Management event structure - key fields and example - ActionTrail

Learn about the key fields in a management event and view an event example.

Key fields

Field	Description
acsRegion	The region ID where the event was generated.
additionalEventData	Additional information about the event.
apiVersion	If eventType is ApiCall, this field indicates the API version.
eventCategory	The event category. Valid value: Management.
eventId	The unique event ID.
eventName	The event name. If eventType is ApiCall, this field is the API operation name. If eventType is not ApiCall, this field indicates the recorded operation.
eventRW	The read/write type of the event. Valid values: Write: a write event. Read: a read event.
eventSource	The event source.
eventTime	The time when the event was generated (UTC).
eventType	The operation type. Valid values: ApiCall: an API operation is called. ConsoleOperation: a management operation is performed in the console or on the buy page of an Alibaba Cloud service. ConsoleSignin: a logon to the Alibaba Cloud Management Console. ConsoleSignout: a logoff from the Alibaba Cloud Management Console. AliyunServiceEvent: Alibaba Cloud performs a management operation on your resources. Note For MaxCompute resources, eventType also includes JobEvent, TunnelEvent, TableEvent, AdminEvent, ResourceEvent, FunctionEvent, PrivilegeEvent, RoleEvent, UserEvent, and SchemaEvent. Audit logging.
eventVersion	The event format version. Current version: 1.
errorCode	The error code returned if the API request failed.
errorMessage	The error message returned if the API request failed.
requestId	The request ID.
requestParameters	The parameters specified in the API request.
requestParameterJson	The API request parameters in JSON format. Equivalent to requestParameters.
resourceName	The name of the associated resource. This is the unique identifier of the resource. Note Same-type resource names are comma-separated (,). Different-type resource names are semicolon-separated (;).
resourceType	The associated resource type. Note Multiple types are semicolon-separated (;).
responseElements	The API response.
referencedResources	The resources involved in the event.
serviceName	The Alibaba Cloud service that generated the event.
sourceIpAddress	The source IP address. Valid values: The client IP address (IPv4 or IPv6). If an Alibaba Cloud service initiated the request, the service identifier is recorded. Example: ecs.aliyuncs.com. If the source IP belongs to VPC or internal Alibaba Cloud CIDR blocks and the origin cannot be distinguished, the value is Internal.
userAgent	The user agent of the API request.
isGlobal	Whether the event is global. Valid values: true false
eventAttributes	The event attributes. Fields included in eventAttributes.
userIdentity	The requester identity. Fields included in userIdentity.

Table 1. Fields included in eventAttributes

Field	Description
SensitiveAction	Whether the recorded operation is a sensitive operation. Valid value: true.

Table 2. Fields included in userIdentity

Field	Description
type	The identity type. Valid values: root-account: an Alibaba Cloud account. ram-user: a RAM user. assumed-role: a RAM role. system: an Alibaba Cloud service. cloudsso-user: a CloudSSO user. saml-user: a SAML-based enterprise identity. alibaba-cloud-account: an identity authorized for cross-account operations. oidc-user: an OIDC-based enterprise identity.
principalId	The requester ID. Use with the type field to identify the requester. If type is root-account, this field is the Alibaba Cloud account ID. If type is ram-user, this field is the RAM user ID. If type is assumed-role, this field is in the `RoleID:RoleSessionName` format. If type is cloudsso-user, this field is the CloudSSO user ID. If type is alibaba-cloud-account, this field is one of the following IDs: If the requester uses an Alibaba Cloud account to operate on resources in another account, this field is the requester's account ID. If the requester uses a RAM user to operate on resources in another account, this field is the RAM user ID. If the requester assumes a RAM role to operate on resources in another account, this field is in the `RoleID:RoleSessionName` format. If type is saml-user, oidc-user, or system, principalId is not recorded.
accountId	The Alibaba Cloud account ID of the requester.
accessKeyId	The AccessKey ID used by the requester. Recorded when the requester sends an API request using an SDK. Not recorded for console operations. For STS token requests, this field is the temporary AccessKey ID.
userName	The requester name. If type is ram-user, this field is the RAM user name. If type is assumed-role, this field is in the `RoleName:RoleSessionName` format. If type is root-account, this field is root. If type is cloudsso-user, this field is the CloudSSO user name. If type is saml-user, this field is the SAML-based enterprise username. If type is alibaba-cloud-account or system, userName is not recorded. If type is oidc-user, this field is the OIDC-based enterprise username.
sessionContext	The session context recorded for STS token requests or console operations. Includes creationDate and mfaAuthenticated. `creationDate: the time when the STS token was created.` `mfaAuthenticated: indicates whether multi-factor authentication (MFA) is enabled for logons to the Alibaba Cloud Management Console.`

Example

{
  "eventId": "92b33345-0cef-47be-821f-fb9914d3****",
  "eventAttributes": {
    "SensitiveAction": "true"
  },
  "eventVersion": 1,
  "sourceIpAddress": "ecs.aliyuncs.com",
  "userAgent": "ecs.aliyuncs.com",
  "eventRW": "Write",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::ECS::Instance": [
      "i-8vb0smn1lf6g77md****"
    ],
    "ACS::ECS::Disk": [
      "d-8vbf8rpv2nn0l1zm****"
    ]
  },
  "userIdentity": {
    "type": "system",
    "userName": "ecs.aliyuncs.com"
  },
  "serviceName": "Ecs",
  "requestId": "32B7EB75-62EE-511E-9449-E19EBF67C2ED",
  "eventTime": "2022-10-22T21:52:00Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "DeleteDisk"
}