QueryIncidentTracingDetail - Security Center - Alibaba Cloud Documentation Center

Queries the provenance graph of an event by using the event ID.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
yundun-sas:QueryIncidentTracingDetail	get	All Resources *	none	none

Request parameters

Parameter	Type	Required	Description	Example
IncidentId	string	Yes	The ID of the event. Note You can call the DescribeCloudSiemEvents operation to query the IDs of events.	184892fc5245b3ce8c3316434c94261f

Response parameters

Parameter	Type	Description	Example
	object	The provenance graph.
TracingDetail	object	The information about the provenance graph.
VertexList	array<object>	The nodes.
VertexList	object
Id	string	The ID of the current node.	383044
Name	string	The name of the current node.	auto-test-attestor
Type	string	The type of the current node. Valid values include the following values: process file alert ip domain	alidetect
Time	string	The time when the current node was created.	2021-11-26
Timestamp	long	The UNIX timestamp when the current node was created. Unit: milliseconds.	1663048980
Uuid	string	The UUID of the current node. The security information and event management (SIEM) system generates UUIDs for nodes and edges in the provenance graph to help you locate the nodes or edges.	32e36d8a-2b5d-4f71-98a8-12775685a3b4
RuleId	string	The ID of the rule based on which the current node is generated.	301425
Properties	string	The text that contains the properties of the current node.	[{'PropertyValues': [{'PropertyValueId': 239, 'PropertyValue': '121'}, {'PropertyValueId': 240, 'PropertyValue': '6666'}], 'PropertyKey': '22222222', 'PropertyId': 203}]
Property	object	The property of the current node.	{\"coverage\":\"global\"}
UpdateTime	string	The time when the current node was updated.	2022-01-13 12:49:33
Aliuid	string	The ID of the Alibaba Cloud account to which the current node belongs.	1487146717137516
NeighborList	array<object>	The nodes that are adjacent to the current node.
NeighborList	object
Type	string	The type of the node. Valid values include the following values: process file alert ip domain	2
Count	integer	The number of nodes.	0
HasMore	boolean	Indicates whether more nodes are adjacent to the current node. Valid values: true false	True
DisplayInfo	array<object>	The display information of the current node.
DisplayInfo	object
Name	string	The name of the property that needs to be displayed for the current node.	scan:ACSV-2020-111301
Value	string	The value of the property that needs to be displayed for the current node.	10.16.1
Lang	string	The rendering language of the current node.	zh
EdgeList	array<object>	The edges.
EdgeList	object
StartId	string	The ID of the start node for the current edge.	23003
StartType	string	The type of the start node for the current edge. Valid values include the following values: process file alert: ip domain	process
EndId	string	The ID of the end node for the current edge.	223a185f05e5fc3c637
EndType	string	The type of the end node for the current edge. Valid values include the following values: process file alert ip domain	process_test_process
Name	string	The name of the current edge.	mongod
Type	string	The type of the current edge. Valid values include the following values: process_exec_file: The relationship indicates an executable file that is run by a process. process_connect_ip: The relationship indicates an IP address that is connected by a process. domain_trgger_alert: The relationship indicates an alert that is triggered for a domain name.	elf
Time	string	The time when the current edge was created.	1652941117
Timestamp	long	The UNIX timestamp when the current edge was created. Unit: milliseconds.	1636092632
Aliuid	string	The ID of the Alibaba Cloud account to which the current edge belongs.	1277498600854739
Uuid	string	The UUID of the current edge. The SIEM system generates UUIDs for nodes and edges in the provenance graph to help you locate the nodes or edges.	678e29f4-d78f-4a7c-a2bc-38434a138538
Origin	string	The origin vertex ID of the current edge.	distribution
Properties	string	The text that contains the properties of the current edge.	{\"bandWidth\":\"8192\",\"internetIp\":\"8.211.13.50\",\"changeReason\":\"EIP_BIND\",\"bindInstanceId\":\"i-gw887xhzjvyjfv7vdfs3\",\"bindType\":\"EIP_ECS\"}
Property	object	The property of the current edge.	{\"coverage\":\"global\"}
ShowType	string	The display type of the current edge.	0
RuleId	string	The ID of the rule based on which the current edge is generated.	136
UpdateTime	string	The time when the current edge was updated.	2022-01-13 12:49:33
TypeName	string	The type of the current edge.	cis
EntityTypeList	array<object>	The entities.
EntityTypeList	object
Id	string	The ID of the current entity.	1425
Name	string	The type of the current entity. Valid values include the following values: process file alert ip domain	auto-test-policy-name
GmtCreate	string	The time when the current entity was created.	2022-10-09T10:53Z
GmtModified	string	The time when the current entity was updated.	1585816811000
Namespace	string	The namespace of the current entity.	78
DisplayTemplate	string	The display template of the current entity.	[]
DisplayColor	string	The display color of the current entity.	#FFF
SyncId	integer	The synchronization ID of the current entity.	e2fdf402-b4ed-4e1a-9e95-44d6069600b0
CurrentVersionId	string	The version ID of the current entity.	1768
DisplayIcon	string	The display icon of the current entity.	-
DisplayOrder	integer	The display sequence of the current entity.	2
TraceSuccessFlag	integer	The tag that indicates whether tracing was successful. Valid values: 1: successful 0: failed	1
IsVirtualNode	integer	Indicates whether the entity is a virtual node. Valid values: 1: yes 0: no	1
RelationTypeList	array<object>	The relationships.
RelationTypeList	object
Id	string	The ID of the current relationship.	1514
Name	string	The type of the current relationship. Valid values include the following values: process_exec_file: The relationship indicates an executable file that is run by a process. process_connect_ip: The relationship indicates an IP address that is connected by a process. domain_trgger_alert: The relationship indicates an alert that is triggered for a domain name.	wusa
Directed	integer	The direction of the current relationship. Valid values: 1: forward 0: reverse	1
GmtCreate	string	The time when the current relationship was created.	2022-09-23T10:50Z
GmtModified	string	The time when the current relationship was updated.	2022-07-12T07:58:49Z
Namespace	string	The namespace of the current relationship.	default
DisplayTemplate	string	The display template of the current relationship.	[]
DisplayColor	string	The display color of the current relationship.	#FFF
SyncId	integer	The synchronization ID of the current relationship.	sync-0000aws50gyy2ocisbmx
CurrentVersionId	string	The version ID of the current relationship.	1487
ShowType	string	The display type of the current relationship.	0
DisplayIcon	string	The display icon of the current relationship.	https://img.alicdn.com/imgextra/i2/O1CN01jpZwD31G56XYPEJv2_!!600000000****-55-tps-25-28.svg
Lang	string	The rendering language of the returned result. Valid values: zh: Chinese en: English	zh
Success	boolean	Indicates whether the request was successful. Valid values: true false	True
RequestId	string	The request ID.	D2956025-4E5C-529D-92B4-B2591DDED067

Examples

Sample success responses

JSONformat

{
  "TracingDetail": {
    "VertexList": [
      {
        "Id": "383044",
        "Name": "auto-test-attestor",
        "Type": "alidetect",
        "Time": "2021-11-26",
        "Timestamp": 1663048980,
        "Uuid": "32e36d8a-2b5d-4f71-98a8-12775685a3b4",
        "RuleId": "301425",
        "Properties": "[{'PropertyValues': [{'PropertyValueId': 239, 'PropertyValue': '121'}, {'PropertyValueId': 240, 'PropertyValue': '6666'}], 'PropertyKey': '22222222', 'PropertyId': 203}]",
        "Property": {
          "test": "test",
          "test2": 1
        },
        "UpdateTime": "2022-01-13 12:49:33",
        "Aliuid": "1487146717137516",
        "NeighborList": [
          {
            "Type": "2",
            "Count": 0,
            "HasMore": true
          }
        ],
        "DisplayInfo": [
          {
            "Name": "scan:ACSV-2020-111301",
            "Value": "10.16.1"
          }
        ],
        "Lang": "zh"
      }
    ],
    "EdgeList": [
      {
        "StartId": "23003",
        "StartType": "process",
        "EndId": "223a185f05e5fc3c637",
        "EndType": "process_test_process",
        "Name": "mongod",
        "Type": "elf",
        "Time": "1652941117",
        "Timestamp": 1636092632,
        "Aliuid": "1277498600854739",
        "Uuid": "678e29f4-d78f-4a7c-a2bc-38434a138538",
        "Origin": "distribution",
        "Properties": "{\\\"bandWidth\\\":\\\"8192\\\",\\\"internetIp\\\":\\\"8.211.13.50\\\",\\\"changeReason\\\":\\\"EIP_BIND\\\",\\\"bindInstanceId\\\":\\\"i-gw887xhzjvyjfv7vdfs3\\\",\\\"bindType\\\":\\\"EIP_ECS\\\"}",
        "Property": {
          "test": "test",
          "test2": 1
        },
        "ShowType": "0",
        "RuleId": "136",
        "UpdateTime": "2022-01-13 12:49:33",
        "TypeName": "cis"
      }
    ],
    "EntityTypeList": [
      {
        "Id": "1425",
        "Name": "auto-test-policy-name",
        "GmtCreate": "2022-10-09T10:53Z",
        "GmtModified": "1585816811000",
        "Namespace": "78",
        "DisplayTemplate": "[]",
        "DisplayColor": "#FFF",
        "SyncId": 0,
        "CurrentVersionId": "1768",
        "DisplayIcon": "-",
        "DisplayOrder": 2,
        "TraceSuccessFlag": 1,
        "IsVirtualNode": 1
      }
    ],
    "RelationTypeList": [
      {
        "Id": "1514",
        "Name": "wusa",
        "Directed": 1,
        "GmtCreate": "2022-09-23T10:50Z",
        "GmtModified": "2022-07-12T07:58:49Z",
        "Namespace": "default",
        "DisplayTemplate": "[]",
        "DisplayColor": "#FFF",
        "SyncId": 0,
        "CurrentVersionId": "1487",
        "ShowType": "0",
        "DisplayIcon": "https://img.alicdn.com/imgextra/i2/O1CN01jpZwD31G56XYPEJv2_!!600000000****-55-tps-25-28.svg"
      }
    ],
    "Lang": "zh"
  },
  "Success": true,
  "RequestId": "D2956025-4E5C-529D-92B4-B2591DDED067"
}

Error codes

HTTP status code	Error code	Error message	Description
400	TracingDetailError	The Incident tracing detail error, please try again.	-
403	NoPermission	caller has no permission	You are not authorized to do this operation.
500	ServerError	ServerError	-

For a list of error codes, visit the Service error codes.

Change history

Change time	Summary of changes	Operation

No change history