Cloud Security Center CWPP Alert Handling Skill

Scenario Description

This skill helps users query and handle CWPP host security alerts from Alibaba Cloud Security Center (SAS/Aegis).

Core Capabilities:

- Query security alert list
Analyze alert details and recommend handling methods
Execute alert handling operations (ignore, whitelist, block, quarantine, etc.)
Query handling status and summarize results

Architecture: Alibaba Cloud Security Center (SAS) + RAM Permissions + CLI Tools

Installation Requirements

Pre-check: Aliyun CLI >= 3.3.1
Run aliyun version to verify version >= 3.3.1. If not installed or version is too low,
see references/cli-installation-guide.md for installation instructions.
Then [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.

CODEBLOCK0

Authentication Configuration

Pre-check: Alibaba Cloud Credentials Required
Security Rules:

- NEVER read, output, or print AK/SK values
NEVER ask users to input AK/SK directly
ONLY use aliyun configure list to check credential status
> aliyun configure list
> 
Check the output for a valid profile. If no valid profile exists, STOP here.

RAM Permission Requirements

Permission Name	Description
INLINECODE5	Query alert list
INLINECODE6

For detailed policies, see references/ram-policies.md

[MUST] Permission Failure Handling: When permission errors occur:

1. Read references/ram-policies.md for required permissions
Use ram-permission-diagnose skill to guide user
Wait until user confirms permissions granted

Core Workflow

Step 0: Identify Query Scenario (Critical)

⚠️ IMPORTANT: Choose the correct API based on user input

Scenario	User Input Example	Correct Approach
User specified alert ID	"Query alert 702173474"	Directly call INLINECODE11
User did not specify alert ID

"View my alerts" | Execute Step 1 to query alert list |

Scenario A: User specified alert ID → Verify alert exists:

aliyun sas DescribeSecurityEventOperations \
  --SecurityEventId {AlertID} \
  --Lang zh \
  --user-agent AlibabaCloud-Agent-Skills

- Success → Alert exists, proceed to Step 5
Failure (SecurityEventNotExists) → See references/error-handling.md

Scenario B: User did not specify alert ID → Proceed to Step 1

Step 1: Query Alert List

CODEBLOCK3

Key Response Fields:

Field	Description
Id	Alert event ID (core field)
AlarmEventNameDisplay

Step 2: Display Alert Information and Recommendations

Display Format:
CODEBLOCK4

For operateCode mappings and recommendation rules, see references/operation-codes.md

Step 3: Determine Handling Intent

Case A: User specified handling method → Proceed to Step 4

Case B: User did not specify → Must ask user:

Please confirm how to handle these alerts:

1. ✅ Handle all using recommended methods
2. 🔧 Custom handling method
3. ❌ Cancel

Please select (enter number):

Step 4: Query Available Handling Operations

⚠️ Strict Constraint: Each alert's available operations must be queried individually

- NEVER assume one alert's operations apply to another
MUST call DescribeSecurityEventOperations for each alert

CODEBLOCK6

⚠️ Critical: Only execute operations where UserCanOperate=true

Step 5: Build Parameters and Execute

Quick Reference - Common Operations:

OperationCode	OperationParams	Notes
blockip	INLINECODE15	expireTime = current + duration (ms)
killand_quara

{"subOperation":"killAndQuaraFileByMd5andPath"} | |
| virus_quara | {"subOperation":"quaraFileByMd5andPath"} | |
| quara | {} | |
| ignore | {} | |
| manual_handled | {} | |
| advancemarkmis_info | {} + MarkMissParam | See workflow-details.md |

Example - ignore:
CODEBLOCK7

Example - killandquara:
CODEBLOCK8

Example - block_ip (7 days):
CODEBLOCK9

Example - advancemarkmis_info:
CODEBLOCK10

⚠️ For advanced whitelist (advancemarkmis_info):

- Must ask user about whitelist rules and scope
Must preserve existing MarkField rules
See references/workflow-details.md for detailed process

For complete CLI examples and parameter details, see references/workflow-details.md

Step 6: Query Handling Status

⚠️ CLI Requirement: Must pass both TaskId and SecurityEventIds

CODEBLOCK11

Polling Logic:

1. TaskStatus=Processing → Wait 2s, retry (max 5 times)
After 10s still not complete → Mark as failed
INLINECODE23 → Handling successful
INLINECODE24 → Check ErrorCode

Step 7: Loop to Handle Other Alerts

If there are other alerts, repeat Steps 3-6. Maximum 20 alerts per batch.

Step 8: Results Summary

CODEBLOCK12

For detailed format, see references/error-handling.md

operateCode Quick Reference

operateCode	Description	Additional Params
blockip	Block IP	expireTime (required)
killand_quara

For complete operateCode categories and details, see references/operation-codes.md

Error Handling

Error Scenario	Handling Method
UserCanOperate=false	Operation not supported, version limitation
Timeout (>10s)

For detailed error handling procedures, see references/error-handling.md

Best Practices

1. Query before handling: Call DescribeSecurityEventOperations first
Batch limit: Maximum 20 alerts per batch
Preserve existing rules: When using advanced whitelist, merge existing MarkField rules
Timeout handling: Polling over 10 seconds = failed
User confirmation: Must confirm intent before handling
Logging: Record all operations for auditing

Reference Documents

Document	Description
references/workflow-details.md	Detailed workflow, CLI examples, advanced whitelist
references/operation-codes.md

云安全中心CWPP告警处理技能

场景描述

本技能帮助用户查询和处理来自阿里云安全中心（SAS/Aegis）的CWPP主机安全告警。

核心能力：

- 查询安全告警列表
分析告警详情并推荐处理方法
执行告警处理操作（忽略、加白名单、拦截、隔离等）
查询处理状态并汇总结果

架构： 阿里云安全中心（SAS）+ RAM权限 + CLI工具

安装要求

前置检查：Aliyun CLI >= 3.3.1
运行 aliyun version 验证版本 >= 3.3.1。如果未安装或版本过低，
请参阅 references/cli-installation-guide.md 获取安装说明。
然后[必须]运行 aliyun configure set --auto-plugin-install true 启用自动插件安装。

bash
aliyun version
aliyun configure set --auto-plugin-install true

认证配置

前置检查：需要阿里云凭证
安全规则：

- 禁止读取、输出或打印AK/SK值
禁止要求用户直接输入AK/SK
仅使用 aliyun configure list 检查凭证状态

bash
aliyun configure list

检查输出中是否存在有效配置文件。如果没有有效配置文件，在此停止。

RAM权限要求

权限名称	描述
yundun-sas:DescribeSuspEvents	查询告警列表
yundun-sas:DescribeSecurityEventOperations

详细策略请参见 references/ram-policies.md

[必须] 权限失败处理： 当出现权限错误时：

1. 阅读 references/ram-policies.md 了解所需权限
使用 ram-permission-diagnose 技能引导用户
等待用户确认权限已授予

核心工作流

步骤0：识别查询场景（关键）

⚠️ 重要：根据用户输入选择正确的API

场景	用户输入示例	正确方法
用户指定了告警ID	查询告警702173474	直接调用 DescribeSecurityEventOperations --SecurityEventId {ID}
用户未指定告警ID

查看我的告警 | 执行步骤1查询告警列表 |

场景A：用户指定了告警ID → 验证告警是否存在：
bash
aliyun sas DescribeSecurityEventOperations \
--SecurityEventId {AlertID} \
--Lang zh \
--user-agent AlibabaCloud-Agent-Skills

- 成功 → 告警存在，继续步骤5
失败（SecurityEventNotExists）→ 参见 references/error-handling.md

场景B：用户未指定告警ID → 继续步骤1

步骤1：查询告警列表

bash
aliyun sas DescribeSuspEvents \
--Lang zh \
--From sas \
--CurrentPage 1 \
--PageSize 10 \
--Levels serious,suspicious,remind \
--Dealed N \
--user-agent AlibabaCloud-Agent-Skills 2>/dev/null | jq .SuspEvents[] | {Id, Name: .AlarmEventNameDisplay, AlarmEventType, Level, InternetIp, IntranetIp, LastTime, EventStatus, Uuid}

关键响应字段：

字段	描述
Id	告警事件ID（核心字段）
AlarmEventNameDisplay

步骤2：展示告警信息和建议

展示格式：

告警列表（共X条）：

[告警1] ID: 7009607xx

- 名称：来自异常位置的ECS登录
类型：异常登录
严重等级：可疑
资产：47.xxx.xxx.xxx / 10.xxx.xxx.xxx
状态：待处理
时间：2026-03-19 14:11:05
推荐操作：拦截IP
原因：检测到异常登录行为

operateCode映射和推荐规则请参见 references/operation-codes.md

步骤3：确定处理意图

情况A：用户指定了处理方法 → 继续步骤4

情况B：用户未指定 → 必须询问用户：

请确认如何处理这些告警：

1. ✅ 全部使用推荐方法处理
🔧 自定义处理方法
❌ 取消

请选择（输入数字）：

步骤4：查询可用处理操作

⚠️ 严格约束：每个告警的可用操作必须单独查询

- 禁止假设一个告警的操作适用于另一个告警
必须为每个告警调用 DescribeSecurityEventOperations

bash
aliyun sas DescribeSecurityEventOperations \
--SecurityEventId {AlertID} \
--Lang zh \
--user-agent AlibabaCloud-Agent-Skills

⚠️ 关键：仅执行 UserCanOperate=true 的操作

步骤5：构建参数并执行

快速参考 - 常用操作：

OperationCode	OperationParams	说明
blockip	{expireTime:1773991205392}	expireTime = 当前时间 + 时长（毫秒）
killand_quara

{subOperation:killAndQuaraFileByMd5andPath} | |
| virus_quara | {subOperation:quaraFileByMd5andPath} | |
| quara | {} | |
| ignore | {} | |
| manual_handled | {} | |
| advancemarkmis_info | {} + MarkMissParam | 参见 workflow-details.md |

示例 - 忽略：
bash
aliyun sas HandleSecurityEvents \
--SecurityEventIds.1 7009586xx \
--OperationCode ignore \
--OperationParams {} \
--user-agent AlibabaCloud-Agent-Skills

示例 - 隔离并杀进程：
bash
aliyun sas HandleSecurityEvents \
--SecurityEventIds.1 7008619xx \
--OperationCode killandquara \
--OperationParams {subOperation:killAndQuaraFileByMd5andPath} \
--user-agent AlibabaCloud-Agent-Skills

示例 - 拦截IP（7天）：
bash

计算：当前时间戳毫秒 + 72460601000

aliyun sas HandleSecurityEvents \
--SecurityEventIds.1 7009607xx \
--OperationCode block_ip \
--OperationParams {expireTime:1773991205392} \
--user-agent AlibabaCloud-Agent-Skills

示例 - 高级加白名单：
bash
aliyun sas HandleSecurityEvents \
--SecurityEventIds.1 7009586xx \
--OperationCode advancemarkmis_info \
--OperationParams {} \
--MarkMissParam [{uuid:ALL,field:loginSourceIp,operate:strEqual,fieldValue:59.82.xx.xx}] \
--user-agent AlibabaCloud-Agent-Skills

⚠️ 对于高级加白名单（advancemarkmis_info）：

- 必须询问用户白名单规则和范围
必须保留现有的MarkField规则
详细流程参见 references/workflow-details.md

完整的CLI示例和参数详情请参见 references/workflow-details.md

步骤6：查询处理状态

⚠️ CLI要求：必须同时传递TaskId和SecurityEventIds

bash
aliyun sas DescribeSecurityEventOperationStatus \
--TaskId 290511xx \
--SecurityEventIds.1 7009607xx \
--user-agent AlibabaCloud-Agent-Skills

轮询逻辑：

1. TaskStatus=Processing →

alibabacloud-sas-alert-handler阿里云安全告警处理

alibabacloud-sas-alert-handler

Cloud Security Center CWPP Alert Handling Skill

Scenario Description

Installation Requirements

Authentication Configuration

RAM Permission Requirements

Core Workflow

Step 0: Identify Query Scenario (Critical)

Step 1: Query Alert List

Step 2: Display Alert Information and Recommendations

Step 3: Determine Handling Intent

Step 4: Query Available Handling Operations

Step 5: Build Parameters and Execute

Step 6: Query Handling Status

Step 7: Loop to Handle Other Alerts

Step 8: Results Summary

operateCode Quick Reference

Error Handling

Best Practices

Reference Documents

云安全中心CWPP告警处理技能

场景描述

安装要求

认证配置

RAM权限要求

核心工作流

步骤0：识别查询场景（关键）

步骤1：查询告警列表

步骤2：展示告警信息和建议

步骤3：确定处理意图

步骤4：查询可用处理操作

步骤5：构建参数并执行

计算：当前时间戳毫秒 + 72460601000

步骤6：查询处理状态

标签

通过对话安装

方式一：安装 SkillHub 和技能

方式二：设置 SkillHub 为优先技能安装源

通过命令行安装

下载

相关推荐

self-improvement

self-improvement

self-improvement

self-improvement