Security Center's log analysis feature centralizes storage, querying, and analysis of host activity and security events, supporting security audits, incident tracing, and threat detection. This topic describes the log types Security Center supports, edition availability, log fields, and the `__topic__` values needed to query each log type in Simple Log Service (SLS).
The log samples and field descriptions below are for reference only. Fields may change with product updates. For the most current field list, refer to the data collected in Simple Log Service.
Version support
The log types available depend on your edition or protection level.
Subscription editions
Host logs
| Log type | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
|---|---|---|---|---|---|
| Logon logs | Not supported | Supported | Supported | Supported | Supported |
| Network connection logs | Not supported | Supported | Supported | Supported | Supported |
| Process startup logs | Not supported | Supported | Supported | Supported | Supported |
| Brute-force attack logs | Not supported | Supported | Supported | Supported | Supported |
| DNS query logs | Not supported | Supported | Supported | Supported | Supported |
| Client event logs | Supported | Supported | Supported | Supported | Supported |
| Account snapshot logs | Not supported | Not supported | Not supported | Supported | Supported |
| Network snapshot logs | Not supported | Not supported | Not supported | Supported | Supported |
| Process snapshot logs | Not supported | Not supported | Not supported | Supported | Supported |
Security logs
| Log type | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
|---|---|---|---|---|---|
| Security alert logs | Supported — only alerts available in the Basic edition | Supported | Supported | Supported | Supported |
| Vulnerability logs | Supported — only vulnerabilities detected in the Basic edition | Supported | Supported | Supported | Supported |
| Network defense logs | Not supported | Supported | Supported | Supported | Supported |
| Core file monitoring event logs | Not supported | Not supported | Not supported | Supported | Supported |
| CSPM - Baseline check logs | Not supported | Not supported | Supported | Supported | Supported |
Value-added service logs
If you enable the following value-added services, Security Center analyzes the logs they generate:
Malicious File Detection
Agentless Detection
Application Protection
CSPM (Baseline Check logs and CSPM logs)
Pay-as-you-go: Host and Container Security
If you purchase the Host and Container Security pay-as-you-go service, available log types vary by the protection level bound to the server.
Host logs
| Log type | Unprotected | Antivirus | Host Protection | Hosts and Container Protection |
|---|---|---|---|---|
| Logon logs | Not supported | Supported | Supported | Supported |
| Network connection logs | Not supported | Supported | Supported | Supported |
| Process startup logs | Not supported | Supported | Supported | Supported |
| Brute-force attack logs | Not supported | Supported | Supported | Supported |
| DNS query logs | Not supported | Supported | Supported | Supported |
| Client event logs | Supported | Supported | Supported | Supported |
| Account snapshot logs | Not supported | Not supported | Supported | Supported |
| Network snapshot logs | Not supported | Not supported | Supported | Supported |
| Process snapshot logs | Not supported | Not supported | Supported | Supported |
Security logs
| Log type | Unprotected | Antivirus | Host Protection | Hosts and Container Protection |
|---|---|---|---|---|
| Security alert logs | Supported — only alerts for the Unprotected level | Supported | Supported | Supported |
| Vulnerability logs | Supported — only vulnerabilities not covered by a protection level | Supported | Supported | Supported |
| Network defense logs | Not supported | Supported | Supported | Supported |
| Core file monitoring event logs | Not supported | Not supported | Supported | Supported |
Pay-as-you-go service logs
If you enable the following pay-as-you-go services, Security Center analyzes the logs they generate:
Malicious File Detection
Agentless Detection
Application Protection
CSPM (Baseline Check logs and CSPM logs)
Log type overview
Each log type has a `__topic__` value that identifies it in SLS. Use this value in your SLS queries to filter for a specific log type.
| Log type | `__topic__` value | Collection |
|---|---|---|
| Logon logs | aegis-log-login | Real-time |
| Network connection logs | aegis-log-network | Real-time |
| Process startup logs | aegis-log-process | Real-time |
| Brute-force attack logs | aegis-log-crack | Real-time |
| DNS query logs | aegis-log-dns-query | Real-time |
| Client event logs | aegis-log-client | Real-time |
| Account snapshot logs | aegis-snapshot-host | Asset Fingerprints interval (default: once a day) |
| Network snapshot logs | aegis-snapshot-port | Asset Fingerprints interval (default: once a day) |
| Process snapshot logs | aegis-snapshot-process | Asset Fingerprints interval (default: once a day) |
| Vulnerability logs | sas-vul-log | Real-time |
| CSPM - Baseline check logs | sas-hc-log | Real-time |
| Security alert logs | sas-security-log | Real-time |
| CSPM - Cloud platform configuration check logs | sas-cspm-log | Real-time |
| Network defense logs | sas-net-block | Real-time |
| Application protection logs | sas-rasp-log | Real-time |
| Malware detection logs | sas-filedetect-log | Real-time |
| Core file monitoring event logs | aegis-file-protect-log | Real-time |
| Agentless detection logs | sas-agentless-log | Real-time |
Snapshot log collection: Snapshot logs (account, network, process) are collected automatically at the interval configured in Asset Fingerprints. If no interval is set, data is collected once a day. You can also trigger a manual collection.
Host log descriptions
Logon logs
`__topic__`: aegis-log-login
Records user logon events on servers, including source IP address, username, and logon result. Use these logs to monitor user activity and detect abnormal logon patterns.
Security Center does not collect logon logs for Windows Server 2008.
Repeated logons within one minute are merged into a single log entry. A `login_count` of 3 means three logons occurred within the last minute.
Network connection logs
`__topic__`: aegis-log-network
Records network connection activity on the server in real time, including the connection 5-tuple and associated processes. Use these logs to detect abnormal connections and potential network attacks.
The agent collects only a subset of connection states between establishment and termination.
Inbound traffic is not recorded.
Process startup logs
`__topic__`: aegis-log-process
Records startup events for all new processes, including process name, command-line parameters, and parent process. Use these logs to detect abnormal process activity, malware intrusions, and security threats. Logs are reported immediately after a process starts.
Brute-force attack logs
`__topic__`: aegis-log-crack
Records brute-force attack attempts, including logon and credential cracking attempts against systems, applications, or accounts. Use these logs to detect abnormal logons, weak passwords, and credential exposure.
Repeated logon attempts within one minute are merged into a single log entry. A `login_count` of 3 means three attempts occurred within the last minute.
Account snapshot logs
`__topic__`: aegis-snapshot-host
Records detailed user account information, including username, password policy, and logon history. Compare snapshots across time to detect unauthorized access and abnormal account status changes.
Network snapshot logs
`__topic__`: aegis-snapshot-port
Records network connection information, including the connection 5-tuple, connection status, and associated processes. Use these logs to identify active connections and detect abnormal behavior.
Process snapshot logs
`__topic__`: aegis-snapshot-process
Records process activity, including process ID, name, and startup time. Use these logs to detect abnormal processes, high CPU usage, and memory leaks.
DNS query logs
`__topic__`: aegis-log-dns-query
Records DNS query requests initiated by the server, including queried domain name, query type, and source process. Use these logs to detect abnormal queries, domain hijacking, and DNS poisoning.
Log collection is not supported for Linux servers with a kernel version earlier than 4.x.x.
Client event logs
`__topic__`: aegis-log-client
Records online and offline events of the Security Center agent, letting you monitor the agent's running status.
Security log descriptions
All security logs are collected in real time.
Vulnerability logs
`__topic__`: sas-vul-log
Records vulnerabilities found in your systems or applications, including vulnerability name, status, and handling action. Use these logs to track vulnerabilities, assess risk, and monitor remediation.
CSPM - Baseline check logs
`__topic__`: sas-hc-log
Records baseline risk check results, including baseline level, category, and risk level. Use these logs to understand baseline security status and identify configuration risks.
Only check items that fail for the first time are recorded. Items that previously passed but now fail a new check are also recorded.
Security alert logs
`__topic__`: sas-security-log
Records security events and alerts, including alert data source, details, and alert level. Use these logs to track security events and coordinate response actions.
CSPM - Cloud platform configuration check logs
`__topic__`: sas-cspm-log
Records cloud platform configuration check results and whitelisting operations. Use these logs to detect configuration issues and potential security risks in your cloud environment.
Network defense logs
`__topic__`: sas-net-block
Records network attack events, including attack type and source and destination IP addresses. Use these logs to understand network threats and coordinate defense actions.
Application protection logs
`__topic__`: sas-rasp-log
Records attack alerts from Runtime Application Self-Protection (RASP), including attack type, behavioral data, and attacker IP address. Use these logs to detect and respond to application-layer attacks.
Malware detection logs
`__topic__`: sas-filedetect-log
Records detection results from the Malicious File Detection SDK, including file information, detection scenario, and results. Use these logs to identify and respond to malicious programs in offline files or cloud storage.
Core file monitoring event logs
`__topic__`: aegis-file-protect-log
Records alert events from the Core File Monitoring feature, including file path, operation type, and alert level. Use these logs to detect unauthorized access or tampering with critical files.
Agentless detection logs
`__topic__`: sas-agentless-log
Records security risks detected in cloud servers, disk snapshots, and images — including vulnerabilities, baseline failures, malicious samples, and sensitive files. Use these logs to track asset risk status over time and detect potential threats.
Common fields
The following fields appear in most log types. They are listed here once to avoid repetition in each field table.
| Field | Description | Example |
|---|---|---|
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
sas_group_name | The asset group of the server in Security Center. | default |
start_time | The event timestamp, in seconds. | 1719472214 |
Host log fields
Logon logs
| Field | Description | Example |
|---|---|---|
src_ip | The source IP address of the logon. | 221.11.XX.XX |
dst_port | The logon port. | 22 |
login_type | The logon type. Values: SSHLOGIN, SSH (SSH logon); RDPLOGIN (Remote Desktop logon); IPCLOGIN (IPC connection logon). | SSH |
username | The logon username. | admin |
login_count | The number of logons. Repeated logons within one minute are merged into a single entry. | 3 |
Network connection logs
| Field | Description | Example |
|---|---|---|
cmd_chain | The process chain. | [ { "9883":"bash -c kill -0 -- -'6274'" } ......] |
cmd_chain_index | The index of the process chain. Use this index to look up the process chain. | B184 |
container_hostname | The hostname in the container. | nginx-ingress-controller-765f67fd4d-**** |
container_id | The container ID. | 4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d**** |
container_image_id | The container image ID. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0**** |
container_image_name | The container image name. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-**** |
container_name | The container name. | nginx-ingress-**** |
container_pid | The process ID in the container. | 0 |
net_connect_dir | The direction of the network connection. Values: in (inbound); out (outbound). | in |
dst_ip | The IP address of the connection receiver. If net_connect_dir is out, this is the peer host. If in, this is the local host. | 192.168.XX.XX |
dst_port | The port of the connection receiver. | 443 |
parent_proc_name | The filename of the parent process. | /usr/bin/bash |
pid | The process ID. | 14275 |
ppid | The parent process ID. | 14268 |
proc_name | The process name. | nginx |
proc_path | The process path. | /usr/local/nginx/sbin/nginx |
proc_start_time | The process startup time. | N/A |
connection_type | The protocol. Values: tcp; raw (raw socket). | tcp |
src_ip | The source IP address. | 100.127.XX.XX |
src_port | The source port. | 41897 |
srv_comm | The command name associated with the grandparent process. | containerd-shim |
status | The network connection status. Values: 1 (Closed); 2 (Listening); 3 (SYN sent); 4 (SYN received); 5 (Established); 6 (Close wait); 7 (Closing); 8 (FIN wait 1); 9 (FIN wait 2); 10 (Time wait); 11 (TCB deleted). | 5 |
type | The type of real-time network connection. Values: connect (active TCP connection initiated); accept (TCP connection received); listen (port is listening). | listen |
uid | The ID of the process user. | 101 |
username | The username of the process. | root |
Process startup logs
| Field | Description | Example |
|---|---|---|
cmd_chain | The process chain. | [ { "9883":"bash -c kill -0 -- -'6274'" } ......] |
cmd_chain_index | The index of the process chain. | B184 |
cmd_index | The index of each parameter in the command line. Each pair of indexes marks the start and end of a parameter. | 0,3,5,8 |
cmdline | The full command line used to start the process. | ipset list KUBE-6-CLUSTER-IP |
comm | The command name associated with the process. | N/A |
container_hostname | The hostname in the container. | nginx-ingress-controller-765f67fd4d-**** |
container_id | The container ID. | 4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d**** |
container_image_id | The container image ID. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0**** |
container_image_name | The container image name. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-**** |
container_name | The container name. | nginx-ingress-**** |
container_pid | The process ID in the container. | 0 |
cwd | The working directory of the process. | N/A |
proc_name | The process filename. | ipset |
proc_path | The full path of the process file. | /usr/sbin/ipset |
gid | The process group ID. | 0 |
groupname | The user group name. | group1 |
parent_cmd_line | The command line of the parent process. | /usr/local/bin/kube-proxy --config=/var/lib/kube-proxy/config.conf --hostname-override=cn-beijing.192.168.XX.XX |
parent_proc_name | The parent process filename. | kube-proxy |
parent_proc_path | The full path of the parent process file. | /usr/local/bin/kube-proxy |
pid | The process ID. | 14275 |
ppid | The parent process ID. | 14268 |
proc_start_time | The process startup time. | 2024-08-01 16:45:40 |
parent_proc_start_time | The startup time of the parent process. | 2024-07-12 19:45:19 |
srv_cmd | The command line of the grandparent process. | /usr/bin/containerd |
tty | The logon terminal. N/A means the account has never logged on to a terminal. | N/A |
uid | The user ID. | 123 |
username | The username of the process. | root |
Brute-force attack logs
| Field | Description | Example |
|---|---|---|
login_count | The number of failed logon attempts. Repeated attempts within one minute are merged into a single entry. | 3 |
src_ip | The source IP address of the logon attempt. | 47.92.XX.XX |
dst_port | The logon port. | 22 |
login_type | The logon type. Values: SSHLOGIN, SSH (SSH logon); RDPLOGIN (Remote Desktop logon); IPCLOGIN (IPC connection logon); SQLSERVER (SQL Server logon failed). | SSH |
username | The logon username. | user |
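The brute-force and logon logs above share the fields needed to spot a successful logon from a source IP that was recently hammering the same host. The following Python is an added example, not code from the Security Center documentation; it runs on constructed sample rows shaped like the field tables on this page and sums `login_count` rather than counting rows, because each brute-force entry already merges one minute of attempts. The `or` join in the `SLS_QUERY` string is an assumption about SLS filter syntax.

```python
"""Correlate brute-force attack logs (aegis-log-crack) with logon logs
(aegis-log-login): flag a logon whose src_ip produced many failed attempts
against the same host shortly before.

Added example, not from the Security Center documentation. Sample rows are
constructed to match this page's field tables (src_ip, dst_port, login_type,
username, login_count, plus the common fields uuid and start_time in
seconds). SLS delivers field values as strings, so they are parsed here.
"""
from collections import defaultdict

# Query to pull both topics from SLS for offline processing. The `__topic__`
# filter is documented on this page; the `or` join is an assumption.
SLS_QUERY = "__topic__: aegis-log-crack or __topic__: aegis-log-login"

# Constructed sample rows (not real data).
SAMPLE_LOGS = [
    {"__topic__": "aegis-log-crack", "uuid": "host-a", "src_ip": "203.0.113.7",
     "dst_port": "22", "login_type": "SSH", "username": "root",
     "login_count": "25", "start_time": "1719472100"},
    {"__topic__": "aegis-log-crack", "uuid": "host-a", "src_ip": "203.0.113.7",
     "dst_port": "22", "login_type": "SSH", "username": "admin",
     "login_count": "30", "start_time": "1719472160"},
    # Successful logon from the same IP a minute later: this is the hit.
    {"__topic__": "aegis-log-login", "uuid": "host-a", "src_ip": "203.0.113.7",
     "dst_port": "22", "login_type": "SSH", "username": "admin",
     "login_count": "1", "start_time": "1719472214"},
    # Benign: logons from an IP with no brute-force history.
    {"__topic__": "aegis-log-login", "uuid": "host-a", "src_ip": "192.168.1.20",
     "dst_port": "22", "login_type": "SSH", "username": "admin",
     "login_count": "3", "start_time": "1719472300"},
    # Stale: RDP brute force on host-b about 20 hours before the logon.
    {"__topic__": "aegis-log-crack", "uuid": "host-b", "src_ip": "198.51.100.9",
     "dst_port": "3389", "login_type": "RDPLOGIN", "username": "Administrator",
     "login_count": "12", "start_time": "1719400000"},
    {"__topic__": "aegis-log-login", "uuid": "host-b", "src_ip": "198.51.100.9",
     "dst_port": "3389", "login_type": "RDPLOGIN", "username": "Administrator",
     "login_count": "1", "start_time": "1719472400"},
]


def _crack_index(records):
    """Map (uuid, src_ip) -> [(start_time, login_count, username)] for
    every brute-force entry, so logons can be matched per host and source."""
    index = defaultdict(list)
    for r in records:
        if r.get("__topic__") != "aegis-log-crack":
            continue
        index[(r["uuid"], r["src_ip"])].append(
            (int(r["start_time"]), int(r["login_count"]), r["username"]))
    return index


def correlate(records, window_s=3600, min_attempts=10):
    """Return one alert per logon (aegis-log-login) whose src_ip accumulated
    at least min_attempts failed attempts against the same host within the
    window_s seconds before the logon. Attempts are summed from login_count:
    each aegis-log-crack row already merges one minute of attempts, so
    counting rows would undercount."""
    index = _crack_index(records)
    alerts = []
    for r in records:
        if r.get("__topic__") != "aegis-log-login":
            continue
        logon_t = int(r["start_time"])
        attempts = 0
        targeted = set()
        for crack_t, count, user in index.get((r["uuid"], r["src_ip"]), []):
            if logon_t - window_s <= crack_t <= logon_t:
                attempts += count
                targeted.add(user)
        if attempts >= min_attempts:
            alerts.append({
                "uuid": r["uuid"],
                "src_ip": r["src_ip"],
                "username": r["username"],
                "login_type": r["login_type"],
                "dst_port": r["dst_port"],
                "logon_time": logon_t,
                "failed_attempts": attempts,
                "accounts_targeted": sorted(targeted),
                # True when the account that finally logged on was among
                # those being guessed: the strongest signal of success.
                "same_account_hit": r["username"] in targeted,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Widening `window_s` also surfaces the stale host-b case, which is why the window should be tuned to the Asset Fingerprints and retention settings in use.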
Account snapshot logs
| Field | Description | Example |
|---|---|---|
account_expire | The account expiration date. never means the account never expires. | never |
domain | The domain or directory service the account belongs to. N/A means no domain. | N/A |
groups | The group the account belongs to. N/A means no group. | ["nscd"] |
home_dir | The home directory. | /Users/abc |
last_chg | The date the password was last changed. | 2022-11-29 |
last_logon | The date and time of the last logon. N/A means the account has never been used. | 2023-08-18 09:21:21 |
login_ip | The remote IP address of the last logon. N/A means the account has never logged on. | 192.168.XX.XX |
passwd_expire | The password expiration date. never means the password never expires. | 2024-08-24 |
perm | Whether the account has root permissions. Values: 0 (no root permissions); 1 (has root permissions). | 0 |
shell | The Linux shell. | /sbin/nologin |
status | The account status. Values: 0 (logon prohibited); 1 (logon permitted). | 0 |
tty | The logon terminal. N/A means the account has never logged on to a terminal. | N/A |
username | The username. | nscd |
warn_time | The password expiration reminder date. never means no reminder is set. | 2024-08-20 |
Network snapshot logs
| Field | Description | Example |
|---|---|---|
net_connect_dir | The direction of the network connection. in means inbound. | in |
dst_ip | The peer IP address. Generally empty. | |
dst_port | The port of the connection receiver. | 443 |
pid | The process ID. | 682 |
proc_name | The process name. | sshd |
connection_type | The protocol. Values: tcp4 (TCP over IPv4); tcp6 (TCP over IPv6). | tcp4 |
src_ip | The local IP address. | 100.127.XX.XX |
src_port | The listening port. | 41897 |
status | The connection status. A value of 2 means the port is in a listening state; src_ip and src_port represent the listening address. | 5 |
Process snapshot logs
| Field | Description | Example |
|---|---|---|
cmdline | The full command line used to start the process. | /usr/local/share/assist-daemon/assist_daemon |
md5 | The MD5 hash of the binary file. Not calculated for files larger than 1 MB. | 1086e731640751c9802c19a7f53a64f5 |
proc_name | The process filename. | assist_daemon |
proc_path | The full path of the process file. | /usr/local/share/assist-daemon/assist_daemon |
pid | The process ID. | 1692 |
pname | The parent process filename. | systemd |
proc_start_time | The process startup time. | 2023-08-18 20:00:12 |
uid | The process user ID. | 101 |
username | The username of the process. | root |
DNS query logs
| Field | Description | Example |
|---|---|---|
domain | The queried domain name. | example.aliyundoc.com |
pid | The ID of the process that initiated the query. | 3544 |
ppid | The ID of the parent process that initiated the query. | 3408 |
cmd_chain | The process chain that initiated the query. | "3544":"\"C:\\\Program Files (x86)\\\Alibaba\\\Aegis\\\AliDetect\\\AliDetect.exe\"" |
cmdline | The command line that initiated the query. | C:\Program Files (x86)\Alibaba\Aegis\AliDetect\AliDetect.exe |
proc_path | The path of the process that initiated the query. | C:/Program Files (x86)/Alibaba/Aegis/AliDetect/AliDetect.exe |
time | The time the DNS query event was captured. This is generally the same as when the query occurred. | 2023-08-17 20:05:04 |
Client event logs
| Field | Description | Example |
|---|---|---|
agent_version | The client version. | aegis_11_91 |
last_login | The timestamp of the last logon, in milliseconds. | 1716444387617 |
platform | The operating system type. Values: windows; linux. | linux |
region_id | The region where the server resides. | cn-beijing |
status | The agent status. Values: online; offline. | online |
Security log fields
Vulnerability logs
| Field | Description | Example |
|---|---|---|
vul_alias_name | The vulnerability alias. | CESA-2023:1335: openssl Security Update |
risk_level | The risk level. Values: asap (High); later (Medium); nntf (Low). | later |
extend_content | Extended vulnerability information, in JSON format. | {"cveList":["CVE-2023-0286"],...} |
internet_ip | The public IP address of the asset. | 39.104.XX.XX |
intranet_ip | The private IP address of the asset. | 192.168.XX.XX |
instance_name | The hostname. | hhht-linux-*** |
vul_name | The vulnerability name. | centos:7:cesa-2023:1335 |
operation | The action performed on the vulnerability. Values: new (New); verify (Verify); fix (Fix). | new |
status | The vulnerability status. Values: 1 (Unfixed); 2 (Fix failed); 3 (Rollback failed); 4 (Fixing); 5 (Rolling back); 6 (Verifying); 7 (Fixed); 8 (Fixed, restart required); 9 (Rolled back); 10 (Ignored); 11 (Rolled back, restart required); 12 (Does not exist); 13 (Invalid). | 1 |
tag | The vulnerability tag. Values: oval (Linux software vulnerability); system (Windows system vulnerability); cms (Web-CMS vulnerability). Tags for other vulnerability types are random strings. | oval |
type | The vulnerability type. Values: sys (Windows system vulnerability); cve (Linux software vulnerability); cms (Web-CMS vulnerability); emg (Urgent vulnerability). | sys |
CSPM - Baseline check logs
| Field | Description | Example |
|---|---|---|
check_item_name | The name of the check item. | Set minimum interval for password changes |
check_item_level | The check severity level. Values: high; medium; low. | medium |
check_type | The type of the check item. | Identity authentication |
risk_level | The risk level. Values: high; medium; low. | medium |
operation | The operation. Values: new (New); verity (Validation). | new |
risk_name | The name of the risk item. | Password policy compliance check |
status | The status. Values: 1 (Failed); 2 (Verifying); 6 (Ignored); 7 (Fixing). | 1 |
sub_type_alias_name | The alias of the subtype. | International security best practices - Ubuntu 16/18/20/22 security baseline check |
sub_type_name | The baseline subtype name. For valid values, see List of baseline types and subtypes. | hc_ubuntu16_cis_rules |
type_alias_name | The alias of the type. | International security best practices |
type_name | The baseline type. For valid values, see List of baseline types and subtypes. | cis |
Security alert logs
| Field | Description | Example |
|---|---|---|
data_source | The data source. Values: aegis_suspicious_event (anomalous host activity); aegis_suspicious_file_v2 (webshell); aegis_login_log (anomalous logon); honeypot (cloud honeypot alert); object_scan (file detection anomaly); security_event (Security Center anomaly); sas_ak_leak (AK leak event). | aegis_login_log |
detail | A JSON object with detailed alert context. Fields vary by alert type. The alert_reason field (reason for anomaly) has these common values: reason1 (IP not from a common logon location); reason2 (API call failed); reason3 (IP not from a common logon location and API call failed). | {"loginSourceIp":"221.11.XX.XX","loginDestinationPort":22,...} |
internet_ip | The public IP address of the asset. | 39.104.XX.XX |
intranet_ip | The private IP address of the asset. | 192.168.XX.XX |
level | The alert risk level. Values: serious (Urgent); suspicious (Suspicious); remind (Reminder). | suspicious |
name | The alert name. | Anomalous Logon - Unusual Account Logon to ECS |
operation | The operation. Values: new (New); dealing (Processing); update (Updated). | new |
status | The alert status. Values: 1 (Unhandled); 2 (Ignored); 8 (Whitelisted); 16 (Processing); 32 (Processed); 64 (Expired — alerts not processed within 30 days); 513 (Automatically blocked by the precise defense feature). | 1 |
unique_info | The unique identifier of the alert. | 2536dd765f804916a1fa3b9516b5**** |
suspicious_event_id | The alert event ID. | 650226318 |
handle_time | The timestamp of the operation. | 1765272845 |
alert_first_time | The timestamp when the alert first occurred. | 1764226915 |
alert_last_time | The timestamp when the alert last occurred. | 1765273425 |
strict_mode | Whether this is a strict mode alert. Values: true; false. | true |
user_id | The account ID. | 1358******3357 |
CSPM - Cloud platform configuration check logs
| Field | Description | Example |
|---|---|---|
check_id | The check item ID. To get this ID, call the ListCheckResult operation. | 11 |
check_item_name | The name of the check item. | Origin fetch configuration |
instance_name | The instance name. | lsm |
instance_result | The impact of the risk, as a JSON string. | {"Checks":[{}],...} |
instance_sub_type | The instance subtype. Values depend on instance_type: for ECS — INSTANCE, DISK, SECURITY_GROUP; for ACR — REPOSITORY_ENTERPRISE, REPOSITORY_PERSON; for RAM — ALIAS, USER, POLICY, GROUP; for WAF — DOMAIN; for all others — INSTANCE. | INSTANCE |
instance_type | The instance type. Values: ECS; SLB; RDS; MONGODB; KVSTORE (Redis); ACR (Container Registry); CSK; VPC; ActionTrail; CDN; CAS (Certificate Management Service); RDC (Apsara DevOps); RAM; DDOS (Anti-DDoS); WAF; OSS; POLARDB; POSTGRESQL; MSE (Microservices Engine); NAS; SDDP (Sensitive Data Discovery and Protection); EIP. | ECS |
region_id | The region where the instance resides. | cn-hangzhou |
requirement_id | The requirement ID. To get this ID, call the ListCheckStandard operation. | 5 |
risk_level | The risk level. Values: LOW; MEDIUM; HIGH. | MEDIUM |
section_id | The section ID. To get this ID, call the ListCheckResult operation. | 1 |
standard_id | The standard ID. To get this ID, call the ListCheckStandard operation. | 1 |
status | The check item status. Values: NOT_CHECK (Not checked); CHECKING (Checking); PASS (Passed); NOT_PASS (Failed); WHITELIST (Whitelisted). | PASS |
vendor | The cloud service provider. Fixed value: ALIYUN. | ALIYUN |
Network defense logs
| Field | Description | Example |
|---|---|---|
cmd | The command line of the attacked process. | nginx: master process nginx |
cur_time | The time the attack event occurred. | 2023-09-14 09:21:59 |
decode_payload | The payload converted from HEX to characters. | POST /Services/FileService/UserFiles/ |
dst_ip | The IP address of the attacked asset. | 172.16.XX.XX |
dst_port | The port of the attacked asset. | 80 |
func | The type of the intercepted event. Values: payload (malicious payload detected); tuple (malicious IP access detected). | payload |
rule_type | The defense rule type. Values: alinet_payload (payload event rule); alinet_tuple (tuple event rule). | alinet_payload |
internet_ip | The public IP address of the attacked asset. | 39.104.XX.XX |
intranet_ip | The private IP address of the attacked asset. | 192.168.XX.XX |
final_action | The defense action. Fixed value: block. | block |
payload | The payload in HEX format. | 504f5354...**** |
pid | The ID of the attacked process. | 7107 |
platform | The OS type of the attacked asset. Values: windows; linux. | linux |
proc_path | The path of the attacked process. | /usr/sbin/nginx |
src_ip | The source IP address of the attack. | 106.11.XX.XX |
src_port | The source port of the attack. | 29575 |
Application protection logs
| Field | Description | Example |
|---|---|---|
app_dir | The directory where the application resides. | /usr/local/aegis/rasp/apps/1111 |
app_id | The application ID. | 6492a391fc9b4e2aad94**** |
app_name | The application name. | test |
confidence_level | The detection algorithm confidence level. Values: high; medium; low. | low |
request_body | The request body. | {"@type":"_com.sun.rowset.JdbcRowSetImpl_",...} |
request_content_length | The length of the request body. | 112 |
data | The hook point parameters. | {"cmd":"bash -c kill -0 -- -'31098' "} |
headers | The request headers. | {"content-length":"112",...} |
hostname | The name of the host or network device. | testhostname |
host_ip | The private IP address of the host. | 172.16.XX.XX |
is_cliped | Whether the log was truncated because it was too long. Values: true (truncated); false (not truncated). | false |
jdk_version | The JDK version. | 1.8.0_292 |
message | The alert description. | Unsafe class serial. |
request_method | The HTTP request method. | Post |
platform | The operating system type. | Linux |
arch | The operating system architecture. | amd64 |
kernel_version | The operating system kernel version. | 3.10.0-1160.59.1.el7.x86_64 |
param | The request parameters (GET parameters or application/x-www-form-urlencoded). | {"url":["http://127.0.0.1.xip.io"]} |
payload | The effective attack payload. | bash -c kill -0 -- -'31098' |
payload_length | The length of the attack payload. | 27 |
rasp_id | The unique ID of the RASP probe. | fa00223c8420e256c0c98ca0bd0d**** |
rasp_version | The RASP probe version. | 0.8.5 |
src_ip | The IP address of the requester. | 172.0.XX.XX |
final_action | The alert handling result. Values: block (blocked); monitor (monitoring only). | block |
rule_action | The alert handling method defined by the rule. Values: block; monitor. | block |
risk_level | The risk level. Values: high; medium; low. | high |
stacktrace | The stack trace. | [java.io.FileInputStream.<init>(FileInputStream.java:123),...] |
time | The time the alert was triggered. | 2023-10-09 15:19:15 |
timestamp | The timestamp when the alert was triggered, in milliseconds. | 1696835955070 |
type | The attack type. Values: attach (malicious attachment); beans (malicious beans binding); classloader (malicious class loading); dangerous_protocol (dangerous protocol); dns (malicious DNS query); engine (engine injection); expression (expression injection); file (malicious file read/write); file_delete (arbitrary file deletion); file_list (directory traversal); file_read (arbitrary file read); file_upload (malicious file upload); jndi (JNDI injection); jni (JNI injection); jstl (JSTL arbitrary file inclusion); memory_shell (in-memory webshell injection); rce (remote code execution); read_object (deserialization attack); reflect (malicious reflection call); sql (SQL injection); ssrf (malicious outbound connection); thread_inject (thread injection); xxe (XXE attack). | rce |
url | The request URL. | http://127.0.0.1:999/xxx |
rasp_attack_uuid | The UUID of the attack event. | 18823b23-7ad4-47c0-b5ac-e5f036a2**** |
internet_ip | The public IP address of the host. | 1.2.XX.XX |
intranet_ip | The private IP address of the host. | 172.16.XX.XX |
Malware detection logs
| Field | Description | Example |
|---|---|---|
bucket_name | The OSS bucket name. | ***-test |
event_id | The alert ID. | 802210 |
event_name | The alert name. | Mining program |
md5 | The MD5 hash of the file. | 6bc2bc******53d409b1 |
sha256 | The SHA256 hash of the file. | f038f9525******7772981e87f85 |
result | The detection result. Values: 0 (safe); 1 (malicious file detected). | 0 |
file_path | The file path. | test.zip/bin_test |
etag | The OSS file identifier. | 6BC2B******853D409B1 |
risk_level | The risk level. Values: serious (Urgent); suspicious (Suspicious); remind (Reminder). | remind |
source | The detection scenario. Values: OSS (file detection in an OSS bucket via the Security Center console); API (malicious file detection via the Java or Python SDK). | OSS |
parent_md5 | The MD5 hash of the parent file or archive. | 3d0f8045bb9****** |
parent_sha256 | The SHA256 hash of the parent file or archive. | 69b643d6******a3fb859fa |
parent_file_path | The name of the parent file or archive. | test.zip |
compress_file_number | The position of this file in the archive, in the format [current]/[total]. | 1/10 (this is file 1 of 10 in the archive) |
Core file monitoring event logs
| Field | Description | Example |
|---|---|---|
file_path | The file path. | /etc/passwd |
proc_path | The process path. | /usr/bin/bash |
rule_id | The ID of the rule that was triggered. | 123 |
rule_name | The rule name. | file_test_rule |
cmdline | The command line. | bash /opt/a |
operation | The file operation type. | READ |
risk_level | The alert level. | 2 |
pid | The process ID. | 45324 |
proc_permission | The process permissions. | rwxrwxrwx |
internet_ip | The public IP address. | 192.0.2.1 |
intranet_ip | The private IP address. | 172.16.0.1 |
instance_name | The instance name. | aegis-test |
platform | The operating system type. | Linux |
Agentless detection logs
Agentless detection logs share a set of common fields across all subtypes, plus subtype-specific fields.
Common fields
| Field | Description | Example |
|---|---|---|
internet_ip | The public IP address of the asset. | 39.104.XX.XX |
intranet_ip | The private IP address of the asset. | 192.168.XX.XX |
Vulnerability risk fields
| Field | Description | Example |
|---|---|---|
vul_name | The vulnerability name. | imgsca:java:gson:AVD-2022-25647 |
vul_alias_name | The vulnerability alias. | gson code issue vulnerability (CVE-2022-25647) |
vul_primary_id | The primary key ID of the vulnerability. | 990174361 |
type | The vulnerability type. Values: sys (Windows system vulnerability); cve (Linux software vulnerability); sca (application vulnerability, software component analysis type); emg (urgent vulnerability). | sca |
alert_level | The vulnerability risk level. Values: asap (High); later (Medium); nntf (Low). | asap |
instance_name | The hostname. | hhht-linux-*** |
operation | The action. Values: new (New); update (Updated). | new |
status | The vulnerability status. Values: 1 (Unfixed); 7 (Fixed). | 1 |
tag | The vulnerability tag. Values: oval (Linux software vulnerability); system (Windows system vulnerability). Tags for other vulnerability types are random strings. | oval |
Baseline check fields
| Field | Description | Example |
|---|---|---|
check_item_name | The name of the check item. | Set password expiration time |
check_item_level | The check item severity. Values: high; medium; low. | high |
check_type | The type of check item. | Identity authentication |
risk_level | The risk level. Values: high; medium; low. | low |
operation | The action. Values: new (New); update (Updated). | new |
risk_name | The name of the risk item. | Password policy compliance check |
status | The check item status. Values: 1 (Failed); 3 (Passed). | 1 |
sub_type_alias_name | The alias of the subtype. | Alibaba Cloud standard - CentOS Linux 7/8 security baseline |
sub_type_name | The baseline subtype name. For valid values, see List of baseline types and subtypes. | hc_centos7 |
type_name | The baseline type name. | hc_best_security |
type_alias_name | The alias of the type. | Best practices |
container_id | The container ID. | b564567427272d46f9b1cc4ade06a85fdf55075c06fdb870818d5925fa86**** |
container_name | The container name. | k8s_gamify-answer-bol_gamify-answer-bol-5-6876d5dc78-vf6rb_study-gamify-answer-bol_483a1ed1-28b7-11eb-bc35-00163e01****_0 |
Malicious sample fields
| Field | Description | Example |
|---|---|---|
alert_level | The risk level. Values: serious (Urgent); suspicious (Suspicious); remind (Reminder). | suspicious |
alert_name | The name of the malicious sample alert. | Suspicious Process - SSH-based |
operation | The action. Values: new (New); update (Updated). | new |
status | The risk status. Values: 0 (Unhandled); 3 (Whitelisted). | 0 |
suspicious_event_id | The alert event ID. | 909361 |
Sensitive file fields
| Field | Description | Example |
|---|---|---|
alert_level | The risk level. Values: high; medium; low. | high |
rule_name | The file type name. | Ionic token |
file_path | The path of the sensitive file. | /Windows/Microsoft.NET/assembly/GAC_MSIL/System.WorkflowServices/... |
result | The check result. | {"result":"[\"[\\\\\"mysql-uqjtwadmin-xxx"} |
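The malware detection and agentless detection tables above use three different severity vocabularies (asap/later/nntf, serious/suspicious/remind, high/medium/low) and reuse the field name `status` with a different code table per subtype. The following is an added example, not Security Center product or SDK code, that folds these onto one schema so a single downstream rule can consume all of them; the subtype labels used for dispatch ("vul", "baseline", "malicious_sample", "malware") and the sample records are this example's own, and it assumes field values arrive as strings.

```python
# Added example, not Security Center product code: normalize the log records
# documented above so one detection rule can work across log families.

# Each log family spells severity differently; fold them onto one scale.
SEVERITY = {
    "asap": "high", "later": "medium", "nntf": "low",            # vulnerability alert_level
    "serious": "high", "suspicious": "medium", "remind": "low",  # malware / malicious sample
    "high": "high", "medium": "medium", "low": "low",            # baseline / sensitive file
}
# The same field name "status" carries a different code table per subtype.
# The subtype labels ("vul", "baseline", ...) are this example's own, not a product field.
STATUS = {
    "vul": {1: "unfixed", 7: "fixed"},
    "baseline": {1: "failed", 3: "passed"},
    "malicious_sample": {0: "unhandled", 3: "whitelisted"},
}
# Constructed sample records built from the documented field names and values.
SAMPLES = [
    ("vul", {"alert_level": "asap", "status": "1", "intranet_ip": "192.168.0.10"}),
    ("baseline", {"risk_level": "low", "status": "3", "intranet_ip": "192.168.0.10"}),
    ("malicious_sample", {"alert_level": "suspicious", "status": "0"}),
    ("malware", {"risk_level": "remind", "result": "0", "internet_ip": "203.0.113.5",
                 "file_path": "test.zip/bin_test", "compress_file_number": "1/10"}),
]


def parse_archive_position(value: str) -> tuple:
    # compress_file_number is "[current]/[total]"; reject positions outside the archive.
    cur, tot = (int(part) for part in value.split("/", 1))
    if not 1 <= cur <= tot:
        raise ValueError(f"bad archive position: {value!r}")
    return cur, tot


def normalize(subtype: str, record: dict) -> dict:
    # Values are assumed to be strings; lower() also absorbs a capitalised "Later".
    level = str(record.get("alert_level") or record.get("risk_level")).lower()
    out = {"subtype": subtype, "severity": SEVERITY[level],
           "host": record.get("intranet_ip") or record.get("internet_ip")}
    if subtype in STATUS:
        out["status"] = STATUS[subtype][int(record["status"])]
    if subtype == "malware":  # result is 1 for a detected malicious file, 0 for clean
        out["malicious"] = int(record["result"]) == 1
        out["archive_position"] = parse_archive_position(record["compress_file_number"])
    return out


def normalize_all() -> list:
    return [normalize(subtype, rec) for subtype, rec in SAMPLES]
```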
Appendix
List of baseline types and subtypes
| Type name | Subtype name | Description |
|---|---|---|
| hc_exploit | hc_exploit_redis | Important threat exploit: Unauthorized access to Redis |
| | hc_exploit_activemq | Important threat exploit: Unauthorized access to ActiveMQ |
| | hc_exploit_couchdb | Important threat exploit: Unauthorized access to CouchDB |
| | hc_exploit_docker | Important threat exploit: Unauthorized access to Docker |
| | hc_exploit_es | Important threat exploit: Unauthorized access to Elasticsearch |
| | hc_exploit_hadoop | Important threat exploit: Unauthorized access to Hadoop |
| | hc_exploit_jboss | Important threat exploit: Unauthorized access to JBoss |
| | hc_exploit_jenkins | Important threat exploit: Unauthorized access to Jenkins |
| | hc_exploit_k8s_api | Important threat exploit: Unauthorized access to Kubernetes API server |
| | hc_exploit_ldap | Important threat exploit: Unauthorized access to LDAP (Windows) |
| | hc_exploit_ldap_linux | Important threat exploit: Unauthorized access to OpenLDAP (Linux) |
| | hc_exploit_memcache | Important threat exploit: Unauthorized access to Memcached |
| | hc_exploit_mongo | Important threat exploit: Unauthorized access to MongoDB |
| | hc_exploit_pgsql | Important threat exploit: Unauthorized access to PostgreSQL |
| | hc_exploit_rabbitmq | Important threat exploit: Unauthorized access to RabbitMQ |
| | hc_exploit_rsync | Important threat exploit: Unauthorized access to rsync |
| | hc_exploit_tomcat | Important threat exploit: Apache Tomcat AJP file inclusion vulnerability |
| | hc_exploit_zookeeper | Important threat exploit: Unauthorized access to ZooKeeper |
| hc_container | hc_docker | Alibaba Cloud standard: Docker security baseline check |
| | hc_middleware_ack_master | International security best practices: Kubernetes (ACK) master node security baseline check |
| | hc_middleware_ack_node | International security best practices: Kubernetes (ACK) node security baseline check |
| | hc_middleware_k8s | Alibaba Cloud standard: Kubernetes master node security baseline check |
| | hc_middleware_k8s_node | Alibaba Cloud standard: Kubernetes node security baseline check |
| cis | hc_suse15_djbh | MLPS 2.0 Level 3: SUSE 15 compliance baseline check |
| | hc_aliyun_linux3_djbh_l3 | MLPS 2.0 Level 3: Alibaba Cloud Linux 3 compliance baseline check |
| | hc_aliyun_linux_djbh_l3 | MLPS 2.0 Level 3: Alibaba Cloud Linux/Aliyun Linux 2 compliance baseline check |
| | hc_bind_djbh | MLPS 2.0 Level 3: Bind compliance baseline check |
| | hc_centos6_djbh_l3 | MLPS 2.0 Level 3: CentOS Linux 6 compliance baseline check |
| | hc_centos7_djbh_l3 | MLPS 2.0 Level 3: CentOS Linux 7 compliance baseline check |
| | hc_centos8_djbh_l3 | MLPS 2.0 Level 3: CentOS Linux 8 compliance baseline check |
| | hc_debian_djbh_l3 | MLPS 2.0 Level 3: Debian Linux 8/9/10 compliance baseline check |
| | hc_iis_djbh | MLPS 2.0 Level 3: IIS compliance baseline check |
| | hc_informix_djbh | MLPS 2.0 Level 3: Informix compliance baseline check |
| | hc_jboss_djbh | MLPS 2.0 Level 3: JBoss compliance baseline check |
| | hc_mongo_djbh | MLPS 2.0 Level 3: MongoDB compliance baseline check |
| | hc_mssql_djbh | MLPS 2.0 Level 3: SQL Server compliance baseline check |
| | hc_mysql_djbh | MLPS 2.0 Level 3: MySQL compliance baseline check |
| | hc_nginx_djbh | MLPS 2.0 Level 3: Nginx compliance baseline check |
| | hc_oracle_djbh | MLPS 2.0 Level 3: Oracle compliance baseline check |
| | hc_pgsql_djbh | MLPS 2.0 Level 3: PostgreSQL compliance baseline check |
| | hc_redhat6_djbh_l3 | MLPS 2.0 Level 3: Red Hat Linux 6 compliance baseline check |
| | hc_redhat_djbh_l3 | MLPS 2.0 Level 3: Red Hat Linux 7 compliance baseline check |
| | hc_redis_djbh | MLPS 2.0 Level 3: Redis compliance baseline check |
| | hc_suse10_djbh_l3 | MLPS 2.0 Level 3: SUSE 10 compliance baseline check |
| | hc_suse12_djbh_l3 | MLPS 2.0 Level 3: SUSE 12 compliance baseline check |
| | hc_suse_djbh_l3 | MLPS 2.0 Level 3: SUSE 11 compliance baseline check |
| | hc_ubuntu14_djbh_l3 | MLPS 2.0 Level 3: Ubuntu 14 compliance baseline check |
| | hc_ubuntu_djbh_l3 | MLPS 2.0 Level 3: Ubuntu 16/18/20 compliance baseline check |
| | hc_was_djbh | MLPS 2.0 Level 3: WebSphere Application Server compliance baseline check |
| | hc_weblogic_djbh | MLPS 2.0 Level 3: WebLogic compliance baseline check |
| | hc_win2008_djbh_l3 | MLPS 2.0 Level 3: Windows 2008 R2 compliance baseline check |
| | hc_win2012_djbh_l3 | MLPS 2.0 Level 3: Windows 2012 R2 compliance baseline check |
| | hc_win2016_djbh_l3 | MLPS 2.0 Level 3: Windows 2016/2019 compliance baseline check |
| | hc_aliyun_linux_djbh_l2 | MLPS 2.0 Level 2: Alibaba Cloud Linux/Aliyun Linux 2 compliance baseline check |
| | hc_centos6_djbh_l2 | MLPS 2.0 Level 2: CentOS Linux 6 compliance baseline check |
| | hc_centos7_djbh_l2 | MLPS 2.0 Level 2: CentOS Linux 7 compliance baseline check |
| | hc_debian_djbh_l2 | MLPS 2.0 Level 2: Debian Linux 8 compliance baseline check |
| | hc_redhat7_djbh_l2 | MLPS 2.0 Level 2: Red Hat Linux 7 compliance baseline check |
| | hc_ubuntu_djbh_l2 | MLPS 2.0 Level 2: Ubuntu 16/18 compliance baseline check |
| | hc_win2008_djbh_l2 | MLPS 2.0 Level 2: Windows 2008 R2 compliance baseline check |
| | hc_win2012_djbh_l2 | MLPS 2.0 Level 2: Windows 2012 R2 compliance baseline check |
| | hc_win2016_djbh_l2 | MLPS 2.0 Level 2: Windows 2016/2019 compliance baseline check |
| | hc_aliyun_linux_cis | International security best practices: Alibaba Cloud Linux/Aliyun Linux 2 security baseline check |
| | hc_centos6_cis_rules | International security best practices: CentOS Linux 6 security baseline check |
| | hc_centos7_cis_rules | International security best practices: CentOS Linux 7 security baseline check |
| | hc_centos8_cis_rules | International security best practices: CentOS Linux 8 security baseline check |
| | hc_debian8_cis_rules | International security best practices: Debian Linux 8 security baseline check |
| | hc_ubuntu14_cis_rules | International security best practices: Ubuntu 14 security baseline check |
| | hc_ubuntu16_cis_rules | International security best practices: Ubuntu 16/18/20 security baseline check |
| | hc_win2008_cis_rules | International security best practices: Windows Server 2008 R2 security baseline check |
| | hc_win2012_cis_rules | International security best practices: Windows Server 2012 R2 security baseline check |
| | hc_win2016_cis_rules | International security best practices: Windows Server 2016/2019 security baseline check |
| | hc_kylin_djbh_l3 | MLPS 2.0 Level 3: Kylin compliance baseline check |
| | hc_uos_djbh_l3 | MLPS 2.0 Level 3: UOS compliance baseline check |
| hc_best_security | hc_aliyun_linux | Alibaba Cloud standard: Alibaba Cloud Linux/Aliyun Linux 2 security baseline check |
| | hc_centos6 | Alibaba Cloud standard: CentOS Linux 6 security baseline check |
| | hc_centos7 | Alibaba Cloud standard: CentOS Linux 7/8 security baseline check |
| | hc_debian | Alibaba Cloud standard: Debian Linux 8/9/10 security baseline check |
| | hc_redhat6 | Alibaba Cloud standard: Red Hat Linux 6 security baseline check |
| | hc_redhat7 | Alibaba Cloud standard: Red Hat Linux 7/8 security baseline check |
| | hc_ubuntu | Alibaba Cloud standard: Ubuntu security baseline check |
| | hc_windows_2008 | Alibaba Cloud standard: Windows 2008 R2 security baseline check |
| | hc_windows_2012 | Alibaba Cloud standard: Windows 2012 R2 security baseline check |
| | hc_windows_2016 | Alibaba Cloud standard: Windows 2016/2019 security baseline check |
| | hc_db_mssql | Alibaba Cloud standard: SQL Server security baseline check |
| | hc_memcached_ali | Alibaba Cloud standard: Memcached security baseline check |
| | hc_mongodb | Alibaba Cloud standard: MongoDB 3.x security baseline check |
| | hc_mysql_ali | Alibaba Cloud standard: MySQL security baseline check |
| | hc_oracle | Alibaba Cloud standard: Oracle 11g security baseline check |
| | hc_pgsql_ali | Alibaba Cloud standard: PostgreSQL security baseline check |
| | hc_redis_ali | Alibaba Cloud standard: Redis security baseline check |
| | hc_apache | Alibaba Cloud standard: Apache security baseline check |
| | hc_iis_8 | Alibaba Cloud standard: IIS 8 security baseline check |
| | hc_nginx_linux | Alibaba Cloud standard: Nginx security baseline check |
| | hc_suse15 | Alibaba Cloud standard: SUSE Linux 15 security baseline check |
| | tomcat7 | Alibaba Cloud standard: Apache Tomcat security baseline check |
| weak_password | hc_mongodb_pwd | Weak password: MongoDB logon weak password detection (version 2.x) |
| | hc_weakpwd_ftp_linux | Weak password: FTP logon weak password check |
| | hc_weakpwd_linux_sys | Weak password: Linux system logon weak password check |
| | hc_weakpwd_mongodb3 | Weak password: MongoDB logon weak password detection |
| | hc_weakpwd_mssql | Weak password: SQL Server database logon weak password check |
| | hc_weakpwd_mysql_linux | Weak password: MySQL database logon weak password check |
| | hc_weakpwd_mysql_win | Weak password: MySQL database logon weak password check (Windows) |
| | hc_weakpwd_openldap | Weak password: OpenLDAP logon weak password check |
| | hc_weakpwd_oracle | Weak password: Oracle logon weak password detection |
| | hc_weakpwd_pgsql | Weak password: PostgreSQL database logon weak password check |
| | hc_weakpwd_pptp | Weak password: pptpd service logon weak password check |
| | hc_weakpwd_redis_linux | Weak password: Redis database logon weak password check |
| | hc_weakpwd_rsync | Weak password: rsync service logon weak password check |
| | hc_weakpwd_svn | Weak password: SVN service logon weak password check |
| | hc_weakpwd_tomcat_linux | Weak password: Apache Tomcat console weak password check |
| | hc_weakpwd_vnc | Weak password: VNC Server weak password check |
| | hc_weakpwd_weblogic | Weak password: WebLogic 12c logon weak password detection |
| | hc_weakpwd_win_sys | Weak password: Windows system logon weak password check |