Help Center> SecMaster> API Reference> API> Alert Management> Creating an Alert Rule
Updated on 2024-03-20 GMT+08:00
Online Debugging
CLI Examples
View PDF

Creating an Alert Rule

Function

Creating an Alert Rule

Calling Method

For details, see Calling APIs.

URI

POST /v1/{project_id}/workspaces/{workspace_id}/soc/alerts

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

project_id

Yes

String

Project ID.

Minimum: 32

Maximum: 36

workspace_id

Yes

String

Workspace ID

Minimum: 32

Maximum: 36

Request Parameters

Table 2 Request header parameters

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token.

Minimum: 0

Maximum: 2097152

content-type

Yes

String

Content type.

Default: application/json;charset=UTF-8

Minimum: 0

Maximum: 64
Table 3 Request body parameters

Parameter

Mandatory

Type

Description

data_object

Yes

Alert object

Alert entity information.
Table 4 Alert

Parameter

Mandatory

Type

Description

version

No

String

Version of the data source of the alert. The value must be one officially released by the Huawei Cloud SSA service.

Minimum: 0

Maximum: 64

id

No

String

Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters.

Minimum: 0

Maximum: 36

domain_id

No

String

ID of the account (domain_id) to whom the data is delivered and hosted.

Minimum: 0

Maximum: 36

region_id

No

String

ID of the region where the account to whom the data is delivered and hosted belongs to.

Minimum: 0

Maximum: 36

workspace_id

No

String

ID of the current workspace.

Minimum: 0

Maximum: 36

labels

No

String

Tag (display only)

Minimum: 0

Maximum: 1024

environment

No

environment object

Coordinates of the environment where the alert was generated.

data_source

No

data_source object

Source the data is first reported.

first_observed_time

No

String

First discovery time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

last_observed_time

No

String

First discovery time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

create_time

No

String

Recording time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

arrive_time

No

String

Data receiving time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

title

No

String

Alert title.

Minimum: 0

Maximum: 255

description

No

String

Alert description.

Minimum: 0

Maximum: 1024

source_url

No

String

Alert URL, which points to the page of the current incident description in the data source product.

Minimum: 0

Maximum: 1024

count

No

Integer

Incident occurrences

Minimum: 0

Maximum: 999

confidence

No

Integer

Incident confidence. Confidence is used to illustrate the accuracy of an identified behavior or incident. Value range -- 0-100. 0 indicates that the confidence is 0%, and 100 indicates that the confidence is 100%.

Minimum: 0

Maximum: 100

severity

No

String

Severity level. Value range: Tips | Low | Medium | High | Fatal Description:

  • 0: TIPS: No threats are found.
  • 1: LOW: No actions are required for the threat.
  • 2: MEDIUM: The threat needs to be handled but is not urgent.
  • 3: HIGH: The threat must be handled preferentially.
  • 4: FATAL: The threat must be handled immediately to prevent further damage.

Minimum: 3

Maximum: 6

Enumeration values:

  • Tips
  • Low
  • Medium
  • High
  • Fatal

criticality

No

Integer

Criticality, which specifies the importance level of the resources involved in an incident. Value range -- 0 to 100. The value 0 indicates that the resource is not critical, and 100 indicates that the resource is critical.

Minimum: 0

Maximum: 100

alert_type

No

alert_type object

Alert classification. For details, see the Alert Type Definition.

network_list

No

Array of network_list objects

Network Information

Array Length: 0 - 999

resource_list

No

Array of resource_list objects

Affected resources.

Array Length: 0 - 999

remediation

No

remediation object

Remedy measure.

verification_state

No

String

Verification status, which identifies the accuracy of an incident. The options are as follows: – Unknown – True_Positive – False_Positive Enter Unknown by default.

Minimum: 32

Maximum: 64

Enumeration values:

  • Unknown
  • True_Positive
  • False_Positive

handle_status

No

String

Incident handling status. The options are as follows:

  • Open: enabled.
  • Block: blocked.
  • Closed: closed. The default value is Open.

Minimum: 4

Maximum: 5

Enumeration values:

  • Open
  • Block
  • Closed

sla

No

Integer

Risk close time -- Set the acceptable risk duration. Unit -- Hour

Minimum: 0

Maximum: 999

update_time

No

String

Update time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the alert occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

close_time

No

String

Closing time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

ipdrr_phase

No

String

Period/Handling phase No. Prepartion|Detection and Analysis|Containm, Eradication& Recovery|Post-Incident-Activity

Minimum: 0

Maximum: 64

Enumeration values:

  • Prepartion
  • Detection and Analysis
  • Containm, Eradication& Recovery
  • Post-Incident-Activity

simulation

No

String

Debugging field.

Minimum: 0

Maximum: 64

actor

No

String

Alert investigator.

Minimum: 0

Maximum: 64

owner

No

String

Owner and service owner.

Minimum: 0

Maximum: 64

creator

No

String

Creator

Minimum: 0

Maximum: 64

close_reason

No

String

Close reason.

  • False positive.
  • Resolved
  • Repeated
  • Other

Minimum: 0

Maximum: 64

Enumeration values:

  • False detection
  • Resolved
  • Repeated
  • Other

close_comment

No

String

Whether to close comment.

Minimum: 0

Maximum: 1024

malware

No

malware object

Malware

system_info

No

Object

System information.

process

No

Array of process objects

Process information.

Array Length: 0 - 999

user_info

No

Array of user_info objects

User Details

Array Length: 0 - 999

file_info

No

Array of file_info objects

Document information.

Array Length: 0 - 999

system_alert_table

No

Object

Layout fields in the alerts list.
Table 5 environment

Parameter

Mandatory

Type

Description

vendor_type

No

String

Environment provider. The value can be HWCP, HWC, AWS, Azure, or GCP.

Minimum: 0

Maximum: 64

domain_id

No

String

Tenant ID.

Minimum: 0

Maximum: 64

region_id

No

String

Region ID. global is returned for global services.

Minimum: 0

Maximum: 64

cross_workspace_id

No

String

ID of the source workspace for the data delivery. If the source workspace ID is null, then the destination workspace account ID is used.

Minimum: 0

Maximum: 64

project_id

No

String

Project ID. The default value is null for global services.

Minimum: 0

Maximum: 64
Table 6 data_source

Parameter

Mandatory

Type

Description

source_type

No

Integer

Data source type. The options are as follows-- 1- Huawei product 2- Third-party product 3- Tenant product

Minimum: 1

Maximum: 3

Enumeration values:

  • 1
  • 2
  • 3

domain_id

No

String

Account ID to which the data source product belongs.

Minimum: 0

Maximum: 36

project_id

No

String

ID of the project to which the data source product belongs.

Minimum: 0

Maximum: 64

region_id

No

String

Region where the data source is located, for example, cn-north1. For details about the value range, see Regions and Endpoints.

Minimum: 0

Maximum: 64

company_name

No

String

Name of the company to which a data source belongs.

Minimum: 0

Maximum: 16

product_name

No

String

Name of the data source.

Minimum: 0

Maximum: 24

product_feature

No

String

Name of the feature of the product that detects the incident.

Minimum: 0

Maximum: 24

product_module

No

String

Threat detection module list.

Minimum: 0

Maximum: 1024
Table 7 alert_type

Parameter

Mandatory

Type

Description

category

No

String

Type

Minimum: 0

Maximum: 1024

alert_type

No

String

Alert type.

Minimum: 0

Maximum: 1024
Table 8 network_list

Parameter

Mandatory

Type

Description

direction

No

String

Direction. The value can be IN or OUT.

Minimum: 0

Maximum: 3

Enumeration values:

  • IN
  • OUT

protocol

No

String

Protocol, including Layer 7 and Layer 4 protocols. For details, see IANA registered name. https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.

Minimum: 0

Maximum: 64

src_ip

No

String

Source IP address

Minimum: 0

Maximum: 64

src_port

No

Integer

Source port. The value ranges from 0 to 65535.

Minimum: 0

Maximum: 65535

src_domain

No

String

Source domain name.

Minimum: 0

Maximum: 128

src_geo

No

src_geo object

Geographical location of the source IP address.

dest_ip

No

String

Destination IP address

Minimum: 32

Maximum: 64

dest_port

No

String

Destination port. The value ranges from 0 to 65535.

Minimum: 0

Maximum: 65535

dest_domain

No

String

Destination domain name

Minimum: 0

Maximum: 128

dest_geo

No

dest_geo object

Geographical location of the destination IP address.
Table 9 src_geo

Parameter

Mandatory

Type

Description

latitude

No

Number

Latitude

Minimum: 0

Maximum: 90

longitude

No

Number

Longitude

Minimum: 0

Maximum: 180

city_code

No

String

City code. For example, Beijing or Shanghai.

Minimum: 0

Maximum: 64

country_code

No

String

Country code. For details, see ISO 3166-1 alpha-2. For example, CN | US | DE | IT | SG.

Minimum: 0

Maximum: 64
Table 10 dest_geo

Parameter

Mandatory

Type

Description

latitude

No

Number

Latitude

Minimum: 0

Maximum: 90

longitude

No

Number

Longitude

Minimum: 0

Maximum: 180

city_code

No

String

City code. For example, Beijing or Shanghai.

Minimum: 0

Maximum: 64

country_code

No

String

Country code. For details, see ISO 3166-1 alpha-2. For example, CN | US | DE | IT | SG.

Minimum: 0

Maximum: 64
Table 11 resource_list

Parameter

Mandatory

Type

Description

id

No

String

Cloud service resource ID.

Minimum: 0

Maximum: 36

name

No

String

Resource name.

Minimum: 0

Maximum: 255

type

No

String

Resource type. This parameter references the value of RMS type on Huawei Cloud.

Minimum: 0

Maximum: 64

provider

No

String

Cloud service name, which is the same as the provider field in the RMS service.

Minimum: 0

Maximum: 64

region_id

No

String

Region ID in Huawei Cloud, for example, cn-north-1.

Minimum: 0

Maximum: 36

domain_id

No

String

ID of the account to which the resource belongs, in UUID format.

Minimum: 0

Maximum: 36

project_id

No

String

ID of the account to which the resource belongs, in UUID format.

Minimum: 0

Maximum: 36

ep_id

No

String

Specifies the enterprise project ID.

Minimum: 0

Maximum: 128

ep_name

No

String

Enterprise Project Name

Minimum: 0

Maximum: 128

tags

No

String

Resource tag.

  1. A maximum of 50 key/value pairs are supported.
  2. Value: a maximum of 255 characters, including letters, digits, spaces, and +, -, =, ., _, :, /,@

Minimum: 0

Maximum: 2048
Table 12 remediation

Parameter

Mandatory

Type

Description

recommendation

No

String

Recommended solution.

Minimum: 0

Maximum: 128

url

No

String

Link to the general fix information for the incident. The URL must be accessible from the public network with no credentials required.

Minimum: 0

Maximum: 2048
Table 13 malware

Parameter

Mandatory

Type

Description

malware_family

No

String

Malicious family.

Minimum: 0

Maximum: 64

malware_class

No

String

Malware category.

Minimum: 0

Maximum: 64
Table 14 process

Parameter

Mandatory

Type

Description

process_name

No

String

Process name.

Minimum: 0

Maximum: 64

process_path

No

String

Process execution file path.

Minimum: 0

Maximum: 512

process_pid

No

Integer

Process ID.

Minimum: 0

Maximum: 65535

process_uid

No

Integer

Process user ID.

Minimum: 0

Maximum: 655350

process_cmdline

No

String

Process command line.

Minimum: 0

Maximum: 128

process_parent_name

No

String

Parent process name.

Minimum: 0

Maximum: 64

process_parent_path

No

String

Parent process execution file path.

Minimum: 0

Maximum: 512

process_parent_pid

No

Integer

Parent process ID.

Minimum: 0

Maximum: 65535

process_parent_uid

No

Integer

Parent process user ID.

Minimum: 0

Maximum: 655350

process_parent_cmdline

No

String

Parent process command line.

Minimum: 0

Maximum: 128

process_child_name

No

String

Subprocess name.

Minimum: 0

Maximum: 64

process_child_path

No

String

Subprocess execution file path.

Minimum: 0

Maximum: 512

process_child_pid

No

Integer

Subprocess ID.

Minimum: 0

Maximum: 65535

process_child_uid

No

Integer

Subprocess user ID.

Minimum: 0

Maximum: 655350

process_child_cmdline

No

String

Subprocess command line

Minimum: 0

Maximum: 128

process_launche_time

No

String

Incident start time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

process_terminate_time

No

String

Process end time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30
Table 15 user_info

Parameter

Mandatory

Type

Description

user_id

No

String

User UID

Minimum: 0

Maximum: 36

user_name

No

String

Username

Minimum: 32

Maximum: 64
Table 16 file_info

Parameter

Mandatory

Type

Description

file_path

No

String

File path/name.

Minimum: 0

Maximum: 128

file_content

No

String

File path/name.

Minimum: 0

Maximum: 1024

file_new_path

No

String

New file path/name.

Minimum: 32

Maximum: 64

file_hash

No

String

File Hash

Minimum: 0

Maximum: 128

file_md5

No

String

File MD5

Minimum: 0

Maximum: 128

file_sha256

No

String

File SHA256

Minimum: 0

Maximum: 128

file_attr

No

String

File attribute.

Minimum: 0

Maximum: 1024

Response Parameters

Status code: 200

Table 17 Response header parameters

Parameter

Type

Description

X-request-id

String

Request ID, in the format request_uuid-timestamp-hostname.
Table 18 Response body parameters

Parameter

Type

Description

code

String

Error code

Minimum: 0

Maximum: 64

message

String

Error Message

Minimum: 0

Maximum: 1024

data

AlertDetail object

   
Table 19 AlertDetail

Parameter

Type

Description

create_time

String

Recording time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

data_object

Alert object

Alert entity information.

dataclass_ref

dataclass_ref object

Data class object.

format_version

Integer

Format version.

Minimum: 0

Maximum: 999

id

String

Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters.

Minimum: 0

Maximum: 36

project_id

String

ID of the current project.

Minimum: 0

Maximum: 64

update_time

String

Update time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

version

Integer

Version.

Minimum: 0

Maximum: 999

workspace_id

String

ID of the current workspace.

Minimum: 0

Maximum: 36
Table 20 Alert

Parameter

Type

Description

version

String

Version of the data source of the alert. The value must be one officially released by the Huawei Cloud SSA service.

Minimum: 0

Maximum: 64

id

String

Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters.

Minimum: 0

Maximum: 36

domain_id

String

ID of the account (domain_id) to whom the data is delivered and hosted.

Minimum: 0

Maximum: 36

region_id

String

ID of the region where the account to whom the data is delivered and hosted belongs to.

Minimum: 0

Maximum: 36

workspace_id

String

ID of the current workspace.

Minimum: 0

Maximum: 36

labels

String

Tag (display only)

Minimum: 0

Maximum: 1024

environment

environment object

Coordinates of the environment where the alert was generated.

data_source

data_source object

Source the data is first reported.

first_observed_time

String

First discovery time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

last_observed_time

String

First discovery time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

create_time

String

Recording time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

arrive_time

String

Data receiving time. The format is ISO 8601- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

title

String

Alert title.

Minimum: 0

Maximum: 255

description

String

Alert description.

Minimum: 0

Maximum: 1024

source_url

String

Alert URL, which points to the page of the current incident description in the data source product.

Minimum: 0

Maximum: 1024

count

Integer

Incident occurrences

Minimum: 0

Maximum: 999

confidence

Integer

Incident confidence. Confidence is used to illustrate the accuracy of an identified behavior or incident. Value range -- 0-100. 0 indicates that the confidence is 0%, and 100 indicates that the confidence is 100%.

Minimum: 0

Maximum: 100

severity

String

Severity level. Value range: Tips | Low | Medium | High | Fatal Description:

  • 0: TIPS: No threats are found.
  • 1: LOW: No actions are required for the threat.
  • 2: MEDIUM: The threat needs to be handled but is not urgent.
  • 3: HIGH: The threat must be handled preferentially.
  • 4: FATAL: The threat must be handled immediately to prevent further damage.

Minimum: 3

Maximum: 6

Enumeration values:

  • Tips
  • Low
  • Medium
  • High
  • Fatal

criticality

Integer

Criticality, which specifies the importance level of the resources involved in an incident. Value range -- 0 to 100. The value 0 indicates that the resource is not critical, and 100 indicates that the resource is critical.

Minimum: 0

Maximum: 100

alert_type

alert_type object

Alert classification. For details, see the Alert Type Definition.

network_list

Array of network_list objects

Network Information

Array Length: 0 - 999

resource_list

Array of resource_list objects

Affected resources.

Array Length: 0 - 999

remediation

remediation object

Remedy measure.

verification_state

String

Verification status, which identifies the accuracy of an incident. The options are as follows: – Unknown – True_Positive – False_Positive Enter Unknown by default.

Minimum: 32

Maximum: 64

Enumeration values:

  • Unknown
  • True_Positive
  • False_Positive

handle_status

String

Incident handling status. The options are as follows:

  • Open: enabled.
  • Block: blocked.
  • Closed: closed. The default value is Open.

Minimum: 4

Maximum: 5

Enumeration values:

  • Open
  • Block
  • Closed

sla

Integer

Risk close time -- Set the acceptable risk duration. Unit -- Hour

Minimum: 0

Maximum: 999

update_time

String

Update time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the alert occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

close_time

String

Closing time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Timezone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

ipdrr_phase

String

Period/Handling phase No. Prepartion|Detection and Analysis|Containm, Eradication& Recovery|Post-Incident-Activity

Minimum: 0

Maximum: 64

Enumeration values:

  • Prepartion
  • Detection and Analysis
  • Containm, Eradication& Recovery
  • Post-Incident-Activity

simulation

String

Debugging field.

Minimum: 0

Maximum: 64

actor

String

Alert investigator.

Minimum: 0

Maximum: 64

owner

String

Owner and service owner.

Minimum: 0

Maximum: 64

creator

String

Creator

Minimum: 0

Maximum: 64

close_reason

String

Close reason.

  • False positive.
  • Resolved
  • Repeated
  • Other

Minimum: 0

Maximum: 64

Enumeration values:

  • False detection
  • Resolved
  • Repeated
  • Other

close_comment

String

Whether to close comment.

Minimum: 0

Maximum: 1024

malware

malware object

Malware

system_info

Object

System information.

process

Array of process objects

Process information.

Array Length: 0 - 999

user_info

Array of user_info objects

User Details

Array Length: 0 - 999

file_info

Array of file_info objects

Document information.

Array Length: 0 - 999

system_alert_table

Object

Layout fields in the alerts list.
Table 21 environment

Parameter

Type

Description

vendor_type

String

Environment provider. The value can be HWCP, HWC, AWS, Azure, or GCP.

Minimum: 0

Maximum: 64

domain_id

String

Tenant ID.

Minimum: 0

Maximum: 64

region_id

String

Region ID. global is returned for global services.

Minimum: 0

Maximum: 64

cross_workspace_id

String

ID of the source workspace for the data delivery. If the source workspace ID is null, then the destination workspace account ID is used.

Minimum: 0

Maximum: 64

project_id

String

Project ID. The default value is null for global services.

Minimum: 0

Maximum: 64
Table 22 data_source

Parameter

Type

Description

source_type

Integer

Data source type. The options are as follows-- 1- Huawei product 2- Third-party product 3- Tenant product

Minimum: 1

Maximum: 3

Enumeration values:

  • 1
  • 2
  • 3

domain_id

String

Account ID to which the data source product belongs.

Minimum: 0

Maximum: 36

project_id

String

ID of the project to which the data source product belongs.

Minimum: 0

Maximum: 64

region_id

String

Region where the data source is located, for example, cn-north1. For details about the value range, see Regions and Endpoints.

Minimum: 0

Maximum: 64

company_name

String

Name of the company to which a data source belongs.

Minimum: 0

Maximum: 16

product_name

String

Name of the data source.

Minimum: 0

Maximum: 24

product_feature

String

Name of the feature of the product that detects the incident.

Minimum: 0

Maximum: 24

product_module

String

Threat detection module list.

Minimum: 0

Maximum: 1024
Table 23 alert_type

Parameter

Type

Description

category

String

Type

Minimum: 0

Maximum: 1024

alert_type

String

Alert type.

Minimum: 0

Maximum: 1024
Table 24 network_list

Parameter

Type

Description

direction

String

Direction. The value can be IN or OUT.

Minimum: 0

Maximum: 3

Enumeration values:

  • IN
  • OUT

protocol

String

Protocol, including Layer 7 and Layer 4 protocols. For details, see IANA registered name. https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.

Minimum: 0

Maximum: 64

src_ip

String

Source IP address

Minimum: 0

Maximum: 64

src_port

Integer

Source port. The value ranges from 0 to 65535.

Minimum: 0

Maximum: 65535

src_domain

String

Source domain name.

Minimum: 0

Maximum: 128

src_geo

src_geo object

Geographical location of the source IP address.

dest_ip

String

Destination IP address

Minimum: 32

Maximum: 64

dest_port

String

Destination port. The value ranges from 0 to 65535.

Minimum: 0

Maximum: 65535

dest_domain

String

Destination domain name

Minimum: 0

Maximum: 128

dest_geo

dest_geo object

Geographical location of the destination IP address.
Table 25 src_geo

Parameter

Type

Description

latitude

Number

Latitude

Minimum: 0

Maximum: 90

longitude

Number

Longitude

Minimum: 0

Maximum: 180

city_code

String

City code. For example, Beijing or Shanghai.

Minimum: 0

Maximum: 64

country_code

String

Country code. For details, see ISO 3166-1 alpha-2. For example, CN | US | DE | IT | SG.

Minimum: 0

Maximum: 64
Table 26 dest_geo

Parameter

Type

Description

latitude

Number

Latitude

Minimum: 0

Maximum: 90

longitude

Number

Longitude

Minimum: 0

Maximum: 180

city_code

String

City code. For example, Beijing or Shanghai.

Minimum: 0

Maximum: 64

country_code

String

Country code. For details, see ISO 3166-1 alpha-2. For example, CN | US | DE | IT | SG.

Minimum: 0

Maximum: 64
Table 27 resource_list

Parameter

Type

Description

id

String

Cloud service resource ID.

Minimum: 0

Maximum: 36

name

String

Resource name.

Minimum: 0

Maximum: 255

type

String

Resource type. This parameter references the value of RMS type on Huawei Cloud.

Minimum: 0

Maximum: 64

provider

String

Cloud service name, which is the same as the provider field in the RMS service.

Minimum: 0

Maximum: 64

region_id

String

Region ID in Huawei Cloud, for example, cn-north-1.

Minimum: 0

Maximum: 36

domain_id

String

ID of the account to which the resource belongs, in UUID format.

Minimum: 0

Maximum: 36

project_id

String

ID of the account to which the resource belongs, in UUID format.

Minimum: 0

Maximum: 36

ep_id

String

Specifies the enterprise project ID.

Minimum: 0

Maximum: 128

ep_name

String

Enterprise Project Name

Minimum: 0

Maximum: 128

tags

String

Resource tag.

  1. A maximum of 50 key/value pairs are supported.
  2. Value: a maximum of 255 characters, including letters, digits, spaces, and +, -, =, ., _, :, /,@

Minimum: 0

Maximum: 2048
Table 28 remediation

Parameter

Type

Description

recommendation

String

Recommended solution.

Minimum: 0

Maximum: 128

url

String

Link to the general fix information for the incident. The URL must be accessible from the public network with no credentials required.

Minimum: 0

Maximum: 2048
Table 29 malware

Parameter

Type

Description

malware_family

String

Malicious family.

Minimum: 0

Maximum: 64

malware_class

String

Malware category.

Minimum: 0

Maximum: 64
Table 30 process

Parameter

Type

Description

process_name

String

Process name.

Minimum: 0

Maximum: 64

process_path

String

Process execution file path.

Minimum: 0

Maximum: 512

process_pid

Integer

Process ID.

Minimum: 0

Maximum: 65535

process_uid

Integer

Process user ID.

Minimum: 0

Maximum: 655350

process_cmdline

String

Process command line.

Minimum: 0

Maximum: 128

process_parent_name

String

Parent process name.

Minimum: 0

Maximum: 64

process_parent_path

String

Parent process execution file path.

Minimum: 0

Maximum: 512

process_parent_pid

Integer

Parent process ID.

Minimum: 0

Maximum: 65535

process_parent_uid

Integer

Parent process user ID.

Minimum: 0

Maximum: 655350

process_parent_cmdline

String

Parent process command line.

Minimum: 0

Maximum: 128

process_child_name

String

Subprocess name.

Minimum: 0

Maximum: 64

process_child_path

String

Subprocess execution file path.

Minimum: 0

Maximum: 512

process_child_pid

Integer

Subprocess ID.

Minimum: 0

Maximum: 65535

process_child_uid

Integer

Subprocess user ID.

Minimum: 0

Maximum: 655350

process_child_cmdline

String

Subprocess command line

Minimum: 0

Maximum: 128

process_launche_time

String

Incident start time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30

process_terminate_time

String

Process end time. The format is ISO 8601 -- YYYY-MM-DDTHH:mm:ss.ms+Time zone. Time zone where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used.

Minimum: 0

Maximum: 30
Table 31 user_info

Parameter

Type

Description

user_id

String

User UID

Minimum: 0

Maximum: 36

user_name

String

Username

Minimum: 32

Maximum: 64
Table 32 file_info

Parameter

Type

Description

file_path

String

File path/name.

Minimum: 0

Maximum: 128

file_content

String

File path/name.

Minimum: 0

Maximum: 1024

file_new_path

String

New file path/name.

Minimum: 32

Maximum: 64

file_hash

String

File Hash

Minimum: 0

Maximum: 128

file_md5

String

File MD5

Minimum: 0

Maximum: 128

file_sha256

String

File SHA256

Minimum: 0

Maximum: 128

file_attr

String

File attribute.

Minimum: 0

Maximum: 1024
Table 33 dataclass_ref

Parameter

Type

Description

id

String

Unique identifier of a data class. The value is in UUID format and can contain a maximum of 36 characters.

Minimum: 0

Maximum: 36

name

String

Data class name.

Minimum: 0

Maximum: 36

Status code: 400

Table 34 Response header parameters

Parameter

Type

Description

X-request-id

String

Request ID, in the format request_uuid-timestamp-hostname.
Table 35 Response body parameters

Parameter

Type

Description

code

String

Error Code

Minimum: 0

Maximum: 64

message

String

Error Description

Minimum: 0

Maximum: 1024

Example Requests

Create an alarm. Set Alarm Name to MyXXX, Tag to MyXXX, URL to http://xxx, Number of occurrences to 4, Confidence to 4, and Severity to tips.

{
  "data_object" : {
    "version" : "1.0",
    "environment" : {
      "vendor_type" : "MyXXX",
      "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    },
    "data_source" : {
      "source_type" : 3,
      "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "product_name" : "test",
      "product_feature" : "test"
    },
    "first_observed_time" : "2021-01-30T23:00:00Z+0800",
    "last_observed_time" : "2021-01-30T23:00:00Z+0800",
    "create_time" : "2021-01-30T23:00:00Z+0800",
    "arrive_time" : "2021-01-30T23:00:00Z+0800",
    "title" : "MyXXX",
    "labels" : "MyXXX",
    "description" : "This my XXXX",
    "source_url" : "http://xxx",
    "count" : 4,
    "confidence" : 4,
    "severity" : "TIPS",
    "criticality" : 4,
    "alert_type" : { },
    "network_list" : [ {
      "direction" : {
        "IN" : null
      },
      "protocol" : "TCP",
      "src_ip" : "192.168.0.1",
      "src_port" : "1",
      "src_domain" : "xxx",
      "dest_ip" : "192.168.0.1",
      "dest_port" : "1",
      "dest_domain" : "xxx",
      "src_geo" : {
        "latitude" : 90,
        "longitude" : 180
      },
      "dest_geo" : {
        "latitude" : 90,
        "longitude" : 180
      }
    } ],
    "resource_list" : [ {
      "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "name" : "MyXXX",
      "type" : "MyXXX",
      "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "ep_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "ep_name" : "MyXXX",
      "tags" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    } ],
    "remediation" : {
      "recommendation" : "MyXXX",
      "url" : "MyXXX"
    },
    "verification_state" : "Unknown,True_Positive,False_Positive The default value is Unknown.",
    "handle_status" : "Open – enabled.Block – blocked.Closed – closed.The default value is Open.",
    "sla" : 60000,
    "update_time" : "2021-01-30T23:00:00Z+0800",
    "close_time" : "2021-01-30T23:00:00Z+0800",
    "ipdrr_phase" : "Prepartion|Detection and Analysis|Containm, Eradication& Recovery| Post-Incident-Activity",
    "simulation" : "false",
    "actor" : "Tom",
    "owner" : "MyXXX",
    "creator" : "MyXXX",
    "close_reason" : "False positive; Resolved; Duplicate; Others",
    "close_comment" : "False positive; Resolved; Duplicate; Others",
    "malware" : {
      "malware_family" : "family",
      "malware_class" : "Malicious memory occupation."
    },
    "system_info" : { },
    "process" : [ {
      "process_name" : "MyXXX",
      "process_path" : "MyXXX",
      "process_pid" : 123,
      "process_uid" : 123,
      "process_cmdline" : "MyXXX"
    } ],
    "user_info" : [ {
      "user_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "user_name" : "MyXXX"
    } ],
    "file_info" : [ {
      "file_path" : "MyXXX",
      "file_content" : "MyXXX",
      "file_new_path" : "MyXXX",
      "file_hash" : "MyXXX",
      "file_md5" : "MyXXX",
      "file_sha256" : "MyXXX",
      "file_attr" : "MyXXX"
    } ],
    "system_alert_table" : { },
    "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca620"
  }
}

Example Responses

Status code: 200

Response body of the request for creating alerts.

{
  "code" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
  "message" : "Error message",
  "data" : {
    "data_object" : {
      "version" : "1.0",
      "environment" : {
        "vendor_type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "data_source" : {
        "source_type" : 3,
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "first_observed_time" : "2021-01-30T23:00:00Z+0800",
      "last_observed_time" : "2021-01-30T23:00:00Z+0800",
      "create_time" : "2021-01-30T23:00:00Z+0800",
      "arrive_time" : "2021-01-30T23:00:00Z+0800",
      "title" : "MyXXX",
      "description" : "This my XXXX",
      "source_url" : "http://xxx",
      "count" : 4,
      "confidence" : 4,
      "severity" : "TIPS",
      "criticality" : 4,
      "alert_type" : { },
      "network_list" : [ {
        "direction" : {
          "IN" : null
        },
        "protocol" : "TCP",
        "src_ip" : "192.168.0.1",
        "src_port" : "1",
        "src_domain" : "xxx",
        "dest_ip" : "192.168.0.1",
        "dest_port" : "1",
        "dest_domain" : "xxx",
        "src_geo" : {
          "latitude" : 90,
          "longitude" : 180
        },
        "dest_geo" : {
          "latitude" : 90,
          "longitude" : 180
        }
      } ],
      "resource_list" : [ {
        "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "name" : "MyXXX",
        "type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_name" : "MyXXX",
        "tags" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      } ],
      "remediation" : {
        "recommendation" : "MyXXX",
        "url" : "MyXXX"
      },
      "verification_state" : "Unknown,True_Positive,False_Positive The default value is Unknown.",
      "handle_status" : "Open – enabled.Block – blocked.Closed – closed.The default value is Open.",
      "sla" : 60000,
      "update_time" : "2021-01-30T23:00:00Z+0800",
      "close_time" : "2021-01-30T23:00:00Z+0800",
      "ipdrr_phase" : "Preparation | Detection and Analysis | Containment, Eradication&Recovery | Post-Incident-Activity",
      "simulation" : "false",
      "actor" : "Tom",
      "owner" : "MyXXX",
      "creator" : "MyXXX",
      "close_reason" : "False positive; Resolved; Duplicate; Others",
      "close_comment" : "False positive; Resolved; Duplicate; Others",
      "malware" : {
        "malware_family" : "family",
        "malware_class" : "Malicious memory occupation."
      },
      "system_info" : { },
      "process" : [ {
        "process_name" : "MyXXX",
        "process_path" : "MyXXX",
        "process_pid" : 123,
        "process_uid" : 123,
        "process_cmdline" : "MyXXX"
      } ],
      "user_info" : [ {
        "user_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "user_name" : "MyXXX"
      } ],
      "file_info" : [ {
        "file_path" : "MyXXX",
        "file_content" : "MyXXX",
        "file_new_path" : "MyXXX",
        "file_hash" : "MyXXX",
        "file_md5" : "MyXXX",
        "file_sha256" : "MyXXX",
        "file_attr" : "MyXXX"
      } ],
      "system_alert_table" : { },
      "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca620"
    },
    "create_time" : "2021-01-30T23:00:00Z+0800",
    "update_time" : "2021-01-30T23:00:00Z+0800",
    "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "id" : "MyXXX",
    "version" : 123,
    "format_version" : 123,
    "dataclass_ref" : {
      "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "name" : "MyXXX"
    }
  }
}

SDK Sample Code

The SDK sample code is as follows.

Create an alarm. Set Alarm Name to MyXXX, Tag to MyXXX, URL to http://xxx, Number of occurrences to 4, Confidence to 4, and Severity to tips.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
 
package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.secmaster.v2.region.SecMasterRegion;
import com.huaweicloud.sdk.secmaster.v2.*;
import com.huaweicloud.sdk.secmaster.v2.model.*;

import java.util.List;
import java.util.ArrayList;

public class CreateAlertSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");

        ICredential auth = new BasicCredentials()
                .withAk(ak)
                .withSk(sk);

        SecMasterClient client = SecMasterClient.newBuilder()
                .withCredential(auth)
                .withRegion(SecMasterRegion.valueOf("<YOUR REGION>"))
                .build();
        CreateAlertRequest request = new CreateAlertRequest();
        CreateAlertRequestBody body = new CreateAlertRequestBody();
        List<AlertFileInfo> listDataObjectFileInfo = new ArrayList<>();
        listDataObjectFileInfo.add(
            new AlertFileInfo()
                .withFilePath("MyXXX")
                .withFileContent("MyXXX")
                .withFileNewPath("MyXXX")
                .withFileHash("MyXXX")
                .withFileMd5("MyXXX")
                .withFileSha256("MyXXX")
                .withFileAttr("MyXXX")
        );
        List<AlertUserInfo> listDataObjectUserInfo = new ArrayList<>();
        listDataObjectUserInfo.add(
            new AlertUserInfo()
                .withUserId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withUserName("MyXXX")
        );
        List<AlertProcess> listDataObjectProcess = new ArrayList<>();
        listDataObjectProcess.add(
            new AlertProcess()
                .withProcessName("MyXXX")
                .withProcessPath("MyXXX")
                .withProcessPid(123)
                .withProcessUid(123)
                .withProcessCmdline("MyXXX")
        );
        AlertMalware malwareDataObject = new AlertMalware();
        malwareDataObject.withMalwareFamily("family")
            .withMalwareClass("Malicious memory occupation.");
        AlertRemediation remediationDataObject = new AlertRemediation();
        remediationDataObject.withRecommendation("MyXXX")
            .withUrl("MyXXX");
        List<AlertResourceList> listDataObjectResourceList = new ArrayList<>();
        listDataObjectResourceList.add(
            new AlertResourceList()
                .withId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withName("MyXXX")
                .withType("MyXXX")
                .withRegionId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withDomainId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withProjectId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withEpId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withEpName("MyXXX")
                .withTags("909494e3-558e-46b6-a9eb-07a8e18ca62f")
        );
        AlertDestGeo destGeoNetworkList = new AlertDestGeo();
        destGeoNetworkList.withLatitude(java.math.BigDecimal.valueOf(90))
            .withLongitude(java.math.BigDecimal.valueOf(180));
        AlertSrcGeo srcGeoNetworkList = new AlertSrcGeo();
        srcGeoNetworkList.withLatitude(java.math.BigDecimal.valueOf(90))
            .withLongitude(java.math.BigDecimal.valueOf(180));
        List<AlertNetworkList> listDataObjectNetworkList = new ArrayList<>();
        listDataObjectNetworkList.add(
            new AlertNetworkList()
                .withDirection(AlertNetworkList.DirectionEnum.fromValue("{}"))
                .withProtocol("TCP")
                .withSrcIp("192.168.0.1")
                .withSrcPort(1)
                .withSrcDomain("xxx")
                .withSrcGeo(srcGeoNetworkList)
                .withDestIp("192.168.0.1")
                .withDestPort("1")
                .withDestDomain("xxx")
                .withDestGeo(destGeoNetworkList)
        );
        AlertDataSource dataSourceDataObject = new AlertDataSource();
        dataSourceDataObject.withSourceType(3)
            .withDomainId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withProjectId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withRegionId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withProductName("test")
            .withProductFeature("test");
        AlertEnvironment environmentDataObject = new AlertEnvironment();
        environmentDataObject.withVendorType("MyXXX")
            .withDomainId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withRegionId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withProjectId("909494e3-558e-46b6-a9eb-07a8e18ca62f");
        Alert dataObjectbody = new Alert();
        dataObjectbody.withVersion("1.0")
            .withId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withWorkspaceId("909494e3-558e-46b6-a9eb-07a8e18ca620")
            .withLabels("MyXXX")
            .withEnvironment(environmentDataObject)
            .withDataSource(dataSourceDataObject)
            .withFirstObservedTime("2021-01-30T23:00:00Z+0800")
            .withLastObservedTime("2021-01-30T23:00:00Z+0800")
            .withCreateTime("2021-01-30T23:00:00Z+0800")
            .withArriveTime("2021-01-30T23:00:00Z+0800")
            .withTitle("MyXXX")
            .withDescription("This my XXXX")
            .withSourceUrl("http://xxx")
            .withCount(4)
            .withConfidence(4)
            .withSeverity(Alert.SeverityEnum.fromValue("TIPS"))
            .withCriticality(4)
            .withNetworkList(listDataObjectNetworkList)
            .withResourceList(listDataObjectResourceList)
            .withRemediation(remediationDataObject)
            .withVerificationState(Alert.VerificationStateEnum.fromValue("Unknown,True_Positive,False_Positive The default value is Unknown."))
            .withHandleStatus(Alert.HandleStatusEnum.fromValue("Open – enabled.Block – blocked.Closed – closed.The default value is Open."))
            .withSla(60000)
            .withUpdateTime("2021-01-30T23:00:00Z+0800")
            .withCloseTime("2021-01-30T23:00:00Z+0800")
            .withIpdrrPhase(Alert.IpdrrPhaseEnum.fromValue("Prepartion|Detection and Analysis|Containm,Eradication& Recovery| Post-Incident-Activity"))
            .withSimulation("false")
            .withActor("Tom")
            .withOwner("MyXXX")
            .withCreator("MyXXX")
            .withCloseReason(Alert.CloseReasonEnum.fromValue("False positive; Resolved; Duplicate; Others"))
            .withCloseComment("False positive; Resolved; Duplicate; Others")
            .withMalware(malwareDataObject)
            .withSystemInfo(new Object())
            .withProcess(listDataObjectProcess)
            .withUserInfo(listDataObjectUserInfo)
            .withFileInfo(listDataObjectFileInfo)
            .withSystemAlertTable(new Object());
        body.withDataObject(dataObjectbody);
        request.withBody(body);
        try {
            CreateAlertResponse response = client.createAlert(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

Create an alarm. Set Alarm Name to MyXXX, Tag to MyXXX, URL to http://xxx, Number of occurrences to 4, Confidence to 4, and Severity to tips.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
 
# coding: utf-8

from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdksecmaster.v2.region.secmaster_region import SecMasterRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdksecmaster.v2 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = __import__('os').getenv("CLOUD_SDK_AK")
    sk = __import__('os').getenv("CLOUD_SDK_SK")

    credentials = BasicCredentials(ak, sk) \

    client = SecMasterClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(SecMasterRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = CreateAlertRequest()
        listFileInfoDataObject = [
            AlertFileInfo(
                file_path="MyXXX",
                file_content="MyXXX",
                file_new_path="MyXXX",
                file_hash="MyXXX",
                file_md5="MyXXX",
                file_sha256="MyXXX",
                file_attr="MyXXX"
            )
        ]
        listUserInfoDataObject = [
            AlertUserInfo(
                user_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                user_name="MyXXX"
            )
        ]
        listProcessDataObject = [
            AlertProcess(
                process_name="MyXXX",
                process_path="MyXXX",
                process_pid=123,
                process_uid=123,
                process_cmdline="MyXXX"
            )
        ]
        malwareDataObject = AlertMalware(
            malware_family="family",
            malware_class="Malicious memory occupation."
        )
        remediationDataObject = AlertRemediation(
            recommendation="MyXXX",
            url="MyXXX"
        )
        listResourceListDataObject = [
            AlertResourceList(
                id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                name="MyXXX",
                type="MyXXX",
                region_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                domain_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                project_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                ep_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                ep_name="MyXXX",
                tags="909494e3-558e-46b6-a9eb-07a8e18ca62f"
            )
        ]
        destGeoNetworkList = AlertDestGeo(
            latitude=90,
            longitude=180
        )
        srcGeoNetworkList = AlertSrcGeo(
            latitude=90,
            longitude=180
        )
        listNetworkListDataObject = [
            AlertNetworkList(
                direction="{}",
                protocol="TCP",
                src_ip="192.168.0.1",
                src_port=1,
                src_domain="xxx",
                src_geo=srcGeoNetworkList,
                dest_ip="192.168.0.1",
                dest_port="1",
                dest_domain="xxx",
                dest_geo=destGeoNetworkList
            )
        ]
        dataSourceDataObject = AlertDataSource(
            source_type=3,
            domain_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            project_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            region_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            product_name="test",
            product_feature="test"
        )
        environmentDataObject = AlertEnvironment(
            vendor_type="MyXXX",
            domain_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            region_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            project_id="909494e3-558e-46b6-a9eb-07a8e18ca62f"
        )
        dataObjectbody = Alert(
            version="1.0",
            id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            workspace_id="909494e3-558e-46b6-a9eb-07a8e18ca620",
            labels="MyXXX",
            environment=environmentDataObject,
            data_source=dataSourceDataObject,
            first_observed_time="2021-01-30T23:00:00Z+0800",
            last_observed_time="2021-01-30T23:00:00Z+0800",
            create_time="2021-01-30T23:00:00Z+0800",
            arrive_time="2021-01-30T23:00:00Z+0800",
            title="MyXXX",
            description="This my XXXX",
            source_url="http://xxx",
            count=4,
            confidence=4,
            severity="TIPS",
            criticality=4,
            network_list=listNetworkListDataObject,
            resource_list=listResourceListDataObject,
            remediation=remediationDataObject,
            verification_state="Unknown,True_Positive,False_Positive The default value is Unknown.",
            handle_status="Open – enabled.Block – blocked.Closed – closed.The default value is Open.",
            sla=60000,
            update_time="2021-01-30T23:00:00Z+0800",
            close_time="2021-01-30T23:00:00Z+0800",
            ipdrr_phase="Prepartion|Detection and Analysis|Containm,Eradication& Recovery| Post-Incident-Activity",
            simulation="false",
            actor="Tom",
            owner="MyXXX",
            creator="MyXXX",
            close_reason="False positive; Resolved; Duplicate; Others",
            close_comment="False positive; Resolved; Duplicate; Others",
            malware=malwareDataObject,
            system_info={},
            process=listProcessDataObject,
            user_info=listUserInfoDataObject,
            file_info=listFileInfoDataObject,
            system_alert_table={}
        )
        request.body = CreateAlertRequestBody(
            data_object=dataObjectbody
        )
        response = client.create_alert(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

Create an alarm. Set Alarm Name to MyXXX, Tag to MyXXX, URL to http://xxx, Number of occurrences to 4, Confidence to 4, and Severity to tips.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
 
package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    secmaster "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        Build()

    client := secmaster.NewSecMasterClient(
        secmaster.SecMasterClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.CreateAlertRequest{}
	filePathFileInfo:= "MyXXX"
	fileContentFileInfo:= "MyXXX"
	fileNewPathFileInfo:= "MyXXX"
	fileHashFileInfo:= "MyXXX"
	fileMd5FileInfo:= "MyXXX"
	fileSha256FileInfo:= "MyXXX"
	fileAttrFileInfo:= "MyXXX"
	var listFileInfoDataObject = []model.AlertFileInfo{
        {
            FilePath: &filePathFileInfo,
            FileContent: &fileContentFileInfo,
            FileNewPath: &fileNewPathFileInfo,
            FileHash: &fileHashFileInfo,
            FileMd5: &fileMd5FileInfo,
            FileSha256: &fileSha256FileInfo,
            FileAttr: &fileAttrFileInfo,
        },
    }
	userIdUserInfo:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	userNameUserInfo:= "MyXXX"
	var listUserInfoDataObject = []model.AlertUserInfo{
        {
            UserId: &userIdUserInfo,
            UserName: &userNameUserInfo,
        },
    }
	processNameProcess:= "MyXXX"
	processPathProcess:= "MyXXX"
	processPidProcess:= int32(123)
	processUidProcess:= int32(123)
	processCmdlineProcess:= "MyXXX"
	var listProcessDataObject = []model.AlertProcess{
        {
            ProcessName: &processNameProcess,
            ProcessPath: &processPathProcess,
            ProcessPid: &processPidProcess,
            ProcessUid: &processUidProcess,
            ProcessCmdline: &processCmdlineProcess,
        },
    }
	malwareFamilyMalware:= "family"
	malwareClassMalware:= "Malicious memory occupation."
	malwareDataObject := &model.AlertMalware{
		MalwareFamily: &malwareFamilyMalware,
		MalwareClass: &malwareClassMalware,
	}
	recommendationRemediation:= "MyXXX"
	urlRemediation:= "MyXXX"
	remediationDataObject := &model.AlertRemediation{
		Recommendation: &recommendationRemediation,
		Url: &urlRemediation,
	}
	idResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	nameResourceList:= "MyXXX"
	typeResourceList:= "MyXXX"
	regionIdResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	domainIdResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	projectIdResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	epIdResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	epNameResourceList:= "MyXXX"
	tagsResourceList:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	var listResourceListDataObject = []model.AlertResourceList{
        {
            Id: &idResourceList,
            Name: &nameResourceList,
            Type: &typeResourceList,
            RegionId: &regionIdResourceList,
            DomainId: &domainIdResourceList,
            ProjectId: &projectIdResourceList,
            EpId: &epIdResourceList,
            EpName: &epNameResourceList,
            Tags: &tagsResourceList,
        },
    }
	latitudeDestGeo:= float32(90)
	longitudeDestGeo:= float32(180)
	destGeoNetworkList := &model.AlertDestGeo{
		Latitude: &latitudeDestGeo,
		Longitude: &longitudeDestGeo,
	}
	latitudeSrcGeo:= float32(90)
	longitudeSrcGeo:= float32(180)
	srcGeoNetworkList := &model.AlertSrcGeo{
		Latitude: &latitudeSrcGeo,
		Longitude: &longitudeSrcGeo,
	}
	directionNetworkList:= model.GetAlertNetworkListDirectionEnum().{}
	protocolNetworkList:= "TCP"
	srcIpNetworkList:= "192.168.0.1"
	srcPortNetworkList:= int32(1)
	srcDomainNetworkList:= "xxx"
	destIpNetworkList:= "192.168.0.1"
	destPortNetworkList:= "1"
	destDomainNetworkList:= "xxx"
	var listNetworkListDataObject = []model.AlertNetworkList{
        {
            Direction: &directionNetworkList,
            Protocol: &protocolNetworkList,
            SrcIp: &srcIpNetworkList,
            SrcPort: &srcPortNetworkList,
            SrcDomain: &srcDomainNetworkList,
            SrcGeo: srcGeoNetworkList,
            DestIp: &destIpNetworkList,
            DestPort: &destPortNetworkList,
            DestDomain: &destDomainNetworkList,
            DestGeo: destGeoNetworkList,
        },
    }
	sourceTypeDataSource:= int32(3)
	domainIdDataSource:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	projectIdDataSource:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	regionIdDataSource:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	productNameDataSource:= "test"
	productFeatureDataSource:= "test"
	dataSourceDataObject := &model.AlertDataSource{
		SourceType: &sourceTypeDataSource,
		DomainId: &domainIdDataSource,
		ProjectId: &projectIdDataSource,
		RegionId: &regionIdDataSource,
		ProductName: &productNameDataSource,
		ProductFeature: &productFeatureDataSource,
	}
	vendorTypeEnvironment:= "MyXXX"
	domainIdEnvironment:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	regionIdEnvironment:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	projectIdEnvironment:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	environmentDataObject := &model.AlertEnvironment{
		VendorType: &vendorTypeEnvironment,
		DomainId: &domainIdEnvironment,
		RegionId: &regionIdEnvironment,
		ProjectId: &projectIdEnvironment,
	}
	versionDataObject:= "1.0"
	idDataObject:= "909494e3-558e-46b6-a9eb-07a8e18ca62f"
	workspaceIdDataObject:= "909494e3-558e-46b6-a9eb-07a8e18ca620"
	labelsDataObject:= "MyXXX"
	firstObservedTimeDataObject:= "2021-01-30T23:00:00Z+0800"
	lastObservedTimeDataObject:= "2021-01-30T23:00:00Z+0800"
	createTimeDataObject:= "2021-01-30T23:00:00Z+0800"
	arriveTimeDataObject:= "2021-01-30T23:00:00Z+0800"
	titleDataObject:= "MyXXX"
	descriptionDataObject:= "This my XXXX"
	sourceUrlDataObject:= "http://xxx"
	countDataObject:= int32(4)
	confidenceDataObject:= int32(4)
	severityDataObject:= model.GetAlertSeverityEnum().TIPS
	criticalityDataObject:= int32(4)
	verificationStateDataObject:= model.GetAlertVerificationStateEnum().UNKNOWN,TRUE_POSITIVE,FALSE_POSITIVE_THE_DEFAULT_VALUE_IS_UNKNOWN_
	handleStatusDataObject:= model.GetAlertHandleStatusEnum().OPEN__ENABLED_BLOCK__BLOCKED_CLOSED__CLOSED_THE_DEFAULT_VALUE_IS_OPEN_
	slaDataObject:= int32(60000)
	updateTimeDataObject:= "2021-01-30T23:00:00Z+0800"
	closeTimeDataObject:= "2021-01-30T23:00:00Z+0800"
	ipdrrPhaseDataObject:= model.GetAlertIpdrrPhaseEnum().PREPARTION|DETECTION_AND_ANALYSIS|CONTAINM,ERADICATION&_RECOVERY|_POST_INCIDENT_ACTIVITY
	simulationDataObject:= "false"
	actorDataObject:= "Tom"
	ownerDataObject:= "MyXXX"
	creatorDataObject:= "MyXXX"
	closeReasonDataObject:= model.GetAlertCloseReasonEnum().FALSE_POSITIVE;_RESOLVED;_DUPLICATE;_OTHERS
	closeCommentDataObject:= "False positive; Resolved; Duplicate; Others"
	var systemInfoDataObject interface{} = make(map[string]string)
	var systemAlertTableDataObject interface{} = make(map[string]string)
	dataObjectbody := &model.Alert{
		Version: &versionDataObject,
		Id: &idDataObject,
		WorkspaceId: &workspaceIdDataObject,
		Labels: &labelsDataObject,
		Environment: environmentDataObject,
		DataSource: dataSourceDataObject,
		FirstObservedTime: &firstObservedTimeDataObject,
		LastObservedTime: &lastObservedTimeDataObject,
		CreateTime: &createTimeDataObject,
		ArriveTime: &arriveTimeDataObject,
		Title: &titleDataObject,
		Description: &descriptionDataObject,
		SourceUrl: &sourceUrlDataObject,
		Count: &countDataObject,
		Confidence: &confidenceDataObject,
		Severity: &severityDataObject,
		Criticality: &criticalityDataObject,
		NetworkList: &listNetworkListDataObject,
		ResourceList: &listResourceListDataObject,
		Remediation: remediationDataObject,
		VerificationState: &verificationStateDataObject,
		HandleStatus: &handleStatusDataObject,
		Sla: &slaDataObject,
		UpdateTime: &updateTimeDataObject,
		CloseTime: &closeTimeDataObject,
		IpdrrPhase: &ipdrrPhaseDataObject,
		Simulation: &simulationDataObject,
		Actor: &actorDataObject,
		Owner: &ownerDataObject,
		Creator: &creatorDataObject,
		CloseReason: &closeReasonDataObject,
		CloseComment: &closeCommentDataObject,
		Malware: malwareDataObject,
		SystemInfo: &systemInfoDataObject,
		Process: &listProcessDataObject,
		UserInfo: &listUserInfoDataObject,
		FileInfo: &listFileInfoDataObject,
		SystemAlertTable: &systemAlertTableDataObject,
	}
	request.Body = &model.CreateAlertRequestBody{
		DataObject: dataObjectbody,
	}
	response, err := client.CreateAlert(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

Status Code

Description

200

Response body of the request for creating alerts.

400

Response body of the request for creating alerts.

Error Codes

See Error Codes.

Parent Topic: Alert Management