All Products
Search
Document Center

Security Center:DescribeSecurityEventOperations

Last Updated:Nov 25, 2024

Queries the operations that you can perform to handle an alert.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
yundun-sas:DescribeSecurityEventOperationsget
*All Resources
*
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
SourceIpstringNo

The source IP address of the request.

192.168.XX.XX
LangstringNo

The language of the content within the request and response. Default value: zh. Valid values:

  • zh: Chinese
  • en: English
zh
SecurityEventIdlongYes

The ID of the alert event that you want to handle.

61352054

Response parameters

ParameterTypeDescriptionExample
object
RequestIdstring

The ID of the request, which is used to locate and troubleshoot issues.

B7A2000F-497E-5DA0-B14D-615CD410DD7E
SecurityEventOperationsResponsearray<object>

The operations that are performed to handle the alert.

SecurityEventOperationobject

The operation that is performed to handle the alert.

OperationParamsstring

The configuration of the operation that is performed to handle the alert.

Note If the value of the OperationCode parameter is kill_and_quara or block_ip, the OperationParams parameter is required. If the value of the OperationCode parameter is a different value, the OperationParams parameter can be left empty.
{"expireTime":1641566807783}
OperationCodestring

The operation that is performed to handle the alert. Valid values:

  • block_ip: blocks the source IP address.
  • advance_mark_mis_info: adds the alert to the whitelist.
  • ignore: ignores the alert.
  • manual_handled: marks the alert as manually handled.
  • kill_process: terminates the malicious process.
  • cleanup: performs in-depth virus detection and removal.
  • kill_and_quara: terminates the malicious process and quarantines the source file.
  • disable_malicious_defense: disables the malicious behavior defense feature.
  • client_problem_check: performs troubleshooting.
  • quara: quarantines the source file of the malicious process.
  • defense_mark_mis_info: enables the precise defense feature but disables the notification feature.
  • rm_defense_mark_mis_info: enables the notification feature.
  • rm_mark_mis_info: removes the alert from the whitelist.
  • cancle_manual: cancels marking the alert as manually handled.
advance_mark_mis_info
UserCanOperateboolean

Indicates whether you can handle the alert in the current edition of Security Center. Valid values:

  • true
  • false
false
MarkFieldarray<object>

The configurations that are used when the value of the OperationCode parameter is advance_mark_mis_info.

MarkFieldobject

The configuration that is used when the value of the OperationCode parameter is advance_mark_mis_info.

MarkMisTypestring

The operation that is used in the whitelist rule. Valid values:

  • contains: contains
  • notContains: does not contain
  • regex: regular expression
  • strEqual: equals
  • strNotEqual: does not equal
contains
FiledNamestring

The field that is used in the whitelist rule.

gmtModified
FiledAliasNamestring

The alias of the field that is used in the whitelist rule.

file path
MarkMisValuestring

The value of the field that is used in the whitelist rule.

2022-04-25 10:11:04
Uuidstring

The UUID of the server on which the alert event is detected.

3d6b4a75-c28f-447b-9142-38f6252c****
SupportedMisTypearray

An array consisting of the operations that are supported by the method to add the alert event to the whitelist.

StringItemstring

The operation that is used and can be modified in the whitelist rule. Valid values:

  • contains: contains
  • notContains: does not contain
  • regex: regular expression
  • strEqual: equals
  • strNotEqual: does not equal
contains
MarkFieldsSourcearray<object>

The configuration items that can be used when the value of the OperationCode parameter is advance_mark_mis_info.

SecurityEventOperationobject

The configuration item that can be used when the value of the OperationCode parameter is advance_mark_mis_info.

FiledNamestring

The field that can be used in the whitelist rule.

gmtModified
FiledAliasNamestring

The alias of the field that can be used in the whitelist rule.

file path
MarkMisValuestring

The value of the field that can be used in the whitelist rule.

contains
SupportedMisTypearray

An array consisting of the operations that are supported by the method to add the alert event to the whitelist.

StringItemstring

The operation that is supported in the whitelist rule. Valid values:

  • contains: contains
  • notContains: does not contain
  • regex: regular expression
  • strEqual: equals
  • strNotEqual: does not equal
contains
MappingMarkFieldsarray<object>

The objects on which the operations are performed. This parameter is required when you add the alert to the whitelist by configuring precise defense rules.

MappingMarkFieldobject

The object on which the operation is performed. This parameter is required when you add the alert to the whitelist by configuring precise defense rules.

Namestring

The name of the field that is added to the whitelist.

pid
Valuestring

The value of the field that is added to the whitelist.

1791
ShowValuestring

The display name of the field that is added to the whitelist.

1791
FillTypestring

Indicates whether the value of the field can be changed.

  • CUSTOM: The value of the field can be changed.
  • SYSTEM: The value of the field cannot be changed.
CUSTOM
Requiredboolean

Indicates whether the parameter is required. Valid values:

  • true
  • false
true
ShowNamestring

The display name of the field that can be used in the whitelist rule.

pid
MinLengthinteger

The minimum length of the field that is added to the whitelist.

1024
MaxLengthinteger

The maximum length of the field that is added to the whitelist.

2048
Descriptionstring

The description of the field that is added to the whitelist.

test

Examples

Sample success responses

JSONformat

{
  "RequestId": "B7A2000F-497E-5DA0-B14D-615CD410DD7E",
  "SecurityEventOperationsResponse": [
    {
      "OperationParams": "{\"expireTime\":1641566807783}",
      "OperationCode": "advance_mark_mis_info",
      "UserCanOperate": false,
      "MarkField": [
        {
          "MarkMisType": "contains",
          "FiledName": "gmtModified",
          "FiledAliasName": "file path",
          "MarkMisValue": "2022-04-25 10:11:04",
          "Uuid": "3d6b4a75-c28f-447b-9142-38f6252c****",
          "SupportedMisType": [
            "contains"
          ]
        }
      ],
      "MarkFieldsSource": [
        {
          "FiledName": "gmtModified",
          "FiledAliasName": "file path",
          "MarkMisValue": "contains",
          "SupportedMisType": [
            "contains"
          ]
        }
      ],
      "MappingMarkFields": [
        {
          "Name": "pid",
          "Value": "1791",
          "ShowValue": "1791",
          "FillType": "CUSTOM",
          "Required": true,
          "ShowName": "pid",
          "MinLength": 1024,
          "MaxLength": 2048,
          "Description": "test"
        }
      ]
    }
  ]
}

Error codes

HTTP status codeError codeError messageDescription
400SecurityEventNotExistsSecurity event not exists.-
403NoPermissioncaller has no permissionYou are not authorized to do this operation.
500ServerErrorServerError-

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2024-09-11The Error code has changed. The response structure of the API has changedView Change Details