Collector 'Alibaba Cloud-TDS Logs' Configuration Manual
Before reading this document, please read:
Tip
Before using this collector, you must install the 'Integration Core Package' and its accompanying third-party dependencies.
1. Configuration Structure
This collector does not require any configuration.
2. Data Reporting Format
After data is successfully synchronized, you can view the data in the 'LOG' section of TrueWatch.
An example of the reported data is as follows:
Security Alert Handling
{
    "measurement": "aliyun_susp_events",
    "tags": {
        "DataSource": "aegis_suspicious_event",
        "Uuid": "aa7f688e-a0ce-xxxxx-xxxx-e45016921596",
        "InstanceName": "atlassian-worker-01",
        "InstanceId": "i-bp1c0if9xxxxx5bz2zzzm",
        "EventStatus": "1",
        "SaleVersion": "1",
        "OperateErrorCode": "",
        "Level": "suspicious",
        "Id": "1747604"
    },
    "fields": {
        "InternetIp": "114.55.164.217",
        "IntranetIp": "192.168.196.153",
        "LastTime": "2022-05-30 10:43:49",
        "OperateMsg": "",
        "CanBeDealOnLine": false,
        "Details": "[{Details of the abnormal event in JSON format},]",
        "Name": "Process Abnormal Behavior-Linux Suspicious Command Sequence",
        "message": "{Instance JSON data}"
    }
}
Some parameter descriptions are as follows:
Field | Type | Description |
---|---|---|
EventStatus | str | The status of the abnormal event. Possible values: 1: PENDING (Pending); 2: IGNORE (Ignored); 4: HANDLED (Confirmed); 8: FAULT (Marked as False Positive); 6: DEALING (Processing); 32: DONE (Completed); 64: EXPIRE (Expired) |
SaleVersion | str | The product version supported by the abnormal event detection. Possible values: 0: Basic Version; 1: Enterprise Version |
Note
The fields in tags and fields may change with subsequent updates.
Tip
fields.message and fields.Details are JSON-serialized strings.
Baseline Check
{
    "measurement": "aliyun_baseline_detection",
    "tags": {
        "RiskId": "92",
        "SubTypeAlias": "Alibaba Cloud Standard-Docker Security Baseline Check",
        "TypeAlias": "Container Security",
        "RiskName": "Alibaba Cloud Standard-Docker Security Baseline Check",
        "Level": "high"
    },
    "fields": {
        "LowWarningCount": 0,
        "MediumWarningCount": 3,
        "HighWarningCount": 3,
        "LastFoundTime": "2022-06-17 03:56:13",
        "WarningMachineCount": 4,
        "CheckCount": 17,
        "message": "{Instance JSON data}"
    }
}
Note
The fields in tags and fields may change with subsequent updates.
Tip
fields.message is a JSON-serialized string.
Vulnerability Management
{
    "measurement": "aliyun_vulnerability",
    "tags": {
        "InstanceId": "i-bp109znurxxxxmy5pcd",
        "InstanceName": "invest-staging-node:xxx",
        "Level": "serious",
        "Necessity": "asap",
        "RegionId": "cn-hangzhou",
        "Type": "sca",
        "Uuid": "e44fce33-fc07-xxxx-xxxx-511ed6f89bf4"
    },
    "fields": {
        "PrimaryId": 1050099807,
        "Name": "SCA:AVD-2022-1243027",
        "Tag": "1fc12eb00e9cf1d28ba415bfcd74b7d9",
        "Status": 1,
        "AliasName": "fastjson <= 1.2.80 Deserialization Arbitrary Code Execution Vulnerability",
        "AuthVersion": 3,
        "GroupId": 20553,
        "InternetIp": "",
        "IntranetIp": "10.0.xxx.152",
        "message": "{Instance JSON data}"
    }
}
Note
The fields in tags and fields may change with subsequent updates.
Tip
fields.message is a JSON-serialized string.
Some parameter descriptions are as follows:
Field | Type | Description |
---|---|---|
Status | integer | The status of the vulnerability. Possible values: 1: Not Fixed; 2: Fix Failed; 3: Rollback Failed; 4: Fixing; 5: Rolling Back; 6: Verifying; 7: Fix Successful; 8: Fix Successful, Restart Pending; 9: Rollback Successful; 10: Ignored; 11: Rollback Successful, Restart Pending; 12: Vulnerability Not Found; 20: Expired |
AuthVersion | str | The authorized version of the asset. Possible values: 1: Free Version; 6: Anti-Virus Version; 5: Advanced Version; 3: Enterprise Version; 7: Ultimate Version; 10: Independently Purchased Version |
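As an added example (not part of this manual and not the collector's own code), the following Python helper maps the EventStatus codes of the security alert table and the Status codes of the vulnerability table above to their labels, decodes the JSON-serialized fields.Details / fields.message strings, and flags records that still need handling. Which statuses count as "open", and the sample record, are this example's own assumptions.

```python
import json

# Status labels from the tables above. tags.EventStatus is reported as a
# string, fields.Status as an integer, so the two maps use different key types.
EVENT_STATUS = {"1": "PENDING", "2": "IGNORE", "4": "HANDLED", "8": "FAULT",
                "6": "DEALING", "32": "DONE", "64": "EXPIRE"}
VULN_STATUS = {1: "Not Fixed", 2: "Fix Failed", 3: "Rollback Failed", 4: "Fixing",
               5: "Rolling Back", 6: "Verifying", 7: "Fix Successful",
               8: "Fix Successful, Restart Pending", 9: "Rollback Successful",
               10: "Ignored", 11: "Rollback Successful, Restart Pending",
               12: "Vulnerability Not Found", 20: "Expired"}
# Which statuses still need an operator's attention is this example's own choice.
OPEN_EVENT = {"PENDING", "DEALING"}
OPEN_VULN = {"Not Fixed", "Fix Failed", "Rollback Failed"}

def decode_json_field(fields, name):
    """fields.message and fields.Details are JSON-serialized strings; return
    the parsed value, or None when the field is missing or not valid JSON."""
    raw = fields.get(name)
    if not isinstance(raw, str):
        return None
    try:
        return json.loads(raw)
    except ValueError:
        return None

def triage(record):
    """Label one reported record and flag whether it is still open.
    Returns None for measurements this example does not handle."""
    tags, fields = record.get("tags", {}), record.get("fields", {})
    m = record.get("measurement")
    if m == "aliyun_susp_events":
        status = EVENT_STATUS.get(str(tags.get("EventStatus")), "UNKNOWN")
        is_open, name, detail_key = status in OPEN_EVENT, fields.get("Name"), "Details"
    elif m == "aliyun_vulnerability":
        status = VULN_STATUS.get(fields.get("Status"), "Unknown")
        is_open, name, detail_key = status in OPEN_VULN, fields.get("AliasName"), "message"
    else:
        return None
    return {"measurement": m, "instance": tags.get("InstanceName"),
            "level": tags.get("Level"), "name": name, "status": status,
            "open": is_open, "details": decode_json_field(fields, detail_key)}

# Constructed sample in the shape shown above (not real data); Details is valid
# JSON, message is deliberately malformed to exercise the decoder's failure path.
SAMPLE_EVENT = {"measurement": "aliyun_susp_events",
                "tags": {"EventStatus": "1", "Level": "suspicious", "InstanceName": "web-01"},
                "fields": {"Name": "Process Abnormal Behavior-Linux Suspicious Command Sequence",
                           "Details": '[{"Name": "cmdline", "Value": "<redacted>"}]',
                           "message": "{not json"}}
```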
X. Appendix
Aliyun-Cloud Security Center 'Documentation'
Please refer to the official Aliyun documentation: