The Log Analysis page provides precise, real-time log auditing and efficient analysis. Combined with an SQL-based analysis tool, it lets you build custom reports and configure alerts for in-depth data analysis and monitoring.
This topic describes how to use Log Analysis.
Your host assets must already be connected to Cloud Security Center. For the onboarding procedure, see Install the client (安装客户端).
You must have activated Log Service (TLS).
Log Analysis records two kinds of logs: security alert logs and vulnerability logs.
Common fields present on every alert record:
Field | Type | Description |
---|---|---|
rule_name | string | Alert name |
hostname | string | Affected asset |
in_ipv4_list | string | Internal IPv4 addresses (multiple addresses joined with ',') |
ex_ipv4_list | string | External IPv4 addresses (same ','-joined format) |
in_ipv6_list | string | Internal IPv6 addresses |
ex_ipv6_list | string | External IPv6 addresses |
alert_type | string | Alert type |
alert_type_us | string | Alert type (English) |
harm_level | string | Severity (critical/high/medium/low) |
agent_id | string | agent_id of the host |
tags | string | Host tags |
alert_desc | string | Alert description |
alert_desc_us | string | Alert description (English) |
suggestion | string | Remediation advice |
data_type | string | Data type |
attack_id | string | MITRE ATT&CK technique ID |
os_type | string | linux/windows |
timestamp | string | Time the alert was generated |
__insert_time | string | Time the alert was written to the log store |
Alert-specific fields for Linux hosts. Which of these are present depends on the alert type:
Field | Type | Description |
---|---|---|
pid | string | Process PID |
exe | string | Process binary path |
argv | string | Process command line |
ppid | string | Parent process PID |
ppid_argv | string | Parent process command line |
pgid | string | Process group ID |
pgid_argv | string | Process group command line |
username | string | User name the process runs as |
target_pid | string | Target process ID |
ptrace_request | string | ptrace request type |
target_argv | string | Target process command line |
path | string | File path |
sip | string | Source IP |
sport | string | Source port |
types | string | Login type (login alerts) or file type (file alerts) |
user | string | Login user name |
ssh_info | string | SSH connection information |
pid_tree | string | Process tree (pid.comm entries joined with '<', leaf first) |
socket_pid | string | PID of the process holding the outbound connection |
socket_argv | string | Command line of the process holding the outbound connection |
ssh | string | Related SSH login information |
uid | string | UID the process runs as |
connect_info | string | Connection information |
ld_preload | string | LD_PRELOAD setting (libraries linked at run time) |
run_path | string | Working directory of the process |
comm | string | Process name |
stdin | string | Process standard input |
stdout | string | Process standard output |
old_name | string | Original file name |
new_name | string | New file name |
fd_name | string | In-memory file name (memfd) |
flags | string | Creation flags |
query | string | DNS query |
file_path | string | File path |
ko_file | string | Kernel module file |
old_uid | string | UID before privilege escalation |
old_username | string | User name before privilege escalation |
module_name | string | Kernel module name |
syscall_number | string | System call number |
interrupt_number | string | Interrupt number |
static_file | string | Process binary file (static scan target) |
file_hash | string | File hash |
name | string | Malware family |
class | string | Sample type |
create_at | string | File creation time |
modify_at | string | File modification time |
external_conns | string | Outbound connections |
pid_set | string | Set of process IDs |
probe_hook | string | Probe hook (collection point) |
args_array | string | Arguments |
nspid | string | PID inside the process namespace |
stack_trace_format | string | Call stack |
highlight_fields | string | Fields to highlight |
hit_argv_list | string | List of matched sensitive command lines |
ioc_source | string | IOC intelligence source |
ioc_severity | string | IOC intelligence severity |
ioc_meta | string | IOC intelligence metadata |
ioc_detail | string | Raw IOC intelligence record |
container_create_timestamp | string | Container creation timestamp |
container_host_name | string | Container host name (Docker only) |
container_id | string | Container ID |
container_ip | string | Container IP address |
container_name | string | Container name |
container_net_mode | string | Container network mode (Docker only) |
container_pns | string | Container process namespace ID (pns) |
container_query_result | string | Result of the container-context lookup (whether container fields could be populated) |
container_runtime | string | Container runtime |
container_state | string | Container state |
image_id | string | Image ID |
image_name | string | Image name |
pod_id | string | Pod ID (Kubernetes only) |
pod_name | string | Pod name (Kubernetes only) |
Additional fields carried by kill-chain alerts (several alerts correlated into one incident):
Field | Type | Description |
---|---|---|
top_rule_chain | string | Rule chain (kill-chain alerts) |
top_chain | string | Process chain (kill-chain alerts) |
node_list | Array | List of member alerts; each entry carries the same fields as a Linux host alert |
attack_id_list | string | Comma-joined ATT&CK technique IDs, e.g. "T1543,T1571" |
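As an added example (not code from the product or its documentation), the following Python normalizes a host alert into a fixed shape using the conventions visible in the sample records on this page: "-" marks an absent value, IP and ATT&CK lists are comma-joined, pid_tree is a chain of pid.comm entries separated by '<' with the leaf process first, and kill-chain alerts nest their member alerts under node_list. The field names come from the tables above; the two sample records and the MISSING constant are constructed here.

```python
"""Normalize Cloud Security Center host alert records (added example).

Assumes the documented field names plus the conventions seen in the page's
sample records: "-" placeholder, comma-joined lists, pid_tree chains and
node_list nesting on kill-chain alerts.
"""
from __future__ import annotations

from typing import Any

MISSING = "-"  # placeholder the agent emits for an empty field (assumption from samples)


def value(record: dict, key: str) -> str | None:
    """Return a field, mapping the "-" placeholder, "" and absent keys to None."""
    v = record.get(key)
    if v is None or v == MISSING or v == "":
        return None
    return str(v)


def split_list(record: dict, key: str) -> list[str]:
    """Split a comma-joined list field (in_ipv4_list, attack_id_list, ...)."""
    v = value(record, key)
    return [p.strip() for p in v.split(",") if p.strip()] if v else []


def parse_pid_tree(tree: str | None) -> list[tuple[int, str]]:
    """Parse "826013.nc<825998.bash<1.systemd" into [(826013, 'nc'), ...], leaf first."""
    if not tree:
        return []
    chain = []
    for node in tree.split("<"):
        pid, _, comm = node.partition(".")
        if pid.isdigit():
            chain.append((int(pid), comm))
    return chain


def normalize_alert(rec: dict) -> dict[str, Any]:
    """Flatten one alert (plain or kill-chain) into a stable triage shape."""
    techniques = split_list(rec, "attack_id") + split_list(rec, "attack_id_list")
    # Kill-chain alerts nest member alerts under node_list; fold their
    # attack_id values into the parent's technique set.
    nodes = rec.get("node_list") or []
    for node in nodes:
        techniques += split_list(node, "attack_id")
    return {
        "rule_name": value(rec, "rule_name_us") or value(rec, "rule_name"),
        "hostname": value(rec, "hostname"),
        "severity": value(rec, "harm_level"),
        "internal_ipv4": split_list(rec, "in_ipv4_list"),
        "external_ipv4": split_list(rec, "ex_ipv4_list"),
        "source_ip": value(rec, "sip"),
        "process_chain": parse_pid_tree(value(rec, "pid_tree")),
        "in_container": value(rec, "container_id") is not None,
        "techniques": sorted(set(techniques)),
        "node_count": len(nodes),
    }


# Constructed from the reverse-shell sample record on this page (abridged).
SAMPLE_ALERT = {
    "rule_name": "反弹shell", "rule_name_us": "Reverse shell",
    "hostname": "VolcTest", "harm_level": "critical", "attack_id": "T1059",
    "in_ipv4_list": "10.17.0.128", "ex_ipv4_list": "-", "sip": "-",
    "pid_tree": "826013.nc<825998.bash<825860.containerd-shim<1.systemd",
    "container_id": "aced05645b323b2f3f85dc851456207a622f0ab7d54cfa6c74777acd6ebbe6d9",
}

# Constructed kill-chain alert wrapping two member alerts (hypothetical data).
SAMPLE_KILLCHAIN = {
    "rule_name": "killchain", "hostname": "VolcTest", "harm_level": "critical",
    "attack_id_list": "T1543,T1571", "in_ipv4_list": "10.17.0.128,10.17.0.129",
    "node_list": [SAMPLE_ALERT, {"attack_id": "T1110", "sip": "180.184.85.207"}],
}

if __name__ == "__main__":
    print(normalize_alert(SAMPLE_ALERT))
    print(normalize_alert(SAMPLE_KILLCHAIN))
```

The normalizer treats `rule_name_us` as the preferred display name and falls back to `rule_name`, so downstream tooling gets one key regardless of which variant a record carries.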
Alert-specific fields for Windows hosts:
Field | Type | Description |
---|---|---|
AccountExpires | string | Account expiry time |
AdditionalActionsString | string | Recommended additional actions |
CategoryName | string | Category |
CommandLine | string | Command line |
Configuration | string | Configuration file |
ConfigurationFileHash | string | Configuration file hash |
Contents | string | Contents |
CurrentDirectory | string | Working directory |
Description | string | Binary file description |
DestinationHostname | string | Destination host name |
DestinationIp | string | Destination IP |
DestinationPort | string | Destination port |
DestinationPortName | string | Destination port name |
Details | string | Operation details |
DetectionUser | string | User who triggered the detection |
EventType | string | Registry operation type |
FailureReason | string | Failure reason |
Hash | string | Binary hash |
Hashes | string | Binary hashes |
HomeDirectory | string | Home directory |
Image | string | Process image file |
ImageLoaded | string | Loaded image (DLL or driver) |
IpAddress | string | Network IP address |
LogonType | string | Logon type |
NewThreadId | string | New thread ID |
OriginalFileName | string | Original file name |
ParentCommandLine | string | Parent process command line |
ParentImage | string | Parent process image |
Path | string | Path |
PrivilegeList | string | Privileges assigned to the logon |
ProcessGuid | string | Process GUID |
ProcessId | string | Process ID |
ProcessName | string | Process that performed the logon (logon events) |
Protocol | string | Protocol |
QueryName | string | DNS query name |
QueryResults | string | DNS query results |
QueryStatus | string | DNS query status |
SamAccountName | string | SAM account name (legacy logon name) |
ServiceAccount | string | Service account |
ServiceFileName | string | Service binary path |
ServiceName | string | Service name |
ServiceStartType | string | Service start type |
ServiceType | string | Service type |
SeverityName | string | Severity |
Signature | string | Driver signer |
SignatureStatus | string | Driver signature status |
SourceImage | string | Source process image |
SourceIp | string | Source IP |
SourceName | string | Detection source |
SourcePort | string | Source port |
SourceProcessGuid | string | Source process GUID |
SourceUser | string | User of the source process |
StartFunction | string | Start function (remote thread) |
StartModule | string | Start module (remote thread) |
SubjectUserName | string | Account performing the operation |
TargetDomainName | string | Logon domain |
TargetFilename | string | File created |
TargetObject | string | Target object of the operation |
TargetUserName | string | Logon user name |
TaskContent | string | Scheduled task content |
TaskName | string | Scheduled task name |
ThreatName | string | Threat name |
User | string | User |
Sample alert records. The first is a brute-force alert (common fields plus login fields such as sip, sport, user, types and connect_info); the second is a reverse-shell alert raised inside a Docker container (process fields plus the container_* fields). String values are shown exactly as the agent emits them.

```json
{
  "ex_ipv4_list": "-",
  "alert": true,
  "rawlog": "Failed password for invalid user admin from 180.184.85.207 port 37478 ssh2",
  "in_ipv4_list": "10.17.0.128",
  "SMITH_KEY": "3298534885129",
  "data_type": "4000",
  "rule_name_us": "Single source bruteforce",
  "SMITH_INPUT": "hids",
  "reason_ip": "180.184.85.207",
  "attack_id": "T1110",
  "suggestion": "【处置建议】\n1. 请先确认是否为业务多次失败登录触发\n2. 如果非业务行为,建议通过修改【/etc/ssh/sshd_config】配置文件并重启sshd服务来关闭密码登录\n3. 并如果【连接信息】内目的IP并非业务主要IP,建议封禁对恶意IP的访问请求\n\n【关注字段】\n攻击源IP,登陆用户名",
  "psm_name": "-",
  "type": "HIDS_WARN",
  "rule_version": "2.1.0.1",
  "sip": "180.184.85.207",
  "SMITH_ALERT_DATA": {
    "HIT_DATA": [
      "critical_brute_single_login_black sip:[NI]:-",
      "critical_brute_single_login_black status:[INCL]:false",
      "critical_brute_single_login_black rawlog:[NI]:receive identification",
      "critical_brute_single_login_black sip:[CUSTOM]::[NotLocalIP]:180.184.85.207",
      "critical_brute_single_login_black Frequency:19"
    ],
    "RULE_INFO": {
      "DesignateNode": null,
      "Action": null,
      "Threshold": "",
      "HarmLevel": "medium",
      "FreqCountType": "",
      "Desc": "【敏感行为】主机存在被单一外部来源IP发起的爆破,2分钟内登录失败19次",
      "AffectedTarget": "service",
      "FreqCountField": "",
      "RuleType": "Detection",
      "FreqHitReset": false,
      "Author": "lez",
      "RuleID": "critical_brute_single_login_alert",
      "KillChainID": "init_attack",
      "RuleName": "单一来源暴力破解",
      "FreqRange": 0
    }
  },
  "timestamp": "2023-09-17T06:13:40Z",
  "sport": "37478",
  "os_type": "linux",
  "in_ipv6_list": "-",
  "pid": "812179",
  "psm_path": "-",
  "highlight_fields": "sip,status,rawlog",
  "alert_detail": "VolcTest 机器上存在 [单一来源暴力破解] 的中危告警; admin 通过 password 尝试登陆失败,源IP为 180.184.85.207, 关联访问 180.184.85.207",
  "time": "1694931213",
  "time_pkg": "1694931213",
  "types": "password",
  "ex_ipv6_list": "-",
  "status": "false",
  "hostname": "VolcTest",
  "alert_type": "暴力破解",
  "version": "1.8.2.1",
  "enhanced": "false",
  "user": "admin",
  "alert_type_us": "bruteforce",
  "risk": 2,
  "exposure": "true",
  "tags": "-",
  "data_type_str": "SSH登陆",
  "connect_info": "No Data <- 180.184.85.207:37478",
  "alert_detail_us": "There is a medium level alert for [Single source bruteforce] on the VolcTest machine. admin successfully logged in to the machine through password, the source IP is 180.184.85.207, correlated network access 180.184.85.207",
  "alert_desc": "【敏感行为】主机存在被单一外部来源IP发起的爆破,2分钟内登录失败19次",
  "harm_level": "medium",
  "ip": "10.17.0.128",
  "extra": "-",
  "agent_id": "42bdf78e-d1f7-58a9-adaf-24859999ccf7",
  "alert_desc_us": "[Sensitive behavior] The host has been attacked by a single-source IP, and the login failed 19 times within 1 minute",
  "product": "elkeid-agent",
  "invalid": "false",
  "SMITH_TIMESTAM": 1694931221261438000,
  "rule_name": "单一来源暴力破解",
  "docker": "-"
}
```

```json
{
  "dip": "-",
  "sid": "825998",
  "SMITH_INPUT": "hids",
  "pgid_argv": "nc -e /bin/bash",
  "container_net_mode": "bridge",
  "reason_comm": "nc<bash<containerd-shim<systemd",
  "alert_desc_us": "[Sensitive behavior] There are reverse shells based on common shell commands",
  "highlight_fields": "argv,exe",
  "tracing_id": "825998",
  "run_path": "/",
  "enhanced": "false",
  "timestamp": "2023-09-17T07:15:45Z",
  "username": "root",
  "sa_family": "-",
  "ip": "10.17.0.128",
  "ssh": "-5",
  "pod_name": "-",
  "container_host_name": "aced05645b32",
  "container_id": "aced05645b323b2f3f85dc851456207a622f0ab7d54cfa6c74777acd6ebbe6d9",
  "rule_name": "反弹shell",
  "pod_id": "-",
  "exe": "/bin/nc.openbsd",
  "exe_hash": "cf9479de201f247a",
  "alert_detail_us": "There is a critical level alert for [Reverse shell] on the VolcTest machine. Parent Process 825998 created new process /bin/nc.openbsd (pid is 825998, command line is nc -e /bin/bash) with user root, correlated processID 825998",
  "pid_tree": "826013.nc<825998.bash<825860.containerd-shim<1.systemd",
  "root_pns": "16903108491974017025",
  "tty": "pts1",
  "product": "elkeid-agent",
  "pns": "16903107783304413926",
  "uid": "0",
  "alert": true,
  "in_ipv4_list": "10.17.0.128",
  "time": "1694934942",
  "tgid": "826013",
  "psm": "-",
  "sip": "-",
  "ppid_argv": "/bin/bash",
  "tags": "-",
  "time_pkg": "1694934942",
  "stdin": "/dev/pts/1",
  "container_create_time": "1694934895",
  "psm_path": "-",
  "pgid": "826013",
  "suggestion": "【处置建议】\n1. 请先确认是否存在已知渗透测试行为\n2. 如果非业务行为请通过root登陆,使用【ps aux | grep $PID】命令(此处$PID为告警内的的进程ID)查看进程是否存活\n3. 清理【rm】启动进程的文件,并关闭反弹shell进程【kill -9 $PID】\n4. 如果【连接信息】内目的IP并非业务主要IP,建议封禁对恶意IP的访问请求\n5.请结合从属事件内的关联告警与当前告警的溯源数据作为上下文来判断入侵入口来源与受影响范围\n\n【关注字段】\n进程命令行,进程组命令行,外链进程命令行,连接信息",
  "dport": "-",
  "rule_version": "2.1.0.1",
  "container_runtime": "docker",
  "res": "0",
  "stdout": "/dev/pts/1",
  "data_type": "59",
  "is_honeypot": "-",
  "ppid": "825998",
  "container_query_result": "success",
  "risk": 4,
  "container_name": "ypb_test",
  "reason_sid": "825998|1694934942",
  "ld_preload": "-5",
  "alert_type": "代码执行",
  "data_type_str": "进程启动",
  "alert_detail": "VolcTest 机器上存在 [反弹shell] 的严重告警; 父进程 825998 使用 root 用户创建了新进程 /bin/nc.openbsd (pid为 825998, 命令行为 nc -e /bin/bash ), 关联进程 825998",
  "ld_library_path": "-5",
  "alert_type_us": "execution",
  "ex_ipv4_list": "-",
  "hostname": "VolcTest",
  "psm_name": "-",
  "comm": "nc",
  "type": "HIDS_WARN",
  "argv": "nc -e /bin/bash",
  "rule_name_us": "Reverse shell",
  "docker": "true",
  "pid": "825998",
  "image_id": "23173282a8d401e153f2991d8edeef1b2fe5d9a11142e002c018dd2318c13d6f",
  "sport": "-",
  "nodename": "aced05645b32",
  "in_ipv6_list": "-",
  "SMITH_KEY": "4398046595252",
  "os_type": "linux",
  "socket_argv": "-",
  "container_ip": "172.17.0.3",
  "SMITH_ALERT_DATA": {
    "RULE_INFO": {
      "DesignateNode": null,
      "Author": "lez",
      "AffectedTarget": "host_process",
      "FreqCountType": "",
      "HarmLevel": "critical",
      "FreqRange": 0,
      "Threshold": "",
      "Desc": "【敏感行为】存在利用常见shell命令的反弹shell",
      "RuleID": "critical_sensitive_command_alert",
      "RuleName": "反弹shell",
      "RuleType": "Detection",
      "Action": null,
      "FreqCountField": "",
      "FreqHitReset": false,
      "KillChainID": "execution"
    },
    "HIT_DATA": [
      "critical_sensitive_command_black2 argv:[INCL]:nc",
      "critical_sensitive_command_black2 argv:[REGEX]:nc -e",
      "critical_sensitive_command_black2 exe:[REGEX]:nc"
    ]
  },
  "agent_id": "42bdf78e-d1f7-58a9-adaf-24859999ccf7",
  "alert_desc": "【敏感行为】存在利用常见shell命令的反弹shell",
  "version": "1.8.2.1",
  "attack_id": "T1059",
  "SMITH_TIMESTAM": 1694934945997967991,
  "image_name": "tafthorne/netcat-debian",
  "container_pns": "4026532582",
  "container_state": "running",
  "ex_ipv6_list": "-",
  "harm_level": "critical",
  "socket_pid": "-",
  "connect_info": "-"
}
```
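The page opens by pointing at SQL-based reports and alert rules over these logs. As an added example (not the product's own query, and not the TLS console's exact SQL dialect, which this page does not document), the following Python loads constructed alert rows into SQLite and runs two reports on the documented field names: brute-force sources ranked by alert volume within a time window, and hosts with critical alerts, which is the shape of condition an alert rule would evaluate. The rows are built from the two sample records above plus a few extra brute-force hits so the aggregation has something to group; the table name hids_alert is an assumption.

```python
"""SQL-style reporting over Cloud Security Center alert logs (added example).

SQLite stands in for the log store so the queries can be run offline; the
column names are the documented alert fields, the table name is assumed.
"""
import sqlite3

# Constructed rows: (timestamp, hostname, rule_name_us, alert_type_us, harm_level, sip, user).
# The first and fourth rows mirror the page's two sample alerts; the rest are hypothetical.
SAMPLE_ROWS = [
    ("2023-09-17T06:13:40Z", "VolcTest", "Single source bruteforce", "bruteforce", "medium", "180.184.85.207", "admin"),
    ("2023-09-17T06:15:02Z", "VolcTest", "Single source bruteforce", "bruteforce", "medium", "180.184.85.207", "root"),
    ("2023-09-17T06:40:11Z", "VolcTest", "Single source bruteforce", "bruteforce", "medium", "203.0.113.9", "admin"),
    ("2023-09-17T07:15:45Z", "VolcTest", "Reverse shell", "execution", "critical", "-", "root"),
    ("2023-09-17T07:20:00Z", "web-01", "Single source bruteforce", "bruteforce", "high", "180.184.85.207", "oracle"),
]

SCHEMA = """
CREATE TABLE hids_alert (
    timestamp TEXT, hostname TEXT, rule_name_us TEXT, alert_type_us TEXT,
    harm_level TEXT, sip TEXT, user TEXT
)
"""

# Report 1: brute-force sources ranked by volume, with how many distinct
# usernames and hosts each one hit inside the window. '-' is the agent's
# placeholder for "no source IP" and must be excluded, not grouped.
BRUTEFORCE_BY_SOURCE = """
SELECT sip,
       COUNT(*)                 AS alerts,
       COUNT(DISTINCT user)     AS users_tried,
       COUNT(DISTINCT hostname) AS hosts_hit,
       MIN(timestamp)           AS first_seen,
       MAX(timestamp)           AS last_seen
FROM hids_alert
WHERE alert_type_us = 'bruteforce'
  AND sip <> '-'
  AND timestamp BETWEEN ? AND ?
GROUP BY sip
ORDER BY alerts DESC, sip
"""

# Report 2: hosts at or above a critical-alert threshold, the kind of
# condition an alert rule over the log would fire on.
CRITICAL_HOSTS = """
SELECT hostname, COUNT(*) AS critical_alerts
FROM hids_alert
WHERE harm_level = 'critical'
GROUP BY hostname
HAVING COUNT(*) >= ?
ORDER BY critical_alerts DESC, hostname
"""


def load(rows=SAMPLE_ROWS) -> sqlite3.Connection:
    """Create an in-memory table with the documented columns and insert rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO hids_alert VALUES (?,?,?,?,?,?,?)", rows)
    return conn


def bruteforce_report(conn, start: str, end: str) -> list:
    """ISO-8601 'Z' timestamps sort lexically, so a string BETWEEN is a time window."""
    return conn.execute(BRUTEFORCE_BY_SOURCE, (start, end)).fetchall()


def critical_hosts(conn, threshold: int = 1) -> list:
    return conn.execute(CRITICAL_HOSTS, (threshold,)).fetchall()


if __name__ == "__main__":
    c = load()
    for row in bruteforce_report(c, "2023-09-17T06:00:00Z", "2023-09-17T08:00:00Z"):
        print(row)
    print(critical_hosts(c))
```

Narrowing the window is how the same query becomes an alert condition: run it over the last few minutes and fire when `alerts` or `users_tried` for a single `sip` crosses a threshold.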
Vulnerability log fields:
Raw field | Meaning | Data type | Notes |
---|---|---|---|
account_id | Account ID | string | |
agent_id | Host ID | string | |
region | Region the host is in | string | |
internet_ip | Public IP of the host | string | May be empty |
intranet_ip | Primary private IP of the host | string | |
instance_name | Instance name | string | |
op | Vulnerability operation | string | add --> vulnerability found by a scan |
level | Vulnerability severity | string | danger --> critical (the sample below shows mid) |
vuln_id | Vulnerability ID | int64 | Carried as a string in the sample below |
vuln_name | Vulnerability name | string | |
vuln_type | Vulnerability type | string | linux, windows, app, webcms |
action | Exploitability rating | string | block --> highly exploitable vulnerability |
cve_id | CVE identifier | string | e.g. CVE-2023-43804 |
tag | Vulnerability tags | []string | In the sample below the array arrives JSON-encoded inside a string |
create_time | Time the vulnerability record was created | int64 | Epoch seconds, carried as a string in the sample below |
control_time | Time of the last operation on the record | int64 | Epoch seconds, carried as a string in the sample below |
Sample vulnerability record (the tag value is shown with its inner quotes escaped so the record is valid JSON):

```json
{
  "Checked": "false",
  "__package_offset__": "2097152",
  "__source__": "vuln",
  "__tag____client_ip__": "192.168.1.67",
  "__tag____receive_time__": "1710290787041",
  "__time__": "1710290784000",
  "account_id": "2100001101",
  "action": "invisible",
  "agent_id": "i-ycsf1m0tmor9cxxachs3",
  "control_time": "1709037809",
  "create_time": "1709037809",
  "cve_id": "CVE-2022-42011",
  "drop_status": "using",
  "flag_id": "8c6ab9ce-71cf-47c5-a150-404283ab30c0",
  "instance_name": "shared-4c16g-c-f97lfz",
  "internet_ip": "",
  "intranet_ip": "66.3.0.36",
  "level": "mid",
  "op": "add",
  "operate_reason": "",
  "region": "cn-guilin-boe",
  "status": "unprocessed",
  "tag": "[\"数组索引验证不当\",\"存在EXP\"]",
  "update_time": "1710290770",
  "vuln_id": "202768",
  "vuln_name": "D-bus_project d-bus 数组索引验证不当漏洞",
  "vuln_type": "linux"
}
```
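As an added example (not product code), the following Python parses a vulnerability record into a triage-ready shape and handles the two things the sample shows that the field table does not: timestamps arrive as epoch-second strings, and tag arrives as a JSON array encoded inside a string. Only the codes the table documents (op add, level danger, action block) are mapped to labels; anything else, such as the sample's level mid and action invisible, passes through unchanged rather than being guessed at. SAMPLE_RECORD is constructed from the sample above, and triage_rank is an illustrative ordering, not the product's.

```python
"""Parse Cloud Security Center vulnerability log records (added example).

Assumes the documented field names and enumerations; undocumented codes are
kept verbatim. The epoch-string timestamps and the string-encoded tag array
follow the sample record on the page.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

# Only the codes the documentation spells out; anything else is kept as-is.
OP_LABELS = {"add": "detected by scan"}
LEVEL_LABELS = {"danger": "critical"}
ACTION_LABELS = {"block": "highly exploitable"}
EXPLOIT_TAG = "存在EXP"  # tag text as emitted in the sample record

# Constructed from the sample record above (abridged).
SAMPLE_RECORD = {
    "__source__": "vuln",
    "account_id": "2100001101",
    "agent_id": "i-ycsf1m0tmor9cxxachs3",
    "region": "cn-guilin-boe",
    "internet_ip": "",
    "intranet_ip": "66.3.0.36",
    "instance_name": "shared-4c16g-c-f97lfz",
    "op": "add",
    "level": "mid",
    "action": "invisible",
    "vuln_id": "202768",
    "vuln_name": "D-bus_project d-bus 数组索引验证不当漏洞",
    "vuln_type": "linux",
    "cve_id": "CVE-2022-42011",
    "tag": "[\"数组索引验证不当\",\"存在EXP\"]",
    "create_time": "1709037809",
    "control_time": "1709037809",
}


def decode_tags(raw) -> list[str]:
    """tag is documented as []string but arrives as a JSON array inside a string."""
    if isinstance(raw, list):
        return [str(t) for t in raw]
    if not raw:
        return []
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return [raw]  # keep an undecodable value rather than silently dropping it
    return [str(t) for t in parsed] if isinstance(parsed, list) else [str(parsed)]


def epoch_seconds(raw) -> datetime | None:
    """create_time / control_time are epoch seconds carried as strings."""
    if raw in (None, "", "-"):
        return None
    return datetime.fromtimestamp(int(raw), tz=timezone.utc)


def parse_vuln(rec: dict) -> dict:
    """Flatten one vulnerability record into a stable shape for triage."""
    tags = decode_tags(rec.get("tag"))
    level = rec.get("level", "")
    action = rec.get("action", "")
    return {
        "host": rec.get("instance_name") or rec.get("agent_id"),
        "ip": rec.get("internet_ip") or rec.get("intranet_ip"),  # public IP may be empty
        "cve": rec.get("cve_id") or None,
        "name": rec.get("vuln_name"),
        "type": rec.get("vuln_type"),
        "op": OP_LABELS.get(rec.get("op"), rec.get("op")),
        "level": LEVEL_LABELS.get(level, level),
        "action": ACTION_LABELS.get(action, action),
        "tags": tags,
        "has_public_exploit": EXPLOIT_TAG in tags,
        "created": epoch_seconds(rec.get("create_time")),
        "last_op": epoch_seconds(rec.get("control_time")),
    }


def triage_rank(v: dict) -> int:
    """Illustrative ordering (lower is more urgent): documented 'danger' level
    first, then anything rated highly exploitable or tagged with an exploit."""
    rank = 3
    if v["level"] == "critical":
        rank -= 2
    if v["action"] == "highly exploitable" or v["has_public_exploit"]:
        rank -= 1
    return rank


if __name__ == "__main__":
    parsed = parse_vuln(SAMPLE_RECORD)
    print(parsed, triage_rank(parsed))
```

Passing unknown codes through unchanged matters here: the documented enumerations are incomplete (the sample already shows values outside them), and a mapping that defaulted unknown levels to "low" would hide findings.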