: true false	true
OperateTime	long	The timestamp generated when the alert event was handled. Unit: milliseconds.	1631699497000
InstanceId	string	The instance ID of the affected asset.	i-e****
IntranetIp	string	The private IP address of the affected instance.	192.168.XX.XX
EndTime	long	The timestamp generated when the alert event was last detected. Unit: milliseconds.	1543740301000
StartTime	long	The timestamp generated when the alert event was first detected. Unit: milliseconds.	1543740301000
Uuid	string	The unique ID of the associated instance.	47900178-885d-4fa4-9d77-****
AlarmEventType	string	The type of the alert event.	Malicious Software
AutoBreaking	boolean	Indicates whether automatic defense is enabled.	true
AlarmEventName	string	The name of the alert event.	Trojan
Level	string	The risk level of the alert event. Valid values: serious suspicious remind	serious

Examples

Sample success responses

JSONformat

{
  "TotalCount": 42,
  "RequestId": "D03DD0FD-6041-5107-AC00-383E28F1****",
  "AlarmList": [
    {
      "Dealed": true,
      "Stages": "[\\\"authority_maintenance\\\"]\n",
      "InternetIp": "95.214.*.*",
      "SuspiciousEventCount": 1,
      "GmtModified": 1656901794000,
      "AlarmEventNameOriginal": "login_common_location",
      "AlarmUniqueInfo": "8df914418f4211fbf756efe7a6f4****",
      "CanCancelFault": false,
      "SecurityEventIds": "270789",
      "CanBeDealOnLine": true,
      "Description": "The detection model finds that there is a Trojan horse program on your server. The Trojan horse program is a program specially used to invade the user's host. Generally, it will download and release another malicious program after being implanted into the system through disguise.",
      "ContainHwMode": true,
      "InstanceName": "TestInstance",
      "SaleVersion": "1",
      "OperateErrorCode": "kill_and_quara.Success",
      "Solution": "A malicious program implanted by hacker after intrusion will occupy your bandwidth and attack other servers, and may affect you own service. The malicious process may also have self-deleting behavior or disguise as a system service to evade detection. ",
      "DataSource": "aegis_****",
      "HasTraceInfo": true,
      "OperateTime": 1631699497000,
      "InstanceId": "i-e****",
      "IntranetIp": "192.168.XX.XX",
      "EndTime": 1543740301000,
      "StartTime": 1543740301000,
      "Uuid": "47900178-885d-4fa4-9d77-****",
      "AlarmEventType": "Malicious Software",
      "AutoBreaking": true,
      "AlarmEventName": "Trojan",
      "Level": "serious"
    }
  ]
}

Error codes

HTTP status code	Error code	Error message	Description
403	NoPermission	caller has no permission	You are not authorized to do this operation.
500	ServerError	ServerError	-

For a list of error codes, visit the Service error codes.