After a business moves its data to the cloud, its account generates a large number of events, and O&M personnel cannot realistically read every log field to spot unusual activity or examine each event and API operation by hand. In this case, you can use the Insights feature, which learns the normal pattern of management events in the account and generates an Insights event when activity deviates from that pattern.
Background information
After you enable the Insights feature, the first Insights event can appear only after at least 24 hours, and the feature reaches a stable state seven days after you enable it. ActionTrail analyzes the management events that were generated in your Alibaba Cloud account during the last seven days. During the first seven days after you enable the feature, ActionTrail analyzes the management events generated from the time you enabled it up to the day before the current day. Treat Insights events raised during that warm-up period with caution: the baseline they are compared against is still being learned.
Management events include read events and write events. A write event records an operation that changes a resource. After a business workload stabilizes, its write events follow consistent patterns, so write events that fall outside the learned pattern may indicate risk.
Best practices
Stability
Case 1: Insight into a sharp increase in the total number of write events
An employee of Company A who holds permissions on cloud resources deletes specific resources before resigning. The employee assumes that O&M personnel will not notice the deletions, because Company A deletes resources on a regular basis. However, if the call rate of the delete operation deviates from its normal pattern, ActionTrail generates an Insights event on API call rate (ApiCallRateInsight).
Case 2: Insight into a sharp increase in the error rate of read and write events
During O&M, an employee of Company A deletes resources, such as Object Storage Service (OSS) and Simple Log Service resources, believing that they are no longer required. However, several services depend on those resources implicitly, so the services are affected once the resources are gone. For example, if Service B depends on Resource A and Resource A is deleted, API calls to Service B start failing in large numbers, and ActionTrail generates an Insights event on API error rate (ApiErrorRateInsight).
Case 3: Insight into abnormal calls to write events
ActionTrail automatically analyzes write-type management events and generates an Insights event when their behavior deviates from the learned pattern. For example, if the call rate of the DeleteInstance event falls outside its normal pattern, an Insights event is generated. Insights events let you spot unusual API activity without reading each event yourself.
Security
Case 1: Insight into AccessKey pair leaks based on unusual regions of IP addresses
Attackers steal an AccessKey pair from an employee of Company A, use it to access the company's cloud account, and perform unauthorized operations. In this case, an Insights event on IP address (IpInsight) may be generated. After the Insights feature is enabled, ActionTrail learns the IP addresses recorded across all supported regions and uses mathematical models to determine whether a request comes from a region that is unusual for the IP addresses it has seen. If an unusual region is detected, an Insights event on IP address (IpInsight) is generated. This signal depends on the attacker's source region differing from the ones already learned; Case 2 and Case 3 cover the complementary signals.
Case 2: Insight into AccessKey pair leaks based on abnormal changes in the number of requests
Attackers steal an AccessKey pair from an employee of Company A and use the company's cloud resources. The total number of events generated in the account rises, especially events for Elastic Compute Service (ECS) and Simple Log Service resources, and ActionTrail generates Insights events on API call rate (ApiCallRateInsight).
Case 3: Insight into unauthorized permission changes and password changes
Permission changes and password changes in the cloud are high-risk operations, so you want only dedicated O&M personnel to perform them. To detect permission or password changes made by anyone else, use Insights events on permission change and Insights events on password change. Each event includes the operator identity, the IP address associated with the operator, and the User-Agent, which you can compare against your list of authorized operators.
Employee A, an O&M engineer at a company, leaks an AccessKey ID and AccessKey secret. If an unauthorized user uses the AccessKey pair, an Insights event on IP address (IpInsight) is generated with the IP address from which the unauthorized access originated. If the unauthorized user then changes permissions or passwords, an Insights event on permission change or an Insights event on password change is generated. Together, these Insights events let you quickly detect account leaks, unauthorized permission changes, and unauthorized password changes. An Insights event only flags the anomaly; once a leak is confirmed, disable or rotate the AccessKey pair and review every event recorded for that AccessKey ID.
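The following is an added example, not ActionTrail's own model or code, showing the logic behind the Stability cases (a write-event call-rate spike, an error-rate spike) and the Security cases (an unseen source region, a permission or password change with the operator identity and IP attached) run over constructed sample events. The records only mimic a few ActionTrail management-event fields (eventName, eventRW, sourceIpAddress, errorCode, eventTime, userIdentity); the IP-to-region table, the thresholds, and the watchlist of sensitive APIs are assumptions chosen for illustration.

```python
"""Toy detector mirroring ApiCallRateInsight, ApiErrorRateInsight, IpInsight and
permission/password-change insights. Added example; the records are constructed here,
and the region table, thresholds and watchlist are assumptions, not ActionTrail's."""
from statistics import mean, pstdev

# Assumed stand-in for a geo-IP lookup (constructed addresses; RFC 5737 range for the attacker).
IP_REGION = {"10.0.0.5": "cn-hangzhou", "10.0.0.6": "cn-hangzhou",
             "10.0.1.9": "cn-beijing", "192.0.2.77": "unknown-abroad"}

# Assumed watchlist of RAM permission/password APIs (illustrative, not ActionTrail's rule list).
SENSITIVE_EVENTS = {"AttachPolicyToUser", "UpdateLoginProfile", "ChangePassword", "CreateAccessKey"}


def make_event(day, name, rw, ip, error=None, ak="LTAI-legit-example"):
    """One simplified management-event record on day `day` of the sample month."""
    return {"eventTime": f"2024-05-{day:02d}T10:00:00Z", "eventName": name, "eventRW": rw,
            "sourceIpAddress": ip, "errorCode": error, "userIdentity": {"accessKeyId": ak}}


def sample_events():
    """Seven quiet baseline days, then a day 8 that combines the page's scenarios: a stolen
    AccessKey pair deleting resources in bulk from an unseen address, dependent reads
    failing afterwards, and a password change by the intruder. Constructed data."""
    events = []
    for day in range(1, 8):
        events += [make_event(day, "DeleteInstance", "Write", "10.0.0.5") for _ in range(5)]
        events += [make_event(day, "DescribeInstances", "Read", "10.0.0.6") for _ in range(40)]
        events.append(make_event(day, "GetBucketInfo", "Read", "10.0.1.9", error="NoSuchBucket"))
    events += [make_event(8, "DeleteInstance", "Write", "192.0.2.77", ak="LTAI-stolen") for _ in range(60)]
    events += [make_event(8, "DescribeInstances", "Read", "10.0.0.6") for _ in range(40)]
    events += [make_event(8, "GetBucketInfo", "Read", "10.0.1.9", error="NoSuchBucket") for _ in range(25)]
    events.append(make_event(8, "UpdateLoginProfile", "Write", "192.0.2.77", ak="LTAI-stolen"))
    return events


def day_of(ev):
    return ev["eventTime"][:10]


def daily_series(events, value):
    """Map each day (sorted) to value(events_of_that_day), e.g. a count or a rate."""
    by_day = {}
    for ev in events:
        by_day.setdefault(day_of(ev), []).append(ev)
    return {d: value(evs) for d, evs in sorted(by_day.items())}


def spike_days(series, baseline_days=7, z=3.0, floor=0.0):
    """Days whose value exceeds mean + max(z*stdev, floor) of all earlier days.
    The first `baseline_days` days are learning only, echoing the seven-day warm-up
    described above; `floor` keeps a perfectly flat baseline (stdev 0) from flagging noise."""
    days = list(series)
    flagged = []
    for i in range(baseline_days, len(days)):
        history = [series[d] for d in days[:i]]
        if series[days[i]] > mean(history) + max(z * pstdev(history), floor):
            flagged.append(days[i])
    return flagged


def write_rate_spikes(events):
    """ApiCallRateInsight idea: daily count of write events versus the learned baseline."""
    return spike_days(daily_series(events, lambda evs: sum(e["eventRW"] == "Write" for e in evs)), floor=1)


def error_rate_spikes(events):
    """ApiErrorRateInsight idea: daily share of calls that returned an error code."""
    def rate(evs):
        return sum(e["errorCode"] is not None for e in evs) / len(evs)
    return spike_days(daily_series(events, rate), floor=0.05)


def unseen_region_callers(events, baseline_days=7):
    """IpInsight idea: (ip, region, accessKeyId) triples calling after the learning window
    from a region that never appeared during it."""
    days = sorted({day_of(e) for e in events})
    learning = set(days[:baseline_days])
    region = lambda e: IP_REGION.get(e["sourceIpAddress"], "unknown")
    known = {region(e) for e in events if day_of(e) in learning}
    return sorted({(e["sourceIpAddress"], region(e), e["userIdentity"]["accessKeyId"])
                   for e in events if day_of(e) not in learning and region(e) not in known})


def sensitive_changes(events):
    """Every permission/password change with the operator identity and source IP attached."""
    return [(day_of(e), e["eventName"], e["userIdentity"]["accessKeyId"], e["sourceIpAddress"])
            for e in events if e["eventName"] in SENSITIVE_EVENTS]


if __name__ == "__main__":
    evs = sample_events()
    print("write-rate spike days:", write_rate_spikes(evs))
    print("error-rate spike days:", error_rate_spikes(evs))
    print("callers from unseen regions:", unseen_region_callers(evs))
    print("permission/password changes:", sensitive_changes(evs))
```

Run stand-alone, the script flags day 8 for both the write-rate and error-rate series, reports the attacker's AccessKey ID calling from a region never seen during the learning window, and lists the UpdateLoginProfile call with its operator and IP. The `floor` argument is the part worth noticing: a baseline that is perfectly regular has zero standard deviation, so a pure z-score rule would flag any change at all, which is exactly the false-positive noise a seven-day warm-up is meant to avoid.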