Scan to contactCloud Security Center CWPP Alert Handling Skill
Scenario Description
This skill helps users query and handle CWPP host security alerts from Alibaba Cloud Security Center (SAS/Aegis).
Core Capabilities:
- Query security alert list
- Analyze alert details and recommend handling methods
- Execute alert handling operations (ignore, whitelist, block, quarantine, etc.)
- Query handling status and summarize results
Architecture: Alibaba Cloud Security Center (SAS) + RAM Permissions + CLI Tools
Installation Requirements
Pre-check: Aliyun CLI >= 3.3.3 required
Run
aliyun versionto verify >= 3.3.3. If not installed or version too low, runcurl -fsSL https://aliyuncli.alicdn.com/setup.sh | bashto update, or seereferences/cli-installation-guide.mdfor installation instructions.
Pre-check: Aliyun CLI plugin update required
[MUST] run
aliyun configure set --auto-plugin-install trueto enable automatic plugin installation. [MUST] runaliyun plugin updateto ensure that any existing plugins are always up-to-date.
[MUST] CLI User-Agent — Every aliyun CLI command invocation must include:
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler
At the start of the Core Workflow (before any CLI invocation): [MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution. Run the following commands before any CLI invocation:
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler"
[MUST] Disable AI-Mode at EVERY exit point — Before delivering the final response for ANY reason, always disable AI-mode first. This applies to ALL exit paths: workflow success, workflow failure, error/exception, user cancellation, session end, or any other scenario where no further CLI commands will be executed. AI-mode is only used for Agent Skill invocation scenarios and MUST NOT remain enabled after the skill stops running.
aliyun configure ai-mode disable
Authentication Configuration
Pre-check: Alibaba Cloud Credentials Required
Security Rules:
- NEVER read, output, or print AK/SK values
- NEVER ask users to input AK/SK directly
- ONLY use
aliyun configure listto check credential statusaliyun configure listCheck the output for a valid profile. If no valid profile exists, STOP here.
RAM Permission Requirements
| Permission Name | Description |
|-----------------|-------------|
| yundun-sas:DescribeSuspEvents | Query alert list |
| yundun-sas:DescribeSecurityEventOperations | Query available operations |
| yundun-sas:HandleSecurityEvents | Handle alerts |
| yundun-sas:DescribeSecurityEventOperationStatus | Query handling status |
For detailed policies, see references/ram-policies.md
[MUST] Permission Failure Handling: When permission errors occur:
- Read
references/ram-policies.mdfor required permissions- Use
ram-permission-diagnoseskill to guide user- Wait until user confirms permissions granted
Core Workflow
Step 0: Identify Query Scenario (Critical)
⚠️ IMPORTANT: Choose the correct API based on user input
| Scenario | User Input Example | Correct Approach |
|----------|-------------------|------------------|
| User specified alert ID | "Query alert 702173474" | Directly call DescribeSecurityEventOperations --SecurityEventId {ID} |
| User did not specify alert ID | "View my alerts" | Execute Step 1 to query alert list |
Scenario A: User specified alert ID → Verify alert exists:
aliyun sas DescribeSecurityEventOperations \
--SecurityEventId {AlertID} \
--Lang zh \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler
- Success → Alert exists, proceed to Step 5
- Failure (
SecurityEventNotExists) → See references/error-handling.md
Scenario B: User did not specify alert ID → Proceed to Step 1
Step 1: Query Alert List
aliyun sas DescribeSuspEvents \
--Lang zh \
--From sas \
--CurrentPage 1 \
--PageSize 10 \
--Levels "serious,suspicious,remind" \
--Dealed N \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler 2>/dev/null | jq '.SuspEvents[] | {Id, Name: .AlarmEventNameDisplay, AlarmEventType, Level, InternetIp, IntranetIp, LastTime, EventStatus, Uuid}'
Key Response Fields:
| Field | Description | |-------|-------------| | Id | Alert event ID (core field) | | AlarmEventNameDisplay | Alert name | | AlarmEventType | Alert type | | Level | Severity (serious/suspicious/remind) | | EventStatus | 1=pending, 2=ignored, 8=false positive, 32=completed |
Step 2: Display Alert Information and Recommendations
Display Format:
Alert List (Total X items):
[Alert 1] ID: 7009607xx
- Name: ECS login from unusual location
- Type: Unusual Login
- Severity: suspicious
- Asset: 47.xxx.xxx.xxx / 10.xxx.xxx.xxx
- Status: Pending
- Time: 2026-03-19 14:11:05
- Recommended Action: Block IP
- Reason: Unusual login behavior detected
For operateCode mappings and recommendation rules, see references/operation-codes.md
Step 3: Determine Handling Intent
Case A: User specified handling method → Proceed to Step 4
Case B: User did not specify → Must ask user:
Please confirm how to handle these alerts:
1. ✅ Handle all using recommended methods
2. 🔧 Custom handling method
3. ❌ Cancel
Please select (enter number):
Step 4: Query Available Handling Operations
⚠️ Strict Constraint: Each alert's available operations must be queried individually
- NEVER assume one alert's operations apply to another
- MUST call
DescribeSecurityEventOperationsfor each alert
aliyun sas DescribeSecurityEventOperations \
--SecurityEventId {AlertID} \
--Lang zh \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler
⚠️ Critical: Only execute operations where UserCanOperate=true
Step 5: Build Parameters and Execute
Quick Reference - Common Operations:
| OperationCode | OperationParams | Notes |
|---------------|-----------------|-------|
| block_ip | {"expireTime":1773991205392} | expireTime = current + duration (ms) |
| kill_and_quara | {"subOperation":"killAndQuaraFileByMd5andPath"} | |
| virus_quara | {"subOperation":"quaraFileByMd5andPath"} | |
| quara | {} | |
| ignore | {} | |
| manual_handled | {} | |
| advance_mark_mis_info | {} + MarkMissParam | See workflow-details.md |
Example - ignore:
aliyun sas HandleSecurityEvents \
--SecurityEventIds.1 7009586xx \
--OperationCode ignore \
--OperationParams '{}' \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler
Example - kill_and_quara:
aliyun sas HandleSecurityEvents \
--SecurityEventIds.1 7008619xx \
--OperationCode kill_and_quara \
--OperationParams '{"subOperation":"killAndQuaraFileByMd5andPath"}' \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler
Example - block_ip (7 days):
# Calculate: current_timestamp_ms + 7*24*60*60*1000
aliyun sas HandleSecurityEvents \
--SecurityEventIds.1 7009607xx \
--OperationCode block_ip \
--OperationParams '{"expireTime":1773991205392}' \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler
Example - advance_mark_mis_info:
aliyun sas HandleSecurityEvents \
--SecurityEventIds.1 7009586xx \
--OperationCode advance_mark_mis_info \
--OperationParams '{}' \
--MarkMissParam '[{"uuid":"ALL","field":"loginSourceIp","operate":"strEqual","fieldValue":"59.82.xx.xx"}]' \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler
⚠️ For advanced whitelist (advance_mark_mis_info):
- Must ask user about whitelist rules and scope
- Must preserve existing MarkField rules
- See references/workflow-details.md for detailed process
For complete CLI examples and parameter details, see references/workflow-details.md
Step 6: Query Handling Status
⚠️ CLI Requirement: Must pass both TaskId and SecurityEventIds
aliyun sas DescribeSecurityEventOperationStatus \
--TaskId 290511xx \
--SecurityEventIds.1 7009607xx \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler
Polling Logic:
TaskStatus=Processing→ Wait 2s, retry (max 5 times)- After 10s still not complete → Mark as failed
TaskStatus=Success→ Handling successfulTaskStatus=Failure→ Check ErrorCode
Step 7: Loop to Handle Other Alerts
If there are other alerts, repeat Steps 3-6. Maximum 20 alerts per batch.
Step 8: Results Summary
========== Handling Results Summary ==========
✅ Successfully Handled: 3 items
[Alert 7009607xx] Block IP - Success
❌ Handling Failed: 1 item
[Alert 7008557xx] Kill and Quarantine - Failed (AgentOffline)
Total: 4 items, Success 3, Failed 1
For detailed format, see references/error-handling.md
operateCode Quick Reference
| operateCode | Description | Additional Params | |-------------|-------------|-------------------| | block_ip | Block IP | expireTime (required) | | kill_and_quara | Kill and Quarantine | subOperation (required) | | virus_quara | Quarantine File | subOperation (required) | | quara | Quarantine | None | | advance_mark_mis_info | Advanced Whitelist | MarkMissParam | | ignore | Ignore | None | | manual_handled | Mark as Handled | None | | kill_process | Kill Process | None |
For complete operateCode categories and details, see references/operation-codes.md
Error Handling
| Error Scenario | Handling Method | |----------------|------------------| | UserCanOperate=false | Operation not supported, version limitation | | Timeout (>10s) | Mark as failed, continue next | | *.AgentOffline | Client offline, cannot handle | | *.ProcessNotExist | Suggest using virus_quara_bin | | NoPermission | Contact admin for authorization | | SecurityEventNotExists | Search in handled alerts first |
For detailed error handling procedures, see references/error-handling.md
Best Practices
- Query before handling: Call
DescribeSecurityEventOperationsfirst - Batch limit: Maximum 20 alerts per batch
- Preserve existing rules: When using advanced whitelist, merge existing MarkField rules
- Timeout handling: Polling over 10 seconds = failed
- User confirmation: Must confirm intent before handling
- Logging: Record all operations for auditing
Reference Documents
| Document | Description | |----------|-------------| | references/workflow-details.md | Detailed workflow, CLI examples, advanced whitelist | | references/operation-codes.md | Complete operateCode reference | | references/error-handling.md | Error handling procedures | | references/related-apis.md | API parameter details | | references/ram-policies.md | RAM permission policies | | references/verification-method.md | Verification methods | | references/cli-installation-guide.md | CLI installation guide |