This topic describes the types of ActionTrail events that can be published to EventBridge.

Background information

ActionTrail can be used as an event source for the following Alibaba Cloud services:

  • Apsara File Storage NAS
    Server Load Balancer (SLB)
    Alibaba Cloud CDN
    Elasticsearch
    DataV
    Cloud Enterprise Network
    ApsaraDB for HBase
    Key Management Service (KMS)
    ApsaraDB RDS
    Container Service for Kubernetes (ACK)
    Elastic Compute Service (ECS)
    PolarDB for MySQL
    Message Queue for Apache Kafka
    ActionTrail
    Resource Orchestration Service (ROS)
    Function Compute
    Smart Access Gateway
    Cloud Config
    ApsaraDB for Cassandra
    Virtual Private Cloud (VPC)
    Blockchain as a Service (BaaS)
    Object Storage Service (OSS)
    Resource Access Management (RAM)
    Tablestore
    CloudMonitor
    Batch Compute
    Dynamic Route for CDN (DCDN)
    Auto Scaling
    Elastic Container Instance (ECI)
    Container Registry
    Hologres
    ApsaraVideo for Media Processing
    AnalyticDB for MySQL
    Operation Orchestration Service (OOS)
    Security Center
    E-MapReduce
    Fraud Detection
    Domains
    Data Transmission Service (DTS)
    Quick BI
    ApsaraVideo VOD
    ApsaraVideo Live
    IoT Platform
    Elastic High Performance Computing (E-HPC)

Event types

The following table describes the types of ActionTrail events that can be published to EventBridge.

Event type Value of the type parameter
Operation performed by Alibaba Cloud on a resource actiontrail:ActionTrail:AliyunServiceEvent
API operation call actiontrail:ActionTrail:ApiCall
Operation performed in a console actiontrail:ActionTrail:ConsoleOperation

For more information about the parameters defined in the CloudEvents specification, see Overview.

Notice EventBridge supports only write events in ActionTrail.

API operation call

The following example shows the event that EventBridge receives when you call an API operation in OpenAPI Explorer:

{
    "acsRegion":"cn-hangzhou",
    "additionalEventData":{
        "Scheme":"http"
    },
    "apiVersion":"2014-05-26",
    "eventCategory":"Management",
    "eventId":"F7393A43-6A4A-4409-AEDD-8B1C47DE****",
    "eventName":"RunInstances",
    "eventRW":"Write",
    "eventSource":"ecs-cn-hangzhou-inner.aliyuncs.com",
    "eventTime":"2021-07-13T07:33:46Z",
    "eventType":"ApiCall",
    "eventVersion":"1",
    "referencedResources":{
        "ACS::ECS::Instance":[
            "i-0xiiz1v0vw4epqjc****"
        ],
        "ACS::ECS::SecurityGroup":[
            "sg-0xi2js0u6m03jbmv****"
        ],
        "ACS::ECS::Image":[
            "aliyun_2_1903_x64_20G_alibase_20200529.vhd"
        ],
        "ACS::ECS::KeyPair":[
            "sshkey-cn-hangzhou"
        ],
        "ACS::VPC::VSwitch":[
            "vsw-0xikxv8p1akh4ki43****"
        ]
    },
    "requestId":"F7393A43-6A4A-4409-AEDD-8B1C47DE45ED",
    "requestParameters":{
        "Amount":1,
        "VSwitchId":"vsw-0xikxv8p1akh4ki43****"
    },
    "resourceName":"i-0xiiz1v0vw4epqjc****;sg-0xi2js0u6m03jbmv****;aliyun_2_1903_x64_20G_alibase_20200529.vhd;sshkey-cn-hangzhou;vsw-0xikxv8p1akh4ki43****",
    "resourceType":"ACS::ECS::Instance;ACS::ECS::SecurityGroup;ACS::ECS::Image;ACS::ECS::KeyPair;ACS::VPC::VSwitch",
    "responseElements":{
        "RequestId":"F7393A43-6A4A-4409-AEDD-8B1C47DE45ED",
        "InstanceIdSets":{
            "InstanceIdSet":[
                "i-0xiiz1v0vw4epqjc****"
            ]
        }
    },
    "serviceName":"Ecs",
    "sourceIpAddress":"Internal",
    "userAgent":"AlibabaCloud (Linux; amd64) Java/1.8.0_102-b52 Core/4.5.3 HTTPClient/InternalHttpClient",
    "userIdentity":{
        "accessKeyId":"STS.NUQNP4PiGyckMsNiGELCs****",
        "accountId":"116214297662****",
        "principalId":"32886943330935****:ess-session-ecs_default",
        "sessionContext":{
            "attributes":{
                "mfaAuthenticated":"false",
                "creationDate":"2021-07-13T07:33:46Z"
            }
        },
        "type":"assumed-role",
        "userName":"aliyunserviceroleforautoscaling:ess-session-ecs_default"
    }
}

The following table describes the fields in the data parameter.

Note For more information about the newly added fields, see Announcement: ActionTrail will add new fields to event logs.
Field Type Required Example Description
acsRegion String Yes cn-hangzhou The ID of the region where the management event was generated.
additionalEventData JSON No Schema: "http" The additional information about the management event. The following content describes the settings that represent different meanings:
  • This field has no practical significance.
    additionalEventData: {
      Schema: "http"
    }
  • This field provides additional information about a logon event.
    {
        "additionalEventData":{
            "callbackUrl":"https://homenew.console.aliyun.com/",
            "mfaChecked":"true"
        }
    }
  • This field provides the additional information about a MaxCompute-related event.
    {
      "additionalEventData": {
        "TableName": "table_1",
        "Partition": "dt=20210708,hh=17,region=cn-shenzhen",
        "CurrentProject": "project_1",
        "ProjectName": "project_1",
        "SesssionId": "202107081800166d37d****"
      }
    }
apiVersion String No 2014-05-26 The version of the API operation that was called. If the eventType field is set to ApiCall, the management event log records an API operation call. In this case, this field indicates the version of the API operation.
eventCategory String Yes Management The type of the generated event. Valid values:
  • Management: indicates a management event.
  • Insight: indicates an insight event.
eventId String Yes F23A3DD5-7842-4EF9-9DA1-3776396A**** The ID of the management event. ActionTrail generates a globally unique identifier (GUID) for each management event.
eventName String Yes CreateNetworkInterface The name of the management event.
  • If the eventType field is set to ApiCall, this field is set to the name of the API operation that was called.
  • If the eventType field is not set to ApiCall, this field is set to a string that indicates the action recorded in the management event log.
eventRW String Yes Write The read/write type of the management event. Valid values:
  • Write: indicates a write event.
  • Read: indicates a read event.
eventSource String Yes ecs.aliyuncs.com The source of the management event.
eventTime String Yes 2020-01-09T12:12:14Z The time when the management event was generated, in UTC.
eventType String Yes ApiCall The type of the action that was recorded in the management event log. Valid values:
  • ApiCall: indicates that an API operation was called. The consoles of most Alibaba Cloud services are developed based on APIs. If an action was performed in one of these consoles, ActionTrail records the action as ApiCall.
  • ConsoleOperation (ConsoleCall): indicates that a management action was performed in the console or on the buy page of a specific Alibaba Cloud service. The consoles or buy pages of specific Alibaba Cloud services are not developed based on APIs. If an action was performed in one of these consoles or on one of these buy pages, ActionTrail records this action as ConsoleOperation or ConsoleCall. For an action of this type, the value of the eventName field is a string that indicates the action.
  • AliyunServiceEvent: indicates that Alibaba Cloud performed a management action on the resources that you own, such as releasing a subscription instance upon expiration.
  • PasswordReset: indicates that your password was reset.
  • ConsoleSignin: indicates a logon to the Alibaba Cloud Management Console.
  • ConsoleSignout: indicates a logoff from the Alibaba Cloud Management Console.
eventVersion String Yes 1 The version of the event log format. The current version is 1.
errorCode String No NoPermission The error code returned if an error occurred during the processing of the API request.
errorMessage String No You are not authorized. The error message returned if an error occurred during the processing of the API request.
requestId String Yes F23A3DD5-7842-4EF9-9DA1-3776396AD58D The ID of the API request.
requestParameters Dictionary No N/A The parameters specified in the API request.
requestParameterJson String No "{"AcsHost":"actiontrail.cn-hangzhou.aliyuncs.com","AcsProduct":"Actiontrail","RequestId":"32B8BA8F-3738-46D3-BCCA-1B2257AEF9BB","AcceptLanguage":"zh-CN","Region":"cn-hangzhou","HostId":"actiontrail.cn-hangzhou.aliyuncs.com","Name":"create-service-tmp"}" The parameters specified in the API request. This field is in the JSON format and serves the same purpose as the requestParameters field.
Note This field applies only to the management events that are delivered to Log Service.
resourceName String No "i-0xiiz1v0vw4epqjc****;sg-0xi2js0u6m03jbmv****;aliyun_2_1903_x64_20G_alibase_20200529.vhd;sshkey-cn-hangzhou;vsw-0xikxv8p1akh4ki43****" The name of the event-associated resource. The name is the unique identifier of the resource.

You can use this field as an index in Log Service to query the event.

The format of the value varies based on the number and types of event-associated resources. The following examples show the possible formats:

  • A single event-associated resource of a specific type: i-bp1example1.
  • Multiple event-associated resources of a specific type: i-bp1example1,i-bp1example2.
  • Multiple event-associated resources of different types: i-bp1example1,i-bp1example2;v-bp1example1.
Note The names of the resources of the same type are separated with commas (,). The names of the resources of different types are separated with semicolons (;).
resourceType List No "ACS::ECS::Instance;ACS::ECS::SecurityGroup;ACS::ECS::Image;ACS::ECS::KeyPair;ACS::VPC::VSwitch" The type of the event-associated resource.

You can use this field as an index in Log Service to query the event.

The format of the value varies based on the number and types of event-associated resources. The following examples show the possible formats:

  • A single event-associated resource of a specific type: ACS::ECS::Instance.
  • Multiple event-associated resources of a specific type: ACS::ECS::Instance.
  • Multiple event-associated resources of different types: ACS::ECS::Instance;ACS::VPC::VPC.
Note Multiple resource types are separated with semicolons (;).
responseElements Dictionary No N/A The response returned for the API request.
referencedResources Dictionary No N/A The resources that the action recorded in the management event log involves.
serviceName String Yes Ecs The name of the Alibaba Cloud service to which the management event log belongs.
sourceIpAddress String Yes 11.168.XX.XX The IP address from which the management event was generated.
userAgent String No Apache-HttpClient/4.5.7 (Java/1.8.0_152) The user agent that sent the API request. Examples:
  • AlibabaCloud (Linux 3.10.0-693.2.2.el7.x86_64;x86_64) Python/2.7.5 Core/2.13.16 python-requests/2.18.3
  • Apache-HttpClient/4.5.7 (Java/1.8.0_152)
userIdentity Dictionary Yes N/A The identity information about the requester.

For more information, see the "Fields contained in userIdentity" section in this topic.

The following table describes the fields that userIdentity contains.

Table 1. Fields contained in userIdentity
Field Type Required Example Description
type String Yes ram-user The identity type of the requester. Valid values:
  • root-account: indicates an Alibaba Cloud account.
  • ram-user: indicates a RAM user.
  • assumed-role: indicates a RAM role.
  • system: indicates an Alibaba Cloud service.
  • cloudsso-user: indicates a CloudSSO user.
  • saml-user: indicates an enterprise-specific identity.
  • alibaba-cloud-account: indicates the identity that is authorized to perform a cross-account action.
principalId String No 28815334868278**** The ID of the requester. You can check the type field and this field to confirm the identity of the requester.
  • If the type field is set to root-account, this field is set to the ID of the Alibaba Cloud account.
  • If the type field is set to ram-user, this field is set to the ID of the RAM user.
  • If the type field is set to assumed-role, this field is set to a string in the RoleID:RoleSessionName format.
  • If the type field is set to cloudsso-user, this field is set to the ID of the CloudSSO user.
  • Possible value formats if the type field is set to alibaba-cloud-account:
    • The ID of the authorized Alibaba Cloud account. This format applies if the requester used the Alibaba Cloud account to perform an action on a resource within another Alibaba Cloud account.
    • The ID of the authorized RAM user. This format applies if the requester performed an action as the RAM user on a resource within another Alibaba Cloud account.
    • RoleID:RoleSessionName. This format applies if the requester assumed the authorized RAM role to perform an action on a resource within another Alibaba Cloud account.
  • If the type field is set to saml-user or system, this field is not recorded.
accountId String Yes 112233445566**** The ID of the Alibaba Cloud account of the requester.
accessKeyId String No 55nCtAwmPLkk****
  • The AccessKey ID that is used by the requester. If the requester sent an API request by using an SDK, this field is recorded.
  • If the requester performed an action in the Alibaba Cloud Management Console, this field is not recorded.
  • If the requester sent an API request by using a Security Token Service (STS) token, this field is set to the temporary AccessKey ID.
userName String No Alice The name of the requester.
  • If the type field is set to ram-user, this field is set to the name of the RAM user.
  • If the type field is set to assumed-role, this field is set to a string in the RoleName:RoleSessionName format.
  • If the type field is set to root-account, this field is set to root.
  • If the type field is set to cloudsso-user, this field is set to the name of the CloudSSO user.
  • If the type field is set to saml-user, this field is set to the name of the enterprise-specific identity.
  • If the type field is set to alibaba-cloud-account, this field is not recorded.
sessionContext String No {"attributes": {"mfaAuthenticated": "true", "creationDate": "2020-01-09T12:12:14Z" } The session context recorded when the requester called an API operation by using an STS token or performed an action in the Alibaba Cloud Management Console. The session context contains the following attributes:
  • creationDate: the time when the STS token was created.
  • mfaAuthenticated: indicates whether multi-factor authentication (MFA) was enabled for logging on to the Alibaba Cloud Management Console.