alibabacloud-sas-alert-handler

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Cloud Security Center CWPP Alert Handling Skill

云安全中心CWPP告警处理技能

Scenario Description

场景描述

This skill helps users query and handle CWPP host security alerts from Alibaba Cloud Security Center (SAS/Aegis).

Core Capabilities:

Query security alert list
Analyze alert details and recommend handling methods
Execute alert handling operations (ignore, whitelist, block, quarantine, etc.)
Query handling status and summarize results

Architecture:

Alibaba Cloud Security Center (SAS) + RAM Permissions + CLI Tools

本技能可帮助用户查询并处理阿里云安全中心（SAS/Aegis）的CWPP主机安全告警。

核心能力：

查询安全告警列表
分析告警详情并推荐处理方案
执行告警处理操作（忽略、加白名单、阻断、隔离等）
查询处理状态并汇总结果

架构：

Alibaba Cloud Security Center (SAS) + RAM Permissions + CLI Tools

Installation Requirements

安装要求

Pre-check: Aliyun CLI >= 3.3.1 Run
aliyun version
to verify version >= 3.3.1. If not installed or version is too low, see
references/cli-installation-guide.md
for installation instructions. Then [MUST] run
aliyun configure set --auto-plugin-install true
to enable automatic plugin installation.

bash

aliyun version
aliyun configure set --auto-plugin-install true

前置检查：Aliyun CLI >= 3.3.1 运行
aliyun version
确认版本 >= 3.3.1。如果未安装或版本过低，请参考
references/cli-installation-guide.md
查看安装说明。之后[必须]运行
aliyun configure set --auto-plugin-install true
开启自动插件安装功能。

bash

aliyun version
aliyun configure set --auto-plugin-install true

Authentication Configuration

认证配置

Pre-check: Alibaba Cloud Credentials Required

Security Rules:
NEVER read, output, or print AK/SK values

NEVER ask users to input AK/SK directly
ONLY use
aliyun configure list
to check credential status
bash
aliyun configure list
Check the output for a valid profile. If no valid profile exists, STOP here.

前置检查：需要阿里云凭证

安全规则：
严禁读取、输出或打印AK/SK值

严禁要求用户直接输入AK/SK
仅可使用
aliyun configure list
检查凭证状态
bash
aliyun configure list
检查输出中是否存在有效配置文件。如果不存在有效配置文件，请停止后续操作。

RAM Permission Requirements

RAM权限要求

Permission Name	Description
`yundun-sas:DescribeSuspEvents`	Query alert list
`yundun-sas:DescribeSecurityEventOperations`	Query available operations
`yundun-sas:HandleSecurityEvents`	Handle alerts
`yundun-sas:DescribeSecurityEventOperationStatus`	Query handling status

For detailed policies, see references/ram-policies.md

[MUST] Permission Failure Handling: When permission errors occur:
Read
references/ram-policies.md
for required permissions
Use
ram-permission-diagnose
skill to guide user
Wait until user confirms permissions granted

权限名称	描述
`yundun-sas:DescribeSuspEvents`	查询告警列表
`yundun-sas:DescribeSecurityEventOperations`	查询可用操作
`yundun-sas:HandleSecurityEvents`	处理告警
`yundun-sas:DescribeSecurityEventOperationStatus`	查询处理状态

如需查看完整策略，请参考 references/ram-policies.md

[必须]权限失败处理： 出现权限错误时：
阅读
references/ram-policies.md
查看所需权限
使用
ram-permission-diagnose
技能引导用户操作
等待用户确认已授予权限

Core Workflow

核心工作流

Step 0: Identify Query Scenario (Critical)

步骤0：确定查询场景（关键）

⚠️ IMPORTANT: Choose the correct API based on user input

Scenario	User Input Example	Correct Approach
User specified alert ID	"Query alert 702173474"	Directly call `DescribeSecurityEventOperations --SecurityEventId {ID}`
User did not specify alert ID	"View my alerts"	Execute Step 1 to query alert list

Scenario A: User specified alert ID → Verify alert exists:

bash

aliyun sas DescribeSecurityEventOperations \
  --SecurityEventId {AlertID} \
  --Lang zh \
  --user-agent AlibabaCloud-Agent-Skills

Success → Alert exists, proceed to Step 5
Failure (
```
SecurityEventNotExists
```
) → See references/error-handling.md

Scenario B: User did not specify alert ID → Proceed to Step 1

⚠️ 重要提示：根据用户输入选择正确的API

场景	用户输入示例	正确处理方式
用户指定了告警ID	"查询告警702173474"	直接调用 `DescribeSecurityEventOperations --SecurityEventId {ID}`
用户未指定告警ID	"查看我的告警"	执行步骤1查询告警列表

场景A：用户指定了告警ID → 验证告警是否存在：

bash

aliyun sas DescribeSecurityEventOperations \
  --SecurityEventId {AlertID} \
  --Lang zh \
  --user-agent AlibabaCloud-Agent-Skills

成功 → 告警存在，进入步骤5
失败 (
```
SecurityEventNotExists
```
) → 参考 references/error-handling.md

场景B：用户未指定告警ID → 进入步骤1

Step 1: Query Alert List

步骤1：查询告警列表

bash

aliyun sas DescribeSuspEvents \
  --Lang zh \
  --From sas \
  --CurrentPage 1 \
  --PageSize 10 \
  --Levels "serious,suspicious,remind" \
  --Dealed N \
  --user-agent AlibabaCloud-Agent-Skills 2>/dev/null | jq '.SuspEvents[] | {Id, Name: .AlarmEventNameDisplay, AlarmEventType, Level, InternetIp, IntranetIp, LastTime, EventStatus, Uuid}'

Key Response Fields:

Field	Description
Id	Alert event ID (core field)
AlarmEventNameDisplay	Alert name
AlarmEventType	Alert type
Level	Severity (serious/suspicious/remind)
EventStatus	1=pending, 2=ignored, 8=false positive, 32=completed

bash

aliyun sas DescribeSuspEvents \
  --Lang zh \
  --From sas \
  --CurrentPage 1 \
  --PageSize 10 \
  --Levels "serious,suspicious,remind" \
  --Dealed N \
  --user-agent AlibabaCloud-Agent-Skills 2>/dev/null | jq '.SuspEvents[] | {Id, Name: .AlarmEventNameDisplay, AlarmEventType, Level, InternetIp, IntranetIp, LastTime, EventStatus, Uuid}'

核心返回字段：

字段	描述
Id	告警事件ID（核心字段）
AlarmEventNameDisplay	告警名称
AlarmEventType	告警类型
Level	严重程度（serious/高危、suspicious/可疑、remind/提醒）
EventStatus	1=待处理, 2=已忽略, 8=误报, 32=处理完成

Step 2: Display Alert Information and Recommendations

步骤2：展示告警信息和处理建议

Display Format:

Alert List (Total X items):

[Alert 1] ID: 7009607xx
- Name: ECS login from unusual location
- Type: Unusual Login
- Severity: suspicious
- Asset: 47.xxx.xxx.xxx / 10.xxx.xxx.xxx
- Status: Pending
- Time: 2026-03-19 14:11:05
- Recommended Action: Block IP
- Reason: Unusual login behavior detected

For operateCode mappings and recommendation rules, see references/operation-codes.md

展示格式：

告警列表（共X条）：

[告警1] ID: 7009607xx
- 名称：ECS异常地域登录
- 类型：异常登录
- 严重程度：可疑
- 资产：47.xxx.xxx.xxx / 10.xxx.xxx.xxx
- 状态：待处理
- 时间：2026-03-19 14:11:05
- 建议操作：阻断IP
- 原因：检测到异常登录行为

如需查看operateCode映射关系和建议规则，请参考 references/operation-codes.md

Step 3: Determine Handling Intent

步骤3：确认处理意图

Case A: User specified handling method → Proceed to Step 4

Case B: User did not specify → Must ask user:

Please confirm how to handle these alerts:

1. ✅ Handle all using recommended methods
2. 🔧 Custom handling method
3. ❌ Cancel

Please select (enter number):

情况A：用户指定了处理方式 → 进入步骤4

情况B：用户未指定 → 必须询问用户：

请确认如何处理这些告警：

1. ✅ 全部按照建议方式处理
2. 🔧 自定义处理方式
3. ❌ 取消

请选择（输入数字）：

Step 4: Query Available Handling Operations

步骤4：查询可用处理操作

⚠️ Strict Constraint: Each alert's available operations must be queried individually
NEVER assume one alert's operations apply to another
MUST call
DescribeSecurityEventOperations
for each alert

bash

aliyun sas DescribeSecurityEventOperations \
  --SecurityEventId {AlertID} \
  --Lang zh \
  --user-agent AlibabaCloud-Agent-Skills

⚠️ Critical: Only execute operations where
UserCanOperate=true

⚠️ 严格约束：每个告警的可用操作必须单独查询
严禁假设某条告警的操作适用于其他告警
必须为每个告警调用
DescribeSecurityEventOperations

bash

aliyun sas DescribeSecurityEventOperations \
  --SecurityEventId {AlertID} \
  --Lang zh \
  --user-agent AlibabaCloud-Agent-Skills

⚠️ 关键：仅可执行
UserCanOperate=true
的操作

Step 5: Build Parameters and Execute

步骤5：构造参数并执行

Quick Reference - Common Operations:

OperationCode	OperationParams	Notes
block_ip	`{"expireTime":1773991205392}`	expireTime = current + duration (ms)
kill_and_quara	`{"subOperation":"killAndQuaraFileByMd5andPath"}`
virus_quara	`{"subOperation":"quaraFileByMd5andPath"}`
quara	`{}`
ignore	`{}`
manual_handled	`{}`
advance_mark_mis_info	`{}` + MarkMissParam	See workflow-details.md

Example - ignore:

bash

aliyun sas HandleSecurityEvents \
  --SecurityEventIds.1 7009586xx \
  --OperationCode ignore \
  --OperationParams '{}' \
  --user-agent AlibabaCloud-Agent-Skills

Example - kill_and_quara:

bash

aliyun sas HandleSecurityEvents \
  --SecurityEventIds.1 7008619xx \
  --OperationCode kill_and_quara \
  --OperationParams '{"subOperation":"killAndQuaraFileByMd5andPath"}' \
  --user-agent AlibabaCloud-Agent-Skills

Example - block_ip (7 days):

bash

undefined

快速参考 - 常见操作：

OperationCode	OperationParams	备注
block_ip	`{"expireTime":1773991205392}`	expireTime = 当前时间 + 时长（毫秒）
kill_and_quara	`{"subOperation":"killAndQuaraFileByMd5andPath"}`
virus_quara	`{"subOperation":"quaraFileByMd5andPath"}`
quara	`{}`
ignore	`{}`
manual_handled	`{}`
advance_mark_mis_info	`{}` + MarkMissParam	参考workflow-details.md

示例 - 忽略：

bash

aliyun sas HandleSecurityEvents \
  --SecurityEventIds.1 7009586xx \
  --OperationCode ignore \
  --OperationParams '{}' \
  --user-agent AlibabaCloud-Agent-Skills

示例 - 查杀并隔离：

bash

aliyun sas HandleSecurityEvents \
  --SecurityEventIds.1 7008619xx \
  --OperationCode kill_and_quara \
  --OperationParams '{"subOperation":"killAndQuaraFileByMd5andPath"}' \
  --user-agent AlibabaCloud-Agent-Skills

示例 - 阻断IP（7天）：

bash

undefined

Calculate: current_timestamp_ms + 72460601000

计算方式：当前时间戳（毫秒） + 72460601000

aliyun sas HandleSecurityEvents
--SecurityEventIds.1 7009607xx
--OperationCode block_ip
--OperationParams '{"expireTime":1773991205392}'
--user-agent AlibabaCloud-Agent-Skills


**Example - advance_mark_mis_info:**
```bash
aliyun sas HandleSecurityEvents \
  --SecurityEventIds.1 7009586xx \
  --OperationCode advance_mark_mis_info \
  --OperationParams '{}' \
  --MarkMissParam '[{"uuid":"ALL","field":"loginSourceIp","operate":"strEqual","fieldValue":"59.82.xx.xx"}]' \
  --user-agent AlibabaCloud-Agent-Skills

⚠️ For advanced whitelist (advance_mark_mis_info):

Must ask user about whitelist rules and scope

Must preserve existing MarkField rules

See references/workflow-details.md for detailed process

For complete CLI examples and parameter details, see references/workflow-details.md

aliyun sas HandleSecurityEvents
--SecurityEventIds.1 7009607xx
--OperationCode block_ip
--OperationParams '{"expireTime":1773991205392}'
--user-agent AlibabaCloud-Agent-Skills


**示例 - 高级误报加白：**
```bash
aliyun sas HandleSecurityEvents \
  --SecurityEventIds.1 7009586xx \
  --OperationCode advance_mark_mis_info \
  --OperationParams '{}' \
  --MarkMissParam '[{"uuid":"ALL","field":"loginSourceIp","operate":"strEqual","fieldValue":"59.82.xx.xx"}]' \
  --user-agent AlibabaCloud-Agent-Skills

⚠️ 高级白名单（advance_mark_mis_info）注意事项：

必须询问用户白名单规则和生效范围

必须保留已有的MarkField规则

详细流程参考 references/workflow-details.md

如需查看完整CLI示例和参数详情，请参考 references/workflow-details.md

Step 6: Query Handling Status

步骤6：查询处理状态

⚠️ CLI Requirement: Must pass both TaskId and SecurityEventIds

bash

aliyun sas DescribeSecurityEventOperationStatus \
  --TaskId 290511xx \
  --SecurityEventIds.1 7009607xx \
  --user-agent AlibabaCloud-Agent-Skills

Polling Logic:

```
TaskStatus=Processing
```
→ Wait 2s, retry (max 5 times)
After 10s still not complete → Mark as failed
```
TaskStatus=Success
```
→ Handling successful
```
TaskStatus=Failure
```
→ Check ErrorCode

⚠️ CLI要求：必须同时传入TaskId和SecurityEventIds

bash

aliyun sas DescribeSecurityEventOperationStatus \
  --TaskId 290511xx \
  --SecurityEventIds.1 7009607xx \
  --user-agent AlibabaCloud-Agent-Skills

轮询逻辑：

```
TaskStatus=Processing
```
→ 等待2秒后重试，最多重试5次
10秒后仍未完成 → 标记为失败
```
TaskStatus=Success
```
→ 处理成功
```
TaskStatus=Failure
```
→ 检查ErrorCode

Step 7: Loop to Handle Other Alerts

步骤7：循环处理其他告警

If there are other alerts, repeat Steps 3-6. Maximum 20 alerts per batch.

如果存在其他告警，重复步骤3-6。每批最多处理20条告警。

Step 8: Results Summary

步骤8：结果汇总

========== Handling Results Summary ==========

✅ Successfully Handled: 3 items
  [Alert 7009607xx] Block IP - Success

❌ Handling Failed: 1 item
  [Alert 7008557xx] Kill and Quarantine - Failed (AgentOffline)

Total: 4 items, Success 3, Failed 1

For detailed format, see references/error-handling.md

========== 处理结果汇总 ==========

✅ 处理成功：3条
  [告警7009607xx] 阻断IP - 成功

❌ 处理失败：1条
  [告警7008557xx] 查杀并隔离 - 失败（AgentOffline）

总计：4条，成功3条，失败1条

如需查看完整格式，请参考 references/error-handling.md

operateCode Quick Reference

operateCode快速参考

operateCode	Description	Additional Params
block_ip	Block IP	expireTime (required)
kill_and_quara	Kill and Quarantine	subOperation (required)
virus_quara	Quarantine File	subOperation (required)
quara	Quarantine	None
advance_mark_mis_info	Advanced Whitelist	MarkMissParam
ignore	Ignore	None
manual_handled	Mark as Handled	None
kill_process	Kill Process	None

For complete operateCode categories and details, see references/operation-codes.md

operateCode	描述	额外参数
block_ip	阻断IP	expireTime（必填）
kill_and_quara	查杀并隔离	subOperation（必填）
virus_quara	隔离文件	subOperation（必填）
quara	隔离	无
advance_mark_mis_info	高级白名单	MarkMissParam
ignore	忽略	无
manual_handled	标记为已处理	无
kill_process	杀掉进程	无

如需查看完整operateCode分类和详情，请参考 references/operation-codes.md

Error Handling

错误处理

Error Scenario	Handling Method
UserCanOperate=false	Operation not supported, version limitation
Timeout (>10s)	Mark as failed, continue next
*.AgentOffline	Client offline, cannot handle
*.ProcessNotExist	Suggest using virus_quara_bin
NoPermission	Contact admin for authorization
SecurityEventNotExists	Search in handled alerts first

For detailed error handling procedures, see references/error-handling.md

错误场景	处理方式
UserCanOperate=false	不支持该操作，版本限制
超时（>10秒）	标记为失败，继续处理下一条
*.AgentOffline	客户端离线，无法处理
*.ProcessNotExist	建议使用virus_quara_bin
NoPermission	联系管理员授权
SecurityEventNotExists	先在已处理告警中搜索

如需查看详细错误处理流程，请参考 references/error-handling.md

Best Practices

最佳实践

Query before handling: Call
```
DescribeSecurityEventOperations
```
first
Batch limit: Maximum 20 alerts per batch
Preserve existing rules: When using advanced whitelist, merge existing MarkField rules
Timeout handling: Polling over 10 seconds = failed
User confirmation: Must confirm intent before handling
Logging: Record all operations for auditing

处理前先查询：先调用
```
DescribeSecurityEventOperations
```
批次限制：每批最多处理20条告警
保留已有规则：使用高级白名单时，合并已有的MarkField规则
超时处理：轮询超过10秒判定为失败
用户确认：处理前必须确认用户意图
日志记录：记录所有操作以便审计

Reference Documents

参考文档

Document	Description
references/workflow-details.md	Detailed workflow, CLI examples, advanced whitelist
references/operation-codes.md	Complete operateCode reference
references/error-handling.md	Error handling procedures
references/related-apis.md	API parameter details
references/ram-policies.md	RAM permission policies
references/verification-method.md	Verification methods
references/cli-installation-guide.md	CLI installation guide

文档	描述
references/workflow-details.md	详细工作流、CLI示例、高级白名单说明
references/operation-codes.md	完整operateCode参考
references/error-handling.md	错误处理流程
references/related-apis.md	API参数详情
references/ram-policies.md	RAM权限策略
references/verification-method.md	验证方法
references/cli-installation-guide.md	CLI安装指南