ActionTrail provides the Insights feature to help you identify unusual activities from management events. After the Insights feature is enabled, ActionTrail analyzes management events, identifies unusual activities that are associated with API call rates, API error rates, and IP addresses, and generates Insights events. You can use the Insights events to identify potential risks to your cloud resources and handle the risks at the earliest opportunity.
Differences between Insights events and management events
| Event type | Description | Reference |
|---|---|---|
| Management event | A record that is generated when a management operation is performed on an Alibaba Cloud resource by using an Alibaba Cloud-based entity. Each management event is stored as a log. | Management event structure |
| Insights event | ActionTrail uses mathematical models to analyze management events in the cloud and identify unusual activities that are associated with API call rates, API error rates, and IP addresses. For example, if an attacker steals your account and performs a large number of write operations such as delete operations on a resource by using an external IP address, Insights events on IP address are generated for the IP address and Insights events on API call rate are generated for the delete operation. | Insights event structure |
Benefits
ActionTrail analyzes all management events within your Alibaba Cloud account over a historical period of time and generates the following types of Insights events: ApiCallRateInsight, ApiErrorRateInsight, and IpInsight. ApiCallRateInsight indicates Insights events on API call rate. ApiErrorRateInsight indicates Insights events on API error rate. IpInsight indicates Insights events on IP address. Each Insights event contains a start event that indicates the start time of the Insights event and an end event that indicates the end time of the Insights event.
- Insights events on API call rate (ApiCallRateInsight): ActionTrail uses mathematical models to analyze all management events and normal patterns of API call rates within your Alibaba Cloud account and generates Insights events when the call rates are outside normal patterns.
- Insights events on API error rate (ApiErrorRateInsight): ActionTrail uses mathematical models to analyze API error rate-related management events and normal patterns of API error rates within your Alibaba Cloud account and generates Insights events when the error rates are outside normal patterns.
- Insights events on IP address (IpInsight): ActionTrail analyzes normal patterns of IP addresses. ActionTrail generates Insights events when suspicious IP addresses are identified from new IP addresses.
How an Insights event works
- Conditions for generating Insights events: After the Insights feature is enabled, ActionTrail continuously analyzes all subsequent management events and generates the first Insights event at least 24 hours after the feature is enabled. Insights events provide information about unusual activities. If no unusual activities are identified within your Alibaba Cloud account, no Insights events are generated.
- Statistical scope: Insights events are generated by region. ActionTrail analyzes management events in a region to generate Insights events. Therefore, the Insights events and the management events belong to the same region.
- Rules for generating Insights events:
- Insights events on API call rate (ApiCallRateInsight) provide information about the difference between the current call rates and normal patterns. ActionTrail uses mathematical models to analyze the calling behavior, calling methods, and the normal patterns of call rates of the current API and generates Insights events when the call rates are outside normal patterns. Note Insights events on API call rate (ApiCallRateInsight) are generated for write events.
- Insights events on API error rate (ApiCallRateInsight) provide information about the difference between the current error rates and normal patterns. ActionTrail uses mathematical models to analyze the calling behavior, calling methods, and the normal patterns of error rates of the current API and generates Insights events when the error rates are outside normal patterns. Note Insights events on API error rate (ApiErrorRateInsight) are generated for read and write events.
- Insights events on IP address (IpInsight) provide information about suspicious IP addresses. If you use IP address-heterogeneity algorithms, new IP addresses may be incorrectly identified as suspicious IP addresses. One Insights event on IP address is generated only for the first access activity from a suspicious IP address on the current day.
- Insights events on API call rate (ApiCallRateInsight) provide information about the difference between the current call rates and normal patterns. ActionTrail uses mathematical models to analyze the calling behavior, calling methods, and the normal patterns of call rates of the current API and generates Insights events when the call rates are outside normal patterns.
Usage notes
- Insights events cannot be queried in the China (Heyuan), China (Guangzhou), or UAE (Dubai) region. For more information about regions supported by Insights events, see Supported regions.
- You can use the Insights feature free of charge during the trial period. For information about the subsequent billing policy, see Billing.
- After the Insights feature is enabled, ActionTrail analyzes all subsequent management events that are generated in supported regions.
- After an Insights event occurs within your Alibaba Cloud account, you must wait 10 minutes before you can query the details of the Insights event in the ActionTrail console.
Query Insights events
After you enable the Insights feature, you can query the Insights events that are generated within the last month in the ActionTrail console in your supported region. For more information, see Query Insights events in the ActionTrail console.