This topic describes the types of ActionTrail events that can be published to EventBridge.

Background information

ActionTrail can be used as an event source for the following Alibaba Cloud services:

  • Apsara File Storage NAS
    Server Load Balancer (SLB)
    EventBridge
    CDN
    Elasticsearch
    DataV
    Cloud Enterprise Network
    ApsaraDB for HBase
    Key Management Service (KMS)
    City Visual Intelligence Engine
    Microservice Engine (MSE)
    ApsaraDB RDS
    DBAudit
    Container Service for Kubernetes
    Elastic Compute Service (ECS)
    PolarDB for MySQL
    Message Queue for Apache Kafka
    ActionTrail
    Intelligent Media Management
    Multimedia AI
    Resource Orchestration Service (ROS)
    Function Compute
    Smart Access Gateway
    Cloud Config
    ApsaraDB for Cassandra
    Virtual Private Cloud (VPC)
    Blockchain as a Service (BaaS)
    Cloud Video Conferencing
    Database File System (DBFS)
    Object Storage Service (OSS)
    Resource Access Management (RAM)
    Open Search
    Tablestore
    Cloud Monitor
    Batch Compute
    Cloud Photos
    Real-Time Communication
    Message Queue for Apache RocketMQ
    Dynamic Route for CDN (DCDN)
    LinkVisual
    Auto Scaling
    Elastic Container Instance (ECI)
    Container Registry
    Hologres
    ApsaraVideo for Media Processing
    AnalyticDB for MySQL
    Operation Orchestration Service (OOS)
    PolarDB-X
    Cloud Security Scanner
    Security Center
    E-MapReduce
    Fraud Detection
    Domains
    Data Transmission Service (DTS)
    Server Guard
    Quick BI
    ApsaraVideo VOD
    Edge Node Service (ENS)
    Performance Testing (PTS)
    ApsaraVideo Live
    IoT Platform
    Elastic High Performance Computing (E-HPC)
    PCDN
    AIRec

Event types

The following table describes the types of ActionTrail events that can be published to EventBridge.

Event type Value of the type parameter
Operations performed by Alibaba Cloud on resources actiontrail:ActionTrail:AliyunServiceEvent
API operation calls actiontrail:ActionTrail:ApiCall
Operations performed in the console actiontrail:ActionTrail:ConsoleOperation

For more information about the parameters defined in the CloudEvents specification, see Overview.

Notice EventBridge supports only write events in ActionTrail.

API operation calls

The following example shows the event that EventBridge receives when you call an API operation in OpenAPI Explorer:

{
    "acsRegion":"cn-hangzhou",
    "additionalEventData":{
        "Scheme":"http"
    },
    "apiVersion":"2014-05-26",
    "eventCategory":"Management",
    "eventId":"F7393A43-6A4A-4409-AEDD-8B1C47DE****",
    "eventName":"RunInstances",
    "eventRW":"Write",
    "eventSource":"ecs-cn-hangzhou-inner.aliyuncs.com",
    "eventTime":"2021-07-13T07:33:46Z",
    "eventType":"ApiCall",
    "eventVersion":"1",
    "referencedResources":{
        "ACS::ECS::Instance":[
            "i-0xiiz1v0vw4epqjc****"
        ],
        "ACS::ECS::SecurityGroup":[
            "sg-0xi2js0u6m03jbmv****"
        ],
        "ACS::ECS::Image":[
            "aliyun_2_1903_x64_20G_alibase_20200529.vhd"
        ],
        "ACS::ECS::KeyPair":[
            "sshkey-cn-hangzhou"
        ],
        "ACS::VPC::VSwitch":[
            "vsw-0xikxv8p1akh4ki43****"
        ]
    },
    "requestId":"F7393A43-6A4A-4409-AEDD-8B1C47DE45ED",
    "requestParameters":{
        "Amount":1,
        "VSwitchId":"vsw-0xikxv8p1akh4ki43****"
    },
    "resourceName":"i-0xiiz1v0vw4epqjc****;sg-0xi2js0u6m03jbmv****;aliyun_2_1903_x64_20G_alibase_20200529.vhd;sshkey-cn-hangzhou;vsw-0xikxv8p1akh4ki43****",
    "resourceType":"ACS::ECS::Instance;ACS::ECS::SecurityGroup;ACS::ECS::Image;ACS::ECS::KeyPair;ACS::VPC::VSwitch",
    "responseElements":{
        "RequestId":"F7393A43-6A4A-4409-AEDD-8B1C47DE45ED",
        "InstanceIdSets":{
            "InstanceIdSet":[
                "i-0xiiz1v0vw4epqjc****"
            ]
        }
    },
    "serviceName":"Ecs",
    "sourceIpAddress":"Internal",
    "userAgent":"AlibabaCloud (Linux; amd64) Java/1.8.0_102-b52 Core/4.5.3 HTTPClient/InternalHttpClient",
    "userIdentity":{
        "accessKeyId":"STS.NUQNP4PiGyckMsNiGELCs****",
        "accountId":"116214297662****",
        "principalId":"32886943330935****:ess-session-ecs_default",
        "sessionContext":{
            "attributes":{
                "mfaAuthenticated":"false",
                "creationDate":"2021-07-13T07:33:46Z"
            }
        },
        "type":"assumed-role",
        "userName":"aliyunserviceroleforautoscaling:ess-session-ecs_default"
    }
}

The following table describes the fields in the data parameter.

Note For more information about the newly added fields, see Announcement: ActionTrail will add new fields to event logs.
Field Type Required Example Description
acsRegion String Yes cn-hangzhou The ID of the region where the event occurred.
additionalEventData Json Yes Schema: "http" The additional information about the event. The following content describes the settings that represent different meanings:
  • This field has no practical significance.
    additionalEventData: {
      Schema: "http"
    }
  • This field provides additional information about a logon event.
    {
        "additionalEventData":{
            "callbackUrl":"https://homenew.console.aliyun.com/",
            "mfaChecked":"true"
        }
    }
  • This field provides the additional information about a MaxCompute-related event.
    {
      "additionalEventData": {
        "TableName": "table_1",
        "Partition": "dt=20210708,hh=17,region=cn-shenzhen",
        "CurrentProject": "project_1",
        "ProjectName": "project_1",
        "SesssionId": "202107081800166d37d****"
      }
    }
apiVersion String No 2014-05-26 The version of the API operation that was called. If the eventType field is set to ApiCall, the event log records an API operation.
eventCategory String Yes Management The type of the event.

This field is set to Management, which indicates that the event is a management event.

eventId String Yes F23A3DD5-7842-4EF9-9DA1-3776396A**** The ID of the event. ActionTrail generates a globally unique identifier (GUID) for each event.
eventName String Yes CreateNetworkInterface The name of the event.
  • If the eventType field is set to ApiCall, this field is set to the name of the API operation that was called.
  • If the eventType field is not set to ApiCall, this field is set to a string that indicates the action recorded in the event log.
eventRW String Yes Write The read/write type of the event. Valid values:
  • Write: indicates a write event.
  • Read: indicates a read event.
eventSource String Yes ecs.aliyuncs.com The source of the event.
eventTime String Yes 2020-01-09T12:12:14Z The time when the event occurred, in UTC.
eventType String Yes ApiCall The type of the action that was recorded in the event log. Valid values:
  • ApiCall: indicates that an API operation was called. The consoles of most Alibaba Cloud services are developed based on APIs. If an action was performed in these consoles, ActionTrail records the action as ApiCall.
  • ConsoleOperation (ConsoleCall): indicates that an action was performed in the consoles or on the buy pages of specific Alibaba Cloud services. These consoles or buy pages are not developed based on APIs. If an action was performed in these consoles or on these buy pages, ActionTrail records this action as ConsoleOperation or ConsoleCall. For an action of this type, the value of the eventName field is a string that indicates the action.
  • AliyunServiceEvent: indicates that Alibaba Cloud performed an action on your resources. For example, Alibaba Cloud released a subscription instance upon expiration.
  • PasswordReset: indicates that your password was reset.
  • ConsoleSignin: indicates a logon to a console.
  • ConsoleSignout: indicates a logoff from a console.
eventVersion String Yes 1 The version of the event log format. The current version is 1.
errorCode String No NoPermission The error code returned if an error occurred during the processing of the API request. ·
errorMessage String No You are not authorized. The error message returned if an error occurred during the processing of the API request.
requestId String Yes F23A3DD5-7842-4EF9-9DA1-3776396AD58D The ID of the API request.
requestParameters Dictionary No N/A The parameters specified in the API request.
requestParameterJson String No "{"AcsHost":"actiontrail.cn-hangzhou.aliyuncs.com","AcsProduct":"Actiontrail","RequestId":"32B8BA8F-3738-46D3-BCCA-1B2257AEF9BB","AcceptLanguage":"zh-CN","Region":"cn-hangzhou","HostId":"actiontrail.cn-hangzhou.aliyuncs.com","Name":"create-service-tmp"}" The parameters specified in the API request. This field is in the JSON format and serves the same purpose as the requestParameters field.
Note This field applies only to the events that are delivered to Log Service.
responseElements Dictionary No N/A The response returned for the API request.
referencedResources Dictionary No N/A The list of resources that the action recorded in the event log involves.
serviceName String Yes Ecs The name of the Alibaba Cloud service to which the event log belongs.
sourceIpAddress String Yes 11.168.XX.XX The IP address from which the event occurred.
userAgent String Yes Apache-HttpClient/4.5.7 (Java/1.8.0_152) The user agent that sent the API request. Examples:
  • AlibabaCloud (Linux 3.10.0-693.2.2.el7.x86_64;x86_64) Python/2.7.5 Core/2.13.16 python-requests/2.18.3
  • Apache-HttpClient/4.5.7 (Java/1.8.0_152)
userIdentity Dictionary Yes N/A The identity information about the requester.

The following table describes the fields that userIdentity contains.

Field Type Required Example Description
type String Yes ram-user The type of the identity. Valid values:
  • root-account: indicates an Alibaba Cloud account.
  • ram-user: indicates a RAM user.
  • assumed-role: indicates a RAM role.
  • system: indicates an Alibaba Cloud service.
principalId String Yes 28815334868278**** The ID of the requester.
  • If the type field is set to root-account, this field is set to the ID of the Alibaba Cloud account.
  • If the type field is set to ram-user, this field is set to the ID of the RAM user.
  • If the type field is set to assumed-role, this field is set to a string in the RoleID:RoleSessionName format.
accountId String Yes 112233445566**** The ID of the Alibaba Cloud account.
accessKeyId String No 55nCtAwmPLkk**** The AccessKey ID that is used by the requester.
  • If the requester sent the API request by using an SDK, this field is recorded.
  • If the requester logged on to the Alibaba Cloud Management Console, this field is not recorded.
userName String No Alice The name of the requester.
  • If the type field is set to ram-user, this field is set to the name of the RAM user.
  • If the type field is set to assumed-role, this field is set to a string in the RoleName:RoleSessionName format.
sessionContext String No {"attributes": {"mfaAuthenticated": "true", "creationDate": "2020-01-09T12:12:14Z" } The session context recorded when the requester called an API operation by using a Security Token Service (STS) token or logged on to the Alibaba Cloud Management Console. The session context contains the following attributes:
  • creationDate: the time when the STS token was created.
  • mfaAuthenticated: indicates whether multi-factor authentication was used for logging on to the Alibaba Cloud Management Console.