
ActionTrail: Overview

Last Updated: Mar 12, 2025

In ActionTrail, the event alerting feature is an automated security monitoring mechanism. Based on the parameters and rules you configure, it monitors the audit events delivered by a trail, identifies abnormal events, and sends alert notifications to the configured alert contacts through one or more notification channels, so that abnormal events are handled at the earliest opportunity. This topic describes the scenarios and capabilities of the event alerting feature and how to configure it.

Scenarios

  • Security monitoring: You need to monitor operations that may compromise system security, such as unusual logon attempts and unauthorized access.

  • Compliance check: You need to ensure that operations comply with relevant compliance requirements.

  • Configuration management: You need to track changes to environment configurations to prevent security risks caused by improper configurations.

  • Troubleshooting: You need to analyze the causes of system faults or performance issues based on audit logs and alerts.

Capabilities

  • Real-time event detection: After you configure alert rules, ActionTrail monitors events in the cloud in real time to detect abnormal events and identify risks at the earliest opportunity.

  • Built-in and custom alert rules: ActionTrail provides multiple built-in alert rules for account security, permission management, and resource management, and also allows you to create custom alert rules. You can enable an alert rule with a few clicks. After you enable an alert rule, ActionTrail evaluates it every 15 minutes against the events delivered by the specified trail within the last 30 minutes. Because each evaluation covers a 30-minute window, consecutive evaluations overlap and the same event can match in two consecutive runs; detection latency is therefore up to 15 minutes after the event is delivered to the trail.

  • Multiple notification methods: ActionTrail supports multiple notification methods such as text message, email, and DingTalk. A given alert is notified at most once per hour. For example, if ActionTrail sends an alert notification to the specified users or user groups at 10:00, the same alert notification is not sent again between 10:00 and 11:00, even if the rule matches again in a later evaluation. Treat a notification as a signal to review the matching events in the trail's Logstore rather than as a count of incidents.

  • User group management: ActionTrail allows you to create users and user groups and configure alert contacts in a flexible manner.
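The schedule and suppression rules described above have a practical consequence that is easy to miss: an event that occurs shortly after a notification for the same alert may never get its own notification. The following Python script is an added example (not code from the page or from ActionTrail itself) that models the documented parameters (evaluation every 15 minutes over a 30-minute window, one notification per alert per hour) against constructed sample events. The event field names (eventId, eventTime, eventName, userIdentity, sourceIpAddress) follow the ActionTrail event schema as an assumption, the sample events are invented, and the "audit tampering" rule is a hypothetical custom rule; whether ActionTrail keys its one-hour suppression per rule, as modeled here, or per rule and resource is also an assumption.

```python
from datetime import datetime, timedelta, timezone

# Evaluation parameters as stated in the ActionTrail documentation.
SCAN_INTERVAL = timedelta(minutes=15)   # a rule is evaluated every 15 minutes
SCAN_WINDOW = timedelta(minutes=30)     # each evaluation covers the last 30 minutes
NOTIFY_ONCE_PER = timedelta(hours=1)    # a given alert is notified at most once per hour

# Constructed sample events (not real audit data). Field names follow the
# ActionTrail event schema as an assumption.
SAMPLE_EVENTS = [
    {"eventId": "e1", "eventTime": "2025-03-12T09:58:00Z", "eventName": "DeleteTrail",
     "userIdentity": {"type": "ram-user", "userName": "Alice"}, "sourceIpAddress": "203.0.113.7"},
    {"eventId": "e2", "eventTime": "2025-03-12T10:03:00Z", "eventName": "ConsoleSignin",
     "userIdentity": {"type": "ram-user", "userName": "Kumer"}, "sourceIpAddress": "198.51.100.9"},
    {"eventId": "e3", "eventTime": "2025-03-12T10:40:00Z", "eventName": "StopLogging",
     "userIdentity": {"type": "ram-user", "userName": "Alice"}, "sourceIpAddress": "203.0.113.7"},
    {"eventId": "e4", "eventTime": "2025-03-12T11:05:00Z", "eventName": "DeleteTrail",
     "userIdentity": {"type": "root-account", "userName": "root"}, "sourceIpAddress": "192.0.2.44"},
]

# Hypothetical custom rule: any operation that changes or stops the audit
# trail itself is treated as suspicious (assumed API names).
AUDIT_TAMPERING = {"DeleteTrail", "StopLogging", "UpdateTrail"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_tampering_rule(event):
    return event["eventName"] in AUDIT_TAMPERING


def simulate(events, rule, rule_name, first_scan, scans):
    """Run `scans` evaluations of `rule`, SCAN_INTERVAL apart, starting at `first_scan`.

    Returns one record per evaluation: which event IDs matched inside the
    30-minute window and whether a notification was actually sent after the
    one-hour suppression was applied (suppression is keyed per rule here).
    """
    last_notified = None
    results = []
    for i in range(scans):
        scan_at = first_scan + i * SCAN_INTERVAL
        window_start = scan_at - SCAN_WINDOW
        matched = [e["eventId"] for e in events
                   if rule(e) and window_start <= parse_time(e["eventTime"]) < scan_at]
        notified = False
        if matched and (last_notified is None or scan_at - last_notified >= NOTIFY_ONCE_PER):
            notified = True
            last_notified = scan_at
        results.append({"scan_at": scan_at.strftime("%H:%M"), "rule": rule_name,
                        "matched": matched, "notified": notified})
    return results


def run_demo(scans=6):
    """Evaluate the audit-tampering rule from 10:00 onwards over the sample events."""
    return simulate(SAMPLE_EVENTS, audit_tampering_rule, "audit-tampering",
                    parse_time("2025-03-12T10:00:00Z"), scans)


if __name__ == "__main__":
    for record in run_demo():
        print(record)
```

Running the script shows e1 (09:58) matching at both the 10:00 and 10:15 evaluations because the windows overlap, with only the first run notifying. e3 (10:40) is detected at 10:45 but suppressed until the hour has elapsed, and then notified at 11:00. e4, a DeleteTrail by the root account at 11:05, is detected at 11:15 and 11:30 but falls inside the suppression window started at 11:00, and by the time that window ends it has dropped out of the 30-minute scan window, so it never produces a notification of its own. The practitioner takeaway is that alert contacts need to inspect the Logstore for all matching events after a notification, not just the one that triggered it.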

Procedure

Step 1: Create a trail

The event alerting feature of ActionTrail allows you to detect abnormal events delivered by a specified trail. Before you can use the feature, you must create a trail.

Step 2: Select the Logstore of the trail

In the ActionTrail console, select the created trail. Then, go to the Alert Rules tab of the Alert Center page and select the Logstore that was automatically created for the trail; this Logstore is the source of events for monitoring and management. The Logstore is named in the format actiontrail_<trail name>, where <trail name> is the name you gave the trail in Step 1.

Step 3: Create users and a user group

For example, create two users named Alice and Kumer and a user group named ActionTrailOM, then add the users to the user group. The user group is what you will later specify as the alert contact in an action policy.

Step 4: (Optional) Create an alert template

By default, ActionTrail uses the SLS actiontrail builtin alert template to send alert notifications to users or user groups. You can also create custom alert templates based on your business requirements.

Step 5: (Optional) Create an action policy

By default, ActionTrail uses the SLS actiontrail builtin action policy to send alert notifications to the specified alert contacts. You can also create custom action policies based on your business requirements. When you create a custom action policy, you can specify alert notification conditions, alert notification methods, and alert contacts.

Step 6: Enable an alert rule

ActionTrail lets you enable alert rules from an alert template or create custom alert rules, so you can define the rules your business requires. Once a rule is enabled, ActionTrail evaluates it against the trail's Logstore on the schedule described under Capabilities and notifies the contacts defined by the action policy.