← 返回
未分类 Key 中文

Alibabacloud Dsc Audit

Query and handle security risk events from Alibaba Cloud Data Security Center. Supports viewing the list of unprocessed risk events and performing manual han...
查询和处理阿里云数据安全中心的风险事件,支持查看未处理风险事件列表并执行手动处理。
sdk-team sdk-team 来源
未分类 clawhub v0.0.2 1 版本 100000 Key: 需要
★ 0
Stars
📥 342
下载
💾 0
安装
1
版本
#latest

概述

Alibaba Cloud Data Security Center Risk Event Query and Handling

This skill uses Alibaba Cloud Python Common SDK (generic invocation) to query security risk events from the Data Security Center and handle them.

Architecture

User → Python Common SDK → Data Security Center (Sddp) API
                              ├── DescribeRiskRules (Query risk events)
                              └── PreHandleAuditRisk (Handle risk events)

Installation

pip3 install -r scripts/requirements.txt

Or install packages individually:

pip3 install alibabacloud_tea_openapi==0.4.3 alibabacloud_credentials==1.0.8 alibabacloud_tea_util==0.3.14 alibabacloud_openapi_util==0.2.4

[MUST] CLI User-Agent — Every aliyun CLI command invocation must include:

--user-agent AlibabaCloud-Agent-Skills/alibabacloud-dsc-audit

> Pre-check: Aliyun CLI >= 3.3.3 required

> Run aliyun version to verify >= 3.3.3. If not installed or version too low,

> run curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash to update,

> or see references/cli-installation-guide.md for installation instructions.

> Pre-check: Aliyun CLI plugin update required

> [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.

> [MUST] run aliyun plugin update to ensure that any existing plugins are always up-to-date.

At the start of the Core Workflow (before any CLI invocation):

[MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution.

Run the following commands before any CLI invocation:

aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-dsc-audit"

[MUST] Disable AI-Mode at EVERY exit point — Before delivering the final response for ANY reason, always disable AI-mode first. This applies to ALL exit paths: workflow success, workflow failure, error/exception, user cancellation, session end, or any other scenario where no further CLI commands will be executed.

AI-mode is only used for Agent Skill invocation scenarios and MUST NOT remain enabled after the skill stops running.

aliyun configure ai-mode disable

Authentication

> Pre-check: Alibaba Cloud Credentials Required

>

> Security Rules:

> - NEVER read, echo, or print AK/SK values (e.g., echo $ALIBABA_CLOUD_ACCESS_KEY_ID is FORBIDDEN)

> - NEVER ask the user to input AK/SK directly in the conversation or command line

> - NEVER use aliyun configure set with literal credential values

> - ONLY use aliyun configure list to check credential status

>

> ```bash

> aliyun configure list

> ```

> Check the output for a valid profile (AK, STS, or OAuth identity).

>

> If no valid profile exists, STOP here.

> 1. Obtain credentials from Alibaba Cloud Console

> 2. Configure credentials outside of this session (via aliyun configure in terminal or environment variables in shell profile)

> 3. Return and re-run after aliyun configure list shows a valid profile

RAM Permissions

Before using this skill, ensure the current user has the required RAM permissions. For detailed permission lists and policy configurations, refer to references/ram-policies.md

Parameter Confirmation

> IMPORTANT: Parameter Confirmation — Before executing any command or API call,

> ALL user-customizable parameters (e.g., RegionId, instance names, CIDR blocks,

> passwords, domain names, resource specifications, etc.) MUST be confirmed with the

> user. Do NOT assume or use default values without explicit user approval.

ParameterRequired/OptionalDescriptionDefault
----------------------------------------------------
CurrentPageOptionalCurrent page number1
PageSizeOptionalRecords per page10
HandleStatusOptionalProcessing status, PROCESSED means handled, UNPROCESSED means not handledUNPROCESSED
RiskIdRequired for handlingRisk event ID-
HandleDetailRequired for handlingHandling details description-

Core Workflow

Step 1: Query Unprocessed Security Risk Events

Use the scripts/query_risk.py script to query unprocessed security risk events. This is a paginated API that returns the first 20 records by default.

python3 scripts/query_risk.py

Example output:

Found 31 unprocessed security risk events
================================================================================
Risk ID: 75110196
Rule Name: jiangyu_test_mysqldump
Risk Level: High Risk
Product Type: RDS
Alert Count: 20
Asset Count: 2
Rule Category: Database Dump Attack
--------------------------------------------------------------------------------

Query Result Field Descriptions

The query results return the following key fields. Risk Event ID (RiskId) is a required parameter for handling:

FieldDescription
--------------------
RiskIdRisk event ID, required for handling
RuleNameRule name
WarnLevelNameRisk level (High Risk/Medium Risk/Low Risk)
ProductCodeProduct type (RDS/OSS, etc.)
AlarmCountAlert count
InstanceCountNumber of affected assets
FirstAlarmTimeFirst discovery time
LastAlarmTimeLast discovery time

Step 2: Handle Security Risk Events

Use the scripts/handle_risk.py script to handle specified risk events.

python3 scripts/handle_risk.py <RiskID> <HandleDetail>

Example:

python3 scripts/handle_risk.py 75110196 "Confirmed as false positive, closing this alert"

Example output:

Handling risk event...
Risk ID: 75110196
Handle Detail: Confirmed as false positive, closing this alert
--------------------------------------------------
✅ Handling successful!
RequestId: C34D813F-A234-5D66-842D-504D84D5C680

Handling Parameter Descriptions

ParameterDescription
------------------------
RiskIdRisk event ID, obtained from DescribeRiskRules API
HandleTypeHandling type, fixed as Manual (manual handling)
HandleMethodHandling method, fixed as 0
HandleDetailHandling details, requires user to input specific handling description

Success Verification

Verify Query Operation

  1. After executing the query code, check if the returned statusCode is 200
  2. Check if the returned body contains the Items list
  3. Verify that TotalCount matches the actual number of returned records

Verify Handling Operation

  1. After executing the handling code, check if the returned statusCode is 200
  2. Call DescribeRiskRules again to query the RiskId and confirm the status has changed

Cleanup

This skill is primarily used for query and handling operations, does not involve resource creation, and requires no cleanup.

API and Command Reference

ProductAPI ActionScriptDescription
------------------------------------------
SddpDescribeRiskRulesscripts/query_risk.pyQuery security risk events
SddpPreHandleAuditRiskscripts/handle_risk.pyHandle security risk events

Script Usage

ScriptUsageDescription
----------------------------
query_risk.pypython3 scripts/query_risk.pyExecute directly, no parameters required
handle_risk.pypython3 scripts/handle_risk.py Requires Risk ID and handling description

For detailed API information, refer to references/related-apis.md

Best Practices

  1. Paginated Query: When using paginated APIs, increment the CurrentPage parameter until all records are retrieved
  2. Record RiskId: The RiskId in query results is a required parameter for handling operations, make sure to record it
  3. Handle Description: Provide a clear HandleDetail description when handling for subsequent auditing
  4. Error Handling: Implement retry mechanisms for temporary errors like Throttling
  5. Credential Security: Use CredentialClient to manage credentials, do not hardcode AK/SK

Reference Links

Reference DocumentDescription
---------------------------------
references/related-apis.mdAPI detailed documentation
references/ram-policies.mdRAM permission configuration
references/cli-installation-guide.mdCLI installation guide
references/acceptance-criteria.mdAcceptance criteria
Generic Invocation DocumentationAlibaba Cloud Python SDK generic invocation documentation

Important Notes

> Warning: This skill only uses the Data Security Center's DescribeRiskRules and PreHandleAuditRisk APIs.

> If these two APIs cannot be found, report an error. Do NOT call other OpenAPIs without authorization.

> Do not use Alibaba Cloud CLI tools to call APIs.

版本历史

共 1 个版本

  • v0.0.2 当前
    2026-05-07 08:55 安全 安全

安全检测

腾讯云安全 (Keen)

安全,无风险
查看报告

腾讯云安全 (Sanbu)

安全,无风险
查看报告

🔗 相关推荐

ai-agent

Alibabacloud Find Skills

sdk-team
用于搜索、发现、浏览或查找阿里云(Alibaba Cloud)代理技能。触发词包括“查找X技能”“搜索阿里云…”等。
★ 0 📥 1,214
it-ops-security

MoltGuard - Security & Antivirus & Guardrails

thomaslwang
MoltGuard — OpenClaw 安全守卫,由 OpenGuardrails 提供。安装后可防止您和您的用户受到提示注入、数据泄露及恶意行为的侵害。
★ 116 📥 31,038
it-ops-security

1password

steipete
设置和使用 1Password CLI (op)。适用于:安装 CLI、启用桌面应用集成、登录(单/多账户)、通过 op 读取/注入/运行密钥。
★ 53 📥 31,952