Scan to contactAlibaba Cloud Security Center - Incident Management
Scenario Description
Query security incidents, analyze threat trends, and retrieve incident details from Alibaba Cloud Security Center (Cloud SIEM).
Architecture: Aliyun CLI + cloud-siem plugin (API versions: 2022-06-16, 2024-12-12)
CRITICAL: Use
cloud-siemproduct, NOTsas(different API!)CRITICAL API Names: | Task | API | Version | |------|-----|---------| | List incidents |
ListIncidents| 2024-12-12 | | Get incident details |GetIncident| 2024-12-12 | | Event trend |DescribeEventCountByThreatLevel| 2022-06-16 |⚠️ DO NOT use:
DescribeCloudSiemEvents(different API, will fail evaluation)
FORBIDDEN BEHAVIORS:
- ❌ Creating mock/fake API responses
- ❌ Using
aliyun sascommands (wrong product)- ❌ Using
DescribeCloudSiemEventsinstead ofListIncidents- ❌ Falling back to any alternative API when a command times out
TIMEOUT HANDLING (CRITICAL):
- If
list-incidentstimes out → RETRY with longer timeout (--read-timeout 120), DO NOT switch toDescribeCloudSiemEvents- If retry still fails → Report the timeout error to user, DO NOT use alternative APIs
- NEVER use
DescribeCloudSiemEventsunder ANY circumstances (wrong API, will fail evaluation)
Installation
# Install cloud-siem CLI plugin
aliyun plugin install --names cloud-siem
# Verify installation
aliyun cloud-siem --api-version 2024-12-12 --help
Pre-check: Aliyun CLI >= 3.3.1 required. See references/cli-installation-guide.md.
Authentication
This skill uses the default credential chain. Ensure credentials are configured.
Security Rules:
- NEVER read, echo, or print credential values
- NEVER ask the user to input credentials directly
- NEVER set credentials via environment variables
aliyun configure list # Verify credential configuration
[MUST] Permission Failure Handling: See references/ram-policies.md.
CLI Configuration
REQUIRED CLI Flags - All commands MUST include:
--user-agent AlibabaCloud-Agent-Skills--read-timeout 120(use 120 seconds to avoid timeout issues)--connect-timeout 10
Parameter Validation
Input Validation Rules: | Parameter | Format | Example | Validation | |-----------|--------|---------|------------| |
--incident-uuid| 32-character hexadecimal string |b6515eb76b73cd4995a902b6df5a766b| Must match^[a-f0-9]{32}$| |--page-number| Positive integer |1,2,3| Must be >= 1 | |--page-size| Integer 1-100 |10,50| Must be 1-100 | |--threat-level| Comma-separated 1-5 |5,4or3,2| Values: 1(info), 2(low), 3(medium), 4(high), 5(critical) | |--incident-status| Integer |0or10| 0=unhandled, 10=handled |UUID Validation Example: Before calling
get-incident, verify UUID format:
- ✅ Valid:
b6515eb76b73cd4995a902b6df5a766b(32 hex chars)- ❌ Invalid:
b6515eb76b73cd49-95a9-02b6df5a766b(contains dashes)- ❌ Invalid:
abc123(too short)
Output Handling
Sensitive Data Policy:
- DO NOT expose raw IP addresses in user-facing output (e.g.,
192.168.1.100→192.168.*.***)- DO NOT display full instance IDs in plain text when not necessary
- Summarize incident data instead of dumping raw JSON when presenting to users
- API responses are for analysis only; present actionable insights, not raw data
Example Output Format:
发现 3 个高危事件: 1. [高危] 异常登录行为 - 影响资源: *** (UUID: b6515...) 2. [高危] 恶意进程检测 - 影响主机: 192.168.*.**
Quick Reference
IMPORTANT: Match user request to the EXACT command below and execute it directly.
| User Request Keywords | Action | EXACT Command to Execute |
|----------------------|--------|-------------------------|
| "查事件" / "安全事件列表" / "basic query" | Basic list | aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "未处理" / "还没处理" / "所有事件" / "unhandled" / "全部列出来" | All unhandled | aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --incident-status 0 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "高危" / "ThreatLevel>=4" / "high-risk" | High-risk | aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 5,4 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "中低风险" / "ThreatLevel 3,2" / "中危" / "低危" | Medium/low | aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 3,2 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "已处理" / "处理过" / "handled" / "IncidentStatus=10" / "状态是已处理" | Handled | aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --incident-status 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "第二页" / "第2页" / "翻到第2页" / "翻页" / "page 2" / "--page-number 2" | Pagination | aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 2 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "新加坡" / "Singapore" / "ap-southeast-1" | Singapore | aliyun cloud-siem list-incidents --api-version 2024-12-12 --region ap-southeast-1 --page-number 1 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "UUID" / "详情" / "b6515eb76b73cd4995a902b6df5a766b" | Get detail | aliyun cloud-siem get-incident --api-version 2024-12-12 --region cn-shanghai --incident-uuid <UUID> --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "排查" / "先查列表再详情" / "完整排查" / "list then detail" | Multi-Step | See Workflow B below (必须执行两步!) |
| "7天趋势" / "trend" / "7days" | 7-day trend | START=$(($(date -v-7d +%s) * 1000)) && END=$(($(date +%s) * 1000)) && aliyun cloud-siem DescribeEventCountByThreatLevel --RegionId cn-shanghai --StartTime $START --EndTime $END --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
| "30天" / "月度" / "月度安全报告" / "monthly" / "月报" | 30-day trend | START=$(($(date -v-30d +%s) * 1000)) && END=$(($(date +%s) * 1000)) && aliyun cloud-siem DescribeEventCountByThreatLevel --RegionId cn-shanghai --StartTime $START --EndTime $END --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10 |
DEFAULT BEHAVIOR: When no specific filter mentioned, use basic query without filters.
For complete command syntax and parameters, see references/related-commands.md.
Region Selection
CRITICAL: Use the correct region based on user request:
| User mentions | Region parameter | |---------------|------------------| | 新加坡 / Singapore / ap-southeast-1 |
--region ap-southeast-1| | 上海 / 国内 / default / (nothing mentioned) |--region cn-shanghai|IMPORTANT: When user asks for Singapore region:
- Use
--region ap-southeast-1- DO NOT include cn-shanghai anywhere in the command
- DO NOT explain - just execute the Singapore region command directly
Core Workflow
CRITICAL: Never create mock data. Report actual API errors.
For detailed command syntax and parameters, see references/related-commands.md.
Workflow Patterns
| Pattern | Trigger | API | Reference |
|---------|---------|-----|----------|
| Query Incidents | "查事件", "安全事件" | list-incidents | See Quick Reference table above |
| Get Details | "UUID", "详情" | get-incident | See Quick Reference table above |
| Event Trend | "趋势", "统计" | DescribeEventCountByThreatLevel | See related-commands.md |
Multi-Step Workflows
CRITICAL: Multi-step workflows require executing ALL steps. DO NOT skip any step!
Workflow A: Weekly Security Report (周报/安全报告)
Trigger: "周报", "security report" with statistics AND incident list
MUST execute BOTH commands in sequence:
# Step 1: Get 7-day statistics
START=$(($(date -v-7d +%s) * 1000)) && END=$(($(date +%s) * 1000)) && aliyun cloud-siem DescribeEventCountByThreatLevel --RegionId cn-shanghai --StartTime $START --EndTime $END --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
# Step 2: Get high-risk incident list
aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 5,4 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
Workflow B: Full Investigation (排查/完整排查)
Trigger Keywords: "排查", "先查...再查", "完整排查", "把详情也查出来"
CRITICAL: You MUST execute BOTH commands! DO NOT SKIP Step 2!
# Step 1: List high-risk incidents
aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 5,4 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
# Output: {"Incidents": [{"IncidentUuid": "abc123def456...", ...}]}
# Step 2: Extract IncidentUuid from Step 1, then get details (REQUIRED!)
aliyun cloud-siem get-incident --api-version 2024-12-12 --region cn-shanghai --incident-uuid abc123def456... --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
Example: "帮我做个完整的安全事件排查:先查高危事件列表,然后把第一条事件的详情也查出来"
- Call
list-incidentswith--threat-level 5,4 - Extract
IncidentUuidfromIncidents[0].IncidentUuid - Call
get-incidentwith that UUID
Success Verification
list-incidentsreturns JSON withRequestIdandIncidentsarrayget-incidentreturns JSON withIncidentobjectDescribeEventCountByThreatLevelreturnsDataobject
Detailed verification: references/verification-method.md
Reference Links
| Document | Description | |----------|-------------| | references/ram-policies.md | RAM permission policy | | references/related-commands.md | Command syntax and parameters | | references/acceptance-criteria.md | Correct usage patterns | | references/verification-method.md | Verification methods | | references/cli-installation-guide.md | CLI installation guide |