DescribeSuspEvents
Description
Call the DescribeSuspEvents interface to query exception event information. Alarm data is organized in two dimensions, alarm events and exception events: one alarm event contains multiple exception events, and this interface returns the exception events.
Request Method
POST
Request Path
/apsara/route/Sas/DescribeSuspEvents
Request Parameters (common parameters included)
Name | Location | Type | Required | Sample value | Description |
---|---|---|---|---|---|
ParentEventTypes | BODY | string | No | website backdoor | The alarm type to which the exception event belongs. |
PageSize | BODY | string | No | 20 | The maximum number of entries returned per page in a paged query. Default value: 20. |
Lang | BODY | string | No | zh | The language of the request and response messages. Valid values: zh (Chinese), en (English). |
From | BODY | string | Yes | sas | The identifier of the data source to which the exception event belongs. Fixed value: sas. |
Dealed | BODY | string | No | N | The handling status of the exception event. Valid values: N (pending), Y (processed). |
version | BODY | string | No | 2016-01-01 | The API version. |
Name | BODY | string | No | ecs-xxx | The exception event name or host name; fuzzy match. |
Remark | BODY | string | No | test machine | The host IP address or host name. |
SourceIp | BODY | string | No | 1.2.3.4 | The IP address of the access source. |
CurrentPage | BODY | string | No | 1 | The number of the page to return in a paged query. |
regionId | BODY | string | Yes | No sample value for this parameter. | The region ID. |
AlarmUniqueInfo | BODY | string | No | 8df914418f4211fbf*** | The unique ID of the alarm event to which the exception event belongs. To query the exception events of a single alarm event, supply that alarm event's unique ID, which can be obtained from the DescribeAlarmEventList interface. |
Levels | BODY | string | No | serious | The risk level of the exception events; separate multiple levels with commas. Valid values, in decreasing severity: serious (emergency), suspicious (suspicious), mind (reminder). |
Return data
Name | Type | Sample value | Description |
---|---|---|---|
PageSize | integer | 20 | The maximum number of entries returned per page in a paged query. |
AlarmEventName | string | Linux scheduled task execution exception instruction | The name of the alarm event. |
EventStatus | integer | 1 | The status of the exception event. Valid values: 1 PENDING (to be processed), 2 IGNORE (ignored), 4 HANDLED (confirmed), 8 FAULT (marked as false positive), 16 DEALING (being processed), 32 DONE (processed), 64 EXPIRE (expired). |
Count | integer | 1 | The number of entries on the current page of a paged query. |
IntranetIp | string | 1.2.3.5 | The private IP address of the associated instance. |
EventSubType | string | XorDDoS Trojan | The name of the exception event. |
Name | string | malicious process (cloud kill)-XorDDoS trojan | The full name of the exception event. |
Desc | string | webshell | A description of the impact of the exception event. |
InternetIp | string | 1.2.3.1 | The public IP address of the associated instance. |
AlarmEventType | string | process exception behavior | The type of the alarm event. |
UniqueInfo | string | e17e*** | The unique ID of the exception event. |
RequestId | string | 43F670F3-AB40-4E91-BC7D-C57400000000 | The ID of this request. |
SaleVersion | string | 1 | The product edition that supports detection of this exception event. Valid values: 0 (basic edition), 1 (enterprise edition). |
DataSource | string | aegis_suspicious_*** | The data source (can be ignored). |
OccurrenceTime | string | 2018-09-26 01:51:01 | The time when the exception event first occurred. |
InstanceName | string | nginx | The name of the associated instance. |
TotalCount | integer | 100 | The total number of exception events. |
OperateMsg | string | success | Remarks on the operation performed on the exception event. |
CanBeDealOnLine | boolean | true | Whether the exception event can be handled online, for example by quarantine. Valid values: true (online handling is supported), false (online handling is not supported). |
Uuid | string | bf6b30d3-eea8-4924-9f0a-*** | The unique identifier of the associated instance. |
CurrentPage | integer | 1 | The number of the current page in a paged query. |
AlarmUniqueInfo | string | 8df914418f*** | The unique ID of the alarm event. |
Level | string | serious | The risk level of the exception event. Valid values: serious (emergency), suspicious (suspicious), mind (reminder). |
Id | long | 1000 | The unique record ID of the exception event. |
SuspEvents | array | No sample value for this parameter. | The exception event information, one element per exception event. |
LastTime | string | 2018-09-26 01:51:01 | The time when the exception event last occurred. |
Example
Successful Response example
The page-level fields (PageSize, Count, CurrentPage, TotalCount, RequestId) are returned at the top level; the per-event fields are returned inside the SuspEvents array, with integer and boolean values typed as in the return-data table.

```json
{
  "PageSize": 20,
  "Count": 1,
  "CurrentPage": 1,
  "TotalCount": 100,
  "RequestId": "43F670F3-AB40-4E91-BC7D-C57400000000",
  "SuspEvents": [
    {
      "AlarmEventName": "Linux scheduled task execution exception instruction",
      "EventStatus": 1,
      "IntranetIp": "1.2.3.5",
      "EventSubType": "XorDDoS Trojan",
      "Name": "malicious process (cloud kill)-XorDDoS trojan",
      "Desc": "webshell",
      "InternetIp": "1.2.3.1",
      "AlarmEventType": "process exception behavior",
      "UniqueInfo": "e17e***",
      "SaleVersion": "1",
      "DataSource": "aegis_suspicious_***",
      "OccurrenceTime": "2018-09-26 01:51:01",
      "InstanceName": "nginx",
      "OperateMsg": "success",
      "CanBeDealOnLine": true,
      "Uuid": "bf6b30d3-eea8-4924-9f0a-***",
      "AlarmUniqueInfo": "8df914418f***",
      "Level": "serious",
      "Id": 1000,
      "LastTime": "2018-09-26 01:51:01"
    }
  ]
}
```
Failed Response example
```json
{
  "errorSample": {
    "resultCode": -1,
    "resultMsg": "system error",
    "result": null
  }
}
```
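The following is an added example, not code from the Apsara Stack documentation: it builds the request body described in the parameter table (From fixed to sas, Dealed and Levels validated against their listed values), walks every page until TotalCount is exhausted, and triages the returned events by Level and EventStatus. The transport is an injected `send` callable that is assumed to POST the form body to the request path and return the decoded JSON; the responses below are constructed sample data, and the per-event fields are assumed to sit inside the SuspEvents array.

```python
"""Paging through DescribeSuspEvents and triaging the returned events.

Added example, not the documentation's own code. `send` is an injected
callable (assumed to POST the body to PATH and return decoded JSON), so the
block runs offline against constructed responses.
"""
from typing import Callable, Dict, Iterator, List

PATH = "/apsara/route/Sas/DescribeSuspEvents"

# EventStatus codes from the return-data table.
EVENT_STATUS = {1: "PENDING", 2: "IGNORE", 4: "HANDLED", 8: "FAULT",
                16: "DEALING", 32: "DONE", 64: "EXPIRE"}
# Risk levels accepted by the Levels parameter, most severe first.
LEVEL_RANK = {"serious": 0, "suspicious": 1, "mind": 2}


def build_request(region_id: str, *, dealed: str = "N",
                  levels: tuple = ("serious", "suspicious"),
                  page_size: int = 20, current_page: int = 1,
                  lang: str = "en", alarm_unique_info: str = "") -> Dict[str, str]:
    """Build the POST body. From is fixed to 'sas'; every value is a string."""
    if dealed not in ("N", "Y"):
        raise ValueError("Dealed must be N (pending) or Y (processed)")
    unknown = set(levels) - LEVEL_RANK.keys()
    if unknown:
        raise ValueError(f"unknown Levels: {sorted(unknown)}")
    body = {"From": "sas", "regionId": region_id, "Dealed": dealed,
            "Levels": ",".join(levels), "PageSize": str(page_size),
            "CurrentPage": str(current_page), "Lang": lang}
    if alarm_unique_info:  # narrow to one alarm event (ID from DescribeAlarmEventList)
        body["AlarmUniqueInfo"] = alarm_unique_info
    return body


def iter_susp_events(send: Callable[[str, dict], dict], region_id: str,
                     **filters) -> Iterator[dict]:
    """Yield every event across pages; stop when TotalCount is reached or a
    page comes back empty, so a miscounted TotalCount cannot loop forever."""
    page, seen = 1, 0
    while True:
        resp = send(PATH, build_request(region_id, current_page=page, **filters))
        events = resp.get("SuspEvents") or []
        yield from events
        seen += len(events)
        if not events or seen >= int(resp.get("TotalCount", 0)):
            return
        page += 1


def triage(events: List[dict]) -> dict:
    """Count events per level and list the pending ones that can be handled
    online (CanBeDealOnLine true), most severe first."""
    by_level = {lvl: 0 for lvl in LEVEL_RANK}
    actionable = []
    for ev in events:
        level = ev.get("Level", "mind")
        by_level[level] = by_level.get(level, 0) + 1
        status = EVENT_STATUS.get(int(ev.get("EventStatus", 0)), "UNKNOWN")
        if status == "PENDING" and ev.get("CanBeDealOnLine") is True:
            actionable.append((LEVEL_RANK.get(level, 99), ev["Uuid"], ev["Name"]))
    actionable.sort()
    return {"by_level": by_level,
            "actionable": [(uuid, name) for _, uuid, name in actionable]}


# Constructed sample responses (not from the documentation): two pages of two.
SAMPLE_PAGES = {
    "1": {"PageSize": 2, "Count": 2, "CurrentPage": 1, "TotalCount": 3,
          "RequestId": "REQ-1-constructed",
          "SuspEvents": [
              {"Uuid": "uuid-a", "Name": "malicious process-sample trojan",
               "Level": "serious", "EventStatus": 1, "CanBeDealOnLine": True},
              {"Uuid": "uuid-b", "Name": "webshell-sample",
               "Level": "suspicious", "EventStatus": 1, "CanBeDealOnLine": False},
          ]},
    "2": {"PageSize": 2, "Count": 1, "CurrentPage": 2, "TotalCount": 3,
          "RequestId": "REQ-2-constructed",
          "SuspEvents": [
              {"Uuid": "uuid-c", "Name": "scheduled task exception-sample",
               "Level": "suspicious", "EventStatus": 1, "CanBeDealOnLine": True},
          ]},
}


def fake_send(path: str, body: dict) -> dict:
    """Stand-in transport: checks the fixed fields and returns the page asked for."""
    assert path == PATH and body["From"] == "sas" and body["Dealed"] in ("N", "Y")
    return SAMPLE_PAGES[body["CurrentPage"]]


def run_demo(region_id: str = "region-placeholder") -> dict:
    """Fetch all pending events in the sample data and triage them."""
    events = list(iter_susp_events(fake_send, region_id, page_size=2))
    return triage(events)


if __name__ == "__main__":
    print(run_demo())
```

Replacing `fake_send` with a real HTTP client that POSTs the body as form data to the request path is the only change needed to run this against a live endpoint; the paging guard in `iter_susp_events` matters there, because a TotalCount that changes while events are being processed would otherwise keep the loop running.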