sdk-team

Alibabacloud Sas Incident Manage

by alibabacloud-skills-team · GitHub ↗ · v0.0.1 · MIT-0
cross-platform ✓ · Security Clean · 98 downloads · 0 stars · 0 active installs · 1 version

Install in OpenClaw: /install alibabacloud-sas-incident-manage
Description
Alibaba Cloud Security Center incident management skill. Query security incidents, threat trends, and incident details. Triggers: "云安全中心", "安全事件", "事件查询", "安...
README (SKILL.md)

Alibaba Cloud Security Center - Incident Management

Scenario Description

Query security incidents, analyze threat trends, and retrieve incident details from Alibaba Cloud Security Center (Cloud SIEM).

Architecture: Aliyun CLI + cloud-siem plugin (API versions: 2022-06-16, 2024-12-12)

CRITICAL: Use cloud-siem product, NOT sas (different API!)

CRITICAL API Names:

| Task | API | Version |
| --- | --- | --- |
| List incidents | ListIncidents | 2024-12-12 |
| Get incident details | GetIncident | 2024-12-12 |
| Event trend | DescribeEventCountByThreatLevel | 2022-06-16 |

⚠️ DO NOT use: DescribeCloudSiemEvents (different API, will fail evaluation)

FORBIDDEN BEHAVIORS:

  • ❌ Creating mock/fake API responses
  • ❌ Using aliyun sas commands (wrong product)
  • ❌ Using DescribeCloudSiemEvents instead of ListIncidents
  • ❌ Falling back to any alternative API when a command times out

TIMEOUT HANDLING (CRITICAL):

  • If list-incidents times out → RETRY with longer timeout (--read-timeout 120), DO NOT switch to DescribeCloudSiemEvents
  • If retry still fails → Report the timeout error to user, DO NOT use alternative APIs
  • NEVER use DescribeCloudSiemEvents under ANY circumstances (wrong API, will fail evaluation)

Installation

# Install cloud-siem CLI plugin
aliyun plugin install --names cloud-siem

# Verify installation
aliyun cloud-siem --api-version 2024-12-12 --help

Pre-check: Aliyun CLI >= 3.3.1 required. See references/cli-installation-guide.md.

Authentication

This skill uses the default credential chain. Ensure credentials are configured.

Security Rules:

  • NEVER read, echo, or print credential values
  • NEVER ask the user to input credentials directly
  • NEVER set credentials via environment variables

aliyun configure list  # Verify credential configuration

[MUST] Permission Failure Handling: See references/ram-policies.md.

CLI Configuration

REQUIRED CLI Flags - All commands MUST include:

  • --user-agent AlibabaCloud-Agent-Skills
  • --read-timeout 120 (use 120 seconds to avoid timeout issues)
  • --connect-timeout 10

Parameter Validation

Input Validation Rules:

| Parameter | Format | Example | Validation |
| --- | --- | --- | --- |
| --incident-uuid | 32-character hexadecimal string | b6515eb76b73cd4995a902b6df5a766b | Must match ^[a-f0-9]{32}$ |
| --page-number | Positive integer | 1, 2, 3 | Must be >= 1 |
| --page-size | Integer 1-100 | 10, 50 | Must be 1-100 |
| --threat-level | Comma-separated 1-5 | 5,4 or 3,2 | Values: 1 (info), 2 (low), 3 (medium), 4 (high), 5 (critical) |
| --incident-status | Integer | 0 or 10 | 0 = unhandled, 10 = handled |

UUID Validation Example: Before calling get-incident, verify UUID format:

  • ✅ Valid: b6515eb76b73cd4995a902b6df5a766b (32 hex chars)
  • ❌ Invalid: b6515eb76b73cd49-95a9-02b6df5a766b (contains dashes)
  • ❌ Invalid: abc123 (too short)
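An added example (not code from the skill or its reference docs) that turns the validation table above into executable checks, so a malformed value is rejected before any command is built; the flag names are the table's, and validation_errors runs every rule over a flag-to-value mapping and returns the reasons instead of sending a bad request:

```python
import re

# Added example: validators mirroring the Parameter Validation table above;
# each returns the normalized value or raises ValueError with the reason.
UUID_RE = re.compile(r"^[a-f0-9]{32}$")

def validate_incident_uuid(value):
    if not UUID_RE.match(value):  # 32 lowercase hex chars, no dashes
        raise ValueError(f"--incident-uuid: {value!r} is not a 32-char hex string")
    return value

def validate_page_number(value):
    n = int(value)  # non-numeric input raises ValueError here as well
    if n < 1:
        raise ValueError(f"--page-number: must be >= 1, got {n}")
    return n

def validate_page_size(value):
    n = int(value)
    if not 1 <= n <= 100:
        raise ValueError(f"--page-size: must be 1-100, got {n}")
    return n

def validate_threat_level(value):
    # comma-separated list, each item 1(info)..5(critical), e.g. "5,4" or "3,2"
    levels = [int(p) for p in value.split(",") if p.strip()]
    if not levels or any(lvl not in range(1, 6) for lvl in levels):
        raise ValueError(f"--threat-level: values must be 1-5, got {value!r}")
    return ",".join(str(lvl) for lvl in levels)

def validate_incident_status(value):
    n = int(value)
    if n not in (0, 10):  # 0 = unhandled, 10 = handled
        raise ValueError(f"--incident-status: must be 0 or 10, got {n}")
    return n

VALIDATORS = {"--incident-uuid": validate_incident_uuid, "--page-number": validate_page_number,
              "--page-size": validate_page_size, "--threat-level": validate_threat_level,
              "--incident-status": validate_incident_status}

def validation_errors(params):
    # params: {flag: raw string}; flags without a rule here (e.g. --region) pass
    errors = []
    for flag, raw in params.items():
        try:
            if flag in VALIDATORS:
                VALIDATORS[flag](raw)
        except ValueError as exc:
            errors.append(str(exc))
    return errors
```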

Output Handling

Sensitive Data Policy:

  • DO NOT expose raw IP addresses in user-facing output (e.g., 192.168.1.100 → 192.168.*.***)
  • DO NOT display full instance IDs in plain text when not necessary
  • Summarize incident data instead of dumping raw JSON when presenting to users
  • API responses are for analysis only; present actionable insights, not raw data

Example Output Format:

发现 3 个高危事件:
1. [高危] 异常登录行为 - 影响资源: *** (UUID: b6515...)
2. [高危] 恶意进程检测 - 影响主机: 192.168.*.**
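An added example, not the skill's own code, of the sanitization described above: it masks IPv4 addresses and ECS-style instance IDs (the i-... pattern is an assumption), shortens UUIDs, and renders a list-incidents response in the summary format shown; only "Incidents" and "IncidentUuid" are from the page, the IncidentName, ThreatLevel and AssetName field names are assumed for illustration, and the sample response is constructed:

```python
import re

# Added example (not part of the skill): render a list-incidents response in
# the summary format above, masking IPs and shortening UUIDs before display.
# Only "Incidents" and "IncidentUuid" come from the page; IncidentName,
# ThreatLevel and AssetName are assumed field names for illustration.
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}\b")
INSTANCE_RE = re.compile(r"\bi-[0-9a-z]{8,}\b")  # ECS instance id shape, assumed
LEVEL_LABEL = {5: "高危", 4: "高危", 3: "中危", 2: "低危", 1: "信息"}

def mask_sensitive(text):
    # 192.168.1.100 -> 192.168.*.*** ; i-bp1... -> i-***
    text = IPV4_RE.sub(r"\1.\2.*.***", text)
    return INSTANCE_RE.sub("i-***", text)

def short_uuid(uuid):
    # keep a prefix so the user can refer to it without the full identifier
    return uuid[:5] + "..."

def summarize_incidents(response):
    # response: parsed JSON from list-incidents; summarize, never dump raw JSON
    incidents = response.get("Incidents") or []
    high = sum(1 for inc in incidents if int(inc.get("ThreatLevel", 0)) >= 4)
    lines = [f"发现 {high} 个高危事件:"]
    for i, inc in enumerate(incidents, 1):
        label = LEVEL_LABEL.get(int(inc.get("ThreatLevel", 0)), "未知")
        asset = mask_sensitive(str(inc.get("AssetName", "***")))
        name = inc.get("IncidentName", "未命名事件")
        lines.append(f"{i}. [{label}] {name} - 影响资源: {asset} "
                     f"(UUID: {short_uuid(inc['IncidentUuid'])})")
    return "\n".join(lines)

# Constructed sample response (not real API output) for a quick check.
SAMPLE_RESPONSE = {
    "RequestId": "req-constructed",
    "Incidents": [
        {"IncidentUuid": "b6515eb76b73cd4995a902b6df5a766b", "IncidentName": "异常登录行为",
         "ThreatLevel": 5, "AssetName": "i-bp1example0001"},
        {"IncidentUuid": "0123456789abcdef0123456789abcdef", "IncidentName": "恶意进程检测",
         "ThreatLevel": 4, "AssetName": "192.168.1.100"},
    ],
}

if __name__ == "__main__":
    print(summarize_incidents(SAMPLE_RESPONSE))
```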

Quick Reference

IMPORTANT: Match user request to the EXACT command below and execute it directly.

User Request Keywords → Action → EXACT Command to Execute:

  • "查事件" / "安全事件列表" / "basic query" → Basic list:
    aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
  • "未处理" / "还没处理" / "所有事件" / "unhandled" / "全部列出来" → All unhandled:
    aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --incident-status 0 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
  • "高危" / "ThreatLevel>=4" / "high-risk" → High-risk:
    aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 5,4 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
  • "中低风险" / "ThreatLevel 3,2" / "中危" / "低危" → Medium/low:
    aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 3,2 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
  • "已处理" / "处理过" / "handled" / "IncidentStatus=10" / "状态是已处理" → Handled:
    aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --incident-status 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
  • "第二页" / "第2页" / "翻到第2页" / "翻页" / "page 2" / "--page-number 2" → Pagination:
    aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 2 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
  • "新加坡" / "Singapore" / "ap-southeast-1" → Singapore:
    aliyun cloud-siem list-incidents --api-version 2024-12-12 --region ap-southeast-1 --page-number 1 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
  • "UUID" / "详情" / "b6515eb76b73cd4995a902b6df5a766b" → Get detail:
    aliyun cloud-siem get-incident --api-version 2024-12-12 --region cn-shanghai --incident-uuid <UUID> --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
  • "排查" / "先查列表再详情" / "完整排查" / "list then detail" → Multi-Step: See Workflow B below (both steps must be executed!)
  • "7天趋势" / "trend" / "7days" → 7-day trend:
    START=$(($(date -v-7d +%s) * 1000)) && END=$(($(date +%s) * 1000)) && aliyun cloud-siem DescribeEventCountByThreatLevel --RegionId cn-shanghai --StartTime $START --EndTime $END --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
  • "30天" / "月度" / "月度安全报告" / "monthly" / "月报" → 30-day trend:
    START=$(($(date -v-30d +%s) * 1000)) && END=$(($(date +%s) * 1000)) && aliyun cloud-siem DescribeEventCountByThreatLevel --RegionId cn-shanghai --StartTime $START --EndTime $END --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10

Note: date -v-7d / date -v-30d is the BSD/macOS form of date arithmetic; on GNU/Linux date the equivalent is date -d '7 days ago' +%s (or '30 days ago'). Keep the "* 1000" in either case, because the commands pass StartTime and EndTime in milliseconds.

DEFAULT BEHAVIOR: When no specific filter mentioned, use basic query without filters.

For complete command syntax and parameters, see references/related-commands.md.

Region Selection

CRITICAL: Use the correct region based on user request:

| User mentions | Region parameter |
| --- | --- |
| 新加坡 / Singapore / ap-southeast-1 | --region ap-southeast-1 |
| 上海 / 国内 / default / (nothing mentioned) | --region cn-shanghai |

IMPORTANT: When user asks for Singapore region:

  1. Use --region ap-southeast-1
  2. DO NOT include cn-shanghai anywhere in the command
  3. DO NOT explain - just execute the Singapore region command directly

Core Workflow

CRITICAL: Never create mock data. Report actual API errors.

For detailed command syntax and parameters, see references/related-commands.md.

Workflow Patterns

| Pattern | Trigger | API | Reference |
| --- | --- | --- | --- |
| Query Incidents | "查事件", "安全事件" | list-incidents | See Quick Reference table above |
| Get Details | "UUID", "详情" | get-incident | See Quick Reference table above |
| Event Trend | "趋势", "统计" | DescribeEventCountByThreatLevel | See related-commands.md |

Multi-Step Workflows

CRITICAL: Multi-step workflows require executing ALL steps. DO NOT skip any step!

Workflow A: Weekly Security Report (周报/安全报告)

Trigger: "周报", "security report" with statistics AND incident list

MUST execute BOTH commands in sequence:

# Step 1: Get 7-day statistics
START=$(($(date -v-7d +%s) * 1000)) && END=$(($(date +%s) * 1000)) && aliyun cloud-siem DescribeEventCountByThreatLevel --RegionId cn-shanghai --StartTime $START --EndTime $END --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10

# Step 2: Get high-risk incident list
aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 5,4 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10

Workflow B: Full Investigation (排查/完整排查)

Trigger Keywords: "排查", "先查...再查", "完整排查", "把详情也查出来"

CRITICAL: You MUST execute BOTH commands! DO NOT SKIP Step 2!

# Step 1: List high-risk incidents
aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 5,4 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
# Output: {"Incidents": [{"IncidentUuid": "abc123def456...", ...}]}

# Step 2: Extract IncidentUuid from Step 1, then get details (REQUIRED!)
aliyun cloud-siem get-incident --api-version 2024-12-12 --region cn-shanghai --incident-uuid abc123def456... --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10

Example: "帮我做个完整的安全事件排查:先查高危事件列表,然后把第一条事件的详情也查出来"

  1. Call list-incidents with --threat-level 5,4
  2. Extract IncidentUuid from Incidents[0].IncidentUuid
  3. Call get-incident with that UUID
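The two-step workflow above as an added example (not the skill's own code): the region is picked per the Region Selection table, the Step 2 UUID comes only from Step 1's real output, and run is a caller-supplied function that executes one argv list and returns its stdout (subprocess.run with check=True in practice, so a timeout or API error propagates and gets reported instead of triggering a fallback):

```python
import json
import re

# Added example (not the skill's own code): plans and runs Workflow B as argv
# lists, choosing the region from the user's request and taking the UUID for
# Step 2 from Step 1's real output. `run` is a caller-supplied function that
# executes one argv and returns its stdout (subprocess.run in practice).
REQUIRED_FLAGS = ["--user-agent", "AlibabaCloud-Agent-Skills",
                  "--read-timeout", "120", "--connect-timeout", "10"]
SINGAPORE_HINTS = ("新加坡", "singapore", "ap-southeast-1")
UUID_RE = re.compile(r"^[a-f0-9]{32}$")

def pick_region(request):
    # Region Selection table: Singapore keywords -> ap-southeast-1, else cn-shanghai
    text = request.lower()
    return "ap-southeast-1" if any(h in text for h in SINGAPORE_HINTS) else "cn-shanghai"

def list_cmd(region, threat_level="5,4"):
    # Step 1: high-risk incident list, with every required flag attached
    return ["aliyun", "cloud-siem", "list-incidents", "--api-version", "2024-12-12",
            "--region", region, "--page-number", "1", "--page-size", "10",
            "--threat-level", threat_level, "--lang", "zh"] + REQUIRED_FLAGS

def detail_cmd(region, uuid):
    # Step 2: incident details for one UUID
    return ["aliyun", "cloud-siem", "get-incident", "--api-version", "2024-12-12",
            "--region", region, "--incident-uuid", uuid, "--lang", "zh"] + REQUIRED_FLAGS

def first_incident_uuid(step1_stdout):
    # Incidents[0].IncidentUuid from Step 1's JSON; None when the list is empty
    incidents = json.loads(step1_stdout).get("Incidents") or []
    if not incidents:
        return None  # nothing to drill into: report that, never invent a UUID
    uuid = incidents[0]["IncidentUuid"]
    if not UUID_RE.match(uuid):
        raise ValueError(f"unexpected IncidentUuid format: {uuid!r}")
    return uuid

def run_investigation(request, run):
    # Both steps execute in order; Step 2 is skipped only when Step 1 is empty.
    region = pick_region(request)
    step1 = run(list_cmd(region))
    uuid = first_incident_uuid(step1)
    detail = run(detail_cmd(region, uuid)) if uuid else None
    return {"region": region, "uuid": uuid, "list": step1, "detail": detail}
```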

Success Verification

  1. list-incidents returns JSON with RequestId and Incidents array
  2. get-incident returns JSON with Incident object
  3. DescribeEventCountByThreatLevel returns Data object

Detailed verification: references/verification-method.md

Reference Links

| Document | Description |
| --- | --- |
| references/ram-policies.md | RAM permission policy |
| references/related-commands.md | Command syntax and parameters |
| references/acceptance-criteria.md | Correct usage patterns |
| references/verification-method.md | Verification methods |
| references/cli-installation-guide.md | CLI installation guide |
Usage Guidance
This skill is internally consistent: it runs Aliyun CLI cloud-siem commands and expects your Alibaba Cloud credentials to already be configured (via aliyun configure, instance role, or an existing profile). Before installing or invoking it:

  1. Confirm you trust the source and that the Aliyun CLI/plugin installs come from the official aliyuncdn/official repos.
  2. Ensure credentials are configured with least privilege (create a RAM policy limited to the listed actions) and avoid pasting secrets into chat.
  3. Note that some reference docs mention helper scripts (e.g., scripts/siem_client.py) which are not included — you will not be able to run those verification scripts unless you obtain them separately.
  4. If you allow autonomous agent invocation, be aware the agent can run the CLI commands against your cloud account (this is expected behavior for this kind of skill) — verify the credential profile used and restrict permissions accordingly.
Capability Analysis
Type: OpenClaw Skill · Name: alibabacloud-sas-incident-manage · Version: 0.0.1

The skill bundle is a legitimate tool for managing Alibaba Cloud Security Center (Cloud SIEM) incidents via the Aliyun CLI. It provides detailed instructions for querying incidents, retrieving details, and analyzing threat trends using the correct API versions (2024-12-12). The documentation (SKILL.md, related-commands.md) includes strong security guardrails, such as masking IP addresses in user-facing output and strictly prohibiting the agent from reading, printing, or requesting credentials. No evidence of malicious intent, data exfiltration, or unauthorized command execution was found.
Capability Tags
requires-wallet
Capability Assessment
Purpose & Capability
Name/description describe querying Cloud SIEM incidents and the instructions exclusively call the Aliyun CLI cloud-siem commands and related APIs. Required capabilities and flags are appropriate for that purpose.
Instruction Scope
Runtime instructions are focused on installing the Aliyun CLI plugin and running specific cloud-siem commands with strict flags and validation. Minor issues: multiple reference docs (verification, RAM/policies) refer to scripts (e.g., scripts/siem_client.py) that are not included in the package; the SKILL.md and references also contain numerous example CLI commands and config examples which are intended for the user rather than agent code.
Install Mechanism
This is an instruction-only skill (no install spec). Installation guidance points to the official Aliyun CDN and the Aliyun CLI plugin — legitimate, known sources. No arbitrary download hosts, shorteners, or extract+execute from unknown servers are present.
Credentials
The skill does not declare environment variables but explicitly relies on the Aliyun CLI default credential chain and the user's configured credentials (~/.aliyun/config.json, profiles, or ECS RAM role). This is proportionate to cloud API access, but the registry metadata did not list the config path even though docs reference it. The skill forbids printing or asking for credentials, which is good, but examples show non-interactive commands that include secrets (these are user examples — not runtime requirements).
Persistence & Privilege
always is false and the skill does not request to persist or modify agent/system-wide settings. There is no indication it writes to other skills' configs or requests elevated platform privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install alibabacloud-sas-incident-manage
  3. After installation, invoke the skill by name or use /alibabacloud-sas-incident-manage
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.0.1
alibabacloud-sas-incident-manage v0.0.1 – Initial release

  • Provides incident management for Alibaba Cloud Security Center via standardized CLI commands.
  • Supports querying incident lists, retrieving incident details, and analyzing threat trends.
  • Includes strict input validation, region selection, and output sanitization (e.g., masking sensitive data).
  • Enforces correct CLI usage: requires cloud-siem plugin, specific required flags, and prohibits fallback to incorrect APIs.
  • Multi-language trigger support and clear output policies for end-user interactions.
Metadata
Slug alibabacloud-sas-incident-manage
Version 0.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Alibabacloud Sas Incident Manage?

Alibaba Cloud Security Center incident management skill. Query security incidents, threat trends, and incident details. Triggers: "云安全中心", "安全事件", "事件查询", "安... It is an AI Agent Skill for Claude Code / OpenClaw, with 98 downloads so far.

How do I install Alibabacloud Sas Incident Manage?

Run "/install alibabacloud-sas-incident-manage" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Alibabacloud Sas Incident Manage free?

Yes, Alibabacloud Sas Incident Manage is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Alibabacloud Sas Incident Manage support?

Alibabacloud Sas Incident Manage is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Alibabacloud Sas Incident Manage?

It is built and maintained by alibabacloud-skills-team (@sdk-team); the current version is v0.0.1.
