Management event structure

更新时间:
复制 MD 格式

This topic describes the key fields of a management event and provides an example.

Key fields

Parameter

Description

acsRegion

The ID of the region where the event occurred.

additionalEventData

Additional information about the event.

apiVersion

If eventType is ApiCall, this field indicates the API version.

eventCategory

The event category. The value is always Management.

eventId

The unique ID of the event.

eventName

The name of the event.

  • If eventType is ApiCall, this field indicates the name of the API operation.

  • If eventType is not ApiCall, this field describes the event.

eventRW

The read/write type of the event. Valid values:

  • Write: a write operation

  • Read: a read operation

eventSource

The source of the event.

eventTime

The time when the event occurred. The time is in UTC.

eventType

The type of event. Valid values:

  • ApiCall: an API call event.

  • ConsoleOperation: a management event from a console page or purchase page.

  • ConsoleSignin: a console sign-in event.

  • ConsoleSignout: a console sign-out event.

  • AliyunServiceEvent: a management event performed by an Alibaba Cloud service on your resources.

Note

For events from MaxCompute, the value of eventType can also be JobEvent, TunnelEvent, TableEvent, AdminEvent, ResourceEvent, FunctionEvent, PrivilegeEvent, RoleEvent, UserEvent, or SchemaEvent. For more information about these event types, see Audit logging.

eventVersion

The version of the management event structure. The value is 1.

errorCode

The error code that is returned if the API call fails.

errorMessage

The error message that is returned if the API call fails.

requestId

The ID of the request.

requestParameters

The request parameters of the API call.

requestParameterJson

The value of the requestParameters field in JSON format.

resourceName

The name or unique identifier of the resource that is associated with the event.

Note

Resource names or IDs of the same type are separated by commas (,) and resource names or IDs of different types are separated by semicolons (;).

resourceType

The type of the resource that is associated with the event.

Note

Multiple resource types are separated by semicolons (;).

responseElements

The data that is returned by the API.

referencedResources

The resources that are affected by the event.

serviceName

The name of the Alibaba Cloud service that generated the event.

sourceIpAddress

The source IP address of the request. Valid values:

  • The IP address of the client that made the request. Both IPv4 and IPv6 addresses are supported.

  • If an Alibaba Cloud service initiates the request, this field indicates the service identifier. Example: ecs.aliyuncs.com.

  • If the source IP address is from an Alibaba Cloud internal network but cannot be identified as belonging to a VPC of a user, the value is Internal.

vpcId

The ID of the source VPC. This field is returned if the source IP address belongs to an identifiable VPC.

userAgent

The user agent of the client that made the request.

isGlobal

Indicates whether the event is a global event. Valid values:

  • true: The event is a global event.

  • false: The event is not a global event.

eventAttributes

The event attributes.

For more information, see Fields in eventAttributes.

userIdentity

The identity information of the requester.

For more information, see Fields in userIdentity.

Table 1. Fields in eventAttributes

Parameter

Description

SensitiveAction

Indicates a sensitive operation. The value is always true.

Table 2. Fields in userIdentity

Parameter

Description

type

The type of identity. Valid values:

  • root-account: an Alibaba Cloud account.

  • ram-user: a RAM user.

  • assumed-role: a RAM role.

  • system: an Alibaba Cloud service.

  • cloudsso-user: a CloudSSO user.

  • saml-user: a corporate identity that is based on SAML.

  • alibaba-cloud-account: an identity that is authorized for cross-account operations.

  • oidc-user: a corporate identity that is based on OIDC.

principalId

The ID of the requester. This field and the type field are used to uniquely identify the requester.

  • If type is root-account, this field indicates the ID of the Alibaba Cloud account.

  • If type is ram-user, this field indicates the ID of the RAM user.

  • If type is assumed-role, this field indicates the ID in the RoleID:RoleSessionName format.

  • If type is cloudsso-user, this field indicates the ID of the CloudSSO user.

  • If type is alibaba-cloud-account:

    • If an Alibaba Cloud account is used for cross-account operations, this field indicates the ID of the Alibaba Cloud account.

    • If a RAM user is used for cross-account operations, this field indicates the ID of the RAM user.

    • If a RAM role is assumed for cross-account operations, this field indicates the ID in the RoleID:RoleSessionName format.

  • If the value of type is saml-user, oidc-user, or system, the principalId field is not populated.

accountId

The ID of the Alibaba Cloud account to which the requester belongs.

accessKeyId

The AccessKey ID of the requester.

  • This field is recorded if the request is made by using an SDK.

  • This field is not recorded for console sign-in events.

  • If the request is made by using a Security Token Service (STS) token, this field indicates the temporary AccessKey ID.

userName

The name of the requester.

  • If type is ram-user, this field indicates the name of the RAM user.

  • If type is assumed-role, this field indicates the name in the RoleName:RoleSessionName format.

  • If type is root-account, the value of userName is root.

  • If type is cloudsso-user, this field indicates the username of the CloudSSO user.

  • If type is saml-user, this field indicates the username of the SAML-based corporate identity.

  • If the value of type is alibaba-cloud-account or system, the userName field is not recorded.

  • If type is oidc-user, this field indicates the username of the OIDC-based corporate identity.

sessionContext

This field is recorded when a user authenticates by using an STS token or logs on to the console. It contains the following information:

  • creationDate: the time when the session was created.

  • mfaAuthenticated: indicates whether multi-factor authentication (MFA) was used for the console session.

Example

{
  "eventId": "92b33345-0cef-47be-821f-fb9914d3****",
  "eventAttributes": {
    "SensitiveAction": "true"
  },
  "eventVersion": 1,
  "sourceIpAddress": "ecs.aliyuncs.com",
  "userAgent": "ecs.aliyuncs.com",
  "eventRW": "Write",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::ECS::Instance": [
      "i-8vb0smn1lf6g77md****"
    ],
    "ACS::ECS::Disk": [
      "d-8vbf8rpv2nn0l1zm****"
    ]
  },
  "userIdentity": {
    "type": "system",
    "userName": "ecs.aliyuncs.com"
  },
  "serviceName": "Ecs",
  "requestId": "32B7EB75-62EE-511E-9449-E19EBF67C2ED",
  "eventTime": "2022-10-22T21:52:00Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "DeleteDisk"
}