CloudSIEM组件主要提供告警处理及成员账号管理功能。
功能描述
动作 | 描述 | 使用场景 |
创建告警。 | 给用户告警通道写入告警数据,配合剧本类检测使用。 | |
根据事件ID查询告警。 | 获取事件的告警列表。 | |
查询成员账号信息。 | 获取多账号管理场景下,管理账号或委派管理员账号管控的成员账号。 | |
组件配置示例
本文提供了CloudSIEM组件各动作的参数配置示例,您可将其作为测试剧本导入。通过可视化流程编辑器,能更直观地了解和测试各动作的配置参数,轻松掌握组件的功能逻辑与使用方式。操作步骤可参考剧本导入。
请先将示例数据保存为JSON文件。
createAlert
给用户告警通道写入告警数据。
参数说明
参数 | 描述 |
start_time | 开始时间戳,单位秒,也用于表示事件发生的时间。示例值:1715258000。 |
end_time | 结束时间戳,单位秒。示例值:1715258321。 |
user_id | 阿里云日志所属账号ID。示例值:127XXXXXX。 |
cloud_code | 云code,枚举值:alibaba_cloud、huawei_cloud、tencent_cloud。示例值:alibaba_cloud。 |
product_code | 产品code,示例值:waf。 |
cloud_user_id | 其他云的云账号ID:若为阿里云账号,则同aliuid;若为其他云账号,则为绑定的账号ID。示例值:127XXXXXX。 |
extend_content | 扩展字段内容,示例值:{"a":"111","b":"222"}。 |
relate_alert_uuids | 关联告警的uuid,示例值:1001。 |
describeAlertsByIncidentUuid
根据事件ID获取事件的告警列表。
参数说明
参数 | 描述 |
incidentUuid | 事件uuid。说明:您可通过DescribeCloudSiemEvents接口获取事件uuid。 |
incidentAccount | 事件所属的账号ID,默认为登录态的账号ID。 |
输出示例
{
"AlertDescEn": "The IP address that is used to log on to the server is not within the IP addresses that you specify. We recommend that you check whether the logon is valid.",
"AttCk": [],
"EndTime": "2025-05-07T02:32:55.000+00:00",
"AlertTypeEn": "Unusual Logon",
"LogTime": "2025-05-07T02:32:55.000+00:00",
"GmtModified": "2025-05-08T04:01:47.000+00:00",
"AlertTypeCode": "security_event_config.event_name.unusuallogon",
"SubUserId": 123,
"IsDefend": "0",
"AlertType": "异常登录",
"AlertInfoList": [
{
"KeyName": "${aliyun.siem.alert.host}",
"Values": "ed9aede1-9acd-****-****-16c54d441213",
"Key": "${aliyun.siem.alert.host}"
},
{
"KeyName": "${aliyun.siem.alert.status}",
"Values": "0",
"Key": "${aliyun.siem.alert.status}"
}
],
"AlertTitle": "异常登录-ECS非常用IP登录",
"AlertDetail": {
"gmtModified": "2025-05-07 10:32:50",
"intra_ip": "192.***.***.51",
"proc_path": "N/A",
"pid": "N/A",
"type": "login_common_ip",
"product_code": "sas",
"uuid": "ed9aede1-9acd-****-****-16c54d441213",
"host_uuid": "ed9aede1-9acd-****-****-16c54d441213",
"loginUser": "administrator",
"protocol": 1,
"os_info": "windows",
"protocolName": "RDP",
"inter_ip": "118.***.***.158",
"cloud_code": "aliyun",
"cloud_user_id": "1766****4675",
"sub_user_id": "1766****4675",
"id": 123,
"assetInfo": "{\"aliUid\":1766****4675,\"bid\":\"233\",\"clientStatus\":\"online\",\"eip\":\"\",\"flag\":0,\"groupId\":91,\"groupName\":\"default\",\"internetIp\":\"118.***.***.158\",\"intranetIp\":\"192.***.0.51\",\"machineInstanceId\":\"i-bp13h2hjh****1pyxngn\",\"machineIp\":\"118.***.***.158\",\"machineName\":\"win11-enterprise-lenovo-manage-x64-zh\",\"machineRegion\":\"cn-hangzhou-dg-a01\",\"machineType\":0,\"os\":\"windows\",\"regionId\":\"cn-hangzhou\",\"status\":\"Running\",\"tag\":\"InternetIp\",\"uuid\":\"ed9aede1-9acd-****-****-16c54d441213\",\"vpcInstanceId\":\"vpc-bp1ih********2hyq8m5\"}",
"cmdLine": "N/A",
"loginSourceIp": "221.***.***.122",
"os": "windows",
"loginTimes": 1,
"gmtCreate": "2025-05-07 10:32:50",
"loginDestinationPort": 3329,
"clientIp": "192.***.***.51",
"location": "西安市",
"aliUid": 123,
"host_name": "win11-enterprise-lenovo-manage-x64-zh",
"status": 0,
"siem_vpc_instance_id": "vpc-bp1ihs*****ihq2hyq8m5"
},
"AlertTitleEn": "Unusual Logon-Login with unusual IP",
"AlertLevel": "suspicious",
"AssetList": [
{
"entity_user_id": "1766****4675",
"asset_name": "win11-enterprise-lenovo-manage-x64-zh",
"os_type": "windows",
"cloud_code": "alibaba_cloud",
"asset_type": "host",
"asset_id": "win11-enterprise-lenovo-manage-x64-zh",
"product_code": "sas",
"host_uuid": "ed9aede1-9acd-****-****-16c54d441213",
"host_name": "win11-enterprise-lenovo-manage-x64-zh"
}
],
"AlertNameCode": "security_event_config.event_name.ilp",
"AlertUuid": "sas_7c316ebfa92e79b*****9d62d25c0",
"MainUserId": 12,
"CloudCode": "aliyun",
"AlertName": "ECS非常用IP登录",
"AlertSrcProd": "云安全中心",
"AlertSrcProdModule": "aegis_login_log",
"AlertDescCode": "security_event_config.yd.lcid",
"StartTime": "2025-05-07T02:32:55.000+00:00",
"LogUuid": "sas_3c042c0*****81a7144107",
"EntityList": [
{
"entity_user_id": "1766****4675",
"entity_uuid": "909315f7c595*******b436e65f2d4",
"entity_type": "host",
"entity_name": "win11-enterprise-lenovo-manage-x64-zh",
"os_type": "windows",
"cloud_code": "alibaba_cloud",
"is_asset": "1",
"entity_id": "win11-enterprise-lenovo-manage-x64-zh",
"product_code": "sas",
"host_uuid": "ed9aede1-9acd-****-****-16c54d441213",
"host_name": "win11-enterprise-lenovo-manage-x64-zh"
},
{
"entity_user_id": "1766****4675",
"entity_uuid": "14447f89554d7bb****e389328",
"entity_type": "host_account",
"entity_name": "administrator",
"cloud_code": "alibaba_cloud",
"is_asset": "0",
"entity_id": "administrator",
"product_code": "sas",
"host_uuid": {
"entity_user_id": "17****4675",
"entity_uuid": "90931****5fef0b436e65f2d4",
"entity_type": "host",
"entity_name": "win11-enterprise-lenovo-manage-x64-zh",
"os_type": "windows",
"cloud_code": "alibaba_cloud",
"is_asset": "1",
"entity_id": "win11-enterprise-lenovo-manage-x64-zh",
"product_code": "sas",
"host_uuid": "ed9aede1-9acd-****-****-16c54d441213",
"host_name": "win11-enterprise-lenovo-manage-x64-zh"
},
"username": "administrator"
},
{
"is_private": "0",
"entity_name": "221.**.17.122",
"ip": "221.**.17.122",
"is_asset": "0",
"entity_id": "221.**.17.122",
"product_code": "sas",
"entity_user_id": "176****4104675",
"op_code": "6",
"entity_uuid": "d41d8cd98f00b****800998ecf8427e",
"entity_type": "ip",
"ip_version": "v4",
"cloud_code": "alibaba_cloud",
"net_connectDir": "in",
"aliuid": "1766****4675",
"op_level": "1",
"malware_type": "${aliyun.siem.sas.alert_tag.login_unusual_ip}"
}
],
"SubUserName": "user1",
"OccurTime": "2025-05-07T02:32:55.000+00:00",
"AlertDesc": "本次登录的IP非您定义的合法IP范畴,请您确认登录行为合法性。",
"GmtCreate": "2025-05-08T04:01:47.000+00:00",
"AlertNameEn": "Login with unusual IP",
"Id": 123,
"IncidentUuid": "355955f705b34*****4232a"
}
describeSubUserInfo
获取多账号管理场景下,管理账号或委派管理员账号管控的成员账号。
参数说明
参数 | 描述 |
input | 无实际含义,可不传入。 |
输出示例
[
{
"SubUserId": "12"
},
{
"SubUserId": "23"
}
]