Security Center

Updated at: 2024-12-13 10:06

This topic describes the fields of Security Center logs. Security Center logs include network logs, security logs, and host logs.

Network logs

  • Domain Name System (DNS) logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as sas-log-dns.

    owner_id

    The ID of the Alibaba Cloud account.

    additional

    The fields in the additional section. Multiple fields are separated by vertical bars (|).

    additional_num

    The number of additional fields.

    answer

    The DNS responses. Multiple responses are separated by vertical bars (|).

    answer_num

    The number of DNS responses.

    authority

    The fields in the authority section.

    authority_num

    The number of fields in the authority section.

    client_subnet

    The subnet where the client resides.

    dst_ip

    The destination IP address.

    dst_port

    The destination port.

    net_connect_dir

    The direction of data flows. Valid values:

    • in: inbound

    • out: outbound

    qid

    The ID of the query.

    query_name

    The domain name that is queried.

    query_type

    The type of the query.

    query_datetime

    The timestamp of the query. Unit: milliseconds.

    rcode

    The returned code.

    region

    The ID of the source region. Valid values:

    • 1: China (Beijing)

    • 2: China (Qingdao)

    • 3: China (Hangzhou)

    • 4: China (Shanghai)

    • 5: China (Shenzhen)

    • 6: Other regions

    response_datetime

    The time when the response is returned.

    src_ip

    The source IP address.

    src_port

    The source port.

    start_time

    The start timestamp. Unit: seconds.

  • Local DNS logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as local-dns.

    owner_id

    The ID of the Alibaba Cloud account.

    answer_rdata

    The DNS responses. Multiple responses are separated by vertical bars (|).

    answer_ttl

    The time-to-live (TTL) values of resource records in DNS responses. Multiple values are separated by vertical bars (|).

    answer_type

    The types of resource records in DNS responses. Multiple types are separated by vertical bars (|). Valid values:

    • 1: A record

    • 2: NS record

    • 5: CNAME record

    • 6: SOA record

    • 10: NULL record

    • 12: PTR record

    • 15: MX record

    • 16: TXT record

    • 25: KEY record

    • 28: AAAA record

    • 33: SRV record

    • 41: OPT record

    • 43: DS record

    • 44: SSHFP record

    • 45: IPSECKEY record

    • 46: RRSIG record

    • 47: NSEC record

    answer_name

    The domain names in DNS responses. Multiple names are separated by vertical bars (|).

    dst_ip

    The destination IP address.

    dst_port

    The destination port.

    group_id

    The ID of the group to which the host belongs.

    host

    The hostname.

    id

    The ID of the query.

    instance_id

    The instance ID.

    internet_ip

    The public IP address of the host.

    ip_ttl

    The TTL of the data packets that are sent by the host.

    query_name

    The domain name that is queried.

    query_type

    The type of the query.

    src_ip

    The source IP address.

    src_port

    The source port.

    start_time

    The timestamp of the query. Unit: seconds.

    time_usecond

    The response duration. Unit: microseconds.

    tunnel_id

    The tunnel ID.
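
The answer_* fields of a local-dns record are parallel, pipe-separated columns, one entry per resource record. The following parser is an added example, not Alibaba Cloud code; it assumes a record is a dict of the documented field names to string values, and the triage heuristics in review_answers (TTL threshold, CNAME chain length) are constructed for illustration.

```python
"""Parse the pipe-separated answer fields of a local-dns log record.

Added example, not Alibaba Cloud code. Assumes a record is a dict of
field name -> string value as documented above, and that answer_name,
answer_rdata, answer_ttl and answer_type each hold one entry per resource
record, in the same order, separated by vertical bars (|).
"""
from typing import Dict, List

# Numeric values documented for the answer_type field.
ANSWER_TYPES = {
    1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 10: "NULL", 12: "PTR",
    15: "MX", 16: "TXT", 25: "KEY", 28: "AAAA", 33: "SRV", 41: "OPT",
    43: "DS", 44: "SSHFP", 45: "IPSECKEY", 46: "RRSIG", 47: "NSEC",
}


def _split(value: str) -> List[str]:
    # An empty field means the response carried no resource records.
    return value.split("|") if value else []


def parse_answers(record: Dict[str, str]) -> List[Dict[str, object]]:
    """Zip the four answer_* columns into one dict per resource record."""
    names = _split(record.get("answer_name", ""))
    rdata = _split(record.get("answer_rdata", ""))
    ttls = _split(record.get("answer_ttl", ""))
    types = _split(record.get("answer_type", ""))
    if not (len(names) == len(rdata) == len(ttls) == len(types)):
        # Misaligned columns: refuse to guess which rdata goes with which TTL.
        raise ValueError("answer_* fields do not have the same number of entries")
    answers = []
    for name, data, ttl, rtype in zip(names, rdata, ttls, types):
        code = int(rtype)
        answers.append({
            "name": name,
            # Codes not in the documented list are kept as TYPEnn.
            "type": ANSWER_TYPES.get(code, f"TYPE{code}"),
            "ttl": int(ttl),
            "rdata": data,
        })
    return answers


def review_answers(record: Dict[str, str], min_ttl: int = 60) -> List[str]:
    """Return triage notes for answer patterns worth a second look.

    Constructed heuristics: very short TTLs on address records and long
    CNAME chains are typical of fast-flux hosting, and TXT answers are a
    common carrier for DNS tunnelling. These are hints, not verdicts.
    """
    answers = parse_answers(record)
    notes = []
    cnames = sum(1 for a in answers if a["type"] == "CNAME")
    if cnames >= 3:
        notes.append(f"{record.get('query_name')}: CNAME chain of length {cnames}")
    for a in answers:
        if a["type"] in ("A", "AAAA") and a["ttl"] < min_ttl:
            notes.append(f"{a['name']}: {a['type']} {a['rdata']} with TTL {a['ttl']}s")
        if a["type"] == "TXT":
            notes.append(f"{a['name']}: TXT answer of {len(a['rdata'])} bytes")
    return notes


# Constructed sample record (not a real log).
SAMPLE = {
    "__topic__": "local-dns",
    "query_name": "www.example.com.",
    "query_type": "1",
    "answer_name": "www.example.com.|cdn.example.net.|cdn.example.net.",
    "answer_rdata": "cdn.example.net.|203.0.113.10|203.0.113.11",
    "answer_ttl": "300|30|30",
    "answer_type": "5|1|1",
}

if __name__ == "__main__":
    for answer in parse_answers(SAMPLE):
        print(answer)
    print(review_answers(SAMPLE))
```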

  • Network session logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as sas-log-session.

    owner_id

    The ID of the Alibaba Cloud account.

    asset_type

    The type of the associated Alibaba Cloud service, such as Elastic Compute Service (ECS), Server Load Balancer (SLB), or ApsaraDB RDS.

    net_connect_dir

    The direction of the network connection.

    dst_ip

    The destination IP address.

    dst_port

    The destination port.

    l4_proto

    The protocol type, such as TCP or UDP.

    session_time

    The duration of the session.

    src_ip

    The source IP address.

    src_port

    The source port.

    start_time

    The start timestamp. Unit: seconds.

  • Web logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as sas-log-http.

    owner_id

    The ID of the Alibaba Cloud account.

    response_content_length

    The content length of the HTTP request.

    dst_ip

    The destination IP address.

    dst_port

    The destination port.

    host

    The hostname of the web server.

    jump_location

    The IP address of the HTTP redirect.

    request_method

    The HTTP request method.

    request_datetime

    The time when the request is sent.

    status

    The HTTP status code.

    content_type

    The content type of the HTTP request.

    response_content_type

    The content type of the HTTP response.

    src_ip

    The source IP address.

    src_port

    The source port.

    request_uri

    The URI of the request.

    http_user_agent

    The User-Agent HTTP header. This field records the client that sends the request.

    http_x_forward_for

    The X-Forwarded-For (XFF) HTTP header.

Security logs

  • Vulnerability logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as sas-vul-log.

    owner_id

    The ID of the Alibaba Cloud account.

    vul_name

    The name of the vulnerability.

    vul_alias_name

    The alias of the vulnerability.

    risk_level

    The risk level of the vulnerability.

    vul_primary_id

    The identifier of the vulnerability.

    instance_name

    The instance name.

    operation

    The action that is performed. Valid values:

    • new

    • verify

    • fix

    status

    The status. For more information, see Table 2 (Status codes of security logs) in this topic.

    tag

    The tag of the vulnerability, such as oval, system, or cms. This field is used to distinguish between urgent vulnerabilities.

    type

    The type of the vulnerability. Valid values:

    • sys: Windows vulnerability

    • cve: Linux vulnerability

    • cms: Web-CMS vulnerability

    • emg: urgent vulnerability

    uuid

    The UUID of the client.

    extend_content

    The extended information about the vulnerability.

    instance_id

    The instance ID.

    internet_ip

    The public IP address of the asset.

    intranet_ip

    The private IP address of the asset.

    start_time

    The start timestamp. Unit: seconds.

  • Baseline logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as sas-hc-log.

    owner_id

    The ID of the Alibaba Cloud account.

    risk_level

    The risk level.

    operation

    The action that is performed. Valid values:

    • new

    • verify

    risk_name

    The name of the risk.

    status

    The status. For more information, see Table 2 (Status codes of security logs) in this topic.

    sub_type_alias_name

    The subtype alias of the baseline.

    sub_type_name

    The subtype of the baseline.

    type_name

    The type of the baseline. For more information, see Table 1 (Types and subtypes of baselines) in this topic.

    type_alias_name

    The type alias of the baseline.

    uuid

    The UUID of the client.

    check_item_name

    The name of the check item.

    check_item_level

    The level of the check item.

    check_type

    The type of the check item.

    instance_id

    The instance ID.

    start_time

    The start timestamp. Unit: seconds.

    Table 1. Types and subtypes of baselines

    Type name        Subtype name
    system           baseline
    weak_password    postsql_weak_password
    database         redis_check
    account          system_account_security
    weak_password    mysq_weak_password
    weak_password    ftp_anonymous
    weak_password    rdp_weak_password
    system           group_policy
    system           register
    weak_password    sqlserver_weak_password
    weak_password    ssh_weak_password
    weak_password    ftp_weak_password
    cis              centos7
    cis              tomcat7
    cis              memcached-check
    cis              mongodb-check
    cis              ubuntu14
    cis              win2008_r2
    system           file_integrity_mon
    cis              linux-httpd-2.2-cis
    cis              linux-docker-1.6-cis
    cis              SUSE11
    cis              redhat6
    cis              bind9.9
    cis              centos6
    cis              debain8
    cis              redhat7
    cis              SUSE12
    cis              ubuntu16

    Table 2. Status codes of security logs

    Status code   Description
    1             Unfixed.
    2             Failed to be fixed.
    3             Failed to be rolled back.
    4             Fixing.
    5             Rolling back.
    6             Verifying.
    7             Fixed.
    8             Fixed and to be restarted.
    9             Rolled back.
    10            Ignoring.
    11            Rolled back and to be restarted.
    12            No longer exists.
    20            Expired.

  • Security alert logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as sas-security-log.

    data_source

    The data source. For more information, see Table 3 (Valid values of the data_source field in security alert logs) in this topic.

    level

    The severity of the alert.

    name

    The name of the alert.

    operation

    The action that is performed. Valid values:

    • new

    • dealing

    status

    The status. For more information, see Table 2 (Status codes of security logs) in this topic.

    uuid

    The UUID of the client.

    detail

    The details of the alert.

    unique_info

    The unique identifier of the alert.

    instance_id

    The instance ID.

    internet_ip

    The public IP address of the asset.

    intranet_ip

    The private IP address of the asset.

    start_time

    The start timestamp. Unit: seconds.

    Table 3. Valid values of the data_source field in security alert logs

    Value                       Description
    aegis_suspicious_event      Server exceptions
    aegis_suspicious_file_v2    Webshells
    aegis_login_log             Suspicious logons
    security_event              Security Center exceptions

  • Configuration assessment logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as sas-cspm-log.

    check_id

    The ID of the check item. You can call the ListCheckResult operation to query the IDs of check items. The operation is used to query the details of the risk items that are detected in the configuration checks on cloud services.

    check_item_name

    The name of the check item.

    instance_id

    The instance ID.

    instance_name

    The instance name.

    instance_result

    The impacts of risks. The value is a JSON string.

    instance_sub_type

    The subtype of the instance.

    • If the type of the instance is ECS, the following valid values are supported:

      • INSTANCE

      • DISK

      • SECURITY_GROUP

    • If the type of the instance is ACR, the following valid values are supported:

      • REPOSITORY_ENTERPRISE

      • REPOSITORY_PERSON

    • If the type of the instance is RAM, the following valid values are supported:

      • ALIAS

      • USER

      • POLICY

      • GROUP

    • If the type of the instance is WAF, the value is fixed as DOMAIN.

    • If the instance is of another type, the value is fixed as INSTANCE.

    instance_type

    The type of the instance. Valid values:

    • ECS

    • SLB

    • RDS: ApsaraDB RDS

    • MONGODB: ApsaraDB for MongoDB

    • KVSTORE: ApsaraDB for Redis

    • ACR: Container Registry

    • CSK: Container Service for Kubernetes (ACK)

    • VPC: Virtual Private Cloud (VPC)

    • ACTIONTRAIL: ActionTrail

    • CDN: Content Delivery Network (CDN)

    • CAS: Certificate Management Service (formerly SSL Certificates Service)

    • RDC: Apsara Devops

    • RAM: Resource Access Management (RAM)

    • DDoS: Anti-DDoS

    • WAF: Web Application Firewall (WAF)

    • OSS: Object Storage Service (OSS)

    • POLARDB: PolarDB

    • POSTGRESQL: ApsaraDB RDS for PostgreSQL

    • MSE: Microservices Engine (MSE)

    • NAS: File Storage NAS (NAS)

    • SDDP: Data Security Center (DSC)

    • EIP: Elastic IP Address (EIP)

    region_id

    The region ID of the instance.

    requirement_id

    The requirement item ID. You can call the ListCheckStandard operation to query the IDs of requirement items. The operation is used to query the standards of configuration checks.

    risk_level

    The risk level. Valid values:

    • LOW

    • MEDIUM

    • HIGH

    section_id

    The section ID. You can call the ListCheckResult operation to query section IDs. The operation is used to query the details of the risk items that are detected in the configuration checks on cloud services.

    standard_id

    The standard ID. You can call the ListCheckStandard operation to query standard IDs. The operation is used to query the standards of configuration checks.

    status

    The status of the check item. Valid values:

    • NOT_CHECK: not checked

    • CHECKING: being checked

    • PASS: passed

    • NOT_PASS: failed

    • WHITELIST: added to the whitelist

    vendor

    The cloud service provider. The value is fixed as ALIYUN.

    start_time

    The start timestamp. Unit: seconds.

  • Network defense logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as sas-net-block.

    cmd

    The command line of the attacked process.

    cur_time

    The time when the attack event occurred.

    decode_payload

    The decoded hexadecimal payload.

    dst_ip

    The IP address of the attacked asset.

    dst_port

    The port of the attacked asset.

    func

    The type of the blocked event. Valid values:

    • payload: indicates that an event is blocked when malicious data or instructions are detected.

    • tuple: indicates that an event is blocked when malicious IP addresses are detected.

    rule_type

    The type of the rule that is used in the blocked event. Valid values:

    • alinet_payload: indicates a payload defense rule that is specified in Security Center.

    • alinet_tuple: indicates a tuple defense rule that is specified in Security Center.

    instance_id

    The instance ID of the attacked asset.

    internet_ip

    The public IP address of the attacked asset.

    intranet_ip

    The private IP address of the attacked asset.

    final_action

    The defense action. The value is fixed as block. The value indicates that the attack is blocked.

    payload

    The hexadecimal payload.

    pid

    The ID of the attacked process.

    platform

    The type of the operating system of the attacked asset. Valid values:

    • win

    • linux

    proc_path

    The path to the attacked process.

    sas_group_name

    The asset group to which the server belongs in Security Center.

    src_ip

    The source IP address of the attack.

    src_port

    The source port of the attack.

    uuid

    The UUID of the server.

    owner_id

    The ID of the Alibaba Cloud account.

    start_time

    The start timestamp. Unit: seconds.

  • Application protection logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as sas-rasp-log.

    app_dir

    The directory in which the application is stored.

    app_id

    The application ID.

    app_name

    The application name.

    confidence_level

    The confidence level of the detection algorithm. Valid values:

    • high

    • medium

    • low

    request_body

    The information about the request body.

    request_content_length

    The length of the request body.

    data

    The hook.

    headers

    The information about the request header.

    hostname

    The name of the host or network device.

    host_ip

    The private IP address of the host.

    is_clipped

    Indicates whether the log is truncated due to an excessive length. Valid values:

    • true

    • false

    jdk_version

    The JDK version.

    message

    The description of the alert.

    request_method

    The method of the request.

    platform

    The type of the operating system.

    arch

    The architecture of the operating system.

    kernel_version

    The kernel version of the operating system.

    param

    The request parameter. In most cases, the parameter is in one of the following formats:

    • GET parameter

    • application/x-www-form-urlencoded

    payload

    The attack payload.

    payload_length

    The length of the attack payload.

    rasp_id

    The ID of the Runtime Application Self Protection (RASP) agent.

    rasp_version

    The version of the RASP agent.

    src_ip

    The IP address from which the request is initiated.

    final_action

    The handling result of the alert. Valid values:

    • block

    • monitor

    rule_action

    The alert handling action that is specified in the application protection rule. Valid values:

    • block

    • monitor

    risk_level

    The risk level. Valid values:

    • high

    • medium

    • low

    stacktrace

    The stack information.

    time

    The time when the alert was generated.

    timestamp

    The timestamp when the alert was generated. Unit: milliseconds.

    type

    The type of the vulnerability. Valid values:

    • attach: malicious Attach API

    • beans: malicious beans binding

    • classloader: malicious class loading

    • dangerous_protocol: usage of vulnerable protocols

    • dns: malicious DNS query

    • engine: engine injection

    • expression: expression injection

    • file: malicious file read and write

    • file_delete: arbitrary file deletion

    • file_list: directory traversal

    • file_read: arbitrary file read

    • file_upload: malicious file upload

    • jndi: Java Naming and Directory Interface (JNDI) injection

    • jni: Java Native Interface (JNI) injection

    • jstl: JavaServer Pages Standard Tag Library (JSTL) arbitrary file inclusion

    • memory_shell: in-memory webshell injection

    • rce: command execution

    • read_object: deserialization attack

    • reflect: malicious reflection call

    • sql: SQL injection

    • ssrf: malicious external connection

    • thread_inject: thread injection

    • xxe: XML external entity (XXE) attack

    url

    The request URL.

    rasp_attack_uuid

    The UUID of the vulnerability.

    uuid

    The UUID of the host.

    internet_ip

    The public IP address of the host.

    intranet_ip

    The private IP address of the host.

    sas_group_name

    The group to which the server belongs in Security Center.

    instance_id

    The instance ID of the host.

    owner_id

    The ID of the Alibaba Cloud account.

    start_time

    The start timestamp. Unit: seconds.

  • File detection logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as sas-filedetect-log.

    bucket_name

    The name of the OSS bucket.

    event_id

    The ID of the alert.

    event_name

    The name of the alert.

    md5

    The MD5 hash value of the file.

    sha256

    The SHA-256 hash value of the file.

    result

    The detection result. Valid values:

    • 0: normal file

    • 1: malicious file

    file_path

    The path to the file.

    etag

    The tag of the file.

    risk_level

    The risk level. Valid values:

    • serious

    • suspicions

    • remind

    source

    The method that is used for detection. Valid values:

    • OSS: The Security Center console is used to detect malicious files in OSS buckets.

    • API: An SDK for Java or Python is used to detect malicious files.

    parent_md5

    The MD5 hash value of the parent file or compressed package file.

    parent_sha256

    The SHA-256 hash value of the parent file or compressed package file.

    parent_file_path

    The name of the parent file or compressed package file.

    owner_id

    The ID of the Alibaba Cloud account.

    start_time

    The timestamp when the detection started. Unit: seconds.

Host logs

  • Process startup logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as aegis-log-process.

    uuid

    The UUID of the client.

    host_ip

    The IP address of the client.

    cmdline

    The full command line that starts the process.

    username

    The username.

    uid

    The user ID.

    pid

    The ID of the process.

    proc_name

    The name of the process file.

    proc_path

    The full path to the process file.

    proc_start_time

    The time when the process was started.

    parent_proc_start_time

    The time when the parent process was started.

    groupname

    The name of the user group.

    ppid

    The ID of the parent process.

    parent_proc_name

    The name of the parent process file.

    parent_proc_path

    The full path of the parent process file.

    cmd_chain

    The process chain.

    container_hostname

    The hostname of the container.

    container_pid

    The process ID of the container.

    container_image_id

    The image ID.

    container_image_name

    The image name.

    container_name

    The container name.

    container_id

    The container ID.

    cwd

    The current working directory (CWD) of the process.

    owner_id

    The ID of the Alibaba Cloud account.

    start_time

    The start timestamp. Unit: seconds.

    cmd_chain_index

    The index of the process chain. You can use an index to search for a process chain.

    cmd_index

    The indexes of the parameters in the command line. The indexes are grouped in pairs, and each pair marks the start and the end of one parameter.

    comm

    The command name related to the process.

    gid

    The ID of the process group.

    instance_id

    The instance ID.

    parent_cmd_line

    The command line of the parent process.

    sas_group_name

    The asset group to which the server belongs in Security Center.

    srv_cmd

    The command line of the ancestor process.

    tty

    The terminal that is logged on to. The value N/A indicates that the account has not been used for terminal logons.

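
The cmd_index field above exists because splitting cmdline on whitespace breaks quoted parameters. The following splitter is an added example, not Alibaba Cloud code; it assumes cmd_index is a comma-separated list of character offsets into cmdline, paired as (start, end) with the end exclusive, which is an assumption about the encoding that the page does not spell out.

```python
"""Split an aegis-log-process cmdline into parameters using cmd_index.

Added example, not Alibaba Cloud code. The page says that cmd_index holds
indexes grouped in pairs, each pair marking where one parameter starts and
ends; this code assumes the field is a comma-separated list of character
offsets into cmdline, with the end offset exclusive. That encoding is an
assumption, so check it against a real record before relying on it.
"""
from typing import Dict, List


def split_cmdline(cmdline: str, cmd_index: str) -> List[str]:
    """Return the parameters of cmdline delimited by the (start, end) pairs."""
    offsets = [int(x) for x in cmd_index.split(",") if x.strip()]
    if len(offsets) % 2:
        # A dangling start offset means the record is malformed; do not guess.
        raise ValueError("cmd_index must hold an even number of offsets")
    params = []
    for start, end in zip(offsets[::2], offsets[1::2]):
        if not 0 <= start <= end <= len(cmdline):
            raise ValueError(f"offset pair ({start}, {end}) is outside cmdline")
        params.append(cmdline[start:end])
    return params


def parameters_of(record: Dict[str, str]) -> List[str]:
    """Use cmd_index when present; fall back to whitespace splitting otherwise.

    The fallback is lossy: a quoted argument that contains spaces is split
    into several tokens, which is exactly what cmd_index exists to avoid.
    """
    if record.get("cmd_index"):
        return split_cmdline(record["cmdline"], record["cmd_index"])
    return record["cmdline"].split()


# Constructed sample record (not a real log). Offsets computed by hand:
# "sh" = [0, 2), "-c" = [3, 5), the quoted script = [6, 16).
SAMPLE = {
    "__topic__": "aegis-log-process",
    "proc_name": "sh",
    "parent_proc_name": "bash",
    "cmdline": 'sh -c "echo a b"',
    "cmd_index": "0,2,3,5,6,16",
}

if __name__ == "__main__":
    print(parameters_of(SAMPLE))          # 3 parameters, quoted script intact
    print(SAMPLE["cmdline"].split())      # naive split yields 5 tokens
```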
  • Process snapshot logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as aegis-snapshot-process.

    owner_id

    The ID of the Alibaba Cloud account.

    uuid

    The UUID of the client.

    host_ip

    The IP address of the client.

    cmdline

    The full command line that starts the process.

    pid

    The ID of the process.

    proc_name

    The name of the process file.

    proc_path

    The full path to the process file.

    md5

    The MD5 hash value of the process file. If the size of the process file exceeds 1 MB, the MD5 hash value is not calculated.

    parent_proc_name

    The name of the parent process file.

    proc_start_time

    The time when the process starts. This field is a built-in field.

    user

    The username.

    uid

    The user ID.

    start_time

    The start timestamp. Unit: seconds.

    instance_id

    The instance ID.

    pname

    The name of the parent process file.

    sas_group_name

    The asset group to which the server belongs in Security Center.

  • Logon logs

    Repeated logon attempts within 1 minute are recorded in a single log entry.

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as aegis-log-login.

    owner_id

    The ID of the Alibaba Cloud account.

    uuid

    The UUID of the client.

    host_ip

    The IP address of the client.

    src_ip

    The source IP address.

    dst_port

    The logon port.

    login_type

    The type of the logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.

    username

    The logon username.

    login_count

    The number of logon attempts. For example, a value of 3 means that two more logon attempts were made in the minute before the current logon.

    instance_id

    The instance ID.

    sas_group_name

    The asset group to which the server belongs in Security Center.

    start_time

    The start timestamp of the query. Unit: seconds.

  • Brute-force cracking logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as aegis-log-crack.

    owner_id

    The ID of the Alibaba Cloud account.

    uuid

    The UUID of the client.

    host_ip

    The IP address of the client.

    src_ip

    The source IP address.

    dst_port

    The logon port.

    login_type

    The type of the logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.

    username

    The logon username.

    login_count

    The number of failed logon attempts.

    instance_id

    The instance ID.

    sas_group_name

    The asset group to which the server belongs in Security Center.

    start_time

    The start timestamp. Unit: seconds.
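
Logon logs and brute-force cracking logs share uuid, src_ip and login_type, so a successful logon that follows a burst of failures from the same source is a natural correlation. The code below is an added example, not Alibaba Cloud code; the records are constructed, and the 10-minute window and failure threshold are illustrative values, not product settings.

```python
"""Correlate aegis-log-login with aegis-log-crack records from the same source.

Added example, not Alibaba Cloud code. Works on dicts keyed by the field
names documented above (start_time in seconds). A logon that follows a burst
of brute-force failures from the same src_ip against the same uuid is worth
triage. The window and the failure threshold are constructed values.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Record = Dict[str, object]
WINDOW_SECONDS = 600
MIN_FAILURES = 5


def index_failures(crack_logs: Iterable[Record]) -> Dict[Tuple[str, str], List[Tuple[int, int]]]:
    """Group brute-force records by (uuid, src_ip) -> [(start_time, login_count)]."""
    by_source: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    for rec in crack_logs:
        if rec.get("__topic__") != "aegis-log-crack":
            continue
        key = (str(rec["uuid"]), str(rec["src_ip"]))
        by_source[key].append((int(rec["start_time"]), int(rec["login_count"])))
    return by_source


def logons_after_bruteforce(
    login_logs: Iterable[Record],
    crack_logs: Iterable[Record],
    window: int = WINDOW_SECONDS,
    min_failures: int = MIN_FAILURES,
) -> List[Tuple[Record, int]]:
    """Return (logon record, failed attempts in the preceding window) pairs."""
    failures = index_failures(crack_logs)
    hits = []
    for login in login_logs:
        if login.get("__topic__") != "aegis-log-login":
            continue
        key = (str(login["uuid"]), str(login["src_ip"]))
        t = int(login["start_time"])
        # Only failures recorded inside the window before the logon count.
        total = sum(count for ts, count in failures.get(key, [])
                    if t - window <= ts <= t)
        if total >= min_failures:
            hits.append((login, total))
    return hits


def describe(hit: Tuple[Record, int]) -> str:
    """One-line summary for a ticket or alert."""
    login, total = hit
    return (f"{login['uuid']}: {login['login_type']} logon as {login['username']} "
            f"from {login['src_ip']} after {total} failed attempts")


# Constructed sample records (not real logs).
SAMPLE_CRACK: List[Record] = [
    {"__topic__": "aegis-log-crack", "uuid": "host-a", "host_ip": "10.0.0.5",
     "src_ip": "198.51.100.7", "dst_port": 22, "login_type": "SSHLOGIN",
     "username": "root", "login_count": 40, "start_time": 1700000000},
    {"__topic__": "aegis-log-crack", "uuid": "host-a", "host_ip": "10.0.0.5",
     "src_ip": "203.0.113.9", "dst_port": 22, "login_type": "SSHLOGIN",
     "username": "deploy", "login_count": 3, "start_time": 1700000100},
    # Old burst, outside the window of the later host-b logon.
    {"__topic__": "aegis-log-crack", "uuid": "host-b", "host_ip": "10.0.0.6",
     "src_ip": "198.51.100.7", "dst_port": 3389, "login_type": "RDPLOGIN",
     "username": "Administrator", "login_count": 50, "start_time": 1699990000},
]
SAMPLE_LOGIN: List[Record] = [
    {"__topic__": "aegis-log-login", "uuid": "host-a", "host_ip": "10.0.0.5",
     "src_ip": "198.51.100.7", "dst_port": 22, "login_type": "SSHLOGIN",
     "username": "root", "login_count": 1, "start_time": 1700000300},
    {"__topic__": "aegis-log-login", "uuid": "host-a", "host_ip": "10.0.0.5",
     "src_ip": "203.0.113.9", "dst_port": 22, "login_type": "SSHLOGIN",
     "username": "deploy", "login_count": 1, "start_time": 1700000200},
    {"__topic__": "aegis-log-login", "uuid": "host-b", "host_ip": "10.0.0.6",
     "src_ip": "198.51.100.7", "dst_port": 3389, "login_type": "RDPLOGIN",
     "username": "Administrator", "login_count": 1, "start_time": 1700000300},
]

if __name__ == "__main__":
    for hit in logons_after_bruteforce(SAMPLE_LOGIN, SAMPLE_CRACK):
        print(describe(hit))
```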

  • Network connection logs

    Changes in network connections are collected from hosts at intervals of 10 seconds to 1 minute.

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as aegis-log-network.

    owner_id

    The ID of the Alibaba Cloud account.

    uuid

    The UUID of the client.

    host_ip

    The IP address of the client.

    src_ip

    The source IP address.

    src_port

    The source port.

    dst_ip

    The destination IP address.

    dst_port

    The destination port.

    proc_name

    The name of the process.

    proc_path

    The path to the process.

    connection_type

    The protocol that is used to establish the network connection.

    status

    The connection status. For more information, see Table 4 (Status codes of network connections) in this topic.

    net_connect_dir

    The direction of the network connection.

    parent_proc_name

    The name of the parent process file.

    cmd_chain

    The process chain.

    cmd_chain_index

    The index of the process chain. You can use an index to search for a process chain.

    container_hostname

    The name of the server in the container.

    container_id

    The container ID.

    container_image_id

    The image ID.

    container_image_name

    The image name.

    container_name

    The container name.

    container_pid

    The ID of the process in the container.

    instance_id

    The instance ID.

    pid

    The ID of the process.

    ppid

    The ID of the parent process.

    proc_start_time

    The time when the process was started.

    srv_comm

    The command name associated with the grandparent process, that is, the parent of the parent process.

    type

    The type of the real-time network connection. Valid values:

    • connect: TCP connection initiated

    • accept: TCP connection received

    • listen: port listening

    uid

    The ID of the user who started the process.

    username

    The name of the user who started the process.

    start_time

    The start timestamp. Unit: seconds.

    Table 4. Status codes of network connections

    Status code   Description
    1             closed
    2             listen
    3             syn send
    4             syn recv
    5             established
    6             close wait
    7             closing
    8             fin_wait1
    9             fin_wait2
    10            time_wait
    11            delete_tcb

  • Port listening snapshot logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as aegis-snapshot-port.

    owner_id

    The ID of the Alibaba Cloud account.

    uuid

    The UUID of the client.

    host_ip

    The IP address of the client.

    connection_type

    The listener protocol.

    src_ip

    The IP address of the listener.

    src_port

    The listening port.

    pid

    The ID of the process.

    proc_name

    The name of the process.

    net_connect_dir

    The direction of the network connection.

    dst_ip

    The destination IP address.

    • If the value of net_connect_dir is out, the value of this field is the IP address of the peer host.

    • If the value of net_connect_dir is in, the value of this field is the IP address of your host.

    dst_port

    The destination port.

    instance_id

    The instance ID.

    sas_group_name

    The asset group to which the server belongs in Security Center.

    status

    The status of the network connection. Valid values:

    • 1: The connection is closed.

    • 2: The connection is to be established.

    • 3: The SYN packet is sent.

    • 4: The SYN packet is received.

    • 5: The connection is established.

    • 6: The connection is waiting to be closed.

    • 7: The connection is being closed.

    • 8: The local endpoint is waiting for an acknowledgment of the connection closing request from the peer endpoint.

    • 9: The local endpoint is waiting for a connection closing request from the peer endpoint after it has received the acknowledgment from the peer endpoint.

    • 10: The local endpoint is waiting for enough time to elapse to ensure that the peer endpoint receives the acknowledgment from the local endpoint.

    • 11: The TCB for the connection is deleted.

    start_time

    The start timestamp. Unit: seconds.

  • Account snapshot logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as aegis-snapshot-host.

    owner_id

    The ID of the Alibaba Cloud account.

    name

    The name of the vulnerability.

    alias_name

    The alias of the vulnerability.

    op

    The action that is performed. Valid values:

    • new

    • verify

    • fix

    status

    The connection status. For more information, see Table 4 (Status codes of network connections) in this topic.

    tag

    The tag of the vulnerability, such as oval, system, or cms. This field is used to distinguish between urgent vulnerabilities.

    type

    The type of the vulnerability. Valid values:

    • sys: Windows vulnerability

    • cve: Linux vulnerability

    • cms: Web-CMS vulnerability

    • EMG: urgent vulnerability

    uuid

    The UUID of the client.

    username

    The logon username.

    host_ip

    The IP address of the server.

    account_expire

    The date when the account expires. The value never indicates that the account never expires.

    domain

    The domain or directory to which the account belongs. The value N/A indicates that the account does not belong to a domain.

    groups

    The group to which the account belongs. The value N/A indicates that the account does not belong to a group.

    home_dir

    The home directory, which is the default directory to store and manage files in the system.

    instance_id

    The instance ID.

    last_chg

    The date when the password was last changed.

    last_logon

    The date and time when the account was last used for logon. The value N/A indicates that the account has not been used for logons.

    login_ip

    The IP address from which the account was last used for logon. The value N/A indicates that the account has not been used for logons.

    passwd_expire

    The date when the password expires. The value never indicates that the password never expires.

    perm

    Indicates whether the account has root permissions. Valid values:

    • 0: The account has no root permissions.

    • 1: The account has root permissions.

    sas_group_name

    The asset group to which the server belongs in Security Center.

    shell

    The Linux shell command.

    tty

    The terminal that is logged on to. The value N/A indicates that the account has not been used for terminal logons.

    warn_time

    The date when you are notified of password expiration. The value never indicates that no notifications are sent.

    start_time

    The start timestamp. Unit: seconds.

  • DNS request logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as aegis-log-dns-query.

    owner_id

    The ID of the Alibaba Cloud account.

    uuid

    The UUID of the client.

    host_ip

    The IP address of the client.

    pid

    The process ID of the DNS requester.

    ppid

    The parent process ID of the DNS requester.

    time

    The time when the DNS request is initiated.

    domain

    The domain name that is contained in the DNS request.

    proc_path

    The path to the process that initiates the DNS request.

    cmdline

    The command line of the process that initiates the DNS request.

    cmd_chain

    The process chain of the DNS requester.

    sas_group_name

    The group to which the server belongs in Security Center.

    instance_id

    The instance ID.

    start_time

    The start timestamp. Unit: seconds.

  • Client event logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed as aegis-log-client.

    uuid

    The UUID of the server.

    host_ip

    The IP address of the server.

    agent_version

    The version of the client.

    last_login

    The timestamp of the last logon to the account. Unit: milliseconds.

    platform

    The type of the operating system. Valid values:

    • windows

    • linux

    region_id

    The region ID of the server.

    status

    The status of the client. Valid values:

    • online

    • offline

    owner_id

    The ID of the Alibaba Cloud account.

    start_time

    The start timestamp. Unit: seconds.
