Security Center:DescribeSuspEvents

Last Updated: Nov 21, 2024

Queries a list of alert events that are generated without aggregation.

Debugging

You can call this operation directly in OpenAPI Explorer, which spares you from calculating request signatures. After a successful call, OpenAPI Explorer can generate SDK code samples for you automatically.

Authorization information

The following table shows the authorization information for this API operation. Use the Operation value in the Action element of a RAM policy to grant a RAM user or RAM role permission to call the operation. The columns are:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of the operation: read, write, or list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must also have permission to perform in order to complete this operation.

Operation: yundun-sas:DescribeSuspEvents
Access level: get
Resource type: * (All Resources)
Condition key: none
Associated operation: none

Request parameters

All request parameters are optional.

SourceIp (string)
  The source IP address of the request.
  Example: 192.168.XX.XX

Dealed (string)
  Specifies whether the alert event is handled. Valid values:
    • N: unhandled
    • Y: handled
  Example: N

Name (string)
  The name of the asset that is affected by the alert event.
  Example: ecs-xxx

Levels (string)
  The severity of the alert event. Separate multiple severities with commas (,). Valid values:
    • serious
    • suspicious
    • remind
  Example: serious

ParentEventTypes (string)
  The alert type of the alert event. Valid values:
    • Suspicious process
    • Webshell
    • Unusual logon
    • Exception
    • Sensitive file tampering
    • Malicious process (cloud threat detection)
    • Suspicious network connection
    • Suspicious account
    • Application intrusion event
    • Cloud threat detection
    • Precise defense
    • Application whitelist
    • Persistent webshell
    • Web application threat detection
    • Malicious script
    • Threat intelligence
    • Malicious network activity
    • Cluster exception
    • Webshell (on-premises threat detection)
    • Vulnerability exploitation
    • Malicious process (on-premises threat detection)
    • Trusted exception
    • Others
  Example: Webshell

EventNames (string)
  The subtype of the alert event. Separate multiple subtypes with commas (,).
  Example: WEBSHELL

Remark (string)
  The name of the alert or the information about the asset.
  Note: Fuzzy search is supported. The asset information includes the name, public IP address, and private IP address of an asset.
  Example: 192.168.XX.XX

Status (string)
  The status of the alert event. Valid values:
    • 0: all
    • 1: pending handling
    • 2: ignored
    • 4: confirmed
    • 8: marked as a false positive
    • 16: handling
    • 32: handled
    • 64: expired
    • 128: deleted
    • 512: automatically blocking
    • 513: automatically blocked
  Example: 1

PageSize (string)
  The number of entries per page. Default value: 20. Maximum value: 100.
  Example: 20

CurrentPage (string)
  The number of the page to return. Default value: 1.
  Example: 1

Lang (string)
  The language of the content within the request and response. Default value: zh. Valid values:
    • zh: Chinese
    • en: English
  Example: zh

AlarmUniqueInfo (string)
  The ID of the alert event.
  Note: To query the details of an alert event, you must specify the ID of the alert event. You can call the DescribeSuspEvents operation to query the IDs of alert events.
  Example: 8df914418f4211fb****

UniqueInfo (string)
  The unique key of the alert.
  Example: 73fc06fb175a7405697e402f52864****

Id (long)
  The ID of the alert event.
  Example: 123

From (string)
  The data source of the alert event. Set the value to sas.
  Example: sas

Source (string)
  The source of the alert.
  Example: aegis_suspicious_file_v2

GroupId (long)
  The ID of the asset group to which the affected asset belongs.
  Example: 18768

Uuids (string)
  The UUID of the server on which the alert is detected. Separate multiple UUIDs with commas (,).
  Example: bb5d2484-f10e-450d-8917-3e79667e****,0e7c2fcd-7100-42c7-a21a-db6e4f32****

ClusterId (string)
  The ID of the cluster whose alert events you want to query.
  Example: c4af4fdf38a98496a9b63c2be5dae****

ContainerFieldName (string)
  The key of the condition that is used to query alert events on containers. Valid values:
    • instanceId: the ID of the asset
    • appName: the name of the application
    • clusterId: the ID of the cluster
    • regionId: the ID of the region
    • nodeName: the name of the node
    • namespace: the namespace
    • clusterName: the name of the cluster
    • image: the name of the image
    • imageRepoName: the name of the image repository
    • imageRepoNamespace: the namespace to which the image repository belongs
    • imageRepoTag: the tag that is added to the image
    • imageDigest: the digest of the image
  Example: instanceId

ContainerFieldValue (string)
  The value of the condition that is used to query alert events on containers.
  Example: ccf9769c22b844ff9b8d57417683b****

TargetType (string)
  The item that is used to search for the container. Valid values:
    • containerId: the ID of the container
    • uuid: the UUID of the server
    • imageUuid: the UUID of the image
  Example: containerId

TacticId (string)
  The tactic ID of ATT&CK.
  Example: TA0001

OperateErrorCodeList (array of string)
  An array that consists of the handling result codes of alert events. Each element is one handling result code in the format Operation type.Operation result code. The following operation types are supported:
    • Common: performs common operations.
    • deal: handles the alert event.
    • ignore: ignores the alert event.
    • offline_handled: marks the alert event as handled.
    • mark_mis_info: adds the alert event to the whitelist.
    • rm_mark_mis_info: cancels adding the alert event to the whitelist.
    • quara: quarantines the source file of the malicious process.
    • kill_and_quara: terminates the malicious process and quarantines the source file.
    • kill_virus: deletes the source file of the malicious process.
    • block_ip: blocks the source IP address.
    • manual_handled: marks the alert event as manually handled.
    • advance_mark_mis_info: adds the alert event to the whitelist that is configured for precise defense.
    • advance_mark_mis_info.System: automatically adds the alert event to the whitelist that is configured for precise defense.
    • advance_mark_mis_info.User: manually adds the alert event to the whitelist that is configured for precise defense.
  The following handling result codes are supported:
    • Success: The operation is successful.
    • Failure: The operation fails.
    • AgentOffline: The agent is offline.
  Example element: ignore.Success

OperateTimeStart (string)
  The timestamp when the handling operation starts.
  Example: 2022-07-05 13:50:38

OperateTimeEnd (string)
  The timestamp when the handling operation ends.
  Example: 2022-07-06 13:50:38

TimeStart (string)
  The start of the time range in which the alert event was last detected.
  Example: 2022-07-05 13:50:38

TimeEnd (string)
  The end of the time range in which the alert event was last detected.
  Example: 2022-07-06 13:50:38

SortColumn (string)
  The custom sorting field. Default value: operateTime. Valid values:
    • lastTime: the latest occurrence time
    • operateTime: the handling time
  Note: This parameter takes effect only if you set the Dealed parameter to Y.
  Example: operateTime

SortType (string)
  The custom sorting order. Default value: desc. Valid values:
    • asc: ascending order
    • desc: descending order
  Note: This parameter takes effect only if you set the Dealed parameter to Y.
  Example: desc

AssetsTypeList (array of string)
  The types of the assets. Each element is one asset type. Valid values:
    • ECS: Elastic Compute Service (ECS) instance
    • CONTAINER: container
    • K8S: Kubernetes cluster
  Example element: ECS

ResourceDirectoryAccountId (long)
  The Alibaba Cloud account ID of the member in the resource directory.
  Note: You can call the DescribeMonitorAccounts operation to query the ID.
  Example: 16670360956*****

StrictMode (string)
  Specifies whether to enable the strict alerting mode. Valid values:
    • N: no
    • Y: yes
  Example: Y

MultiAccountActionType (integer)
  The type of the accounts that you want to query. Default value: 0. Valid values:
    • 0: the current account
    • 1: all accounts
  Example: 0

SourceAliUids (array of long)
  The IDs of the Alibaba Cloud accounts within which alerts are generated. Each element is the ID of one Alibaba Cloud account.
  Example element: 196072141348****

Response parameters

(object)
  The response parameters.

CurrentPage (integer)
  The page number of the returned page.
  Example: 1

PageSize (integer)
  The number of entries returned per page.
  Example: 20

RequestId (string)
  The ID of the request.
  Example: 0D6E20E4-8326-1D03-A553-2182BE9E82F9

TotalCount (integer)
  The total number of alert events.
  Example: 100

Count (integer)
  The number of entries returned on the current page.
  Example: 20

SuspEvents (array<object>)
  The information about the alert events. Each element is a WarningSummary object with the following fields.

  Stages (string)
    The stage at which the attack is detected.
    Example: "["authority_maintenance"]"

  TacticItems (array<object>)
    The display name of the attack stage. Each element is a TacticItem object with the following fields.

    TacticId (string)
      The ATT&CK stage information (tactic ID).
      Example: TA0001

    TacticDisplayName (string)
      The tactic name of ATT&CK.
      Example: Malicious scripts-Malicious script code execution

  InternetIp (string)
    The public IP address of the associated instance.
    Example: 1.2.XX.XX

  K8sClusterName (string)
    The name of the Kubernetes cluster.
    Example: k8s-daily

  ContainerImageId (string)
    The ID of the container image.
    Example: sha256:2e5a3b0ae5f452b3cb458789a9a7542ef40035a84318469a8528c5e444db1****

  LastTimeStamp (long)
    The timestamp when the alert event was last detected. Unit: milliseconds.
    Example: 1631699497000

  OccurrenceTime (string)
    The time when the alert event was first detected.
    Example: 2018-09-26 01:51:01

  AlarmUniqueInfo (string)
    The unique ID of the alert event.
    Example: 8df914418f****

  Desc (string)
    The impact of the alert event.
    Example: webshell

  CanCancelFault (boolean)
    Indicates whether you can cancel marking the alert event as a false positive. Valid values:
      • true
      • false
    Example: false

  AlarmEventNameDisplay (string)
    The name of the alert.
    Example: Login with unusual location

  AppName (string)
    The name of the application to which the alert event belongs.
    Example: pro-deploy-tibasic

  SecurityEventIds (string)
    The ID of the associated alert event.
    Example: 270789

  K8sClusterId (string)
    The ID of the Kubernetes cluster.
    Example: c517b37e1401e4961b3951863a49a****

  ContainerImageName (string)
    The name of the container image.
    Example: centos7_apache:v1.0.1

  MarkMisRules (string)
    The advanced whitelist rule.
    Example: [{\"uuid\":\"ALL\",\"field\":\"gmtModified\",\"operate\":\"contains\",\"fieldValue\":\"222\"}]

  CanBeDealOnLine (boolean)
    Indicates whether you can handle the alert event online, for example by quarantining the source file of the malicious process. Valid values:
      • true
      • false
    Example: true

  ContainHwMode (boolean)
    Indicates whether the safeguard mode for major activities is enabled for the server. Valid values:
      • true
      • false
    Example: false

  K8sNodeId (string)
    The ID of the Kubernetes node.
    Example: i-bp14a1ay8e0aa9t0****

  InstanceName (string)
    The name of the associated instance.
    Example: nginx

  EventStatus (integer)
    The status of the alert event. Valid values:
      • 1: pending handling
      • 2: ignored
      • 4: confirmed
      • 8: marked as a false positive
      • 16: handling
      • 32: handled
      • 64: expired
      • 604: marked as a false positive by the system
    Example: 1

  SaleVersion (string)
    The edition of Security Center in which the alert event can be detected. Valid values:
      • 0: Basic edition
      • 1: Enterprise edition
    Example: 1

  OperateErrorCode (string)
    The handling result code of the alert event.
    Example: kill_and_quara.Success

  Name (string)
    The complete name of the alert event.
    Example: Unusual Logon-Login with unusual location

  HasTraceInfo (boolean)
    Indicates whether the alert event has tracing information. Valid values:
      • true
      • false
    Example: true

  DataSource (string)
    The source of data. This parameter can be ignored.
    Example: aegis_suspicious_****

  OperateTime (long)
    The handling timestamp of the alert event. Unit: milliseconds.
    Example: 1631699497000

  EventSubType (string)
    The subtype of the alert event.
    Example: login_common_location

  Advanced (boolean)
    Indicates whether the alert event was analyzed offline.
    Example: true

  OccurrenceTimeStamp (long)
    The timestamp when the alert event was first detected. Unit: milliseconds.
    Example: 1631699497000

  InstanceId (string)
    The instance ID of the affected asset.
    Example: i-9dp6dwsxdl9z5u1e2f****

  AlarmEventTypeDisplay (string)
    The display name of the type of the alert event.
    Example: Unusual Logon

  IntranetIp (string)
    The private IP address of the associated instance.
    Example: 100.100.XX.XX

  LastTime (string)
    The time when the alert event was last detected.
    Example: 2018-09-26 01:51:01

  OperateMsg (string)
    The handling result message of the alert event.
    Example: success

  Uuid (string)
    The unique ID of the associated instance.
    Example: bf6b30d3-eea8-4924-9f0a-****

  K8sPodName (string)
    The name of the Kubernetes pod.
    Example: myapp-pod

  ContainerId (string)
    The ID of the container.
    Example: container_1648601865161_14925_02_000****

  AlarmEventType (string)
    The type of the alert event.
    Example: Unusual Logon

  K8sNamespace (string)
    The namespace of the Kubernetes cluster.
    Example: default

  AutoBreaking (boolean)
    Indicates whether automatic defense is enabled.
    Example: true

  K8sNodeName (string)
    The name of the Kubernetes node.
    Example: N/A

  AlarmEventName (string)
    The name of the alert event.
    Example: login_common_location

  UniqueInfo (string)
    The unique key of the alert.
    Example: e17e****

  MaliciousRuleStatus (string)
    The status of the malicious behavior defense rule. Valid values:
      • open
      • close
    Example: open

  Level (string)
    The severity of the alert event. Valid values:
      • serious
      • suspicious
      • remind
    Example: serious

  Id (long)
    The unique ID of the alert event.
    Example: 1000

  Details (array<object>)
    The details of the alert event. Each element is a QuaraFile object with the following fields.

    Type (string)
      The type of the alert event.
      Example: text

    Value (string)
      The path of the alert event.
      Example: /etc/crontab

    NameDisplay (string)
      The display name of the alert event.
      Example: Login with unusual location

    ValueDisplay (string)
      The display name of the path of the alert event.
      Example: /etc/crontab

  EventNotes (array<object>)
    The note information about the alert event. Each element is an EventNote object with the following fields.

    Note (string)
      The note.
      Example: Test

    NoteId (long)
      The ID of the note.
      Example: 123

    NoteTime (string)
      The time when the note was created.
      Example: 2018-09-26 01:51:01

  clusterId (string)
    The ID of the cluster.
    Example: c2051775877374cccbf68af596e6****

  ImageUuid (string)
    The UUID of the image.
    Example: 70489fb520cea585ad9761d5a842****

  DisplaySandboxResult (boolean)
    Indicates whether the alert event can be detected by cloud sandbox. Valid values:
      • true
      • false
    Example: true

  LargeModel (boolean)
    Indicates whether the large model analysis tag is supported. Valid values:
      • true
      • false
    Example: true

  MarkList (array of string)
    The tags of the alert events. Each element (EventMark) is the tag of one alert event.
    Example element: mark

  SourceAliUid (long)
    The ID of the Alibaba Cloud account within which an alert is generated.
    Example: 196072141348****

Examples

Sample success responses

JSON format

{
  "CurrentPage": 1,
  "PageSize": 20,
  "RequestId": "0D6E20E4-8326-1D03-A553-2182BE9E82F9",
  "TotalCount": 100,
  "Count": 20,
  "SuspEvents": [
    {
      "Stages": "\"[\"authority_maintenance\"]\"",
      "TacticItems": [
        {
          "TacticId": "TA0001",
          "TacticDisplayName": "Malicious scripts-Malicious script code execution"
        }
      ],
      "InternetIp": "1.2.XX.XX",
      "K8sClusterName": "k8s-daily",
      "ContainerImageId": "sha256:2e5a3b0ae5f452b3cb458789a9a7542ef40035a84318469a8528c5e444db1****",
      "LastTimeStamp": 1631699497000,
      "OccurrenceTime": "2018-09-26 01:51:01",
      "AlarmUniqueInfo": "8df914418f****",
      "Desc": "webshell",
      "CanCancelFault": false,
      "AlarmEventNameDisplay": "Login with unusual location",
      "AppName": "pro-deploy-tibasic",
      "SecurityEventIds": "270789",
      "K8sClusterId": "c517b37e1401e4961b3951863a49a****",
      "ContainerImageName": "centos7_apache:v1.0.1",
      "MarkMisRules": "[{\\\"uuid\\\":\\\"ALL\\\",\\\"field\\\":\\\"gmtModified\\\",\\\"operate\\\":\\\"contains\\\",\\\"fieldValue\\\":\\\"222\\\"}]",
      "CanBeDealOnLine": true,
      "ContainHwMode": false,
      "K8sNodeId": "i-bp14a1ay8e0aa9t0****\n",
      "InstanceName": "nginx",
      "EventStatus": 1,
      "SaleVersion": "1",
      "OperateErrorCode": "kill_and_quara.Success",
      "Name": "Unusual Logon-Login with unusual location",
      "HasTraceInfo": true,
      "DataSource": "aegis_suspicious_****",
      "OperateTime": 1631699497000,
      "EventSubType": "login_common_location",
      "Advanced": true,
      "OccurrenceTimeStamp": 1631699497000,
      "InstanceId": "i-9dp6dwsxdl9z5u1e2f****",
      "AlarmEventTypeDisplay": "Unusual Logon",
      "IntranetIp": "100.100.XX.XX",
      "LastTime": "2018-09-26 01:51:01",
      "OperateMsg": "success",
      "Uuid": "bf6b30d3-eea8-4924-9f0a-****",
      "K8sPodName": "myapp-pod\n",
      "ContainerId": "container_1648601865161_14925_02_000****",
      "AlarmEventType": "Unusual Logon",
      "K8sNamespace": "default",
      "AutoBreaking": true,
      "K8sNodeName": "N/A",
      "AlarmEventName": "login_common_location",
      "UniqueInfo": "e17e****",
      "MaliciousRuleStatus": "open",
      "Level": "serious",
      "Id": 1000,
      "Details": [
        {
          "Type": "text",
          "Value": "/etc/crontab",
          "NameDisplay": "Login with unusual location",
          "ValueDisplay": "/etc/crontab"
        }
      ],
      "EventNotes": [
        {
          "Note": "Test",
          "NoteId": 123,
          "NoteTime": "2018-09-26 01:51:01\n"
        }
      ],
      "clusterId": "c2051775877374cccbf68af596e6****",
      "ImageUuid": "70489fb520cea585ad9761d5a842****",
      "DisplaySandboxResult": true,
      "LargeModel": true,
      "MarkList": [
        "mark"
      ],
      "SourceAliUid": 0
    }
  ]
}
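A triage helper for the response structure documented above, added here as an example; it is not Alibaba Cloud's SDK or sample code and does not call the API itself (the SAMPLE dict is a trimmed copy of the sample response on this page). It decodes the quoted Stages string, splits OperateErrorCode on its last dot so that operation types such as advance_mark_mis_info.System survive, maps EventStatus to the documented labels, and works out how many pages a full walk of TotalCount entries needs with PageSize capped at 100.

```python
import json
import math

# EventStatus codes as listed in the response table on this page.
EVENT_STATUS = {1: "pending handling", 2: "ignored", 4: "confirmed",
                8: "marked as a false positive", 16: "handling", 32: "handled",
                64: "expired", 604: "marked as a false positive by the system"}
MAX_PAGE_SIZE = 100  # documented maximum for the PageSize request parameter

def parse_stages(raw):
    """Decode Stages. The sample response wraps the JSON array in an extra pair of
    quotes, so try the raw text first and then the text with that layer stripped."""
    s = (raw or "").strip()
    candidates = [s]
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        candidates.append(s[1:-1])
    for text in candidates:
        try:
            parsed = json.loads(text)
            while isinstance(parsed, str):       # doubly encoded: decode again
                parsed = json.loads(parsed)
            return [str(x) for x in parsed]
        except (json.JSONDecodeError, TypeError):
            continue
    return [s] if s else []

def parse_operate_code(code):
    """Split 'Operation type.Operation result code' on the LAST dot, because the
    operation type itself may contain one (advance_mark_mis_info.System)."""
    if not code or "." not in code:
        return (code or "", "")
    op, result = code.rsplit(".", 1)
    return (op.strip(), result.strip())

def page_count(total_count, page_size):
    """Calls needed to walk TotalCount entries; PageSize is capped at 100."""
    size = min(max(int(page_size), 1), MAX_PAGE_SIZE)
    return math.ceil(total_count / size)

def summarize(event):
    """Reduce one SuspEvents item to what a triage queue needs to route it."""
    op, result = parse_operate_code(event.get("OperateErrorCode", ""))
    return {"id": event.get("Id"), "name": event.get("Name"),
            "level": event.get("Level"),
            "status": EVENT_STATUS.get(event.get("EventStatus"), "unknown"),
            "asset": event.get("InstanceId"),
            "stages": parse_stages(event.get("Stages")),
            "tactics": [t.get("TacticId") for t in event.get("TacticItems", [])],
            "last_action": op, "last_result": result,
            # unhandled serious alerts go to the front of the queue
            "needs_attention": event.get("Level") == "serious" and event.get("EventStatus") == 1}

# Constructed sample: a trimmed copy of the success response shown on this page.
SAMPLE = {"TotalCount": 100, "PageSize": 20, "SuspEvents": [{
    "Id": 1000, "Name": "Unusual Logon-Login with unusual location", "Level": "serious",
    "EventStatus": 1, "InstanceId": "i-9dp6dwsxdl9z5u1e2f****",
    "Stages": "\"[\"authority_maintenance\"]\"", "TacticItems": [{"TacticId": "TA0001"}],
    "OperateErrorCode": "kill_and_quara.Success"}]}
```

Call page_count(SAMPLE["TotalCount"], SAMPLE["PageSize"]) to size a full walk, and summarize(event) on each SuspEvents item to feed a queue.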

Error codes

Each entry lists the HTTP status code, the error code, the error message, and, where available, a description.

  • 400 NoPermission: no permission
  • 400 UnknownError: UnknownError
  • 400 RdCheckNoPermission: Resource directory account verification has no permission.
  • 403 NoPermission: caller has no permission. Description: You are not authorized to do this operation.
  • 500 RdCheckInnerError: Resource directory account service internal error.
  • 500 ServerError: ServerError

For a list of error codes, visit the Service error codes.

Change history

  • 2024-09-05: The error codes have changed. The request parameters of the API have changed. The response structure of the API has changed.
  • 2024-06-21: The error codes have changed. The response structure of the API has changed.
  • 2024-05-13: The error codes have changed. The request parameters of the API have changed.
  • 2024-01-24: The error codes have changed.
  • 2023-09-21: The error codes have changed.
  • 2023-09-20: The error codes have changed.
  • 2023-09-13: The error codes have changed.
  • 2023-09-07: The error codes have changed.
  • 2023-08-09: The error codes have changed. The response structure of the API has changed.
  • 2023-07-20: The error codes have changed. The request parameters of the API have changed.
  • 2023-04-25: The error codes have changed. The response structure of the API has changed.