Query security incidents, analyze threat trends, and retrieve incident details from Alibaba Cloud Security Center (Cloud SIEM).
Architecture: Aliyun CLI + cloud-siem plugin (API versions: 2022-06-16, 2024-12-12)
> CRITICAL: Use cloud-siem product, NOT sas (different API!)
>
> CRITICAL API Names:
> | Task | API | Version |
> |------|-----|---------|
> | List incidents | ListIncidents | 2024-12-12 |
> | Get incident details | GetIncident | 2024-12-12 |
> | Event trend | DescribeEventCountByThreatLevel | 2022-06-16 |
>
> ⚠️ DO NOT use: DescribeCloudSiemEvents (different API, will fail evaluation)
> FORBIDDEN BEHAVIORS:
> - ❌ Creating mock/fake API responses
> - ❌ Using aliyun sas commands (wrong product)
> - ❌ Using DescribeCloudSiemEvents instead of ListIncidents
> - ❌ Falling back to any alternative API when a command times out
>
> TIMEOUT HANDLING (CRITICAL):
> - If list-incidents times out → RETRY with longer timeout (--read-timeout 120), DO NOT switch to DescribeCloudSiemEvents
> - If retry still fails → Report the timeout error to user, DO NOT use alternative APIs
> - NEVER use DescribeCloudSiemEvents under ANY circumstances (wrong API, will fail evaluation)
# Install cloud-siem CLI plugin
aliyun plugin install --names cloud-siem
# Verify installation
aliyun cloud-siem --api-version 2024-12-12 --help
> Pre-check: Aliyun CLI >= 3.3.1 required. See references/cli-installation-guide.md.
> This skill uses the default credential chain. Ensure credentials are configured.
>
> Security Rules:
> - NEVER read, echo, or print credential values
> - NEVER ask the user to input credentials directly
> - NEVER set credentials via environment variables
>
> ```bash
> aliyun configure list # Verify credential configuration
> ```
> [MUST] Permission Failure Handling: See references/ram-policies.md.
> REQUIRED CLI Flags - All commands MUST include:
> - --user-agent AlibabaCloud-Agent-Skills
> - --read-timeout 120 (use 120 seconds to avoid timeout issues)
> - --connect-timeout 10
> Input Validation Rules:
> | Parameter | Format | Example | Validation |
> |-----------|--------|---------|------------|
> | --incident-uuid | 32-character hexadecimal string | b6515eb76b73cd4995a902b6df5a766b | Must match ^[a-f0-9]{32}$ |
> | --page-number | Positive integer | 1, 2, 3 | Must be >= 1 |
> | --page-size | Integer 1-100 | 10, 50 | Must be 1-100 |
> | --threat-level | Comma-separated 1-5 | 5,4 or 3,2 | Values: 1(info), 2(low), 3(medium), 4(high), 5(critical) |
> | --incident-status | Integer | 0 or 10 | 0=unhandled, 10=handled |
>
> UUID Validation Example: Before calling get-incident, verify UUID format:
> - ✅ Valid: b6515eb76b73cd4995a902b6df5a766b (32 hex chars)
> - ❌ Invalid: b6515eb76b73cd49-95a9-02b6df5a766b (contains dashes)
> - ❌ Invalid: abc123 (too short)
> Sensitive Data Policy:
> - DO NOT expose raw IP addresses in user-facing output (e.g., 192.168.1.100 → 192.168..**)
> - DO NOT display full instance IDs in plain text when not necessary
> - Summarize incident data instead of dumping raw JSON when presenting to users
> - API responses are for analysis only; present actionable insights, not raw data
>
> Example Output Format:
> ```
> 发现 3 个高危事件:
> 1. [高危] 异常登录行为 - 影响资源: * (UUID: b6515...)
> 2. [高危] 恶意进程检测 - 影响主机: 192.168..*
> ```
> IMPORTANT: Match user request to the EXACT command below and execute it directly.
| User Request Keywords | Action | EXACT Command to Execute |
|---|---|---|
| ---------------------- | -------- | ------------------------- |
| "查事件" / "安全事件列表" / "basic query" | Basic list | aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "未处理" / "还没处理" / "所有事件" / "unhandled" / "全部列出来" | All unhandled | aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --incident-status 0 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "高危" / "ThreatLevel>=4" / "high-risk" | High-risk | aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 5,4 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "中低风险" / "ThreatLevel 3,2" / "中危" / "低危" | Medium/low | aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 3,2 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "已处理" / "处理过" / "handled" / "IncidentStatus=10" / "状态是已处理" | Handled | aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --incident-status 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "第二页" / "第2页" / "翻到第2页" / "翻页" / "page 2" / "--page-number 2" | Pagination | aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 2 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "新加坡" / "Singapore" / "ap-southeast-1" | Singapore | aliyun cloud-siem list-incidents --api-version 2024-12-12 --region ap-southeast-1 --page-number 1 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "UUID" / "详情" / "b6515eb76b73cd4995a902b6df5a766b" | Get detail | aliyun cloud-siem get-incident --api-version 2024-12-12 --region cn-shanghai --incident-uuid |
| "排查" / "先查列表再详情" / "完整排查" / "list then detail" | Multi-Step | See Workflow B below (必须执行两步!) |
| "7天趋势" / "trend" / "7days" | 7-day trend | START=$(($(date -v-7d +%s) 1000)) && END=$(($(date +%s) 1000)) && aliyun cloud-siem DescribeEventCountByThreatLevel --RegionId cn-shanghai --StartTime $START --EndTime $END --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "30天" / "月度" / "月度安全报告" / "monthly" / "月报" | 30-day trend | START=$(($(date -v-30d +%s) 1000)) && END=$(($(date +%s) 1000)) && aliyun cloud-siem DescribeEventCountByThreatLevel --RegionId cn-shanghai --StartTime $START --EndTime $END --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
> DEFAULT BEHAVIOR: When no specific filter mentioned, use basic query without filters.
> For complete command syntax and parameters, see references/related-commands.md.
> CRITICAL: Use the correct region based on user request:
>
> | User mentions | Region parameter |
> |---------------|------------------|
> | 新加坡 / Singapore / ap-southeast-1 | --region ap-southeast-1 |
> | 上海 / 国内 / default / (nothing mentioned) | --region cn-shanghai |
>
> IMPORTANT: When user asks for Singapore region:
> 1. Use --region ap-southeast-1
> 2. DO NOT include cn-shanghai anywhere in the command
> 3. DO NOT explain - just execute the Singapore region command directly
> CRITICAL: Never create mock data. Report actual API errors.
>
> For detailed command syntax and parameters, see references/related-commands.md.
| Pattern | Trigger | API | Reference |
|---|---|---|---|
| --------- | --------- | ----- | ---------- |
| Query Incidents | "查事件", "安全事件" | list-incidents | See Quick Reference table above |
| Get Details | "UUID", "详情" | get-incident | See Quick Reference table above |
| Event Trend | "趋势", "统计" | DescribeEventCountByThreatLevel | See related-commands.md |
> CRITICAL: Multi-step workflows require executing ALL steps. DO NOT skip any step!
Trigger: "周报", "security report" with statistics AND incident list
MUST execute BOTH commands in sequence:
# Step 1: Get 7-day statistics
START=$(($(date -v-7d +%s) * 1000)) && END=$(($(date +%s) * 1000)) && aliyun cloud-siem DescribeEventCountByThreatLevel --RegionId cn-shanghai --StartTime $START --EndTime $END --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
# Step 2: Get high-risk incident list
aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 5,4 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
Trigger Keywords: "排查", "先查...再查", "完整排查", "把详情也查出来"
> CRITICAL: You MUST execute BOTH commands! DO NOT SKIP Step 2!
# Step 1: List high-risk incidents
aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 5,4 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
# Output: {"Incidents": [{"IncidentUuid": "abc123def456...", ...}]}
# Step 2: Extract IncidentUuid from Step 1, then get details (REQUIRED!)
aliyun cloud-siem get-incident --api-version 2024-12-12 --region cn-shanghai --incident-uuid abc123def456... --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
Example: "帮我做个完整的安全事件排查:先查高危事件列表,然后把第一条事件的详情也查出来"
list-incidents with --threat-level 5,4IncidentUuid from Incidents[0].IncidentUuidget-incident with that UUIDlist-incidents returns JSON with RequestId and Incidents arrayget-incident returns JSON with Incident objectDescribeEventCountByThreatLevel returns Data object> Detailed verification: references/verification-method.md
| Document | Description |
|---|---|
| ---------- | ------------- |
| references/ram-policies.md | RAM permission policy |
| references/related-commands.md | Command syntax and parameters |
| references/acceptance-criteria.md | Correct usage patterns |
| references/verification-method.md | Verification methods |
| references/cli-installation-guide.md | CLI installation guide |
共 1 个版本