Insight events help you identify unusual operations that are recorded in management events. After you enable the insight event feature for a trail, ActionTrail identifies API calls from unusual IP addresses recorded in management events and generates insight events. Insight events help you identify potential risks to your cloud resources and allow you to take remedial measures at the earliest opportunity. This topic describes how to query insight events in the ActionTrail console.

Prerequisites

  • You have been granted the permissions to manage insight events. To request these permissions, submit a ticket.
  • A single-account trail that meets the following conditions is created.
    • The trail delivers the events that are generated in all regions.
    • The trail delivers all types of events.
    For more information, see Create a single-account trail.

Step 1: Enable the insight event feature for a trail

You can enable the insight event feature when you create a trail or for an existing trail. The following steps show how to enable the insight event feature for an existing trail.

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Trails.
  3. On the Trails page, click the name of the trail that you want to set as the default trail for the insight event feature.
  4. In the Log Event section of the trail details page, turn on the switch next to Operations from Unusual IP Addresses.

Step 2: Query insight events

  1. In the left-side navigation pane, click Insight.
  2. In the top navigation bar, from the drop-down list, select the region in which the insight event that you want to query was generated.
  3. On the Insight page, enter a keyword such as an unusual IP address in the search box, set the time range to query, and then click the Search icon.
    Note
    • You can use IP addresses, types of insight events, and event IDs to filter insight events.
    • Insight events that are generated based on global events can be queried only in the home region of the relevant trail.
  4. In the IP column, click the unusual IP address that you entered. In the trend chart, view the trend in the number of API calls from the unusual IP address in the specified time range and the heterogeneity value of the unusual IP address.
  5. Click an event in the event list. In the trend chart, view each point in time when the event was generated and the total number of times the event was generated in the specified time range.
  6. Optional: View the details of an event that is related to the unusual IP address on the ActionTrail Events tab. Alternatively, click the Original Insight Event tab to view the code of the relevant insight event.