
Security Center:ExportSuspEvents

Last Updated:Nov 25, 2024

Exports the information about exceptions to a file.

Debugging

You can run this operation directly in OpenAPI Explorer, which saves you the trouble of calculating request signatures. After the call succeeds, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description of the columns:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation.
Operation                   | Access level | Resource type     | Condition key | Associated operation
yundun-sas:ExportSuspEvents | none         | All Resources (*) | none          | none

Request parameters

Each parameter is listed as Name (type, required or optional), followed by its description and an example value.

SourceIp (string, optional)
The source IP address of the request. The value of this parameter is specified by the system.
Example: 127.0.XX.XX

Dealed (string, optional)
The status of the alert event. Valid values:
  • N: unhandled
  • Y: handled
Example: Y

TimeStart (string, optional)
The beginning of the time range during which the exception is detected.
Example: 2022-10-01 00:00:00

TimeEnd (string, optional)
The end of the time range during which the exception is detected.
Example: 2022-12-05 00:00:00

Name (string, optional)
The complete name of the exception.
Example: WEBSHELL

Levels (string, optional)
The severity of the alert event. Separate multiple severities with commas (,). Valid values:
  • serious
  • suspicious
  • remind
Example: serious,suspicious,remind

ParentEventTypes (string, optional)
The alert type of the alert event. Valid values:
  • Suspicious process
  • Webshell
  • Unusual logon
  • Exception
  • Sensitive file tampering
  • Malicious process (cloud threat detection)
  • Suspicious network connection
  • Suspicious account
  • Application intrusion event
  • Cloud threat detection
  • Precise defense
  • Application whitelist
  • Persistent webshell
  • Web application threat detection
  • Malicious script
  • Threat intelligence
  • Malicious network activity
  • Cluster exception
  • Webshell (on-premises threat detection)
  • Vulnerability exploitation
  • Malicious process (on-premises threat detection)
  • Trusted exception
  • Others
Example: WEBSHELL

Remark (string, optional)
The remarks.
Example: remark

Status (string, optional)
The handling status of the exception. Valid values:
  • 0: all statuses
  • 1: pending handling
  • 2: ignored
  • 4: confirmed
  • 8: marked as false positive
  • 16: handling
  • 32: handled
  • 64: expired
  • 128: deleted
Example: 0

Lang (string, optional)
The language of the content within the request and response. Default value: zh. Valid values:
  • zh: Chinese
  • en: English
Example: zh

From (string, optional)
The data source of the exception. Set the value to sas.
Example: sas

ClusterId (string, optional)
The ID of the cluster that you want to query.
Note: You can call the DescribeGroupedContainerInstances operation to query the IDs of clusters.
Example: c4af4fdf38a98496a9b63c2be5dae****

ContainerFieldName (string, optional)
The key of the condition that is used to query alert events on containers. Valid values:
  • instanceId: the ID of the asset
  • appName: the name of the application
  • clusterId: the ID of the cluster
  • regionId: the ID of the region
  • nodeName: the name of the node
  • namespace: the namespace
  • clusterName: the name of the cluster
  • image: the name of the image
  • imageRepoName: the name of the image repository
  • imageRepoNamespace: the namespace to which the image repository belongs
  • imageRepoTag: the tag that is added to the image
  • imageDigest: the digest of the image
Example: clusterId

ContainerFieldValue (string, optional)
The value of the condition that is used to query alert events on containers.
Example: c819391d2d520485fa3e81e2dc2ea****

TargetType (string, optional)
The dimension from which you want to configure the feature. Valid values:
  • uuid: the UUID of the asset
  • image_repo: the ID of the image repository
  • Cluster: the ID of the cluster
Example: uuid

PageSize (string, optional)
The number of entries to return on each page. Default value: 20.
Example: 20

CurrentPage (string, optional)
The number of the page to return.
Example: 1

AssetsTypeList (array of string, optional)
The types of assets. Each element is one asset type.
Example element: ECS

Uuid (string, optional)
The unique ID of the associated instance.
Example: 18b7336e-d469-473b-af83-8e5420f9****

UniqueInfo (string, optional)
The unique key of the alert event.
Example: 1fbe8d16727f61d1478a674d6fa0****

Id (long, optional)
The unique ID of the alert event.
Example: 17821

OperateErrorCodeList (array of string, optional)
The status codes of alert events. Each element is the status code of one operation on the alert event, in the format <Operation type>.<Status code>. The following operation types are supported:
  • Common: performs common operations.
  • deal: handles the alert event.
  • ignore: ignores the alert event.
  • offline_handled: marks the alert as handled.
  • mark_mis_info: marks the alert as a false positive by adding it to the whitelist.
  • rm_mark_mis_info: cancels a false positive by removing the alert from the whitelist.
  • quara: quarantines the source file of the malicious process.
  • kill_and_quara: terminates the malicious process and quarantines the source file.
  • kill_virus: deletes the source file of the malicious process.
  • block_ip: blocks the source IP address.
  • manual_handled: manually handles the alert event.
  • advance_mark_mis_info: adds the alert event to the whitelist that is configured for precise defense.
  • advance_mark_mis_info.System: automatically adds the alert event to the whitelist that is configured for precise defense.
  • advance_mark_mis_info.User: manually adds the alert event to the whitelist that is configured for precise defense.
The following status codes are supported:
  • Success: The operation is successful.
  • Failure: The operation fails.
  • AgentOffline: The agent is offline.
Example element: ignore.Success

GroupId (long, optional)
The ID of the asset group.
Example: 8076980
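The parameter ranges above are easy to get subtly wrong from a script: a misspelled severity in Levels, a Status value that is not one of the documented codes, or an OperateErrorCodeList entry with a stray space all come back as a 400 IllegalParam only after the request has been signed and sent. The following Python module is an added example, not Alibaba Cloud's SDK code or OpenAPI Explorer output: it checks every documented value range locally and assembles the query parameters as strings. It assumes that array parameters are flattened on the wire as Name.1, Name.2, ... (an RPC-style list encoding that you should confirm against the SDK you use); signing and transport are left to the SDK.

```python
"""Client-side validation and assembly of ExportSuspEvents request parameters.

Added example, not Alibaba Cloud SDK code. Value ranges come from the
parameter table of this page; the Name.1/Name.2 list encoding is an assumption.
"""
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"          # format of TimeStart / TimeEnd
VALID_LEVELS = {"serious", "suspicious", "remind"}
VALID_STATUS = {0, 1, 2, 4, 8, 16, 32, 64, 128}
VALID_DEALED = {"Y", "N"}
VALID_LANG = {"zh", "en"}
VALID_TARGET_TYPE = {"uuid", "image_repo", "Cluster"}
VALID_CONTAINER_FIELD = {
    "instanceId", "appName", "clusterId", "regionId", "nodeName", "namespace",
    "clusterName", "image", "imageRepoName", "imageRepoNamespace",
    "imageRepoTag", "imageDigest",
}
VALID_OPERATION = {
    "Common", "deal", "ignore", "offline_handled", "mark_mis_info",
    "rm_mark_mis_info", "quara", "kill_and_quara", "kill_virus", "block_ip",
    "manual_handled", "advance_mark_mis_info", "advance_mark_mis_info.System",
    "advance_mark_mis_info.User",
}
VALID_OP_STATUS = {"Success", "Failure", "AgentOffline"}
# Parameters the page documents as free-form strings (IDs, names, remarks).
FREE_TEXT = {"SourceIp", "Name", "Remark", "ClusterId", "ContainerFieldValue",
             "Uuid", "UniqueInfo", "ParentEventTypes"}


class ParamError(ValueError):
    """A parameter value is outside the range documented for ExportSuspEvents."""


def parse_operate_code(code: str) -> tuple:
    """Split '<Operation type>.<Status code>' and check both halves.

    rpartition is used because the operation type itself may contain a dot
    (advance_mark_mis_info.System / advance_mark_mis_info.User).
    """
    op, _, status = code.rpartition(".")
    if op not in VALID_OPERATION:
        raise ParamError(f"unknown operation type in OperateErrorCodeList: {code!r}")
    if status not in VALID_OP_STATUS:
        raise ParamError(f"unknown status code in OperateErrorCodeList: {code!r}")
    return op, status


def parse_levels(levels: str) -> list:
    """Split the comma-separated Levels value and reject unknown severities."""
    parts = [p.strip() for p in levels.split(",") if p.strip()]
    if not parts or any(p not in VALID_LEVELS for p in parts):
        raise ParamError(f"Levels must be a comma-separated subset of "
                         f"{sorted(VALID_LEVELS)}: {levels!r}")
    return parts


def build_params(**kw) -> dict:
    """Return validated ExportSuspEvents query parameters as wire-ready strings."""
    scalar_checks = {
        "Dealed": lambda v: v in VALID_DEALED,
        "Lang": lambda v: v in VALID_LANG,
        "From": lambda v: v == "sas",                      # the only documented value
        "TargetType": lambda v: v in VALID_TARGET_TYPE,
        "ContainerFieldName": lambda v: v in VALID_CONTAINER_FIELD,
        "Status": lambda v: str(v).isdigit() and int(v) in VALID_STATUS,
        "PageSize": lambda v: str(v).isdigit() and int(v) > 0,
        "CurrentPage": lambda v: str(v).isdigit() and int(v) > 0,
        "Id": lambda v: str(v).isdigit(),
        "GroupId": lambda v: str(v).isdigit(),
    }
    out = {}
    for name, value in kw.items():
        if name in scalar_checks:
            if not scalar_checks[name](value):
                raise ParamError(f"{name}={value!r} is not a documented value")
            out[name] = str(value)
        elif name in FREE_TEXT:
            out[name] = str(value)
        elif name == "Levels":
            out[name] = ",".join(parse_levels(value))
        elif name in ("TimeStart", "TimeEnd"):
            datetime.strptime(value, TIME_FMT)               # ValueError on bad format
            out[name] = value
        elif name == "AssetsTypeList":
            for i, item in enumerate(value, 1):              # assumed list encoding
                out[f"{name}.{i}"] = str(item)
        elif name == "OperateErrorCodeList":
            for i, item in enumerate(value, 1):
                parse_operate_code(item)
                out[f"{name}.{i}"] = item
        else:
            raise ParamError(f"{name} is not an ExportSuspEvents parameter")

    # A reversed time range is a logic error; catch it before the call.
    if "TimeStart" in out and "TimeEnd" in out:
        if (datetime.strptime(out["TimeStart"], TIME_FMT)
                > datetime.strptime(out["TimeEnd"], TIME_FMT)):
            raise ParamError("TimeStart must not be later than TimeEnd")
    return out


if __name__ == "__main__":
    # Example values from this page; the list encoding is the assumption noted above.
    print(build_params(TimeStart="2022-10-01 00:00:00", TimeEnd="2022-12-05 00:00:00",
                       Levels="serious,suspicious", Status=0, Lang="en", From="sas",
                       AssetsTypeList=["ECS"],
                       OperateErrorCodeList=["ignore.Success",
                                             "advance_mark_mis_info.System.Failure"]))
```

The validator deliberately only encodes constraints the parameter table states; it passes ParentEventTypes through unchecked because the page lists display names as valid values but shows an upper-case code as the example, so a strict check would reject one of the two forms the page itself uses.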

Response parameters

The response body is an object with the following fields.

RequestId (string)
The ID of the request.
Example: EF145C20-6A19-529A-8BDD-0671DXXXXXX

FileName (string)
The name of the exported file.
Example: suspicious_event_20221209

Id (integer)
The ID of the export record of the anomalous event.
Example: 1

Examples

Sample success responses

JSON format

{
  "RequestId": "EF145C20-6A19-529A-8BDD-0671DXXXXXX",
  "FileName": "suspicious_event_20221209",
  "Id": 1
}

Error codes

HTTP status code | Error code            | Error message                  | Description
400              | IllegalParam          | Illegal param                  | -
400              | FreeVersionNotPermit  | Free version is not permitted. | The free version cannot be used.
403              | NoPermission          | caller has no permission       | You are not authorized to do this operation.
500              | ServerError           | ServerError                    | -

For a list of error codes, see Service error codes.

Change history

Change time | Summary of changes
2024-06-13  | The error codes have changed.
2023-12-06  | The error codes have changed. The request parameters of the API have changed.
2023-10-11  | The error codes have changed. The request parameters of the API have changed.
2023-10-11  | The error codes have changed. The request parameters of the API have changed.