Updated on 2024-04-24 GMT+08:00

Log Fields

If you access WAF, HSS, CFW, CTS, and IPS logs through the console, SecMaster adds information such as log sources and timestamps to these logs in the form of key-value pairs.

This section describes the meaning of each field.

Common Fields

Table 1 Common fields

Parameter | Field Type | Description
--- | --- | ---
__time | Date | Time when a log is generated
__raw | String | Raw log
ops.source | String | Data source
ops.rgn | String | Site
ops.csvc | String | Data source (cloud service)
ops.ver | String | Data warehouse version
ops.hash | String | Hash of the original log, used for integrity verification
[src_/dest_]asset.domain.id | String | Domain ID
[src_/dest_]asset.domain.name | String | Domain name
[src_/dest_]asset.id | String | Asset ID
[src_/dest_]asset.name | String | Asset name
[src_/dest_]asset.type | String | Asset type
[src_/dest_]asset.region | String | Asset site
[src_/dest_]geo.ip | String | IP address
[src_/dest_]geo.country | String | Country name (Chinese)
[src_/dest_]geo.prov | String | Province name (Chinese)
[src_/dest_]geo.city | String | City name (Chinese)
[src_/dest_]geo.org | String | Organization that registers the IP address
[src_/dest_]geo.isp | String | Carrier
[src_/dest_]geo.loc.lat | Float | Latitude
[src_/dest_]geo.loc.lon | Float | Longitude
[src_/dest_]geo.tz | Integer | Time zone
[src_/dest_]geo.utc_off | Integer | Time zone
[src_/dest_]geo.cac | String | Time zone
[src_/dest_]geo.iddc | String | International call prefix code
[src_/dest_]geo.cc | String | Country code (ISO)
[src_/dest_]geo.contc | String | Continent code (ISO)
[src_/dest_]geo.idc | String | Data center (equipment room)
[src_/dest_]geo.bs | String | Mobile base station
[src_/dest_]geo.cc3 | String | Country code (3 digits)
[src_/dest_]geo.euro | String | EU member state

sec-waf-attack

Fields in WAF attack logs

Table 2 sec-waf-attack

Field | Type | Description
--- | --- | ---
category | String | Category. The value is attack.
time | Date | Log time.
time_iso8601 | Date | ISO 8601 time of the log.
policy_id | String | Protection policy ID.
level | Integer | Protection policy level: 1 (loose), 2 (medium), or 3 (strict).
attack | String | Attack type: default (default attacks); xss (cross-site scripting (XSS) attacks); sqli (SQL injections); cmdi (command injections); lfi (local file inclusion attacks); rfi (remote file inclusion attacks); webshell (web shells); robot (crawler attacks, blocked based on the user agent blacklist); vuln (vulnerability exploits); cc (attacks that hit the CC rules); custom_custom (attacks that hit a precise protection rule); custom_whiteip (attacks that hit a whitelist rule); custom_geoip (attacks that hit a geolocation rule); illegal (unauthorized requests); anticrawler (attacks that hit the anti-crawler rule, such as JS challenges); antitamper (attacks that hit a web tamper protection rule); leakage (attacks that hit a sensitive data protection rule); followed_action (attacks that hit a known attack source rule); trojan (website Trojans).
action | String | Processing action: block (WAF blocks the attack); log (WAF only logs the detected attack); captcha (WAF challenges the client with a verification code).
rule | String | ID of the triggered rule or the description of the custom policy type.
sub_type | String | Crawler subtype. This field is mandatory when attack is robot: script_tool (script tools); search_engine (search engines); scanner (scanning tools); uncategorized (other crawlers).
location | String | Location of the triggered payload.
resp_headers | String | Response header.
resp_body | String | Response body.
hit_data | String | Triggered payload string.
status | String | Status code of the response to the request.
reqid | String | Random ID.
id | String | Attack ID.
method | String | Request method.
sip | String | Request IP address of the client.
sport | String | Request port of the client.
host | String | Domain name of the requested server.
http_host | String | Port number of the requested server.
uri | String | Request URL.
header | String | Request header information.
mutipart | String | Request multipart header (file upload).
cookie | String | Request cookie.
params | String | Parameters following the request URI.
body_bytes_sent | String | Total number of bytes of the response body sent to the client.
upstream_response_time | String | Response time of the backend server.
process_time | String | Detection duration of the engine.
engine_id | String | Unique ID of the engine.
group_id | String | Log group ID used for interconnecting with LTS.
attack_stream_id | String | ID of the access_stream of the user in the log group identified by group_id.
hostid | String | ID of a protected domain name.
tenantid | String | Tenant ID of the protected domain name.
projectid | String | Project ID of the protected domain name.
backend | Object | Address of the backend server to which the request is forwarded.

backend

Field | Type | Description
--- | --- | ---
type | String | Backend host type (IP address or domain name).
alive | String | Backend host status.
host | String | Backend host value.
protocol | String | Backend protocol.
port | Integer | Backend port.
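The enumerated values in the sec-waf-attack table (attack, action, level, and the sub_type that is mandatory only for robot) are what a parser should validate before trusting a record, and the action field is what separates detections WAF stopped from detections it merely logged. The script below is an added example, not code from SecMaster or WAF: it checks each record against those documented values, counts valid records by attack type and action, and lists the detections that were only logged so they can be reviewed. The sample records are constructed and hold only the fields the script reads; field names and values are taken from the table above.

```python
"""Validate sec-waf-attack records against the documented field values and summarize them."""
import json
from collections import Counter

# Enumerations copied from the sec-waf-attack table.
ATTACK_TYPES = {
    "default", "xss", "sqli", "cmdi", "lfi", "rfi", "webshell", "robot", "vuln", "cc",
    "custom_custom", "custom_whiteip", "custom_geoip", "illegal", "anticrawler",
    "antitamper", "leakage", "followed_action", "trojan",
}
ACTIONS = {"block", "log", "captcha"}
LEVELS = {1: "loose", 2: "medium", 3: "strict"}
ROBOT_SUBTYPES = {"script_tool", "search_engine", "scanner", "uncategorized"}


def validate_record(rec):
    """Return the list of problems found in one decoded record (empty when it is clean)."""
    problems = []
    if rec.get("category") != "attack":
        problems.append("category is not 'attack'")
    if rec.get("attack") not in ATTACK_TYPES:
        problems.append(f"unknown attack type {rec.get('attack')!r}")
    if rec.get("action") not in ACTIONS:
        problems.append(f"unknown action {rec.get('action')!r}")
    try:
        level = int(rec.get("level"))
    except (TypeError, ValueError):
        level = None
    if level not in LEVELS:
        problems.append(f"level {rec.get('level')!r} is not 1, 2 or 3")
    # sub_type is documented as mandatory only when attack is robot.
    if rec.get("attack") == "robot" and rec.get("sub_type") not in ROBOT_SUBTYPES:
        problems.append("robot attack without a valid sub_type")
    return problems


def summarize(lines):
    """Parse one JSON record per line.

    Returns (counts, unblocked, invalid):
      counts    - {(attack, action): n} for every valid record
      unblocked - (reqid, attack, sip, uri) for detections WAF only logged
      invalid   - (reqid, problems) for records that fail validation
    """
    counts = Counter()
    unblocked = []
    invalid = []
    for line in lines:
        rec = json.loads(line)
        problems = validate_record(rec)
        if problems:
            invalid.append((rec.get("reqid"), problems))
            continue
        counts[(rec["attack"], rec["action"])] += 1
        if rec["action"] == "log":
            unblocked.append((rec["reqid"], rec["attack"], rec["sip"], rec["uri"]))
    return dict(counts), unblocked, invalid


# Constructed sample records (not real WAF output); only the fields used above are filled in.
_SAMPLES = [
    {"category": "attack", "reqid": "r1", "level": 2, "attack": "sqli", "action": "block",
     "sip": "198.51.100.7", "uri": "/search", "status": "403", "hit_data": "[redacted]"},
    {"category": "attack", "reqid": "r2", "level": 1, "attack": "robot", "sub_type": "scanner",
     "action": "log", "sip": "203.0.113.9", "uri": "/admin", "status": "200"},
    {"category": "attack", "reqid": "r3", "level": 1, "attack": "robot", "action": "block",
     "sip": "203.0.113.9", "uri": "/", "status": "403"},
    {"category": "attack", "reqid": "r4", "level": 3, "attack": "xss", "action": "captcha",
     "sip": "192.0.2.4", "uri": "/comment", "status": "200"},
]
SAMPLE_LINES = [json.dumps(r) for r in _SAMPLES]

if __name__ == "__main__":
    counts, unblocked, invalid = summarize(SAMPLE_LINES)
    for (attack, action), n in sorted(counts.items()):
        print(f"{attack:>8} {action:<8} {n}")
    print("only logged:", unblocked)
    print("invalid:", invalid)
```

Records that fail validation are reported rather than dropped silently, because a schema change in the feed shows up first as a burst of "unknown" values. The level check tolerates the value arriving as a string, which is common when logs pass through a console export.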

sec-waf-access

Table 3 describes the fields in WAF access logs.

Table 3 sec-waf-access

Field | Type | Description
--- | --- | ---
requestid | String | Random ID
time | Date | Log time
eng_ip | String | Engine IP address
hostid | String | ID of a protected domain name
tenantid | String | Tenant ID of the protected domain name
projectid | String | Project ID of the protected domain name
remote_ip | String | IP address of the client that sends the request
scheme | String | Request protocol type
response_code | String | Response code of a request
method | String | Request method
http_host | String | Domain name of the requested server
url | String | Request URL
request_length | String | Request length
bytes_send | String | Total number of bytes sent to the client
body_bytes_sent | String | Total number of bytes of the response body sent to the client
upstream_addr | String | IP address of the selected backend server
request_time | String | Request processing time, which starts from the first byte sent from the client
upstream_response_time | String | Response time of the backend server
upstream_status | String | Response code of the backend server
upstream_connect_time | String | Duration for connecting to the backend server
upstream_header_time | String | Time used by the backend server to receive the first byte of the response header
bind_ip | String | Retrieval IP address of the engine
engine_id | String | Unique ID of the engine
time_iso8601 | Date | ISO 8601 time of the log
sni | String | Domain name requested through the SNI
tls_version | String | Version of the protocol used to establish an SSL connection
ssl_curves | String | List of curves supported by the client
ssl_session_reused | String | Whether an SSL session is reused: r (reused); . (not reused)
process_time | String | Detection duration of the engine
x_forwarded_for | String | Content of X-Forwarded-For in the request header
cdn_src_ip | String | Content of Cdn-Src-Ip in the request header
x_real_ip | String | Content of X-Real-Ip in the request header

sec-obs-access

Fields in OBS access logs

Table 4 sec-obs-access

Field | Type | Description
--- | --- | ---
srcip | String | Source IP address for accessing OBS.
srcport | String | Source port for accessing OBS.
logtime | Date | Time when the log is generated.
ces_log_version | String | Version number, which is V0 for an internal request. V0 does not record Cloud Eye audit logs, and V1 records Cloud Eye audit logs.
request_start_time | String | Request start time.
ctx_request_id | String | Request ID, which uniquely identifies a request to be traced.
request_method | String | Request method (GET/POST).
remote_ip | String | Remote IP address, in the format Client IP address:Port number.
operation | String | Operation type, for example, GET.OBJECT.
bucket_name | String | Bucket name.
object_name | String | Object name (file name).
query_string | String | Request query.
http_status | String | HTTP request status code, for example, 200.
content_length | String | Length of the requested content.
user_agent | String | Client agent.
storage_class | String | OBS storage class.
user_name | String | Username of the requester.
user_id | String | User ID of the requester.
domain_name | String | Domain name of the requester.
domain_id | String | Domain ID of the requester.
project_id | String | Project ID of the requester.
owner_domain_name | String | Tenant name of the bucket owner.
owner_domain_id | String | Tenant ID of the bucket owner.
owner_project_id | String | Project ID of the bucket owner.
transmission_type | String | Network type: 1 (intranet); 2 (public network).
scheme | String | Network protocol.
http_version | String | HTTP version.
host | String | OBS domain name.
port | String | Port number.
auth_v2_v4 | String | Authentication mode.
host_type | String | Access type.
x_forwarded_for | String | IP address of the proxy client.
pub_bkt | String | Whether the bucket is accessed anonymously.
pub_obj | String | Whether an object is accessed anonymously.
website_req | String | Whether the request is a website request.
crr_req | String | Whether the request is a CRR request.
huawei_cloud_service | String | Whether the request is a CDN request: CDN_F (authentication failed); CDN (authentication succeeded).
batch_delete_success_count | String | Number of successful batch deletions.
ctc_log_urn | String | Agency.
requester | String | Agency account.
is_over_write | String | Whether to overwrite data.
error_code | String | Cause of an error.
detail_error_code | String | Detailed error cause.
request_content_type | String | Request object type.
request_content_md5 | String | MD5 of the request object.
total_bytes_received | String | Total bytes of received content.
response_content_type | String | Response object type.
total_bytes_sent | String | Total bytes of sent content in the response header and response body.
referrer | String | Reference page.
index_read_count | String | Metadata table query latency.
persistence_read_count | String | Number of times that data is read.
vpc_id | String | ID of the VPC to which the request client belongs.
access_with_security_token | String | Access using the STS token.
copy_size | String | Copy size.
vpcep_traffic | String | Transmission through VPCEP.
access_key | String | AK.
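Several sec-obs-access fields answer the questions an analyst asks first about storage access: pub_bkt and pub_obj (anonymous access), transmission_type (1 intranet, 2 public network), huawei_cloud_service (CDN_F for a failed CDN authentication), operation (for example DELETE.OBJECT) and http_status. The script below is an added example, not OBS or SecMaster code: it turns those fields into review flags per record, counts flags per bucket, and singles out objects that were read anonymously over the public network. The page documents pub_bkt and pub_obj only as String, so the boolean spellings accepted by _truthy are an assumption; the sample records are constructed.

```python
"""Flag sec-obs-access records worth reviewing: anonymous reads, public-network traffic, denied deletes."""
import json
from collections import Counter, defaultdict


def _truthy(value):
    # ASSUMPTION: pub_bkt and pub_obj are documented only as String; accept the usual spellings.
    return str(value).strip().lower() in {"true", "1", "yes"}


def classify(rec):
    """Return the review flags that apply to one decoded record."""
    flags = []
    if _truthy(rec.get("pub_bkt")) or _truthy(rec.get("pub_obj")):
        flags.append("anonymous")
    if rec.get("transmission_type") == "2":          # documented: 1 intranet, 2 public network
        flags.append("public-network")
    if rec.get("huawei_cloud_service") == "CDN_F":   # documented: CDN authentication failed
        flags.append("cdn-auth-failed")
    if str(rec.get("operation", "")).startswith("DELETE"):
        flags.append("delete")
    if str(rec.get("http_status", "")).startswith(("401", "403")):
        flags.append("denied")
    return flags


def triage(lines):
    """Parse one JSON record per line; return (per-bucket flag counts, anonymous public reads)."""
    per_bucket = defaultdict(Counter)
    exposed = []
    for line in lines:
        rec = json.loads(line)
        flags = classify(rec)
        per_bucket[rec.get("bucket_name")].update(flags)
        if "anonymous" in flags and "public-network" in flags:
            exposed.append((rec.get("ctx_request_id"), rec.get("bucket_name"),
                            rec.get("object_name"), rec.get("srcip")))
    return per_bucket, exposed


# Constructed sample records (not real OBS output); only the fields read above are filled in.
_SAMPLES = [
    {"ctx_request_id": "req-1", "srcip": "198.51.100.7", "operation": "GET.OBJECT",
     "bucket_name": "b1", "object_name": "reports/q1.csv", "http_status": "200",
     "transmission_type": "2", "pub_bkt": "false", "pub_obj": "true", "user_id": ""},
    {"ctx_request_id": "req-2", "srcip": "10.0.0.5", "operation": "GET.OBJECT",
     "bucket_name": "b1", "object_name": "reports/q1.csv", "http_status": "200",
     "transmission_type": "1", "pub_bkt": "false", "pub_obj": "false", "user_id": "u-1"},
    {"ctx_request_id": "req-3", "srcip": "203.0.113.9", "operation": "DELETE.OBJECT",
     "bucket_name": "b2", "object_name": "backup.tar", "http_status": "403",
     "transmission_type": "2", "pub_bkt": "false", "pub_obj": "false", "user_id": "u-2"},
    {"ctx_request_id": "req-4", "srcip": "192.0.2.4", "operation": "GET.OBJECT",
     "bucket_name": "b1", "object_name": "img/logo.png", "http_status": "403",
     "transmission_type": "2", "pub_bkt": "false", "pub_obj": "false",
     "huawei_cloud_service": "CDN_F"},
]
SAMPLE_LINES = [json.dumps(r) for r in _SAMPLES]

if __name__ == "__main__":
    per_bucket, exposed = triage(SAMPLE_LINES)
    for bucket, flags in sorted(per_bucket.items()):
        print(bucket, dict(flags))
    print("anonymous public reads:", exposed)
```

A rising "anonymous" count on a bucket that is not meant to be public is the simplest sign of a bucket or object ACL that has drifted; "denied" together with "delete" from one srcip is worth a second look as well.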

sec-nip-attack

Fields in IPS attack logs

Table 5 sec-nip-attack

Field | Type | Description
--- | --- | ---
SyslogId | String | Log serial number (SN).
Vsys | String | Virtual system name.
Policy | String | Name of a security policy.
SrcIp | String | Source IP address of a packet.
DstIp | String | Destination IP address of a packet.
SrcPort | String | Source port of a packet. For an ICMP packet, the value of this field is 0.
DstPort | String | Destination port of a packet. For an ICMP packet, the value of this field is 0.
SrcZone | String | Source security zone of a packet.
DstZone | String | Destination security zone of a packet.
User | String | Username.
Protocol | String | Protocol of the packet detected by a signature.
Application | String | Application that the packet detected by a signature belongs to.
Profile | String | Name of a configuration file.
SignName | String | Name of a signature.
SignId | String | ID of a signature.
EventNum | String | Used for log merging. Whether logs are merged is determined by the merging frequency and conditions. The value is 1 if logs are not merged.
Target | String | Object attacked by the packet detected by a signature: server (the attack object is the server); client (the attack object is the client); both (the attack objects are both the server and the client).
Severity | String | Severity of the attack caused by the packet detected by a signature: information, low, medium, or high.
Os | String | OS attacked by the packet detected by a signature: all (all OSs); android (Android); ios (iOS); unix-like (Unix); windows (Windows); other (other OSs).
Category | String | Threat type of the detected attack packet features.
Action | String | Signature action: Alert or Block.
Reference | String | Reference information about the signature.
Extend | String | Evidence collection field in enhanced mode.

sec-iam-audit

Fields in IAM audit logs

Table 6 sec-iam-audit

Field | Type | Description
--- | --- | ---
uid | String | User ID
un | String | Username
did | String | Domain ID
dn | String | Domain name
src | String | Request domain name
opl | String | Operation level
op | String | Operation type
res | String | IAM service invoking result
ter | String | Source IP address
dtl | String | IAM authentication details
tn | Date | Occurrence time
ts | Long | Timestamp when the IAM service is invoked
tid | String | Trace ID
evnt | String | Incident
tobj | String | Service

sec-hss-vul

Fields in HSS vulnerability scanning results

Table 7 sec-hss-vul

Field | Type | Description
--- | --- | ---
agentUuid | String | Agent UUID.
alarmCsn | String | Alert UUID, which is randomly generated when the master generates an alert.
alarmKey | String | Alert keyword. For an alert, it is the msg_id reported by the transparent transmission agent. For a vulnerability, it is generated by the master.
alarmVersion | String | Agent version.
occurTime | Int64 | Vulnerability detection time (ms).
severity | Int32 | Vulnerability level defined by HSS.
hostUuid | String | UUID of the affected host.
hostName | String | Name of the affected host.
hostIp | String | Communication IP address of the affected host.
ipList | String | List of IP addresses of affected hosts.
cloudId | String | Cloud agent SN.
region | String | Region where the affected host is located.
projectId | String | ID of the affected tenant.
enterpriseProjectId | String | ID of the affected enterprise tenant.
appendInfo | Object | Vulnerability details.

appendInfo

Field | Type | Description
--- | --- | ---
vulId | String | Official vulnerability ID.
type | Int32 | Vulnerability type: 0 (Linux); 1 (Windows); 2 (Web CMS).
repairNecessity | Int32 | Necessity level of vulnerability fixing: 1 (low-risk); 2 and 3 (medium-risk); 4 (high-risk).
status | Int32 | Reserved field.
cve_ids | String | CVE ID list. Use commas (,) to separate CVE IDs.
url | String | URL of the official website where the vulnerability details are available.
vulNameEn | String | Vulnerability name in English.
vulNameCn | String | Vulnerability name in Chinese.
severityLevel | String | Vulnerability severity: Critical, High, Medium, or Low.
descriptionEn | String | Vulnerability description in English.
descriptionCn | String | Vulnerability description in Chinese.
solutionEn | String | Solution description in English.
solutionCn | String | Solution description in Chinese.
repairCmd | String | Fix command.
needBoot | Int32 | Whether to restart the system. The default value is 1, which means not to restart the system.
errorInfo | String | Fix failure cause.
appName | String | Name of the software that has the vulnerability (only for Linux vulnerabilities).
version | String | Version of the software that has the vulnerability (only for Linux vulnerabilities).
createTime | Int64 | First detection time (ms).
updateTime | Int64 | Vulnerability fixing time (ms). The initial value is the same as that of createTime.
agentId | String | UUID of the associated host agent.
projectId | String | ID of the affected tenant.

sec-hss-alarm

Fields in HSS alert logs

Table 8 sec-hss-alarm

Field | Type | Description
--- | --- | ---
agentUuid | String | Agent UUID.
alarmCsn | String | Alert UUID.
alarmKey | String | Alert keyword. For an alert, it is the msg_id reported by the transparent transmission agent. For a vulnerability, it is generated by the master.
alarmVersion | String | Agent version.
occurTime | Long | Incident occurrence time (accurate to millisecond).
severity | Long | Severity.
hostUuid | String | UUID of the affected host.
hostName | String | Name of the affected host.
hostIp | String | Communication IP address of the affected host.
ipList | String | List of IP addresses of affected hosts.
cloudId | String | Cloud agent SN.
region | String | Region where the affected host is located.
projectId | String | ID of the affected tenant.
enterpriseProjectId | String | ID of the affected enterprise tenant.
appendInfo | Object | Alert details.

appendInfo

Field | Type | Description
--- | --- | ---
agent_id | String | Agent ID.
version | String | Incident version.
container_name | String | Container ID (in container security scenarios).
image_name | String | Image name (in container security scenarios).
event_id | String | Incident ID (GUID).
event_name | String | Incident name.
event_classid | String | Unique incident ID.
occur_time | Long | Occurrence time (accurate to second).
recent_time | Long | Last occurrence time (accurate to second).
event_category | Integer | Incident category.
event_type | Integer | Incident type.
event_count | Integer | Number of incidents.
severity | Integer | Severity.
attack_phase | Integer | Attack phase.
attack_tag | Integer | Attack tag.
confidence | Integer | Confidence.
action | Integer | Action.
detect_module | String | Detection module.
report_source | String | Report source.
related_events | String | Related incident ID.
resource_info | Object | Resource information.
network_info | Object | Network information.
app_info | Object | Application information.
system_info | Object | System information.
process_info | List | Process information.
user_info | List | User information.
file_info | List | File information.
geo_info | Object | Geographic information.
malware_info | Object | Malware information.
forensic_info | String | Evidence collection field.
recommendation | String | Handling suggestions.
extend_info | String | Extended incident information.

resource_info

Field | Type | Description
--- | --- | ---
project_id | String | Project ID.
region_name | String | Region name.
vpc_id | String | VPC ID.
host_name | String | Host name.
host_ip | String | Host IP address.
host_id | String | Host ID (ECS ID).
cloud_id | String | Cloud agent SN.
vm_name | String | VM name.
vm_uuid | String | VM UUID.
container_id | String | Container ID.
image_id | String | Image ID.
sys_arch | String | System CPU architecture.
os_bit | String | OS bit version.
os_type | String | OS type.
os_name | String | OS name.
os_version | String | OS version.

network_info

Field | Type | Description
--- | --- | ---
local_address | String | Local address.
local_port | Integer | Local port.
remote_address | String | Remote address.
remote_port | Integer | Remote port.
src_ip | String | Source IP address.
src_port | Integer | Source port.
src_domain | String | Source domain.
dest_ip | String | Destination IP address.
dest_port | Integer | Destination port.
dest_domain | String | Destination domain.
protocol | String | Protocol.
app_protocol | String | Application layer protocol.
flow_direction | String | Flow direction.

app_info

Field | Type | Description
--- | --- | ---
sql | String | Executed SQL statement.
domain_name | String | DNS domain name.
url_path | String | URL.
url_method | String | URL method.
req_refer | String | URL request referrer.
email_subject | String | Email subject.
email_sender | String | Email sender.
email_receiver | String | Email recipient.
email_keyword | String | Email keyword.

process_info

Field | Type | Description
--- | --- | ---
process_name | String | Process name.
process_path | String | Process file path.
process_pid | Integer | Process ID.
process_uid | Integer | Process user ID.
process_username | String | Process username.
process_cmdline | String | Process file command line.
process_filename | String | Process file name.
process_start_time | Long | Process start time.
process_gid | Integer | Process group ID.
process_egid | Integer | Effective process group ID.
process_euid | Integer | Effective process user ID.
parent_process_name | String | Parent process name.
parent_process_path | String | Parent process file path.
parent_process_pid | Integer | Parent process ID.
parent_process_uid | Integer | Parent process user ID.
parent_process_cmdline | String | Parent process file command line.
parent_process_filename | String | Parent process file name.
parent_process_start_time | Long | Parent process start time.
parent_process_gid | Integer | Parent process group ID.
parent_process_egid | Integer | Effective parent process group ID.
parent_process_euid | Integer | Effective parent process user ID.
child_process_name | String | Subprocess name.
child_process_path | String | Subprocess file path.
child_process_pid | Integer | Subprocess ID.
child_process_uid | Integer | Subprocess user ID.
child_process_cmdline | String | Subprocess file command line.
child_process_filename | String | Subprocess file name.
child_process_start_time | Long | Subprocess start time.
child_process_gid | Integer | Subprocess group ID.
child_process_egid | Integer | Effective subprocess group ID.
child_process_euid | Integer | Effective subprocess user ID.
virt_cmd | String | Virtualization command.
virt_process_name | String | Virtualization process name.
escape mode | String | Escape mode.
escape cmd | String | Command executed after the escape.

user_info

Field | Type | Description
--- | --- | ---
user_id | Integer | User ID.
user_gid | Integer | User GID.
user_name | String | Username.
user_group_name | String | User group name.
user_home_dir | String | User home directory.
login_ip | String | User login IP address.
service_type | String | Login service type.
service_port | Integer | Login service port.
login_mode | String | Login mode.
login_lasttime | Long | Last login time of a user.
login_fail_count | Integer | Failed login attempts.
pwd_hash | String | Password hash.
pwd_with_fuzzing | String | Anonymized password.
pwd_used_days | Integer | Password age (days).
pwd_min_days | Integer | Minimum password validity period.
pwd_max_days | Integer | Maximum password validity period.
pwd_warn_left_days | Integer | Advance warning of password expiration (days).

file_info

Field | Type | Description
--- | --- | ---
file_path | String | File path/name.
file_alias | String | File alias.
file_size | Integer | File size.
file_mtime | Long | Time when the file is last modified.
file_atime | Long | Time when the file is last accessed.
file_ctime | Long | Time when the file status last changes.
file_hash | String | File hash value.
file_md5 | String | File MD5 value.
file_sha256 | String | File SHA256 value.
file_type | String | File type.
file_content | String | File content.
file_attr | String | File attribute.
file_operation | String | File operation type.
file_change_attr | String | Old/New attribute.
file_new_path | String | New file path.
file_desc | String | File description.
file_key_word | String | File keyword.
is_dir | Boolean | Whether the file is a directory.
fd_info | String | File handle information.
fd_count | Integer | Number of file handles.

forensic_info

Field | Type | Description
--- | --- | ---
monitor_process | String | Monitoring process.
escape_mode | String | Escape mode.
abnormal_port | String | Abnormal port.

geo_info

Field | Type | Description
--- | --- | ---
src_country | String | Source country/region.
src_city | String | Source city.
src_latitude | Long | Source latitude.
src_longitude | Long | Source longitude.
dest_country | String | Destination country/region.
dest_city | String | Destination city.
dest_latitude | Long | Destination latitude.
dest_longitude | Long | Destination longitude.

malware_info

Field | Type | Description
--- | --- | ---
malware_family | String | Malware family.
malware_class | String | Malware classification.

system_info

Field | Type | Description
--- | --- | ---
pwd_valid | Boolean | Whether the password is valid.
pwd_min_len | Integer | Password length.
pwd_digit_credit | Integer | Digits contained in the password.
pwd_uppercase_letter | Integer | Uppercase letters contained in the password.
pwd_lowercase_letter | Integer | Lowercase letters contained in the password.
pwd_special_characters | Integer | Special characters contained in the password.

extend_info

Field | Type | Description
--- | --- | ---
hit_rule | String | Hit rule.
rule_name | String | Rule name.
rulesetname | String | Rule set name.
report_type | String | Reported data type.

ti_info

Field | Type | Description
--- | --- | ---
ti_source | String | Intelligence source.
ti_class | String | Intelligence classification.
ti_threat_type | String | Intelligence threat type.
ti_first_time | Long | First detection time.
ti_last_time | Long | Last detection time.
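A sec-hss-alarm record nests the fields an analyst pivots on several levels down (appendInfo.process_info, file_info, network_info), mixes millisecond and second timestamps (the top-level occurTime is accurate to the millisecond, appendInfo.occur_time to the second), and carries process_info and file_info as lists rather than single objects. The function below is an added example, not HSS or SecMaster code: it flattens one alert into a small triage dict, rendering each process_info entry as a parent > process > child chain and collecting file hashes and remote addresses for lookup. The sample alert is constructed, and its hash value is a placeholder; field names and types follow the Table 8 entries above.

```python
"""Flatten a sec-hss-alarm record into the handful of triage fields an analyst pivots on."""
from datetime import datetime, timezone


def _iso(ts, unit):
    """Render an epoch timestamp as ISO 8601 UTC; unit is 'ms' or 's'."""
    if ts is None:
        return None
    seconds = ts / 1000 if unit == "ms" else ts
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def process_chain(proc):
    """Render parent > process > child from one process_info entry, skipping absent links."""
    names = (proc.get("parent_process_name"), proc.get("process_name"),
             proc.get("child_process_name"))
    return " > ".join(n for n in names if n)


def triage(alarm):
    """Return a flat dict built from the top-level record and its nested appendInfo."""
    info = alarm.get("appendInfo") or {}
    net = info.get("network_info") or {}
    procs = info.get("process_info") or []   # documented as a list
    files = info.get("file_info") or []      # documented as a list
    return {
        "event_name": info.get("event_name"),
        "host": alarm.get("hostName"),
        "host_ip": alarm.get("hostIp"),
        "severity": alarm.get("severity"),
        "attack_phase": info.get("attack_phase"),
        # occurTime (top level) is in milliseconds; appendInfo.occur_time is in seconds.
        "occurred_at": _iso(alarm.get("occurTime"), "ms"),
        "first_seen": _iso(info.get("occur_time"), "s"),
        "process_chains": [process_chain(p) for p in procs],
        "cmdlines": [p["process_cmdline"] for p in procs if p.get("process_cmdline")],
        "file_hashes": sorted({f[k] for f in files
                               for k in ("file_sha256", "file_md5") if f.get(k)}),
        "remote_addresses": sorted({a for a in (net.get("remote_address"), net.get("dest_ip")) if a}),
        "recommendation": info.get("recommendation"),
    }


# Constructed sample alert (not real HSS output). The SHA256 value is a placeholder.
SAMPLE_ALARM = {
    "agentUuid": "agent-0001", "alarmCsn": "csn-0001", "hostName": "web-01",
    "hostIp": "10.0.0.12", "occurTime": 1713945600000, "severity": 3,
    "appendInfo": {
        "event_name": "Abnormal process behavior", "attack_phase": 2,
        "occur_time": 1713945600, "recent_time": 1713945600,
        "network_info": {"remote_address": "203.0.113.5", "remote_port": 443,
                         "dest_ip": "203.0.113.5"},
        "process_info": [{"parent_process_name": "sshd", "process_name": "bash",
                          "child_process_name": "curl", "process_pid": 4242,
                          "process_cmdline": "bash -c /tmp/update.sh"}],
        "file_info": [{"file_path": "/tmp/update.sh", "file_sha256": "f" * 64}],
        "recommendation": "Review the process and the downloaded file.",
    },
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALARM).items():
        print(f"{key:>17}: {value}")
```

Converting both timestamps to ISO 8601 up front avoids the common mistake of comparing a millisecond occurTime with a second-resolution occur_time and concluding the event is a thousand times older than it is. Every nested lookup tolerates a missing object, since not every event type populates every sub-object.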

sec-hss-log

Fields in HSS security logs

Table 9 sec-hss-log

Field

Type

Description

agentUuid

String

Agent UUID.

alarmCsn

String

Alert UUID.

alarmKey

String

Alert keyword. For an alert, it is the msg_id reported by the transparent transmission agent. For a vulnerability, it is generated by the master.

alarmVersion

String

Agent version.

occurTime

Long

Incident occurrence time (accurate to millisecond).

severity

Long

Severity.

hostUuid

String

UUID of the affected host.

hostName

String

Name of the affected host.

hostIp

String

Communication IP address of the affected host.

ipList

String

List of IP addresses of affected hosts.

cloudId

String

Cloud agent SN.

region

String

Region where the affected host is located.

projectId

String

ID of the affected tenant.

enterpriseProjectId

String

ID of the affected enterprise tenant.

appendInfo

Object

Alert details.

appendInfo

agent_id

String

Agent ID.

version

String

Incident version.

container_name

String

Container ID (in container security scenarios).

image_name

String

Image name (in container security scenarios).

event_id

String

Incident ID (GUID).

event_name

String

Incident name.

event_classid

String

Unique incident ID.

occur_time

Long

Occurrence time (accurate to second).

recent_time

Long

Last occurrence time (accurate to second).

event_category

Integer

Incident category.

event_type

Integer

Incident type.

event_count

Integer

Number of incidents.

severity

Integer

Severity.

attack_phase

Integer

Attack phase.

attack_tag

Integer

Attack tag.

confidence

Integer

Confidence.

action

Integer

Action.

detect_module

String

Detection module.

report_source

String

Report source.

related_events

String

Related incident ID.

resource_info

Object

Resource information.

network_info

Object

Network information.

app_info

Object

Application information.

system_info

Object

System information.

process_info

list

Process information.

user_info

list

User information.

file_info

list

File information.

geo_info

Object

Geographic information.

malware_info

Object

Malware information.

forensic_info

String

Evidence collection field.

recommendation

String

Handling suggestions.

extend_info

String

Extended incident information.

resource_info

project_id

String

Project ID.

region_name

String

Region name.

vpc_id

String

VPC ID.

host_name

String

Host name.

host_ip

String

Host IP address.

host_id

String

Host ID (ECS ID).

cloud_id

String

Cloud agent SN.

vm_name

String

VM name.

vm_uuid

String

VM UUID.

container_id

String

Container ID.

image_id

String

Image ID.

sys_arch

String

System CPU architecture.

os_bit

String

OS bit version.

os_type

String

OS type.

os_name

String

OS name.

os_version

String

OS version.

network_info

local_address

String

Local address.

local_port

Integer

Local port.

remote_address

String

Remote address.

remote_port

Integer

Remote port.

src_ip

String

Source IP address.

src_port

Integer

Source port.

src_domain

String

Source domain.

dest_ip

String

Destination IP address.

dest_port

Integer

Destination port.

dest_domain

String

Destination domain.

protocol

String

Protocol.

app_protocol

String

Application layer protocol.

flow_direction

String

Flow direction.

app_info

sql

String

Executed SQL statement.

domain_name

String

DNS domain name.

url_path

String

URL.

url_method

String

URL method.

req_refer

String

URL request referrer.

email_subject

String

Email subject.

email_sender

String

Email sender.

email_receiver

String

Email recipient.

email_keyword

String

Email keyword.

process_info

process_name

String

Process name.

process_path

String

Process file path.

process_pid

Integer

Process ID.

process_uid

Integer

Process user ID.

process_username

String

Process username.

process_cmdline

String

Process file command line.

process_filename

String

Process file name.

process_start_time

Long

Process start time.

process_gid

Integer

Process group ID.

process_egid

Integer

Effective process group ID.

process_euid

Integer

Effective process user ID.

parent_process_name

String

Parent process name.

parent_process_path

String

Parent process file path.

parent_process_pid

Integer

Parent process ID.

parent_process_uid

Integer

Parent process user ID.

parent_process_cmdline

String

Parent process file command line.

parent_process_filename

String

Parent process file name.

parent_process_start_time

Long

Parent process start time.

parent_process_gid

Integer

Parent process group ID.

parent_process_egid

Integer

Effective parent process group ID.

parent_process_euid

Integer

Effective parent process user ID.

child_process_name

String

Subprocess name.

child_process_path

String

Subprocess file path.

child_process_pid

Integer

Subprocess ID.

child_process_uid

Integer

Subprocess user ID.

child_process_cmdline

String

Subprocess file command line.

child_process_filename

String

Subprocess file name.

child_process_start_time

Long

Subprocess start time.

child_process_gid

Integer

Subprocess group ID.

child_process_egid

Integer

Effective subprocess group ID.

child_process_euid

Integer

Effective subprocess user ID.

virt_cmd

String

Virtualization command.

virt_process_name

String

Virtualization process name.

escape mode

String

Escape mode.

escape cmd

String

Command executed after the escape.

user_info

user_id

Integer

User ID.

user_gid

Integer

User GID.

user_name

String

Username.

user_group_name

String

User group name.

user_home_dir

String

User home directory.

login_ip

String

User login IP address.

service_type

String

Login service type.

service_port

Integer

Login service port.

login_mode

String

Login mode.

login_lasttime

Long

Last login time of a user.

login_fail_count

Integer

Failed login attempts.

pwd_hash

String

Password hash.

pwd_with_fuzzing

String

Anonymized password.

pwd_used_days

Integer

Password age (days).

pwd_min_days

Integer

Minimum password validity period.

pwd_max_days

Integer

Maximum password validity period.

pwd_warn_left_days

Integer

Advance warning of password expiration (days).

file_info

file_path

String

File path/name.

file_alias

String

File alias.

file_size

Integer

File size.

file_mtime

Long

Time when the file is last modified.

file_atime

Long

Time when the file is last accessed.

file_ctime

Long

Time when the file status last changes.

file_hash

String

File hash value.

file_md5

String

File MD5 value.

file_sha256

String

File SHA256 value.

file_type

String

File type.

file_content

String

File content.

file_attr

String

File attribute.

file_operation

String

File operation type.

file_change_attr

String

Old/New attribute.

file_new_path

String

New file path.

file_desc

String

File description.

file_key_word

String

File keyword.

is_dir

Boolean

Whether the file is a directory.

fd_info

String

File handle information.

fd_count

Integer

Number of file handles.

forensic_info

monitor_process

String

Monitoring process.

escape_mode

String

Escape mode.

abnormal_port

String

Abnormal port.

geo_info

src_country

String

Source country/region.

src_city

String

Source city.

src_latitude

Long

Source latitude.

src_longitude

Long

Source longitude.

dest_country

String

Destination country/region.

dest_city

String

Destination city.

dest_latitude

Long

Destination latitude.

dest_longitude

Long

Destination longitude.

malware_info

malware_family

String

Malware family.

malware_class

String

Malware classification.

system_info

pwd_valid

Boolean

Whether the password is valid.

pwd_min_len

Integer

Password length.

pwd_digit_credit

Integer

Digits contained in the password.

pwd_uppercase_letter

Integer

Uppercase letters contained in the password.

pwd_lowercase_letter

Integer

Lowercase letters contained in the password.

pwd_special_characters

Integer

Special characters contained in the password.

extend_info

hit_rule

String

Hit rule.

rule_name

String

Rule name.

rulesetname

String

Rule set name.

report_type

String

Reported data type.

ti_info

ti_source

String

Intelligence source.

ti_class

String

Intelligence classification.

ti_threat_type

String

Intelligence threat type.

ti_first_time

Long

First detection time.

ti_last_time

Long

Last detection time.
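
The following added example (not SecMaster or HSS code) shows how the pwd_* fields above can be turned into findings: the per-account fields (pwd_used_days, pwd_max_days, pwd_warn_left_days) give expired or expiring passwords, and the system_info fields give policy weaknesses. The records are constructed to match the documented field names; user_name and host_name are assumed identifiers, the baseline thresholds are assumptions, and the credit fields are read as "at least one character of that class is required" when the value is 1 or more, which is also an assumption.

```python
"""Checks over the HSS pwd_* fields listed above.

Added example, not SecMaster or HSS code. The records are constructed to
match the documented field names; user_name and host_name are assumed
identifiers, and the baseline values are assumptions to adjust locally.
"""
from dataclasses import dataclass

BASELINE_MIN_LEN = 8       # assumed local policy
BASELINE_MAX_DAYS = 90     # assumed local policy
SHADOW_NO_EXPIRY = 99999   # Linux /etc/shadow default meaning "never expires"

# Constructed account records (pwd_used_days and pwd_*_days are Integer).
ACCOUNTS = [
    {"user_name": "root", "pwd_used_days": 120, "pwd_min_days": 0,
     "pwd_max_days": 90, "pwd_warn_left_days": 7},
    {"user_name": "deploy", "pwd_used_days": 85, "pwd_min_days": 0,
     "pwd_max_days": 90, "pwd_warn_left_days": 7},
    {"user_name": "svc", "pwd_used_days": 400, "pwd_min_days": 0,
     "pwd_max_days": 99999, "pwd_warn_left_days": 7},
]

# Constructed system_info record for one host.
POLICY = {"host_name": "web-01", "pwd_valid": True, "pwd_min_len": 6,
          "pwd_digit_credit": 1, "pwd_uppercase_letter": 0,
          "pwd_lowercase_letter": 1, "pwd_special_characters": 1}

REQUIRED_CLASSES = ("pwd_digit_credit", "pwd_uppercase_letter",
                    "pwd_lowercase_letter", "pwd_special_characters")


@dataclass(frozen=True)
class Finding:
    subject: str
    reason: str


def check_account_password(rec):
    """Findings for one account: never expires, expired, or about to expire."""
    name = rec.get("user_name", "<unknown>")
    used = rec.get("pwd_used_days")
    max_days = rec.get("pwd_max_days")
    warn = rec.get("pwd_warn_left_days") or 0
    findings = []
    if max_days is None or max_days >= SHADOW_NO_EXPIRY:
        findings.append(Finding(name, "password never expires"))
        return findings
    if max_days > BASELINE_MAX_DAYS:
        findings.append(Finding(name, f"pwd_max_days {max_days} exceeds baseline {BASELINE_MAX_DAYS}"))
    if used is not None:
        left = max_days - used
        if left < 0:
            findings.append(Finding(name, f"password expired {-left} days ago"))
        elif left <= warn:
            findings.append(Finding(name, f"password expires in {left} days"))
    return findings


def check_password_policy(rec):
    """Findings for one system_info record against the assumed baseline."""
    host = rec.get("host_name", "<unknown>")
    findings = []
    if not rec.get("pwd_valid"):
        findings.append(Finding(host, "pwd_valid is false"))
    min_len = rec.get("pwd_min_len", 0)
    if min_len < BASELINE_MIN_LEN:
        findings.append(Finding(host, f"pwd_min_len {min_len} below baseline {BASELINE_MIN_LEN}"))
    # Assumption: a value of 1 or more means the policy requires that class.
    for cls in REQUIRED_CLASSES:
        if rec.get(cls, 0) < 1:
            findings.append(Finding(host, f"{cls} not required"))
    return findings


def audit(accounts, policy):
    """All findings for one host: policy first, then each account."""
    findings = check_password_policy(policy)
    for acc in accounts:
        findings.extend(check_account_password(acc))
    return findings


if __name__ == "__main__":
    for f in audit(ACCOUNTS, POLICY):
        print(f"{f.subject}: {f.reason}")
```

The 99999 sentinel matters: an account whose pwd_max_days carries the shadow default is reported as never expiring rather than as "expires in 99599 days", which is what a naive subtraction would produce.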

sec-ddos-attack

Fields in Anti-DDoS attack logs

Table 10 sec-ddos-attack

Field

Type

Description

log_type

String

Log type

time

Date

Local time

device_ip

String

Device IP address

device_type

String

Device type (CLEAN: cleaning device; DETECT: detecting device)

direction

String

Log direction (inbound, outbound)

zone_id

String

Protected object ID

zone_name

String

Protected object name

zone_ip

String

IP address

biz_id

String

Business ID

is_deszone

String

Whether the traffic is network segment traffic (true, false)

is_ipLocation

String

Whether the traffic is geographical location traffic (true, false)

ipLocation_id

String

Geographical location ID

total_pps

String

Total pps

total_kbps

String

Total rate in kbps

tcp_pps

String

Rate of TCP packets to the target (in pps)

tcp_kbps

String

Rate of TCP traffic to the target (in kbps)

tcpfrag_pps

String

Rate of TCP fragments to the target (in pps)

tcpfrag_kbps

String

Rate of TCP fragment traffic to the target (in kbps)

udp_pps

String

Rate of UDP packets to the target (in pps)

udp_kbps

String

Rate of UDP traffic to the target (in kbps)

udpfrag_pps

String

Rate of UDP fragments to the target (in pps)

udpfrag_kbps

String

Rate of UDP fragment traffic to the target (in kbps)

icmp_pps

String

Rate of ICMP packets to the target (in pps)

icmp_kbps

String

Rate of ICMP traffic to the target (in kbps)

other_pps

String

Rate of OTHER packets to the target (in pps)

other_kbps

String

Rate of OTHER traffic to the target (in kbps)

syn_pps

String

Rate of SYN packets to the target (in pps)

synack_pps

String

Rate of SYN/ACK packets to the target (in pps)

ack_pps

String

Rate of ACK packets to the target (in pps)

finrst_pps

String

Rate of FIN/RST packets to the target (in pps)

http_pps

String

Rate of HTTP packets to the target (in pps)

http_kbps

String

Rate of HTTP traffic to the target (in kbps)

http_get_pps

String

Rate of HTTP GET request packets to the target (in pps)

https_pps

String

Rate of HTTPS packets to the target (in pps)

https_kbps

String

Rate of HTTPS traffic to the target (in kbps)

dns_request_pps

String

Rate of DNS Query packets to the target (in pps)

dns_request_kbps

String

Rate of DNS Query traffic to the target (in kbps)

dns_reply_pps

String

Rate of DNS Reply packets to the target (in pps)

dns_reply_kbps

String

Rate of DNS Reply traffic to the target (in kbps)

sip_invite_pps

String

Rate of SIP INVITE packets to the target (in pps)

sip_invite_kbps

String

Rate of SIP INVITE traffic to the target (in kbps)

tcp_increase_con

String

Number of new TCP connections to the target per second

udp_increase_con

String

Number of new UDP connections to the target per second

icmp_increase_con

String

Number of new ICMP connections to the target per second

other_increase_con

String

Number of new OTHER connections to the target per second

tcp_concur_con

String

Number of concurrent TCP connections to the target

udp_concur_con

String

Number of concurrent UDP connections to the target

icmp_concur_con

String

Number of concurrent ICMP connections to the target

other_concur_con

String

Number of concurrent OTHER connections to the target

total_average_pps

String

Average pps of all traffic to the target

total_average_kbps

String

Average kbps of all traffic to the target
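
Every rate field in Table 10 is typed String, so a rule that compares them must convert first: as strings, "9" sorts after "10". The added example below (not Anti-DDoS or SecMaster code) converts the counters and applies four heuristics a SOC would typically derive from these fields: SYNs that dominate TCP traffic without matching ACKs, fragment share of total pps, mean UDP packet size computed from the udp_kbps/udp_pps pair (large packets suggest amplification), and DNS replies arriving far faster than the target sends queries (reflection). The records and every threshold are constructed assumptions, as is the 1 kbps = 1000 bit/s convention used for the packet-size calculation.

```python
"""Heuristics over sec-ddos-attack records (Table 10).

Added example, not Anti-DDoS or SecMaster code. Rate fields are String in
the table and are converted before arithmetic. Records and thresholds are
constructed assumptions.
"""

# Constructed records; only the fields the heuristics read are filled in.
SAMPLES = [
    {"zone_ip": "203.0.113.10", "direction": "inbound", "device_type": "DETECT",
     "total_pps": "250000", "tcp_pps": "240000", "syn_pps": "230000",
     "synack_pps": "100", "ack_pps": "8000", "tcpfrag_pps": "0",
     "udp_pps": "0", "udp_kbps": "0", "udpfrag_pps": "0",
     "dns_request_pps": "0", "dns_reply_pps": "0"},
    {"zone_ip": "203.0.113.11", "direction": "inbound", "device_type": "DETECT",
     "total_pps": "96000", "tcp_pps": "100", "syn_pps": "20",
     "synack_pps": "20", "ack_pps": "60", "tcpfrag_pps": "0",
     "udp_pps": "50000", "udp_kbps": "480000", "udpfrag_pps": "40000",
     "dns_request_pps": "200", "dns_reply_pps": "45000"},
    {"zone_ip": "203.0.113.12", "direction": "inbound", "device_type": "DETECT",
     "total_pps": "6000", "tcp_pps": "5000", "syn_pps": "300",
     "synack_pps": "280", "ack_pps": "4000", "tcpfrag_pps": "10",
     "udp_pps": "900", "udp_kbps": "720", "udpfrag_pps": "0",
     "dns_request_pps": "50", "dns_reply_pps": "48"},
]


def rate(rec, field):
    """String-typed counter to float; missing, blank or malformed values count as 0."""
    try:
        return float(rec.get(field) or 0)
    except ValueError:
        return 0.0


def avg_packet_bytes(kbps, pps):
    """Mean packet size derived from a kbps/pps pair (assumes 1 kbps = 1000 bit/s)."""
    return kbps * 1000 / 8 / pps if pps > 0 else 0.0


def classify(rec, syn_min_pps=10000, syn_share=0.6, frag_share=0.3,
             amp_min_pps=1000, amp_min_bytes=1000, dns_min_pps=1000, dns_ratio=2.0):
    """Return the heuristic labels that apply to one record, in a fixed order."""
    labels = []
    syn, ack, tcp = rate(rec, "syn_pps"), rate(rec, "ack_pps"), rate(rec, "tcp_pps")
    # SYN flood: SYNs are most of the TCP traffic and are not matched by ACKs.
    if syn >= syn_min_pps and syn >= syn_share * tcp and syn > 3 * ack:
        labels.append("syn_flood")
    # Fragment flood: fragments are a large share of everything reaching the target.
    total = rate(rec, "total_pps")
    frags = rate(rec, "tcpfrag_pps") + rate(rec, "udpfrag_pps")
    if total > 0 and frags / total >= frag_share:
        labels.append("fragment_flood")
    # UDP amplification: high packet rate with unusually large mean packet size.
    udp = rate(rec, "udp_pps")
    if udp >= amp_min_pps and avg_packet_bytes(rate(rec, "udp_kbps"), udp) >= amp_min_bytes:
        labels.append("udp_amplification")
    # DNS reflection: replies the target never asked for.
    replies, queries = rate(rec, "dns_reply_pps"), rate(rec, "dns_request_pps")
    if replies >= dns_min_pps and replies > dns_ratio * max(queries, 1):
        labels.append("dns_reflection")
    return labels


def summarize(records):
    """zone_ip -> labels for every record that matched at least one heuristic."""
    return {r["zone_ip"]: classify(r) for r in records if classify(r)}


if __name__ == "__main__":
    for zone, labels in summarize(SAMPLES).items():
        print(zone, ", ".join(labels))
```

A DETECT record and a CLEAN record for the same zone_ip describe the same attack from two devices, so deduplicate on (zone_ip, time) before counting alerts.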

sec-cts-audit

Fields in CTS logs

Table 11 sec-cts-audit

Field

Type

Description

time

Date

Time when an incident occurs. The value is the local standard time (GMT+local time zone), for example, 2022/11/08 11:24:04 GMT+08:00.

user

Object

Cloud account used to perform the recorded operation.

request

Object

Requested operation.

response

Object

Response to the request.

service_type

String

Operation source.

resource_type

String

Resource type.

resource_name

String

Resource name.

resource_id

String

Unique resource ID.

source_ip

String

IP address of the user who performs an operation. The value of this parameter is empty if the operation is triggered by the system.

trace_name

String

Operation name.

trace_rating

String

Level of an operation incident. The options are as follows:

  • normal: The operation succeeded.
  • warning: The operation failed.
  • incident: The operation caused a serious consequence, for example, a node failure or service interruption.

trace_type

String

Operation type. The options are as follows:

  • ConsoleAction: operations performed on the management console
  • SystemAction: operations triggered by system
  • ApiCall: operations triggered by calling APIs through API Gateway
  • ObsSDK: operations on OBS buckets, which were triggered by calling OBS SDKs
  • Others: operations on OBS buckets except those triggered by calling OBS SDKs

api_version

String

API version of the cloud service on which an operation was performed.

message

Object

Supplementary information.

record_time

Long

Time when the operation was recorded, in the form of a timestamp.

trace_id

String

Unique operation ID.

code

Integer

HTTP return code, for example, 200 or 400.

request_id

String

Request ID.

location_info

String

Additional information required for fault locating after a request error.

endpoint

String

Endpoint of the page that displays details of cloud resources involved in this operation.

resource_url

String

Access link (excluding the endpoint) of the page that displays details of cloud resources involved in this operation.

user_agent

String

Type of OBS bucket-related operations that are not invoked using OBS SDKs.

content_length

Long

Length of the request body for performing operations on OBS buckets.

total_time

Long

Response time of the request in OBS bucket-related operations.
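
Three of the fields in Table 11 carry most of the detection value: trace_rating (warning for a failed operation), source_ip (empty for SystemAction, so it cannot be used to group system-triggered traces), and trace_name. The added example below (not CTS or SecMaster code) runs over constructed JSON records that carry only the fields it reads, lists failed and sensitive operations, and flags a (user, source_ip) pair whose run of consecutive failures is followed by a success, which is what a credential-guessing attempt that finally worked looks like in CTS. The "name" key inside the user object, the trace names, and the threshold are assumptions.

```python
"""Detections over sec-cts-audit records (Table 11).

Added example, not CTS or SecMaster code. The JSON lines are constructed
and carry only the fields the functions read; the "name" key inside the
user object, the trace names, and the burst threshold are assumptions.
"""
import json
from collections import Counter

# Assumed trace names worth an alert whatever the outcome.
SENSITIVE_TRACES = {"createAccessKey", "createUser", "updateAgency", "deleteTracker"}

# Constructed records; t-7 is deliberately out of time order in the list.
CTS_LINES = [
    '{"record_time": 1713924001000, "user": {"name": "alice"}, "source_ip": "203.0.113.7",'
    ' "trace_name": "createAccessKey", "trace_rating": "normal", "trace_type": "ApiCall",'
    ' "code": 201, "trace_id": "t-1"}',
    '{"record_time": 1713924002000, "user": {"name": "bob"}, "source_ip": "198.51.100.9",'
    ' "trace_name": "login", "trace_rating": "warning", "trace_type": "ConsoleAction",'
    ' "code": 401, "trace_id": "t-2"}',
    '{"record_time": 1713924003000, "user": {"name": "bob"}, "source_ip": "198.51.100.9",'
    ' "trace_name": "login", "trace_rating": "warning", "trace_type": "ConsoleAction",'
    ' "code": 401, "trace_id": "t-3"}',
    '{"record_time": 1713924004000, "user": {"name": "bob"}, "source_ip": "198.51.100.9",'
    ' "trace_name": "login", "trace_rating": "warning", "trace_type": "ConsoleAction",'
    ' "code": 401, "trace_id": "t-4"}',
    '{"record_time": 1713924005000, "user": {"name": "bob"}, "source_ip": "198.51.100.9",'
    ' "trace_name": "login", "trace_rating": "normal", "trace_type": "ConsoleAction",'
    ' "code": 200, "trace_id": "t-5"}',
    '{"record_time": 1713924006000, "user": {"name": ""}, "source_ip": "",'
    ' "trace_name": "autoRecovery", "trace_rating": "warning", "trace_type": "SystemAction",'
    ' "code": 500, "trace_id": "t-6"}',
    '{"record_time": 1713924000000, "user": {"name": "alice"}, "source_ip": "203.0.113.7",'
    ' "trace_name": "listUsers", "trace_rating": "normal", "trace_type": "ApiCall",'
    ' "code": 200, "trace_id": "t-7"}',
]


def load(lines):
    """Parse the records and order them by record_time so streaks are sequential."""
    recs = [json.loads(line) for line in lines]
    recs.sort(key=lambda r: r["record_time"])
    return recs


def actor(rec):
    """(user name, source IP); system-triggered traces have an empty source_ip."""
    return (rec.get("user", {}).get("name") or "<system>", rec.get("source_ip") or "")


def failed_operations(recs):
    """Traces whose operation failed or caused a serious consequence."""
    return [r for r in recs if r["trace_rating"] in ("warning", "incident")]


def sensitive_operations(recs):
    """Traces whose operation name is on the assumed sensitive list."""
    return [r for r in recs if r["trace_name"] in SENSITIVE_TRACES]


def guessing_successes(recs, threshold=3):
    """(user, ip) pairs whose run of >= threshold consecutive failed traces
    ends with a successful one. Traces without a source_ip are ignored."""
    streak = Counter()
    hits = []
    for r in recs:
        key = actor(r)
        if not key[1]:
            continue
        if r["trace_rating"] == "warning":
            streak[key] += 1
            continue
        if streak[key] >= threshold:
            hits.append((key, streak[key], r["trace_name"]))
        streak[key] = 0
    return hits


if __name__ == "__main__":
    recs = load(CTS_LINES)
    print(len(failed_operations(recs)), "failed operations")
    for key, n, trace in guessing_successes(recs):
        print(f"{key[0]}@{key[1]}: {n} failures then {trace} succeeded")
```

Sort on record_time rather than on the order of delivery; the streak logic only means something when the traces are in sequence.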

sec-cfw-risk

Fields in CFW attack event logs

Table 12 sec-cfw-risk

Field

Type

Description

event_time

Date

Attack time

action

String

Response action of CFW

  • permit
  • deny

app

String

Application type

attack_rule

String

Defense rule that works for the detected attack

attack_rule_id

String

ID of the defense rule that works for the detected attack

attack_type

String

Type of the attack

  • Vulnerability exploit
  • Vulnerability scan
  • Trojan
  • Worms
  • Phishing
  • Web attacks
  • Application DDoS
  • Buffer overflow
  • Password attacks
  • Mail
  • Access control
  • Hacking tools
  • Hijacking
  • Protocol exception
  • Spam
  • Spyware
  • DDoS flood
  • Suspicious DNS activities
  • Other suspicious behaviors

dst_ip

String

Destination IP address

dst_port

String

Destination port number

packet

String

Original data packet of the attack log

protocol

String

Protocol type

level

String

Level of detected threats

  • CRITICAL
  • HIGH
  • MIDDLE
  • LOW

source

String

Defense for the detected attack

  • 0: basic defense
  • 1: virtual patch

src_ip

String

Source IP address

src_port

String

Source port number

direction

String

Flow direction

  • out2in: inbound
  • in2out: outbound

sec-cfw-flow

Fields in CFW traffic logs

Table 13 sec-cfw-flow

Field

Type

Description

app

String

Application type

dst_ip

String

Destination IP address

dst_port

String

Destination port number

end_time

Date

Flow end time

protocol

String

Protocol type

to_c_bytes

String

Number of bytes sent from the server to the client

to_c_pkts

String

Number of packets sent from the server to the client

to_s_bytes

String

Number of bytes sent from the client to the server

to_s_pkts

String

Number of packets sent from the client to the server

src_ip

String

Source IP address

src_port

String

Source port number

start_time

Date

Flow start time
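
Because to_s_bytes and to_c_bytes are recorded per flow, the ratio between them separates uploads from downloads without any payload inspection. The added example below (not CFW or SecMaster code) converts the String counters of Table 13, flags flows that push a large, lopsided volume from an internal client to an external server, and totals uploaded bytes per external destination so that a session split across many flows still shows up. The records are constructed; the thresholds, and the use of the RFC 1918 ranges to decide what counts as internal, are assumptions.

```python
"""Upload-heavy flows in sec-cfw-flow records (Table 13).

Added example, not CFW or SecMaster code. Byte and packet counters are
String in the table and are converted before use. Records, thresholds
and the internal-range definition are assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumed definition of "internal": the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (all counters are strings, as in the table).
FLOWS = [
    {"src_ip": "10.0.1.5", "src_port": "50312", "dst_ip": "203.0.113.40", "dst_port": "443",
     "protocol": "TCP", "app": "HTTPS", "to_s_bytes": "52428800", "to_s_pkts": "36000",
     "to_c_bytes": "81920", "to_c_pkts": "1200"},
    {"src_ip": "10.0.1.5", "src_port": "50320", "dst_ip": "10.0.2.8", "dst_port": "3306",
     "protocol": "TCP", "app": "MySQL", "to_s_bytes": "90000000", "to_s_pkts": "61000",
     "to_c_bytes": "1000", "to_c_pkts": "20"},
    {"src_ip": "10.0.1.9", "src_port": "41002", "dst_ip": "198.51.100.20", "dst_port": "443",
     "protocol": "TCP", "app": "HTTPS", "to_s_bytes": "4000", "to_s_pkts": "40",
     "to_c_bytes": "2500000", "to_c_pkts": "1800"},
    {"src_ip": "10.0.1.5", "src_port": "50340", "dst_ip": "203.0.113.40", "dst_port": "443",
     "protocol": "TCP", "app": "HTTPS", "to_s_bytes": "20000000", "to_s_pkts": "14000",
     "to_c_bytes": "100000", "to_c_pkts": "900"},
    {"src_ip": "10.0.1.12", "src_port": "39911", "dst_ip": "203.0.113.55", "dst_port": "22",
     "protocol": "TCP", "app": "SSH", "to_s_bytes": "900000", "to_s_pkts": "1500",
     "to_c_bytes": "30000", "to_c_pkts": "400"},
]


def to_int(value):
    """String counter to int; missing or blank values count as 0."""
    return int(value) if value not in (None, "") else 0


def is_internal(ip):
    """True when the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def upload_heavy_flows(flows, min_upload=10_000_000, ratio=5.0):
    """Flows from an internal client to an external server where the client
    sent at least min_upload bytes and at least ratio times what it received."""
    hits = []
    for f in flows:
        up, down = to_int(f["to_s_bytes"]), to_int(f["to_c_bytes"])
        if is_internal(f["src_ip"]) and not is_internal(f["dst_ip"]) \
                and up >= min_upload and up >= ratio * max(down, 1):
            hits.append((f["src_ip"], f["dst_ip"], f["dst_port"], up))
    return hits


def upload_by_destination(flows):
    """Total client-to-server bytes per external destination across all flows."""
    totals = defaultdict(int)
    for f in flows:
        if not is_internal(f["dst_ip"]):
            totals[f["dst_ip"]] += to_int(f["to_s_bytes"])
    return dict(totals)


if __name__ == "__main__":
    for src, dst, port, up in upload_heavy_flows(FLOWS):
        print(f"{src} -> {dst}:{port} uploaded {up} bytes")
    print(upload_by_destination(FLOWS))
```

The internal-to-internal flow with 90 MB uploaded is ignored on purpose; whether east-west transfers of that size deserve an alert is a separate rule with its own thresholds.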

sec-cfw-block

Fields in CFW access control logs

Table 14 sec-cfw-block

Field

Type

Description

hit_time

Date

Time of access

action

String

Response action of CFW

  • permit
  • deny

app

String

Application type

dst_ip

String

Destination IP address

dst_port

String

Destination port number

protocol

String

Protocol type

rule_id

String

ID of the triggering rule

src_ip

String

Source IP address

src_port

String

Source port number

sec-apig-access

Fields in API Gateway access logs

Table 15 sec-apig-access

Field

Type

Description

region_id

String

Site.

api_id

String

API ID.

body_bytes_sent

String

Response body size.

bytes_sent

String

Size of the entire response.

domain

String

Public network domain name.

errorType

String

Status of request throttling. Value 1 indicates that request throttling is enabled.

http_user_agent

String

User-Agent request header.

http_x_forwarded_for

String

X-Forwarded-For header.

opsuba_api_url

String

Request URI.

out_times

String

Time required for interaction between the gateway and peripheral components.

remote_addr

String

IP address of the client connecting to the gateway.

request_id

String

Request ID.

request_length

String

Size of the entire request.

request_method

String

HTTP request method.

request_time

String

Total request processing time.

scheme

String

Protocol.

server_protocol

String

Request protocol.

status

String

HTTP response status code.

time_local

Date

Time.

upstream_addr

String

Address of the backend (upstream) server.

upstream_connect_time

String

Time taken to establish the connection to the backend.

upstream_header_time

String

Time taken to receive the response header from the backend.

upstream_response_time

String

Time taken to receive the full response from the backend.

upstream_status

String

HTTP status code returned by the backend.

upstream_uri

String

Request backend URI.

user_name

String

Project ID or app ID of the user.

sec-dbss-alarm

Fields in DBSS alert logs

Table 16 sec-dbss-alarm

Field

Type

Description

domain_id

String

Account ID

project_id

String

Project ID

region

String

Region

tenant_vpc_id

String

VPC ID of the tenant

tenant_subnet_id

String

Subnet ID of the tenant

instance_id

String

Instance ID

instance_name

String

Instance name

alarm

Object

Alert object

source_type

String

Data source. The value is DBSS.

alarm

alarm_risk

String

Severity

client_ip

String

Connection IP address

database_ip

String

IP address for accessing the database

count

Long

Number of alerts

user_name

String

Database username

schema

String

Oracle schema

rule_name

String

Rule name

rule_id

String

Rule ID

sql_type

String

SQL execution type

sql_result

String

SQL execution result

db_type

String

Database type

sec-dsc-alarm

The reserved fields in DSC alert logs vary depending on the log types.

Table 17 AK SK leakage (aksk_leakage)

Field

Type

Description

log_type

String

Alert type

region_id

String

Region

domain_id

String

Account ID

project_id

String

Project ID

leakage_ak

String

Leaked access key (AK)

source

String

Leakage source

find_time

String

Discovery time

account

String

Account name

file_name

String

File name

file_suffix

String

File name extension

leakage_user_id

String

Sub-user ID of the leakage

leakage_user_name

String

Sub-username of the leakage

leakage_domain_id

String

Leaked account ID

leakage_domain_name

String

Leaked account name

url

String

Website URL of the leakage

Table 18 Risky OBS bucket files (obs_risk)

Field

Type

Description

log_type

String

Alert type

region_id

String

Region

domain_id

String

Account ID

project_id

String

Project ID

bucket_policy

String

Bucket policy (public bucket or private bucket)

bucket_domain_id

String

ID of the account that the bucket belongs to

bucket_project_id

String

ID of the project to which the bucket belongs

bucket_name

String

Bucket name

file_name

String

File name

file_path

String

File path

risk_level

Integer

Sensitive risk level

sensitive_data_type

String[]

Sensitive data type

privacy_detail

String

Personal privacy data details

file_type

String

File type

mimetypes

String

MIME type of the file

rule_list

List<Map<String,String>>

List of matched rules

keyword

String

Keyword for matching sensitive data rules

available_zone

String

AZ

encrypted

String

Whether the file is encrypted

Table 19 Sensitive data fields (db_risk)

Field

Type

Description

log_type

String

Alert type

region_id

String

Region

domain_id

String

Account ID

project_id

String

Project ID

vpc_id

String

VPC ID

db_instance_id

String

Database instance ID

db_instance_type

String

Database instance type (for example, RDS PUB)

db_instance_ip

String

IP address of the database instance

db_instance_domain_id

String

ID of the account that the database instance belongs to

db_instance_project_id

String

ID of the project to which the database instance belongs

db_instance_name

String

Database instance name

db_name

String

Database name

table_name

String

Table name

field_name

String

Field name

data_type

String

Field data type

risk_level

Integer

Sensitive risk level

sensitive_data_type

String[]

Sensitive data type

privacy_detail

String

Personal privacy data details

rule_list

List<Map<String,String>>

List of matched rules

keyword

String

Keyword for matching sensitive data rules