Cloud Security Center CWPP Alert Handling Skill

Scenario Description

This skill helps users query and handle CWPP host security alerts from Alibaba Cloud Security Center (SAS/Aegis).

Core Capabilities:

• Query security alert list
• Analyze alert details and recommend handling methods
• Execute alert handling operations (ignore, whitelist, block, quarantine, etc.)
• Query handling status and summarize results

Architecture: Alibaba Cloud Security Center (SAS) + RAM Permissions + CLI Tools

Installation Requirements

Pre-check: Aliyun CLI >= 3.3.3 required

> Run aliyun version to verify >= 3.3.3. If not installed or version too low,

> run curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash to update,

> or see references/cli-installation-guide.md for installation instructions.

Pre-check: Aliyun CLI plugin update required

> [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.

> [MUST] run aliyun plugin update to ensure that any existing plugins are always up-to-date.

[MUST] CLI User-Agent — Every aliyun CLI command invocation must include:

--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

At the start of the Core Workflow (before any CLI invocation):

[MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution.

Run the following commands before any CLI invocation:

aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler"

[MUST] Disable AI-Mode at EVERY exit point — Before delivering the final response for ANY reason, always disable AI-mode first. This applies to ALL exit paths: workflow success, workflow failure, error/exception, user cancellation, session end, or any other scenario where no further CLI commands will be executed.

AI-mode is only used for Agent Skill invocation scenarios and MUST NOT remain enabled after the skill stops running.

aliyun configure ai-mode disable

Authentication Configuration

> Pre-check: Alibaba Cloud Credentials Required

>

> Security Rules:

> - NEVER read, output, or print AK/SK values

> - NEVER ask users to input AK/SK directly

> - ONLY use aliyun configure list to check credential status

>

> ```bash

> aliyun configure list

> ```

> Check the output for a valid profile. If no valid profile exists, STOP here.

RAM Permission Requirements

For detailed policies, see references/ram-policies.md

> [MUST] Permission Failure Handling: When permission errors occur:

> 1. Read references/ram-policies.md for required permissions

> 2. Use ram-permission-diagnose skill to guide user

> 3. Wait until user confirms permissions granted

Core Workflow

Step 0: Identify Query Scenario (Critical)

> ⚠️ IMPORTANT: Choose the correct API based on user input

Scenario A: User specified alert ID → Verify alert exists:

aliyun sas DescribeSecurityEventOperations \
  --SecurityEventId {AlertID} \
  --Lang zh \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

• Success → Alert exists, proceed to Step 5
• Failure (SecurityEventNotExists) → See references/error-handling.md

Scenario B: User did not specify alert ID → Proceed to Step 1

Step 1: Query Alert List

aliyun sas DescribeSuspEvents \
  --Lang zh \
  --From sas \
  --CurrentPage 1 \
  --PageSize 10 \
  --Levels "serious,suspicious,remind" \
  --Dealed N \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler 2>/dev/null | jq '.SuspEvents[] | {Id, Name: .AlarmEventNameDisplay, AlarmEventType, Level, InternetIp, IntranetIp, LastTime, EventStatus, Uuid}'

Key Response Fields:

Step 2: Display Alert Information and Recommendations

Display Format:

Alert List (Total X items):

[Alert 1] ID: 7009607xx
- Name: ECS login from unusual location
- Type: Unusual Login
- Severity: suspicious
- Asset: 47.xxx.xxx.xxx / 10.xxx.xxx.xxx
- Status: Pending
- Time: 2026-03-19 14:11:05
- Recommended Action: Block IP
- Reason: Unusual login behavior detected

For operateCode mappings and recommendation rules, see references/operation-codes.md

Step 3: Determine Handling Intent

Case A: User specified handling method → Proceed to Step 4

Case B: User did not specify → Must ask user:

Please confirm how to handle these alerts:

1. ✅ Handle all using recommended methods
2. 🔧 Custom handling method
3. ❌ Cancel

Please select (enter number):

Step 4: Query Available Handling Operations

> ⚠️ Strict Constraint: Each alert's available operations must be queried individually

> - NEVER assume one alert's operations apply to another

> - MUST call DescribeSecurityEventOperations for each alert

aliyun sas DescribeSecurityEventOperations \
  --SecurityEventId {AlertID} \
  --Lang zh \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

⚠️ Critical: Only execute operations where UserCanOperate=true

Step 5: Build Parameters and Execute

Quick Reference - Common Operations:

Example - ignore:

aliyun sas HandleSecurityEvents \
  --SecurityEventIds.1 7009586xx \
  --OperationCode ignore \
  --OperationParams '{}' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

Example - kill_and_quara:

aliyun sas HandleSecurityEvents \
  --SecurityEventIds.1 7008619xx \
  --OperationCode kill_and_quara \
  --OperationParams '{"subOperation":"killAndQuaraFileByMd5andPath"}' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

Example - block_ip (7 days):

# Calculate: current_timestamp_ms + 7*24*60*60*1000
aliyun sas HandleSecurityEvents \
  --SecurityEventIds.1 7009607xx \
  --OperationCode block_ip \
  --OperationParams '{"expireTime":1773991205392}' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

Example - advance_mark_mis_info:

aliyun sas HandleSecurityEvents \
  --SecurityEventIds.1 7009586xx \
  --OperationCode advance_mark_mis_info \
  --OperationParams '{}' \
  --MarkMissParam '[{"uuid":"ALL","field":"loginSourceIp","operate":"strEqual","fieldValue":"59.82.xx.xx"}]' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

> ⚠️ For advanced whitelist (advance_mark_mis_info):

> - Must ask user about whitelist rules and scope

> - Must preserve existing MarkField rules

> - See references/workflow-details.md for detailed process

For complete CLI examples and parameter details, see references/workflow-details.md

Step 6: Query Handling Status

> ⚠️ CLI Requirement: Must pass both TaskId and SecurityEventIds

aliyun sas DescribeSecurityEventOperationStatus \
  --TaskId 290511xx \
  --SecurityEventIds.1 7009607xx \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

Polling Logic:

1. TaskStatus=Processing → Wait 2s, retry (max 5 times)
2. After 10s still not complete → Mark as failed
3. TaskStatus=Success → Handling successful
4. TaskStatus=Failure → Check ErrorCode

Step 7: Loop to Handle Other Alerts

If there are other alerts, repeat Steps 3-6. Maximum 20 alerts per batch.

Step 8: Results Summary

========== Handling Results Summary ==========

✅ Successfully Handled: 3 items
  [Alert 7009607xx] Block IP - Success

❌ Handling Failed: 1 item
  [Alert 7008557xx] Kill and Quarantine - Failed (AgentOffline)

Total: 4 items, Success 3, Failed 1

For detailed format, see references/error-handling.md

operateCode Quick Reference

For complete operateCode categories and details, see references/operation-codes.md

Error Handling

For detailed error handling procedures, see references/error-handling.md

Best Practices

1. Query before handling: Call DescribeSecurityEventOperations first
2. Batch limit: Maximum 20 alerts per batch
3. Preserve existing rules: When using advanced whitelist, merge existing MarkField rules
4. Timeout handling: Polling over 10 seconds = failed
5. User confirmation: Must confirm intent before handling
6. Logging: Record all operations for auditing

Reference Documents