Alibaba

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

📘 Note

Alibaba Cloud storage is not currently supported by Hunters as a collection source. Integrations are supported using AWS S3 buckets.

TL;DR

Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method

Alibaba RDS Logs | ✅ | ✅ | alibaba_rds_logs | NDJSON | S3
Alibaba ActionTrail Logs | ✅ | ✅ | alibaba_actiontrail | NDJSON | S3
Alibaba WAF Logs | ✅ | ✅ | alibaba_waf | NDJSON | S3
Alibaba SLB Logs | ✅ | ✅ | alibaba_slb | NDJSON | S3
Alibaba security center alerts | ✅ | alibaba_security_center_alerts | NDJSON | S3
Alibaba Kubernetes audit Logs | ✅ | ✅ | alibaba_kubernetes_audit_logs | NDJSON | S3
Alibaba Kubernetes cloud controller manager | ✅ | alibaba_kubernetes_cloud_controller_manager | NDJSON | S3
Alibaba Kubernetes API server Logs | ✅ | alibaba_kubernetes_apiserver_logs | NDJSON | S3
Alibaba Kubernetes controller manager | ✅ | alibaba_kubernetes_controller_manager | NDJSON | S3
Alibaba Bastion Logs | ✅ | ✅ | alibaba_bastion | NDJSON | S3
Alibaba OSS Logs | ✅ | ✅ | alibaba_oss | NDJSON | S3


Overview

Alibaba Cloud logs furnish essential transparency into the operations and resources within an organization's Alibaba Cloud ecosystem. As cloud environments diverge significantly from traditional on-premises environments, many of the conventional security defenses and auditing and logging mechanisms are not directly transferable to the cloud context, emphasizing the importance of Alibaba Cloud's comprehensive logging solutions in safeguarding an organization's cloud infrastructure.

Supported logs

Alibaba RDS logs

Table name: alibaba_rds_logs

Alibaba Cloud Relational Database Service (RDS) logs are records that capture various types of activities and operations occurring within the RDS environment. These logs are crucial for monitoring, troubleshooting, and ensuring the security and compliance of database operations. Alibaba RDS supports several types of databases, including MySQL, SQL Server, PostgreSQL, MariaDB, and Oracle, and each database type may have its own set of log files.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.

To connect Alibaba RDS logs:

  1. To export your logs to an AWS S3 bucket, follow this guide.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in JSON format.

{
    "__tag__:__receive_time__": "1234567890",
    "__topic__": "rds_audit_log",
    "check_rows": "111",
    "client_ip": "client_ip1",
    "db": "DB1",
    "fail": "0",
    "hash": "-123456789",
    "instance_id": "test-instance1",
    "latency": "111111",
    "origin_time": "1234567890123456",
    "return_rows": "10",
    "sql": "test sql query one",
    "thread_id": "123",
    "update_rows": "15",
    "user": "Test_user1"
}

Alibaba Actiontrail

Table name: alibaba_actiontrail

Alibaba Cloud ActionTrail is a service that records and stores account activity within your Alibaba Cloud environment. It captures detailed information about API calls and user actions, offering a comprehensive audit trail that can help in security analysis, compliance audits, and operational troubleshooting. ActionTrail logs can be vital for tracking changes in resources, diagnosing issues, and ensuring that your cloud environment adheres to governance and compliance standards.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.

To connect Alibaba Actiontrail logs:

  1. Export your logs to an Alibaba OSS bucket by following this guide.

  2. Export the logs from the OSS bucket to an AWS S3 bucket.

  3. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in JSON format.

{
    "event": {
        "acsRegion": "cn-asd",
        "additionalEventData": {
            "CallerBid": "26842"
        },
        "apiVersion": "2019-01-01",
        "eventCategory": "Management",
        "eventId": "asd-12C7C49F4099",
        "eventName": "DescribeMetricList",
        "eventRW": "Read",
        "eventSource": "metrics.cn-hangzhou.aliyuncs.com",
        "eventTime": "2024-01-16T01:10:01Z",
        "eventType": "ApiCall",
        "eventVersion": "1",
        "recipientAccountId": "1336501338520301",
        "requestId": "asdasd89E8-12C7C49F4099",
        "requestParameterJson": {"asd":"asd"},
        "requestParameters": {
            "AcsProduct": "Cms",
            "ClientPort": 8088,
            "EndTime": 1705367389328,
            "MetricName": "MaxPutObjectE2eLatency",
            "Namespace": "asdasd",
            "Period": 3600,
            "proxy_original_source_tls_cipher_suite": "null",
            "proxy_original_source_tls_version": "null",
            "RegionId": "cn-hangzhou",
            "StartTime": 1705367329328
        },
        "serviceName": "Cms",
        "sourceIpAddress": "1.2.3.4",
        "userAgent": "AlibabaCloud (linux; amd64) Golang/1.16.15 Core/0.01 TeaDSL/1",
        "userIdentity": {
            "accessKeyId": "asdasdasd",
            "accountId": "12312412412412",
            "principalId": "124124124124",
            "sessionContext": {
                "attributes": {
                    "creationDate": "2024-01-16T01:10:01Z",
                    "mfaAuthenticated": "false"
                }
            },
            "type": "ram-user",
            "userName": "asd_user"
        }
    }
}
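As an added example (not part of the original page or of Hunters' own code), the following Python reads ActionTrail records in the NDJSON layout shown above and flags state-changing API calls ("eventRW": "Write") whose session did not carry "mfaAuthenticated": "true". The sample events, access key ids, user names and IP addresses are constructed placeholders; note that ActionTrail emits mfaAuthenticated as the string "false"/"true" rather than a JSON boolean, and a root-account call without a sessionContext is reported as "unknown" rather than silently passed.

```python
import json
from collections import Counter

# Constructed sample events in the ActionTrail shape shown above (not real account data).
# Access key ids, user names, account ids and IPs are placeholders.
SAMPLE_EVENTS = [
    {"event": {"eventRW": "Read", "eventName": "DescribeMetricList", "serviceName": "Cms",
               "eventTime": "2024-01-16T01:10:01Z", "sourceIpAddress": "1.2.3.4",
               "userIdentity": {"type": "ram-user", "userName": "asd_user", "accessKeyId": "AK-PLACEHOLDER-1",
                                "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}}},
    {"event": {"eventRW": "Write", "eventName": "CreateAccessKey", "serviceName": "Ram",
               "eventTime": "2024-01-16T01:12:44Z", "sourceIpAddress": "1.2.3.4",
               "userIdentity": {"type": "ram-user", "userName": "asd_user", "accessKeyId": "AK-PLACEHOLDER-1",
                                "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}}},
    {"event": {"eventRW": "Write", "eventName": "DeleteBucket", "serviceName": "Oss",
               "eventTime": "2024-01-16T02:00:00Z", "sourceIpAddress": "5.6.7.8",
               "userIdentity": {"type": "ram-user", "userName": "ops_admin", "accessKeyId": "AK-PLACEHOLDER-2",
                                "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}}},
    {"event": {"eventRW": "Write", "eventName": "AttachPolicyToUser", "serviceName": "Ram",
               "eventTime": "2024-01-16T02:05:13Z", "sourceIpAddress": "9.9.9.9",
               "userIdentity": {"type": "root-account", "accountId": "000000000000"}}},
]
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def read_ndjson(text):
    """Yield one decoded record per non-empty line (the NDJSON layout of the S3 export)."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def mfa_state(identity):
    """Return the mfaAuthenticated attribute ("true"/"false") or "unknown" when it is absent.
    ActionTrail writes the value as a string, so it is compared as text, not as a boolean."""
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated", "unknown")


def find_unverified_writes(ndjson_text):
    """Flag write (state-changing) API calls whose session did not pass an MFA check."""
    findings = []
    for record in read_ndjson(ndjson_text):
        ev = record.get("event", {})
        if ev.get("eventRW") != "Write":
            continue                      # reads are noisy and carry no state change
        identity = ev.get("userIdentity", {})
        mfa = mfa_state(identity)
        if mfa == "true":
            continue
        findings.append({
            "eventTime": ev.get("eventTime"),
            "eventName": ev.get("eventName"),
            "serviceName": ev.get("serviceName"),
            "principalType": identity.get("type"),
            "principal": identity.get("userName") or identity.get("accountId"),
            "accessKeyId": identity.get("accessKeyId"),
            "sourceIp": ev.get("sourceIpAddress"),
            "mfaAuthenticated": mfa,      # "false" or "unknown"
        })
    return findings


def count_by_principal(findings):
    """Aggregate findings per principal so repeated unverified writes stand out."""
    return Counter(f["principal"] for f in findings)


if __name__ == "__main__":
    hits = find_unverified_writes(SAMPLE_NDJSON)
    for hit in hits:
        print(hit)
    print(count_by_principal(hits))
```

On the constructed sample this reports the CreateAccessKey call (MFA "false") and the root-account AttachPolicyToUser call (MFA "unknown"), and skips the read call and the MFA-verified DeleteBucket. In a production rule the "unknown" case deserves its own severity, since it covers both root-account activity and records where the session attributes were never populated.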

Alibaba WAF

Table name: alibaba_waf

Alibaba Cloud Web Application Firewall (WAF) logs are records generated by the Alibaba Cloud WAF service, which is designed to protect web applications from a wide range of online threats, including SQL injection, cross-site scripting (XSS), malicious bots, and other common web attack vectors. WAF logs are crucial for security analysis, incident response, and compliance reporting. They provide detailed information about the traffic reaching your web applications and the actions performed by the WAF based on its configured rules and policies.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.

To connect Alibaba WAF logs:

  1. Export your logs to an S3 bucket by following this guide.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in JSON format.

{
    "__topic__": "waf_access_log",
    "block_action": "",
    "body_bytes_sent": "15",
    "content_type": "x-application/an",
    "host": "xyz.cn",
    "http_cookie": "-",
    "http_referer": "-",
    "http_user_agent": "Java/1.8.0_241",
    "http_x_forwarded_for": "-",
    "https": "on",
    "matched_host": "abc.cn",
    "querystring": "-",
    "real_client_ip": "127.10.10.10",
    "region": "cn",
    "remote_addr": "112.126.93.138",
    "remote_port": "16150",
    "request_length": "3425",
    "request_method": "POST",
    "request_path": "/service/remoting/AssetsService",
    "request_time_msec": "15",
    "request_traceid": "2312553e0f23",
    "server_protocol": "HTTP/1.1",
    "ssl_cipher": "ECDHE-RSA-AES128-GCM-SHA256",
    "ssl_protocol": "TLSv1.2",
    "status": "200",
    "time": "2023-10-07T00:47:17+08:00",
    "upstream_addr": "10.10.10.10:443",
    "upstream_response_time": "0.014",
    "upstream_status": "200",
    "user_id": "20301"
}

Alibaba SLB

Table name: alibaba_slb_logs

Alibaba Cloud Server Load Balancer (SLB) is a traffic distribution control service that distributes incoming traffic among multiple instances to increase the service capabilities of your application. It improves the fault tolerance of your applications by offering high availability and handling failures automatically, ensuring that the traffic is always directed to healthy instances.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.

To connect Alibaba SLB logs:

  1. Export your logs to an S3 bucket by following this guide.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in JSON format.

{
    "__topic__": "slb_layer7_access_log",
    "body_bytes_sent": "166",
    "client_ip": "1.2.3.4",
    "client_port": "1234",
    "host": "asd.asd.cn",
    "http_host": "asdasd.asd.cn",
    "http_referer": "-",
    "http_user_agent": "curl",
    "http_x_forwarded_for": "1.3.4.5",
    "http_x_real_ip": "1.3.5.6",
    "read_request_time": "0",
    "request_length": "606",
    "request_method": "POST",
    "request_time": "0.000",
    "request_uri": "/asd/asd/asd",
    "scheme": "https",
    "server_protocol": "HTTP/1.1",
    "slb_vport": "443",
    "slbid": "lb-0172309ajkosd8921",
    "ssl_cipher": "asd-SHA256",
    "ssl_protocol": "TLSv1.2",
    "status": "502",
    "tcpinfo_rtt": "9191",
    "time": "2023-10-07T00:40:05+08:00",
    "upstream_addr": "1234",
    "upstream_response_time": "0.000",
    "upstream_status": "502",
    "vip_addr": "1.6.7.8",
    "write_response_time": "0"
}

Alibaba security center alerts

Table name: alibaba_security_center_alerts

Alibaba Cloud Security Center is a unified security management system that provides real-time monitoring and protection against threats for Alibaba Cloud resources and workloads. It aims to enhance the security of applications and data hosted on Alibaba Cloud by offering a comprehensive suite of security capabilities, including threat detection, vulnerability management, asset discovery, and compliance checks. Security Center alerts are notifications generated by the system to inform users about potential security issues, vulnerabilities, or threats detected within their Alibaba Cloud environment.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.

To connect Alibaba Security Center logs:

  1. Export your logs to an S3 bucket by following this guide.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in JSON format.

{
    "__topic__": "aegis-log-login",
    "instance_id": "i-aiojdowihi2e8912",
    "ip": "1.2.3.4",
    "sas_group_name": "default",
    "uuid": "adjoijadw-d2-1e21-42-14124214",
    "warn_count": "1",
    "warn_ip": "1.2.3.4",
    "warn_port": "22",
    "warn_type": "SSH",
    "warn_user": "test"
}

Alibaba Kubernetes audit logs

Table name: alibaba_kubernetes_audit_logs

Alibaba Kubernetes audit logs are detailed records that track the sequence of activities or operations that occur within an Alibaba Cloud Kubernetes environment. These logs are crucial for security, compliance, and operational monitoring. They help identify any modifications made to the Kubernetes resources, thereby providing insights into the actions of users, applications, and the system within the Kubernetes cluster.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.

To connect Alibaba Kubernetes audit logs:

  1. Activate API audit logging by following this guide.

  2. Export the logs from the log store to an OSS bucket.

  3. Export the logs from the OSS bucket to an AWS S3 bucket.

  4. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in JSON format.

{
    "kind": "Event",
    "apiVersion": "audit.k8s.io/v1",
    "level": "Request",
    "auditID": "asdasdasd-bd49-43ad-afb5-5bab96e9221b",
    "stage": "ResponseComplete",
    "requestURI": "/api/v1/namespaces/default/endpoints/kubernetes",
    "verb": "get",
    "user": {
        "username": "system:apiserver",
        "uid": "asdasdasd-4256-4f33-897b-b0e8df332c90",
        "groups": [
            "system:masters"
        ]
    },
    "sourceIPs": [
        "127.0.0.1"
    ],
    "userAgent": "kube-apiserver/v1.22.15 (linux/amd64) kubernetes/44e83eb",
    "objectRef": {
        "resource": "endpoints",
        "namespace": "default",
        "name": "kubernetes",
        "apiVersion": "v1"
    },
    "responseStatus": {
        "metadata": {},
        "code": 200
    },
    "requestReceivedTimestamp": "2023-12-14T06:48:20.404608Z",
    "stageTimestamp": "2023-12-14T06:48:20.407694Z",
    "annotations": {
        "authorization.k8s.io/decision": "allow",
        "authorization.k8s.io/reason": ""
    },
    "__topic__": "",
    "__tag__:__hostname__": "aiojdoiwajdoi281ueoid",
    "__tag__:__path__": "/var/log/kubernetes/kubernetes-asoidoiawjdfoiwhaofialhwoifhawfwaf.audit",
    "__tag__:__pack_id__": "71371BE6D8599F8E-1A"
}

Alibaba Kubernetes cloud controller manager

Table name: alibaba_kubernetes_cloud_controller_manager

The Alibaba Cloud Controller Manager is a key component within a Kubernetes cluster that integrates Kubernetes with Alibaba Cloud's infrastructure services, allowing for seamless interaction between your Kubernetes cluster and the underlying cloud resources. It's part of the Kubernetes control plane that abstracts away the specifics of the cloud provider, enabling Kubernetes to work with cloud resources like load balancers, persistent storage, and networking routes in a cloud-agnostic way.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.

To connect Alibaba Kubernetes cloud controller manager logs:

  1. Activate ACK control plane logging by following this guide.

  2. Export the logs from the log store to an OSS bucket.

  3. Export the logs from the OSS bucket to an AWS S3 bucket.

  4. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in JSON format.

{
    "__topic__": "k8s_ccm",
    "_container_name_": "cloud-controller-manager",
    "_source_": "std",
    "_time_": "2023-12-14T06:50:19.509630367Z",
    "content": "I1214 14:50:19.509537       1 route_controller.go:345] sync route tables successfully, tables [vtb-asdasdawrdfwarhui134]"
}

Alibaba Kubernetes API server logs

Table name: alibaba_kubernetes_apiserver_logs

Alibaba Kubernetes API server logs are records generated by the API server component within an Alibaba Cloud Kubernetes or Alibaba Cloud Container Service for Kubernetes (ACK) environment. The Kubernetes API server acts as the central management entity for the Kubernetes cluster, processing REST requests, validating them, and updating the corresponding objects in the cluster database.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.

To connect Alibaba Kubernetes API server logs:

  1. Activate ACK control plane logging by following this guide.

  2. Export the logs from the log store to an OSS bucket.

  3. Export the logs from the OSS bucket to an AWS S3 bucket.

  4. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in JSON format.

{
    "__topic__": "k8s_api_server",
    "_container_name_": "kube-apiserver",
    "_source_": "stderr",
    "_time_": "2023-12-14T06:48:20.13761295Z",
    "content": "I1214 14:48:20.137580       1 controlbuf.go:508] transport: loopyWriter.run returning. connection error: desc = \"transport is closing\""
}

Alibaba Kubernetes controller manager

Table name: alibaba_kubernetes_controller_manager

The Alibaba Kubernetes Controller Manager is a key component in the control plane of a Kubernetes cluster managed by Alibaba Cloud, specifically within its Container Service for Kubernetes (ACK). In a general Kubernetes environment, the Controller Manager is a daemon that embeds core control loops, which are background threads that handle the state of the system.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.

To connect Alibaba Kubernetes controller manager logs:

  1. Activate ACK control plane logging by following this guide.

  2. Export the logs from the log store to an OSS bucket.

  3. Export the logs from the OSS bucket to an AWS S3 bucket.

  4. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in JSON format.

{
    "__topic__": "ks_kcm",
    "_container_name_": "kube-controller-manager",
    "_source_": "src2",
    "_time_": "2024-02-12T00:10:02.893217032Z",
    "content": "I0321 08:10:02.654321       2 httplog.go:222] \"HTTP\" verb=\"GET\" URI=\"/testuri2\" latency=\"22.493\u00b5s\" userAgent=\"test-agent/2.22+\" audit-ID=\"\" srcIP=\"2.22.22.2:22222\" resp=200 contentType=\"text/plain; charset=utf-8\" resp=200"
}
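The three ACK control-plane tables above (cloud controller manager, API server, controller manager) all carry the component's own log line in the "content" field, in klog format: a severity letter, MMDD, a local wall-clock time, a thread id, and file:line] before the message, with the API server's httplog lines adding key="value" pairs. The following Python parser is an added example, not Hunters' or Alibaba's code; its inputs are the three sample records from this page. The klog header has no year and no time zone (the cloud-controller-manager sample shows 14:50:19 beside a "_time_" of 06:50:19Z), so the parser keeps "_time_" as the event time and reports the header clock only as local_time.

```python
import re

# klog header: I1214 14:50:19.509537       1 route_controller.go:345] message
KLOG_HEADER = re.compile(
    r"^(?P<severity>[IWEF])(?P<month>\d{2})(?P<day>\d{2}) "
    r"(?P<local_time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+(?P<pid>\d+) "
    r"(?P<file>[^:\]]+):(?P<line>\d+)\] (?P<message>.*)$",
    re.DOTALL,
)

# key=value pairs as written by httplog: quoted values may contain spaces, bare ones may not.
KV_PAIR = re.compile(r'(?P<key>[A-Za-z][\w-]*)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S+))')

SEVERITY = {"I": "INFO", "W": "WARNING", "E": "ERROR", "F": "FATAL"}

# The three "content" values from this page's samples, wrapped in their Log Service fields.
SAMPLE_RECORDS = [
    {"__topic__": "k8s_ccm", "_container_name_": "cloud-controller-manager", "_source_": "std",
     "_time_": "2023-12-14T06:50:19.509630367Z",
     "content": "I1214 14:50:19.509537       1 route_controller.go:345] sync route tables successfully, tables [vtb-asdasdawrdfwarhui134]"},
    {"__topic__": "k8s_api_server", "_container_name_": "kube-apiserver", "_source_": "stderr",
     "_time_": "2023-12-14T06:48:20.13761295Z",
     "content": 'I1214 14:48:20.137580       1 controlbuf.go:508] transport: loopyWriter.run returning. connection error: desc = "transport is closing"'},
    {"__topic__": "ks_kcm", "_container_name_": "kube-controller-manager", "_source_": "src2",
     "_time_": "2024-02-12T00:10:02.893217032Z",
     "content": 'I0321 08:10:02.654321       2 httplog.go:222] "HTTP" verb="GET" URI="/testuri2" latency="22.493µs" userAgent="test-agent/2.22+" audit-ID="" srcIP="2.22.22.2:22222" resp=200 contentType="text/plain; charset=utf-8" resp=200'},
]


def parse_klog_line(content):
    """Split a klog line into its header fields and message; return None for non-klog content."""
    m = KLOG_HEADER.match(content)
    if not m:
        return None  # e.g. a continuation line or a stack trace: the caller keeps the raw text
    parsed = m.groupdict()
    parsed["severity"] = SEVERITY[parsed["severity"]]
    parsed["pid"] = int(parsed["pid"])
    parsed["line"] = int(parsed["line"])
    # Structured key="value" pairs (httplog and similar). A repeated key keeps its last value,
    # which is what the duplicated resp=200 in the controller-manager sample produces.
    parsed["fields"] = {
        kv.group("key"): kv.group("quoted") if kv.group("quoted") is not None else kv.group("bare")
        for kv in KV_PAIR.finditer(parsed["message"])
    }
    return parsed


def parse_control_plane_record(record):
    """Combine the Log Service fields of one record with the parsed klog content."""
    result = {
        "container": record.get("_container_name_"),
        "stream": record.get("_source_"),
        "event_time": record.get("_time_"),  # the only timestamp with a year and a zone
        "raw": record.get("content", ""),
    }
    parsed = parse_klog_line(result["raw"])
    if parsed is not None:
        result.update(parsed)
    return result


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(parse_control_plane_record(rec))
```

The parsed "fields" dictionary is what makes the API server and controller-manager lines searchable by verb, URI, source IP and response code rather than by substring match on "content".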

Alibaba Bastion

Table name: alibaba_bastion

Alibaba Cloud Bastion Host is a secure, cloud-based service that provides users a unified interface to manage access to their Elastic Compute Service (ECS) instances and other cloud resources. It acts as a critical control point for administrators, allowing them to authenticate, authorize, and audit access to servers without exposing them directly to the internet. This service helps reduce the risk of external attacks while simplifying the management of permissions and credentials for organizations operating in the cloud.

Send data to Hunters

Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.

To connect Alibaba Bastion logs:

  1. Export the logs from Alibaba Cloud Bastion to an AWS S3 bucket.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in JSON format.

{
    "contents": {
        "__topic__": "bastionhost",
        "content": "test.xlsx",
        "event_type": "file.Upload",
        "instance_id": "bastionhost-cn-asdasdasd",
        "log_level": "0",
        "owner_id": "1336501338520301",
        "region": "cn-shanghai",
        "resource_address": "10.1.1.1",
        "resource_name": "AOSKDAJWOD12",
        "result": "fail",
        "session_id": "918023901232",
        "user_client_ip": "1.2.3.4",
        "user_id": "156",
        "user_name": "li.ke"
    },
    "source": "log_service",
    "timestamp": 1713259550
}

Alibaba OSS

Table name: alibaba_oss

Alibaba Cloud Object Storage Service (OSS) is a secure, cost-effective, and highly scalable cloud storage solution designed to store, back up, and archive large amounts of data. With its flexible storage class options, OSS allows users to optimize storage costs based on their data access patterns. It offers high availability and reliability, ensuring that data is always accessible. Additionally, OSS integrates seamlessly with other Alibaba Cloud services, making it easy to build scalable and resilient applications. Its robust security features, including encryption, access control, and data protection, ensure that data remains secure at all times. Overall, Alibaba OSS is a powerful storage solution that enables businesses to store and manage their data efficiently in the cloud.

Send data to Hunters

Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.

To connect Alibaba OSS logs:

  1. Activate Alibaba OSS logging by following the steps in this article (under Procedure).

  2. Export the logs from Alibaba Cloud OSS to an AWS S3 bucket by following this guide.

  3. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in JSON format.

{
    "contents": {
        "__topic__": "oss_access_log",
        "acc_access_region": "-",
        "access_id": "asdiasojdiasjdioas",
        "archive_direct_read_size": "-",
        "bucket": "asdasd-upload",
        "bucket_location": "oss-cn-shanghai-109",
        "bucket_storage_type": "standard",
        "client_ip": "1.2.3.7",
        "content_length_in": "-",
        "content_length_out": "269376",
        "delta_data_size": "-",
        "ec": "0048-00000103",
        "error_code": "-",
        "extend_information": "-",
        "host": "asdasd-upload.oss-cn-shanghai.aliyuncs.com",
        "http_method": "GET",
        "http_status": "200",
        "http_type": "https",
        "logging_flag": "true",
        "object": "asdasdasdasd.png",
        "object_size": "269376",
        "operation": "GetObject",
        "owner_id": "123123123123123",
        "referer": "https://asd.com/",
        "request_id": "662C3ED537CC3430383E4D37",
        "request_length": "899",
        "request_uri": "/prod/uri HTTP/1.1",
        "requester_id": "295319828821243623",
        "response_body_length": "269376",
        "response_time": "5",
        "restore_priority": "-",
        "server_cost_time": "2",
        "sign_type": "UriSign",
        "sync_request": "-",
        "target_storage_class": "-",
        "time": "27/Apr/2024:07:55:01",
        "user_agent": "Mozilla/5.0 (Linux; Android 11; TYd",
        "user_defined_log_fields": "-",
        "vpc_addr": "3303203723",
        "vpc_id": "0"
    },
    "source": "log_service",
    "timestamp": 1714175701
}
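The samples on this page come in two envelope shapes: Bastion and OSS records wrap the fields in "contents" next to a "source" and an epoch "timestamp", ActionTrail wraps them in "event", and the other tables are flat records keyed by "__topic__" (Kubernetes audit events have an empty "__topic__" and are recognised by "kind": "Event"). They also disagree on where the event time lives and in what form. The following Python is an added example (not Hunters' or Alibaba's code) that unwraps each shape, routes it to a table name, and produces one aware UTC timestamp per record. The topic-to-table map is read off this page's samples and TL;DR table (the SLB section heading gives alibaba_slb_logs; the TL;DR value alibaba_slb is used here), the sample records are trimmed versions of the page's samples with placeholder values, and the mapping to Hunters' real ingestion is an assumption. One caveat the samples themselves show: the OSS "time" field (27/Apr/2024:07:55:01) carries no zone and is eight hours ahead of the envelope "timestamp" 1714175701 (2024-04-26T23:55:01Z), so the envelope epoch is preferred over it.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# "__topic__" values from this page's samples, mapped to the table names in the TL;DR table.
TOPIC_TO_TABLE = {
    "rds_audit_log": "alibaba_rds_logs",
    "waf_access_log": "alibaba_waf",
    "slb_layer7_access_log": "alibaba_slb",
    "aegis-log-login": "alibaba_security_center_alerts",
    "k8s_ccm": "alibaba_kubernetes_cloud_controller_manager",
    "k8s_api_server": "alibaba_kubernetes_apiserver_logs",
    "ks_kcm": "alibaba_kubernetes_controller_manager",
    "bastionhost": "alibaba_bastion",
    "oss_access_log": "alibaba_oss",
}

# Trimmed versions of the samples on this page; ids and addresses are placeholders.
SAMPLE_RECORDS = [
    {"contents": {"__topic__": "oss_access_log", "operation": "GetObject", "time": "27/Apr/2024:07:55:01"},
     "source": "log_service", "timestamp": 1714175701},
    {"contents": {"__topic__": "bastionhost", "event_type": "file.Upload", "result": "fail"},
     "source": "log_service", "timestamp": 1713259550},
    {"__topic__": "waf_access_log", "status": "200", "time": "2023-10-07T00:47:17+08:00"},
    {"__topic__": "rds_audit_log", "__tag__:__receive_time__": "1234567890", "origin_time": "1234567890123456"},
    {"__topic__": "k8s_ccm", "_container_name_": "cloud-controller-manager", "_time_": "2023-12-14T06:50:19.509630367Z"},
    {"event": {"eventName": "DescribeMetricList", "eventTime": "2024-01-16T01:10:01Z"}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get", "__topic__": "",
     "requestReceivedTimestamp": "2023-12-14T06:48:20.404608Z"},
    {"__topic__": "aegis-log-login", "warn_type": "SSH", "warn_ip": "1.2.3.4"},
]
SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp that carries a zone; None for naive or non-ISO values."""
    if not isinstance(value, str):
        return None
    # datetime.fromisoformat accepts at most six fractional digits and, before 3.11, no "Z".
    value = re.sub(r"(\.\d{6})\d+", r"\1", value.replace("Z", "+00:00"))
    try:
        dt = datetime.fromisoformat(value)
    except ValueError:
        return None
    return dt.astimezone(timezone.utc) if dt.tzinfo is not None else None


def epoch_to_utc(value, units_per_second=1):
    """Convert an epoch count (seconds or microseconds, int or string) to an aware UTC datetime."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return None
    whole, frac = divmod(n, units_per_second)
    return datetime.fromtimestamp(whole, tz=timezone.utc) + timedelta(microseconds=frac * 1_000_000 // units_per_second)


def normalize(raw):
    """Unwrap one record, pick its table, and derive a single UTC event time."""
    envelope_ts = None
    if isinstance(raw.get("contents"), dict):      # Bastion / OSS envelope
        payload, envelope_ts = raw["contents"], raw.get("timestamp")
    elif isinstance(raw.get("event"), dict):       # ActionTrail envelope
        payload = raw["event"]
    else:                                          # flat record
        payload = raw

    if "event" in raw:
        table = "alibaba_actiontrail"
    elif payload.get("kind") == "Event" and str(payload.get("apiVersion", "")).startswith("audit.k8s.io/"):
        table = "alibaba_kubernetes_audit_logs"
    else:
        table = TOPIC_TO_TABLE.get(payload.get("__topic__"))

    candidates = (
        epoch_to_utc(envelope_ts),                               # Bastion / OSS: UTC epoch on the envelope
        parse_rfc3339(payload.get("_time_")),                    # ACK control-plane logs
        parse_rfc3339(payload.get("eventTime")),                 # ActionTrail
        parse_rfc3339(payload.get("requestReceivedTimestamp")),  # Kubernetes audit
        parse_rfc3339(payload.get("time")),                      # WAF / SLB: ISO with +08:00 offset
        epoch_to_utc(payload.get("origin_time"), 1_000_000),     # RDS audit: microseconds
        epoch_to_utc(payload.get("__tag__:__receive_time__")),   # Log Service receive time, seconds
    )
    event_time = next((t for t in candidates if t is not None), None)
    return {"table": table, "topic": payload.get("__topic__"), "event_time": event_time, "payload": payload}


def normalize_ndjson(text):
    """Normalize every non-empty line of an NDJSON export."""
    return [normalize(json.loads(line)) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for row in normalize_ndjson(SAMPLE_NDJSON):
        print(row["table"], row["event_time"].isoformat() if row["event_time"] else None)
```

Records the router cannot place (an unknown "__topic__") come back with table None, and the security center sample, which carries no timestamp at all, comes back with event_time None; both should be counted and surfaced rather than dropped, since a silent drop in the normalization step is itself a detection gap.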