SAS Overview Data Query
Retrieves the 5 core modules of the Security Center (SAS) overview dashboard:
- Security Overview — score, fixed vulns, baseline risk, handled alerts
- Usage Info — service days, asset scale, uninstalled clients
- Security Operations — risk governance (AI risk, CSPM, key config, system vulns), security protection (WAF blocks), security response
- Asset Risk Trend — host/container/cloud product risk ratios + trend chart
- Billing & Subscription — post-pay switches, subscription validity, bills
Execution Scope: Each module and data item can be queried independently. Match the scope to the user's request:
- Single data item — e.g., "What is my security score?" → only command 1a
- Single module — e.g., "Show asset risk trend" → all of Module 4
- Full overview — e.g., "SAS overview" → all 5 modules
Architecture: SAS + WAF + BssOpenApi
Observability
User-Agent Template:
AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
Session-ID Generation Rule:
- Generate a UUID v4 (e.g.,
550e8400-e29b-41d4-a716-446655440000) at the start of each skill execution session. - The same
{session-id}MUST be used for ALLaliyunCLI commands within a single session, ensuring all requests from one execution can be correlated in logs. - Each new skill invocation MUST generate a fresh session-id.
Usage: Pass the full UA string via the --user-agent flag on every aliyun CLI command:
SESSION_ID=$(python3 -c "import uuid; print(uuid.uuid4())")
aliyun sas describe-version-config --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/$SESSION_ID"
Prerequisites
Pre-check: Aliyun CLI >= 3.3.1 required Run
aliyun versionto verify >= 3.3.1. If not installed or version too low, runcurl -fsSL https://aliyuncli.alicdn.com/setup.sh | bashto update, or seereferences/cli-installation-guide.mdfor installation instructions.
Pre-check: Aliyun CLI plugin update required [MUST] run
aliyun configure set --auto-plugin-install trueto enable automatic plugin installation. [MUST] runaliyun plugin updateto ensure that any existing plugins are always up-to-date.With
--auto-plugin-install trueset, the required plugins (sas, waf-openapi, bssopenapi) are installed automatically on first use — no manualaliyun plugin installstep is needed.
Pre-check: Alibaba Cloud Credentials Required
Security Rules:
- NEVER read, echo, or print AK/SK values (e.g.,
echo $ALIBABA_CLOUD_ACCESS_KEY_IDis FORBIDDEN)- NEVER ask the user to input AK/SK directly in the conversation or command line
- NEVER use
aliyun configure setwith literal credential values- ONLY use
aliyun configure listto check credential statusaliyun configure listCheck the output for a valid profile (AK, STS, or OAuth identity).
If no valid profile exists, STOP here.
- Obtain credentials from Alibaba Cloud Console
- Configure credentials outside of this session (via
aliyun configurein terminal or environment variables in shell profile)- Return and re-run after
aliyun configure listshows a valid profile
Parameters
IMPORTANT: Parameter Confirmation — Before executing any command or API call, ALL user-customizable parameters (e.g., RegionId, WAF InstanceId, BillingCycle, etc.) MUST be confirmed with the user. Do NOT assume or use default values without explicit user approval.
| Parameter | Required | Description | Default |
|-----------|----------|-------------|---------|
| Regions | Yes | SAS regions to aggregate data from | cn-shanghai, ap-southeast-1 |
| WAF Instance ID | Auto-fetched | Auto-fetched via WAF DescribeInstance for DescribeFlowChart | Auto |
| Billing Cycle | Only for billing | Billing month in YYYY-MM format | Current month |
| Time Range | No | Days of history for score/trend queries | 7 (last 7 days) |
RAM Permissions
See references/ram-policies.md for the full RAM policy JSON.
Required: AliyunYundunSASReadOnlyAccess, AliyunWAFReadOnlyAccess, AliyunBSSReadOnlyAccess.
Core Workflow
Based on the user's query, execute the relevant module(s) below. Each module — and each data item within a module — can be executed independently. For APIs marked multi-region, always query both cn-shanghai and ap-southeast-1, then sum the results.
Module 1: Security Overview
# 1a. Security Score (region-agnostic)
aliyun sas describe-secure-suggestion --cal-type home_security_score --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# Extract: Score field from response as current security score
#
# NOTE: DescribeScreenScoreThread is currently unavailable (CalType not supported).
# Once supported, switch to the command below for score + historical trend:
# START=$(python3 -c "import time; print(int((time.time()-86400*7)*1000))")
# END=$(python3 -c "import time; print(int(time.time()*1000))")
# aliyun sas describe-screen-score-thread \
# --cal-type home_security_score \
# --start-time "$START" --end-time "$END" \
# --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# Extract: Data.SocreThread[-1] = current score, full SocreThread list = historical trend
# 1b. Fixed Vulnerabilities (multi-region: sum FixTotal)
aliyun sas describe-vul-fix-statistics --region cn-shanghai --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
aliyun sas describe-vul-fix-statistics --region ap-southeast-1 --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# 1c. Baseline Risk Statistics (multi-region: sum each Summary field)
aliyun sas get-check-risk-statistics --region cn-shanghai --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
aliyun sas get-check-risk-statistics --region ap-southeast-1 --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# Extract: Summary.RiskCheckCnt, Summary.RiskWarningCnt,
# Summary.HandledCheckTotal, Summary.HandledCheckToday
# Sum each field across regions
# 1d. Handled Alerts (multi-region: sum SuspiciousDealtCount)
aliyun sas get-defence-count --region cn-shanghai --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
aliyun sas get-defence-count --region ap-southeast-1 --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
Module 2: Usage Info
# 2a. Service Duration + Subscription (region-agnostic)
aliyun sas describe-version-config --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# Check IsPaidUser first:
# IsPaidUser == true → Extract CreateTime, calculate (now - CreateTime) as days
# IsPaidUser == false → Service duration not applicable, display N/A
# Extract: ReleaseTime → subscription expiry (pre-pay only)
# 2b. Host Asset Info (multi-region: sum TotalCount and Cores)
aliyun sas describe-cloud-center-instances \
--region cn-shanghai --machine-types ecs --current-page 1 --page-size 20 \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
aliyun sas describe-cloud-center-instances \
--region ap-southeast-1 --machine-types ecs --current-page 1 --page-size 20 \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# Extract: PageInfo.TotalCount (sum across regions) for host count
# Extract: Sum all instances' Cores field for total core count
# Optionally list host details if user requests
# 2c. Uninstalled Clients (multi-region: sum TotalCount)
aliyun sas list-uninstall-aegis-machines --region cn-shanghai --current-page 1 --page-size 1 --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
aliyun sas list-uninstall-aegis-machines --region ap-southeast-1 --current-page 1 --page-size 1 --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
Module 3: Security Operations
3a. Risk Governance (region-agnostic, single API call)
aliyun sas describe-secure-suggestion --cal-type home_security_score --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# Process Suggestions[] by SuggestType:
# SS_AI_RISK → AI Risk
# SSI_AISPM_RISK (AI security posture risks)
# SSI_AI_VUL_RISK (AI application vulnerabilities)
# SSI_AI_SENSITIVE_RISK (AI application plaintext keys)
# Aggregate RiskCount by region
# SS_SAS_CLOUD_HC → CSPM risks (aggregate by HIGH/MEDIUM/LOW and region)
# Cloud: SSI_SAS_CLOUD_HC_HIGH / MEDIUM / LOW
# Host: SSI_SAS_HOST_HC_HIGH / MEDIUM / LOW
# SS_KEY_CONFIG → Key Config (SubType not fixed; analyze Description for unknown SubTypes)
# Aggregate RiskCount by region
# SS_SAS_SYS_VUL → System Vulns (aggregate by HIGH/MEDIUM/LOW and region)
# SSI_SAS_SYS_VUL_HIGH / SSI_SAS_SYS_VUL_MEDIUM / SSI_SAS_SYS_VUL_LOW
# SS_SAS_EMG_VUL → Emergency Vulns (unfixed emergency vulnerabilities)
# SSI_SAS_EMG_VUL
# SS_SAS_APP_VUL → Application Vulns (aggregate by HIGH/MEDIUM and region)
# SSI_SAS_APP_VUL_HIGH / SSI_SAS_APP_VUL_MEDIUM
# SS_PRODUCT_CONNECT → Product Connection (asset protection not enabled)
# SSI_PRODUCT_CONNECT (Description is JSON array with itemDescKey/itemDescText)
# SS_SAS_ALARM → Security Response (see Module 3c)
# SSI_SAS_ALARM_HIGH (emergency) / SSI_SAS_ALARM_MEDIUM (suspicious) / SSI_SAS_ALARM_LOW (reminder)
3b. Security Protection — WAF Blocks (multi-region, two-step, WAF 3.0 only)
WAF Version Requirement: This module uses WAF 3.0 API (Product:
waf-openapi, Version:2021-10-01). WAF 2.0 instances (Version2019-09-10) are NOT compatible — fields such asInstanceIdandWafBlockSummay be missing or structured differently. If the user's WAF instance is 2.0, inform them that this module is not supported for their instance version.Region note:
waf-openapi(WAF 3.0) is a centralized-endpoint product — the China-site RegionId iscn-hangzhou(do NOT usecn-shanghai). Also do NOT pass--versionon these commands: it forces the Location-service endpoint resolver, which only knowscn-hangzhou/ap-southeast-1and would fail on other RegionIds.
# Step 1: Get WAF Instance ID (per region)
aliyun waf-openapi describe-instance --region cn-hangzhou --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
aliyun waf-openapi describe-instance --region ap-southeast-1 --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# Extract: InstanceId from each region's response
# Step 2: Query WAF flow chart using each region's InstanceId
START_SEC=$(python3 -c "import time; print(int(time.time()-86400*7))")
aliyun waf-openapi describe-flow-chart \
--region cn-hangzhou \
--instance-id "<InstanceId from cn-hangzhou>" \
--start-timestamp "$START_SEC" \
--interval 3600 \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
aliyun waf-openapi describe-flow-chart \
--region ap-southeast-1 \
--instance-id "<InstanceId from ap-southeast-1>" \
--start-timestamp "$START_SEC" \
--interval 3600 \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# Sum all WafBlockSum values from both regions
3c. Security Response (region-agnostic, same API as 3a)
aliyun sas describe-secure-suggestion --cal-type home_security_score --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# Process Suggestions[] where SuggestType == "SS_SAS_ALARM":
# SSI_SAS_ALARM_HIGH → Emergency alarm events count
# SSI_SAS_ALARM_MEDIUM → Suspicious alarm events count
# SSI_SAS_ALARM_LOW → Reminder alarm events count
Module 4: Asset Risk Trend
# 4a. Host Assets (multi-region)
aliyun sas describe-cloud-center-instances \
--region cn-shanghai --machine-types ecs --current-page 1 --page-size 1 \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# Extract: PageInfo.TotalCount
aliyun sas describe-field-statistics \
--region cn-shanghai \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# Extract: GroupedFields.RiskInstanceCount
# Repeat for ap-southeast-1, sum both
# 4b. Container Assets (multi-region)
aliyun sas describe-container-field-statistics \
--region cn-shanghai \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# Extract: ClusterCount, RiskClusterCount
# Repeat for ap-southeast-1, sum both
# 4c. Cloud Product Assets (multi-region)
aliyun sas get-cloud-asset-summary \
--region cn-shanghai \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# Extract: GroupedFields.InstanceCountTotal, GroupedFields.InstanceRiskCountTotal
# Repeat for ap-southeast-1, sum both
# 4d. Trend Chart Data (multi-region)
START_MS=$(python3 -c "import time; print(int((time.time()-86400*7)*1000))")
END_MS=$(python3 -c "import time; print(int(time.time()*1000))")
aliyun sas describe-chart-data \
--region cn-shanghai \
--chart-id CID_ASSET_RISK_TREND \
--report-id -1 \
--time-start "$START_MS" --time-end "$END_MS" \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# Returns time series: host / container / cloud risk counts
Module 5: Billing & Subscription
# 5a. Query billing mode (from Module 2a response, can reuse cached result)
aliyun sas describe-version-config --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# Check IsPaidUser field to determine billing mode:
#
# If IsPaidUser == true → Pre-pay (subscription) user:
# Extract CreateTime → purchase date (convert ms timestamp to YYYY-MM-DD)
# Extract ReleaseTime → expiry date (convert ms timestamp to YYYY-MM-DD)
#
# If IsPaidUser == false → Post-pay user:
# Extract PostPayModuleSwitch (JSON string — must parse)
# Map codes to product names using the table below:
# POST_HOST → Host and Container Security
# VUL → Vulnerability Fixing
# CSPM → CSPM
# CTDR → Agentic SOC
# AGENTLESS → Agentless Detection
# SERVERLESS → Serverless Asset Protection
# RASP → Application Protection
# SDK → Malicious File Detection
# CTDR_STORAGE → Log Management
# ANTI_RANSOMWARE → Anti-ransomware
# Value 1 = Enabled, 0 = Disabled
# 5c. Billing Details (try each region, skip on permission error)
BILLING_CYCLE=$(date +%Y-%m)
aliyun bssopenapi query-bill \
--region cn-shanghai \
--billing-cycle "$BILLING_CYCLE" --product-code sas \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# If the above returns a permission error, do NOT silently skip — inform the user (see Data Processing Rules §1)
aliyun bssopenapi query-bill \
--region ap-southeast-1 \
--billing-cycle "$BILLING_CYCLE" --product-code sas \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-overview/{session-id}
# If the above returns a permission error, do NOT silently skip — inform the user (see Data Processing Rules §1)
# Aggregate results from whichever regions succeeded, and explicitly report any skipped regions
Product Code Mapping
| Product Name | Code | Status Values |
|:---|:---|:---|
| Host and Container Security | POST_HOST | 1: Enabled, 0: Disabled |
| Vulnerability Fixing | VUL | 1: Enabled, 0: Disabled |
| CSPM | CSPM | 1: Enabled, 0: Disabled |
| Agentic SOC | CTDR | 1: Enabled, 0: Disabled |
| Agentless Detection | AGENTLESS | 1: Enabled, 0: Disabled |
| Serverless Asset Protection | SERVERLESS | 1: Enabled, 0: Disabled |
| Application Protection | RASP | 1: Enabled, 0: Disabled |
| Malicious File Detection | SDK | 1: Enabled, 0: Disabled |
| Log Management | CTDR_STORAGE | 1: Enabled, 0: Disabled |
| Anti-ransomware | ANTI_RANSOMWARE | 1: Enabled, 0: Disabled |
Data Processing Rules
- Multi-region aggregation: APIs requiring regions must query
cn-shanghai+ap-southeast-1separately, then sum the numeric results.- Permission error handling: If a region returns a permission error (e.g.,
ForbiddenorNoPermission), do NOT silently skip it. You MUST explicitly inform the user which regions succeeded and which failed, including the missing permission. Example: "Data retrieved from cn-shanghai, but ap-southeast-1 returned permission denied (missing sas:DescribeSecureSuggestion). Results only reflect cn-shanghai."
- Permission error handling: If a region returns a permission error (e.g.,
- Timestamps: SAS APIs use millisecond timestamps. WAF APIs use second timestamps.
- PostPayModuleSwitch: Is a JSON string — must
JSON.parse()/json.loads()before reading. - Score extraction: Use
Scorefield fromDescribeSecureSuggestionresponse as current score. Note:Scoreis returned as a string (e.g.,"90.0"), not a number — cast to float before comparison or display. Note:DescribeScreenScoreThreadis currently unavailable (CalType not supported); once supported, switch to using the last element ofData.SocreThread[]as current score and the full list as historical trend. - Security Response: Extracted from
DescribeSecureSuggestionwhereSuggestType == "SS_SAS_ALARM". SubTypes:SSI_SAS_ALARM_HIGH(emergency),SSI_SAS_ALARM_MEDIUM(suspicious),SSI_SAS_ALARM_LOW(reminder). - Timestamp formatting: Convert ms timestamps to
YYYY-MM-DD HH:mm:ssfor display.
Success Verification
See references/verification-method.md for step-by-step verification commands.
Cleanup
This skill is read-only (query operations only). No resources are created, so no cleanup is needed.
Best Practices
- Always query both
cn-shanghaiandap-southeast-1for multi-region APIs before aggregating. - Cache the
DescribeVersionConfigresponse — it is used by both Module 2 and Module 5. - Use
--cli-query(JMESPath) to extract specific fields and reduce output noise. - Set
--page-size 1when onlyTotalCountis needed (e.g.,ListUninstallAegisMachines). - WAF
DescribeFlowChartrequires a valid WAF instance ID — auto-fetch viaDescribeInstancefirst; query bothcn-shanghaiandap-southeast-1. - Billing queries (
QueryBill) require--region— try each region (cn-shanghai,ap-southeast-1) in turn; skip any region that returns a permission error. - All timestamps returned by SAS are in milliseconds — divide by 1000 for human-readable conversion.
Reference Links
| Document | Content | |----------|---------| | references/related-apis.md | Full API and CLI command reference table | | references/ram-policies.md | Required RAM permissions and policies | | references/verification-method.md | Step-by-step verification commands | | references/acceptance-criteria.md | Correct/incorrect CLI patterns | | references/cli-installation-guide.md | CLI installation guide |
微信扫一扫