Connect this data source on your own, using the Hunters platform.
📘Note
Alibaba cloud storage is not currently supported by Hunters. Integrations are supported using S3 buckets.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
Alibaba RDS Logs | ✅ | ✅ | | | alibaba_rds_logs | NDJSON | S3
Alibaba ActionTrail Logs | ✅ | ✅ | | | alibaba_actiontrail | NDJSON | S3
Alibaba WAF Logs | ✅ | ✅ | | | alibaba_waf | NDJSON | S3
Alibaba SLB Logs | ✅ | ✅ | | | alibaba_slb | NDJSON | S3
Alibaba security center alerts | ✅ | | | | alibaba_security_center_alerts | NDJSON | S3
Alibaba Kubernetes audit Logs | ✅ | ✅ | | | alibaba_kubernetes_audit_logs | NDJSON | S3
Alibaba Kubernetes cloud controller manager | ✅ | | | | alibaba_kubernetes_cloud_controller_manager | NDJSON | S3
Alibaba Kubernetes API server Logs | ✅ | | | | alibaba_kubernetes_apiserver_logs | NDJSON | S3
Alibaba Kubernetes controller manager | ✅ | | | | alibaba_kubernetes_controller_manager | NDJSON | S3
Alibaba Bastion Logs | ✅ | ✅ | | | alibaba_bastion | NDJSON | S3
Alibaba OSS Logs | ✅ | ✅ | | | alibaba_oss | NDJSON | S3
Overview
Alibaba Cloud logs furnish essential transparency into the operations and resources within an organization's Alibaba Cloud ecosystem. As cloud environments diverge significantly from traditional on-premises environments, many of the conventional security defenses and auditing and logging mechanisms are not directly transferable to the cloud context, emphasizing the importance of Alibaba Cloud's comprehensive logging solutions in safeguarding an organization's cloud infrastructure.
Supported logs
Alibaba RDS logs
Table name: alibaba_rds_logs
Alibaba Cloud Relational Database Service (RDS) logs are records that capture various types of activities and operations occurring within the RDS environment. These logs are crucial for monitoring, troubleshooting, and ensuring the security and compliance of database operations. Alibaba RDS supports several types of databases, including MySQL, SQL Server, PostgreSQL, MariaDB, and Oracle, and each database type may have its own set of log files.
Learn more here.
Send data to Hunters
Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.
To connect Alibaba RDS logs:
To export your logs to an AWS S3 bucket, follow this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in JSON format.
{
"__tag__:__receive_time__": "1234567890",
"__topic__": "rds_audit_log",
"check_rows": "111",
"client_ip": "client_ip1",
"db": "DB1",
"fail": "0",
"hash": "-123456789",
"instance_id": "test-instance1",
"latency": "111111",
"origin_time": "1234567890123456",
"return_rows": "10",
"sql": "test sql query one",
"thread_id": "123",
"update_rows": "15",
"user": "Test_user1"
}
Alibaba Actiontrail
Table name: alibaba_actiontrail
Alibaba Cloud ActionTrail is a service that records and stores account activity within your Alibaba Cloud environment. It captures detailed information about API calls and user actions, offering a comprehensive audit trail that can help in security analysis, compliance audits, and operational troubleshooting. ActionTrail logs can be vital for tracking changes in resources, diagnosing issues, and ensuring that your cloud environment adheres to governance and compliance standards.
Learn more here.
Send data to Hunters
Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.
To connect Alibaba Actiontrail logs:
Export your logs to an Alibaba OSS bucket by following this guide.
Export the logs from the OSS bucket to an AWS S3 bucket.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in JSON format.
{
"event": {
"acsRegion": "cn-asd",
"additionalEventData": {
"CallerBid": "26842"
},
"apiVersion": "2019-01-01",
"eventCategory": "Management",
"eventId": "asd-12C7C49F4099",
"eventName": "DescribeMetricList",
"eventRW": "Read",
"eventSource": "metrics.cn-hangzhou.aliyuncs.com",
"eventTime": "2024-01-16T01:10:01Z",
"eventType": "ApiCall",
"eventVersion": "1",
"recipientAccountId": "1336501338520301",
"requestId": "asdasd89E8-12C7C49F4099",
"requestParameterJson": {"asd":"asd"},
"requestParameters": {
"AcsProduct": "Cms",
"ClientPort": 8088,
"EndTime": 1705367389328,
"MetricName": "MaxPutObjectE2eLatency",
"Namespace": "asdasd",
"Period": 3600,
"proxy_original_source_tls_cipher_suite": "null",
"proxy_original_source_tls_version": "null",
"RegionId": "cn-hangzhou",
"StartTime": 1705367329328
},
"serviceName": "Cms",
"sourceIpAddress": "1.2.3.4",
"userAgent": "AlibabaCloud (linux; amd64) Golang/1.16.15 Core/0.01 TeaDSL/1",
"userIdentity": {
"accessKeyId": "asdasdasd",
"accountId": "12312412412412",
"principalId": "124124124124",
"sessionContext": {
"attributes": {
"creationDate": "2024-01-16T01:10:01Z",
"mfaAuthenticated": "false"
}
},
"type": "ram-user",
"userName": "asd_user"
}
}
}
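The ActionTrail record above carries the fields a detection needs: eventRW, userIdentity.type and sessionContext.attributes.mfaAuthenticated. The following added example (not Hunters code, and not the platform's own detection logic) reads NDJSON lines in that shape and flags Write API calls made by a RAM user whose session was not MFA-authenticated; the sample records, user names and addresses are constructed for the demo.

```python
import json

def is_unmfa_write(event):
    """True for a Write API call by a RAM user whose session was not MFA-authenticated."""
    ident = event.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    # mfaAuthenticated is the string "false" in the page's sample, so compare as text;
    # a missing attribute is treated as "not MFA-authenticated" (conservative).
    mfa = str(attrs.get("mfaAuthenticated", "false")).lower() == "true"
    return event.get("eventRW") == "Write" and ident.get("type") == "ram-user" and not mfa

def flag_unmfa_writes(ndjson_text):
    """Parse NDJSON ActionTrail lines; return (eventName, userName, sourceIpAddress) per hit."""
    hits = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line).get("event", {})
        if is_unmfa_write(event):
            hits.append((event.get("eventName"),
                         event.get("userIdentity", {}).get("userName"),
                         event.get("sourceIpAddress")))
    return hits

def _rec(name, rw, utype, mfa, user="alice", ip="198.51.100.7"):
    """Build one constructed ActionTrail-shaped record (demo data, not a real event)."""
    return json.dumps({"event": {
        "eventName": name, "eventRW": rw, "eventType": "ApiCall",
        "sourceIpAddress": ip, "eventTime": "2024-01-16T01:10:01Z",
        "userIdentity": {"type": utype, "userName": user,
                         "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}}}})

# Constructed sample export: only the second line should be flagged.
SAMPLE = "\n".join([
    _rec("DescribeMetricList", "Read", "ram-user", "false"),
    _rec("CreateAccessKey", "Write", "ram-user", "false", user="bob"),
    _rec("CreateAccessKey", "Write", "ram-user", "true"),
    _rec("DescribeInstances", "Read", "assumed-role", "false"),
])

if __name__ == "__main__":
    for name, user, ip in flag_unmfa_writes(SAMPLE):
        print(f"Write call {name} by RAM user {user} from {ip} without MFA")
```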
Alibaba WAF
Table name: alibaba_waf
Alibaba Cloud Web Application Firewall (WAF) logs are records generated by the Alibaba Cloud WAF service, which is designed to protect web applications from a wide range of online threats, including SQL injection, cross-site scripting (XSS), malicious bots, and other common web attack vectors. WAF logs are crucial for security analysis, incident response, and compliance reporting. They provide detailed information about the traffic reaching your web applications and the actions performed by the WAF based on its configured rules and policies.
Learn more here.
Send data to Hunters
Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.
To connect Alibaba WAF logs:
Export your logs to an S3 bucket by following this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in JSON format.
{
"__topic__": "waf_access_log",
"block_action": "",
"body_bytes_sent": "15",
"content_type": "x-application/an",
"host": "xyz.cn",
"http_cookie": "-",
"http_referer": "-",
"http_user_agent": "Java/1.8.0_241",
"http_x_forwarded_for": "-",
"https": "on",
"matched_host": "abc.cn",
"querystring": "-",
"real_client_ip": "127.10.10.10",
"region": "cn",
"remote_addr": "112.126.93.138",
"remote_port": "16150",
"request_length": "3425",
"request_method": "POST",
"request_path": "/service/remoting/AssetsService",
"request_time_msec": "15",
"request_traceid": "2312553e0f23",
"server_protocol": "HTTP/1.1",
"ssl_cipher": "ECDHE-RSA-AES128-GCM-SHA256",
"ssl_protocol": "TLSv1.2",
"status": "200",
"time": "2023-10-07T00:47:17+08:00",
"upstream_addr": "10.10.10.10:443",
"upstream_response_time": "0.014",
"upstream_status": "200",
"user_id": "20301"
}
Alibaba SLB
Table name: alibaba_slb_logs
Alibaba Cloud Server Load Balancer (SLB) is a traffic distribution control service that distributes incoming traffic among multiple instances to increase the service capabilities of your application. It improves the fault tolerance of your applications by offering high availability and handling failures automatically, ensuring that the traffic is always directed to healthy instances.
Learn more here.
Send data to Hunters
Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.
To connect Alibaba SLB logs:
Export your logs to an S3 bucket by following this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in JSON format.
{
"__topic__": "slb_layer7_access_log",
"body_bytes_sent": "166",
"client_ip": "1.2.3.4",
"client_port": "1234",
"host": "asd.asd.cn",
"http_host": "asdasd.asd.cn",
"http_referer": "-",
"http_user_agent": "curl",
"http_x_forwarded_for": "1.3.4.5",
"http_x_real_ip": "1.3.5.6",
"read_request_time": "0",
"request_length": "606",
"request_method": "POST",
"request_time": "0.000",
"request_uri": "/asd/asd/asd",
"scheme": "https",
"server_protocol": "HTTP/1.1",
"slb_vport": "443",
"slbid": "lb-0172309ajkosd8921",
"ssl_cipher": "asd-SHA256",
"ssl_protocol": "TLSv1.2",
"status": "502",
"tcpinfo_rtt": "9191",
"time": "2023-10-07T00:40:05+08:00",
"upstream_addr": "1234",
"upstream_response_time": "0.000",
"upstream_status": "502",
"vip_addr": "1.6.7.8",
"write_response_time": "0"
}
Alibaba security center alerts
Table name: alibaba_security_center_alerts
Alibaba Cloud Security Center is a unified security management system that provides real-time monitoring and protection against threats for Alibaba Cloud resources and workloads. It aims to enhance the security of applications and data hosted on Alibaba Cloud by offering a comprehensive suite of security capabilities, including threat detection, vulnerability management, asset discovery, and compliance checks. Security Center alerts are notifications generated by the system to inform users about potential security issues, vulnerabilities, or threats detected within their Alibaba Cloud environment.
Learn more here.
Send data to Hunters
Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.
To connect Alibaba Security Center logs:
Export your logs to an S3 bucket by following this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in JSON format.
{
"__topic__": "aegis-log-login",
"instance_id": "i-aiojdowihi2e8912",
"ip": "1.2.3.4",
"sas_group_name": "default",
"uuid": "adjoijadw-d2-1e21-42-14124214",
"warn_count": "1",
"warn_ip": "1.2.3.4",
"warn_port": "22",
"warn_type": "SSH",
"warn_user": "test"
}
Alibaba Kubernetes audit logs
Table name: alibaba_kubernetes_audit_logs
Alibaba Kubernetes audit logs are detailed records that track the sequence of activities or operations that occur within an Alibaba Cloud Kubernetes environment. These logs are crucial for security, compliance, and operational monitoring. They help identify any modifications made to the Kubernetes resources, thereby providing insights into the actions of users, applications, and the system within the Kubernetes cluster.
Learn more here.
Send data to Hunters
Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.
To connect Alibaba Kubernetes audit logs:
Activate API audit logging by following this guide.
Export the logs from the log store to an OSS bucket.
Export the logs from the OSS bucket to an AWS S3 bucket.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in JSON format.
{
"kind": "Event",
"apiVersion": "audit.k8s.io/v1",
"level": "Request",
"auditID": "asdasdasd-bd49-43ad-afb5-5bab96e9221b",
"stage": "ResponseComplete",
"requestURI": "/api/v1/namespaces/default/endpoints/kubernetes",
"verb": "get",
"user": {
"username": "system:apiserver",
"uid": "asdasdasd-4256-4f33-897b-b0e8df332c90",
"groups": [
"system:masters"
]
},
"sourceIPs": [
"127.0.0.1"
],
"userAgent": "kube-apiserver/v1.22.15 (linux/amd64) kubernetes/44e83eb",
"objectRef": {
"resource": "endpoints",
"namespace": "default",
"name": "kubernetes",
"apiVersion": "v1"
},
"responseStatus": {
"metadata": {},
"code": 200
},
"requestReceivedTimestamp": "2023-12-14T06:48:20.404608Z",
"stageTimestamp": "2023-12-14T06:48:20.407694Z",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": ""
},
"__topic__": "",
"__tag__:__hostname__": "aiojdoiwajdoi281ueoid",
"__tag__:__path__": "/var/log/kubernetes/kubernetes-asoidoiawjdfoiwhaofialhwoifhawfwaf.audit",
"__tag__:__pack_id__": "71371BE6D8599F8E-1A"
}
Alibaba Kubernetes cloud controller manager
Table name: alibaba_kubernetes_cloud_controller_manager
The Alibaba Cloud Controller Manager is a key component within a Kubernetes cluster that integrates Kubernetes with Alibaba Cloud's infrastructure services, allowing for seamless interaction between your Kubernetes cluster and the underlying cloud resources. It's part of the Kubernetes control plane that abstracts away the specifics of the cloud provider, enabling Kubernetes to work with cloud resources like load balancers, persistent storage, and networking routes in a cloud-agnostic way.
Learn more here.
Send data to Hunters
Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.
To connect Alibaba Kubernetes cloud controller manager logs:
Activate ACK control plane logging by following this guide.
Export the logs from the log store to an OSS bucket.
Export the logs from the OSS bucket to an AWS S3 bucket.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in JSON format.
{
"__topic__": "k8s_ccm",
"_container_name_": "cloud-controller-manager",
"_source_": "std",
"_time_": "2023-12-14T06:50:19.509630367Z",
"content": "I1214 14:50:19.509537 1 route_controller.go:345] sync route tables successfully, tables [vtb-asdasdawrdfwarhui134]"
}
Alibaba Kubernetes API server logs
Table name: alibaba_kubernetes_apiserver_logs
Alibaba Kubernetes API server logs are records generated by the API server component within an Alibaba Cloud Kubernetes or Alibaba Cloud Container Service for Kubernetes (ACK) environment. The Kubernetes API server acts as the central management entity for the Kubernetes cluster, processing REST requests, validating them, and updating the corresponding objects in the cluster database.
Learn more here.
Send data to Hunters
Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.
To connect Alibaba Kubernetes API server logs:
Activate ACK control plane logging by following this guide.
Export the logs from the log store to an OSS bucket.
Export the logs from the OSS bucket to an AWS S3 bucket.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in JSON format.
{
"__topic__": "k8s_api_server",
"_container_name_": "kube-apiserver",
"_source_": "stderr",
"_time_": "2023-12-14T06:48:20.13761295Z",
"content": "I1214 14:48:20.137580 1 controlbuf.go:508] transport: loopyWriter.run returning. connection error: desc = \"transport is closing\""
}
Alibaba Kubernetes controller manager
Table name: alibaba_kubernetes_controller_manager
The Alibaba Kubernetes Controller Manager is a key component in the control plane of a Kubernetes cluster managed by Alibaba Cloud, specifically within its Container Service for Kubernetes (ACK). In a general Kubernetes environment, the Controller Manager is a daemon that embeds core control loops, which are background threads that handle the state of the system.
Learn more here.
Send data to Hunters
Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.
To connect Alibaba Kubernetes controller manager logs:
Activate ACK control plane logging by following this guide.
Export the logs from the log store to an OSS bucket.
Export the logs from the OSS bucket to an AWS S3 bucket.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in JSON format.
{
"__topic__": "ks_kcm",
"_container_name_": "kube-controller-manager",
"_source_": "src2",
"_time_": "2024-02-12T00:10:02.893217032Z",
"content": "I0321 08:10:02.654321 2 httplog.go:222] \"HTTP\" verb=\"GET\" URI=\"/testuri2\" latency=\"22.493\u00b5s\" userAgent=\"test-agent/2.22+\" audit-ID=\"\" srcIP=\"2.22.22.2:22222\" resp=200 contentType=\"text/plain; charset=utf-8\" resp=200"
}
Alibaba Bastion
Table name: alibaba_bastion
Alibaba Cloud Bastion Host is a secure, cloud-based service that provides users a unified interface to manage access to their Elastic Compute Service (ECS) instances and other cloud resources. It acts as a critical control point for administrators, allowing them to authenticate, authorize, and audit access to servers without exposing them directly to the internet. This service helps reduce the risk of external attacks while simplifying the management of permissions and credentials for organizations operating in the cloud.
Send data to Hunters
Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.
To connect Alibaba Bastion logs:
Export the logs from Alibaba Cloud Bastion to an AWS S3 bucket.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in JSON format.
{
"contents": {
"__topic__": "bastionhost",
"content": "test.xlsx",
"event_type": "file.Upload",
"instance_id": "bastionhost-cn-asdasdasd",
"log_level": "0",
"owner_id": "1336501338520301",
"region": "cn-shanghai",
"resource_address": "10.1.1.1",
"resource_name": "AOSKDAJWOD12",
"result": "fail",
"session_id": "918023901232",
"user_client_ip": "1.2.3.4",
"user_id": "156",
"user_name": "li.ke"
},
"source": "log_service",
"timestamp": 1713259550
}
Alibaba OSS
Table name: alibaba_oss
Alibaba Cloud Object Storage Service (OSS) is a secure, cost-effective, and highly scalable cloud storage solution designed to store, back up, and archive large amounts of data. With its flexible storage class options, OSS allows users to optimize storage costs based on their data access patterns. It offers high availability and reliability, ensuring that data is always accessible. Additionally, OSS integrates seamlessly with other Alibaba Cloud services, making it easy to build scalable and resilient applications. Its robust security features, including encryption, access control, and data protection, ensure that data remains secure at all times. Overall, Alibaba OSS is a powerful storage solution that enables businesses to store and manage their data efficiently in the cloud.
Send data to Hunters
Hunters supports the ingestion of these logs using an AWS S3 bucket as an intermediary storage.
To connect Alibaba OSS logs:
Activate Alibaba OSS logging by following the steps in this article (under Procedure).
Export the logs from Alibaba Cloud OSS to an AWS S3 bucket by following this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in JSON format.
{
"contents": {
"__topic__": "oss_access_log",
"acc_access_region": "-",
"access_id": "asdiasojdiasjdioas",
"archive_direct_read_size": "-",
"bucket": "asdasd-upload",
"bucket_location": "oss-cn-shanghai-109",
"bucket_storage_type": "standard",
"client_ip": "1.2.3.7",
"content_length_in": "-",
"content_length_out": "269376",
"delta_data_size": "-",
"ec": "0048-00000103",
"error_code": "-",
"extend_information": "-",
"host": "asdasd-upload.oss-cn-shanghai.aliyuncs.com",
"http_method": "GET",
"http_status": "200",
"http_type": "https",
"logging_flag": "true",
"object": "asdasdasdasd.png",
"object_size": "269376",
"operation": "GetObject",
"owner_id": "123123123123123",
"referer": "https://asd.com/",
"request_id": "662C3ED537CC3430383E4D37",
"request_length": "899",
"request_uri": "/prod/uri HTTP/1.1",
"requester_id": "295319828821243623",
"response_body_length": "269376",
"response_time": "5",
"restore_priority": "-",
"server_cost_time": "2",
"sign_type": "UriSign",
"sync_request": "-",
"target_storage_class": "-",
"time": "27/Apr/2024:07:55:01",
"user_agent": "Mozilla/5.0 (Linux; Android 11; TYd",
"user_defined_log_fields": "-",
"vpc_addr": "3303203723",
"vpc_id": "0"
},
"source": "log_service",
"timestamp": 1714175701
}
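Before connecting an S3 export, it is worth checking that every line is valid NDJSON and has one of the record shapes shown on this page. The following added script (not Hunters code) does that: it maps each record to the table it matches using the `__topic__` values and structural markers from the samples above. Treating those fields as the discriminator is this script's own assumption, not documented Hunters routing behaviour; the sample lines are constructed.

```python
import json

# __topic__ value -> Hunters table name, exactly as the samples on this page show them.
TOPIC_TO_TABLE = {
    "rds_audit_log": "alibaba_rds_logs",
    "waf_access_log": "alibaba_waf",
    "slb_layer7_access_log": "alibaba_slb_logs",
    "aegis-log-login": "alibaba_security_center_alerts",
    "k8s_ccm": "alibaba_kubernetes_cloud_controller_manager",
    "k8s_api_server": "alibaba_kubernetes_apiserver_logs",
    "ks_kcm": "alibaba_kubernetes_controller_manager",
    "bastionhost": "alibaba_bastion",
    "oss_access_log": "alibaba_oss",
}

def classify(record):
    """Return the table a parsed record belongs to, or None if its shape is unrecognised."""
    # Bastion and OSS samples wrap their fields in a "contents" object.
    body = record.get("contents", record)
    table = TOPIC_TO_TABLE.get(body.get("__topic__"))
    if table:
        return table
    # ActionTrail records carry a single "event" object with an eventName.
    if isinstance(record.get("event"), dict) and "eventName" in record["event"]:
        return "alibaba_actiontrail"
    # Kubernetes audit events have an empty __topic__ but a fixed kind/apiVersion.
    if record.get("kind") == "Event" and str(record.get("apiVersion", "")).startswith("audit.k8s.io/"):
        return "alibaba_kubernetes_audit_logs"
    return None

def validate_ndjson(text):
    """Parse NDJSON; return ({table: count}, [(line_no, problem)]) so bad lines can be fixed before upload."""
    counts, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # blank lines are harmless in NDJSON
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            problems.append((n, f"invalid JSON: {exc.msg}"))
            continue
        if not isinstance(record, dict):
            problems.append((n, "not a JSON object"))
            continue
        table = classify(record)
        if table is None:
            problems.append((n, "unrecognised record shape"))
            continue
        counts[table] = counts.get(table, 0) + 1
    return counts, problems

# Constructed export: four well-formed lines and one with an unescaped inner quote.
SAMPLE = "\n".join([
    '{"__topic__": "rds_audit_log", "client_ip": "10.0.0.5", "user": "app", "fail": "0"}',
    '{"event": {"eventName": "DescribeMetricList", "eventRW": "Read"}}',
    '{"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get", "__topic__": ""}',
    '{"contents": {"__topic__": "bastionhost", "event_type": "file.Upload"}, "source": "log_service"}',
    '{"__topic__": "k8s_api_server", "content": "desc = "transport is closing""}',
])

if __name__ == "__main__":
    counts, problems = validate_ndjson(SAMPLE)
    print(counts)
    for n, problem in problems:
        print(f"line {n}: {problem}")
```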