
Configuration Manual for the "Alibaba Cloud-TDS Logs" Collector

Before reading this, please first read:

Before using this collector, you must install the "Integration Core Package" and its corresponding third-party dependency packages.

1. Configuration Structure

No configuration is required for this collector.

2. Data Reporting Format

After data synchronization is successful, the data can be viewed in the "LOG" section of TrueWatch.

An example of reported data is as follows:

Security Alert Processing

```json
{
  "measurement": "aliyun_susp_events",
  "tags": {
    "DataSource"      : "aegis_suspicious_event",
    "Uuid"            : "aa7f688e-a0ce-xxxxx-xxxx-e45016921596",
    "InstanceName"    : "atlassian-worker-01",
    "InstanceId"      : "i-bp1c0if9xxxxx5bz2zzzm",
    "EventStatus"     : "1",
    "SaleVersion"     : "1",
    "OperateErrorCode": "",
    "Level"           : "suspicious",
    "Id"              : "1747604"
  },
  "fields": {
    "InternetIp"     : "114.55.164.217",
    "IntranetIp"     : "192.168.196.153",
    "LastTime"       : "2022-05-30 10:43:49",
    "OperateMsg"     : "",
    "CanBeDealOnLine": false,
    "Details"        : "[{JSON data of suspicious event details},]",
    "Name"           : "Process abnormal behavior - Suspicious Linux command sequence",
    "message"        : "{JSON instance data}"
  }
}
```

Descriptions of some parameters are as follows:

| Field | Type | Description |
| --- | --- | --- |
| EventStatus | str | Status of the suspicious event. Values: 1: PENDING (pending); 2: IGNORE (ignored); 4: HANDLED (confirmed); 8: FAULT (marked as false alarm); 6: DEALING (in progress); 32: DONE (completed); 64: EXPIRE (expired) |
| SaleVersion | str | Product selling version supported by the suspicious event detection. Values: 0: Basic version; 1: Enterprise version |

The keys under tags and fields may change in subsequent updates.

fields.message and fields.Details are strings serialized in JSON format.

Baseline Check

```json
{
  "measurement": "aliyun_baseline_detection",
  "tags": {
    "RiskId"      : "92",
    "SubTypeAlias": "Alibaba Cloud Standard - Docker Security Baseline Check",
    "TypeAlias"   : "Container Security",
    "RiskName"    : "Alibaba Cloud Standard - Docker Security Baseline Check",
    "Level"       : "high"
  },
  "fields": {
    "LowWarningCount"    : 0,
    "MediumWarningCount" : 3,
    "HighWarningCount"   : 3,
    "LastFoundTime"      : "2022-06-17 03:56:13",
    "WarningMachineCount": 4,
    "CheckCount"         : 17,
    "message"            : "{JSON instance data}"
  }
}
```

The keys under tags and fields may change in subsequent updates.

fields.message is a string serialized in JSON format.

Vulnerability Management

```json
{
  "measurement": "aliyun_vulnerability",
  "tags": {
    "InstanceId"  : "i-bp109znurxxxxmy5pcd",
    "InstanceName": "invest-staging-node:xxx",
    "Level"       : "serious",
    "Necessity"   : "asap",
    "RegionId"    : "cn-hangzhou",
    "Type"        : "sca",
    "Uuid"        : "e44fce33-fc07-xxxx-xxxx-511ed6f89bf4"
  },
  "fields": {
    "PrimaryId"  : 1050099807,
    "Name"       : "SCA:AVD-2022-1243027",
    "Tag"        : "1fc12eb00e9cf1d28ba415bfcd74b7d9",
    "Status"     : 1,
    "AliasName"  : "fastjson <= 1.2.80 Deserialization Arbitrary Code Execution Vulnerability",
    "AuthVersion": 3,
    "GroupId"    : 20553,
    "InternetIp" : "",
    "IntranetIp" : "10.0.xxx.152",
    "message"    : "{JSON instance data}"
  }
}
```

The keys under tags and fields may change in subsequent updates.

fields.message is a string serialized in JSON format.

Descriptions of some parameters are as follows:

| Field | Type | Description |
| --- | --- | --- |
| Status | integer | Vulnerability status. Values: 1: Not fixed; 2: Fix failed; 3: Rollback failed; 4: Fixing; 5: Rolling back; 6: Verifying; 7: Fixed successfully; 8: Fixed successfully awaiting restart; 9: Rollback successful; 10: Ignored; 11: Rollback successful awaiting restart; 12: Vulnerability not exist; 20: Expired |
| AuthVersion | str | Authorization version of assets. Values: 1: Free version; 6: Antivirus version; 5: Advanced version; 3: Enterprise version; 7: Flagship version; 10: Independent purchase version |
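The following is an added example, not part of this manual or the collector's own code: it consumes records in the three reporting formats above (security alerts, baseline checks, vulnerabilities), decodes the JSON-serialized string fields, and translates the numeric EventStatus and Status codes from the two parameter tables into labels so that records needing attention can be picked out. The sample records, the "needs attention" rules, and the SCA name are constructed for illustration.

```python
import json

# Status code tables transcribed from this manual's parameter tables.
EVENT_STATUS = {"1": "PENDING", "2": "IGNORE", "4": "HANDLED", "8": "FAULT",
                "6": "DEALING", "32": "DONE", "64": "EXPIRE"}
VULN_STATUS = {1: "Not fixed", 2: "Fix failed", 3: "Rollback failed", 4: "Fixing",
               5: "Rolling back", 6: "Verifying", 7: "Fixed successfully",
               8: "Fixed successfully awaiting restart", 9: "Rollback successful",
               10: "Ignored", 11: "Rollback successful awaiting restart",
               12: "Vulnerability not exist", 20: "Expired"}
OPEN_VULN = {"Not fixed", "Fix failed", "Rollback failed"}

def decode_json_field(value):
    """fields.message / fields.Details are JSON serialized into a string.
    Return the parsed object, or None if it is not valid JSON (the manual's
    "{JSON instance data}" placeholder, for example, is not)."""
    if not isinstance(value, str):
        return value
    try:
        return json.loads(value)
    except json.JSONDecodeError:
        return None

def triage(record):
    """Return (measurement, human-readable status, needs_attention) for one record.
    The needs_attention rules are an assumption for this example."""
    m = record.get("measurement")
    tags, fields = record.get("tags", {}), record.get("fields", {})
    if m == "aliyun_susp_events":  # EventStatus is a string tag
        label = EVENT_STATUS.get(str(tags.get("EventStatus")), "UNKNOWN")
        return m, label, label in ("PENDING", "DEALING")
    if m == "aliyun_vulnerability":  # Status is an integer field
        label = VULN_STATUS.get(fields.get("Status"), "Unknown")
        urgent = tags.get("Level") == "serious" and tags.get("Necessity") == "asap"
        return m, label, label in OPEN_VULN and urgent
    if m == "aliyun_baseline_detection":
        high = int(fields.get("HighWarningCount", 0))
        return m, f"{high} high-risk warnings", high > 0
    return m, "unsupported measurement", False

# Constructed sample records shaped like the manual's examples (not real data).
SAMPLES = [
    {"measurement": "aliyun_susp_events", "tags": {"EventStatus": "1"},
     "fields": {"Details": json.dumps([{"Type": "command", "Value": "redacted"}])}},
    {"measurement": "aliyun_vulnerability", "tags": {"Level": "serious", "Necessity": "asap"},
     "fields": {"Status": 1, "Name": "SCA:EXAMPLE-0000"}},
    {"measurement": "aliyun_baseline_detection", "tags": {"Level": "high"},
     "fields": {"HighWarningCount": 0, "message": "{JSON instance data}"}},
]
```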

X. Appendix

Alibaba Cloud - Cloud Security Center «Documentation»

Please refer to the official Alibaba Cloud documentation: