---
name: alibabacloud-sas-incident-manage
description: |
Alibaba Cloud Security Center incident management skill. Query security incidents, threat trends, and incident details.
Triggers: "云安全中心", "安全事件", "事件查询", "安全态势", "威胁事件", "cloud-siem", "Agentic-soc".
---
# Alibaba Cloud Security Center - Incident Management
## Scenario Description
Query security incidents, analyze threat trends, and retrieve incident details from Alibaba Cloud Security Center (Cloud SIEM).
**Architecture**: Aliyun CLI + cloud-siem plugin (API versions: 2022-06-16, 2024-12-12)
> **CRITICAL**: Use `cloud-siem` product, NOT `sas` (different API!)
>
> **CRITICAL API Names**:
> | Task | API | Version |
> |------|-----|---------|
> | List incidents | `ListIncidents` | 2024-12-12 |
> | Get incident details | `GetIncident` | 2024-12-12 |
> | Event trend | `DescribeEventCountByThreatLevel` | 2022-06-16 |
>
> **⚠️ DO NOT use**: `DescribeCloudSiemEvents` (different API, will fail evaluation)
>
> **FORBIDDEN BEHAVIORS**:
> - ❌ Creating mock/fake API responses
> - ❌ Using `aliyun sas` commands (wrong product)
> - ❌ Using `DescribeCloudSiemEvents` instead of `ListIncidents`
> - ❌ Falling back to any alternative API when a command times out
>
> **TIMEOUT HANDLING** (CRITICAL):
> - If `list-incidents` times out → **RETRY with longer timeout** (`--read-timeout 120`), DO NOT switch to `DescribeCloudSiemEvents`
> - If retry still fails → Report the timeout error to user, DO NOT use alternative APIs
> - **NEVER** use `DescribeCloudSiemEvents` under ANY circumstances (wrong API, will fail evaluation)
## Installation
```bash
# Install cloud-siem CLI plugin
aliyun plugin install --names cloud-siem
# Verify installation
aliyun cloud-siem --api-version 2024-12-12 --help
```
> **Pre-check**: Aliyun CLI >= 3.3.1 required. See [references/cli-installation-guide.md](references/cli-installation-guide.md).
## Pre-Check (read before running ANY command)
> **`--region`** — Defaults to `cn-shanghai`; always include it.
> - cloud-siem has no global endpoint; every command MUST carry `--region` (plugin mode; `--region` sets the endpoint for all commands including `describe-event-count-by-threat-level`).
> - Supported regions: `cn-shanghai` (default), `ap-southeast-1` (Singapore). Use `ap-southeast-1` only when Singapore is explicitly requested.
>
> **`--lang`** — Defaults to `zh`; include it for `list-incidents` / `get-incident`.
> - Override with `--lang en` only when English output is explicitly requested.
> - `describe-event-count-by-threat-level` has no `--lang` parameter; do not add it.
>
> **`--api-version`** — Per-API; must match the table below.
> - Omitting it falls back to `2022-06-16`, which breaks `list-incidents` / `get-incident`.
>
> | API | Command | `--api-version` |
> |-----|---------|-----------------|
> | List incidents | `list-incidents` | `2024-12-12` |
> | Get incident details | `get-incident` | `2024-12-12` |
> | Event trend | `describe-event-count-by-threat-level` | `2022-06-16` (default) |
>
> **Reference command** (all required flags applied):
> ```bash
> aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id} --read-timeout 120 --connect-timeout 10
> ```
>
> Full parameters: [references/related-commands.md](references/related-commands.md). Usage patterns: [references/acceptance-criteria.md](references/acceptance-criteria.md).
## Authentication
> This skill uses the **default credential chain**. Ensure credentials are configured.
>
> **Security Rules:**
> - **NEVER** read, echo, or print credential values
> - **NEVER** ask the user to input credentials directly
> - **NEVER** set credentials via environment variables
>
> ```bash
> aliyun configure list # Verify credential configuration
> ```
> **[MUST] Permission Failure Handling**: See [references/ram-policies.md](references/ram-policies.md).
## CLI Configuration
> **REQUIRED CLI Flags** - All commands MUST include:
> - `--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id}` (see Observability)
> - `--read-timeout 120` (use 120 seconds to avoid timeout issues)
> - `--connect-timeout 10`
## Observability
> Every command MUST carry a User-Agent that identifies the skill and the session, for tracing and auditing.
>
> **UA template**: `--user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id}`
> - `AlibabaCloud-Agent-Skills` — fixed prefix.
> - `alibabacloud-sas-incident-manage` — this skill's name (fixed).
> - `{session-id}` — a 32-character lowercase hex string (matching `^[a-f0-9]{32}$`).
>
> **session-id rule**:
> - Generate ONE session-id at the start of a session (e.g. `openssl rand -hex 16`) and reuse the SAME value for every command in that session.
> - DO NOT regenerate per command. DO NOT log or expose it to the user.
> - In the command examples below, substitute the generated value for the literal `{session-id}` placeholder.
## Parameter Validation
> **Input Validation Rules**:
> | Parameter | Format | Example | Validation |
> |-----------|--------|---------|------------|
> | `--incident-uuid` | 32-character hexadecimal string | `b6515eb76b73cd4995a902b6df5a766b` | Must match `^[a-f0-9]{32}$` |
> | `--page-number` | Positive integer | `1`, `2`, `3` | Must be >= 1 |
> | `--page-size` | Integer 1-100 | `10`, `50` | Must be 1-100 |
> | `--threat-level` | Comma-separated 1-5 | `5,4` or `3,2` | Values: 1(info), 2(low), 3(medium), 4(high), 5(critical) |
> | `--incident-status` | Integer | `0` or `10` | 0=unhandled, 10=handled |
>
> **UUID Validation Example**: Before calling `get-incident`, verify UUID format:
> - ✅ Valid: `b6515eb76b73cd4995a902b6df5a766b` (32 hex chars)
> - ❌ Invalid: `b6515eb76b73cd49-95a9-02b6df5a766b` (contains dashes)
> - ❌ Invalid: `abc123` (too short)
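The Observability and Parameter Validation rules above are easy to apply mechanically before a command is run. The following is an added example of doing so in shell; it is not part of the skill or the Aliyun CLI. The function names are this example's own, nothing here touches the network, and the only assumption beyond the page is that `openssl` or `/dev/urandom` is available for session-id generation. `trend_window_ms` also shows the epoch-millisecond window used by the trend commands computed with plain arithmetic, which works on both GNU and BSD `date`.

```shell
#!/usr/bin/env bash
# Added example (not the skill's own code): validate parameters, generate one
# session-id, and assemble a list-incidents command with every required flag.

SKILL_NAME="alibabacloud-sas-incident-manage"   # fixed, from the UA template
UA_PREFIX="AlibabaCloud-Agent-Skills"            # fixed prefix

# One session-id per session: 32 lowercase hex characters.
new_session_id() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 16
  else
    # Fallback (assumption: /dev/urandom exists on the host)
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# Validators print nothing; they return 0 when valid and 1 otherwise.
is_hex32()             { printf '%s' "$1" | grep -qE '^[a-f0-9]{32}$'; }
valid_page_number()    { printf '%s' "$1" | grep -qE '^[1-9][0-9]*$'; }
valid_page_size()      { printf '%s' "$1" | grep -qE '^[1-9][0-9]*$' && [ "$1" -le 100 ]; }
valid_threat_level()   { printf '%s' "$1" | grep -qE '^[1-5](,[1-5])*$'; }
valid_incident_status(){ [ "$1" = "0" ] || [ "$1" = "10" ]; }
valid_region()         { [ "$1" = "cn-shanghai" ] || [ "$1" = "ap-southeast-1" ]; }

# Epoch-millisecond window ending now and starting DAYS ago, as "START END".
# Plain arithmetic on `date +%s` avoids the BSD-only `date -v-7d`.
trend_window_ms() {
  days=$1
  now=$(date +%s)
  printf '%s %s\n' "$(( (now - days * 86400) * 1000 ))" "$(( now * 1000 ))"
}

# build_list_incidents_cmd SESSION_ID REGION PAGE_NUMBER PAGE_SIZE [THREAT_LEVEL] [INCIDENT_STATUS]
# Prints the exact command line, or returns 1 (with a reason on stderr) if any
# parameter violates the skill's rules. Optional filters are omitted when empty.
build_list_incidents_cmd() {
  sid=$1; region=$2; page=$3; size=$4; levels=${5:-}; status=${6:-}
  is_hex32 "$sid"           || { echo "invalid session-id" >&2; return 1; }
  valid_region "$region"    || { echo "unsupported region: $region" >&2; return 1; }
  valid_page_number "$page" || { echo "page-number must be >= 1" >&2; return 1; }
  valid_page_size "$size"   || { echo "page-size must be 1-100" >&2; return 1; }
  cmd="aliyun cloud-siem list-incidents --api-version 2024-12-12 --region $region --page-number $page --page-size $size"
  if [ -n "$levels" ]; then
    valid_threat_level "$levels" || { echo "threat-level must be comma-separated 1-5" >&2; return 1; }
    cmd="$cmd --threat-level $levels"
  fi
  if [ -n "$status" ]; then
    valid_incident_status "$status" || { echo "incident-status must be 0 or 10" >&2; return 1; }
    cmd="$cmd --incident-status $status"
  fi
  # Flags that every command in this skill must carry
  printf '%s\n' "$cmd --lang zh --user-agent $UA_PREFIX/$SKILL_NAME/$sid --read-timeout 120 --connect-timeout 10"
}
```

Typical use: `SID=$(new_session_id)` once at session start, then `eval "$(build_list_incidents_cmd "$SID" cn-shanghai 1 10 5,4)"` for the high-risk query; the built string is byte-for-byte the command in the Quick Reference table.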
## Output Handling
> **Sensitive Data Policy**:
> - **DO NOT** expose raw IP addresses in user-facing output (e.g., `192.168.1.100` → `192.168.*.***`)
> - **DO NOT** display full instance IDs in plain text when not necessary
> - **Summarize** incident data instead of dumping raw JSON when presenting to users
> - API responses are for analysis only; present actionable insights, not raw data
>
> **Example Output Format**:
> ```
> Found 3 high-risk incidents:
> 1. [High] Abnormal login behavior - Affected resource: *** (UUID: b6515...)
> 2. [High] Malicious process detected - Affected host: 192.168.*.***
> ```
## Quick Reference
> **IMPORTANT**: Match user request to the EXACT command below and execute it directly.

| User Request Keywords | Action | EXACT Command to Execute |
|----------------------|--------|-------------------------|
| "查事件" / "安全事件列表" / "basic query" | Basic list | `aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id} --read-timeout 120 --connect-timeout 10` |
| "未处理" / "还没处理" / "所有事件" / "unhandled" / "全部列出来" | All unhandled | `aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --incident-status 0 --lang zh --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id} --read-timeout 120 --connect-timeout 10` |
| "高危" / "ThreatLevel>=4" / "high-risk" | High-risk | `aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 5,4 --lang zh --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id} --read-timeout 120 --connect-timeout 10` |
| "中低风险" / "ThreatLevel 3,2" / "中危" / "低危" | Medium/low | `aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 3,2 --lang zh --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id} --read-timeout 120 --connect-timeout 10` |
| "已处理" / "处理过" / "handled" / "IncidentStatus=10" / "状态是已处理" | Handled | `aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --incident-status 10 --lang zh --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id} --read-timeout 120 --connect-timeout 10` |
| "第二页" / "第2页" / "翻到第2页" / "翻页" / "page 2" / "--page-number 2" | Pagination | `aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 2 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id} --read-timeout 120 --connect-timeout 10` |
| "新加坡" / "Singapore" / "ap-southeast-1" | Singapore | `aliyun cloud-siem list-incidents --api-version 2024-12-12 --region ap-southeast-1 --page-number 1 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id} --read-timeout 120 --connect-timeout 10` |
| "UUID" / "详情" / "b6515eb76b73cd4995a902b6df5a766b" | Get detail | `aliyun cloud-siem get-incident --api-version 2024-12-12 --region cn-shanghai --incident-uuid <UUID> --lang zh --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id} --read-timeout 120 --connect-timeout 10` |
| "排查" / "先查列表再详情" / "完整排查" / "list then detail" | **Multi-Step** | See Workflow B below (must run BOTH steps!) |
| "7天趋势" / "trend" / "7days" | 7-day trend | `START=$(($(date -v-7d +%s) * 1000)) && END=$(($(date +%s) * 1000)) && aliyun cloud-siem describe-event-count-by-threat-level --region cn-shanghai --start-time $START --end-time $END --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id} --read-timeout 120 --connect-timeout 10` |
| "30天" / "月度" / "月度安全报告" / "monthly" / "月报" | 30-day trend | `START=$(($(date -v-30d +%s) * 1000)) && END=$(($(date +%s) * 1000)) && aliyun cloud-siem describe-event-count-by-threat-level --region cn-shanghai --start-time $START --end-time $END --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id} --read-timeout 120 --connect-timeout 10` |

> **DEFAULT BEHAVIOR**: When no specific filter is mentioned, use the basic query without filters.
> **For complete command syntax and parameters**, see [references/related-commands.md](references/related-commands.md).
## Region Selection
> **CRITICAL**: Use the correct region based on user request:
>
> | User mentions | Region parameter |
> |---------------|------------------|
> | 新加坡 / Singapore / ap-southeast-1 | `--region ap-southeast-1` |
> | 上海 / 国内 / default / (nothing mentioned) | `--region cn-shanghai` |
>
> **IMPORTANT**: When user asks for Singapore region:
> 1. Use `--region ap-southeast-1`
> 2. **DO NOT include cn-shanghai** anywhere in the command
> 3. **DO NOT explain** - just execute the Singapore region command directly
## Core Workflow
> **CRITICAL**: Never create mock data. Report actual API errors.
>
> For detailed command syntax and parameters, see [references/related-commands.md](references/related-commands.md).
### Workflow Patterns
| Pattern | Trigger | API | Reference |
|---------|---------|-----|----------|
| Query Incidents | "查事件", "安全事件" | `list-incidents` | See Quick Reference table above |
| Get Details | "UUID", "详情" | `get-incident` | See Quick Reference table above |
| Event Trend | "趋势", "统计" | `describe-event-count-by-threat-level` | See related-commands.md |
### Multi-Step Workflows
> **CRITICAL**: Multi-step workflows require executing ALL steps. DO NOT skip any step!
#### Workflow A: Weekly Security Report
**Trigger**: "周报", "security report" with statistics AND incident list
**MUST execute BOTH commands in sequence**:
```bash
# Step 1: Get 7-day statistics (start/end are epoch milliseconds; arithmetic on
# `date +%s` works with both GNU and BSD date, unlike the BSD-only `date -v-7d`)
START=$(( ($(date +%s) - 7 * 86400) * 1000 )) && END=$(( $(date +%s) * 1000 )) && aliyun cloud-siem describe-event-count-by-threat-level --region cn-shanghai --start-time $START --end-time $END --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id} --read-timeout 120 --connect-timeout 10
# Step 2: Get high-risk incident list
aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 5,4 --lang zh --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id} --read-timeout 120 --connect-timeout 10
```
#### Workflow B: Full Investigation
**Trigger Keywords**: "排查", "先查...再查", "完整排查", "把详情也查出来"
> **CRITICAL**: You **MUST execute BOTH commands**! **DO NOT SKIP Step 2!**
```bash
# Step 1: List high-risk incidents
aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 5,4 --lang zh --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id} --read-timeout 120 --connect-timeout 10
# Output: {"Incidents": [{"IncidentUuid": "abc123def456...", ...}]}
# Step 2: Extract IncidentUuid from Step 1, then get details (REQUIRED!)
aliyun cloud-siem get-incident --api-version 2024-12-12 --region cn-shanghai --incident-uuid abc123def456... --lang zh --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/{session-id} --read-timeout 120 --connect-timeout 10
```
**Example**: "帮我做个完整的安全事件排查:先查高危事件列表,然后把第一条事件的详情也查出来"
1. Call `list-incidents` with `--threat-level 5,4`
2. Extract `IncidentUuid` from `Incidents[0].IncidentUuid`
3. Call `get-incident` with that UUID
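Workflow B's hand-off between Step 1 and Step 2, together with the Output Handling rules (masked IPs, truncated UUIDs, a summary instead of raw JSON), can be rehearsed offline. The block below is an added example and is not the skill's or the CLI's own code: the list-incidents response is a constructed sample in the `{"RequestId": ..., "Incidents": [...]}` shape the page describes, the field names other than `IncidentUuid` (`IncidentName`, `ThreatLevel`, `AssetIp`) and the session-id value are assumptions for illustration, and the sed-based field extraction only handles flat incident objects like the sample (use `jq` on real output; the UUID extractor already prefers it when installed).

```shell
#!/usr/bin/env bash
# Added example (not the skill's own code): dry run of Workflow B over a
# constructed list-incidents response, then a masked summary for the user.

# Constructed sample standing in for Step 1 output. Field names other than
# IncidentUuid are assumptions; the RequestId is a placeholder.
SAMPLE_LIST_RESPONSE='{"RequestId":"00000000-0000-0000-0000-000000000000","Incidents":[{"IncidentUuid":"b6515eb76b73cd4995a902b6df5a766b","IncidentName":"Abnormal login behavior","ThreatLevel":4,"AssetIp":"192.168.1.100"},{"IncidentUuid":"0f1e2d3c4b5a69788796a5b4c3d2e1f0","IncidentName":"Malicious process detected","ThreatLevel":5,"AssetIp":"10.0.5.23"}]}'
SESSION_ID_EXAMPLE="0123456789abcdef0123456789abcdef"   # constructed; generate a real one per session

is_hex32() { printf '%s' "$1" | grep -qE '^[a-f0-9]{32}$'; }

# Step 1 -> Step 2 hand-off: Incidents[0].IncidentUuid. Prefers jq; the
# grep/sed fallback relies on the value being a 32-hex string.
first_incident_uuid() {
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$1" | jq -r '.Incidents[0].IncidentUuid'
  else
    printf '%s' "$1" | grep -oE '"IncidentUuid" *: *"[a-f0-9]{32}"' | head -n 1 \
      | sed -E 's/.*"([a-f0-9]{32})"$/\1/'
  fi
}

# Step 2 command, only emitted for a UUID that passes the format check.
build_get_incident_cmd() {
  sid=$1; region=$2; uuid=$3
  is_hex32 "$sid"  || { echo "invalid session-id" >&2; return 1; }
  is_hex32 "$uuid" || { echo "invalid incident UUID: $uuid" >&2; return 1; }
  printf '%s\n' "aliyun cloud-siem get-incident --api-version 2024-12-12 --region $region --incident-uuid $uuid --lang zh --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-incident-manage/$sid --read-timeout 120 --connect-timeout 10"
}

# Output Handling: 192.168.1.100 -> 192.168.*.*** and b6515eb7... -> b6515...
mask_ip()    { printf '%s\n' "$1" | sed -E 's/([0-9]{1,3}\.[0-9]{1,3})\.[0-9]{1,3}\.[0-9]{1,3}/\1.*.***/g'; }
short_uuid() { printf '%s...\n' "$(printf '%s' "$1" | cut -c1-5)"; }

level_label() {
  case "$1" in
    5) echo Critical ;; 4) echo High ;; 3) echo Medium ;; 2) echo Low ;; 1) echo Info ;; *) echo Unknown ;;
  esac
}

# json_field '<flat JSON object>' KEY -> value without quotes (flat objects only)
json_field() { printf '%s' "$1" | sed -nE "s/.*\"$2\" *: *\"?([^\",}]*)\"?.*/\1/p"; }

# Render one summary line per incident instead of dumping the raw JSON.
summarize_incidents() {
  n=0
  printf '%s' "$1" | grep -oE '[{][^{}]*"IncidentUuid"[^{}]*[}]' | while IFS= read -r obj; do
    n=$((n + 1))
    printf '%s. [%s] %s - Affected host: %s (UUID: %s)\n' "$n" \
      "$(level_label "$(json_field "$obj" ThreatLevel)")" \
      "$(json_field "$obj" IncidentName)" \
      "$(mask_ip "$(json_field "$obj" AssetIp)")" \
      "$(short_uuid "$(json_field "$obj" IncidentUuid)")"
  done
}

# Dry run of the workflow: extract, validate, then build (not execute) Step 2.
investigate_dry_run() {
  uuid=$(first_incident_uuid "$1") || return 1
  build_get_incident_cmd "$SESSION_ID_EXAMPLE" cn-shanghai "$uuid"
}
```

On a live session, `investigate_dry_run` would be replaced by running the Step 1 command, feeding its stdout to `first_incident_uuid`, and executing the string `build_get_incident_cmd` returns; `summarize_incidents` is what the user sees, so the raw response never leaves the analysis step.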
## Success Verification
1. `list-incidents` returns JSON with `RequestId` and `Incidents` array
2. `get-incident` returns JSON with `Incident` object
3. `describe-event-count-by-threat-level` returns `Data` object
> **Detailed verification**: [references/verification-method.md](references/verification-method.md)
## Reference Links
| Document | Description |
|----------|-------------|
| [references/ram-policies.md](references/ram-policies.md) | RAM permission policy |
| [references/related-commands.md](references/related-commands.md) | Command syntax and parameters |
| [references/acceptance-criteria.md](references/acceptance-criteria.md) | Correct usage patterns |
| [references/verification-method.md](references/verification-method.md) | Verification methods |
| [references/cli-installation-guide.md](references/cli-installation-guide.md) | CLI installation guide |