Creating an Alert Rule
Function
Creating an Alert Rule
Calling Method
For details, see Calling APIs.
URI
POST /v1/{project_id}/workspaces/{workspace_id}/soc/alerts
Path parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| project_id | Yes | String | Project ID. |
| workspace_id | Yes | String | Workspace ID. |
Request Parameters
Request header parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| X-Auth-Token | Yes | String | User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is the token. |
| content-type | Yes | String | Content type. |
Request body parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| data_object | Yes | Alert object | Alert entity information. |
data_object (Alert object)

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| version | No | String | Version of the alert data source. The value must be one officially released by the Cloud SSA service. |
| id | No | String | Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters. |
| domain_id | No | String | ID of the account (domain_id) to which the data is delivered and hosted. |
| region_id | No | String | ID of the region to which the account that receives and hosts the data belongs. |
| workspace_id | No | String | ID of the current workspace. |
| labels | No | String | Tag (display only). |
| environment | No | environment object | Coordinates of the environment where the alert was generated. |
| data_source | No | data_source object | Source from which the data was first reported. |
| first_observed_time | No | String | First discovery time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| last_observed_time | No | String | Last discovery time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| create_time | No | String | Recording time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| arrive_time | No | String | Data receiving time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| title | No | String | Alert title. |
| description | No | String | Alert description. |
| source_url | No | String | Alert URL, which points to the page describing the current incident in the data source product. |
| count | No | Integer | Number of incident occurrences. |
| confidence | No | Integer | Incident confidence, which indicates how accurately the behavior or incident was identified. Value range: 0 to 100, where 0 means 0% confidence and 100 means 100% confidence. |
| severity | No | String | Severity level. Value range: Tips, Low, Medium, High, Fatal. |
| criticality | No | Integer | Criticality, which specifies the importance level of the resources involved in the incident. Value range: 0 to 100, where 0 means the resource is not critical and 100 means it is critical. |
| alert_type | No | alert_type object | Alert classification. For details, see the Alert Type Definition. |
| network_list | No | Array of network_list objects | Network information. |
| resource_list | No | Array of resource_list objects | Affected resources. |
| remediation | No | remediation object | Remediation measures. |
| verification_state | No | String | Verification status, which identifies the accuracy of an incident. Options: Unknown, True_Positive, False_Positive. The default value is Unknown. |
| handle_status | No | String | Incident handling status. Options: Open (enabled), Block (blocked), Closed (closed). The default value is Open. |
| sla | No | Integer | Risk closure time: the acceptable risk duration, in hours. |
| update_time | No | String | Update time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the alert occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| close_time | No | String | Closing time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| ipdrr_phase | No | String | Handling phase (IPDRR). Options: Preparation; Detection and Analysis; Containment, Eradication & Recovery; Post-Incident-Activity. |
| simulation | No | String | Debugging field. |
| actor | No | String | Alert investigator. |
| owner | No | String | Owner and service owner. |
| creator | No | String | Creator. |
| close_reason | No | String | Close reason. Options: False positive, Resolved, Duplicate, Others. |
| close_comment | No | String | Close comment. |
| malware | No | malware object | Malware information. |
| system_info | No | Object | System information. |
| process | No | Array of process objects | Process information. |
| user_info | No | Array of user_info objects | User information. |
| file_info | No | Array of file_info objects | File information. |
| system_alert_table | No | Object | Layout fields in the alert list. |
environment object

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| vendor_type | No | String | Environment provider. |
| domain_id | No | String | Tenant ID. |
| region_id | No | String | Region ID. global is returned for global services. |
| cross_workspace_id | No | String | ID of the source workspace for the data delivery. If the source workspace ID is null, the destination workspace account ID is used. |
| project_id | No | String | Project ID. The default value is null for global services. |
data_source object

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| source_type | No | Integer | Data source type. Options: 1 (cloud product), 2 (third-party product), 3 (tenant product). |
| domain_id | No | String | ID of the account to which the data source product belongs. |
| project_id | No | String | ID of the project to which the data source product belongs. |
| region_id | No | String | Region where the data source is located, for example, cn-north-1. For details about the value range, see Regions and Endpoints. |
| company_name | No | String | Name of the company to which the data source belongs. |
| product_name | No | String | Name of the data source. |
| product_feature | No | String | Name of the product feature that detected the incident. |
| product_module | No | String | Threat detection module list. |
alert_type object

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| category | No | String | Category. |
| alert_type | No | String | Alert type. |
network_list object

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| direction | No | String | Direction. The value can be IN or OUT. |
| protocol | No | String | Protocol, including Layer 7 and Layer 4 protocols. Use the IANA registered name; see https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml. |
| src_ip | No | String | Source IP address. |
| src_port | No | Integer | Source port. The value ranges from 0 to 65535. |
| src_domain | No | String | Source domain name. |
| src_geo | No | src_geo object | Geographical location of the source IP address. |
| dest_ip | No | String | Destination IP address. |
| dest_port | No | String | Destination port. The value ranges from 0 to 65535. |
| dest_domain | No | String | Destination domain name. |
| dest_geo | No | dest_geo object | Geographical location of the destination IP address. |
src_geo object

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| latitude | No | Number | Latitude. |
| longitude | No | Number | Longitude. |
| city_code | No | String | City code, for example, Beijing or Shanghai. |
| country_code | No | String | Country code as defined in ISO 3166-1 alpha-2, for example, CN, US, DE, IT, or SG. |
dest_geo object

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| latitude | No | Number | Latitude. |
| longitude | No | Number | Longitude. |
| city_code | No | String | City code, for example, Beijing or Shanghai. |
| country_code | No | String | Country code as defined in ISO 3166-1 alpha-2, for example, CN, US, DE, IT, or SG. |
resource_list object

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| id | No | String | Cloud service resource ID. |
| name | No | String | Resource name. |
| type | No | String | Resource type. The value is the RMS resource type on the cloud. |
| provider | No | String | Cloud service name, which is the same as the provider field in the RMS service. |
| region_id | No | String | Region ID on the cloud, for example, cn-north-1. |
| domain_id | No | String | ID of the account to which the resource belongs, in UUID format. |
| project_id | No | String | ID of the project to which the resource belongs, in UUID format. |
| ep_id | No | String | Enterprise project ID. |
| ep_name | No | String | Enterprise project name. |
| tags | No | String | Resource tag. |
remediation object

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| recommendation | No | String | Recommended solution. |
| url | No | String | Link to the general fix information for the incident. The URL must be reachable from the public network without credentials. |
malware object

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| malware_family | No | String | Malware family. |
| malware_class | No | String | Malware category. |
process object

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| process_name | No | String | Process name. |
| process_path | No | String | Path of the process executable. |
| process_pid | No | Integer | Process ID. |
| process_uid | No | Integer | Process user ID. |
| process_cmdline | No | String | Process command line. |
| process_parent_name | No | String | Parent process name. |
| process_parent_path | No | String | Path of the parent process executable. |
| process_parent_pid | No | Integer | Parent process ID. |
| process_parent_uid | No | Integer | Parent process user ID. |
| process_parent_cmdline | No | String | Parent process command line. |
| process_child_name | No | String | Child process name. |
| process_child_path | No | String | Path of the child process executable. |
| process_child_pid | No | Integer | Child process ID. |
| process_child_uid | No | Integer | Child process user ID. |
| process_child_cmdline | No | String | Child process command line. |
| process_launche_time | No | String | Process start time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| process_terminate_time | No | String | Process end time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
user_info object

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| user_id | No | String | User ID (UID). |
| user_name | No | String | Username. |
file_info object

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| file_path | No | String | File path and name. |
| file_content | No | String | File content. |
| file_new_path | No | String | New file path and name. |
| file_hash | No | String | File hash. |
| file_md5 | No | String | File MD5 digest. |
| file_sha256 | No | String | File SHA-256 digest. |
| file_attr | No | String | File attribute. |
Response Parameters
Status code: 200
Response header parameters

| Parameter | Type | Description |
|---|---|---|
| X-request-id | String | Request ID, in the format request_uuid-timestamp-hostname. |
Response body parameters

| Parameter | Type | Description |
|---|---|---|
| code | String | Error code. |
| message | String | Error message. |
| data | AlertDetail object | Alert details. |
data (AlertDetail object)

| Parameter | Type | Description |
|---|---|---|
| create_time | String | Recording time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| data_object | Alert object | Alert entity information. |
| dataclass_ref | dataclass_ref object | Data class object. |
| format_version | Integer | Format version. |
| id | String | Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters. |
| type | String | Data type. |
| project_id | String | ID of the current project. |
| update_time | String | Update time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| version | Integer | Version. |
| workspace_id | String | ID of the current workspace. |
data_object (Alert object)

| Parameter | Type | Description |
|---|---|---|
| version | String | Version of the alert data source. The value must be one officially released by the Cloud SSA service. |
| id | String | Unique identifier of an incident. The value is in UUID format and can contain a maximum of 36 characters. |
| domain_id | String | ID of the account (domain_id) to which the data is delivered and hosted. |
| region_id | String | ID of the region to which the account that receives and hosts the data belongs. |
| workspace_id | String | ID of the current workspace. |
| labels | String | Tag (display only). |
| environment | environment object | Coordinates of the environment where the alert was generated. |
| data_source | data_source object | Source from which the data was first reported. |
| first_observed_time | String | First discovery time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| last_observed_time | String | Last discovery time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| create_time | String | Recording time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| arrive_time | String | Data receiving time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| title | String | Alert title. |
| description | String | Alert description. |
| source_url | String | Alert URL, which points to the page describing the current incident in the data source product. |
| count | Integer | Number of incident occurrences. |
| confidence | Integer | Incident confidence, which indicates how accurately the behavior or incident was identified. Value range: 0 to 100, where 0 means 0% confidence and 100 means 100% confidence. |
| severity | String | Severity level. Value range: Tips, Low, Medium, High, Fatal. |
| criticality | Integer | Criticality, which specifies the importance level of the resources involved in the incident. Value range: 0 to 100, where 0 means the resource is not critical and 100 means it is critical. |
| alert_type | alert_type object | Alert classification. For details, see the Alert Type Definition. |
| network_list | Array of network_list objects | Network information. |
| resource_list | Array of resource_list objects | Affected resources. |
| remediation | remediation object | Remediation measures. |
| verification_state | String | Verification status, which identifies the accuracy of an incident. Options: Unknown, True_Positive, False_Positive. The default value is Unknown. |
| handle_status | String | Incident handling status. Options: Open (enabled), Block (blocked), Closed (closed). The default value is Open. |
| sla | Integer | Risk closure time: the acceptable risk duration, in hours. |
| update_time | String | Update time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the alert occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| close_time | String | Closing time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| ipdrr_phase | String | Handling phase (IPDRR). Options: Preparation; Detection and Analysis; Containment, Eradication & Recovery; Post-Incident-Activity. |
| simulation | String | Debugging field. |
| actor | String | Alert investigator. |
| owner | String | Owner and service owner. |
| creator | String | Creator. |
| close_reason | String | Close reason. Options: False positive, Resolved, Duplicate, Others. |
| close_comment | String | Close comment. |
| malware | malware object | Malware information. |
| system_info | Object | System information. |
| process | Array of process objects | Process information. |
| user_info | Array of user_info objects | User information. |
| file_info | Array of file_info objects | File information. |
| system_alert_table | Object | Layout fields in the alert list. |
environment object

| Parameter | Type | Description |
|---|---|---|
| vendor_type | String | Environment provider. |
| domain_id | String | Tenant ID. |
| region_id | String | Region ID. global is returned for global services. |
| cross_workspace_id | String | ID of the source workspace for the data delivery. If the source workspace ID is null, the destination workspace account ID is used. |
| project_id | String | Project ID. The default value is null for global services. |
data_source object

| Parameter | Type | Description |
|---|---|---|
| source_type | Integer | Data source type. Options: 1 (cloud product), 2 (third-party product), 3 (tenant product). |
| domain_id | String | ID of the account to which the data source product belongs. |
| project_id | String | ID of the project to which the data source product belongs. |
| region_id | String | Region where the data source is located, for example, cn-north-1. For details about the value range, see Regions and Endpoints. |
| company_name | String | Name of the company to which the data source belongs. |
| product_name | String | Name of the data source. |
| product_feature | String | Name of the product feature that detected the incident. |
| product_module | String | Threat detection module list. |
network_list object

| Parameter | Type | Description |
|---|---|---|
| direction | String | Direction. The value can be IN or OUT. |
| protocol | String | Protocol, including Layer 7 and Layer 4 protocols. Use the IANA registered name; see https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml. |
| src_ip | String | Source IP address. |
| src_port | Integer | Source port. The value ranges from 0 to 65535. |
| src_domain | String | Source domain name. |
| src_geo | src_geo object | Geographical location of the source IP address. |
| dest_ip | String | Destination IP address. |
| dest_port | String | Destination port. The value ranges from 0 to 65535. |
| dest_domain | String | Destination domain name. |
| dest_geo | dest_geo object | Geographical location of the destination IP address. |
src_geo object

| Parameter | Type | Description |
|---|---|---|
| latitude | Number | Latitude. |
| longitude | Number | Longitude. |
| city_code | String | City code, for example, Beijing or Shanghai. |
| country_code | String | Country code as defined in ISO 3166-1 alpha-2, for example, CN, US, DE, IT, or SG. |
dest_geo object

| Parameter | Type | Description |
|---|---|---|
| latitude | Number | Latitude. |
| longitude | Number | Longitude. |
| city_code | String | City code, for example, Beijing or Shanghai. |
| country_code | String | Country code as defined in ISO 3166-1 alpha-2, for example, CN, US, DE, IT, or SG. |
resource_list object

| Parameter | Type | Description |
|---|---|---|
| id | String | Cloud service resource ID. |
| name | String | Resource name. |
| type | String | Resource type. The value is the RMS resource type on the cloud. |
| provider | String | Cloud service name, which is the same as the provider field in the RMS service. |
| region_id | String | Region ID on the cloud, for example, cn-north-1. |
| domain_id | String | ID of the account to which the resource belongs, in UUID format. |
| project_id | String | ID of the project to which the resource belongs, in UUID format. |
| ep_id | String | Enterprise project ID. |
| ep_name | String | Enterprise project name. |
| tags | String | Resource tag. |
remediation object

| Parameter | Type | Description |
|---|---|---|
| recommendation | String | Recommended solution. |
| url | String | Link to the general fix information for the incident. The URL must be reachable from the public network without credentials. |
malware object

| Parameter | Type | Description |
|---|---|---|
| malware_family | String | Malware family. |
| malware_class | String | Malware category. |
process object

| Parameter | Type | Description |
|---|---|---|
| process_name | String | Process name. |
| process_path | String | Path of the process executable. |
| process_pid | Integer | Process ID. |
| process_uid | Integer | Process user ID. |
| process_cmdline | String | Process command line. |
| process_parent_name | String | Parent process name. |
| process_parent_path | String | Path of the parent process executable. |
| process_parent_pid | Integer | Parent process ID. |
| process_parent_uid | Integer | Parent process user ID. |
| process_parent_cmdline | String | Parent process command line. |
| process_child_name | String | Child process name. |
| process_child_path | String | Path of the child process executable. |
| process_child_pid | Integer | Child process ID. |
| process_child_uid | Integer | Child process user ID. |
| process_child_cmdline | String | Child process command line. |
| process_launche_time | String | Process start time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
| process_terminate_time | String | Process end time. The format is ISO 8601: YYYY-MM-DDTHH:mm:ss.ms+Time zone, in the time zone where the incident occurred. If the time zone cannot be parsed, the default time zone GMT+8 is used. |
file_info object

| Parameter | Type | Description |
|---|---|---|
| file_path | String | File path and name. |
| file_content | String | File content. |
| file_new_path | String | New file path and name. |
| file_hash | String | File hash. |
| file_md5 | String | File MD5 digest. |
| file_sha256 | String | File SHA-256 digest. |
| file_attr | String | File attribute. |
dataclass_ref object

| Parameter | Type | Description |
|---|---|---|
| id | String | Unique identifier of a data class. The value is in UUID format and can contain a maximum of 36 characters. |
| name | String | Data class name. |
Status code: 400
Response header parameters

| Parameter | Type | Description |
|---|---|---|
| X-request-id | String | Request ID, in the format request_uuid-timestamp-hostname. |
Response body parameters

| Parameter | Type | Description |
|---|---|---|
| code | String | Error code. |
| message | String | Error description. |
Example Requests
Create an alarm. Set Alarm Name to MyXXX, Tag to MyXXX, URL to http://xxx, Number of occurrences to 4, Confidence to 4, and Severity to tips.
```json
{
  "data_object" : {
    "version" : "1.0",
    "environment" : {
      "vendor_type" : "MyXXX",
      "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    },
    "data_source" : {
      "source_type" : 3,
      "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "product_name" : "test",
      "product_feature" : "test"
    },
    "first_observed_time" : "2021-01-30T23:00:00Z+0800",
    "last_observed_time" : "2021-01-30T23:00:00Z+0800",
    "create_time" : "2021-01-30T23:00:00Z+0800",
    "arrive_time" : "2021-01-30T23:00:00Z+0800",
    "title" : "MyXXX",
    "labels" : "MyXXX",
    "description" : "This my XXXX",
    "source_url" : "http://xxx",
    "count" : 4,
    "confidence" : 4,
    "severity" : "TIPS",
    "criticality" : 4,
    "alert_type" : { },
    "network_list" : [ {
      "direction" : "IN",
      "protocol" : "TCP",
      "src_ip" : "192.168.0.1",
      "src_port" : 1,
      "src_domain" : "xxx",
      "dest_ip" : "192.168.0.1",
      "dest_port" : "1",
      "dest_domain" : "xxx",
      "src_geo" : { "latitude" : 90, "longitude" : 180 },
      "dest_geo" : { "latitude" : 90, "longitude" : 180 }
    } ],
    "resource_list" : [ {
      "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "name" : "MyXXX",
      "type" : "MyXXX",
      "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "ep_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "ep_name" : "MyXXX",
      "tags" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    } ],
    "remediation" : { "recommendation" : "MyXXX", "url" : "MyXXX" },
    "verification_state" : "Unknown",
    "handle_status" : "Open",
    "sla" : 60000,
    "update_time" : "2021-01-30T23:00:00Z+0800",
    "close_time" : "2021-01-30T23:00:00Z+0800",
    "ipdrr_phase" : "Preparation",
    "simulation" : "false",
    "actor" : "Tom",
    "owner" : "MyXXX",
    "creator" : "MyXXX",
    "close_reason" : "False positive",
    "close_comment" : "False positive; Resolved; Duplicate; Others",
    "malware" : { "malware_family" : "family", "malware_class" : "Malicious memory occupation." },
    "system_info" : { },
    "process" : [ {
      "process_name" : "MyXXX",
      "process_path" : "MyXXX",
      "process_pid" : 123,
      "process_uid" : 123,
      "process_cmdline" : "MyXXX"
    } ],
    "user_info" : [ { "user_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f", "user_name" : "MyXXX" } ],
    "file_info" : [ {
      "file_path" : "MyXXX",
      "file_content" : "MyXXX",
      "file_new_path" : "MyXXX",
      "file_hash" : "MyXXX",
      "file_md5" : "MyXXX",
      "file_sha256" : "MyXXX",
      "file_attr" : "MyXXX"
    } ],
    "system_alert_table" : { },
    "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca620"
  }
}
```
Example Responses
Status code: 200
Response body of the request for creating alerts.
```json
{
  "code" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
  "message" : "Error message",
  "data" : {
    "data_object" : {
      "version" : "1.0",
      "environment" : {
        "vendor_type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "data_source" : {
        "source_type" : 3,
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      },
      "first_observed_time" : "2021-01-30T23:00:00Z+0800",
      "last_observed_time" : "2021-01-30T23:00:00Z+0800",
      "create_time" : "2021-01-30T23:00:00Z+0800",
      "arrive_time" : "2021-01-30T23:00:00Z+0800",
      "title" : "MyXXX",
      "description" : "This my XXXX",
      "source_url" : "http://xxx",
      "count" : 4,
      "confidence" : 4,
      "severity" : "TIPS",
      "criticality" : 4,
      "alert_type" : { },
      "network_list" : [ {
        "direction" : "IN",
        "protocol" : "TCP",
        "src_ip" : "192.168.0.1",
        "src_port" : 1,
        "src_domain" : "xxx",
        "dest_ip" : "192.168.0.1",
        "dest_port" : "1",
        "dest_domain" : "xxx",
        "src_geo" : { "latitude" : 90, "longitude" : 180 },
        "dest_geo" : { "latitude" : 90, "longitude" : 180 }
      } ],
      "resource_list" : [ {
        "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "name" : "MyXXX",
        "type" : "MyXXX",
        "domain_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "region_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
        "ep_name" : "MyXXX",
        "tags" : "909494e3-558e-46b6-a9eb-07a8e18ca62f"
      } ],
      "remediation" : { "recommendation" : "MyXXX", "url" : "MyXXX" },
      "verification_state" : "Unknown",
      "handle_status" : "Open",
      "sla" : 60000,
      "update_time" : "2021-01-30T23:00:00Z+0800",
      "close_time" : "2021-01-30T23:00:00Z+0800",
      "ipdrr_phase" : "Preparation",
      "simulation" : "false",
      "actor" : "Tom",
      "owner" : "MyXXX",
      "creator" : "MyXXX",
      "close_reason" : "False positive",
      "close_comment" : "False positive; Resolved; Duplicate; Others",
      "malware" : { "malware_family" : "family", "malware_class" : "Malicious memory occupation." },
      "system_info" : { },
      "process" : [ {
        "process_name" : "MyXXX",
        "process_path" : "MyXXX",
        "process_pid" : 123,
        "process_uid" : 123,
        "process_cmdline" : "MyXXX"
      } ],
      "user_info" : [ { "user_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f", "user_name" : "MyXXX" } ],
      "file_info" : [ {
        "file_path" : "MyXXX",
        "file_content" : "MyXXX",
        "file_new_path" : "MyXXX",
        "file_hash" : "MyXXX",
        "file_md5" : "MyXXX",
        "file_sha256" : "MyXXX",
        "file_attr" : "MyXXX"
      } ],
      "system_alert_table" : { },
      "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
      "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca620"
    },
    "create_time" : "2021-01-30T23:00:00Z+0800",
    "update_time" : "2021-01-30T23:00:00Z+0800",
    "project_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "workspace_id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "id" : "MyXXX",
    "version" : 123,
    "format_version" : 123,
    "dataclass_ref" : { "id" : "909494e3-558e-46b6-a9eb-07a8e18ca62f", "name" : "MyXXX" }
  }
}
```
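The following is an added example, not part of the SecMaster documentation or SDK: it turns the constraints stated in the parameter tables above into pre-flight checks and assembles the POST request offline, so a malformed body is rejected locally instead of by the service. The endpoint host, token and sample values are constructed placeholders.

```python
"""Offline builder and pre-flight validator for the CreateAlert request on this page.

Added example, not from the Huawei Cloud SecMaster documentation or SDK. It encodes
the value constraints the parameter tables state and assembles the POST without
sending it; the endpoint host, token and sample values are constructed placeholders.
"""
import json
import re
from datetime import datetime, timedelta, timezone

SEVERITIES = {"Tips", "Low", "Medium", "High", "Fatal"}
VERIFICATION_STATES = {"Unknown", "True_Positive", "False_Positive"}
HANDLE_STATUSES = {"Open", "Block", "Closed"}
DIRECTIONS = {"IN", "OUT"}
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# YYYY-MM-DDTHH:mm:ss.ms+Time zone, the layout the *_time fields document.
TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4}$")
GMT8 = timezone(timedelta(hours=8))


def format_time(dt: datetime) -> str:
    """Render a datetime in the documented layout; naive values get the GMT+8 default."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=GMT8)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}" + dt.strftime("%z")


def _int_in(value, low, high) -> bool:
    return isinstance(value, int) and not isinstance(value, bool) and low <= value <= high


def validate_alert(alert: dict) -> list:
    """Return the constraint violations found in a data_object (empty list means OK)."""
    problems = []
    for key in ("id", "domain_id", "workspace_id"):
        if key in alert and not UUID_RE.match(str(alert[key])):
            problems.append(f"{key}: expected a UUID, got {alert[key]!r}")
    # The table lists Tips/Low/Medium/High/Fatal; the page's own example sends TIPS.
    if "severity" in alert and str(alert["severity"]).capitalize() not in SEVERITIES:
        problems.append(f"severity: {alert['severity']!r} not one of {sorted(SEVERITIES)}")
    for key in ("confidence", "criticality"):
        if key in alert and not _int_in(alert[key], 0, 100):
            problems.append(f"{key}: {alert[key]!r} is outside 0-100")
    if alert.get("verification_state", "Unknown") not in VERIFICATION_STATES:
        problems.append(f"verification_state: {alert['verification_state']!r} is invalid")
    if alert.get("handle_status", "Open") not in HANDLE_STATUSES:
        problems.append(f"handle_status: {alert['handle_status']!r} is invalid")
    for key in ("first_observed_time", "last_observed_time", "create_time",
                "arrive_time", "update_time", "close_time"):
        if key in alert and not TIME_RE.match(str(alert[key])):
            problems.append(f"{key}: {alert[key]!r} is not YYYY-MM-DDTHH:mm:ss.ms+zone")
    for i, net in enumerate(alert.get("network_list", [])):
        if net.get("direction") not in DIRECTIONS:
            problems.append(f"network_list[{i}].direction: must be IN or OUT")
        # src_port is documented as Integer and dest_port as String; both are 0-65535.
        for key in ("src_port", "dest_port"):
            port = str(net.get(key, "0"))
            if not port.isdigit() or int(port) > 65535:
                problems.append(f"network_list[{i}].{key}: {net.get(key)!r} is outside 0-65535")
    return problems


def build_create_alert_request(endpoint: str, project_id: str, workspace_id: str,
                               token: str, data_object: dict) -> dict:
    """Assemble the documented POST; refuse to build it if the body violates the tables."""
    problems = validate_alert(data_object)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "method": "POST",
        "url": f"{endpoint}/v1/{project_id}/workspaces/{workspace_id}/soc/alerts",
        "headers": {"X-Auth-Token": token, "content-type": "application/json"},
        "body": json.dumps({"data_object": data_object}, separators=(",", ":")),
    }


# Constructed sample data_object mirroring the example request on this page.
SAMPLE_ALERT = {
    "id": "909494e3-558e-46b6-a9eb-07a8e18ca62f",
    "title": "MyXXX",
    "severity": "Tips",
    "confidence": 4,
    "criticality": 4,
    "verification_state": "Unknown",
    "handle_status": "Open",
    "first_observed_time": format_time(datetime(2021, 1, 30, 23, 0, 0, tzinfo=GMT8)),
    "network_list": [{"direction": "IN", "protocol": "TCP", "src_ip": "192.168.0.1",
                      "src_port": 1, "dest_ip": "192.168.0.1", "dest_port": "1"}],
}

if __name__ == "__main__":
    req = build_create_alert_request("https://secmaster.example.invalid",
                                     "{project_id}", "{workspace_id}", "<token>", SAMPLE_ALERT)
    print(req["method"], req["url"])
    bad = dict(SAMPLE_ALERT, severity="Critical", confidence=250)
    for problem in validate_alert(bad):
        print("rejected:", problem)
```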
SDK Sample Code
The SDK sample code is as follows.
Create an alarm. Set Alarm Name to MyXXX, Tag to MyXXX, URL to http://xxx, Number of occurrences to 4, Confidence to 4, and Severity to tips.
```java
package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.secmaster.v2.region.SecMasterRegion;
import com.huaweicloud.sdk.secmaster.v2.*;
import com.huaweicloud.sdk.secmaster.v2.model.*;

import java.util.List;
import java.util.ArrayList;

public class CreateAlertSolution {

    public static void main(String[] args) {
        // Hard-coding the AK and SK, or storing them in plaintext, is a serious security risk.
        // Store them encrypted in configuration files or environment variables and decrypt them at use.
        // This example reads them from the CLOUD_SDK_AK and CLOUD_SDK_SK environment variables,
        // which must be set before it runs.
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        SecMasterClient client = SecMasterClient.newBuilder()
                .withCredential(auth)
                .withRegion(SecMasterRegion.valueOf("<YOUR REGION>"))
                .build();
        CreateAlertRequest request = new CreateAlertRequest();
        request.withWorkspaceId("{workspace_id}");
        CreateAlertRequestBody body = new CreateAlertRequestBody();
        List<AlertFileInfo> listDataObjectFileInfo = new ArrayList<>();
        listDataObjectFileInfo.add(
            new AlertFileInfo()
                .withFilePath("MyXXX")
                .withFileContent("MyXXX")
                .withFileNewPath("MyXXX")
                .withFileHash("MyXXX")
                .withFileMd5("MyXXX")
                .withFileSha256("MyXXX")
                .withFileAttr("MyXXX")
        );
        List<AlertUserInfo> listDataObjectUserInfo = new ArrayList<>();
        listDataObjectUserInfo.add(
            new AlertUserInfo()
                .withUserId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withUserName("MyXXX")
        );
        List<AlertProcess> listDataObjectProcess = new ArrayList<>();
        listDataObjectProcess.add(
            new AlertProcess()
                .withProcessName("MyXXX")
                .withProcessPath("MyXXX")
                .withProcessPid(123)
                .withProcessUid(123)
                .withProcessCmdline("MyXXX")
        );
        AlertMalware malwareDataObject = new AlertMalware();
        malwareDataObject.withMalwareFamily("family")
            .withMalwareClass("Malicious memory occupation.");
        AlertRemediation remediationDataObject = new AlertRemediation();
        remediationDataObject.withRecommendation("MyXXX")
            .withUrl("MyXXX");
        List<AlertResourceList> listDataObjectResourceList = new ArrayList<>();
        listDataObjectResourceList.add(
            new AlertResourceList()
                .withId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withName("MyXXX")
                .withType("MyXXX")
                .withRegionId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withDomainId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withProjectId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withEpId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
                .withEpName("MyXXX")
                .withTags("909494e3-558e-46b6-a9eb-07a8e18ca62f")
        );
        AlertDestGeo destGeoNetworkList = new AlertDestGeo();
        destGeoNetworkList.withLatitude(java.math.BigDecimal.valueOf(90))
            .withLongitude(java.math.BigDecimal.valueOf(180));
        AlertSrcGeo srcGeoNetworkList = new AlertSrcGeo();
        srcGeoNetworkList.withLatitude(java.math.BigDecimal.valueOf(90))
            .withLongitude(java.math.BigDecimal.valueOf(180));
        List<AlertNetworkList> listDataObjectNetworkList = new ArrayList<>();
        listDataObjectNetworkList.add(
            new AlertNetworkList()
                .withDirection(AlertNetworkList.DirectionEnum.fromValue("IN"))
                .withProtocol("TCP")
                .withSrcIp("192.168.0.1")
                .withSrcPort(1)
                .withSrcDomain("xxx")
                .withSrcGeo(srcGeoNetworkList)
                .withDestIp("192.168.0.1")
                .withDestPort("1")
                .withDestDomain("xxx")
                .withDestGeo(destGeoNetworkList)
        );
        AlertDataSource dataSourceDataObject = new AlertDataSource();
        dataSourceDataObject.withSourceType(3)
            .withDomainId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withProjectId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withRegionId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withProductName("test")
            .withProductFeature("test");
        AlertEnvironment environmentDataObject = new AlertEnvironment();
        environmentDataObject.withVendorType("MyXXX")
            .withDomainId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withRegionId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withProjectId("909494e3-558e-46b6-a9eb-07a8e18ca62f");
        Alert dataObjectbody = new Alert();
        dataObjectbody.withVersion("1.0")
            .withId("909494e3-558e-46b6-a9eb-07a8e18ca62f")
            .withWorkspaceId("909494e3-558e-46b6-a9eb-07a8e18ca620")
            .withLabels("MyXXX")
            .withEnvironment(environmentDataObject)
            .withDataSource(dataSourceDataObject)
            .withFirstObservedTime("2021-01-30T23:00:00Z+0800")
            .withLastObservedTime("2021-01-30T23:00:00Z+0800")
            .withCreateTime("2021-01-30T23:00:00Z+0800")
            .withArriveTime("2021-01-30T23:00:00Z+0800")
            .withTitle("MyXXX")
            .withDescription("This my XXXX")
            .withSourceUrl("http://xxx")
            .withCount(4)
            .withConfidence(4)
            .withSeverity(Alert.SeverityEnum.fromValue("TIPS"))
            .withCriticality(4)
            .withNetworkList(listDataObjectNetworkList)
            .withResourceList(listDataObjectResourceList)
            .withRemediation(remediationDataObject)
            .withVerificationState(Alert.VerificationStateEnum.fromValue("Unknown"))
            .withHandleStatus(Alert.HandleStatusEnum.fromValue("Open"))
            .withSla(60000)
            .withUpdateTime("2021-01-30T23:00:00Z+0800")
            .withCloseTime("2021-01-30T23:00:00Z+0800")
            .withIpdrrPhase(Alert.IpdrrPhaseEnum.fromValue("Preparation"))
            .withSimulation("false")
            .withActor("Tom")
            .withOwner("MyXXX")
            .withCreator("MyXXX")
            .withCloseReason(Alert.CloseReasonEnum.fromValue("False positive"))
            .withCloseComment("False positive; Resolved; Duplicate; Others")
            .withMalware(malwareDataObject)
            .withSystemInfo(new Object())
            .withProcess(listDataObjectProcess)
            .withUserInfo(listDataObjectUserInfo)
            .withFileInfo(listDataObjectFileInfo)
            .withSystemAlertTable(new Object());
        body.withDataObject(dataObjectbody);
        request.withBody(body);
        try {
            CreateAlertResponse response = client.createAlert(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}
```
Create an alarm. Set Alarm Name to MyXXX, Tag to MyXXX, URL to http://xxx, Number of occurrences to 4, Confidence to 4, and Severity to tips.

```python
# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdksecmaster.v2.region.secmaster_region import SecMasterRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdksecmaster.v2 import *

if __name__ == "__main__":
    # Hard-coding the AK and SK, or storing them in plaintext, is a serious security risk. Store them
    # encrypted in a configuration file or in environment variables and decrypt them only at run time.
    # This example reads the AK and SK from the environment variables CLOUD_SDK_AK and CLOUD_SDK_SK,
    # which must be set before it is run.
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = SecMasterClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(SecMasterRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = CreateAlertRequest()
        request.workspace_id = "{workspace_id}"

        # Files involved in the alert
        listFileInfoDataObject = [
            AlertFileInfo(
                file_path="MyXXX",
                file_content="MyXXX",
                file_new_path="MyXXX",
                file_hash="MyXXX",
                file_md5="MyXXX",
                file_sha256="MyXXX",
                file_attr="MyXXX"
            )
        ]
        # Users involved in the alert
        listUserInfoDataObject = [
            AlertUserInfo(
                user_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                user_name="MyXXX"
            )
        ]
        # Processes involved in the alert
        listProcessDataObject = [
            AlertProcess(
                process_name="MyXXX",
                process_path="MyXXX",
                process_pid=123,
                process_uid=123,
                process_cmdline="MyXXX"
            )
        ]
        malwareDataObject = AlertMalware(
            malware_family="family",
            malware_class="Malicious memory occupation."
        )
        remediationDataObject = AlertRemediation(
            recommendation="MyXXX",
            url="MyXXX"
        )
        # Cloud resources affected by the alert
        listResourceListDataObject = [
            AlertResourceList(
                id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                name="MyXXX",
                type="MyXXX",
                region_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                domain_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                project_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                ep_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
                ep_name="MyXXX",
                tags="909494e3-558e-46b6-a9eb-07a8e18ca62f"
            )
        ]
        # Geolocation of the source and destination of the network connection
        destGeoNetworkList = AlertDestGeo(
            latitude=90,
            longitude=180
        )
        srcGeoNetworkList = AlertSrcGeo(
            latitude=90,
            longitude=180
        )
        # Network connections involved in the alert. The direction field is left unset here;
        # set it to one of the documented direction values when the data source provides it.
        listNetworkListDataObject = [
            AlertNetworkList(
                protocol="TCP",
                src_ip="192.168.0.1",
                src_port=1,
                src_domain="xxx",
                src_geo=srcGeoNetworkList,
                dest_ip="192.168.0.1",
                dest_port="1",
                dest_domain="xxx",
                dest_geo=destGeoNetworkList
            )
        ]
        # Source that first reported the data
        dataSourceDataObject = AlertDataSource(
            source_type=3,
            domain_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            project_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            region_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            product_name="test",
            product_feature="test"
        )
        # Environment where the alert was generated
        environmentDataObject = AlertEnvironment(
            vendor_type="MyXXX",
            domain_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            region_id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            project_id="909494e3-558e-46b6-a9eb-07a8e18ca62f"
        )
        # The alert entity. Enum fields take exactly one of their listed values:
        # verification_state: Unknown | True_Positive | False_Positive (default Unknown)
        # handle_status:      Open | Block | Closed (default Open)
        # ipdrr_phase:        Prepartion | Detection and Analysis | Containm,Eradication& Recovery | Post-Incident-Activity
        # close_reason:       False positive | Resolved | Duplicate | Others
        dataObjectbody = Alert(
            version="1.0",
            id="909494e3-558e-46b6-a9eb-07a8e18ca62f",
            workspace_id="909494e3-558e-46b6-a9eb-07a8e18ca620",
            labels="MyXXX",
            environment=environmentDataObject,
            data_source=dataSourceDataObject,
            first_observed_time="2021-01-30T23:00:00Z+0800",
            last_observed_time="2021-01-30T23:00:00Z+0800",
            create_time="2021-01-30T23:00:00Z+0800",
            arrive_time="2021-01-30T23:00:00Z+0800",
            title="MyXXX",
            description="This my XXXX",
            source_url="http://xxx",
            count=4,
            confidence=4,
            severity="TIPS",
            criticality=4,
            network_list=listNetworkListDataObject,
            resource_list=listResourceListDataObject,
            remediation=remediationDataObject,
            verification_state="Unknown",
            handle_status="Open",
            sla=60000,
            update_time="2021-01-30T23:00:00Z+0800",
            close_time="2021-01-30T23:00:00Z+0800",
            ipdrr_phase="Detection and Analysis",
            simulation="false",
            actor="Tom",
            owner="MyXXX",
            creator="MyXXX",
            close_reason="False positive",
            close_comment="False positive; Resolved; Duplicate; Others",
            malware=malwareDataObject,
            system_info={},
            process=listProcessDataObject,
            user_info=listUserInfoDataObject,
            file_info=listFileInfoDataObject,
            system_alert_table={}
        )
        request.body = CreateAlertRequestBody(
            data_object=dataObjectbody
        )
        response = client.create_alert(request)
        print(response)
    except exceptions.ClientRequestException as e:
        # The service rejected the request: log the status, request ID and error code for troubleshooting.
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)
```
Create an alarm. Set Alarm Name to MyXXX, Tag to MyXXX, URL to http://xxx, Number of occurrences to 4, Confidence to 4, and Severity to tips.

```go
package main

import (
    "fmt"
    "os"

    "github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    secmaster "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2"
    "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/secmaster/v2/region"
)

func main() {
    // Hard-coding the AK and SK, or storing them in plaintext, is a serious security risk. Store them
    // encrypted in a configuration file or in environment variables and decrypt them only at run time.
    // This example reads the AK and SK from the environment variables CLOUD_SDK_AK and CLOUD_SDK_SK,
    // which must be set before it is run.
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        Build()

    client := secmaster.NewSecMasterClient(
        secmaster.SecMasterClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.CreateAlertRequest{}
    request.WorkspaceId = "{workspace_id}"

    // Files involved in the alert
    filePathFileInfo := "MyXXX"
    fileContentFileInfo := "MyXXX"
    fileNewPathFileInfo := "MyXXX"
    fileHashFileInfo := "MyXXX"
    fileMd5FileInfo := "MyXXX"
    fileSha256FileInfo := "MyXXX"
    fileAttrFileInfo := "MyXXX"
    var listFileInfoDataObject = []model.AlertFileInfo{
        {
            FilePath:    &filePathFileInfo,
            FileContent: &fileContentFileInfo,
            FileNewPath: &fileNewPathFileInfo,
            FileHash:    &fileHashFileInfo,
            FileMd5:     &fileMd5FileInfo,
            FileSha256:  &fileSha256FileInfo,
            FileAttr:    &fileAttrFileInfo,
        },
    }

    // Users involved in the alert
    userIdUserInfo := "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    userNameUserInfo := "MyXXX"
    var listUserInfoDataObject = []model.AlertUserInfo{
        {
            UserId:   &userIdUserInfo,
            UserName: &userNameUserInfo,
        },
    }

    // Processes involved in the alert
    processNameProcess := "MyXXX"
    processPathProcess := "MyXXX"
    processPidProcess := int32(123)
    processUidProcess := int32(123)
    processCmdlineProcess := "MyXXX"
    var listProcessDataObject = []model.AlertProcess{
        {
            ProcessName:    &processNameProcess,
            ProcessPath:    &processPathProcess,
            ProcessPid:     &processPidProcess,
            ProcessUid:     &processUidProcess,
            ProcessCmdline: &processCmdlineProcess,
        },
    }

    malwareFamilyMalware := "family"
    malwareClassMalware := "Malicious memory occupation."
    malwareDataObject := &model.AlertMalware{
        MalwareFamily: &malwareFamilyMalware,
        MalwareClass:  &malwareClassMalware,
    }

    recommendationRemediation := "MyXXX"
    urlRemediation := "MyXXX"
    remediationDataObject := &model.AlertRemediation{
        Recommendation: &recommendationRemediation,
        Url:            &urlRemediation,
    }

    // Cloud resources affected by the alert
    idResourceList := "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    nameResourceList := "MyXXX"
    typeResourceList := "MyXXX"
    regionIdResourceList := "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    domainIdResourceList := "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    projectIdResourceList := "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    epIdResourceList := "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    epNameResourceList := "MyXXX"
    tagsResourceList := "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    var listResourceListDataObject = []model.AlertResourceList{
        {
            Id:        &idResourceList,
            Name:      &nameResourceList,
            Type:      &typeResourceList,
            RegionId:  &regionIdResourceList,
            DomainId:  &domainIdResourceList,
            ProjectId: &projectIdResourceList,
            EpId:      &epIdResourceList,
            EpName:    &epNameResourceList,
            Tags:      &tagsResourceList,
        },
    }

    // Geolocation of the source and destination of the network connection
    latitudeDestGeo := float32(90)
    longitudeDestGeo := float32(180)
    destGeoNetworkList := &model.AlertDestGeo{
        Latitude:  &latitudeDestGeo,
        Longitude: &longitudeDestGeo,
    }
    latitudeSrcGeo := float32(90)
    longitudeSrcGeo := float32(180)
    srcGeoNetworkList := &model.AlertSrcGeo{
        Latitude:  &latitudeSrcGeo,
        Longitude: &longitudeSrcGeo,
    }

    // Network connections involved in the alert. The Direction field is left unset here;
    // set it from model.GetAlertNetworkListDirectionEnum() when the data source provides it.
    protocolNetworkList := "TCP"
    srcIpNetworkList := "192.168.0.1"
    srcPortNetworkList := int32(1)
    srcDomainNetworkList := "xxx"
    destIpNetworkList := "192.168.0.1"
    destPortNetworkList := "1"
    destDomainNetworkList := "xxx"
    var listNetworkListDataObject = []model.AlertNetworkList{
        {
            Protocol:   &protocolNetworkList,
            SrcIp:      &srcIpNetworkList,
            SrcPort:    &srcPortNetworkList,
            SrcDomain:  &srcDomainNetworkList,
            SrcGeo:     srcGeoNetworkList,
            DestIp:     &destIpNetworkList,
            DestPort:   &destPortNetworkList,
            DestDomain: &destDomainNetworkList,
            DestGeo:    destGeoNetworkList,
        },
    }

    // Source that first reported the data
    sourceTypeDataSource := int32(3)
    domainIdDataSource := "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    projectIdDataSource := "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    regionIdDataSource := "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    productNameDataSource := "test"
    productFeatureDataSource := "test"
    dataSourceDataObject := &model.AlertDataSource{
        SourceType:     &sourceTypeDataSource,
        DomainId:       &domainIdDataSource,
        ProjectId:      &projectIdDataSource,
        RegionId:       &regionIdDataSource,
        ProductName:    &productNameDataSource,
        ProductFeature: &productFeatureDataSource,
    }

    // Environment where the alert was generated
    vendorTypeEnvironment := "MyXXX"
    domainIdEnvironment := "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    regionIdEnvironment := "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    projectIdEnvironment := "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    environmentDataObject := &model.AlertEnvironment{
        VendorType: &vendorTypeEnvironment,
        DomainId:   &domainIdEnvironment,
        RegionId:   &regionIdEnvironment,
        ProjectId:  &projectIdEnvironment,
    }

    // The alert entity. Each enum field takes exactly one constant from its enum getter:
    // verification_state: Unknown | True_Positive | False_Positive (default Unknown)
    // handle_status:      Open | Block | Closed (default Open)
    // ipdrr_phase:        Prepartion | Detection and Analysis | Containm,Eradication& Recovery | Post-Incident-Activity
    // close_reason:       False positive | Resolved | Duplicate | Others
    versionDataObject := "1.0"
    idDataObject := "909494e3-558e-46b6-a9eb-07a8e18ca62f"
    workspaceIdDataObject := "909494e3-558e-46b6-a9eb-07a8e18ca620"
    labelsDataObject := "MyXXX"
    firstObservedTimeDataObject := "2021-01-30T23:00:00Z+0800"
    lastObservedTimeDataObject := "2021-01-30T23:00:00Z+0800"
    createTimeDataObject := "2021-01-30T23:00:00Z+0800"
    arriveTimeDataObject := "2021-01-30T23:00:00Z+0800"
    titleDataObject := "MyXXX"
    descriptionDataObject := "This my XXXX"
    sourceUrlDataObject := "http://xxx"
    countDataObject := int32(4)
    confidenceDataObject := int32(4)
    severityDataObject := model.GetAlertSeverityEnum().TIPS
    criticalityDataObject := int32(4)
    verificationStateDataObject := model.GetAlertVerificationStateEnum().UNKNOWN
    handleStatusDataObject := model.GetAlertHandleStatusEnum().OPEN
    slaDataObject := int32(60000)
    updateTimeDataObject := "2021-01-30T23:00:00Z+0800"
    closeTimeDataObject := "2021-01-30T23:00:00Z+0800"
    ipdrrPhaseDataObject := model.GetAlertIpdrrPhaseEnum().DETECTION_AND_ANALYSIS
    simulationDataObject := "false"
    actorDataObject := "Tom"
    ownerDataObject := "MyXXX"
    creatorDataObject := "MyXXX"
    closeReasonDataObject := model.GetAlertCloseReasonEnum().FALSE_POSITIVE
    closeCommentDataObject := "False positive; Resolved; Duplicate; Others"
    var systemInfoDataObject interface{} = make(map[string]string)
    var systemAlertTableDataObject interface{} = make(map[string]string)
    dataObjectbody := &model.Alert{
        Version:           &versionDataObject,
        Id:                &idDataObject,
        WorkspaceId:       &workspaceIdDataObject,
        Labels:            &labelsDataObject,
        Environment:       environmentDataObject,
        DataSource:        dataSourceDataObject,
        FirstObservedTime: &firstObservedTimeDataObject,
        LastObservedTime:  &lastObservedTimeDataObject,
        CreateTime:        &createTimeDataObject,
        ArriveTime:        &arriveTimeDataObject,
        Title:             &titleDataObject,
        Description:       &descriptionDataObject,
        SourceUrl:         &sourceUrlDataObject,
        Count:             &countDataObject,
        Confidence:        &confidenceDataObject,
        Severity:          &severityDataObject,
        Criticality:       &criticalityDataObject,
        NetworkList:       &listNetworkListDataObject,
        ResourceList:      &listResourceListDataObject,
        Remediation:       remediationDataObject,
        VerificationState: &verificationStateDataObject,
        HandleStatus:      &handleStatusDataObject,
        Sla:               &slaDataObject,
        UpdateTime:        &updateTimeDataObject,
        CloseTime:         &closeTimeDataObject,
        IpdrrPhase:        &ipdrrPhaseDataObject,
        Simulation:        &simulationDataObject,
        Actor:             &actorDataObject,
        Owner:             &ownerDataObject,
        Creator:           &creatorDataObject,
        CloseReason:       &closeReasonDataObject,
        CloseComment:      &closeCommentDataObject,
        Malware:           malwareDataObject,
        SystemInfo:        &systemInfoDataObject,
        Process:           &listProcessDataObject,
        UserInfo:          &listUserInfoDataObject,
        FileInfo:          &listFileInfoDataObject,
        SystemAlertTable:  &systemAlertTableDataObject,
    }
    request.Body = &model.CreateAlertRequestBody{
        DataObject: dataObjectbody,
    }

    response, err := client.CreateAlert(request)
    if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}
```
For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.
Status Codes
Status Code | Description
---|---
200 | Response body of the request for creating alerts.
400 | Response body of the request for creating alerts.
Error Codes
See Error Codes.