ActionTrail provides the advanced event query feature, which helps you query events that were generated in multiple regions more than 90 days ago. This topic describes how to use the advanced event query feature in the ActionTrail console.

Prerequisites

A trail that meets all of the following conditions has been created. For more information, see Create a single-account trail and Create a multi-account trail.
  • The trail delivers the events that are generated in all regions.
  • The trail delivers all types of events.
  • The trail delivers events to Log Service.

Scenarios

You can perform advanced event queries in standard mode or simple mode. In standard mode, you build the query visually from drop-down lists. In simple mode, you write the query conditions yourself in the search box using the query syntax shown in the examples below.

Standard mode
  • Single-condition query: You can filter events by service name, event name, resource name, resource type, read/write type, username, AccessKey ID, source IP, account ID, account type, region, event source, or event ID.
    Example: To query all KMS-related events that were generated in a specified time range, select Key Management Service(Kms) from the Service Name drop-down list.
  • Multi-condition query: You can specify one or more services and one or more regions to query events.
    Example: To query KMS-related events that were generated in the China (Hangzhou) and China (Shanghai) regions, select Key Management Service(Kms) from the Service Name drop-down list, and select China (Hangzhou) and China (Shanghai) from the Region drop-down list.

Simple mode
  • Keyword-based query: You can enter a keyword in the search box based on your business requirements.
    Example: To query all write events, enter * AND (event.eventRW: Write) in the search box.
  • Single-condition query: You can specify a filter condition in the Who, What, Which, Where, or Other category to query events.
    Example: To query all KMS-related events that were generated in a specified time range, enter * AND (event.serviceName: Kms) in the search box.
  • Multi-condition query: You can specify multiple filter conditions in the Who, What, Which, Where, and Other categories to query events.
    Example: To query events of ActionTrail-related operations performed by the user Alex, enter * AND (event.serviceName: Actiontrail) AND event.userIdentity.userName: Alex in the search box.
  • NOT operator-based query: You can specify multiple filter conditions and change the operator in front of a filter condition that you want to negate to NOT.
    Example: To query events of ActionTrail-related operations performed by all users except Alex, enter * AND (event.serviceName: Actiontrail) NOT event.userIdentity.userName: Alex in the search box.
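As an added illustration that is not part of the ActionTrail documentation, the following Python renders simple-mode filter conditions into the query string shown above and evaluates the same AND/NOT semantics locally over constructed sample events, so the effect of negating one condition can be checked before the query is run in the console. The helper names and the sample events are assumptions made for the example.

```python
# Constructed sample ActionTrail-style events (not real log data). Only the
# fields referenced by the queries in this topic are included.
SAMPLE_EVENTS = [
    {"eventRW": "Write", "serviceName": "Kms",
     "userIdentity": {"userName": "Alex"}},
    {"eventRW": "Read", "serviceName": "Actiontrail",
     "userIdentity": {"userName": "Alex"}},
    {"eventRW": "Write", "serviceName": "Actiontrail",
     "userIdentity": {"userName": "Bob"}},
]


def build_query(conditions):
    """Render (field, value, negate) triples as a simple-mode query string.

    Every condition is parenthesized for consistency, e.g.
    '* AND (event.serviceName: Actiontrail) NOT (event.userIdentity.userName: Alex)'.
    """
    parts = ["*"]
    for field, value, negate in conditions:
        operator = "NOT" if negate else "AND"
        parts.append(f"{operator} (event.{field}: {value})")
    return " ".join(parts)


def _lookup(event, dotted_field):
    """Resolve a dotted field such as 'userIdentity.userName' inside an event."""
    current = event
    for key in dotted_field.split("."):
        if not isinstance(current, dict) or key not in current:
            return None
        current = current[key]
    return current


def matches(event, conditions):
    """True when every AND condition holds and every NOT condition fails."""
    for field, value, negate in conditions:
        hit = _lookup(event, field) == value
        # A positive condition needs hit=True; a negated one needs hit=False.
        if hit == negate:
            return False
    return True


def filter_events(events, conditions):
    """Apply the conditions to a list of events and return the matches."""
    return [event for event in events if matches(event, conditions)]
```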

Procedure

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Trails.
  3. On the Trails page, click the name of the trail that you want to set as the default trail for the advanced event query feature.
  4. On the trail details page, click Enable next to Enable Advanced Features.
  5. In the left-side navigation pane, click Advanced Event Query.
  6. In the top navigation bar, select the region where the events for which you want to perform advanced event queries are generated.
  7. On the Advanced Event Query page, query events in standard mode or simple mode.
    Standard mode:
    1. Specify filter conditions.
    2. Click Query.
    3. Click the plus icon (+) to the left of the event whose details you want to view.
    4. Optional. Click Event Detail to view the event log.
    Simple mode:
    1. Click Switch to the simple mode.
    2. Specify filter conditions.
    3. Click Query.
    4. Click the plus icon (+) to the left of the event whose details you want to view.
    5. Optional. Click Event Detail to view the event log.