> Skill Scope Notes:
> - This skill is designed to use Aliyun CLI cloudfw commands as its primary data source.
> - It does not depend on local log files, SIEM exports, or direct host access.
> - It does not require SSH or direct connections to server IPs.
> - For IP-focused investigations, prefer DescribeRiskEventGroup with --SrcIP or --DstIP.
Query and analyze IPS (Intrusion Prevention System) security events and alerts detected by Alibaba Cloud Firewall, helping quickly locate threats and provide remediation recommendations.
Architecture: Cloud Firewall Service → IPS Engine → Event Detection + Attack Analysis + Protection Configuration
Capability Level: Query (read-only)
Data Source: All data is obtained exclusively through Aliyun CLI commands (aliyun cloudfw ...). No log files, no databases, no server access, no SIEM — just CLI commands. Do NOT search the workspace for files. Do NOT ask the user for anything. Just run the commands.
Core Capabilities:
> Pre-check: Aliyun CLI >= 3.3.3 required
> Run aliyun version to verify >= 3.3.3. If not installed or version too low,
> run curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash to install/update,
> or see references/cli-installation-guide.md for installation instructions.
> Pre-check: Aliyun CLI plugin update required
> [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.
> [MUST] run aliyun plugin update to ensure that any existing plugins are always up-to-date.
[MUST] CLI User-Agent — Every aliyun CLI command invocation must include:
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-ips-event
At the start of the Core Workflow (before any CLI invocation):
[MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution.
Run the following commands before any CLI invocation:
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-cfw-ips-event"
[MUST] Disable AI-Mode at EVERY exit point — Before delivering the final response for ANY reason, always disable AI-mode first. This applies to ALL exit paths: workflow success, workflow failure, error/exception, user cancellation, session end, or any other scenario where no further CLI commands will be executed.
AI-mode is only used for Agent Skill invocation scenarios and MUST NOT remain enabled after the skill stops running.
aliyun configure ai-mode disable
> Pre-check: Alibaba Cloud Credentials Required
>
> Security Rules:
> - NEVER read, echo, print, cat, or display AK/SK values under any circumstances
> - NEVER ask the user to input AK/SK directly in the conversation or command line
> - NEVER use aliyun configure set with literal credential values
> - ONLY use aliyun configure list to check credential status
>
> ```bash
> aliyun configure list
> ```
>
> Check the output for a valid profile (AK, STS, or OAuth identity).
>
> If no valid profile exists, STOP here.
> 1. Obtain credentials from Alibaba Cloud Console
> 2. Configure credentials outside of this session (via aliyun configure in terminal or environment variables in shell profile)
> 3. Return and re-run after aliyun configure list shows a valid profile
> [MUST] RAM Permission Pre-check: Before executing any commands, verify the current user has the required permissions.
> 1. Use ram-permission-diagnose skill to get current user's permissions
> 2. Compare against references/ram-policies.md
> 3. Abort and prompt user if any permission is missing
Minimum required permissions — see references/ram-policies.md for full policy JSON.
Alternatively, attach the system policy: AliyunYundunCloudFirewallReadOnlyAccess
> IMPORTANT: Parameter Confirmation — Before executing any command or API call,
> check if the user has already provided necessary parameters in their request.
> - If the user's request explicitly mentions a parameter value (e.g., "check IPS alerts for the last 7 days" means use 7-day time range), use that value directly without asking for confirmation.
> - For optional parameters with sensible defaults (PageSize, CurrentPage, time ranges), use the defaults without asking unless the user indicates otherwise.
> - Do NOT re-ask for parameters that the user has clearly stated.
| Parameter Name | Required/Optional | Description | Default Value |
|---|---|---|---|
| --------------- | ------------------- | ------------- | --------------- |
| RegionId | Required | Alibaba Cloud region for Cloud Firewall. Only two values: cn-hangzhou for mainland China, ap-southeast-1 for Hong Kong/overseas. | cn-hangzhou (use directly without asking; only use ap-southeast-1 if user explicitly mentions Hong Kong/overseas/international) |
| StartTime | Required for most APIs | Start time for alert queries (Unix timestamp in seconds) | 24 hours ago for "today", 7 days ago for "recently"/"this week" (use without asking) |
| EndTime | Required for most APIs | End time for alert queries (Unix timestamp in seconds) | Current time (use without asking) |
| PageSize | Optional | Number of items per page for paginated APIs | 50 (use without asking) |
| CurrentPage | Optional | Page number for paginated APIs | 1 (use without asking) |
Treat all Agent-provided inputs as untrusted. Validate before building CLI commands.
Validation rules:
RegionId: must be exactly one of cn-hangzhou or ap-southeast-1.StartTime / EndTime: must be 10-digit Unix seconds (^[0-9]{10}$), and StartTime < EndTime.CurrentPage: positive integer (>=1).PageSize: integer in range 1-100.SrcIP / DstIP: must be valid IPv4 format only (a.b.c.d, each octet 0-255).Safe command construction rules:
> CRITICAL: Continue on failure. If any individual API call fails, do NOT stop the entire workflow.
> Log the error for that step, then proceed to the next step. Present whatever data was successfully collected.
For each API call:
Throttling.User, ServiceUnavailable, HTTP 500/502/503), retry up to 2 times with a 3-second delay between retries.InvalidParameter, Forbidden, InvalidAccessKeyId), do NOT retry. Record the error and move on.Before any API call, explicitly set CLI timeouts:
export ALIBABA_CLOUD_CONNECT_TIMEOUT=10
export ALIBABA_CLOUD_READ_TIMEOUT=30
ALIBABA_CLOUD_CONNECT_TIMEOUT=10: fast fail for connect timeout.ALIBABA_CLOUD_READ_TIMEOUT=30: prevent long-running hangs per request.If Step 1 (DescribeRiskEventStatistic) returns all zeros:
The workflow steps have these dependencies:
When presenting the final summary report:
All API calls use the Aliyun CLI cloudfw plugin.
Request/response schemas are maintained only in references/api-analysis.md. Do not duplicate field-by-field descriptions in this file.
User-Agent: All commands must include --user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-ips-event
Region: Specified via --region {RegionId} global flag
> CRITICAL: This skill is read-only (query only). All commands below are safe, read-only queries that do not modify any cloud resources.
> Before executing, confirm the execution plan with the user: briefly list which steps will be executed and the target region. Proceed only after user confirmation.
> Do NOT ask the user which specific APIs to call or what data sources to use — those are determined by the workflow below.
> The intent routing table below is for optimization only — if the user's intent is unclear, plan to execute ALL steps (Step 1-7) by default.
Automatically determine execution scope based on user wording. Present the execution plan to the user for confirmation before running commands:
| User Intent | Execution Steps |
|---|---|
| ------------- | ---------------- |
| Full alert analysis ("what IPS alerts today", "recent security events") | Execute all Steps 1-7 |
| Attacked asset investigation ("which assets were attacked most") | Execute Step 1 + Step 3 |
| Specific source IP alerts ("what alerts did this IP trigger") | Execute Step 2 (with --SrcIP filter) |
| Specific target asset/server alerts ("check attacks on x.x.x.x", "server 10.0.1.88 security alerts") | Execute Step 1 + Step 2 (with --DstIP filter) + Step 6 + Step 7 |
| Attack trend/types ("are attacks increasing recently") | Execute Step 1 + Step 4 + Step 5 |
| IPS configuration check ("what mode is IPS in", "rule library version") | Execute Step 6 + Step 7 |
Default behavior: If user intent cannot be clearly determined, plan to execute all Steps 1-7 and confirm with user before proceeding.
Some APIs require StartTime and EndTime parameters (Unix timestamp in seconds).
How to get timestamps: Run date +%s to get the current timestamp, date -d '1 day ago' +%s for 24 hours ago, date -d '7 days ago' +%s for 7 days ago. Then use the returned numeric values directly in CLI commands.
> IMPORTANT: Do NOT use bash variable substitution like $(date +%s) inside CLI commands — some execution environments block $(...). Instead, run date commands separately first, note the returned values, then use them as literal numbers in the --StartTime and --EndTime parameters.
Default time ranges:
StartTime = 24 hours agoStartTime = 7 days agoEndTime → always current timestampRetrieve overall alert statistics to understand the current security posture.
aliyun cloudfw describe-risk-event-statistic \
--StartTime {StartTime} \
--EndTime {EndTime} \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-ips-event
Retrieve grouped alert event list. This is the core data for analysis.
aliyun cloudfw describe-risk-event-group \
--CurrentPage 1 \
--PageSize 50 \
--StartTime {StartTime} \
--EndTime {EndTime} \
--DataType 1 \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-ips-event
Optional filter parameters (auto-added based on user intent, no confirmation needed):
--Direction in or --Direction out--SrcIP x.x.x.x (query "attacks initiated by a specific IP")--DstIP x.x.x.x (query "attacks on a specific server/IP", supports private IPs like 10.x.x.x)--VulLevel 3 (1=low, 2=medium, 3=high)> Key: When a user mentions a specific server or IP being attacked, use the --DstIP filter to query all attack records for that IP — no need to access the server itself.
Pagination: Check TotalCount. If it exceeds 50, increment CurrentPage.
Identify which assets are attack hotspots.
aliyun cloudfw describe-risk-event-top-attack-asset \
--StartTime {StartTime} \
--EndTime {EndTime} \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-ips-event
Understand the main threat types being faced.
aliyun cloudfw describe-risk-event-top-attack-type \
--StartTime {StartTime} \
--EndTime {EndTime} \
--Direction in \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-ips-event
If outbound attack types are also needed, make another call with --Direction out.
Note: This API requires the Direction parameter, otherwise it will return an error.
Understand which application-layer targets are being attacked.
aliyun cloudfw describe-risk-event-top-attack-app \
--StartTime {StartTime} \
--EndTime {EndTime} \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-ips-event
Check the current IPS run mode and protection capabilities.
aliyun cloudfw describe-default-ipsconfig \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-ips-event
aliyun cloudfw describe-signature-lib-version \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-ips-event
After collecting data, generate a report in the following structure. Center the analysis around alert events, covering three dimensions: "who is attacking", "what is being attacked", and "how effective is the response". Only show sections with actual data; if an API call failed, note it and continue.
Combine Step 1 statistics and Step 6 IPS configuration to display the current security posture:
Alert Statistics (Time Range: x):
| Metric | Value |
|---|---|
| -------- | ------- |
| Total Attack Events | x |
| Blocked | x |
| Observed/Alerted | x |
| Untreated | x |
| High / Medium / Low Severity | x / x / x |
IPS Configuration Status:
| Configuration Item | Status |
|---|---|
| ------------------- | -------- |
| Run Mode | Observe/Block |
| Basic Protection | Enabled/Disabled |
| Virtual Patches | Enabled/Disabled |
| Threat Intelligence | Enabled/Disabled |
| AI Engine | Enabled/Disabled |
| Rule Library Version | x (update time) |
If IPS is in observe mode and there are high-severity events, prominently flag: "IPS is currently in observe mode — high-severity attacks are NOT being blocked".
From Step 2, filter events with VulLevel=3 (high) or VulLevel=2 (medium with high event count), sorted by event count in descending order:
| Event Name | Attack Type | Source IP | Source Location | Target IP | Target Asset | Event Count | Handling Status | First Seen | Last Seen |
|---|---|---|---|---|---|---|---|---|---|
| ----------- | ------------ | ---------- | ---------------- | ---------- | ------------- | ------------ | ---------------- | ----------- | ---------- |
Handling status explanation:
Combine Step 3 data to display attack status by asset:
| Rank | Target IP | Resource Name | Resource Type | Region | Attack Count | Blocked | Block Rate |
|---|---|---|---|---|---|---|---|
| ------ | ---------- | -------------- | -------------- | -------- | ------------- | --------- | ------------ |
Focus on assets with low block rates — this means many attacks are only being observed, not blocked.
Combine Step 4 data:
| Attack Type | Attack Count | Blocked | Block Rate |
|---|---|---|---|
| ------------ | ------------- | --------- | ------------ |
Combine Step 5 data:
| Application | Attack Count | Blocked | Block Rate |
|---|---|---|---|
| ------------ | ------------- | --------- | ------------ |
Summarize source IP dimensions from Step 2 event data:
| Source IP | Source Country/City | Attack Count | Primary Attack Type | Target Asset Count | Handling Status |
|---|---|---|---|---|---|
| ---------- | ------------------- | ------------- | ------------------- | ------------------- | ---------------- |
Flag cases where the same source IP attacks multiple assets — this typically indicates organized scanning or attacks.
Generate specific recommendations based on actual data, sorted by priority. Each recommendation includes: Risk Description, Impact Scope, Recommended Action.
> Note: For any step that failed, show "N/A (error: {brief error})" for that section's data fields, and list all errors in the bottom section.
See references/verification-method.md for detailed verification steps.
Quick verification: If all CLI commands return valid JSON responses without error codes, the skill executed successfully.
Use references/related-apis.md as the single source of truth for API tables and command mappings.
CurrentPage and PageSize. Default to PageSize=50. If TotalCount exceeds PageSize, iterate through all pages.date +%s for current time, date -d '1 day ago' +%s for 24 hours ago, date -d '7 days ago' +%s for 7 days ago. Run these commands separately, then use the returned values as literal numbers in --StartTime and --EndTime. Do NOT use $(...) substitution inside CLI commands.cn-hangzhou (mainland China) and ap-southeast-1 (Hong Kong/overseas). Default to cn-hangzhou unless user specifies otherwise.DescribeRiskEventTopAttackType) requires the Direction parameter. Default to in (inbound). Query out separately if needed.Throttling.User error, wait 3 seconds and retry.RegionId, timestamp, pagination, and IP values before command execution.ALIBABA_CLOUD_CONNECT_TIMEOUT=10 and ALIBABA_CLOUD_READ_TIMEOUT=30 before workflow commands.| Reference | Description |
|---|---|
| ----------- | ------------- |
| references/related-apis.md | Complete API table with parameters |
| references/ram-policies.md | Required RAM permissions and policy JSON |
| references/verification-method.md | Step-by-step verification commands |
| references/acceptance-criteria.md | Correct/incorrect usage patterns |
| references/cli-installation-guide.md | Aliyun CLI installation guide |
| references/api-analysis.md | Detailed API parameter and response documentation |
共 1 个版本