Querying Alert Detail

Function

Calling Method

For details, see Calling APIs.

URI

GET /v1/{project_id}/workspaces/{workspace_id}/soc/alerts/{alert_id}

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Project ID.
workspace_id	Yes	String	Workspace ID
alert_id	Yes	String	Alert ID.

Request Parameters

**Table 2** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token.
content-type	Yes	String	Content type.

Response Parameters

Status code: 200

**Table 3** Response header parameters
Parameter	Type	Description
X-request-id	String	Request ID, in the format request_uuid-timestamp-hostname.

**Table 4** Response body parameters
Parameter	Type	Description
code	String	Error code
message	String	Error Message
data	AlertDetail object	Alert Detail

**Table 5** AlertDetail
Parameter	Type	Description
create_time	String	Recording time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.
data_object	Alert object	Alert entity information.
dataclass_ref	dataclass_ref object	Data class object.
format_version	Integer	Format version.
id	String	Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters.
type	String	Data Types.
project_id	String	ID of the current project.
update_time	String	Update time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.
version	Integer	Version.
workspace_id	String	ID of the current workspace.

**Table 6** Alert
Parameter	Type	Description
version	String	Version of the data source of the alert. The value must be one officially released by the Cloud SSA service.
id	String	Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters.
domain_id	String	ID of the account (domain_id) to whom the data is delivered and hosted.
region_id	String	ID of the region where the account to whom the data is delivered and hosted belongs to.
workspace_id	String	ID of the current workspace.
labels	String	Tag (display only)
environment	environment object	Coordinates of the environment where the alert was generated.
data_source	data_source object	Source the data is first reported.
first_observed_time	String	First discovery time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.
last_observed_time	String	First discovery time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.
create_time	String	Recording time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.
arrive_time	String	Data receiving time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.
title	String	Alert title.
description	String	Alert description.
source_url	String	Alert URL, which points to the page of the current incident description in the data source product.
count	Integer	Incident occurrences
confidence	Integer	Incident confidence. Confidence is used to illustrate the accuracy of an identified behavior or incident. Value range -- 0-100. 0 indicates that the confidence is 0%, and 100 indicates that the confidence is 100%.
severity	String	Severity level. Value range: Tips \| Low \| Medium \| High \| Fatal Description: 0: TIPS: No threats are found. 1: LOW: No actions are required for the threat. 2: MEDIUM: The threat needs to be handled but is not urgent. 3: HIGH: The threat must be handled preferentially. 4: FATAL: The threat must be handled immediately to prevent further damage.
criticality	Integer	Criticality, which specifies the importance level of the resources involved in an incident. Value range -- 0 to 100. The value 0 indicates that the resource is not critical, and 100 indicates that the resource is critical.
alert_type	alert_type object	Alert classification. For details, see the Alert Type Definition.
network_list	Array of network_list objects	Network Information
resource_list	Array of resource_list objects	Affected resources.
remediation	remediation object	Remedy measure.
verification_state	String	Verification status, which identifies the accuracy of an incident. The options are as follows: – Unknown – True_Positive – False_Positive Enter Unknown by default.
handle_status	String	Incident handling status. The options are as follows: Open: enabled. Block: blocked. Closed: closed. The default value is Open.
sla	Integer	Risk close time -- Set the acceptable risk duration. Unit -- Hour
update_time	String	Update time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the alert occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.
close_time	String	Closing time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.
ipdrr_phase	String	Period/Handling phase No. Prepartion\|Detection and Analysis\|Containm,Eradication& Recovery\|Post-Incident-Activity
simulation	String	Debugging field.
actor	String	Alert investigator.
owner	String	Owner and service owner.
creator	String	Creator
close_reason	String	Close reason. False detection. Resolved Repeated Other
close_comment	String	Whether to close comment.
malware	malware object	Malware
system_info	Object	System information.
process	Array of process objects	Process information.
user_info	Array of user_info objects	User Details
file_info	Array of file_info objects	Document information.
system_alert_table	Object	Layout fields in the alerts list.

**Table 7** environment
Parameter	Type	Description
vendor_type	String	Environment provider.
domain_id	String	Tenant ID.
region_id	String	Region ID. global is returned for global services.
cross_workspace_id	String	ID of the source workspace for the data delivery. If the source workspace ID is null, then the destination workspace account ID is used.
project_id	String	Project ID. The default value is null for global services.

**Table 8** data_source
Parameter	Type	Description
source_type	Integer	Data source type. The options are as follows-- 1- cloud product 2- Third-party product 3- Tenant product
domain_id	String	Account ID to which the data source product belongs.
project_id	String	ID of the project to which the data source product belongs.
region_id	String	Region where the data source is located, for example, cn-north1. For details about the value range, see Regions and Endpoints.
company_name	String	Name of the company to which a data source belongs.
product_name	String	Name of the data source.
product_feature	String	Name of the feature of the product that detects the incident.
product_module	String	Threat detection module list.

**Table 9** alert_type
Parameter	Type	Description
category	String	Type
alert_type	String	Alert type.

**Table 10** network_list
Parameter	Type	Description
direction	String	Direction. The value can be IN or OUT.
protocol	String	Protocol, including Layer 7 and Layer 4 protocols. For details, see IANA registered name. https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.
src_ip	String	Source IP address
src_port	Integer	Source port. The value ranges from 0 to 65535.
src_domain	String	Source domain name.
src_geo	src_geo object	Geographical location of the source IP address.
dest_ip	String	Destination IP address
dest_port	String	Destination port. The value ranges from 0 to 65535.
dest_domain	String	Destination domain name
dest_geo	dest_geo object	Geographical location of the destination IP address.

**Table 11** src_geo
Parameter	Type	Description
latitude	Number	Latitude
longitude	Number	Longitude
city_code	String	City code. For example, Beijing or Shanghai.
country_code	String	Country code. For details, see ISO 3166-1 alpha-2. For example, CN \| US \| DE \| IT \| SG.

**Table 12** dest_geo
Parameter	Type	Description
latitude	Number	Latitude
longitude	Number	Longitude
city_code	String	City code. For example, Beijing or Shanghai.
country_code	String	Country code. For details, see ISO 3166-1 alpha-2. For example, CN \| US \| DE \| IT \| SG.

**Table 13** resource_list
Parameter	Type	Description
id	String	Cloud service resource ID.
name	String	Resource name.
type	String	Resource type. This parameter references the value of RMS type on Cloud.
provider	String	Cloud service name, which is the same as the provider field in the RMS service.
region_id	String	Region ID in Cloud, for example, cn-north-1.
domain_id	String	ID of the account to which the resource belongs, in UUID format.
project_id	String	ID of the account to which the resource belongs, in UUID format.
ep_id	String	Specifies the enterprise project ID.
ep_name	String	Enterprise Project Name
tags	String	Resource tag. A maximum of 50 key/value pairs are supported. Value: a maximum of 255 characters, including letters, digits, spaces, and +, -, =, ., _, :, /,@

**Table 14** remediation
Parameter	Type	Description
recommendation	String	Recommended solution.
url	String	Link to the general fix information for the incident. The URL must be accessible from the public network with no credentials required.

**Table 15** malware
Parameter	Type	Description
malware_family	String	Malicious family.
malware_class	String	Malware category.

**Table 16** process
Parameter	Type	Description
process_name	String	Process name.
process_path	String	Process execution file path.
process_pid	Integer	Process ID.
process_uid	Integer	Process user ID.
process_cmdline	String	Process command line.
process_parent_name	String	Parent process name.
process_parent_path	String	Parent process execution file path.
process_parent_pid	Integer	Parent process ID.
process_parent_uid	Integer	Parent process user ID.
process_parent_cmdline	String	Parent process command line.
process_child_name	String	Subprocess name.
process_child_path	String	Subprocess execution file path.
process_child_pid	Integer	Subprocess ID.
process_child_uid	Integer	Subprocess user ID.
process_child_cmdline	String	Subprocess command line
process_launche_time	String	Incident start time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.
process_terminate_time	String	Process end time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

**Table 17** user_info
Parameter	Type	Description
user_id	String	User UID
user_name	String	Username

**Table 18** file_info
Parameter	Type	Description
file_path	String	File path/name.
file_content	String	File path/name.
file_new_path	String	New file path/name.
file_hash	String	File Hash
file_md5	String	File MD5
file_sha256	String	File SHA256
file_attr	String	File attribute.

**Table 19** dataclass_ref
Parameter	Type	Description
id	String	Unique identifier of a data class. The value is in UUID format and can contain a maximum of 36 characters.
name	String	Data class name.

Status code: 400

**Table 20** Response header parameters
Parameter	Type	Description
X-request-id	String	Request ID, in the format request_uuid-timestamp-hostname.

**Table 21** Response body parameters
Parameter	Type	Description
code	String	Error Code
message	String	Error Description

Example Requests

None

Example Responses

Status code: 200

Response body for obtaining alert condition details.

{
  "code" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
  "message" : "Error message",
  "data" : {
    "data_object" : {
      "version" : "1.0",
      "environment" : {
        "vendor_type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "data_source" : {
        "source_type" : 3,
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "first_observed_time" : "2021-01-30T23:00:00Z+0800",
      "last_observed_time" : "2021-01-30T23:00:00Z+0800",
      "create_time" : "2021-01-30T23:00:00Z+0800",
      "arrive_time" : "2021-01-30T23:00:00Z+0800",
      "title" : "MyXXX",
      "description" : "This my XXXX",
      "source_url" : "http://xxx",
      "count" : "4",
      "confidence" : 4,
      "severity" : "TIPS",
      "criticality" : 4,
      "alert_type" : { },
      "network_list" : [ {
        "direction" : {
          "IN" : null
        },
        "protocol" : "TCP",
        "src_ip" : "192.168.0.1",
        "src_port" : "1",
        "src_domain" : "xxx",
        "dest_ip" : "192.168.0.1",
        "dest_port" : "1",
        "dest_domain" : "xxx",
        "src_geo" : {
          "latitude" : 90,
          "longitude" : 180
        },
        "dest_geo" : {
          "latitude" : 90,
          "longitude" : 180
        }
      } ],
      "resource_list" : [ {
        "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "name" : "MyXXX",
        "type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_name" : "MyXXX",
        "tags" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      } ],
      "remediation" : {
        "recommendation" : "MyXXX",
        "url" : "MyXXX"
      },
      "verification_state" : "Unknown,True_Positive,False_Positive. The default value is Unknown.",
      "handle_status" : "Open – enabled.Block – blocked.Closed – closed.The default value is Open.",
      "sla" : 60000,
      "update_time" : "2021-01-30T23:00:00Z+0800",
      "close_time" : "2021-01-30T23:00:00Z+0800",
      "ipdrr_phase" : "Prepartion|Detection and Analysis|Containm,Eradication& Recovery| Post-Incident-Activity",
      "simulation" : "false",
      "actor" : "Tom",
      "owner" : "MyXXX",
      "creator" : "MyXXX",
      "close_reason" : "False positive; Resolved; Duplicate; Others",
      "close_comment" : "False positive; Resolved; Duplicate; Others",
      "malware" : {
        "malware_family" : "family",
        "malware_class" : "Malicious memory occupation."
      },
      "system_info" : { },
      "process" : [ {
        "process_name" : "MyXXX",
        "process_path" : "MyXXX",
        "process_pid" : 123,
        "process_uid" : 123,
        "process_cmdline" : "MyXXX"
      } ],
      "user_info" : [ {
        "user_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "user_name" : "MyXXX"
      } ],
      "file_info" : [ {
        "file_path" : "MyXXX",
        "file_content" : "MyXXX",
        "file_new_path" : "MyXXX",
        "file_hash" : "MyXXX",
        "file_md5" : "MyXXX",
        "file_sha256" : "MyXXX",
        "file_attr" : "MyXXX"
      } ],
      "system_alert_table" : { },
      "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca620"
    },
    "create_time" : "2021-01-30T23:00:00Z+0800",
    "update_time" : "2021-01-30T23:00:00Z+0800",
    "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "id" : "MyXXX",
    "version" : 11,
    "format_version" : 11,
    "dataclass_ref" : {
      "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "name" : "MyXXX"
    }
  }
}

Status Codes

Status Code	Description
200	Response body for obtaining alert condition details.
400	Response body for request failures of obtaining alert condition details.

Error Codes

See Error Codes.

Parent Topic: Alert Management

Previous topic: Converting an Alert to an Incident

Next topic: Updating an Alert

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.

The system is busy. Please try again later.