ActionTrail provides the insight event feature to help you identify exceptional operations based on recorded management events. After you enable the feature for a trail, ActionTrail analyzes the management events recorded by the trail, identifies exceptional operations, and generates insight events. These insight events are delivered to the Log Service Logstore or Object Storage Service (OSS) bucket specified for the trail. Insight events help you identify potential risks to your cloud resources and take remedial measures at the earliest opportunity.

Differences between insight events and management events

Management event
  • Description: A record that is generated when a management operation is performed on an Alibaba Cloud resource by using an Alibaba Cloud-based entity. Each management event is stored as a log.
  • Reference: Management event log reference

Insight event
  • Description: A record that indicates an exception identified by analyzing management events. Only insight events of the IPInsight type are supported. After you enable the insight event feature for a trail, ActionTrail learns the usual IP addresses from the historical management events recorded by the trail. When an operation is performed from an unfamiliar IP address that is not in the whitelist, ActionTrail compares that IP address with the usual IP addresses and determines whether it is unusual. If the IP address is considered unusual, an IPInsight event is generated to inform you of the exception.
    Note: Insight events are generated based on the analysis of management events, and one insight event can be associated with multiple management events. For example, an IPInsight event indicates only one unusual IP address, but it can be associated with all the management events in the window that record this IP address.
  • Reference: Insight event log reference

Benefits

  • Automatic generation: ActionTrail determines the usual IP addresses based on historical management events and summarizes the usage pattern of these usual IP addresses. When you use Alibaba Cloud, ActionTrail constantly analyzes the unfamiliar IP addresses involved and identifies unusual IP addresses to generate insight events.
  • Quick event query: ActionTrail allows you to query the following information about an insight event that was generated in the last 90 days in the console: the source IP address, start time, end time, and total number of operations performed from the unusual IP address recorded by the insight event. You can also query the code of the insight event.
  • Long-term storage: ActionTrail delivers insight events to the specified Log Service Logstore or OSS bucket for long-term storage and further analysis.

How an insight event works

  • Generation conditions: When you enable the insight event feature for a trail for the first time, ActionTrail needs at least 10,000 historical management events recorded by the trail to build the baseline of usual IP addresses. No insight event is generated until that many management events exist. Insight events cover only operations performed from unusual IP addresses: if all operations performed within your Alibaba Cloud account are considered normal, no insight event is generated.
  • Applicable scope: Insight events are generated by region, and each insight event analyzes only the IP addresses recorded in management events from the same region. For global events, ActionTrail generates insight events based only on the global events that are generated in the region where you created the associated trail. If you disable the associated trail, insight events are no longer generated.
  • Measurement: Only IPInsight events are supported, which provide insight into operations performed from unusual IP addresses. An IPInsight event measures the correlation between an unfamiliar IP address and the usage pattern of the usual IP addresses. An unfamiliar IP address may be considered unusual, and an IPInsight event may be generated, when the IP address is recorded for the first time. If the IP address is then used to access cloud resources on more than two days within the next seven days, it is considered usual. Otherwise, an IPInsight event is generated and delivered to the specified Log Service Logstore or OSS bucket on the eighth day after the first operation performed from the IP address.
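The seven-day rule above can be modelled directly. The following Python is an added example, not ActionTrail's own implementation: it applies the documented decision (an unfamiliar, non-whitelisted IP that operates on more than two distinct days in the seven days after it is first seen becomes usual, otherwise an IPInsight event is due on the eighth day) to a constructed list of management events. The seven-day window is assumed to start at the first operation and to count that first day; the set of already-learned usual IPs is likewise an assumption.

```python
"""Model of the IPInsight usual/unusual rule (added example, not ActionTrail code).

Assumptions: the 7-day window starts at the first operation and includes
that day; USUAL_IPS stands in for the baseline ActionTrail learns from the
10,000+ historical management events."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

OBSERVATION_DAYS = 7   # look-ahead window after the first operation
USUAL_MIN_DAYS = 3     # "more than two days" within that window


def parse_time(s):
    """Parse the UTC "YYYY-MM-DDTHH:MM:SSZ" eventTime format of management events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_ips(events, usual_ips, whitelist):
    """Return {ip: (verdict, first_seen, insight_due)} for every unfamiliar IP.

    events:     dicts carrying at least the management-event fields
                "eventTime" and "sourceIpAddress"
    usual_ips:  IPs already learned as usual from historical events
    whitelist:  IPs the operator trusted explicitly; never evaluated
    verdict is "usual" or "insight"; insight_due is when the window closes
    (the eighth day), or None for IPs that became usual.
    """
    by_ip = defaultdict(list)
    for ev in events:
        ip = ev["sourceIpAddress"]
        if ip in usual_ips or ip in whitelist:
            continue
        by_ip[ip].append(parse_time(ev["eventTime"]))

    verdicts = {}
    for ip, times in by_ip.items():
        first_seen = min(times)
        window_end = first_seen + timedelta(days=OBSERVATION_DAYS)
        # Distinct UTC calendar days with activity inside the window.
        active_days = {t.date() for t in times if first_seen <= t < window_end}
        if len(active_days) >= USUAL_MIN_DAYS:
            verdicts[ip] = ("usual", first_seen, None)
        else:
            verdicts[ip] = ("insight", first_seen, window_end)
    return verdicts


# Constructed sample (RFC 5737 documentation addresses), not real trail data.
USUAL_IPS = {"203.0.113.200"}
WHITELIST = {"192.0.2.5"}
SAMPLE_EVENTS = [
    # Already usual: skipped.
    {"eventTime": "2021-08-01T08:00:00Z", "sourceIpAddress": "203.0.113.200"},
    # Whitelisted: skipped.
    {"eventTime": "2021-08-01T08:05:00Z", "sourceIpAddress": "192.0.2.5"},
    # Seen on three distinct days within a week: becomes usual.
    {"eventTime": "2021-08-01T10:00:00Z", "sourceIpAddress": "198.51.100.7"},
    {"eventTime": "2021-08-02T11:00:00Z", "sourceIpAddress": "198.51.100.7"},
    {"eventTime": "2021-08-05T12:00:00Z", "sourceIpAddress": "198.51.100.7"},
    # Two days inside the window; the third day falls outside it: insight.
    {"eventTime": "2021-08-01T10:00:00Z", "sourceIpAddress": "198.51.100.8"},
    {"eventTime": "2021-08-02T11:00:00Z", "sourceIpAddress": "198.51.100.8"},
    {"eventTime": "2021-08-09T09:00:00Z", "sourceIpAddress": "198.51.100.8"},
    # Burst of activity on a single day: insight due on day eight.
    {"eventTime": "2021-08-03T07:58:56Z", "sourceIpAddress": "203.0.113.10"},
    {"eventTime": "2021-08-03T09:10:00Z", "sourceIpAddress": "203.0.113.10"},
]


if __name__ == "__main__":
    for ip, (verdict, first_seen, due) in classify_ips(SAMPLE_EVENTS, USUAL_IPS, WHITELIST).items():
        print(ip, verdict, first_seen.isoformat(), due.isoformat() if due else "-")
```

The point worth noticing is the third case: an attacker who touches the account on two days and then goes quiet still produces an insight event, whereas steady low-volume use over three days is learned as usual. If that is not acceptable for your environment, keep the whitelist tight and review every IP that becomes usual rather than relying on the heuristic alone.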

Usage notes

  • To obtain the permissions to manage insight events, submit a ticket.
  • Insight events cannot be generated or queried in the China (Heyuan), China (Guangzhou), and UAE (Dubai) regions. For information about the regions that support insight events, see Supported regions.
  • You can use the insight event feature free of charge in the trial period. For information about the subsequent billing policy, see Billing.
  • You need to create a single-account trail that delivers events of all types in all regions and enable the insight event feature for the trail. For global events, ActionTrail generates insight events based only on the global events that are generated in the region where you created the associated trail.
  • You can enable the insight event feature for only one trail. If you disable the feature, insight events are generated again only from the day after you re-enable it.
  • After an event occurs within your Alibaba Cloud account, you must wait 10 minutes before you can query the details of the associated insight event in the ActionTrail console.

Query insight events

Query details of an insight event

You can query the details of an insight event in the ActionTrail console. The following figure and table show the information that can be displayed in the console.

Insight event
Number, description, and example of each item in the figure:

1. The time range for the query, which includes the start time and the end time.
   Example: 13:55:00 to 16:55:00 on August 3, 2021
2. The type of the insight event. The value indicates the type of the exceptional operation involved.
   Example: IPInsight
3. The unusual IP address. You can click the unusual IP address to go to the Insight page and query all insight events that record this IP address.
   Example: 42.120.XX.XX
4. The number of exceptional operations, which is the number of management events that record the unusual IP address in the specified time range.
   Example: 115
5. The IP address heterogeneity, which is derived from the actual predicted value and the standard threshold.
   Note: IP address heterogeneity = (Standard threshold - Actual predicted value)/Standard threshold × 100.
   • Baseline for IP Address Heterogeneity: the correlation between the IP address and the usage pattern of usual IP addresses. The higher the heterogeneity value is, the more unusual the IP address is, and the higher the risk to your resources.
   • Insight Event Average: the average of the actual predicted values of the IP address in the specified time range.
   • Baseline Threshold: the standard threshold against which the actual predicted value is measured. If the actual predicted value at a point in time exceeds the standard threshold, the IP address is considered usual. Otherwise, it is considered unusual.
   Example:
   • 0.0121 - Insight Event Average
   • 0.6 - Baseline Threshold
6. The trend chart for the number of operations from the unusual IP address. For more information, see the preceding figure.
7. The IP address specified as a filter condition and the time range for the query.
   Example:
   • Filter: 42.120.XX.XX
   • Time Range in Chart: Started At: Aug 3, 2021, 14:00:00; Ended At: Aug 3, 2021, 17:00:00
8. The ID, start time, and duration of the insight event. Insight events are generated at intervals of 5 minutes.
   Example:
   • ID: 2D30****
   • Started At: Aug 3, 2021, 15:30:00
   • Duration: 5 Minutes
9. The details and code of the management event associated with the insight event that you selected. Sample code of a management event:
{
  "eventId": "DFB8EB15-8F65-1B88-8F9E-6D8A5865****",
  "eventVersion": 1,
  "eventSource": "actiontrail.cn-hangzhou.aliyuncs.com",
  "requestParameters": { // The input parameters of the API request.
    "AcsProduct": "Actiontrail",
    "EndTime": "2021-08-03T07:35:00Z",
    "NextToken": "eyJhY2NvdW50IjoiMTU5NDk4NjkzODI2ODg5OCIsImV2ZW50SWQiOiIwRDMwMjYxNS03NDJFLTEyRjQtODM1Ri0xNDMzNUUyM0RFRDkiLCJpcCI6IjQyLjEyMC43NS4xNTQiLCJsb2dJZCI6IjYyLTE1OTQ5ODY5MzgyNjg4OTgiLCJ0aW1lIjoxNjI3OTc1ODQwMD****",
    "MaxResults": 20,
    "StartTime": "2021-08-03T07:30:00Z",
    "AcceptLanguage": "zh-CN",
    "Region": "cn-hangzhou",
    "LookupAttribute.1.Value": "42.120.XX.XX",
    "RegionId": "cn-hangzhou",
    "LookupAttribute.1.Key": "SourceIpAddress"
  },
  "sourceIpAddress": "42.120.XX.XX", // The source IP address that is recorded in the management event.
  "userAgent": "actiontrail.console.aliyun.com",
  "eventType": "ApiCall",
  "userIdentity": { // The information about the identity of the requester.
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false"
      }
    },
    "accountId": "159498693826****", // The ID of the Alibaba Cloud account.
    "principalId": "159498693826****", // The ID of the requester.
    "type": "root-account", // Indicates an Alibaba Cloud account.
    "userName": "root"
  },
  "serviceName": "Actiontrail", // The name of the Alibaba Cloud service associated with the management event.
  "apiVersion": "2020-07-06",
  "requestId": "DFB8EB15-8F65-1B88-8F9E-6D8A586580A7",
  "eventTime": "2021-08-03T07:58:56Z", // The time when the management event was generated, in UTC.
  "isGlobal": false,
  "acsRegion": "cn-hangzhou", // The ID of the region.
  "eventName": "LookupEvents" // The management event name.
}

For information about the fields of a management event log, see Management event log reference.

10. The code of the insight event that you selected. Sample code of an insight event:
{
  "event": {
    "eventVersion": "1",
    "eventTime": "2021-03-10T21:00:00Z",
    "acsRegion": "cn-hangzhou",
    "eventID": "F23A3DD5-7842-4EF9-9DA1-3776396A****",
    "eventType": "ActionTrailInsight",
    "recipient": "116214297662****",
    "insightDetails": {
      "sourceIpAddress": "42.120.XX.XX",
      "insightType": "IpInsight",
      "insightContext": {
        "statistics": {
          "baseline": {
            "threshold": 0.6
          },
          "insight": {
            "predict": 0.12
          },
          "insightDuration": 300,
          "insightCount": 10
        }
      }
    },
    "userIdentity": {
      "accountId": "112432432434****",
      "principalId": "231321312321****"
    },
    "eventCategory": "Insight"
  }
}
For information about the fields of an insight event log, see Insight event log reference.
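Once insight events land in a Logstore or OSS bucket, the two things a responder wants are the heterogeneity value the console shows (item 5 above) and the management events the insight is associated with (the note under "Differences between insight events and management events"). The Python below is an added example, not ActionTrail's code: it parses an insight event log with the field names from the sample above, applies the console formula, and joins the event to management events by source IP, region and time window. The insight event and management events are constructed (RFC 5737 addresses in place of the masked IP), and treating eventTime as the start of the insightDuration window is an assumption the page does not state.

```python
"""Triage of a delivered IPInsight event (added example, not ActionTrail code).

Assumptions: eventTime is the start of the window and insightDuration
(seconds) is its length; sample events below are constructed."""
import json
from datetime import datetime, timedelta, timezone


def parse_time(s):
    """Parse the UTC "YYYY-MM-DDTHH:MM:SSZ" timestamp used by both log types."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def heterogeneity(threshold, predict):
    """Console formula: (Standard threshold - Actual predicted value) / Standard threshold x 100."""
    if threshold <= 0:
        raise ValueError("baseline threshold must be positive")
    return (threshold - predict) / threshold * 100.0


def parse_insight(raw):
    """Flatten one insight event log into the fields a responder needs."""
    ev = json.loads(raw)["event"]
    if ev.get("eventType") != "ActionTrailInsight":
        raise ValueError("not an insight event: %r" % ev.get("eventType"))
    details = ev["insightDetails"]
    stats = details["insightContext"]["statistics"]
    threshold = stats["baseline"]["threshold"]
    predict = stats["insight"]["predict"]
    start = parse_time(ev["eventTime"])
    return {
        "eventID": ev["eventID"],
        "region": ev["acsRegion"],
        "sourceIpAddress": details["sourceIpAddress"],
        "insightType": details["insightType"].lower(),  # log says IpInsight, console IPInsight
        "start": start,
        "end": start + timedelta(seconds=stats["insightDuration"]),
        "insightCount": stats["insightCount"],
        "threshold": threshold,
        "predict": predict,
        "heterogeneity": heterogeneity(threshold, predict),
        # A predicted value above the threshold would mean the IP is usual.
        "unusual": predict <= threshold,
    }


def associated_management_events(insight, mgmt_events):
    """Management events the insight is associated with: same source IP,
    same region (insights are generated per region), inside the window."""
    linked = []
    for m in mgmt_events:
        if m["sourceIpAddress"] != insight["sourceIpAddress"]:
            continue
        if m["acsRegion"] != insight["region"]:
            continue
        if insight["start"] <= parse_time(m["eventTime"]) < insight["end"]:
            linked.append(m)
    return linked


def triage(raw_insight, mgmt_events):
    """Summary suitable for a ticket or SIEM alert; compares the count
    ActionTrail reported with the management events actually found."""
    ins = parse_insight(raw_insight)
    linked = associated_management_events(ins, mgmt_events)
    return {
        "ip": ins["sourceIpAddress"],
        "heterogeneity": round(ins["heterogeneity"], 2),
        "unusual": ins["unusual"],
        "linked_operations": sorted({m["eventName"] for m in linked}),
        "count_reported": ins["insightCount"],
        "count_found": len(linked),
    }


# Constructed insight event; structure mirrors the sample log above.
SAMPLE_INSIGHT = """{
  "event": {
    "eventVersion": "1", "eventTime": "2021-03-10T21:00:00Z", "acsRegion": "cn-hangzhou",
    "eventID": "F23A3DD5-7842-4EF9-9DA1-3776396A0001", "eventType": "ActionTrailInsight",
    "recipient": "116214297662000",
    "insightDetails": {
      "sourceIpAddress": "203.0.113.10", "insightType": "IpInsight",
      "insightContext": {"statistics": {"baseline": {"threshold": 0.6},
        "insight": {"predict": 0.12}, "insightDuration": 300, "insightCount": 10}}
    },
    "userIdentity": {"accountId": "112432432434000", "principalId": "231321312321000"},
    "eventCategory": "Insight"
  }
}"""

# Constructed management events, reduced to the fields the join needs.
SAMPLE_MGMT_EVENTS = [
    {"eventName": "LookupEvents", "eventTime": "2021-03-10T21:00:30Z", "sourceIpAddress": "203.0.113.10", "acsRegion": "cn-hangzhou"},
    {"eventName": "CreateTrail", "eventTime": "2021-03-10T21:02:10Z", "sourceIpAddress": "203.0.113.10", "acsRegion": "cn-hangzhou"},
    {"eventName": "CreateUser", "eventTime": "2021-03-10T21:04:59Z", "sourceIpAddress": "203.0.113.10", "acsRegion": "cn-hangzhou"},
    {"eventName": "DeleteTrail", "eventTime": "2021-03-10T21:05:00Z", "sourceIpAddress": "203.0.113.10", "acsRegion": "cn-hangzhou"},  # outside window
    {"eventName": "LookupEvents", "eventTime": "2021-03-10T21:01:00Z", "sourceIpAddress": "203.0.113.10", "acsRegion": "cn-beijing"},   # other region
    {"eventName": "LookupEvents", "eventTime": "2021-03-10T21:01:00Z", "sourceIpAddress": "198.51.100.7", "acsRegion": "cn-hangzhou"},  # other IP
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_INSIGHT, SAMPLE_MGMT_EVENTS), indent=2))
```

With the page's sample numbers (threshold 0.6, predicted 0.12) the heterogeneity is 80, and the console example (average 0.0121) gives roughly 98. A gap between count_reported and count_found usually means the trail was not delivering all event types or regions for that window, which is worth checking before concluding that the associated operations are accounted for.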