DescribeAlarmEventList
Description
Call the DescribeAlarmEventList operation to obtain the alarm event information shown on the security alarm handling page. Alarm events are divided into two dimensions: alarms and exceptions. One alarm event contains multiple exception events.
Request Method
POST
Request Path
/apsara/route/Sas/DescribeAlarmEventList
Request Parameters
Common Parameters
Name | Location | Type | Required | Sample value | Description |
---|---|---|---|---|---|
PageSize | BODY | string | Yes | 20 | The maximum number of records per page in a paged query. Default: 20. |
AlarmEventName | BODY | string | No | DDoS Trojan | The name of the alarm event. |
Lang | BODY | string | No | zh | The language of the request and response messages. zh: Chinese; en: English. |
From | BODY | string | Yes | sas | The request source identifier, fixed as sas. |
Dealed | BODY | string | No | Y | The alarm event status. N: pending alarms; Y: processed alarms. |
version | BODY | string | No | 2016-01-01 | The API version. |
Remark | BODY | string | No | database_server | The alarm name or asset information. |
GroupId | BODY | string | No | tst*** | The ID of the asset group affected by the alarm event. |
SourceIp | BODY | string | No | 1.2.3.4 | The IP address of the access source. |
CurrentPage | BODY | integer | Yes | 1 | The number of the page to return in a paged query. Starts at 1; default: 1. |
regionId | BODY | string | Yes | No sample value for this parameter. | The region ID. |
AlarmEventType | BODY | string | No | malicious process (cloud killing) | The type of the alarm event. |
Levels | BODY | string | No | serious | The risk levels of the alarm events to return. Separate multiple levels with commas, in descending order of severity. serious: Emergency; suspicious: Suspicious; mind: Reminder. |
OperateErrorCodeList.N | BODY | repeatlist | No | ignore. Success | The alarm event processing result codes, in the format "operation type. operation result code". Operation types: Common: general operation; deal: processing; ignore: ignore; offline_handled: alarm confirmed; mark_mis_info: whitelist; rm_mark_mis_info: cancel whitelist; quara: isolation; kill_and_quara: ordinary killing; kill_virus: deep cleanup; block_ip: block; manual_handled: manual processing. Operation result codes: Success: success; Failure: failed; AgentOffline: client offline. |
Return data
Name | Type | Sample value | Description |
---|---|---|---|
Description | string | After hackers invade a server, in order to keep malicious backdoor programs running persistently, they often write malicious shell scripts into scheduled tasks such as crontab and systemd. | The description of the alarm event. |
EndTime | long | 1543740301000 | The end time of the alarm event, in milliseconds. |
PageSize | integer | 20 | The maximum number of records per page in a paged query. |
OperateErrorCode | string | kill_and_quara. Success | The alarm processing result code. |
AlarmEventName | string | execute malicious command | The name of the alarm event. |
SecurityEventIds | string | 270789 | The IDs of the associated exceptions. |
GmtModified | long | 1569235879000 | The time when the alarm last occurred, in milliseconds. |
Count | integer | 1 | The number of records on the current page of a paged query. |
IntranetIp | string | 1.2.3.5 | The private IP address of the affected asset instance. |
HasTraceInfo | boolean | true | Whether the alarm has tracing information. true: traceable; false: not traceable. |
InternetIp | string | 1.2.3.4 | The public IP address of the affected asset instance. |
AlarmEventType | string | process exception behavior | The type of the alarm event. |
Solution | string | Check the malicious URL indicated in the alarm and the malicious files in the download directory, and clean up the running malicious processes promptly. If you executed the command yourself, you can mark it as a false positive in the console. | The method for handling the alarm event. |
CanCancelFault | boolean | false | Whether the alarm can be unmarked as a false positive. |
AlarmEventNameOriginal | string | malicious command execution precision defense | The original parent name of the alarm event. |
RequestId | string | 28267723-D857-4DD8-B295-013100000000 | The request ID of the result. |
InstanceId | string | i-e*** | The ID of the affected asset instance. |
StartTime | long | 1543740301000 | The start time of the alarm event. |
SaleVersion | string | 1 | The sales edition that supports detection of this alarm event. 0: Basic edition; 1: Enterprise edition. |
Dealed | boolean | false | Whether the alarm has been processed. true: processed; false: pending. |
DataSource | string | aegis_*** | The data source. |
InstanceName | string | test server | The name of the affected asset instance. |
CanBeDealOnLine | boolean | true | Whether the alarm event can be handled online (for example, blocking, isolation, adding to the whitelist, or ignoring). true: online handling is supported; false: online handling is not supported. |
PageInfo | struct | No sample value for this parameter. | The paging information. |
TotalCount | integer | 1 | The total number of alarm events. |
Uuid | string | 47900178-885d-4fa4-9d77-*** | The unique identifier of the associated instance. |
CurrentPage | integer | 1 | The number of the current page in a paged query. |
SuspiciousEventCount | integer | 1 | The number of associated exception events. |
AlarmUniqueInfo | string | 8df914418f4211fbf756efe7a6f40cbc | The unique ID of the alarm event. |
Level | string | serious | The risk level of the alarm event. serious: Emergency; suspicious: Suspicious; mind: Reminder. |
SuspEvents | array | No sample value for this parameter. | The alarm event information. |
Example
Successful response example
{
  "Description": "After hackers invade a server, in order to keep malicious backdoor programs running persistently, they often write malicious shell scripts into scheduled tasks such as crontab and systemd.",
  "EndTime": 1543740301000,
  "PageSize": 20,
  "OperateErrorCode": "kill_and_quara. Success",
  "AlarmEventName": "execute malicious command",
  "SecurityEventIds": "270789",
  "GmtModified": 1569235879000,
  "Count": 1,
  "IntranetIp": "1.2.3.5",
  "HasTraceInfo": true,
  "InternetIp": "1.2.3.4",
  "AlarmEventType": "process exception behavior",
  "Solution": "Check the malicious URL indicated in the alarm and the malicious files in the download directory, and clean up the running malicious processes promptly. If you executed the command yourself, you can mark it as a false positive in the console.",
  "CanCancelFault": false,
  "AlarmEventNameOriginal": "malicious command execution precision defense",
  "RequestId": "28267723-D857-4DD8-B295-013100000000",
  "InstanceId": "i-e***",
  "StartTime": 1543740301000,
  "SaleVersion": "1",
  "Dealed": false,
  "DataSource": "aegis_***",
  "InstanceName": "test server",
  "CanBeDealOnLine": true,
  "PageInfo": {},
  "TotalCount": 1,
  "Uuid": "47900178-885d-4fa4-9d77-***",
  "CurrentPage": 1,
  "SuspiciousEventCount": 1,
  "AlarmUniqueInfo": "8df914418f4211fbf756efe7a6f40cbc",
  "Level": "serious",
  "SuspEvents": []
}
Failed response example
{
  "errorSample": {
    "resultCode": -1,
    "resultMsg": "system error",
    "result": null
  }
}
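As an added example (not part of this reference and not Alibaba Cloud's SDK), the following Python builds the request body described above, encodes the OperateErrorCodeList.N repeat list, pages through results via a caller-supplied transport, and triages each record by its Dealed, Level and OperateErrorCode fields. It assumes the transport returns the parsed JSON body, that a failed call carries a nonzero resultCode as in the failed response example, and that alarm records arrive either in a SuspEvents list or, as in the successful sample, flat on the top-level object.

```python
# Added example, not Alibaba Cloud's SDK code: request-body construction, paging and
# triage for DescribeAlarmEventList. The transport callable is an assumption.
import math

REQUEST_PATH = "/apsara/route/Sas/DescribeAlarmEventList"
LEVEL_RANK = {"serious": 0, "suspicious": 1, "mind": 2}  # Levels values, most severe first


def build_body(region_id, page=1, page_size=20, dealed=None, levels=(), error_codes=()):
    """Form body for one page; From is fixed to 'sas' as the reference requires."""
    body = {"From": "sas", "regionId": region_id,
            "CurrentPage": page, "PageSize": str(page_size)}
    if dealed is not None:
        body["Dealed"] = "Y" if dealed else "N"
    if levels:  # comma-separated, severities in decreasing order
        body["Levels"] = ",".join(sorted(levels, key=lambda lv: LEVEL_RANK.get(lv, 9)))
    for i, code in enumerate(error_codes, start=1):  # repeatlist: .1, .2, ...
        body[f"OperateErrorCodeList.{i}"] = code
    return body


def parse_operate_code(code):
    """'kill_and_quara. Success' -> ('kill_and_quara', 'Success')."""
    op, _, result = (code or "").partition(".")
    return op.strip(), result.strip()


def triage(record):
    """Flag records a responder still owns: pending, or the last action failed."""
    op, result = parse_operate_code(record.get("OperateErrorCode"))
    failed = result in ("Failure", "AgentOffline")
    pending = not record.get("Dealed", False)
    return {"alarm": record.get("AlarmUniqueInfo"), "level": record.get("Level"),
            "pending": pending, "online_fixable": bool(record.get("CanBeDealOnLine")),
            "last_action": op, "action_failed": failed,
            "needs_attention": pending or failed}


def iter_alarms(transport, region_id, **filters):
    """Yield alarm records across all pages; transport(path, body) -> parsed JSON dict."""
    page = 1
    while True:
        resp = transport(REQUEST_PATH, build_body(region_id, page=page, **filters))
        if resp.get("resultCode", 0) != 0:  # failed-response shape from the reference
            raise RuntimeError(resp.get("resultMsg", "request failed"))
        # Assumption: records come in SuspEvents, or flat on the top level as in the sample.
        yield from (resp.get("SuspEvents") or [resp])
        total_pages = math.ceil(int(resp.get("TotalCount", 0)) / int(resp.get("PageSize", 20)))
        if page >= total_pages:
            return
        page += 1
```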