Loading...
Loading...
Compare original and translation side by side
Alibaba Cloud Security Center (SAS) + RAM Permissions + CLI ToolsAlibaba Cloud Security Center (SAS) + RAM Permissions + CLI ToolsPre-check: Aliyun CLI >= 3.3.1 Runto verify version >= 3.3.1. If not installed or version is too low, seealiyun versionfor installation instructions. Then [MUST] runreferences/cli-installation-guide.mdto enable automatic plugin installation.aliyun configure set --auto-plugin-install true
aliyun version
aliyun configure set --auto-plugin-install true前置检查:Aliyun CLI >= 3.3.1 运行确认版本 >= 3.3.1。如果未安装或版本过低, 请参考aliyun version查看安装说明。 之后[必须]运行references/cli-installation-guide.md开启自动插件安装功能。aliyun configure set --auto-plugin-install true
aliyun version
aliyun configure set --auto-plugin-install truePre-check: Alibaba Cloud Credentials RequiredSecurity Rules:
- NEVER read, output, or print AK/SK values
- NEVER ask users to input AK/SK directly
- ONLY use
to check credential statusaliyun configure listbashaliyun configure listCheck the output for a valid profile. If no valid profile exists, STOP here.
前置检查:需要阿里云凭证安全规则:
- 严禁读取、输出或打印AK/SK值
- 严禁要求用户直接输入AK/SK
- 仅可使用
检查凭证状态aliyun configure listbashaliyun configure list检查输出中是否存在有效配置文件。如果不存在有效配置文件,请停止后续操作。
| Permission Name | Description |
|---|---|
| Query alert list |
| Query available operations |
| Handle alerts |
| Query handling status |
[MUST] Permission Failure Handling: When permission errors occur:
- Read
for required permissionsreferences/ram-policies.md- Use
skill to guide userram-permission-diagnose- Wait until user confirms permissions granted
| 权限名称 | 描述 |
|---|---|
| 查询告警列表 |
| 查询可用操作 |
| 处理告警 |
| 查询处理状态 |
[必须]权限失败处理: 出现权限错误时:
- 阅读
查看所需权限references/ram-policies.md- 使用
技能引导用户操作ram-permission-diagnose- 等待用户确认已授予权限
⚠️ IMPORTANT: Choose the correct API based on user input
| Scenario | User Input Example | Correct Approach |
|---|---|---|
| User specified alert ID | "Query alert 702173474" | Directly call |
| User did not specify alert ID | "View my alerts" | Execute Step 1 to query alert list |
aliyun sas DescribeSecurityEventOperations \
--SecurityEventId {AlertID} \
--Lang zh \
--user-agent AlibabaCloud-Agent-SkillsSecurityEventNotExists⚠️ 重要提示:根据用户输入选择正确的API
| 场景 | 用户输入示例 | 正确处理方式 |
|---|---|---|
| 用户指定了告警ID | "查询告警702173474" | 直接调用 |
| 用户未指定告警ID | "查看我的告警" | 执行步骤1查询告警列表 |
aliyun sas DescribeSecurityEventOperations \
--SecurityEventId {AlertID} \
--Lang zh \
--user-agent AlibabaCloud-Agent-SkillsSecurityEventNotExistsaliyun sas DescribeSuspEvents \
--Lang zh \
--From sas \
--CurrentPage 1 \
--PageSize 10 \
--Levels "serious,suspicious,remind" \
--Dealed N \
--user-agent AlibabaCloud-Agent-Skills 2>/dev/null | jq '.SuspEvents[] | {Id, Name: .AlarmEventNameDisplay, AlarmEventType, Level, InternetIp, IntranetIp, LastTime, EventStatus, Uuid}'| Field | Description |
|---|---|
| Id | Alert event ID (core field) |
| AlarmEventNameDisplay | Alert name |
| AlarmEventType | Alert type |
| Level | Severity (serious/suspicious/remind) |
| EventStatus | 1=pending, 2=ignored, 8=false positive, 32=completed |
aliyun sas DescribeSuspEvents \
--Lang zh \
--From sas \
--CurrentPage 1 \
--PageSize 10 \
--Levels "serious,suspicious,remind" \
--Dealed N \
--user-agent AlibabaCloud-Agent-Skills 2>/dev/null | jq '.SuspEvents[] | {Id, Name: .AlarmEventNameDisplay, AlarmEventType, Level, InternetIp, IntranetIp, LastTime, EventStatus, Uuid}'| 字段 | 描述 |
|---|---|
| Id | 告警事件ID(核心字段) |
| AlarmEventNameDisplay | 告警名称 |
| AlarmEventType | 告警类型 |
| Level | 严重程度(serious/高危、suspicious/可疑、remind/提醒) |
| EventStatus | 1=待处理, 2=已忽略, 8=误报, 32=处理完成 |
Alert List (Total X items):
[Alert 1] ID: 7009607xx
- Name: ECS login from unusual location
- Type: Unusual Login
- Severity: suspicious
- Asset: 47.xxx.xxx.xxx / 10.xxx.xxx.xxx
- Status: Pending
- Time: 2026-03-19 14:11:05
- Recommended Action: Block IP
- Reason: Unusual login behavior detected告警列表(共X条):
[告警1] ID: 7009607xx
- 名称:ECS异常地域登录
- 类型:异常登录
- 严重程度:可疑
- 资产:47.xxx.xxx.xxx / 10.xxx.xxx.xxx
- 状态:待处理
- 时间:2026-03-19 14:11:05
- 建议操作:阻断IP
- 原因:检测到异常登录行为Please confirm how to handle these alerts:
1. ✅ Handle all using recommended methods
2. 🔧 Custom handling method
3. ❌ Cancel
Please select (enter number):请确认如何处理这些告警:
1. ✅ 全部按照建议方式处理
2. 🔧 自定义处理方式
3. ❌ 取消
请选择(输入数字):⚠️ Strict Constraint: Each alert's available operations must be queried individually
- NEVER assume one alert's operations apply to another
- MUST call
for each alertDescribeSecurityEventOperations
aliyun sas DescribeSecurityEventOperations \
--SecurityEventId {AlertID} \
--Lang zh \
--user-agent AlibabaCloud-Agent-SkillsUserCanOperate=true⚠️ 严格约束:每个告警的可用操作必须单独查询
- 严禁假设某条告警的操作适用于其他告警
- 必须为每个告警调用
DescribeSecurityEventOperations
aliyun sas DescribeSecurityEventOperations \
--SecurityEventId {AlertID} \
--Lang zh \
--user-agent AlibabaCloud-Agent-SkillsUserCanOperate=true| OperationCode | OperationParams | Notes |
|---|---|---|
| block_ip | | expireTime = current + duration (ms) |
| kill_and_quara | | |
| virus_quara | | |
| quara | | |
| ignore | | |
| manual_handled | | |
| advance_mark_mis_info | | See workflow-details.md |
aliyun sas HandleSecurityEvents \
--SecurityEventIds.1 7009586xx \
--OperationCode ignore \
--OperationParams '{}' \
--user-agent AlibabaCloud-Agent-Skillsaliyun sas HandleSecurityEvents \
--SecurityEventIds.1 7008619xx \
--OperationCode kill_and_quara \
--OperationParams '{"subOperation":"killAndQuaraFileByMd5andPath"}' \
--user-agent AlibabaCloud-Agent-Skillsundefined| OperationCode | OperationParams | 备注 |
|---|---|---|
| block_ip | | expireTime = 当前时间 + 时长(毫秒) |
| kill_and_quara | | |
| virus_quara | | |
| quara | | |
| ignore | | |
| manual_handled | | |
| advance_mark_mis_info | | 参考workflow-details.md |
aliyun sas HandleSecurityEvents \
--SecurityEventIds.1 7009586xx \
--OperationCode ignore \
--OperationParams '{}' \
--user-agent AlibabaCloud-Agent-Skillsaliyun sas HandleSecurityEvents \
--SecurityEventIds.1 7008619xx \
--OperationCode kill_and_quara \
--OperationParams '{"subOperation":"killAndQuaraFileByMd5andPath"}' \
--user-agent AlibabaCloud-Agent-Skillsundefined
**Example - advance_mark_mis_info:**
```bash
aliyun sas HandleSecurityEvents \
--SecurityEventIds.1 7009586xx \
--OperationCode advance_mark_mis_info \
--OperationParams '{}' \
--MarkMissParam '[{"uuid":"ALL","field":"loginSourceIp","operate":"strEqual","fieldValue":"59.82.xx.xx"}]' \
--user-agent AlibabaCloud-Agent-Skills⚠️ For advanced whitelist (advance_mark_mis_info):
- Must ask user about whitelist rules and scope
- Must preserve existing MarkField rules
- See references/workflow-details.md for detailed process
**示例 - 高级误报加白:**
```bash
aliyun sas HandleSecurityEvents \
--SecurityEventIds.1 7009586xx \
--OperationCode advance_mark_mis_info \
--OperationParams '{}' \
--MarkMissParam '[{"uuid":"ALL","field":"loginSourceIp","operate":"strEqual","fieldValue":"59.82.xx.xx"}]' \
--user-agent AlibabaCloud-Agent-Skills⚠️ 高级白名单(advance_mark_mis_info)注意事项:
- 必须询问用户白名单规则和生效范围
- 必须保留已有的MarkField规则
- 详细流程参考 references/workflow-details.md
⚠️ CLI Requirement: Must pass both TaskId and SecurityEventIds
aliyun sas DescribeSecurityEventOperationStatus \
--TaskId 290511xx \
--SecurityEventIds.1 7009607xx \
--user-agent AlibabaCloud-Agent-SkillsTaskStatus=ProcessingTaskStatus=SuccessTaskStatus=Failure⚠️ CLI要求:必须同时传入TaskId和SecurityEventIds
aliyun sas DescribeSecurityEventOperationStatus \
--TaskId 290511xx \
--SecurityEventIds.1 7009607xx \
--user-agent AlibabaCloud-Agent-SkillsTaskStatus=ProcessingTaskStatus=SuccessTaskStatus=Failure========== Handling Results Summary ==========
✅ Successfully Handled: 3 items
[Alert 7009607xx] Block IP - Success
❌ Handling Failed: 1 item
[Alert 7008557xx] Kill and Quarantine - Failed (AgentOffline)
Total: 4 items, Success 3, Failed 1========== 处理结果汇总 ==========
✅ 处理成功:3条
[告警7009607xx] 阻断IP - 成功
❌ 处理失败:1条
[告警7008557xx] 查杀并隔离 - 失败(AgentOffline)
总计:4条,成功3条,失败1条| operateCode | Description | Additional Params |
|---|---|---|
| block_ip | Block IP | expireTime (required) |
| kill_and_quara | Kill and Quarantine | subOperation (required) |
| virus_quara | Quarantine File | subOperation (required) |
| quara | Quarantine | None |
| advance_mark_mis_info | Advanced Whitelist | MarkMissParam |
| ignore | Ignore | None |
| manual_handled | Mark as Handled | None |
| kill_process | Kill Process | None |
| operateCode | 描述 | 额外参数 |
|---|---|---|
| block_ip | 阻断IP | expireTime(必填) |
| kill_and_quara | 查杀并隔离 | subOperation(必填) |
| virus_quara | 隔离文件 | subOperation(必填) |
| quara | 隔离 | 无 |
| advance_mark_mis_info | 高级白名单 | MarkMissParam |
| ignore | 忽略 | 无 |
| manual_handled | 标记为已处理 | 无 |
| kill_process | 杀掉进程 | 无 |
| Error Scenario | Handling Method |
|---|---|
| UserCanOperate=false | Operation not supported, version limitation |
| Timeout (>10s) | Mark as failed, continue next |
| *.AgentOffline | Client offline, cannot handle |
| *.ProcessNotExist | Suggest using virus_quara_bin |
| NoPermission | Contact admin for authorization |
| SecurityEventNotExists | Search in handled alerts first |
| 错误场景 | 处理方式 |
|---|---|
| UserCanOperate=false | 不支持该操作,版本限制 |
| 超时(>10秒) | 标记为失败,继续处理下一条 |
| *.AgentOffline | 客户端离线,无法处理 |
| *.ProcessNotExist | 建议使用virus_quara_bin |
| NoPermission | 联系管理员授权 |
| SecurityEventNotExists | 先在已处理告警中搜索 |
DescribeSecurityEventOperationsDescribeSecurityEventOperations| Document | Description |
|---|---|
| references/workflow-details.md | Detailed workflow, CLI examples, advanced whitelist |
| references/operation-codes.md | Complete operateCode reference |
| references/error-handling.md | Error handling procedures |
| references/related-apis.md | API parameter details |
| references/ram-policies.md | RAM permission policies |
| references/verification-method.md | Verification methods |
| references/cli-installation-guide.md | CLI installation guide |
| 文档 | 描述 |
|---|---|
| references/workflow-details.md | 详细工作流、CLI示例、高级白名单说明 |
| references/operation-codes.md | 完整operateCode参考 |
| references/error-handling.md | 错误处理流程 |
| references/related-apis.md | API参数详情 |
| references/ram-policies.md | RAM权限策略 |
| references/verification-method.md | 验证方法 |
| references/cli-installation-guide.md | CLI安装指南 |