All Products
Search

This Product

    ActionTrail:Logon events within an Alibaba Cloud account

    Document Center

    ActionTrail:Logon events within an Alibaba Cloud account

    Last Updated:Nov 28, 2025

    If you log on to the Alibaba Cloud Management Console by using an Alibaba Cloud account, a logon event (ConsoleSignin) is generated. This topic describes sample logon events and the fields in the sample logon events.

    Filter for logon events

    To query Alibaba Cloud account logon events, filter by the event type ConsoleSignin. For more information, see Query events in the ActionTrail console.

    Example 1: Logon event in which MFA is disabled

    In the following sample event, the Alibaba Cloud account 151266687691**** is used to log on to the Alibaba Cloud Management Console at 08:00:00 (UTC+8) on January 1, 2021, and multi-factor authentication (MFA) is disabled. 

    {
  "eventId": "2546c4b7-6b56-403e-97d3-500d8d29****",
  "eventVersion": 1,
  "eventSource": "http://account.aliyun.com/login/login_aliyun.htm",
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/19A5307g Ariver/1.1.0 AliApp(AP/10.2.28.6000) Nebula WK RVKType(1) AlipayDefined(nt:WIFI,ws:390|780|3.0) AlipayClient/10.2.28.6000 Language/zh-Hans Region/CN NebulaX/1.0.0",
  "eventType": "ConsoleSignin",
  "userIdentity": {
    "accountId": "151266687691****",
    "principalId": "151266687691****",
    "type": "root-account",
    "userName": "root"
  },
  "serviceName": "AasCustomer",
  "additionalEventData": {
    "loginAccount": "Alice",
    "isMFAChecked": "false"
  },
  "requestId": "2546c4b7-6b56-403e-97d3-500d8d2****",
  "eventTime": "2021-01-01T00:00:00Z",
  "isGlobal": true,
  "acsRegion": "cn-hangzhou",
  "eventName": "ConsoleSignin"
}

    The sample event contains the following key fields:

    • eventName: the name of the event. The value in the sample event is ConsoleSignin, which indicates a console logon event.

    • userIdentity.accountId: the ID of the Alibaba Cloud account that is used by the requester.

    • userIdentity.type: the identity type of the requester. The value in the sample event is root-account, which indicates an Alibaba Cloud account.

    • eventTime: the time when the event is generated. The time is in UTC. The value in the sample event is 2021-01-01T00:00:00Z, which indicates that the event is generated at 08:00:00 (UTC+8) on January 1, 2021.

    • additionalEventData.isMFAChecked: indicates whether MFA is enabled. The value in the sample event is false, which indicates that MFA is disabled.

    Example 2: Logon event in which MFA is enabled

    In the following sample event, the Alibaba Cloud account 151266687691**** is used to log on to the Alibaba Cloud Management Console at 08:00:00 (UTC+8) on January 1, 2021, and MFA is enabled. 

    {
  "eventId": "2546c4b7-6b56-403e-97d3-500d8d29****",
  "eventVersion": 1,
  "eventSource": "http://account.aliyun.com/account_init/skip2Login.htm",
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",
  "eventType": "ConsoleSignin",
  "userIdentity": {
    "accountId": "151266687691****",
    "principalId": "151266687691****",
    "type": "root-account",
    "userName": "root"
  },
  "serviceName": "AasCustomer",
  "additionalEventData": {
    "loginAccount": "Alice",
    "isMFAChecked": "true"
  },
  "requestId": "2546c4b7-6b56-403e-97d3-500d8d29****",
  "eventTime": "2021-01-01T00:00:00Z",
  "isGlobal": true,
  "acsRegion": "cn-hangzhou",
  "eventName": "ConsoleSignin"
}

    The sample event contains the following key fields:

    • eventName: the name of the event. The value in the sample event is ConsoleSignin, which indicates a console logon event.

    • userIdentity.accountId: the ID of the Alibaba Cloud account that is used by the requester.

    • userIdentity.type: the identity type of the requester. The value in the sample event is root-account, which indicates an Alibaba Cloud account.

    • additionalEventData.isMFAChecked: indicates whether MFA is enabled. The value in the sample event is true, which indicates that MFA is enabled.

    • eventTime: the time when the event is generated. The time is in UTC. The value in the sample event is 2021-01-01T00:00:00Z, which indicates that the event is generated at 08:00:00 (UTC+8) on January 1, 2021.

    Example 3: Failed logon event

    In the following sample event, the Alibaba Cloud account 151266687691**** is used to log on to the Alibaba Cloud Management Console at 08:00:00 (UTC+8) on January 1, 2021, and the logon fails. 

    {
  "eventId": "6da1622f55a9c5d7a0c4f462fd81****",
  "eventVersion": 1,
  "errorMessage": "Invalid password",
  "eventSource": "https://passport.aliyun.com/mini_login.htm?lang=zh_CN&appName=aliyun&appEntrance=new_aliyun_v2&styleType=vertical&bizParams=&notLoadSsoView=true&notKeepLogin=true&isMobile=false&regUrl=https%3A%2F%2Faccount.aliyun.com%2Fregister%2Fqr_register.htm%3Foauth_callback%3Dhttps%253A%252F%252Factiontrail.console.alibabacloud.com%252Fcn-hangzhou%252Fevent-list&returnUrl=https%3A%2F%2Faccount.aliyun.com%2Flogin%2Flogin_aliyun.htm%3Foauth_callback%3Dhttps%253A%252F%252Factiontrail.console.alibabacloud.com%252Fcn-hangzhou%252Fevent-list&cssUrl=https%3A%2F%2Fg.alicdn.com%2Fdawn%2Faliyun-account-styles%2F0.0.1%2Flogin-embedder.css&pageversion=v1&rnd=0.16498232922940215",
  "errorCode": "login_illegal_password",
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36",
  "eventRW": "Write",
  "eventType": "ApiCall",
  "userIdentity": {
    "accountId": "151266687691****",
    "principalId": "151266687691****",
    "type": "root-account",
    "userName": "root"
  },
  "serviceName": "AasCustomer",
  "requestId": "6da1622f55a9c5d7a0c4f462fd81****",
  "eventTime": "2021-01-01T00:00:00Z",
  "isGlobal": true,
  "acsRegion": "cn-hangzhou",
  "eventName": "ConsoleSignin"
}

    The sample event contains the following key fields:

    • eventName: the name of the event. The value in the sample event is ConsoleSignin, which indicates a console logon event.

    • userIdentity.accountId: the ID of the Alibaba Cloud account that is used by the requester.

    • userIdentity.type: the identity type of the requester. The value in the sample event is root-account, which indicates an Alibaba Cloud account.

    • eventTime: the time when the event is generated. The time is in UTC. The value in the sample event is 2021-01-01T00:00:00Z, which indicates that the event is generated at 08:00:00 (UTC+8) on January 1, 2021.

    • errorCode: the error code. The value in the sample event is login_illegal_password, which indicates that the password is invalid.

    • errorMessage: the error message. The value in the sample event is Invalid password, which indicates that the logon failure is caused by an invalid password.