ActionTrail provides the insight event feature to help you identify exceptional operations based on the recorded management events. After you enable the insight event feature for a trail, ActionTrail identifies exceptional operations based on the management events recorded by the trail and generates insight events. These insight events are delivered to the Log Service Logstore or Object Storage Service (OSS) bucket specified for the trail. Insight events help you identify potential risks of your cloud resources and allow you to take remedial measures at the earliest opportunity
Differences between insight events and management events
|Management event||A record that is generated when a management operation is performed on an Alibaba Cloud resource by using an Alibaba Cloud-based entity. Each management event is stored as a log.||Management event log reference|
|Insight event||A record that indicates an exception that is identified based on the analysis of management
events. Only insight events of the IPInsight type are supported. After you enable
the insight event feature for a trail, ActionTrail determines the usual IP addresses
based on the historical management events recorded by the trail. If an operation is
performed from an unfamiliar IP address that is not in the whitelist, ActionTrail
compares the IP address with the usual IP addresses and determines whether it is unusual.
If an IP address is considered unusual, an IPInsight event is generated to inform
you of the exception.
Insight events are generated based on the analysis of management events. An insight event can be associated with multiple management events. For example, an IPInsight event indicates only one unusual IP address, but the event can be associated with multiple management events that record this IP address.
|Insight event log reference|
- Automatic generation: ActionTrail determines the usual IP addresses based on historical management events and summarizes the usage pattern of these usual IP addresses. When you use Alibaba Cloud, ActionTrail constantly analyzes the unfamiliar IP addresses involved and identifies unusual IP addresses to generate insight events.
- Quick event query: ActionTrail allows you to query the following information about an insight event that was generated in the last 90 days in the console: the source IP address, start time, end time, and total number of operations performed from the unusual IP address recorded by the insight event. You can also query the code of the insight event.
- Long-term storage: ActionTrail delivers insight events to the specified Log Service Logstore or OSS bucket for long-term storage and further analysis.
How an insight event works
- Generation conditions: When you enable the insight event feature for a trail for the first time, ActionTrail analyzes at least 10,000 historical management events recorded by the trail to generate an insight event. Therefore, no insight event is generated if the number of existing management events does not meet the requirement. An insight event helps you gain an insight into the operations that are performed from unusual IP addresses. If all operations performed within your Alibaba Cloud account are considered normal, no insight event is generated.
- Applicable scope: Insight events are generated by region. An insight event analyzes the IP addresses recorded in the management events that reside in the same region. For global events, ActionTrail generates insight events based only on the global events that are generated in the region where you created the associated trail. If you disable the associated trail, insight events are no longer generated.
- Measurement: Only IPInsight events are supported, which allow you to gain an insight into the operations that are performed from unusual IP addresses. An IPInsight event calculates the correlation between an unfamiliar IP address and the usage pattern of usual IP addresses. An unfamiliar IP address may be considered unusual and an IPInsight event may be generated when the IP address is recorded for the first time. In the next seven days, if the IP address is used to access cloud resources in more than two days, the IP address is considered usual. Otherwise, an IPInsight event is generated and delivered to the specified Log Service Logstore or OSS bucket on the eighth day after the first operation performed from the IP address.
- To obtain the permissions to manage insight events, submit a ticket.
- Insight events cannot be generated or querired in the China (Heyuan), China (Guangzhou), and UAE (Dubai) regions. For information about regions supported by insight events, see Supported regions.
- You can use the insight event feature free of charge in the trial period. For information about the subsequent billing policy, see Billing.
- You need to create a single-account trail that delivers events of all types in all regions and enable the insight event feature for the trail. For global events, ActionTrail generates insight events based only on the global events that are generated in the region where you created the associated trail.
- You may enable the insight event feature for only one trail and you disable the feature. In this case, insight events can be generated on the next day after you enable the feature again.
- After an event occurs within your Alibaba Cloud account, you must wait 10 minutes before you can query the details of the associated insight event in the ActionTrail console.
Query insight events
- Query insight events in the ActionTrail console
You can log on to the ActionTrail console and query the insight events that were generated in the last 90 days in the region where you created the associated single-account trail . For information about how to query the details of insight events, see Query details of an insight event.
- Query insight events in the Log Service or OSS console
If you want to query the insight events that were generated more than 90 days ago, use the Log Service or OSS console.
Query details of an insight event
You can query the details of an insight event in the ActionTrail console. The following figure and table show the information that can be displayed in the console.
|1||The time range for the query, which includes the start time and the end time.||13:55:00 to 16:55:00 on August 3, 2021|
|2||The type of the insight event.
The value indicates the type of the exceptional operation involved.
|3||The unusual IP address.
You can click the unusual IP address to go to the Insight page and query all insight events that record this IP address.
|4||The number of exceptional operations.
The value indicates the number of management events that record the unusual IP address in the specified time range.
|5||The IP address heterogeneity, which involves the actual predicted value and standard
Note IP address heterogeneity = (Standard threshold - Actual predicted value)/Standard threshold × 100.
|6||The trend chart for the number of operations from the unusual IP address.||For more information, see the preceding figure.|
|7||The IP address specified as a filter condition and the time range for the query.||
|8||The ID, start time, and duration of the insight event.
Insight events are generated at intervals of 5 minutes.
|9||The details and code of the management event associated with the insight event that you selected.||Sample code of a management event:
For information about the fields of a management event log, see Management event log reference.
|10||The code of the insight event that you selected.||Sample code of an insight event:
For information about the fields of an insight event log, see Insight event log reference.