If you log on to the Alibaba Cloud Management Console by using an Alibaba Cloud account, a logon event (ConsoleSignin) is generated. This topic describes sample logon events and the fields in the sample logon events.

Example 1: Logon event in which MFA is disabled

In the following sample event, the Alibaba Cloud account 151266687691**** is used to log on to the Alibaba Cloud Management Console at 08:00:00 (UTC+8) on January 1, 2021, and multi-factor authentication (MFA) is disabled.

{
  "eventId": "2546c4b7-6b56-403e-97d3-500d8d29****",
  "eventVersion": 1,
  "eventSource": "http://account.aliyun.com/login/login_aliyun.htm",
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/19A5307g Ariver/1.1.0 AliApp(AP/10.2.28.6000) Nebula WK RVKType(1) AlipayDefined(nt:WIFI,ws:390|780|3.0) AlipayClient/10.2.28.6000 Language/zh-Hans Region/CN NebulaX/1.0.0",
  "eventType": "ConsoleSignin",
  "userIdentity": {
    "accountId": "151266687691****",
    "principalId": "151266687691****",
    "type": "root-account",
    "userName": "root"
  },
  "serviceName": "AasCustomer",
  "additionalEventData": {
    "loginAccount": "Alice",
    "isMFAChecked": "false"
  },
  "extend": "2",
  "requestId": "2546c4b7-6b56-403e-97d3-500d8d2****",
  "eventTime": "2021-01-01T00:00:00Z",
  "isGlobal": true,
  "acsRegion": "cn-hangzhou",
  "eventName": "ConsoleSignin"
}

The sample event contains the following key fields:

  • eventName: the name of the event. The value in the sample event is ConsoleSignin, which indicates a console logon event.
  • userIdentity.accountId: the ID of the Alibaba Cloud account that is used by the requester.
  • userIdentity.type: the identity type of the requester. The value in the sample event is root-account, which indicates an Alibaba Cloud account.
  • eventTime: the time when the event is generated, in UTC. The value in the sample event is 2021-01-01T00:00:00Z, which corresponds to 08:00:00 (UTC+8) on January 1, 2021.
  • additionalEventData.isMFAChecked: indicates whether MFA is enabled. The value in the sample event is false, which indicates that MFA is disabled.

Example 2: Logon event in which MFA is enabled

In the following sample event, the Alibaba Cloud account 151266687691**** is used to log on to the Alibaba Cloud Management Console at 08:00:00 (UTC+8) on January 1, 2021, and MFA is enabled.

{
  "eventId": "2546c4b7-6b56-403e-97d3-500d8d29****",
  "eventVersion": 1,
  "eventSource": "http://account.aliyun.com/account_init/skip2Login.htm",
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",
  "eventType": "ConsoleSignin",
  "userIdentity": {
    "accountId": "151266687691****",
    "principalId": "151266687691****",
    "type": "root-account",
    "userName": "root"
  },
  "serviceName": "AasCustomer",
  "additionalEventData": {
    "loginAccount": "Alice",
    "isMFAChecked": "true"
  },
  "extend": "2",
  "requestId": "2546c4b7-6b56-403e-97d3-500d8d29****",
  "eventTime": "2021-01-01T00:00:00Z",
  "isGlobal": true,
  "acsRegion": "cn-hangzhou",
  "eventName": "ConsoleSignin"
}

The sample event contains the following key fields:

  • eventName: the name of the event. The value in the sample event is ConsoleSignin, which indicates a console logon event.
  • userIdentity.accountId: the ID of the Alibaba Cloud account that is used by the requester.
  • userIdentity.type: the identity type of the requester. The value in the sample event is root-account, which indicates an Alibaba Cloud account.
  • additionalEventData.isMFAChecked: indicates whether MFA is enabled. The value in the sample event is true, which indicates that MFA is enabled.
  • eventTime: the time when the event is generated, in UTC. The value in the sample event is 2021-01-01T00:00:00Z, which corresponds to 08:00:00 (UTC+8) on January 1, 2021.

Example 3: Failed logon event

In the following sample event, the Alibaba Cloud account 151266687691**** failed to log on to the Alibaba Cloud Management Console at 08:00:00 (UTC+8) on January 1, 2021.

{
  "eventId": "6da1622f55a9c5d7a0c4f462fd81****",
  "eventVersion": 1,
  "errorMessage": "Invalid password",
  "eventSource": "https://passport.aliyun.com/mini_login.htm?lang=zh_CN&appName=aliyun&appEntrance=new_aliyun_v2&styleType=vertical&bizParams=&notLoadSsoView=true&notKeepLogin=true&isMobile=false&regUrl=https%3A%2F%2Faccount.aliyun.com%2Fregister%2Fqr_register.htm%3Foauth_callback%3Dhttps%253A%252F%252Factiontrail.console.aliyun.com%252Fcn-hangzhou%252Fevent-list&returnUrl=https%3A%2F%2Faccount.aliyun.com%2Flogin%2Flogin_aliyun.htm%3Foauth_callback%3Dhttps%253A%252F%252Factiontrail.console.aliyun.com%252Fcn-hangzhou%252Fevent-list&cssUrl=https%3A%2F%2Fg.alicdn.com%2Fdawn%2Faliyun-account-styles%2F0.0.1%2Flogin-embedder.css&pageversion=v1&rnd=0.16498232922940215",
  "errorCode": "login_illegal_password",
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36",
  "eventRW": "Write",
  "eventType": "ApiCall",
  "userIdentity": {
    "accountId": "151266687691****",
    "principalId": "151266687691****",
    "type": "root-account",
    "userName": "root"
  },
  "serviceName": "AasCustomer",
  "extend": "false",
  "requestId": "6da1622f55a9c5d7a0c4f462fd81****",
  "eventTime": "2021-01-01T00:00:00Z",
  "isGlobal": true,
  "acsRegion": "cn-hangzhou",
  "eventName": "ConsoleSignin"
}

The sample event contains the following key fields:

  • eventName: the name of the event. The value in the sample event is ConsoleSignin, which indicates a console logon event.
  • userIdentity.accountId: the ID of the Alibaba Cloud account that is used by the requester.
  • userIdentity.type: the identity type of the requester. The value in the sample event is root-account, which indicates an Alibaba Cloud account.
  • eventTime: the time when the event is generated, in UTC. The value in the sample event is 2021-01-01T00:00:00Z, which corresponds to 08:00:00 (UTC+8) on January 1, 2021.
  • errorCode: the error code. The value in the sample event is login_illegal_password, which indicates that the password is invalid.
  • errorMessage: the error message. The value in the sample event is Invalid password, which indicates that the logon failure is caused by an invalid password.
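
The following triage script is an added example, not part of the original topic or of ActionTrail itself. It applies the fields described in the three samples to flag logons without MFA and failed logons. The finding labels and function names are hypothetical, and the input is constructed from the sample events, reduced to the documented fields.

```python
import json
from datetime import datetime, timedelta, timezone

UTC8 = timezone(timedelta(hours=8))

# Constructed input: the three sample events above, reduced to the documented fields.
SAMPLE_EVENTS = json.dumps([
    {"eventName": "ConsoleSignin", "eventTime": "2021-01-01T00:00:00Z",
     "userIdentity": {"accountId": "151266687691****", "type": "root-account"},
     "additionalEventData": {"isMFAChecked": "false"}},
    {"eventName": "ConsoleSignin", "eventTime": "2021-01-01T00:00:00Z",
     "userIdentity": {"accountId": "151266687691****", "type": "root-account"},
     "additionalEventData": {"isMFAChecked": "true"}},
    {"eventName": "ConsoleSignin", "eventTime": "2021-01-01T00:00:00Z",
     "errorCode": "login_illegal_password", "errorMessage": "Invalid password",
     "userIdentity": {"accountId": "151266687691****", "type": "root-account"}},
])

def to_utc8(event_time):
    """Convert the UTC eventTime string to an ISO 8601 timestamp in UTC+8."""
    utc = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc.astimezone(UTC8).isoformat()

def classify(event):
    """Return a finding label (hypothetical names) for one event, or None."""
    if event.get("eventName") != "ConsoleSignin":
        return None
    if event.get("errorCode"):
        return "failed-logon:" + event["errorCode"]
    # isMFAChecked is the string "true"/"false", so compare text: bool("false") is True.
    # Assumption: a missing field is treated the same as "false".
    mfa = str(event.get("additionalEventData", {}).get("isMFAChecked", "false"))
    if mfa.lower() != "true":
        is_root = event.get("userIdentity", {}).get("type") == "root-account"
        return "root-logon-without-mfa" if is_root else "logon-without-mfa"
    return None

def triage(raw_json):
    """Return (local time, account ID, finding) for every event that needs review."""
    findings = []
    for event in json.loads(raw_json):
        label = classify(event)
        if label:
            account = event.get("userIdentity", {}).get("accountId", "unknown")
            findings.append((to_utc8(event["eventTime"]), account, label))
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(*row)
```

The failed-logon sample carries no additionalEventData object, so the script checks errorCode before it reads isMFAChecked.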