
ActionTrail: Query events related to CIS benchmarks

Last Updated: Mar 01, 2024

You can use the system templates that are provided by the advanced event query feature in ActionTrail to query high-risk access events for monitoring and auditing in the Center for Internet Security (CIS) framework. The system templates include Trail Change Events, Trail Disabling Events, RAM Role Change Events, and Firewall Disabling Events. This topic describes how to query the details of events related to CIS benchmarks by using ActionTrail. In this example, trail change events are queried.

Prerequisites

The advanced event query feature is enabled for your trail. For more information, see Enable the advanced event query feature.

Background information

The CISComplianceCheck compliance package continuously monitors your resources and checks whether they comply with the CIS Controls published by the Center for Internet Security (CIS). For more information about CIS, visit the CIS website. Resources that comply with the CIS benchmarks are exposed to fewer network security risks.

Procedure

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, choose Events > Advanced Event Query.

  3. In the Query Range section, click the Template Library tab and choose System Template > CIS Benchmark-related Events > Trail Change Events.

  4. On the Trail Change Events tab, specify a time range to query events and click Run.

    Note
    • By default, ActionTrail queries the events within seven days.

    • You can click Event Alert on the right side of the tab to configure an alert for the current event. For more information, see Create a custom alert rule.

    • You can modify the default SQL statement in the system template and click Save to save the template as a custom template for reuse in subsequent tasks.

  5. View the query results.

    • Raw Log

      On the Raw Log tab, find the event that you want to view and click View Event Details in the Actions column. Then, you can view basic information about the event and the event records.

      Note

      In this example, the View Event Details panel shows that a Resource Access Management (RAM) user enabled the trail at 11:06:40 on January 10, 2024 in the China (Zhangjiakou) region.


    • Query Histogram

      On the Query Histogram tab, view the histograms of events.
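The console procedure above runs a system template over ActionTrail events and lets you restrict the time range (seven days by default). The following Python script is an added example, not part of this topic or of ActionTrail itself, that applies the same idea offline to ActionTrail event records you already hold (for example, records delivered as JSON to a bucket): it groups events into the CIS benchmark-related categories this topic names and applies a query window. The event names listed per category are ActionTrail and RAM API operation names; their mapping onto the console's template categories, the record field names, and the sample records themselves are assumptions constructed for this example.

```python
"""Offline classification of ActionTrail event records into CIS
benchmark-related categories (Trail Change, Trail Disabling, RAM Role
Change), with an optional query window like the console's default
seven-day range. Example code, not ActionTrail's own template SQL."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed mapping of API operation names to the template categories named
# in this topic. Firewall Disabling Events is omitted here.
CIS_EVENT_CATEGORIES = {
    "Trail Change Events": {
        "CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging",
    },
    "Trail Disabling Events": {"StopLogging", "DeleteTrail"},
    "RAM Role Change Events": {
        "CreateRole", "UpdateRole", "DeleteRole",
        "AttachPolicyToRole", "DetachPolicyFromRole",
    },
}

# Constructed sample records, one JSON object per line, in the shape of
# ActionTrail event records (field names are an assumption for this example).
SAMPLE_EVENTS = """
{"eventName":"UpdateTrail","serviceName":"Actiontrail","eventTime":"2024-01-10T03:06:40Z","acsRegion":"cn-zhangjiakou","userIdentity":{"type":"ram-user","userName":"ops-user","principalId":"2000000000000001"},"sourceIpAddress":"203.0.113.10"}
{"eventName":"StopLogging","serviceName":"Actiontrail","eventTime":"2024-01-11T08:15:02Z","acsRegion":"cn-hangzhou","userIdentity":{"type":"ram-user","userName":"dev-user","principalId":"2000000000000002"},"sourceIpAddress":"198.51.100.7"}
{"eventName":"DescribeInstances","serviceName":"Ecs","eventTime":"2024-01-11T08:20:00Z","acsRegion":"cn-hangzhou","userIdentity":{"type":"root-account","userName":"root"},"sourceIpAddress":"198.51.100.7"}
{"eventName":"AttachPolicyToRole","serviceName":"Ram","eventTime":"2024-01-12T01:00:00Z","acsRegion":"cn-hangzhou","userIdentity":{"type":"ram-user","userName":"dev-user","principalId":"2000000000000002"},"sourceIpAddress":"198.51.100.7"}
"""


def parse_events(text):
    """Parse newline-delimited JSON records; skip blank or malformed lines
    so one bad line does not abort the whole scan."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def categorize(event):
    """Return every CIS category whose event-name set contains this event."""
    name = event.get("eventName", "")
    return [cat for cat, names in CIS_EVENT_CATEGORIES.items() if name in names]


def in_window(event, end, days=7):
    """True if the event time lies in (end - days, end]; this mirrors the
    console's default seven-day query range when days=7."""
    ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)
    return end - timedelta(days=days) < ts <= end


def summarize(event):
    """One-line summary: who did what, where, and from which address."""
    ident = event.get("userIdentity", {})
    return "{time} {region} {itype}:{user} {name} from {ip}".format(
        time=event.get("eventTime", "?"),
        region=event.get("acsRegion", "?"),
        itype=ident.get("type", "?"),
        user=ident.get("userName", "?"),
        name=event.get("eventName", "?"),
        ip=event.get("sourceIpAddress", "?"),
    )


def find_cis_events(text, end=None, days=7):
    """Group matching events by category; if end is given, keep only events
    inside the (end - days, end] window."""
    hits = defaultdict(list)
    for ev in parse_events(text):
        if end is not None and not in_window(ev, end, days):
            continue
        for cat in categorize(ev):
            hits[cat].append(summarize(ev))
    return dict(hits)


if __name__ == "__main__":
    for category, lines in find_cis_events(SAMPLE_EVENTS).items():
        print(category)
        for line in lines:
            print("  " + line)
```

Running the script prints each category followed by the matching events; the `DescribeInstances` record is ignored because it belongs to none of the categories, while `StopLogging` appears under both Trail Change Events and Trail Disabling Events, which is the intended overlap since disabling a trail is also a change to it.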

References

You can configure filter conditions or SQL statements to query event details. For more information, see Perform custom event queries.