sdk-team

Alibabacloud Sas Incident Manage

Author: alibabacloud-skills-team · GitHub · v0.0.1 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 98 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw:
/install alibabacloud-sas-incident-manage
Description
Alibaba Cloud Security Center incident management skill. Query security incidents, threat trends, and incident details. Triggers: "云安全中心", "安全事件", "事件查询", "安...
Usage (SKILL.md)

Alibaba Cloud Security Center - Incident Management

Scenario Description

Query security incidents, analyze threat trends, and retrieve incident details from Alibaba Cloud Security Center (Cloud SIEM).

Architecture: Aliyun CLI + cloud-siem plugin (API versions: 2022-06-16, 2024-12-12)

CRITICAL: Use cloud-siem product, NOT sas (different API!)

CRITICAL API Names:

| Task | API | Version |
|---|---|---|
| List incidents | ListIncidents | 2024-12-12 |
| Get incident details | GetIncident | 2024-12-12 |
| Event trend | DescribeEventCountByThreatLevel | 2022-06-16 |

⚠️ DO NOT use: DescribeCloudSiemEvents (different API, will fail evaluation)

FORBIDDEN BEHAVIORS:

  • ❌ Creating mock/fake API responses
  • ❌ Using aliyun sas commands (wrong product)
  • ❌ Using DescribeCloudSiemEvents instead of ListIncidents
  • ❌ Falling back to any alternative API when a command times out

TIMEOUT HANDLING (CRITICAL):

  • If list-incidents times out → RETRY with longer timeout (--read-timeout 120), DO NOT switch to DescribeCloudSiemEvents
  • If retry still fails → Report the timeout error to user, DO NOT use alternative APIs
  • NEVER use DescribeCloudSiemEvents under ANY circumstances (wrong API, will fail evaluation)

Installation

# Install cloud-siem CLI plugin
aliyun plugin install --names cloud-siem

# Verify installation
aliyun cloud-siem --api-version 2024-12-12 --help

Pre-check: Aliyun CLI >= 3.3.1 required. See references/cli-installation-guide.md.

Authentication

This skill uses the default credential chain. Ensure credentials are configured.

Security Rules:

  • NEVER read, echo, or print credential values
  • NEVER ask the user to input credentials directly
  • NEVER set credentials via environment variables

aliyun configure list  # Verify credential configuration

[MUST] Permission Failure Handling: See references/ram-policies.md.

CLI Configuration

REQUIRED CLI Flags - All commands MUST include:

  • --user-agent AlibabaCloud-Agent-Skills
  • --read-timeout 120 (use 120 seconds to avoid timeout issues)
  • --connect-timeout 10

Parameter Validation

Input Validation Rules:

| Parameter | Format | Example | Validation |
|---|---|---|---|
| --incident-uuid | 32-character hexadecimal string | b6515eb76b73cd4995a902b6df5a766b | Must match ^[a-f0-9]{32}$ |
| --page-number | Positive integer | 1, 2, 3 | Must be >= 1 |
| --page-size | Integer 1-100 | 10, 50 | Must be 1-100 |
| --threat-level | Comma-separated 1-5 | 5,4 or 3,2 | Values: 1 (info), 2 (low), 3 (medium), 4 (high), 5 (critical) |
| --incident-status | Integer | 0 or 10 | 0=unhandled, 10=handled |

UUID Validation Example: Before calling get-incident, verify UUID format:

  • ✅ Valid: b6515eb76b73cd4995a902b6df5a766b (32 hex chars)
  • ❌ Invalid: b6515eb76b73cd49-95a9-02b6df5a766b (contains dashes)
  • ❌ Invalid: abc123 (too short)
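An added example, not code shipped with this skill: a small Python wrapper that enforces the validation table above and appends the required CLI flags, building an argv list (so values taken from chat input are never interpreted by a shell) and computing the trend window in Python rather than with the BSD-only `date -v-7d` syntax used in the Quick Reference. Function names and the region set are assumptions of the example.

```python
import re
import time

UUID_RE = re.compile(r"^[a-f0-9]{32}$")          # validation rule from the table above
REGIONS = {"cn-shanghai", "ap-southeast-1"}      # regions this skill supports
API_VERSION = "2024-12-12"                       # ListIncidents / GetIncident
REQUIRED_FLAGS = ["--user-agent", "AlibabaCloud-Agent-Skills",
                  "--read-timeout", "120", "--connect-timeout", "10"]

def is_valid_uuid(value):
    """True only for a 32-character lowercase hex string (no dashes, no short ids)."""
    return bool(UUID_RE.match(value))

def _base(subcommand, region):
    if region not in REGIONS:
        raise ValueError(f"unsupported region: {region}")
    return ["aliyun", "cloud-siem", subcommand, "--api-version", API_VERSION,
            "--region", region]

def build_list_incidents_cmd(region="cn-shanghai", page_number=1, page_size=10,
                             threat_level=None, incident_status=None):
    """argv for list-incidents; each parameter is checked before it reaches the CLI."""
    if not (isinstance(page_number, int) and page_number >= 1):
        raise ValueError("--page-number must be an integer >= 1")
    if not (isinstance(page_size, int) and 1 <= page_size <= 100):
        raise ValueError("--page-size must be an integer between 1 and 100")
    argv = _base("list-incidents", region)
    argv += ["--page-number", str(page_number), "--page-size", str(page_size)]
    if threat_level is not None:
        if not all(lv in {"1", "2", "3", "4", "5"} for lv in threat_level.split(",")):
            raise ValueError("--threat-level must be comma-separated values 1-5")
        argv += ["--threat-level", threat_level]
    if incident_status is not None:
        if incident_status not in (0, 10):
            raise ValueError("--incident-status must be 0 (unhandled) or 10 (handled)")
        argv += ["--incident-status", str(incident_status)]
    return argv + ["--lang", "zh"] + REQUIRED_FLAGS

def build_get_incident_cmd(incident_uuid, region="cn-shanghai"):
    """argv for get-incident; rejects anything that is not a 32-char hex UUID."""
    if not is_valid_uuid(incident_uuid):
        raise ValueError(f"invalid incident UUID: {incident_uuid!r}")
    return _base("get-incident", region) + ["--incident-uuid", incident_uuid,
                                             "--lang", "zh"] + REQUIRED_FLAGS

def build_trend_cmd(days, region="cn-shanghai", now=None):
    """argv for DescribeEventCountByThreatLevel over the last `days` days (epoch ms)."""
    end = int(now if now is not None else time.time()) * 1000  # no BSD `date -v` needed
    return ["aliyun", "cloud-siem", "DescribeEventCountByThreatLevel", "--RegionId", region,
            "--StartTime", str(end - days * 86_400_000), "--EndTime", str(end)] + REQUIRED_FLAGS
```

Pass the returned list to `subprocess.run(argv)` without `shell=True`; the rejected inputs surface as `ValueError` before any API call is made.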

Output Handling

Sensitive Data Policy:

  • DO NOT expose raw IP addresses in user-facing output (e.g., 192.168.1.100 → 192.168.*.***)
  • DO NOT display full instance IDs in plain text when not necessary
  • Summarize incident data instead of dumping raw JSON when presenting to users
  • API responses are for analysis only; present actionable insights, not raw data

Example Output Format:

发现 3 个高危事件:
1. [高危] 异常登录行为 - 影响资源: *** (UUID: b6515...)
2. [高危] 恶意进程检测 - 影响主机: 192.168.*.**

Quick Reference

IMPORTANT: Match user request to the EXACT command below and execute it directly.

| User Request Keywords | Action | EXACT Command to Execute |
|---|---|---|
| "查事件" / "安全事件列表" / "basic query" | Basic list | `aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10` |
| "未处理" / "还没处理" / "所有事件" / "unhandled" / "全部列出来" | All unhandled | `aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --incident-status 0 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10` |
| "高危" / "ThreatLevel>=4" / "high-risk" | High-risk | `aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 5,4 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10` |
| "中低风险" / "ThreatLevel 3,2" / "中危" / "低危" | Medium/low | `aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 3,2 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10` |
| "已处理" / "处理过" / "handled" / "IncidentStatus=10" / "状态是已处理" | Handled | `aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --incident-status 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10` |
| "第二页" / "第2页" / "翻到第2页" / "翻页" / "page 2" / "--page-number 2" | Pagination | `aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 2 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10` |
| "新加坡" / "Singapore" / "ap-southeast-1" | Singapore | `aliyun cloud-siem list-incidents --api-version 2024-12-12 --region ap-southeast-1 --page-number 1 --page-size 10 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10` |
| "UUID" / "详情" / "b6515eb76b73cd4995a902b6df5a766b" | Get detail | `aliyun cloud-siem get-incident --api-version 2024-12-12 --region cn-shanghai --incident-uuid <UUID> --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10` |
| "排查" / "先查列表再详情" / "完整排查" / "list then detail" | Multi-Step | See Workflow B below (both steps are mandatory!) |
| "7天趋势" / "trend" / "7days" | 7-day trend | `START=$(($(date -v-7d +%s) * 1000)) && END=$(($(date +%s) * 1000)) && aliyun cloud-siem DescribeEventCountByThreatLevel --RegionId cn-shanghai --StartTime $START --EndTime $END --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10` |
| "30天" / "月度" / "月度安全报告" / "monthly" / "月报" | 30-day trend | `START=$(($(date -v-30d +%s) * 1000)) && END=$(($(date +%s) * 1000)) && aliyun cloud-siem DescribeEventCountByThreatLevel --RegionId cn-shanghai --StartTime $START --EndTime $END --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10` |

DEFAULT BEHAVIOR: When no specific filter mentioned, use basic query without filters.

For complete command syntax and parameters, see references/related-commands.md.

Region Selection

CRITICAL: Use the correct region based on user request:

| User mentions | Region parameter |
|---|---|
| 新加坡 (Singapore) / Singapore / ap-southeast-1 | --region ap-southeast-1 |
| 上海 (Shanghai) / 国内 (domestic) / default / (nothing mentioned) | --region cn-shanghai |

IMPORTANT: When user asks for Singapore region:

  1. Use --region ap-southeast-1
  2. DO NOT include cn-shanghai anywhere in the command
  3. DO NOT explain - just execute the Singapore region command directly

Core Workflow

CRITICAL: Never create mock data. Report actual API errors.

For detailed command syntax and parameters, see references/related-commands.md.

Workflow Patterns

| Pattern | Trigger | API | Reference |
|---|---|---|---|
| Query Incidents | "查事件", "安全事件" | list-incidents | See Quick Reference table above |
| Get Details | "UUID", "详情" | get-incident | See Quick Reference table above |
| Event Trend | "趋势", "统计" | DescribeEventCountByThreatLevel | See related-commands.md |

Multi-Step Workflows

CRITICAL: Multi-step workflows require executing ALL steps. DO NOT skip any step!

Workflow A: Weekly Security Report (周报/安全报告)

Trigger: "周报", "security report" with statistics AND incident list

MUST execute BOTH commands in sequence:

# Step 1: Get 7-day statistics
START=$(($(date -v-7d +%s) * 1000)) && END=$(($(date +%s) * 1000)) && aliyun cloud-siem DescribeEventCountByThreatLevel --RegionId cn-shanghai --StartTime $START --EndTime $END --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10

# Step 2: Get high-risk incident list
aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 5,4 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10

Workflow B: Full Investigation (排查/完整排查)

Trigger Keywords: "排查", "先查...再查", "完整排查", "把详情也查出来"

CRITICAL: You MUST execute BOTH commands! DO NOT SKIP Step 2!

# Step 1: List high-risk incidents
aliyun cloud-siem list-incidents --api-version 2024-12-12 --region cn-shanghai --page-number 1 --page-size 10 --threat-level 5,4 --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10
# Output: {"Incidents": [{"IncidentUuid": "abc123def456...", ...}]}

# Step 2: Extract IncidentUuid from Step 1, then get details (REQUIRED!)
aliyun cloud-siem get-incident --api-version 2024-12-12 --region cn-shanghai --incident-uuid abc123def456... --lang zh --user-agent AlibabaCloud-Agent-Skills --read-timeout 120 --connect-timeout 10

Example: "帮我做个完整的安全事件排查:先查高危事件列表,然后把第一条事件的详情也查出来" ("Do a full security incident investigation for me: list the high-risk incidents first, then also fetch the details of the first one")

  1. Call list-incidents with --threat-level 5,4
  2. Extract IncidentUuid from Incidents[0].IncidentUuid
  3. Call get-incident with that UUID
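The Output Handling rules and steps 2-3 of Workflow B as code, added here and not part of the skill package (nor its referenced scripts/siem_client.py): the first IncidentUuid is validated before it is reused as a CLI argument, and the user-facing summary masks IPs and instance IDs instead of echoing raw JSON. The sample response is constructed; apart from Incidents and IncidentUuid, the field names and the Chinese level labels are assumptions.

```python
import json
import re

UUID_RE = re.compile(r"^[a-f0-9]{32}$")
IP_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}\b")
INSTANCE_RE = re.compile(r"\bi-[0-9a-z]+\b")             # ECS-style instance id (assumed)
LEVEL_NAMES = {5: "严重", 4: "高危", 3: "中危", 2: "低危", 1: "信息"}  # assumed labels

# Constructed stand-in for a list-incidents response; the page only documents
# "Incidents" and "IncidentUuid", the other field names are assumptions.
SAMPLE_LIST_RESPONSE = json.loads("""{
  "RequestId": "00000000-0000-0000-0000-000000000000",
  "Incidents": [
    {"IncidentUuid": "b6515eb76b73cd4995a902b6df5a766b", "ThreatLevel": 4,
     "IncidentName": "异常登录行为", "AssetName": "i-bp1example (192.168.1.100)"},
    {"IncidentUuid": "0f3c9a7d2b1e4c5a6d7e8f9a0b1c2d3e", "ThreatLevel": 5,
     "IncidentName": "恶意进程检测", "AssetName": "10.0.5.23"}
  ]
}""")

def mask_sensitive(text):
    """Output Handling rules: 192.168.1.100 -> 192.168.*.***, i-bp1example -> i-bp1***."""
    text = IP_RE.sub(r"\1.\2.*.***", text)
    return INSTANCE_RE.sub(lambda m: m.group(0)[:5] + "***", text)

def first_incident_uuid(list_response):
    """Workflow B step 2: take Incidents[0].IncidentUuid, validated before it is reused
    as a CLI argument (an unexpected value from the API must not be passed through)."""
    incidents = list_response.get("Incidents") or []
    if not incidents:
        return None
    uuid = str(incidents[0].get("IncidentUuid", ""))
    if not UUID_RE.match(uuid):
        raise ValueError(f"unexpected IncidentUuid in API response: {uuid!r}")
    return uuid

def summarize(list_response):
    """Render the user-facing summary in the page's format instead of dumping raw JSON."""
    incidents = list_response.get("Incidents") or []
    lines = [f"发现 {len(incidents)} 个高危事件:"]
    for i, inc in enumerate(incidents, 1):
        level = LEVEL_NAMES.get(inc.get("ThreatLevel"), "未知")
        asset = mask_sensitive(str(inc.get("AssetName", "***")))
        short_uuid = str(inc.get("IncidentUuid", ""))[:5] + "..."
        lines.append(f"{i}. [{level}] {inc.get('IncidentName', '未命名事件')} "
                     f"- 影响资源: {asset} (UUID: {short_uuid})")
    return "\n".join(lines)
```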

Success Verification

  1. list-incidents returns JSON with RequestId and Incidents array
  2. get-incident returns JSON with Incident object
  3. DescribeEventCountByThreatLevel returns Data object

Detailed verification: references/verification-method.md

Reference Links

| Document | Description |
|---|---|
| references/ram-policies.md | RAM permission policy |
| references/related-commands.md | Command syntax and parameters |
| references/acceptance-criteria.md | Correct usage patterns |
| references/verification-method.md | Verification methods |
| references/cli-installation-guide.md | CLI installation guide |
Safe Usage Advice
This skill is internally consistent: it runs Aliyun CLI cloud-siem commands and expects your Alibaba Cloud credentials to already be configured (via aliyun configure, instance role, or an existing profile). Before installing or invoking it:
  1. Confirm you trust the source and that the Aliyun CLI/plugin installs come from the official aliyuncdn/official repos;
  2. Ensure credentials are configured with least privilege (create a RAM policy limited to the listed actions) and avoid pasting secrets into chat;
  3. Note that some reference docs mention helper scripts (e.g., scripts/siem_client.py) which are not included — you will not be able to run those verification scripts unless you obtain them separately;
  4. If you allow autonomous agent invocation, be aware the agent can run the CLI commands against your cloud account (this is expected behavior for this kind of skill) — verify the credential profile used and restrict permissions accordingly.
Functionality Analysis
Type: OpenClaw Skill
Name: alibabacloud-sas-incident-manage
Version: 0.0.1
The skill bundle is a legitimate tool for managing Alibaba Cloud Security Center (Cloud SIEM) incidents via the Aliyun CLI. It provides detailed instructions for querying incidents, retrieving details, and analyzing threat trends using the correct API versions (2024-12-12). The documentation (SKILL.md, related-commands.md) includes strong security guardrails, such as masking IP addresses in user-facing output and strictly prohibiting the agent from reading, printing, or requesting credentials. No evidence of malicious intent, data exfiltration, or unauthorized command execution was found.
Capability Tags
requires-wallet
Capability Assessment
Purpose & Capability
Name/description describe querying Cloud SIEM incidents and the instructions exclusively call the Aliyun CLI cloud-siem commands and related APIs. Required capabilities and flags are appropriate for that purpose.
Instruction Scope
Runtime instructions are focused on installing the Aliyun CLI plugin and running specific cloud-siem commands with strict flags and validation. Minor issues: multiple reference docs (verification, RAM/policies) refer to scripts (e.g., scripts/siem_client.py) that are not included in the package; the SKILL.md and references also contain numerous example CLI commands and config examples which are intended for the user rather than agent code.
Install Mechanism
This is an instruction-only skill (no install spec). Installation guidance points to the official Aliyun CDN and the Aliyun CLI plugin — legitimate, known sources. No arbitrary download hosts, shorteners, or extract+execute from unknown servers are present.
Credentials
The skill does not declare environment variables but explicitly relies on the Aliyun CLI default credential chain and the user's configured credentials (~/.aliyun/config.json, profiles, or ECS RAM role). This is proportionate to cloud API access, but the registry metadata did not list the config path even though docs reference it. The skill forbids printing or asking for credentials, which is good, but examples show non-interactive commands that include secrets (these are user examples — not runtime requirements).
Persistence & Privilege
always is false and the skill does not request to persist or modify agent/system-wide settings. There is no indication it writes to other skills' configs or requests elevated platform privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog: /install alibabacloud-sas-incident-manage
  3. After installation, call the Skill by name directly or trigger it with /alibabacloud-sas-incident-manage
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version History
v0.0.1
alibabacloud-sas-incident-manage v0.0.1 – Initial release
  • Provides incident management for Alibaba Cloud Security Center via standardized CLI commands.
  • Supports querying incident lists, retrieving incident details, and analyzing threat trends.
  • Includes strict input validation, region selection, and output sanitization (e.g., masking sensitive data).
  • Enforces correct CLI usage: requires cloud-siem plugin, specific required flags, and prohibits fallback to incorrect APIs.
  • Multi-language trigger support and clear output policies for end-user interactions.
Metadata

| Field | Value |
|---|---|
| Slug | alibabacloud-sas-incident-manage |
| Version | 0.0.1 |
| License | MIT-0 |
| Total installs | 0 |
| Current installs | 0 |
| Version count | 1 |
FAQ

What is Alibabacloud Sas Incident Manage?

Alibaba Cloud Security Center incident management skill. Query security incidents, threat trends, and incident details. Triggers: "云安全中心", "安全事件", "事件查询", "安... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 98 downloads to date.

How do I install Alibabacloud Sas Incident Manage?

Run the command /install alibabacloud-sas-incident-manage in the OpenClaw or Claude Code dialog to install it in one step; no additional configuration is required.

Is Alibabacloud Sas Incident Manage free?

Yes, Alibabacloud Sas Incident Manage is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does Alibabacloud Sas Incident Manage support?

Alibabacloud Sas Incident Manage runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Alibabacloud Sas Incident Manage?

Developed and maintained by alibabacloud-skills-team (@sdk-team); the current version is v0.0.1.
