
ActionTrail: Management event structure

Last Updated: Jan 22, 2024

This topic describes the key fields in a management event and provides an example of a management event.

Key fields

Field

Description

acsRegion

The ID of the region where the management event is generated.

additionalEventData

The additional information about the management event.

apiVersion

If the value of eventType is ApiCall, the management event records an API operation call. In this case, the field indicates the version of the API operation.

eventCategory

The type of the event. Valid values: Management, which indicates a management event.

eventId

The ID of the management event.

eventName

The name of the management event.

  • If the value of eventType is ApiCall, the value of this field is the name of the API operation that is called.

  • If the value of eventType is not ApiCall, the value of this field indicates the operation that is recorded in the management event.

eventRW

The read/write type of the management event. Valid values:

  • Write: indicates a write event.

  • Read: indicates a read event.

eventSource

The source of the management event.

eventTime

The time when the management event is generated, in UTC.

eventType

The type of the operation that is recorded in the management event. Valid values:

  • ApiCall: indicates that an API operation is called.

  • ConsoleOperation: indicates that a management operation is performed in the console or on the buy page of a specific Alibaba Cloud service.

  • ConsoleSignin: indicates a logon to the Alibaba Cloud Management Console.

  • ConsoleSignout: indicates a logoff from the Alibaba Cloud Management Console.

  • AliyunServiceEvent: indicates that Alibaba Cloud performs a management operation on the resources that you own. For example, Alibaba Cloud releases an expired subscription instance.

eventVersion

The format version of the management event. The current version is 1.

errorCode

The error code that is returned when an error occurs during the processing of the API request.

errorMessage

The error message that is returned when an error occurs during the processing of the API request.

requestId

The request ID.

requestParameters

The parameters specified in the API request.

requestParameterJson

The parameters specified in the API request, in the JSON format. This field serves the same purpose as the requestParameters field.

resourceName

The name of the event-associated resource. The name is the unique identifier of the resource.

Note

The names of resources of the same type are separated by commas (,). The names of resources of different types are separated by semicolons (;).

resourceType

The type of the event-associated resource.

Note

Multiple resource types are separated by semicolons (;).

responseElements

The response that is returned for the API request.

referencedResources

The resources that are involved in the management event.

serviceName

The name of the Alibaba Cloud service for which the management event is generated.

sourceIpAddress

The IP address from which the management event is generated.

userAgent

The agent that sends the API request.

isGlobal

Indicates whether the event is a global event. Valid values:

  • true

  • false

eventAttributes

The attribute of the event.

For more information, see Fields included in eventAttributes.

userIdentity

The identity information about the requester.

For more information, see Fields included in userIdentity in this topic.
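The resourceType and resourceName delimiters described in the table above can be split into the same type-to-names shape that referencedResources uses in the example event. This is an added example, not code from the ActionTrail documentation; it assumes the n-th group of names belongs to the n-th resource type, and the function names and sample values are constructed.

```python
def split_resources(resource_type, resource_name):
    """Pair resourceType with resourceName.

    ';' separates resource types (and the name groups of different types),
    ',' separates names of the same type.
    Assumption: the n-th name group belongs to the n-th type.
    """
    types = [t.strip() for t in (resource_type or "").split(";") if t.strip()]
    groups = [g for g in (resource_name or "").split(";") if g.strip()]
    paired = {}
    for rtype, group in zip(types, groups):
        names = [n.strip() for n in group.split(",") if n.strip()]
        paired.setdefault(rtype, []).extend(names)
    # Types or name groups without a partner are kept, not dropped,
    # so a malformed record can still be reviewed.
    leftover = {"types": types[len(groups):], "names": groups[len(types):]}
    return paired, leftover


def event_resources(event):
    """Apply split_resources to the two fields of one management event."""
    return split_resources(event.get("resourceType"), event.get("resourceName"))


# Constructed sample values, not taken from a real trail.
SAMPLE = {
    "resourceType": "ACS::ECS::Instance;ACS::ECS::Disk",
    "resourceName": "i-constructed-01,i-constructed-02;d-constructed-01",
}

if __name__ == "__main__":
    print(event_resources(SAMPLE))
```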

Table 1. Fields included in eventAttributes

Field

Description

SensitiveAction

Indicates whether the operation that is recorded in the event is a sensitive operation. Valid values: true.

Table 2. Fields included in userIdentity

Field

Description

type

The identity type. Valid values:

  • root-account: indicates an Alibaba Cloud account.

  • ram-user: indicates a Resource Access Management (RAM) user.

  • assumed-role: indicates a RAM role.

  • system: indicates an Alibaba Cloud service.

  • cloudsso-user: indicates a CloudSSO user.

  • saml-user: indicates an enterprise-specific identity based on Security Assertion Markup Language (SAML).

  • alibaba-cloud-account: indicates the identity that is authorized to perform a cross-account operation.

  • oidc-user: indicates an enterprise-specific identity based on OIDC.

principalId

The ID of the requester. You can use this field together with the type field to confirm the identity of the requester.

  • If the value of the type field is root-account, the value of this field is the ID of the Alibaba Cloud account.

  • If the value of type is ram-user, the value of this field is the ID of the RAM user.

  • If the type field is set to assumed-role, the value of this field is in the RoleID:RoleSessionName format.

  • If the value of type is cloudsso-user, the value of this field is the ID of the CloudSSO user.

  • If the value of type is alibaba-cloud-account, the value of this field is one of the following IDs:

    • If the requester uses an Alibaba Cloud account to perform an operation on the resources within another Alibaba Cloud account, the value of this field is the ID of the first Alibaba Cloud account.

    • If the requester uses a RAM user to perform an operation on the resources within another Alibaba Cloud account, the value of this field is the ID of the RAM user.

    • If the requester assumes a RAM role to perform an operation on the resources within another Alibaba Cloud account, the value of this field is in the RoleID:RoleSessionName format.

  • If the value of type is saml-user, oidc-user, or system, the principalId field is not recorded.

accountId

The ID of the Alibaba Cloud account of the requester.

accessKeyId

The AccessKey ID that is used by the requester.

  • If the requester sends an API request by using an SDK, this field is recorded.

  • If the requester performs an operation in the Alibaba Cloud Management Console, this field is not recorded.

  • If the requester sends an API request by using a Security Token Service (STS) token, this field is set to the temporary AccessKey ID.

userName

The name of the requester.

  • If the value of type is ram-user, the value of this field is the name of the RAM user.

  • If the type field is set to assumed-role, the value of this field is in the RoleName:RoleSessionName format.

  • If the value of type is root-account, the value of this field is root.

  • If the value of type is cloudsso-user, the value of this field is the name of the CloudSSO user.

  • If the value of type is saml-user, the value of this field is the username of an enterprise-specific identity based on SAML.

  • If the value of type is alibaba-cloud-account or system, the userName field is not recorded.

  • If the value of type is oidc-user, the value of this field is the username of an enterprise-specific identity based on OpenID Connect (OIDC).

sessionContext

The session context that is recorded when the requester sends an API request by using an STS token or performs an operation in the Alibaba Cloud Management Console. The session context includes creationDate and mfaAuthenticated.

  • creationDate: the time when the STS token is created.

  • mfaAuthenticated: indicates whether multi-factor authentication (MFA) is enabled for logons to the Alibaba Cloud Management Console.

Example

{
  "eventId": "92b33345-0cef-47be-821f-fb9914d3****",
  "eventAttributes": {
    "SensitiveAction": "true"
  },
  "eventVersion": 1,
  "sourceIpAddress": "ecs.aliyuncs.com",
  "userAgent": "ecs.aliyuncs.com",
  "eventRW": "Write",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::ECS::Instance": [
      "i-8vb0smn1lf6g77md****"
    ],
    "ACS::ECS::Disk": [
      "d-8vbf8rpv2nn0l1zm****"
    ]
  },
  "userIdentity": {
    "type": "system",
    "userName": "ecs.aliyuncs.com"
  },
  "serviceName": "Ecs",
  "extend": "INSTANCE",
  "requestId": "32B7EB75-62EE-511E-9449-E19EBF67C2ED",
  "eventTime": "2022-10-22T21:52:00Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "DeleteDisk"
}
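For log review, the userIdentity rules and the eventRW, eventType and SensitiveAction fields above can be combined into a small triage step. The following is an added example, not part of the ActionTrail documentation: the flag names, the two constructed events and the assumption that mfaAuthenticated is recorded as "true" or "false" are illustrative.

```python
def as_bool(value):
    # SensitiveAction is the string "true" in the page's example; accept booleans too.
    return value is True or str(value).lower() == "true"


def actor(identity):
    """Stable actor key built from userIdentity.type and principalId."""
    kind, pid = identity.get("type", "unknown"), identity.get("principalId")
    name = identity.get("userName")
    if not pid:
        # saml-user, oidc-user and system record no principalId: key on userName.
        return {"type": kind, "id": None, "session": None, "name": name}
    ident, _, session = pid.partition(":")  # RoleID:RoleSessionName for assumed roles
    return {"type": kind, "id": ident, "session": session or None, "name": name}


def triage(event):
    """Return (actor, flags) for one management event."""
    identity = event.get("userIdentity", {})
    flags = []
    sensitive = event.get("eventAttributes", {}).get("SensitiveAction")
    if event.get("eventRW") == "Write" and as_bool(sensitive):
        flags.append("sensitive-write")
    if identity.get("type") == "root-account":
        flags.append("root-account")
    if event.get("eventType") == "ConsoleSignin":
        # Assumption: mfaAuthenticated is "true"/"false" (or a boolean).
        if not as_bool(identity.get("sessionContext", {}).get("mfaAuthenticated")):
            flags.append("signin-without-mfa")
    if identity.get("type") == "system" or event.get("eventType") == "AliyunServiceEvent":
        flags.append("service-initiated")
    if event.get("errorCode"):
        flags.append("request-error")
    return actor(identity), flags


# Trimmed copy of the example event on this page.
PAGE_EVENT = {"eventName": "DeleteDisk", "eventType": "ApiCall", "eventRW": "Write",
              "eventAttributes": {"SensitiveAction": "true"},
              "userIdentity": {"type": "system", "userName": "ecs.aliyuncs.com"}}
# Constructed events: every ID and name below is made up for illustration.
ROOT_SIGNIN = {"eventType": "ConsoleSignin",
               "userIdentity": {"type": "root-account", "principalId": "1000000000000001",
                                "userName": "root",
                                "sessionContext": {"mfaAuthenticated": "false"}}}
ROLE_CALL = {"eventType": "ApiCall", "eventRW": "Read",
             "userIdentity": {"type": "assumed-role",
                              "principalId": "3000000000000001:constructed-session",
                              "userName": "ConstructedRole:constructed-session"}}
```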