You can create custom alert rules to monitor specified events, which lets you monitor the security of your business flexibly. A custom alert rule carries a custom query statement, and you can write different query statements for different scenarios so that alerts are generated for the events you care about. This topic describes how to create a custom alert rule, explains the custom query statements that apply to different scenarios, and provides sample query statements.
Background information
In custom alert rules, you can use SQL statements to query events. For more information about the syntax, see Log search overview and Log analysis overview.
Procedure
Custom query statements
| Scenario | Description | Sample statement |
|---|---|---|
| Query specific events of cloud services | You can query specific events of cloud services by specifying the serviceName and eventName parameters. | |
| Query values of specified parameters | Event parameters and their values are stored in the event.requestParameterJson parameter in JSON format. ActionTrail allows you to create a custom alert rule that generates alerts for specified values of event parameters. | |
| Query resources that are related to specified events | You can query resources that are related to specified events by specifying the resourceName and resourceType parameters. For more information, see Management event log reference. You can also query a specified type of resource that is related to an event. For example, you can use the following statement to query the ID of the ECS instance that is released in an instance release event: | |
| Query identities that are related to specified events | You can query the information about identities in specified events and configure ActionTrail to generate alerts for specified identities. The userIdentity parameter contains multiple fields, such as type, userName, principalId, and accountId. For more information, see Table 1. | |
| Query statistics of specified events | You can query the number of times that an event occurs and configure ActionTrail to generate alerts when the specified threshold is exceeded. | |
Sample custom query statements
The arbitrary function returns a random, non-null value of x. Its syntax is arbitrary(x). For more information about the arbitrary function, see arbitrary function. The following two sample statements are provided:
- Sample 1: Query the event in which an ApsaraDB RDS instance is released. The search part matches the RDS release events; the SQL part splits the `;`-separated resourceName and resourceType lists, uses array_position to find the position of the ACS::RDS::DBInstance type, and reads the instance ID from the same position in resourceName (`num > 0` drops events that contain no RDS instance).

```sql
event.serviceName: RDS and (event.eventName: DeleteDBInstance or event.eventName: Release or event.eventName: DestroyDBInstance) | SELECT account_id, resourceArray[num] as instance_id, ram_user_id, user_type, user_name FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::RDS::DBInstance') as num, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log ) where num > 0
```

- Sample 2: Query the event in which the configuration of a security group is changed. The search part lists the security group modification events (the original statement was missing the opening parenthesis, which is restored here); the SQL part groups the matches by account, RAM user, and event name, and uses arbitrary to pick one user type and user name per group.

```sql
(event.eventName: CreateSecurityGroup OR event.eventName: AuthorizeSecurityGroup OR event.eventName: AuthorizeSecurityGroupEgress OR event.eventName: RevokeSecurityGroup OR event.eventName: RevokeSecurityGroupEgress OR event.eventName: JoinSecurityGroup OR event.eventName: LeaveSecurityGroup OR event.eventName: DeleteSecurityGroup OR event.eventName: ModifySecurityGroupPolicy) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name
```
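The logic behind the scenarios above and the two samples (matching serviceName/eventName, pairing a resourceType with the resource at the same position in resourceName, and counting events per identity against a threshold) carried out offline over constructed events, as an added Python illustration rather than ActionTrail code: the events and IDs are made up, and `_event`, `resource_of_type`, `rds_release_rows` and `security_group_change_counts` are hypothetical helpers that mirror what the SQL computes.

```python
from collections import Counter

RDS_RELEASE_EVENTS = {"DeleteDBInstance", "Release", "DestroyDBInstance"}
SECURITY_GROUP_EVENTS = {"CreateSecurityGroup", "AuthorizeSecurityGroup", "AuthorizeSecurityGroupEgress",
                         "RevokeSecurityGroup", "RevokeSecurityGroupEgress", "JoinSecurityGroup",
                         "LeaveSecurityGroup", "DeleteSecurityGroup", "ModifySecurityGroupPolicy"}

def _event(service, name, resource_name, resource_type, principal_id, user_name):
    """Build a constructed ActionTrail-style event (made-up values, keys as on the page)."""
    return {"event.serviceName": service, "event.eventName": name,
            "event.resourceName": resource_name, "event.resourceType": resource_type,
            "event.userIdentity.accountId": "100", "event.userIdentity.principalId": principal_id,
            "event.userIdentity.type": "ram-user", "event.userIdentity.userName": user_name}

SAMPLE_EVENTS = [  # constructed input, not real trail data
    _event("RDS", "DeleteDBInstance", "vpc-1;rm-bp1demo", "ACS::VPC::VPC;ACS::RDS::DBInstance", "200", "alice"),
    _event("RDS", "DeleteDBInstance", "vpc-2", "ACS::VPC::VPC", "200", "alice"),  # no DBInstance: num = 0
    _event("ECS", "AuthorizeSecurityGroup", "sg-demo", "ACS::ECS::SecurityGroup", "300", "bob"),
    _event("ECS", "AuthorizeSecurityGroup", "sg-demo", "ACS::ECS::SecurityGroup", "300", "bob"),
    _event("ECS", "DescribeSecurityGroups", "sg-demo", "ACS::ECS::SecurityGroup", "300", "bob"),  # read-only
]

def resource_of_type(event, resource_type):
    """Mirror split(resourceType, ';'), array_position() and resourceArray[num]: return the
    resource name at the position of the first matching type, or None if that type is absent."""
    names = event["event.resourceName"].split(";")
    types = event["event.resourceType"].split(";")
    for pos, rtype in enumerate(types):
        if rtype == resource_type and pos < len(names):
            return names[pos]
    return None

def rds_release_rows(events):
    """Sample 1: one row per released ApsaraDB RDS instance, with the acting identity."""
    rows = []
    for e in events:
        if e["event.serviceName"] == "RDS" and e["event.eventName"] in RDS_RELEASE_EVENTS:
            instance_id = resource_of_type(e, "ACS::RDS::DBInstance")
            if instance_id is not None:  # the SQL's `where num > 0`
                rows.append({"account_id": e["event.userIdentity.accountId"], "instance_id": instance_id,
                             "ram_user_id": e["event.userIdentity.principalId"],
                             "user_type": e["event.userIdentity.type"], "user_name": e["event.userIdentity.userName"]})
    return rows

def security_group_change_counts(events, threshold=0):
    """Sample 2 plus the statistics scenario: count security group changes per
    (account_id, ram_user_id, event_name), keeping only groups whose count exceeds `threshold`."""
    counts = Counter((e["event.userIdentity.accountId"], e["event.userIdentity.principalId"], e["event.eventName"])
                     for e in events if e["event.eventName"] in SECURITY_GROUP_EVENTS)
    return {key: n for key, n in counts.items() if n > threshold}
```

The second RDS event shows the edge case the SQL handles with `where num > 0`: a release event whose resource list contains no ACS::RDS::DBInstance entry produces no row, and the read-only DescribeSecurityGroups call is never counted as a change.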