You can create custom alert rules to monitor specified events, which gives you flexible control over how you monitor the security of your business. In a custom alert rule, you configure a custom query statement that matches the scenario you care about, and ActionTrail generates alerts for the events that the statement returns. This topic describes how to create a custom alert rule, explains the custom query statements that apply to different scenarios, and provides sample query statements.

Background information

In custom alert rules, you can use SQL statements to query events. For more information about the syntax, see Log search overview and Log analysis overview.

Procedure

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Event Alerting.
  3. On the Event Alerting page, click Create Alert.
  4. In the Alert Monitoring Rule panel, configure custom query statements.
    1. Click Create next to the Query Statistics parameter.
    2. On the Advanced Settings tab of the Query Statistics dialog box, set the Type parameter to Logstore and the Authorization parameter to Default.
      Note The Region and Project parameters are automatically set based on the settings of the trail and cannot be changed.
    3. From the Logstore drop-down list, select the Log Service Logstore in which you want to query events. The name of the Logstore is in the format of actiontrail_<Trail name>.
    4. In the Query field, enter a custom query statement and click Preview.
      For more information about custom query statements, see Custom query statements.
    5. Click OK.
  5. In the Alert Monitoring Rule panel, select an action policy.
    1. Set the Alert Policy parameter to Normal Mode.
    2. Select an action policy from the Action Policy drop-down list.
  6. In the Alert Monitoring Rule panel, set the Rule Name, Check Frequency, Group Evaluation, Trigger Condition, Add Label, Add Annotation, Recovery Notifications, Threshold of Continuous Triggers, No Data Alert, and Cycle parameters.
    For more information, see Create an alert monitoring rule for logs.
  7. Click OK.
    After the custom alert rule is created, it is displayed in the alert rule list. The value in the Type column is Custom Alerts for the custom alert rule. You can manage the created custom alert rule as needed. For more information, see Manage an alert rule.

Custom query statements

The following scenarios describe the custom query statements that you can use. Each scenario lists a description and sample statements.

Query specific events of cloud services

You can query specific events of cloud services by specifying the serviceName and eventName parameters, which are stored in the event.serviceName and event.eventName fields of the Logstore.
  • Query a specified event of a cloud service. For example, you can use the following statement to query the event of creating an Elastic Compute Service (ECS) instance:

    event.serviceName: Ecs and event.eventName: RunInstances

  • Query multiple events of a cloud service. For example, you can use the following statement to query the events of releasing ApsaraDB RDS instances:

    event.serviceName: RDS and (event.eventName: DeleteDBInstance or event.eventName: Release or event.eventName: DestroyDBInstance)

  • Query multiple events of different cloud services. For example, you can use the following statement to query the events of changing access permissions of users in Resource Management and Resource Access Management (RAM):

    (event.serviceName: ResourceManager and (event.eventName: AttachPolicy or event.eventName: DetachPolicy )) or (event.serviceName: Ram and (event.eventName: AttachPolicyToUser or event.eventName: AttachPolicyToGroup or event.eventName: AttachPolicyToRole or event.eventName: DetachPolicyFromUser or event.eventName: DetachPolicyFromGroup or event.eventName: DetachPolicyFromRole))

Query values of specified parameters

Event parameters and values are stored in the event.requestParameterJson parameter in the JSON format. ActionTrail allows you to create a custom alert rule to generate alerts for the specified values of event parameters.
  • Query the event in which the release protection attribute of an ECS instance is changed to false.

    event.serviceName: Ecs and event.eventName: ModifyInstanceAttribute | SELECT * FROM (SELECT cast(json_extract("event.requestParameterJson", '$.DeletionProtection') as varchar) as deletion_protection FROM log) WHERE deletion_protection = 'false'

  • Query the event in which the IP address 0.0.0.0 is added to the whitelist of an ApsaraDB RDS instance.

    event.serviceName: Rds and event.eventName: ModifySecurityIps | SELECT * FROM (SELECT cast(json_extract("event.requestParameterJson", '$.SecurityIps') as varchar) as security_ips FROM log) WHERE security_ips like '%0.0.0.0%'

Query resources that are related to specified events

You can query resources that are related to specified events by specifying the resourceName and the resourceType parameters.

For more information, see Management event log reference.

  • Query a specified type of resource that is related to an event. For example, you can use the following statement to query the ID of the ECS instance that is released in an instance release event:

event.serviceName: Ecs and (event.eventName: DeleteInstances or event.eventName: DeleteInstance or event.eventName: Release) | SELECT resourceArray[num] as instance_id FROM (SELECT split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Instance') as num FROM log) where num > 0
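The two statement patterns above (the JSON parameter check and the resource lookup through the ';'-separated resourceName and resourceType arrays) can be checked outside Log Service. The following Python is an added example, not code from the ActionTrail documentation: it evaluates the DeletionProtection check, the instance-ID lookup with 1-based array_position semantics and the "where num > 0" filter, and the whitelist LIKE check over constructed events. All event values and instance IDs are made up, and the stricter exact-match variant of the whitelist check is an assumption added for illustration.

```python
"""Added example, not code from the ActionTrail documentation: the query
patterns for parameter values and related resources evaluated in Python over
constructed events. Every field value below is made up."""
import json

# Constructed ActionTrail records in the flattened "event.<field>" layout.
SAMPLE_EVENTS = [
    {"event.serviceName": "Ecs", "event.eventName": "ModifyInstanceAttribute",
     "event.requestParameterJson": json.dumps(
         {"InstanceId": "i-example-1", "DeletionProtection": False})},
    {"event.serviceName": "Ecs", "event.eventName": "ModifyInstanceAttribute",
     "event.requestParameterJson": json.dumps(
         {"InstanceId": "i-example-2", "DeletionProtection": True})},
    # Two resources; the instance is the second element, so resourceArray[1]
    # would return the security group. Looking up by type finds the instance.
    {"event.serviceName": "Ecs", "event.eventName": "DeleteInstance",
     "event.resourceName": "sg-example-1;i-example-3",
     "event.resourceType": "ACS::ECS::SecurityGroup;ACS::ECS::Instance"},
    # No instance resource at all: array_position returns 0, row is dropped.
    {"event.serviceName": "Ecs", "event.eventName": "DeleteInstance",
     "event.resourceName": "sg-example-2",
     "event.resourceType": "ACS::ECS::SecurityGroup"},
    {"event.serviceName": "Rds", "event.eventName": "ModifySecurityIps",
     "event.requestParameterJson": json.dumps(
         {"DBInstanceId": "rm-example-1", "SecurityIps": "10.0.0.0/8"})},
    {"event.serviceName": "Rds", "event.eventName": "ModifySecurityIps",
     "event.requestParameterJson": json.dumps(
         {"DBInstanceId": "rm-example-2", "SecurityIps": "192.0.2.10,0.0.0.0/0"})},
]


def json_extract_varchar(event, key):
    """Mirror cast(json_extract("event.requestParameterJson", '$.<key>') as varchar):
    JSON booleans become the strings 'true'/'false'; a missing key gives None."""
    raw = event.get("event.requestParameterJson")
    if raw is None:
        return None
    value = json.loads(raw).get(key)
    if isinstance(value, bool):
        return "true" if value else "false"
    return None if value is None else str(value)


def array_position(values, target):
    """Presto array_position: 1-based index of the first match, 0 when absent."""
    return values.index(target) + 1 if target in values else 0


def deletion_protection_disabled(events):
    """ECS ModifyInstanceAttribute calls whose DeletionProtection became false."""
    return [json.loads(e["event.requestParameterJson"])["InstanceId"]
            for e in events
            if e["event.serviceName"] == "Ecs"
            and e["event.eventName"] == "ModifyInstanceAttribute"
            and json_extract_varchar(e, "DeletionProtection") == "false"]


RELEASE_EVENTS = {"DeleteInstances", "DeleteInstance", "Release"}


def released_instance_ids(events):
    """Split both resource arrays and keep the element typed ACS::ECS::Instance."""
    ids = []
    for e in events:
        if e["event.serviceName"] != "Ecs" or e["event.eventName"] not in RELEASE_EVENTS:
            continue
        names = e["event.resourceName"].split(";")
        types = e["event.resourceType"].split(";")
        num = array_position(types, "ACS::ECS::Instance")
        if num > 0:                     # where num > 0
            ids.append(names[num - 1])  # resourceArray[num] is 1-based in SQL
    return ids


def _whitelist_changes(events):
    for e in events:
        if e["event.serviceName"] == "Rds" and e["event.eventName"] == "ModifySecurityIps":
            yield (json.loads(e["event.requestParameterJson"])["DBInstanceId"],
                   json_extract_varchar(e, "SecurityIps") or "")


def whitelist_substring_match(events):
    """The page's check: security_ips like '%0.0.0.0%' is a substring match."""
    return [db for db, ips in _whitelist_changes(events) if "0.0.0.0" in ips]


def whitelist_exact_match(events):
    """Assumed stricter variant: split the comma-separated list and match the
    open-to-everyone entry exactly, so 10.0.0.0/8 no longer matches."""
    return [db for db, ips in _whitelist_changes(events)
            if {"0.0.0.0", "0.0.0.0/0"} & set(ips.split(","))]
```

The substring functions illustrate a caveat of the statement on the page: security_ips like '%0.0.0.0%' also matches an entry such as 10.0.0.0/8, because 0.0.0.0 is a substring of it, so an alert built on that pattern can fire on private ranges as well as on the fully open whitelist.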

Query identities that are related to specified events

You can query the information about identities in specified events and configure ActionTrail to generate alerts for specified identities.

The userIdentity parameter contains multiple fields, such as type, userName, principalId, and accountId. For more information, see Table 1.

  • Query the type of the identity.

    * | SELECT "event.userIdentity.type" as user_type

  • Query the name of the identity.

    * | SELECT "event.userIdentity.userName" as user_name

  • Query the ID of the identity.

    * | SELECT "event.userIdentity.principalId" as principal_id

  • Query the ID of the Alibaba Cloud account to which the identity belongs.

    * | SELECT "event.userIdentity.accountId" as account_id

Query statistics of specified events

You can query the number of times that an event occurs and configure ActionTrail to generate alerts when the specified threshold is exceeded.
  • Query the number of times that an ECS instance restarts. For example, you can use the following statement to query the event in which an ECS instance restarts for the third time:

    event.serviceName: Ecs and (event.eventName: RebootInstances or event.eventName: RebootInstance) | SELECT account_id, resourceArray[num] as instance_id, count(*) as cnt FROM ( SELECT "event.userIdentity.accountId" as account_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Instance') as num FROM log) where num > 0 group by account_id, instance_id

  • Query the number of logon failures of an account. For example, you can use the following statement to query the event in which a logon failure occurs for the third time for the same account:

    event.eventName: ConsoleSignin and event.userIdentity.type: ram-user and not event.errorMessage: success | select "event.userIdentity.principalId" as user_id, "event.userIdentity.userName" as user_name, count(1) as cnt group by user_id, user_name

Sample custom query statements

The arbitrary function returns a non-null value of x that is chosen arbitrarily from the values in a group. The syntax of the arbitrary function is arbitrary(x). In a query that uses GROUP BY, a selected column that is not a grouping key must be wrapped in an aggregate function, and arbitrary is used for this purpose in Sample 2. For more information about the arbitrary function, see arbitrary function. The following two sample statements are provided:

  • Sample 1: Query the event in which an ApsaraDB RDS instance is released

    event.serviceName: RDS and (event.eventName: DeleteDBInstance or event.eventName: Release or event.eventName: DestroyDBInstance) | SELECT account_id, resourceArray[num] as instance_id, ram_user_id, user_type, user_name FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::RDS::DBInstance') as num, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log ) where num > 0

  • Sample 2: Query the event in which the configuration of a security group is changed

    (event.eventName: CreateSecurityGroup OR event.eventName: AuthorizeSecurityGroup OR event.eventName: AuthorizeSecurityGroupEgress OR event.eventName: RevokeSecurityGroup OR event.eventName: RevokeSecurityGroupEgress OR event.eventName: JoinSecurityGroup OR event.eventName: LeaveSecurityGroup OR event.eventName: DeleteSecurityGroup OR event.eventName: ModifySecurityGroupPolicy) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name
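The grouped statements in the statistics scenario (logon failures per RAM user) and in Sample 2 (security group changes with arbitrary()) both produce one row per group, and the alert rule's Trigger Condition is then applied to each row. The following Python is an added example, not code from the ActionTrail documentation: it evaluates those two aggregations over constructed ConsoleSignin and security group events and applies a cnt-based trigger condition. All identities, account IDs and values are made up, and the threshold of 3 is an assumption taken from the "third time" wording above.

```python
"""Added example, not code from the ActionTrail documentation: the grouped
aggregations of the logon-failure statement and of Sample 2 evaluated in
Python, plus the trigger condition the alert rule would apply. Every identity
and value below is made up."""
from collections import defaultdict


def _signin(principal_id, user_name, user_type, error_message):
    """Build one constructed ConsoleSignin record in the "event.<field>" layout."""
    return {"event.eventName": "ConsoleSignin",
            "event.userIdentity.type": user_type,
            "event.userIdentity.principalId": principal_id,
            "event.userIdentity.userName": user_name,
            "event.errorMessage": error_message}


SIGNIN_EVENTS = [
    _signin("2001", "alice", "ram-user", "success"),
    _signin("2001", "alice", "ram-user", "InvalidPassword"),
    _signin("2002", "bob", "ram-user", "InvalidPassword"),
    _signin("2002", "bob", "ram-user", "InvalidPassword"),
    _signin("2002", "bob", "ram-user", "InvalidPassword"),
    # Root account failure: excluded by the event.userIdentity.type: ram-user term.
    _signin("1000", "root", "root-account", "InvalidPassword"),
]


def logon_failures(events):
    """count(1) per (principalId, userName) over ConsoleSignin events of RAM users
    whose errorMessage is not 'success' (the `not event.errorMessage: success` term)."""
    counts = defaultdict(int)
    for e in events:
        if e["event.eventName"] != "ConsoleSignin":
            continue
        if e["event.userIdentity.type"] != "ram-user":
            continue
        if e["event.errorMessage"] == "success":
            continue
        counts[(e["event.userIdentity.principalId"], e["event.userIdentity.userName"])] += 1
    return dict(counts)


def triggered_groups(rows, threshold=3):
    """Assumed trigger condition cnt >= threshold, applied to every group of the
    query result; groups below the threshold raise no alert."""
    return sorted(key for key, cnt in rows.items() if cnt >= threshold)


SECURITY_GROUP_EVENTS = {
    "CreateSecurityGroup", "AuthorizeSecurityGroup", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroup", "RevokeSecurityGroupEgress", "JoinSecurityGroup",
    "LeaveSecurityGroup", "DeleteSecurityGroup", "ModifySecurityGroupPolicy",
}


def _sg_event(event_name, account_id, principal_id, user_type, user_name):
    """Build one constructed management event record for a security group change."""
    return {"event.eventName": event_name,
            "event.userIdentity.accountId": account_id,
            "event.userIdentity.principalId": principal_id,
            "event.userIdentity.type": user_type,
            "event.userIdentity.userName": user_name}


SG_EVENTS = [
    _sg_event("AuthorizeSecurityGroup", "123", "2001", "ram-user", "alice"),
    _sg_event("AuthorizeSecurityGroup", "123", "2001", "ram-user", "alice"),
    _sg_event("DeleteSecurityGroup", "123", "2002", "ram-user", "bob"),
    _sg_event("RunInstances", "123", "2002", "ram-user", "bob"),  # not a security group event
]


def security_group_changes(events):
    """Sample 2: group by (account_id, ram_user_id, event_name). user_type and
    user_name are not grouping keys, so the SQL wraps them in arbitrary(); here
    the first value seen in each group stands in for that choice."""
    groups = {}
    for e in events:
        if e["event.eventName"] not in SECURITY_GROUP_EVENTS:
            continue
        key = (e["event.userIdentity.accountId"],
               e["event.userIdentity.principalId"],
               e["event.eventName"])
        groups.setdefault(key, (e["event.userIdentity.type"], e["event.userIdentity.userName"]))
    return groups
```

Because the statements group by identity, the threshold is compared per group rather than against the total: three failures by one RAM user trigger, while one failure each by three users does not, which is usually the intended behaviour for logon monitoring.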