
ActionTrail: Overview

Last Updated: Mar 01, 2024

In ActionTrail, the event alerting feature serves as an automated security monitoring mechanism. The feature monitors and identifies abnormal events in the cloud in real time based on configured parameters and rules, and sends alert notifications to relevant alert contacts by using various methods. This ensures that abnormal events are handled at the earliest opportunity. This topic describes the scenarios and capabilities of the event alerting feature, and how to configure the feature.

Scenarios

  • Security monitoring: You need to monitor operations that may compromise system security, such as unusual logon attempts and unauthorized access.

  • Compliance check: You need to ensure that operations comply with relevant compliance requirements.

  • Configuration management: You need to track changes to environment configurations to prevent security risks caused by improper configurations.

  • Troubleshooting: You need to analyze the causes of system faults or performance issues based on audit logs and alerts.

Capabilities

  • Real-time event detection: After you configure alert rules, ActionTrail monitors events in the cloud in real time to detect abnormal events and identify risks at the earliest opportunity.

  • Built-in and custom alert rules: ActionTrail provides multiple built-in alert rules for account security, permission management, and resource management. ActionTrail also allows you to create custom alert rules. You can enable an alert rule with a few clicks. After you enable an alert rule, ActionTrail performs detection based on the alert rule every 15 minutes to scan the events delivered by a specified trail within the last half hour.

  • Multiple notification methods: ActionTrail supports multiple notification methods such as text message, email, and DingTalk. One alert notification is sent only once within 1 hour. For example, if ActionTrail sends an alert notification to the specified users or user groups at 10:00, ActionTrail does not re-send the alert notification from 10:00 to 11:00.

  • User group management: ActionTrail allows you to create users and user groups and configure alert contacts in a flexible manner.

Procedure


Step 1: Create a trail

The event alerting feature of ActionTrail allows you to detect abnormal events delivered by a specified trail. Before you can use the feature, you must create a trail.

Step 2: Enable the advanced event query feature for the trail

Before the event alerting feature can detect abnormal events delivered by a specified trail, you must enable the advanced event query feature for that trail.

Step 3: Create users and user groups

Before you can specify alert contacts, you must create users and user groups.

Step 4: (Optional) Create an alert template

By default, ActionTrail uses the SLS actiontrail builtin alert template to send alert notifications. You can also create custom alert templates based on your business requirements.

Step 5: (Optional) Create an action policy

By default, ActionTrail uses the SLS actiontrail builtin action policy to send alert notifications. You can also create custom action policies based on your business requirements.

Step 6: (Optional) Configure alert rule parameters

Before you enable an alert rule, you must configure alert rule parameters and select an action policy that you created. This ensures that the alert rule works as expected after the alert rule is enabled.

Note

You can configure alert rule parameters only for built-in alert rules.

Step 7: Enable an alert rule

You must enable an alert rule before ActionTrail can detect abnormal events based on the rule. An alert is triggered when an event meets the condition of the alert rule.

Step 8: (Optional) Create a whitelist

If you want to exempt specified Alibaba Cloud accounts, RAM users, RAM roles, and IP addresses from an alert rule, you can create a whitelist.
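The following added example (not ActionTrail's own code) simulates the detection behaviour described under Capabilities and the whitelist exemption from Step 8: a rule is evaluated every 15 minutes over the last half hour, events from whitelisted identities or IP addresses are skipped, and a notification is sent at most once per hour. The suppression key being the alert rule, and the sample events, identities and IP addresses, are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SCAN_INTERVAL = timedelta(minutes=15)  # a detection run every 15 minutes
LOOKBACK = timedelta(minutes=30)       # each run scans the last half hour
SUPPRESSION = timedelta(hours=1)       # a notification is sent once per hour

@dataclass
class Event:
    time: datetime
    event_name: str
    identity: str    # Alibaba Cloud account, RAM user or RAM role
    source_ip: str

@dataclass
class Whitelist:
    identities: set = field(default_factory=set)
    ips: set = field(default_factory=set)

    def exempts(self, ev: Event) -> bool:
        return ev.identity in self.identities or ev.source_ip in self.ips

def run_detection(events, matches, whitelist, start, runs):
    """Simulate `runs` detection runs of one alert rule starting at `start`.
    Returns the (run_time, first_matching_event_time) pairs that produced a
    notification. Because consecutive 30-minute windows overlap, the same
    event is seen twice; the one-hour suppression keeps it from being re-sent."""
    sent, last_sent = [], None
    for i in range(runs):
        now = start + i * SCAN_INTERVAL
        window = [e for e in events if now - LOOKBACK < e.time <= now]
        hits = [e for e in window if matches(e) and not whitelist.exempts(e)]
        if hits and (last_sent is None or now - last_sent >= SUPPRESSION):
            sent.append((now, hits[0].time))
            last_sent = now
    return sent

def demo():
    # Constructed sample: three trail deletions, one by a whitelisted
    # automation role. Identities and IP addresses are placeholders.
    def t(h, m):
        return datetime(2024, 3, 1, h, m)
    events = [
        Event(t(9, 50), "DeleteTrail", "ram-user:alice", "198.51.100.7"),
        Event(t(10, 20), "DeleteTrail", "ram-role:automation", "10.0.0.1"),
        Event(t(10, 50), "DeleteTrail", "ram-user:bob", "198.51.100.9"),
    ]
    rule = lambda e: e.event_name == "DeleteTrail"  # assumed rule condition
    wl = Whitelist(identities={"ram-role:automation"})
    return run_detection(events, rule, wl, t(10, 0), 8)  # runs 10:00 to 11:45
```

With these inputs only two notifications go out, at 10:00 and 11:00: the 09:50 event is seen again at 10:15 but suppressed, and the 10:20 event is exempted by the whitelist.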