You can configure alert rules in ActionTrail to automatically monitor for specific events and send notifications when those events occur. This helps you respond quickly to potential security threats or non-compliant activities in your Alibaba Cloud account.
Prerequisites
Before you can create alert rules, you must complete the following:
Activate Simple Log Service (SLS). The alerting feature relies on SLS. If you have not used it before, log on to the SLS console and follow the prompts to activate the service.
Create a trail that delivers events to SLS. You must have an ActionTrail trail that delivers events to an SLS Logstore. This trail should be configured to log all management events. For instructions, see Create a single-account trail and Create a multi-account trail.
The alerting feature uses SLS, which incurs costs for data storage, queries, and notifications. For more information, see SLS billing overview.
Step 1: Create an alert rule
You can create an alert rule from a predefined template for common use cases or create a custom rule for specific needs.
Create an alert rule from a template
ActionTrail provides templates for common security events, such as a change to a VPC network route.
Log on to the ActionTrail console.
In the left-side navigation pane, click Alerts.
On the Alert Rules tab, click the arrow next to Create Alert and choose Create from Template.
Find the template you want to use (such as VPC Network Route Change Alert) and click it.
In the panel that appears, click OK.
The alert rule is created and enabled automatically. You can see its status is Running on the Alert Rules tab.
Create a custom alert rule
For advanced use cases, you can create a custom alert rule with your own query and conditions. On the Alert Rules tab, click Create Alert. For detailed instructions, see Create a custom alert rule.
Step 2: Configure notification settings (optional)
You can customize how you receive alert notifications by creating contacts, notification templates, and action policies.
Creating contacts and contact groups
You can add individual users as contacts and organize them into contact groups to receive notifications.
To create a contact:
Log on to the ActionTrail console.
In the left-side navigation pane, click Alerts.
Navigate to Notification Objects > User Management and click Create.
In the Create User dialog box, enter the user's details, such as ID, name, phone number, and email address, then click OK.
To create a contact group:
Navigate to Alerts > Notification Objects > User Group Management and click Create.
In the Add User Group dialog box, enter an ID and name, select the users to add to the group, and click OK.
Creating notification templates
ActionTrail uses a default template for alert notifications. You can create custom templates to control the format and content of notifications sent via different channels, such as email, SMS, or Slack.
Log on to the ActionTrail console.
In the left-side navigation pane, click Alerts.
Navigate to Notification Management > Alert Template and click Create.
In the Add Alert Template dialog box, enter an ID and name.
For each notification method (such as email, Slack, and Webhook), define the language, subject/title, and content. You can use template variables to include dynamic data from the alert.
Click Confirm.
Creating action policies
Action policies control how notifications for an alert rule are routed and throttled. ActionTrail provides several built-in action policies, and you can also create custom ones. Within a policy, you can define conditions that send different notifications to different contact groups based on the alert's content.
Log on to the ActionTrail console.
In the left-side navigation pane, click Alerts.
Navigate to Notification Management > Action Policy and click Create.
In the Add Action Policy dialog box, enter an ID and name.
Configure the policy logic by adding Condition and Action Group nodes.
Define one or more conditions to match specific alerts. For example, create a condition that matches alerts where the Alibaba Cloud Account ID is 123456789012****.
Define an action group that specifies the notification method (such as email), the notification template, and the contact group to notify when the conditions are met.
Click Confirm.
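To make the relationship between a custom alert rule (Step 1), an action policy's conditions and an action group concrete, the following Python script is an added illustration; it is not ActionTrail or SLS code. The event field names (eventName, serviceName, accountId), the list of event names treated as a route change, the throttling window and all sample events are assumptions constructed for this example.

```python
"""Illustrative model of alert rule -> action policy -> action group routing.

Added example, not ActionTrail or SLS code. Event field names, the
route-change event list and the throttle window are assumptions; the
sample events are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed ActionTrail-style management events (flattened for readability).
# eventTime is in seconds to keep the throttling arithmetic obvious.
EVENTS = [
    {"eventName": "CreateRouteEntry", "serviceName": "Vpc", "accountId": "111111111111111", "eventTime": 100},
    {"eventName": "DescribeInstances", "serviceName": "Ecs", "accountId": "111111111111111", "eventTime": 110},
    {"eventName": "DeleteRouteEntry", "serviceName": "Vpc", "accountId": "222222222222222", "eventTime": 120},
    {"eventName": "CreateRouteEntry", "serviceName": "Vpc", "accountId": "111111111111111", "eventTime": 130},
]


@dataclass
class AlertRule:
    """An alert rule is a named predicate over individual events."""
    name: str
    matches: Callable[[dict], bool]


# Stand-in for the "VPC Network Route Change Alert" template: any write to a
# route entry in the Vpc service. The set of event names is an assumption.
ROUTE_CHANGE_RULE = AlertRule(
    "VPC Network Route Change Alert",
    lambda e: e["serviceName"] == "Vpc"
    and e["eventName"] in {"CreateRouteEntry", "DeleteRouteEntry", "ModifyRouteEntry"},
)


@dataclass
class ActionGroup:
    """What to send, with which template, and to whom."""
    method: str
    template: str
    contact_group: str


@dataclass
class Condition:
    """A condition node: if the alert matches, route it to this action group."""
    matches: Callable[[dict], bool]
    action_group: ActionGroup


@dataclass
class ActionPolicy:
    conditions: list
    default: ActionGroup
    throttle_seconds: int = 60
    _last_sent: dict = field(default_factory=dict)

    def route(self, alert: dict) -> Optional[dict]:
        """Pick the first matching condition (else the default group) and
        suppress repeats of the same alert to the same recipients inside
        the throttle window."""
        group = next((c.action_group for c in self.conditions if c.matches(alert)), self.default)
        key = (alert["rule"], alert["accountId"], group.contact_group)
        last = self._last_sent.get(key)
        if last is not None and alert["eventTime"] - last < self.throttle_seconds:
            return None  # throttled: duplicate within the window
        self._last_sent[key] = alert["eventTime"]
        return {"method": group.method, "template": group.template,
                "to": group.contact_group, "alert": alert}


def evaluate(events: list, rule: AlertRule) -> list:
    """Turn every event matching the rule into an alert tagged with the rule name."""
    return [dict(e, rule=rule.name) for e in events if rule.matches(e)]


def build_policy() -> ActionPolicy:
    """Constructed policy: alerts from one specific account go to the security
    on-call group by email; everything else goes to the platform team by SMS."""
    security = ActionGroup("email", "security-template", "security-oncall")
    platform = ActionGroup("sms", "default-template", "platform-team")
    return ActionPolicy(
        conditions=[Condition(lambda a: a["accountId"] == "222222222222222", security)],
        default=platform,
    )


def run(events: list, rule: AlertRule, policy: ActionPolicy) -> list:
    """Evaluate the rule over the events and return the notifications actually sent."""
    return [n for n in (policy.route(a) for a in evaluate(events, rule)) if n is not None]


if __name__ == "__main__":
    for notification in run(EVENTS, ROUTE_CHANGE_RULE, build_policy()):
        print(notification["method"], "->", notification["to"], notification["alert"]["eventName"])
```

Of the four constructed events, three match the route-change rule; the policy routes the first to the platform team, the second (from the other account) to security on-call, and suppresses the third because it repeats the first alert for the same account and recipients within the 60-second window.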