You can create a custom alert rule to monitor specific events. This helps you monitor the security of your business. ActionTrail generates alerts based on the query statements, check frequency, and trigger conditions that you configure. ActionTrail denoises alerts and sends notifications based on the alert policy and action policy that you configure. This topic describes how to create a custom alert rule. This topic also provides custom query statements for different scenarios and examples of custom query statements.
Background information
Custom alert rules allow you to use SQL statements to query events. For more information about the SQL syntax, see Log search overview and Log analysis overview.
Procedure
Log on to the ActionTrail console.
In the left-side navigation pane, click Event Alerting.
On the Alert Rules tab of the Alert Center page, click Create Alert.
In the Create Alert panel, configure custom query statements.
Click Create next to the Query Statistics parameter.
On the Advanced Settings tab of the Query Statistics dialog box, set the Type parameter to Logstore and the Authorization parameter to Default.
Note: The Region and Project parameters are automatically configured based on the trail for which the event alerting feature is enabled.
Select a Logstore of the trail from the Logstore drop-down list. The name of the Logstore is in the actiontrail_<Trail name> format.
Configure whether to enable Dedicated SQL.
Note: The following options are available:
Auto: By default, Dedicated SQL is disabled. If the number of concurrent queries exceeds the upper limit or the query results are inaccurate, Simple Log Service automatically retries the queries by using Dedicated SQL.
Enable: Dedicated SQL is enabled.
Disable: Dedicated SQL is disabled.
For more information about how to enable Dedicated SQL, see Enable Dedicated SQL.
Configure the Time Range parameter, enter a custom query statement in the Query field, and then click Preview.
For more information about custom query statements, see Custom query statements.
Click Confirm.
In the Alert Monitoring Rule panel, configure the following parameters: Rule Name, Check Frequency, Group Evaluation, Trigger Condition, Add Label, Add Annotation, Recovery Notifications, Advanced Settings, and Destination.
For more information, see Create an alert monitoring rule for logs.
Click OK.
After the custom alert rule is created, the rule is displayed in the alert rule list. You can manage the created custom alert rule based on your business requirements. For more information, see Manage alert rules.
Custom query statements
Scenario | Description | Custom query statement
Query specific events of cloud services | You can configure the serviceName and eventName parameters to query specific events of cloud services. |
Query the values of specified parameters | Event parameters are stored in the event.requestParameterJson parameter in the JSON format. You can create a custom alert rule that generates alerts based on the values of these event parameters. |
Query resources | You can configure the resourceName and resourceType parameters to query resources that are related to specific events. For more information about the parameters, see Management event structure. | Query a resource. For example, you can use the following statement to query the ID of the ECS instance that is released in an instance release event:
Query identities | You can query the information about identities in specific events and create a custom alert rule to generate alerts for specific identities. The userIdentity parameter contains multiple fields, such as type, userName, principalId, and accountId. For more information about the parameters, see Management event structure. |
Query statistics | You can query the number of times that an event is generated and create a custom alert rule to generate alerts when the specified threshold is exceeded. |
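The following statement is an added example that is not part of the original page; it combines several of the scenarios above in one query. The search part before the vertical bar filters events by serviceName and eventName, the analysis part extracts a request parameter from event.requestParameterJson, groups the events by the identity that performed them, and keeps only identities whose event count exceeds a threshold, which is the shape a statistics-based alert needs. The serviceName value Ecs, the eventName DeleteInstance, the request parameter name InstanceId, and the threshold of 3 are assumptions for illustration; check the actual values against the Management event structure and the events recorded in your trail before using the statement in a rule.

```sql
-- Added example, not code from the original page.
-- Assumed values: serviceName "Ecs", eventName "DeleteInstance", request parameter "InstanceId".
event.serviceName: Ecs and event.eventName: DeleteInstance |
SELECT
  "event.userIdentity.accountId"   AS account_id,
  "event.userIdentity.principalId" AS ram_user_id,
  arbitrary("event.userIdentity.type")     AS user_type,
  arbitrary("event.userIdentity.userName") AS user_name,
  -- event parameters are stored as JSON; collect the released instance IDs for this identity
  array_agg(json_extract_scalar("event.requestParameterJson", '$.InstanceId')) AS instance_ids,
  count(*) AS release_count
FROM log
GROUP BY account_id, ram_user_id
-- statistics scenario: only return identities that released more than 3 instances in the time range
HAVING count(*) > 3
```

Because the grouping key is the identity, the trigger condition of the alert rule can be as simple as checking that any row is returned; the threshold itself lives in the HAVING clause, and instance_ids gives the responder the affected resources without a second query. The arbitrary function is used for user_type and user_name because these fields are constant within one identity group, as in Example 2 below.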
Examples of custom query statements
The arbitrary function returns an arbitrary non-null value of x. The syntax of the arbitrary function is arbitrary(x). For more information about the arbitrary function, see arbitrary function. The following list provides examples of custom query statements:
Example 1: Query the events that are generated when an ApsaraDB RDS instance is released
event.serviceName: RDS and (event.eventName: DeleteDBInstance or event.eventName: Release or event.eventName: DestroyDBInstance) | SELECT account_id, resourceArray[num] as instance_id, ram_user_id, user_type, user_name FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::RDS::DBInstance') as num, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log ) where num > 0
Example 2: Query the events that are generated when the configuration of a security group is changed
(event.eventName: CreateSecurityGroup OR event.eventName: AuthorizeSecurityGroup OR event.eventName: AuthorizeSecurityGroupEgress OR event.eventName: RevokeSecurityGroup OR event.eventName: RevokeSecurityGroupEgress OR event.eventName: JoinSecurityGroup OR event.eventName: LeaveSecurityGroup OR event.eventName: DeleteSecurityGroup OR event.eventName: ModifySecurityGroupPolicy) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name
References
You can also create custom alert rules in Simple Log Service. For more information, see Create an alert rule for logs.
After you enable an alert rule, you can view the information about the alert rule in Simple Log Service. For more information, see Manage an alert rule.