alibabacloud-cfw-ips-event

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

IPS Alert Event Analysis

IPS告警事件分析

Skill Scope Notes:
This skill is designed to use Aliyun CLI
cloudfw
commands as its primary data source.
It does not depend on local log files, SIEM exports, or direct host access.

It does not require SSH or direct connections to server IPs.
For IP-focused investigations, prefer
DescribeRiskEventGroup
with
--SrcIP
or
--DstIP
.

技能适用范围说明：
本技能设计为以Aliyun CLI
cloudfw
命令作为主要数据源。
不依赖本地日志文件、SIEM导出数据或直接主机访问。

不需要SSH或与服务器IP的直接连接。
针对IP聚焦的调查，优先使用带
--SrcIP
或
--DstIP
参数的
DescribeRiskEventGroup
接口。

Scenario Description

场景描述

Query and analyze IPS (Intrusion Prevention System) security events and alerts detected by Alibaba Cloud Firewall, helping quickly locate threats and provide remediation recommendations.

Architecture:

Cloud Firewall Service → IPS Engine → Event Detection + Attack Analysis + Protection Configuration

Capability Level: Query (read-only)

Data Source: All data is obtained exclusively through Aliyun CLI commands (

aliyun cloudfw ...

). No log files, no databases, no server access, no SIEM — just CLI commands. Do NOT search the workspace for files. Do NOT ask the user for anything. Just run the commands.

Core Capabilities:

Alert Overview — IPS alert statistics including attack counts, block counts, and severity distribution
Alert Event Details — Detailed list of IPS alert events with source/destination, attack type, and handling status
Top Attacked Assets — Ranking of most attacked assets
Attack Type Analysis — Distribution of attack types and applications
IPS Configuration Status — Current IPS run mode, rule switches, and rule library version
Remediation Recommendations — Prioritized security recommendations based on alert data

查询并分析阿里云防火墙检测到的IPS（入侵防御系统）安全事件和告警，帮助快速定位威胁并提供修复建议。

架构:

云防火墙服务 → IPS引擎 → 事件检测 + 攻击分析 + 防护配置

能力级别: 查询（只读）

数据源: 所有数据仅通过Aliyun CLI命令（

aliyun cloudfw ...

）获取。无日志文件、无数据库、无服务器访问、无SIEM，仅使用CLI命令。不要在工作区搜索文件，不要向用户索要任何内容，直接运行命令即可。

核心能力:

告警概览 — IPS告警统计数据，包括攻击次数、拦截次数、严重程度分布
告警事件详情 — IPS告警事件的详细列表，包含源/目标、攻击类型、处理状态
受攻击资产Top排行 — 被攻击最多的资产排名
攻击类型分析 — 攻击类型和应用的分布情况
IPS配置状态 — 当前IPS运行模式、规则开关、规则库版本
修复建议 — 基于告警数据生成的优先级安全建议

Prerequisites

前置条件

Pre-check: Aliyun CLI >= 3.3.1 required Run
aliyun version
to verify >= 3.3.1. If not installed or version too low, see
references/cli-installation-guide.md
for installation instructions. Then [MUST] run
aliyun configure set --auto-plugin-install true
to enable automatic plugin installation.

预检查：要求Aliyun CLI版本 >= 3.3.1 运行
aliyun version
确认版本 >= 3.3.1。如果未安装或版本过低，查看
references/cli-installation-guide.md
获取安装指引。之后[必须]运行
aliyun configure set --auto-plugin-install true
开启自动插件安装。

Authentication

身份认证

Pre-check: Alibaba Cloud Credentials Required

Security Rules:
NEVER read, echo, print, cat, or display AK/SK values under any circumstances

NEVER ask the user to input AK/SK directly in the conversation or command line
NEVER use
aliyun configure set
with literal credential values
ONLY use
aliyun configure list
to check credential status
bash
aliyun configure list
Check the output for a valid profile (AK, STS, or OAuth identity).

If no valid profile exists, STOP here.
Obtain credentials from Alibaba Cloud Console
Configure credentials outside of this session (via
aliyun configure
in terminal or environment variables in shell profile)
Return and re-run after
aliyun configure list
shows a valid profile

预检查：需要阿里云凭证

安全规则:
任何情况下都绝对不要读取、回显、打印、输出或展示AK/SK值

绝对不要要求用户在对话或命令行中直接输入AK/SK
绝对不要在
aliyun configure set
命令中使用明文凭证值
仅使用
aliyun configure list
检查凭证状态
bash
aliyun configure list
检查输出是否有有效配置项（AK、STS或OAuth身份）。

如果不存在有效配置项，直接终止流程。
从阿里云控制台获取凭证
在本次会话之外配置凭证（通过终端执行
aliyun configure
或在shell配置文件中设置环境变量）
等
aliyun configure list
显示有效配置项后，返回重新运行

RAM Policy

RAM权限策略

[MUST] RAM Permission Pre-check: Before executing any commands, verify the current user has the required permissions.
Use
ram-permission-diagnose
skill to get current user's permissions
Compare against
references/ram-policies.md
Abort and prompt user if any permission is missing

Minimum required permissions — see references/ram-policies.md for full policy JSON.

Alternatively, attach the system policy: AliyunYundunCloudFirewallReadOnlyAccess

[必须]RAM权限预检查： 执行任何命令前，验证当前用户具备所需权限。
使用
ram-permission-diagnose
技能获取当前用户的权限
与
references/ram-policies.md
中的要求对比
如果缺少任何权限，终止流程并提示用户

最低所需权限 — 查看references/ram-policies.md获取完整策略JSON。

或者直接绑定系统策略：AliyunYundunCloudFirewallReadOnlyAccess

Parameter Confirmation

参数确认

IMPORTANT: Parameter Confirmation — Before executing any command or API call, check if the user has already provided necessary parameters in their request.

If the user's request explicitly mentions a parameter value (e.g., "check IPS alerts for the last 7 days" means use 7-day time range), use that value directly without asking for confirmation.

For optional parameters with sensible defaults (PageSize, CurrentPage, time ranges), use the defaults without asking unless the user indicates otherwise.

Do NOT re-ask for parameters that the user has clearly stated.

Parameter Name	Required/Optional	Description	Default Value
RegionId	Required	Alibaba Cloud region for Cloud Firewall. Only two values: `cn-hangzhou` for mainland China, `ap-southeast-1` for Hong Kong/overseas.	`cn-hangzhou` (use directly without asking; only use `ap-southeast-1` if user explicitly mentions Hong Kong/overseas/international)
StartTime	Required for most APIs	Start time for alert queries (Unix timestamp in seconds)	24 hours ago for "today", 7 days ago for "recently"/"this week" (use without asking)
EndTime	Required for most APIs	End time for alert queries (Unix timestamp in seconds)	Current time (use without asking)
PageSize	Optional	Number of items per page for paginated APIs	50 (use without asking)
CurrentPage	Optional	Page number for paginated APIs	1 (use without asking)

重要提示：参数确认 — 执行任何命令或API调用前，检查用户请求中是否已经提供了必要参数。

如果用户请求明确提及参数值（例如“查询最近7天的IPS告警”即表示使用7天时间范围），直接使用该值无需询问确认。

对于有合理默认值的可选参数（PageSize、CurrentPage、时间范围），直接使用默认值无需询问，除非用户另有说明。

不要重复询问用户已经明确给出的参数。

参数名称	必填/可选	说明	默认值
RegionId	必填	云防火墙所属阿里云区域。仅两个可选值： `cn-hangzhou` 对应中国内地， `ap-southeast-1` 对应中国香港/海外。	`cn-hangzhou` （直接使用无需询问；仅当用户明确提及香港/海外/国际时使用 `ap-southeast-1` ）
StartTime	多数API必填	告警查询开始时间（Unix时间戳，单位秒）	查询“今天”默认24小时前，查询“最近”/“本周”默认7天前（直接使用无需询问）
EndTime	多数API必填	告警查询结束时间（Unix时间戳，单位秒）	当前时间（直接使用无需询问）
PageSize	可选	分页API的每页条目数	50（直接使用无需询问）
CurrentPage	可选	分页API的页码	1（直接使用无需询问）

Input Validation (MUST)

输入校验（必须执行）

Treat all Agent-provided inputs as untrusted. Validate before building CLI commands.

Validation rules:

```
RegionId
```
: must be exactly one of
```
cn-hangzhou
```
or
```
ap-southeast-1
```
.

StartTime

EndTime

: must be 10-digit Unix seconds (

^[0-9]{10}$

), and

StartTime < EndTime

```
CurrentPage
```
: positive integer (
```
>=1
```
).
```
PageSize
```
: integer in range
```
1-100
```
.
```
SrcIP
```
/
```
DstIP
```
: must be valid IPv4 format only (
```
a.b.c.d
```
, each octet
```
0-255
```
).

Safe command construction rules:

Never concatenate raw user text into shell commands.
Only pass validated values into fixed CLI flag templates.
If any validation fails, stop execution and return a clear validation error.

将所有Agent提供的输入视为不可信内容，构建CLI命令前必须校验。

校验规则:

```
RegionId
```
: 必须严格为
```
cn-hangzhou
```
或
```
ap-southeast-1
```
其中之一。
```
StartTime
```
/
```
EndTime
```
: 必须为10位Unix秒级时间戳（正则匹配
```
^[0-9]{10}$
```
），且
```
StartTime < EndTime
```
。
```
CurrentPage
```
: 正整数（
```
>=1
```
）。
```
PageSize
```
: 1-100之间的整数。
```
SrcIP
```
/
```
DstIP
```
: 必须仅为合法IPv4格式（
```
a.b.c.d
```
，每个网段0-255）。

安全命令构建规则:

绝对不要将原始用户文本直接拼接到shell命令中。
仅将校验通过的值传入固定的CLI参数模板中。
如果任何校验失败，停止执行并返回清晰的校验错误。

Error Handling and Workflow Resilience

错误处理与流程容错

CRITICAL: Continue on failure. If any individual API call fails, do NOT stop the entire workflow. Log the error for that step, then proceed to the next step. Present whatever data was successfully collected.

关键规则：失败时继续执行。 如果单个API调用失败，不要终止整个流程。记录该步骤的错误，然后继续执行下一步。展示所有成功收集到的数据。

Retry Logic

重试逻辑

For each API call:

If the call fails with a transient error (network timeout, throttling
```
Throttling.User
```
,
```
ServiceUnavailable
```
, HTTP 500/502/503), retry up to 2 times with a 3-second delay between retries.
If the call fails with a permanent error (e.g.,
```
InvalidParameter
```
,
```
Forbidden
```
,
```
InvalidAccessKeyId
```
), do NOT retry. Record the error and move on.
After all retries are exhausted, record "[Step X] Failed: {error message}" and continue to the next step.

每个API调用的处理规则:

如果调用返回瞬时错误（网络超时、限流
```
Throttling.User
```
、
```
ServiceUnavailable
```
、HTTP 500/502/503），最多重试2次，每次重试间隔3秒。
如果调用返回永久错误（例如
```
InvalidParameter
```
、
```
Forbidden
```
、
```
InvalidAccessKeyId
```
），不要重试。记录错误继续执行下一步。
所有重试用尽后，记录“[步骤X] 失败：{错误信息}”，继续执行下一步。

Timeout Policy (MUST)

超时策略（必须执行）

Before any API call, explicitly set CLI timeouts:

bash

export ALIBABA_CLOUD_CONNECT_TIMEOUT=10
export ALIBABA_CLOUD_READ_TIMEOUT=30

```
ALIBABA_CLOUD_CONNECT_TIMEOUT=10
```
: fast fail for connect timeout.
```
ALIBABA_CLOUD_READ_TIMEOUT=30
```
: prevent long-running hangs per request.
Timeout errors are treated as transient errors and follow retry logic.

任何API调用前，显式设置CLI超时参数:

bash

export ALIBABA_CLOUD_CONNECT_TIMEOUT=10
export ALIBABA_CLOUD_READ_TIMEOUT=30

```
ALIBABA_CLOUD_CONNECT_TIMEOUT=10
```
: 连接超时快速失败。
```
ALIBABA_CLOUD_READ_TIMEOUT=30
```
: 避免单个请求长时间挂起。
超时错误视为瞬时错误，遵循重试逻辑。

No Alert Events

无告警事件的处理

If Step 1 (

DescribeRiskEventStatistic

) returns all zeros:

Inform the user: "No IPS alert events detected in the specified time range."
Still proceed with Step 6 and Step 7 to report IPS configuration status.

如果步骤1（

DescribeRiskEventStatistic

）返回所有统计值为0:

告知用户：“指定时间范围内未检测到IPS告警事件。”
仍需继续执行步骤6和步骤7，上报IPS配置状态。

Step Independence

步骤独立性

The workflow steps have these dependencies:

Step 1 (Statistics) should run first to provide context.
Steps 2-7 are independent of each other — failure in any one step should NOT prevent other steps from executing.

流程步骤的依赖关系如下:

步骤1（统计） 应优先运行，提供全局上下文。
步骤2-7相互独立 — 任意步骤失败都不应影响其他步骤执行。

Partial Results

部分结果处理

When presenting the final summary report:

For steps that succeeded, show the collected data normally.
For steps that failed, show "N/A (error: {brief error})" in the corresponding section.
Always present the summary report even if some steps failed — partial data is better than no data.

展示最终汇总报告时:

执行成功的步骤，正常展示收集到的数据。
执行失败的步骤，对应区域显示“N/A（错误：{简要错误信息}）”。
即使部分步骤失败，也要始终展示汇总报告 — 部分数据远好于无数据。

Core Workflow

核心流程

All API calls use the Aliyun CLI

cloudfw

plugin. Request/response schemas are maintained only in references/api-analysis.md. Do not duplicate field-by-field descriptions in this file.

User-Agent: All commands must include

--user-agent AlibabaCloud-Agent-Skills

Region: Specified via

--region {RegionId}

global flag

CRITICAL: Execute immediately without asking. When this skill is triggered, start executing from Step 1 right away. Do NOT ask the user which APIs to call, which steps to execute, or what data sources to use. All data comes from the Aliyun CLI commands defined below — just run them. The intent routing table below is for optimization only — if the user's intent is unclear, execute ALL steps (Step 1-7) by default.

所有API调用都使用Aliyun CLI

cloudfw

插件。请求/响应 schema 仅在references/api-analysis.md中维护，不要在本文件中重复逐字段描述。

User-Agent: 所有命令必须携带

--user-agent AlibabaCloud-Agent-Skills

参数区域: 通过全局参数

--region {RegionId}

指定

关键规则：无需询问直接立即执行。 本技能触发时，直接从步骤1开始执行。不要询问用户要调用哪些API、执行哪些步骤、使用哪些数据源。所有数据都来自下方定义的Aliyun CLI命令 — 直接运行即可。下方的意图路由表仅用于优化执行范围 — 如果用户意图不明确，默认执行所有步骤（步骤1-7）。

Intent Routing (Auto-determined, No Confirmation Needed)

意图路由（自动判定，无需确认）

Automatically determine execution scope based on user wording. Do NOT ask the user to confirm:

User Intent	Execution Steps
Full alert analysis ("what IPS alerts today", "recent security events")	Execute all Steps 1-7
Attacked asset investigation ("which assets were attacked most")	Execute Step 1 + Step 3
Specific source IP alerts ("what alerts did this IP trigger")	Execute Step 2 (with `--SrcIP` filter)
Specific target asset/server alerts ("check attacks on x.x.x.x", "server 10.0.1.88 security alerts")	Execute Step 1 + Step 2 (with `--DstIP` filter) + Step 6 + Step 7
Attack trend/types ("are attacks increasing recently")	Execute Step 1 + Step 4 + Step 5
IPS configuration check ("what mode is IPS in", "rule library version")	Execute Step 6 + Step 7

Default behavior: If user intent cannot be clearly determined, execute all Steps 1-7 without asking.

根据用户表述自动判定执行范围。不要询问用户确认:

用户意图	执行步骤
全量告警分析（“今天有什么IPS告警”、“最近的安全事件”）	执行所有步骤1-7
受攻击资产调查（“哪些资产被攻击最多”）	执行步骤1 + 步骤3
特定源IP告警（“这个IP触发了什么告警”）	执行步骤2（带 `--SrcIP` 过滤）
特定目标资产/服务器告警（“查询x.x.x.x的攻击情况”、“服务器10.0.1.88的安全告警”）	执行步骤1 + 步骤2（带 `--DstIP` 过滤） + 步骤6 + 步骤7
攻击趋势/类型（“最近攻击是不是变多了”）	执行步骤1 + 步骤4 + 步骤5
IPS配置检查（“IPS现在是什么模式”、“规则库版本”）	执行步骤6 + 步骤7

默认行为: 如果无法明确判定用户意图，无需询问直接执行所有步骤1-7。

Time Parameters

时间参数

Some APIs require

StartTime

and

EndTime

parameters (Unix timestamp in seconds).

How to get timestamps: Run

date +%s

to get the current timestamp,

date -d '1 day ago' +%s

for 24 hours ago,

date -d '7 days ago' +%s

for 7 days ago. Then use the returned numeric values directly in CLI commands.

IMPORTANT: Do NOT use bash variable substitution like
$(date +%s)
inside CLI commands — some execution environments block
$(...)
. Instead, run
date
commands separately first, note the returned values, then use them as literal numbers in the
--StartTime
and
--EndTime
parameters.

Default time ranges:

User says "today" →
```
StartTime
```
= 24 hours ago
User says "recently"/"this week" →
```
StartTime
```
= 7 days ago
No time range specified → default to 7 days ago
```
EndTime
```
→ always current timestamp

部分API需要

StartTime

和

EndTime

参数（Unix时间戳，单位秒）。

获取时间戳的方法: 运行

date +%s

获取当前时间戳，

date -d '1 day ago' +%s

获取24小时前的时间戳，

date -d '7 days ago' +%s

获取7天前的时间戳。然后将返回的数值直接用于CLI命令中。

重要提示: 不要在CLI命令中使用
$(date +%s)
这类bash变量替换 — 部分执行环境会拦截
$(...)
语法。请先单独运行
date
命令，记录返回值，然后将其作为字面量数值传入
--StartTime
和
--EndTime
参数。

默认时间范围:

用户提及“今天” →
```
StartTime
```
= 24小时前
用户提及“最近”/“本周” →
```
StartTime
```
= 7天前
未指定时间范围 → 默认7天前
```
EndTime
```
→ 始终为当前时间戳

Step 1: IPS Alert Statistics Overview

步骤1：IPS告警统计概览

Retrieve overall alert statistics to understand the current security posture.

bash

aliyun cloudfw DescribeRiskEventStatistic \
  --StartTime {StartTime} \
  --EndTime {EndTime} \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

获取全局告警统计数据，了解当前安全态势。

bash

aliyun cloudfw DescribeRiskEventStatistic \
  --StartTime {StartTime} \
  --EndTime {EndTime} \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

Step 2: IPS Alert Event Details

步骤2：IPS告警事件详情

Retrieve grouped alert event list. This is the core data for analysis.

bash

aliyun cloudfw DescribeRiskEventGroup \
  --CurrentPage 1 \
  --PageSize 50 \
  --StartTime {StartTime} \
  --EndTime {EndTime} \
  --DataType 1 \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

Optional filter parameters (auto-added based on user intent, no confirmation needed):

By direction:
```
--Direction in
```
or
```
--Direction out
```
By source IP:
```
--SrcIP x.x.x.x
```
(query "attacks initiated by a specific IP")
By target IP:
```
--DstIP x.x.x.x
```
(query "attacks on a specific server/IP", supports private IPs like 10.x.x.x)
By vulnerability level:
```
--VulLevel 3
```
(1=low, 2=medium, 3=high)

Key: When a user mentions a specific server or IP being attacked, use the
--DstIP
filter to query all attack records for that IP — no need to access the server itself.

Pagination: Check

TotalCount

. If it exceeds 50, increment

CurrentPage

获取分组后的告警事件列表，这是分析的核心数据。

bash

aliyun cloudfw DescribeRiskEventGroup \
  --CurrentPage 1 \
  --PageSize 50 \
  --StartTime {StartTime} \
  --EndTime {EndTime} \
  --DataType 1 \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

可选过滤参数（根据用户意图自动添加，无需确认）:

按方向:
```
--Direction in
```
或
```
--Direction out
```
按源IP:
```
--SrcIP x.x.x.x
```
（查询“特定IP发起的攻击”）
按目标IP:
```
--DstIP x.x.x.x
```
（查询“特定服务器/IP的攻击情况”，支持10.x.x.x这类私有IP）
按漏洞等级:
```
--VulLevel 3
```
（1=低危，2=中危，3=高危）

关键点: 当用户提及特定服务器或IP被攻击时，使用
--DstIP
过滤查询该IP的所有攻击记录 — 无需访问服务器本身。

分页处理: 检查

TotalCount

，如果超过50，递增

CurrentPage

拉取全部数据。

Step 3: Top Attacked Assets Ranking

步骤3：受攻击资产Top排行

Identify which assets are attack hotspots.

bash

aliyun cloudfw DescribeRiskEventTopAttackAsset \
  --StartTime {StartTime} \
  --EndTime {EndTime} \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

识别哪些资产是攻击热点。

bash

aliyun cloudfw DescribeRiskEventTopAttackAsset \
  --StartTime {StartTime} \
  --EndTime {EndTime} \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

Step 4: Top Attack Types Ranking

步骤4：攻击类型Top排行

Understand the main threat types being faced.

bash

aliyun cloudfw DescribeRiskEventTopAttackType \
  --StartTime {StartTime} \
  --EndTime {EndTime} \
  --Direction in \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

If outbound attack types are also needed, make another call with

--Direction out

Note: This API requires the

Direction

parameter, otherwise it will return an error.

了解当前面临的主要威胁类型。

bash

aliyun cloudfw DescribeRiskEventTopAttackType \
  --StartTime {StartTime} \
  --EndTime {EndTime} \
  --Direction in \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

如果也需要出站攻击类型，再调用一次带

--Direction out

参数的命令。

注意：该API必须传入

Direction

参数，否则会返回错误。

Step 5: Top Attacked Applications Ranking

步骤5：受攻击应用Top排行

Understand which application-layer targets are being attacked.

bash

aliyun cloudfw DescribeRiskEventTopAttackApp \
  --StartTime {StartTime} \
  --EndTime {EndTime} \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

了解哪些应用层目标正在被攻击。

bash

aliyun cloudfw DescribeRiskEventTopAttackApp \
  --StartTime {StartTime} \
  --EndTime {EndTime} \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

Step 6: IPS Protection Configuration Status

步骤6：IPS防护配置状态

Check the current IPS run mode and protection capabilities.

bash

aliyun cloudfw DescribeDefaultIPSConfig \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

检查当前IPS运行模式和防护能力。

bash

aliyun cloudfw DescribeDefaultIPSConfig \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

Step 7: IPS Rule Library Version

步骤7：IPS规则库版本

bash

aliyun cloudfw DescribeSignatureLibVersion \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

bash

aliyun cloudfw DescribeSignatureLibVersion \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

Analysis & Report

分析与报告

After collecting data, generate a report in the following structure. Center the analysis around alert events, covering three dimensions: "who is attacking", "what is being attacked", and "how effective is the response". Only show sections with actual data; if an API call failed, note it and continue.

收集完数据后，按照以下结构生成报告。分析以告警事件为核心，覆盖“谁在攻击”、“攻击什么”、“响应效果如何”三个维度。仅展示有实际数据的板块；如果API调用失败，标注错误后继续。

1. IPS Alert Posture Overview

1. IPS告警态势概览

Combine Step 1 statistics and Step 6 IPS configuration to display the current security posture:

Alert Statistics (Time Range: x):

Metric	Value
Total Attack Events	x
Blocked	x
Observed/Alerted	x
Untreated	x
High / Medium / Low Severity	x / x / x

IPS Configuration Status:

Configuration Item	Status
Run Mode	Observe/Block
Basic Protection	Enabled/Disabled
Virtual Patches	Enabled/Disabled
Threat Intelligence	Enabled/Disabled
AI Engine	Enabled/Disabled
Rule Library Version	x (update time)

If IPS is in observe mode and there are high-severity events, prominently flag: "IPS is currently in observe mode — high-severity attacks are NOT being blocked".

结合步骤1的统计数据和步骤6的IPS配置，展示当前安全态势:

告警统计（时间范围：x）:

指标	数值
总攻击事件数	x
已拦截	x
已观测/告警	x
未处理	x
高危/中危/低危事件数	x / x / x

IPS配置状态:

配置项	状态
运行模式	观测/拦截
基础防护	开启/关闭
虚拟补丁	开启/关闭
威胁情报	开启/关闭
AI引擎	开启/关闭
规则库版本	x（更新时间）

如果IPS处于观测模式且存在高危事件，显著提示：“IPS当前处于观测模式 — 高危攻击未被拦截”。

2. High-Severity Alert Events (Immediate Action Required)

2. 高危告警事件（需立即处理）

From Step 2, filter events with VulLevel=3 (high) or VulLevel=2 (medium with high event count), sorted by event count in descending order:

Event Name	Attack Type	Source IP	Source Location	Target IP	Target Asset	Event Count	Handling Status	First Seen	Last Seen

Handling status explanation:

Observed (RuleResult=1): IPS detected but did not block — requires manual confirmation on whether blocking is needed
Blocked (RuleResult=2): Automatically blocked by IPS

从步骤2的数据中，过滤出VulLevel=3（高危）或VulLevel=2（中危且事件数高）的事件，按事件数降序排列:

事件名称	攻击类型	源IP	源位置	目标IP	目标资产	事件数	处理状态	首次发现时间	最近发现时间

处理状态说明:

已观测（RuleResult=1）: IPS检测到但未拦截 — 需要人工确认是否需要拦截
已拦截（RuleResult=2）: IPS自动拦截

3. Attack Hotspot Analysis

3. 攻击热点分析

Top Attacked Assets

受攻击资产Top排行

Combine Step 3 data to display attack status by asset:

Rank	Target IP	Resource Name	Resource Type	Region	Attack Count	Blocked	Block Rate

Focus on assets with low block rates — this means many attacks are only being observed, not blocked.

结合步骤3的数据，按资产展示攻击情况:

排名	目标IP	资源名称	资源类型	区域	攻击次数	已拦截	拦截率

重点关注拦截率低的资产 — 这意味着很多攻击仅被观测，未被拦截。

Attack Type Distribution

攻击类型分布

Combine Step 4 data:

Attack Type	Attack Count	Blocked	Block Rate

结合步骤4的数据:

攻击类型	攻击次数	已拦截	拦截率

Attack Application Distribution

攻击应用分布

Combine Step 5 data:

Application	Attack Count	Blocked	Block Rate

结合步骤5的数据:

应用	攻击次数	已拦截	拦截率

4. Attack Source Analysis

4. 攻击源分析

Summarize source IP dimensions from Step 2 event data:

Source IP	Source Country/City	Attack Count	Primary Attack Type	Target Asset Count	Handling Status

Flag cases where the same source IP attacks multiple assets — this typically indicates organized scanning or attacks.

从步骤2的事件数据中按源IP维度汇总:

源IP	源国家/城市	攻击次数	主要攻击类型	攻击目标资产数	处理状态

标注同一源IP攻击多个资产的情况 — 这通常代表有组织的扫描或攻击。

5. Remediation Recommendations

5. 修复建议

Generate specific recommendations based on actual data, sorted by priority. Each recommendation includes: Risk Description, Impact Scope, Recommended Action.

基于实际数据生成针对性建议，按优先级排序。每条建议包含：风险描述、影响范围、建议操作。

P0 — Critical (Immediate Action)

P0 — 危急（立即处理）

High-severity events in "observe" mode, not blocked → Switch IPS to block mode, or manually block the attacking source IP
Same source IP attacking multiple assets in volume → Add that IP to Cloud Firewall ACL blacklist
IPS in observe mode with active high-severity attacks → Switch to block mode

处于“观测”模式的高危事件，未被拦截 → 将IPS切换为拦截模式，或手动拦截攻击源IP
同一源IP批量攻击多个资产 → 将该IP添加到云防火墙ACL黑名单
IPS处于观测模式且存在活跃高危攻击 → 切换为拦截模式

P1 — High (Within 24 Hours)

P1 — 高优（24小时内处理）

Medium-severity events recurring and not blocked → Check target asset vulnerabilities and remediate
Basic protection/virtual patches not enabled → Recommend enabling to enhance protection
Attacked assets with low block rate → Check IPS rule coverage

中危事件反复出现且未被拦截 → 检查目标资产漏洞并修复
基础防护/虚拟补丁未开启 → 建议开启以增强防护能力
受攻击资产拦截率低 → 检查IPS规则覆盖情况

P2 — Medium (This Week)

P2 — 中优（本周内处理）

Multiple attack types targeting the same asset → Conduct security hardening review for that asset
Threat intelligence/AI engine rules not enabled → Recommend enabling
Rule library version outdated → Update to the latest version

同一资产遭受多种类型攻击 → 对该资产进行安全加固评审
威胁情报/AI引擎规则未开启 → 建议开启
规则库版本过旧 → 更新到最新版本

P3 — Low (Periodic Review)

P3 — 低优（定期巡检）

Low-severity events persisting → Include in periodic review, assess whether they are false positives
Optimize IPS whitelist to reduce business false positives

Note: For any step that failed, show "N/A (error: {brief error})" for that section's data fields, and list all errors in the bottom section.

低危事件持续存在 → 纳入定期巡检，评估是否为误报
优化IPS白名单减少业务误报

注意: 任何执行失败的步骤，对应板块的数据字段显示“N/A（错误：{简要错误信息}）”，并在底部板块列出所有错误。

Success Verification

成功验证

See references/verification-method.md for detailed verification steps.

Quick verification: If all CLI commands return valid JSON responses without error codes, the skill executed successfully.

查看references/verification-method.md获取详细验证步骤。

快速验证：如果所有CLI命令都返回有效的JSON响应，无错误码，说明技能执行成功。

API and Command Tables

API与命令对照表

Use references/related-apis.md as the single source of truth for API tables and command mappings.

使用references/related-apis.md作为API表和命令映射的唯一可信来源。

Best Practices

最佳实践

Query in order — Start with alert statistics (Step 1) to understand the overall security posture. If all values are zero, report that no alerts were detected in the time range.
Continue on failure — If any step (2-7) fails, log the error and continue with the remaining steps. Always produce a report with whatever data was collected.
Use pagination — For alert event lists (Step 2), use
```
CurrentPage
```
and
```
PageSize
```
. Default to PageSize=50. If
```
TotalCount
```
exceeds
```
PageSize
```
, iterate through all pages.
Time range selection — Default to last 24 hours for "today", last 7 days for "recently"/"this week". Use Unix timestamps in seconds. Calculate with:
```
date +%s
```
for current time,
```
date -d '1 day ago' +%s
```
for 24 hours ago,
```
date -d '7 days ago' +%s
```
for 7 days ago. Run these commands separately, then use the returned values as literal numbers in
```
--StartTime
```
and
```
--EndTime
```
. Do NOT use
```
$(...)
```
substitution inside CLI commands.
Region awareness — Cloud Firewall only has two regions:
```
cn-hangzhou
```
(mainland China) and
```
ap-southeast-1
```
(Hong Kong/overseas). Default to
```
cn-hangzhou
```
unless user specifies otherwise.
Direction parameter — Step 4 (
```
DescribeRiskEventTopAttackType
```
) requires the
```
Direction
```
parameter. Default to
```
in
```
(inbound). Query
```
out
```
separately if needed.
Rate limiting — Space API calls to avoid throttling. If you receive a
```
Throttling.User
```
error, wait 3 seconds and retry.
Security — NEVER expose, log, echo, or display AK/SK values.
Retry on transient errors — For network timeouts or 5xx errors, retry up to 2 times with a 3-second delay.
Validate all inputs first — Reject invalid
```
RegionId
```
, timestamp, pagination, and IP values before command execution.
Set explicit timeout env vars — Always set
```
ALIBABA_CLOUD_CONNECT_TIMEOUT=10
```
and
```
ALIBABA_CLOUD_READ_TIMEOUT=30
```
before workflow commands.

按顺序查询 — 从告警统计（步骤1）开始了解全局安全态势。如果所有统计值为0，上报该时间范围内未检测到告警。
失败时继续执行 — 如果步骤2-7中任意步骤失败，记录错误并继续执行剩余步骤。始终基于收集到的所有数据生成报告。
使用分页 — 告警事件列表（步骤2）使用
```
CurrentPage
```
和
```
PageSize
```
参数，默认PageSize=50。如果
```
TotalCount
```
超过
```
PageSize
```
，遍历所有页面拉取全量数据。
时间范围选择 — “今天”默认最近24小时，“最近”/“本周”默认最近7天。使用秒级Unix时间戳，计算方式：
```
date +%s
```
获取当前时间，
```
date -d '1 day ago' +%s
```
获取24小时前时间，
```
date -d '7 days ago' +%s
```
获取7天前时间。单独运行这些命令，然后将返回值作为字面量数值传入
```
--StartTime
```
和
```
--EndTime
```
参数，不要在CLI命令中使用
```
$(...)
```
替换。
区域感知 — 云防火墙仅支持两个区域：
```
cn-hangzhou
```
（中国内地）和
```
ap-southeast-1
```
（香港/海外）。默认使用
```
cn-hangzhou
```
，除非用户另有指定。
方向参数 — 步骤4（
```
DescribeRiskEventTopAttackType
```
）必须传入
```
Direction
```
参数，默认
```
in
```
（入站）。如果需要出站数据单独查询。
限流处理 — 控制API调用间隔避免被限流。如果收到
```
Throttling.User
```
错误，等待3秒后重试。
安全规范 — 绝对不要暴露、记录、回显或展示AK/SK值。
瞬时错误重试 — 网络超时或5xx错误最多重试2次，每次间隔3秒。
优先校验所有输入 — 命令执行前拒绝非法的
```
RegionId
```
、时间戳、分页参数和IP值。
设置显式超时环境变量 — 执行流程命令前必须设置
```
ALIBABA_CLOUD_CONNECT_TIMEOUT=10
```
和
```
ALIBABA_CLOUD_READ_TIMEOUT=30
```
。

Reference Links

参考链接

Reference	Description
references/related-apis.md	Complete API table with parameters
references/ram-policies.md	Required RAM permissions and policy JSON
references/verification-method.md	Step-by-step verification commands
references/acceptance-criteria.md	Correct/incorrect usage patterns
references/cli-installation-guide.md	Aliyun CLI installation guide
references/api-analysis.md	Detailed API parameter and response documentation

参考文档	说明
references/related-apis.md	完整API参数对照表
references/ram-policies.md	所需RAM权限和策略JSON
references/verification-method.md	分步验证命令
references/acceptance-criteria.md	正确/错误使用示例
references/cli-installation-guide.md	Aliyun CLI安装指南
references/api-analysis.md	详细API参数和响应文档