All Products
Search
Document Center

ActionTrail:Overview of Insights events

最終更新日:May 24, 2024

ActionTrail provides the Insights feature to help you identify unusual activities from management events. After you enable the Insights feature, ActionTrail analyzes management events, identifies unusual activities that are associated with API call rates, API error rates, IP addresses, AccessKey pair call rates, permission changes, password changes, and trail concealment, and then generates Insights events. You can use the Insights events to identify potential risks to your cloud resources and handle the risks at the earliest opportunity.

Differences between Insights events and management events

Event type

Description

References

Management event

A management event is generated when a management operation is performed on an Alibaba Cloud resource by using an Alibaba Cloud-based entity. Each management event is stored as a log entry.

Management event structure

Insights event

ActionTrail uses mathematical models to analyze management events in the cloud and identify unusual activities that are associated with API call rates, API error rates, IP addresses, AccessKey pair call rates, permission changes, password changes, and trail concealment. For example, if an attacker steals your account and performs a large number of write operations such as deleting operations on a resource by using an external IP address, Insights events on IP address are generated for the IP address, and Insights events on API call rate are generated for the deleting operation.

Insights event structure

Features

ActionTrail analyzes all management events within your Alibaba Cloud account over a historical period of time and generates the following types of Insights events: ApiCallRateInsight, ApiErrorRateInsight, IpInsight, AkInsight, PolicyChangeInsight, PasswordChangeInsight, and TrailConcealmentInsight. ApiCallRateInsight indicates Insights events on API call rate. ApiErrorRateInsight indicates Insights events on API error rate. IpInsight indicates Insights events on IP address. AkInsight indicates Insights events on AccessKey pair call rate. PolicyChangeInsight indicates Insights events on permission change. PasswordChangeInsight indicates Insights events on password change. TrailConcealmentInsight indicates Insights events on trail concealment. Each Insights event contains a start event that indicates the start time of the Insights event and an end event that indicates the end time of the Insights event.

  • Insights events on API call rate (ApiCallRateInsight): ActionTrail uses mathematical models to analyze all write events and normal patterns of API call rates within your Alibaba Cloud account and generates Insights events when the call rates are outside the normal patterns.

  • Insights events on API error rate (ApiErrorRateInsight): ActionTrail uses mathematical models to analyze all API error rate-related management events and normal patterns of API error rates within your Alibaba Cloud account and generates Insights events when the error rates are outside the normal patterns.

  • Insights events on IP address (IpInsight): ActionTrail analyzes normal patterns of IP addresses. ActionTrail generates Insights events when suspicious IP addresses are identified from new IP addresses.

  • Insights events on AccessKey pair call rate (AkInsight): ActionTrail uses mathematical models to analyze normal patterns of AccessKey pair call rates within your Alibaba Cloud account and generates Insights events when the call rates are outside the normal patterns.

  • Insights events on permission change (PolicyChangeInsight): ActionTrail analyzes all cloud services whose permissions can be changed within your Alibaba Cloud account, such as Resource Access Management (RAM), Object Storage Service (OSS), and Resource Management. ActionTrail uses mathematical models to analyze normal patterns of operators and generates Insights events for abnormal operators.

  • Insights events on password change (PasswordChangeInsight): ActionTrail analyzes all cloud services whose passwords can be changed within your Alibaba Cloud account, such as Key Management Service (KMS), Account Logon Service (AasCustomer), and RAM User Logon Service (AasSub). ActionTrail uses mathematical models to analyze normal patterns of operators and generates Insights events for abnormal operators.

  • Insights events on trail concealment (TrailConcealmentInsight): ActionTrail analyzes the actions to disable or delete a trail in ActionTrail within your Alibaba Cloud account. ActionTrail uses mathematical models to analyze normal patterns of operators and generates Insights events for abnormal operators.

How an Insights event works

  • Conditions for generating Insights events: After you enable the Insights feature, ActionTrail continuously analyzes all subsequent management events and generates the first Insights event at least 24 hours after the feature is enabled. Insights events provide information about unusual activities. If no unusual activities are identified within your Alibaba Cloud account, no Insights events are generated.

  • Statistical scope: Insights events are generated by region. ActionTrail analyzes management events in a region to generate Insights events. Therefore, the Insights events and the management events belong to the same region.

  • Rules for generating Insights events:

    • Insights events on API call rate (ApiCallRateInsight) provide information about the difference between the current call rates and the normal patterns. ActionTrail uses mathematical models to analyze the calling behavior, the calling methods, and the normal patterns of call rates of the current API and generates Insights events when the call rates are outside the normal patterns.

      Note

      Insights events on API call rate (ApiCallRateInsight) are generated for write events.

    • Insights events on API error rate (ApiErrorRateInsight) provide information about the difference between the current error rates and the normal patterns. ActionTrail uses mathematical models to analyze the calling behavior, the calling methods, and the normal patterns of error rates of the current API and generates Insights events when the error rates are outside the normal patterns.

      Note

      Insights events on API error rate (ApiErrorRateInsight) are generated for read and write events.

    • Insights events on IP address (IpInsight) provide information about suspicious IP addresses. If you use IP address-heterogeneity algorithms, new IP addresses may be incorrectly identified as suspicious IP addresses. If Insights events on IP address are generated for an IP address, only one Insights event is generated on the current day. The event is generated when the first request is sent from the IP address.

    • Insights events on AccessKey pair call rate (AkInsight) provide information about the difference between the current call rates and the normal patterns. ActionTrail generates Insights events when the call rates are outside the normal patterns.

      Note

      Insights events on AccessKey pair call rate (AkInsight) are generated for write events.

    • Insights events on permission change (PolicyChangeInsight) provide information about permission changes of abnormal operators. ActionTrail uses machine learning algorithms to generate association rules and a frequent item set, and then generates Insights events for abnormal operators.

    • Insights events on password change (PasswordChangeInsight) provide information about password changes of abnormal operators. ActionTrail uses machine learning algorithms to generate association rules and a frequent item set and then generates Insights events for abnormal operators.

    • Insights events on trail concealment (TrailConcealmentInsight) provide information about the operations that delete or disable trails for abnormal operators. ActionTrail uses machine learning algorithms to generate association rules and a frequent item set and then generates Insights events for abnormal operators.

Usage notes

  • You cannot query Insights events in the following regions:

    • China (Heyuan)

    • China (Nanjing - Local Region)

    • China (Guangzhou)

    • China (Fuzhou - Local Region)

    • China (Wuhan - Local Region)

    • South Korea (Seoul)

    • Philippines (Manila)

    • UAE (Dubai)

    Note

    For more information about the regions where Insights events are supported, see Supported regions.

  • You can use the Insights feature free of charge. For more information about the billing of the Insights feature, see Billing.

  • After you enable the Insights feature, ActionTrail continuously analyzes all subsequent management events that are generated in supported regions.

  • An Insights event is generated at least 24 hours after the Insights feature is enabled. ActionTrail generates Insights events when ActionTrail detects unusual activities within your Alibaba Cloud account.

Query Insights events

After you enable the Insights feature, you can query the Insights events that are generated within the last month in a supported region. For more information, see Query Insights events in the ActionTrail console.