Create a custom alert rule - ActionTrail - Alibaba Cloud Documentation Center

You can create a custom alert rule to monitor specific events. This helps you monitor the security of your business. ActionTrail generates alerts based on the query statements, check frequency, and trigger conditions that you configure. ActionTrail denoises alerts and sends notifications based on the alert policy and action policy that you configure. This topic describes how to create a custom alert rule. This topic also provides custom query statements for different scenarios and examples of custom query statements.

Background information

Custom alert rules allow you to use SQL statements to query events. For more information about the SQL syntax, see Log search overview and Log analysis overview.

Procedure

Log on to the ActionTrail console.
In the left-side navigation pane, click Event Alerting.
On the Alert Center page, click the Alert Rules/Incidents tab and then click Create Alert.
In the Alert Monitoring Rule panel, configure custom query statements.
1. Click Create next to the Query Statistics parameter.
2. On the Advanced Settings tab of the Query Statistics dialog box, set the Type parameter to Logstore and the Authorization parameter to Default.
  Note
  The Region and Project parameters are automatically configured based on the trail for which the event alerting feature is enabled.
3. Select a Logstore of the trail from the Logstore drop-down list. The name of the Logstore is in the actiontrail_<Trail name> format.
4. Configure whether to enable Dedicated SQL.
  Note
  - Auto: By default, Dedicated SQL is disabled. If the number of concurrent queries exceeds the upper limit or the query results are inaccurate, Simple Log Service automatically retries the queries by using Dedicated SQL.
  - Enable: Dedicated SQL is enabled.
  - Disable: Dedicated SQL is disabled.
  For more information about how to enable Dedicated SQL, see Enable Dedicated SQL.
5. Configure the Time Range parameter, enter a custom query statement in the Query field, and then click Preview.
  For more information about custom query statements, see Custom query statements.
6. Click Confirm.
In the Alert Monitoring Rule panel, configure the following parameters: Rule Name, Check Frequency, Group Evaluation, Trigger Condition, Add Label, Add Annotation, Recovery Notifications, Advanced Settings, and Destination.
For more information, see Create an alert monitoring rule for logs.
Click OK.
After the custom alert rule is created, the rule is displayed in the alert rule list. Custom Alerts is displayed in the Type column for the custom alert rule. You can manage the created custom alert rule based on your business requirements. For more information, see Manage an alert rule.

Custom query statements

Scenario	Description	Custom query statement
Query specific events of cloud services	You can configure the serviceName and eventName parameters to query specific events of cloud services.	Query an event of a cloud service. For example, you can use the following statement to query the event that is generated when an Elastic Compute Service (ECS) instance is created: `serviceName: Ecs and eventName: RunInstances` Query multiple events of a cloud service. For example, you can use the following statement to query the events that are generated when ApsaraDB RDS instances are released: `event.serviceName: RDS and (event.eventName: DeleteDBInstance or event.eventName: Release or event.eventName: DestroyDBInstance)` Query multiple events of different cloud services. For example, you can use the following statement to query the events on permission changes in Resource Management and Resource Access Management (RAM): `(event.serviceName: ResourceManager and (event.eventName: AttachPolicy or event.eventName: DetachPolicy )) or (event.serviceName: Ram and (event.eventName: AttachPolicyToUser or event.eventName: AttachPolicyToGroup or event.eventName: AttachPolicyToRole or event.eventName: DetachPolicyFromUser or event.eventName: DetachPolicyFromGroup or event.eventName: DetachPolicyFromRole))`
Query the values of specified parameters	Event parameters are stored in the event.requestParameterJson parameter in the JSON format. ActionTrail allows you to create a custom alert rule to generate alerts when the values of event parameters are queried.	Query the event that is generated when the release protection attribute of an ECS instance is changed to false. `event.serviceName: Ecs and event.eventName: ModifyInstanceAttribute \| SELECT * FROM (SELECT cast(json_extract("event.requestParameterJson", '$.DeletionProtection') as varchar) as deletion_protection FROM log) WHERE deletion_protection = 'false'` Query the event that is generated when the IP address 0.0.0.0 is added to the whitelist of an ApsaraDB RDS instance. `event.serviceName: Rds and event.eventName: ModifySecurityIps \| SELECT * FROM (SELECT cast(json_extract("event.requestParameterJson", '$.SecurityIps') as varchar) as security_ips FROM log) WHERE security_ips like '%0.0.0.0%'`
Query resources	You can configure the resourceName and resourceType parameters to query resources that are related to specific events. For more information about the parameters, see Management event structure.	Query a resource. For example, you can use the following statement to query the ID of the ECS instance that is released in an instance release event: `event.serviceName: Ecs and (event.eventName: DeleteInstances or event.eventName: DeleteInstance or event.eventName: Release) \| SELECT resourceArray[num] as instance_id FROM (SELECT split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Instance') as num FROM log) where num > 0`
Query identities	You can query the information about identities in specific events and create a custom alert rule to generate alerts for specific identities. The userIdentity parameter contains multiple fields, such as type, userName, principalId, and accountId. For more information about the parameters, see Management event structure.	Query the type of an identity. `* \| SELECT "event.userIdentity.type" as user_type` Query the name of an identity. `* \| SELECT "event.userIdentity.userName" as user_name` Query the ID of an identity. `* \| SELECT "event.userIdentity.principalId" as principal_id` Query the ID of the Alibaba Cloud account to which an identity belongs. `* \| SELECT "event.userIdentity.accountId" as account_id`
Query statistics	You can query the number of times that an event is generated and create a custom alert rule to generate alerts when the specified threshold is exceeded.	Query the number of times that an ECS instance is restarted. For example, you can use the following statement to query the event that is generated when an ECS instance is restarted more than twice: `event.serviceName: Ecs and (event.eventName: RebootInstances or event.eventName: RebootInstance) \| SELECT account_id, resourceArray[num] as instance_id, count(*) as cnt FROM ( SELECT "event.userIdentity.accountId" as account_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Instance') as num FROM log) where num > 0 group by account_id, instance_id` Query the number of logon failures of an account. For example, you can use the following statement to query the event that is generated when a logon failure occurs more than twice for the same account: `event.eventName: ConsoleSignin and event.userIdentity.type: ram-user and not event.errorMessage: success \| select "event.userIdentity.principalId" as user_id, "event.userIdentity.userName" as user_name, count(1) as cnt group by user_id, user_name`

Examples of custom query statements

The arbitrary function returns a random and non-null value of x. The syntax of the arbitrary function is arbitrary(x). For more information about the arbitrary function, see arbitrary function. The following list provides examples of custom query statements:

Example 1: Query the events that are generated when an ApsaraDB RDS instance is released
event.serviceName: RDS and (event.eventName: DeleteDBInstance or event.eventName: Release or event.eventName: DestroyDBInstance) | SELECT account_id, resourceArray[num] as instance_id, ram_user_id, user_type, user_name FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::RDS::DBInstance') as num, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log ) where num > 0
Example 2: Query the events that are generated when the configuration of a security group is changed
event.eventName: CreateSecurityGroup OR event.eventName: AuthorizeSecurityGroup OR event.eventName: AuthorizeSecurityGroupEgress OR event.eventName: RevokeSecurityGroup OR event.eventName: RevokeSecurityGroupEgress OR event.eventName: JoinSecurityGroup OR event.eventName: LeaveSecurityGroup OR event.eventName: DeleteSecurityGroup OR event.eventName: ModifySecurityGroupPolicy) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name

References

You can also create custom alert rules in Simple Log Service. For more information, see Create an alert monitoring rule for logs.
After you enable an alert rule, you can view the information about the alert rule in Simple Log Service. For more information, see Manage an alert monitoring rule.