Intrusion Defense Logs

Last updated: 2024-09-06 17:49:46

Each row below describes one field of an intrusion defense log record. The Log Types column lists the alarm log types in which the field is present: HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog and BaseLineLog.

| Field Identifier | Field Type | Field Name | Field Description | Reference Values | Log Types |
|---|---|---|---|---|---|
| instance_id | string | Victim-related asset ID | - | - | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| time | int64 | Alarm occurrence time | - | - | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| src_ip | string | Source IP | - | 192.168.0.1 | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| dst_ip | string | Destination IP | - | 192.168.0.1 | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| src_port | int64/int | Source port | - | - | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| dst_port | int64/int | Destination port | - | - | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| direction | int64 | Direction | 0: outbound; 1: inbound. TCP protocol alarm: session direction; session protocol: traffic direction | - | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| protocol | string | Protocol | - | TCP | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| strategy | string | Alarm action | Handling action for alarms. 0: observe; 1: block; 2: allow; 3: deceive | 0 | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| strategy_res | string | Alarm action identification ID | - | strage_alert | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog |
| event_name | string | Attack event type | - | Log4j2 vulnerability exploitation | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| eventname_res (event_name_res) | string | Attack event type identification ID | - | log4j2_exploit | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog |
| dst_domain | string | External domain name | - | - | HoneyPotHost, HoneyPotNetwork, BlockList, TiLog, BaseLineLog |
| level | string | Alarm level | Alarm severity level | Critical | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| level_res | string | Alarm level identification ID | - | level_serious | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog |
| level_int | int | Alarm level number | - | 5 | HoneyPotHost, HoneyPotNetwork |
| address | string | City where the attack IP is located | - | Shenzhen, Guangdong Province, China | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| address_en | string | City where the attack IP is located (English) | - | Shenzhen, China | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog |
| insert_time | int64 | Alarm storage time | - | 2023/1/1 0:00:00 | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| service_id | string | Honeypot ID | - | - | HoneyPotHost, HoneyPotNetwork |
| type | string | Alarm sub-type identification | - | ti | HoneyPotHost, HoneyPotNetwork, TiLog, BaseLineLog |
| sub_source_type | string | Alarm sub-type | Alarm classification, including Virtual Patching, Basic Defense, Ban List, Network Honeypot, etc. | Virtual Patching | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| sub_source_type_res | string | Alarm sub-type identification ID | Alarm sub-type identification ID: source_virtualpatch = Virtual Patching, source_basicrule = Basic Defense, etc. | source_virtualpatch | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog |
| payload | string | Attack payload | Payload information of the attack traffic | - | HoneyPotHost, HoneyPotNetwork, IdsLog, TiLog |
| cmdline | string | Command | Network honeypot host event: sensitive command executed in the honeypot | bash -c ifconfig execve /bin/bash\|m=100755\|o=0:0 | HoneyPotHost |
| template_id | string | Network honeypot template ID | - | - | HoneyPotHost |
| docker_id | string | Unique ID of the network honeypot | - | - | HoneyPotHost, HoneyPotNetwork |
| proc_chan | string | Process tree | Process tree of the network honeypot host event | bashP{ | HoneyPotHost |
| kill_chain | string | Attack chain | Attack chain: the attack phase of the alarm event | Vulnerability exploitation | HoneyPotHost, HoneyPotNetwork |
| kill_chain_res | string | Attack chain identification ID | - | kill_chain_exploit | HoneyPotHost, HoneyPotNetwork |
| event_id | string | Alarm ID | - | - | HoneyPotHost, HoneyPotNetwork |
| exe | string | Executable file path | - | /sbin/ifconfig | HoneyPotHost |
| probe_id | string | Probe ID | - | probe-id | HoneyPotHost, HoneyPotNetwork |
| service_type | string | Network honeypot type | Network honeypot type | SSH Honeypot | HoneyPotHost, HoneyPotNetwork |
| service_type_res | string | Network honeypot type identification ID | - | ssh_honeypot | HoneyPotHost, HoneyPotNetwork |
| script_name | string | Network honeypot script name | - | - | HoneyPotHost, HoneyPotNetwork |
| log_source | string | Data source | Alarms from Inter-VPC Firewalls and intranet honeypots carry the value move; alarms from honeypot hosts carry host; alarms from public network honeypots carry network | move | HoneyPotHost, HoneyPotNetwork, IdsLog |
| login_user | string | Login user used in the attack | - | [root, 1qaz!QAZ] | HoneyPotHost, HoneyPotNetwork |
| visible_tag | int | Visibility | - | - | HoneyPotHost, HoneyPotNetwork |
| timestamp | string | Alarm timestamp | - | 2023-01-01T00:00:00+08:00 | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| ti_type | string | Associated intelligence threat type tag (included in the alarm) | - | ["SSH Honeypot Attack","Conventional Network Brute Force","Brute Force Attack"] | HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| ti_type_en | string | Associated intelligence threat type tag (included in the alarm), English | - | ["SSH honeypot attack","General network cracking","Brute force"] | HoneyPotNetwork, BlockList, IdsLog, TiLog |
| ti_white | string | Allowlist tag (included in the alarm) | - | Intelligence allowlist | HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| ti_white_res | string | Allowlist tag (included in the alarm) identification ID | - | intelligence_allowlist | HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| src_country | string | Source country | The country where the source IP is located | United States of America | BlockList, IdsLog, TiLog, BaseLineLog |
| src_country_en | string | Source country (English) | The country where the source IP is located, in English | United States of America | BlockList, IdsLog, TiLog |
| dst_country | string | Destination country | The country where the destination IP is located | United States of America | BlockList, IdsLog, TiLog, BaseLineLog |
| dst_country_en | string | Destination country (English) | The country where the destination IP is located, in English | United States of America | BlockList, IdsLog, TiLog |
| attack_vector | string | Attack exploitation method | - | code-exec | IdsLog |
| attack_count | int | Number of alarms | - | - | IdsLog |
| nat_ip | string | NAT IP | NAT public IP address | 8.8.8.8 | IdsLog, TiLog, BaseLineLog |
| nat_port | int | NAT port | NAT public network port | - | IdsLog, TiLog, BaseLineLog |
| fws_id | string | Firewall ID | - | - | IdsLog |
| fw_type | string | Firewall type | Firewall type: vpc = Inter-VPC Firewall; nat = NAT Firewall; sg = enterprise security group; empty = edge firewall | nat | IdsLog |
| src_vpc | string | ID of the VPC where the attacker asset is located | - | - | IdsLog |
| dst_vpc | string | ID of the VPC where the victim asset is located | - | - | IdsLog |
| src_ins_id | string | Attacker-related asset ID | - | - | IdsLog |
| dst_ins_id | string | Victim-related asset ID | - | - | IdsLog |
| nat_ins_id | string | NAT instance ID | - | - | TiLog, BaseLineLog |
| nat_ins_name | string | NAT instance name | - | - | TiLog |
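
The following Python normalizer is an added example, not Tencent Cloud's own code, showing how a SOC ingest pipeline might consume records in this layout: it decodes the direction, strategy and fw_type codes from the table (including the empty fw_type that means edge firewall), renders both the int64 `time` and the ISO-8601 `timestamp` in UTC and checks that they agree, unwraps the JSON array carried inside the `ti_type` string, and applies a few illustrative triage rules. The two records are constructed samples built from the table's reference values; the instance IDs, destination IPs, ports and the helper names (`normalize`, `triage`, `parse_ti_type`, `to_utc`) are assumptions of this example, not part of the log format.

```python
"""Normalize and triage Tencent Cloud Firewall intrusion defense log records.

Added example (not Tencent Cloud code). Field names and code tables come from
the field table; SAMPLE_IDS and SAMPLE_HONEYPOT are constructed records, and
every helper name here is an assumption of this example.
"""
import json
from datetime import datetime, timezone

# Code tables from the field table. Note that strategy is typed as a string.
DIRECTION = {0: "outbound", 1: "inbound"}
STRATEGY = {"0": "observe", "1": "block", "2": "allow", "3": "deceive"}
FW_TYPE = {
    "vpc": "Inter-VPC Firewall",
    "nat": "NAT Firewall",
    "sg": "enterprise security group",
    "": "edge firewall",  # the table says an empty fw_type means edge firewall
}

# Constructed IdsLog record: reference values from the table, the rest made up.
SAMPLE_IDS = {
    "instance_id": "ins-example", "time": 1672502400,
    "timestamp": "2023-01-01T00:00:00+08:00",
    "src_ip": "192.168.0.1", "dst_ip": "10.0.0.5", "src_port": 44321, "dst_port": 8080,
    "direction": 1, "protocol": "TCP", "strategy": "0", "strategy_res": "strage_alert",
    "event_name": "Log4j2 vulnerability exploitation", "event_name_res": "log4j2_exploit",
    "level": "Critical", "level_res": "level_serious", "attack_vector": "code-exec",
    "sub_source_type_res": "source_virtualpatch", "fw_type": "nat", "nat_ip": "8.8.8.8",
    "ti_white": "-", "ti_type": '["SSH Honeypot Attack","Brute Force Attack"]',
}

# Constructed HoneyPotHost record: a command was executed inside the honeypot.
SAMPLE_HONEYPOT = {
    "instance_id": "ins-example", "time": 1672502400,
    "timestamp": "2023-01-01T00:00:00+08:00",
    "src_ip": "192.168.0.1", "dst_ip": "10.0.0.9", "src_port": 50000, "dst_port": 22,
    "direction": 1, "protocol": "TCP", "strategy": "3", "level_res": "level_serious",
    "level_int": 5, "service_type_res": "ssh_honeypot", "kill_chain_res": "kill_chain_exploit",
    "cmdline": "bash -c ifconfig execve /bin/bash|m=100755|o=0:0", "exe": "/sbin/ifconfig",
    "login_user": "[root, 1qaz!QAZ]", "log_source": "host",
}


def parse_ti_type(value):
    """ti_type is a string holding a JSON array; tolerate '-', empty and real lists."""
    if value in (None, "", "-"):
        return []
    if isinstance(value, list):
        return list(value)
    try:
        parsed = json.loads(value)
    except ValueError:
        return [value]  # not JSON: keep the raw tag rather than dropping it
    return parsed if isinstance(parsed, list) else [str(parsed)]


def to_utc(epoch_seconds=None, iso_timestamp=None):
    """Render either the int64 `time` or the ISO-8601 `timestamp` as a UTC string."""
    if epoch_seconds is not None:
        return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).isoformat()
    return datetime.fromisoformat(iso_timestamp).astimezone(timezone.utc).isoformat()


def normalize(record):
    """Return a copy of the record with enum codes decoded and times in UTC."""
    out = dict(record)
    out["direction_name"] = DIRECTION.get(record.get("direction"), "unknown")
    out["strategy_name"] = STRATEGY.get(str(record.get("strategy", "")), "unknown")
    if "fw_type" in record:
        out["fw_type_name"] = FW_TYPE.get(record["fw_type"] or "", "unknown")
    if record.get("time") is not None:
        out["time_utc"] = to_utc(epoch_seconds=record["time"])
    if record.get("timestamp"):
        out["timestamp_utc"] = to_utc(iso_timestamp=record["timestamp"])
    out["ti_type_list"] = parse_ti_type(record.get("ti_type"))
    return out


def triage(event):
    """Reasons an analyst should look at a normalized event first ([] = deprioritise).

    The rules are illustrative and rely only on the field semantics in the table.
    """
    if event.get("ti_white_res") == "intelligence_allowlist":
        return []  # the platform already tagged the source via the intelligence allowlist
    reasons = []
    if event["strategy_name"] == "observe" and event.get("level_res") == "level_serious":
        reasons.append("critical alert was only observed, not blocked")
    if event["direction_name"] == "outbound" and event.get("dst_domain", "-") != "-":
        reasons.append("outbound connection from a protected asset to " + event["dst_domain"])
    if event.get("cmdline"):
        reasons.append("command executed inside honeypot: " + event["cmdline"])
    if event.get("time_utc") and event.get("timestamp_utc") and event["time_utc"] != event["timestamp_utc"]:
        reasons.append("time and timestamp disagree; check the ingest clock or parsing")
    return reasons


if __name__ == "__main__":
    for sample in (SAMPLE_IDS, SAMPLE_HONEYPOT):
        ev = normalize(sample)
        print(ev["direction_name"], ev["strategy_name"], ev["ti_type_list"], triage(ev))
```

Running the file prints the decoded direction, action and threat tags for both constructed records followed by their triage reasons. The time consistency check matters in practice because `time` is an epoch value while `timestamp` carries a +08:00 offset; comparing them only after both are rendered in UTC avoids false mismatches when the collector runs in a different zone.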
