You can create custom alert rules to monitor specified events. This allows you to flexibly monitor the security of your business. You can configure custom query statements that apply to different scenarios in custom alert rules to generate alerts for specified events. This topic describes how to create a custom alert rule. This topic also describes the custom query statements that apply to different scenarios and provides sample query statements.
- Log on to the ActionTrail console.
- In the left-side navigation pane, click Event Alerting.
- On the Event Alerting page, click Create Alert.
- In the Alert Monitoring Rule panel, configure custom query statements.
- Click Create next to the Query Statistics parameter.
- On the Advanced Settings tab of the Query Statistics dialog box, set the Type parameter to Logstore and the Authorization parameter to Default. Note: The Region and Project parameters are automatically set based on the settings of the trail and cannot be changed.
- Select the Log Service Logstore in which you want to query events from the Logstore drop-down list. The name of the Logstore is in the format of
- In the Query field, enter a custom query statement and click Preview. For more information about custom query statements, see Custom query statements.
- Click OK.
- In the Alert Monitoring Rule panel, select an action policy.
- Set the Alert Policy parameter to Normal Mode.
- Select an action policy from the Action Policy drop-down list.
- In the Alert Monitoring Rule panel, set the Rule Name, Check Frequency, Group Evaluation, Trigger Condition, Add Label, Add Annotation, Recovery Notifications, Threshold of Continuous Triggers, No Data Alert, and Cycle parameters. For more information, see Create an alert monitoring rule for logs.
- Click OK. After the custom alert rule is created, it is displayed in the alert rule list. The value in the Type column is Custom Alerts for the custom alert rule. You can manage the created custom alert rule as needed. For more information, see Manage an alert rule.
Custom query statements
| Scenario | Description |
| --- | --- |
| Query specific events of cloud services | You can query specific events of cloud services by specifying the serviceName and eventName parameters. |
| Query values of specified parameters | Event parameters and their values are stored in the event.requestParameterJson parameter in JSON format. ActionTrail allows you to create a custom alert rule that generates alerts for specified values of event parameters. |
| Query resources that are related to specified events | You can query resources that are related to specified events by specifying the resourceName and resourceType parameters. For more information, see Management event log reference. You can also query a specified type of resource that is related to an event. For example, you can use the following statement to query the ID of the ECS instance that is released in an instance release event: |
| Query identities that are related to specified events | You can query the information about identities in specified events and configure ActionTrail to generate alerts for specified identities. The userIdentity parameter contains multiple fields, such as type, userName, principalId, and accountId. For more information, see Table 1. |
| Query statistics of specified events | You can query the number of times that an event occurs and configure ActionTrail to generate alerts when a specified threshold is exceeded. |
Sample custom query statements
The arbitrary function returns a random, non-null value of x. Its syntax is arbitrary(x). For more information about the arbitrary function, see arbitrary function. The following two sample statements are provided:
- Sample 1: Query the event in which an ApsaraDB RDS instance is released
event.serviceName: RDS and (event.eventName: DeleteDBInstance or event.eventName: Release or event.eventName: DestroyDBInstance) | SELECT account_id, resourceArray[num] as instance_id, ram_user_id, user_type, user_name FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::RDS::DBInstance') as num, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log ) where num > 0
- Sample 2: Query the event in which the configuration of a security group is changed
(event.eventName: CreateSecurityGroup OR event.eventName: AuthorizeSecurityGroup OR event.eventName: AuthorizeSecurityGroupEgress OR event.eventName: RevokeSecurityGroup OR event.eventName: RevokeSecurityGroupEgress OR event.eventName: JoinSecurityGroup OR event.eventName: LeaveSecurityGroup OR event.eventName: DeleteSecurityGroup OR event.eventName: ModifySecurityGroupPolicy) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name
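To check what Sample 1 and Sample 2 actually select before wiring them into an alert rule, the following added example (not ActionTrail or Log Service code) emulates both queries in Python over constructed events: the split/array_position handling of Sample 1, including an event that records no RDS instance, and the group-by-with-arbitrary() of Sample 2. All account, principal and resource IDs are placeholders.

```python
RDS_RELEASE_EVENTS = {"DeleteDBInstance", "Release", "DestroyDBInstance"}
SG_CHANGE_EVENTS = {"CreateSecurityGroup", "AuthorizeSecurityGroup", "AuthorizeSecurityGroupEgress",
                    "RevokeSecurityGroup", "RevokeSecurityGroupEgress", "JoinSecurityGroup",
                    "LeaveSecurityGroup", "DeleteSecurityGroup", "ModifySecurityGroupPolicy"}

def _event(service, name, resources, types, account="100000000000",
           principal="200000000000", user_type="ram-user", user_name="alice"):
    # Constructed event using the flattened event.* field names the page's queries use.
    return {"event.serviceName": service, "event.eventName": name,
            "event.resourceName": resources, "event.resourceType": types,
            "event.userIdentity.accountId": account, "event.userIdentity.principalId": principal,
            "event.userIdentity.type": user_type, "event.userIdentity.userName": user_name}

# Constructed sample events; IDs are placeholders, not real resources or accounts.
SAMPLE_EVENTS = [
    _event("RDS", "DeleteDBInstance", "vpc-placeholder;rm-placeholder01",
           "ACS::VPC::VPC;ACS::RDS::DBInstance"),
    _event("RDS", "DeleteDBInstance", "", ""),  # no resource recorded, so num = 0
    _event("ECS", "AuthorizeSecurityGroup", "sg-placeholder", "ACS::ECS::SecurityGroup"),
    _event("ECS", "AuthorizeSecurityGroup", "sg-placeholder", "ACS::ECS::SecurityGroup"),
    _event("ECS", "DeleteSecurityGroup", "sg-placeholder", "ACS::ECS::SecurityGroup",
           principal="300000000000", user_name="bob"),
]
def rds_release_instances(events):
    """Sample 1: take the resourceName at the position of ACS::RDS::DBInstance.
    array_position() is 1-based and returns 0 when absent, hence the num > 0 filter."""
    hits = []
    for e in events:
        if e["event.serviceName"] != "RDS" or e["event.eventName"] not in RDS_RELEASE_EVENTS:
            continue
        types = e["event.resourceType"].split(";")
        names = e["event.resourceName"].split(";")
        num = types.index("ACS::RDS::DBInstance") + 1 if "ACS::RDS::DBInstance" in types else 0
        if num > 0:
            hits.append({"account_id": e["event.userIdentity.accountId"], "instance_id": names[num - 1],
                         "ram_user_id": e["event.userIdentity.principalId"],
                         "user_type": e["event.userIdentity.type"], "user_name": e["event.userIdentity.userName"]})
    return hits

def security_group_changes(events):
    """Sample 2: group by (account_id, ram_user_id, event_name); user_type/user_name come from any row."""
    groups = {}
    for e in events:
        if e["event.eventName"] not in SG_CHANGE_EVENTS:
            continue
        key = (e["event.userIdentity.accountId"], e["event.userIdentity.principalId"], e["event.eventName"])
        g = groups.setdefault(key, {"count": 0, "user_type": e["event.userIdentity.type"],
                                    "user_name": e["event.userIdentity.userName"]})
        g["count"] += 1
    return groups
```

The per-group count is what the Query statistics scenario thresholds on; the real query runs inside Log Service, so this only mirrors its row selection.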