Alert monitoring rule ID | Alert monitoring rule name | Description | Query statement | Trigger condition | Group evaluation | Alert information |
sls_app_actiontrail_cis_at_ak_abn_use | Alert of Frequency of AK Abnormal Usage | Check every 15 minutes. In the past 30 minutes, if the abnormal frequency of using AK exceeds the specified threshold, the alert will be triggered. The trigger threshold can be configured in rule parameters. | __topic__: actiontrail_audit_event and event.errorCode is not NULL and event.errorCode != '' and event.userIdentity.accessKeyId: * | select date_format(min(__time__), '%Y-%m-%d %H:%i:%S') as min_time, date_format(max(__time__), '%Y-%m-%d %H:%i:%S') as latest_time, "event.userIdentity.accountId" as account_id, "event.userIdentity.accessKeyId" as access_key_id, sum(case when "event.errorCode" is NULL or "event.errorCode" = '' then 0 else 1 end) as fail_cnt group by account_id, access_key_id limit 10000
| Data matches the expression fail_cnt > {{threshold}} | Custom labels: account_id and access_key_id | Title: Alert of Frequency of AK Abnormal Usage
Desc: In the past 30 minutes, the frequency of abnormal usage of AccessKeyID ${access_key_id} under account ${account_id} was too high (${fail_cnt} times).
|
sls_app_actiontrail_cis_at_abnormal_login_count | Account Continuous Login Failure Alert | Check every 15 minutes. The alert is triggered if the number of failed logins within 30 minutes exceeds the threshold. The trigger threshold can be configured in the rule parameters; the default is 5. | __topic__: actiontrail_audit_event and event.eventName: ConsoleSignin and event.errorMessage: * and not event.errorMessage: success | select "event.userIdentity.principalId" as user_id, "event.userIdentity.userName" as user_name, count(1) as cnt group by user_id, user_name limit 10000
| Data matches the expression cnt > {{max_login_attemps}} | Custom labels: user_id and user_name | Title: User ${user_name} (id: ${user_id}) failed to log in too many times within 30 minutes
Desc: User ${user_name} (id: ${user_id}) failed to log in ${cnt} times in the past 30 minutes, exceeding the default threshold {{max_login_attemps}}.
|
sls_app_actiontrail_cis_at_pwd_change_cnt | Alert of Abnormal Password Modification Frequency | Check every 15 minutes. The trigger condition is that the number of password modification operations in the past half hour exceeds the specified threshold (default 1), which can be configured in the rule parameters. | __topic__: actiontrail_audit_event and (((event.serviceName: Ram or event.serviceName: Ims) and event.eventName: ChangePassword) or (event.serviceName: AasCustomer and event.eventName: PasswordReset)) | select count(1) as cnt, "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id limit 10000
| Data matches the expression cnt > {{threshold}} | Custom labels: account_id and ram_user_id | Title: Alert of Abnormal Password Modification Frequency
Desc: Account ${account_id} had an abnormally high password modification frequency in the past half hour (${cnt} times). Operating account id: ${ram_user_id}, operating account name: ${user_name}, operating account type: ${user_type}.
|
sls_app_actiontrail_cis_at_ak_conf_change | KMS Key Configuration Change Alert | Check every 15 minutes. The trigger condition is: in the past 30 minutes, there was an operation that changed the KMS key configuration (such as disabling the key, scheduling its deletion, or deleting its key material). | event.serviceName: Kms and (event.eventName: DisableKey or event.eventName: ScheduleKeyDeletion or event.eventName: DeleteKeyMaterial) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary(case when "event.userIdentity.type"='root-account' then 'Aliuid' when "event.userIdentity.type"='ram-user' then 'RAM_User' when "event.userIdentity.type"='assumed-role' then 'RAM_Role' when "event.userIdentity.type"='system' then 'Aliyun_Service' else "event.userIdentity.type" end) as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and event_name | Title: The KMS key configuration under account ${account_id} has changed
Desc: The KMS key configuration under account ${account_id} changed. Change type: ${event_name}. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_api_err | Alert of Frequency of API Error | Check every 15 minutes. The trigger condition is that the number of API call errors in the past 30 minutes exceeds the specified threshold, which can be configured in the rule parameters. | __topic__: actiontrail_audit_event and event.errorCode: * | select "event.userIdentity.accountId" as account_id, arbitrary("event.userIdentity.principalId") as ram_user_id, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name, count(1) as cnt group by account_id
| Data matches the expression cnt > {{threshold}} | Custom label: account_id | Title: Alert of Frequency of API Error
Desc: In the past 30 minutes, the frequency of API call error under account ${account_id} was too high (${cnt} times), which exceeded the preset threshold ({{threshold}} times).
|
sls_app_actiontrail_cis_at_cfw_ai_off | Alert of Turning off of Cloudfirewall Intelligent Defense | An alert is triggered after the intelligent defense of the cloudfirewall is turned off. Check every 15 minutes, covering the events of the past 30 minutes. | __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: ModifyDefaultIPSConfig | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.AiRules') as varchar) as aiRules, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE aiRules = '0' group by account_id, ram_user_id limit 10000
| Data is returned | Custom labels: account_id and ram_user_id | Title: Alert of Turning off of Cloudfirewall Intelligent Defense
Desc: The intelligent defense of cloudfirewall under account ${account_id} has been turned off. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_cfw_auto_pt_off | Alert of Turning off of Automatic Protection of New Assets in Cloudfirewall | An alert is triggered after the automatic protection of new assets in the cloudfirewall is turned off. Check every 15 minutes, covering the events of the past 30 minutes. | __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: SetAutoProtectNewAssets | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.AutoProtect') as boolean) as autoProtect, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE autoProtect = false group by account_id, ram_user_id limit 10000
| Data is returned | Custom labels: account_id and ram_user_id | Title: Alert of Turning off of Automatic Protection of New Assets in Cloudfirewall
Desc: The automatic protection of new assets in cloudfirewall under account ${account_id} has been turned off. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_cfw_pt_off | Alert of Turning off of Cloudfirewall Protection for Assets | An alert is triggered when the cloudfirewall protection of a specified asset is turned off. Check every 15 minutes, covering the events of the past 30 minutes. | __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: PutDisableFwSwitch | SELECT account_id, ram_user_id, resourceArray[num] as asset_ip, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::CloudFirewall::Asset') as num, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE num > 0 group by account_id, ram_user_id, asset_ip limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and asset_ip | Title: Alert of Turning off of Cloudfirewall Protection for Assets
Desc: The cloudfirewall protection of the asset (instance IP: ${asset_ip}) under the account ${account_id} has been turned off. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_cfw_baisc_off | Alert of Turning off of Cloudfirewall Basic Defense | An alert is triggered after the basic defense rules of the cloudfirewall are turned off. Check every 15 minutes, covering the events of the past 30 minutes. | __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: ModifyDefaultIPSConfig | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.BasicRules') as varchar) as basicRules, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE basicRules = '0' group by account_id, ram_user_id limit 10000
| Data is returned | Custom labels: account_id and ram_user_id | Title: Alert of Turning off of Cloudfirewall Basic Defense
Desc: The basic defense rules of cloudfirewall under account ${account_id} have been turned off. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_cfw_log_off | Alert of Turning off of Cloudfirewall Log Analysis | An alert is triggered after the log analysis of the cloudfirewall is turned off. Check every 15 minutes, covering the events of the past 30 minutes. | __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: ModifySlsDispatchStatus | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.EnableStatus') as boolean) as enableStatus, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE enableStatus = false group by account_id, ram_user_id limit 10000
| Data is returned | Custom labels: account_id and ram_user_id | Title: Alert of Turning off of Cloudfirewall Log Analysis
Desc: The log analysis of cloudfirewall under account ${account_id} has been turned off. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_cfw_loose_block | Alert of Cloudfirewall Threat Engine Switched to Loose Interception Mode | An alert is triggered after the threat engine of the cloudfirewall is switched to loose interception mode. Check every 15 minutes, covering the events of the past 30 minutes. | __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: ModifyDefaultIPSConfig | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.RuleClass') as varchar) as ruleClass, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE ruleClass = '2' group by account_id, ram_user_id limit 10000
| Data is returned | Custom labels: account_id and ram_user_id | Title: Alert of Cloudfirewall Threat Engine Switched to Loose Interception Mode
Desc: The threat engine of cloudfirewall under account ${account_id} has been switched to loose interception mode. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_cfw_obs_mode | Alert of Cloudfirewall Threat Engine Switched to Observation Mode | An alert is triggered after the threat engine of the cloudfirewall is switched to observation mode. Check every 15 minutes, covering the events of the past 30 minutes. | __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: ModifyDefaultIPSConfig | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.RunMode') as varchar) as runMode, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE runMode = '0' group by account_id, ram_user_id limit 10000
| Data is returned | Custom labels: account_id and ram_user_id | Title: Alert of Cloudfirewall Threat Engine Switched to Observation Mode
Desc: The threat engine of cloudfirewall under account ${account_id} has been switched to observation mode. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_cfw_patch_off | Alert of Turning off of Cloudfirewall Virtual Patch | An alert is triggered after the virtual patch of the cloudfirewall is turned off. Check every 15 minutes, covering the events of the past 30 minutes. | __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: ModifyDefaultIPSConfig | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.PatchRules') as varchar) as patchRules, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE patchRules = '0' group by account_id, ram_user_id limit 10000
| Data is returned | Custom labels: account_id and ram_user_id | Title: Alert of Turning off of Cloudfirewall Virtual Patch
Desc: The virtual patch of cloudfirewall under account ${account_id} has been turned off. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_cfw_ti_off | Alert of Turning off of Cloudfirewall Threat Intelligence | An alert is triggered after the threat intelligence of the cloudfirewall is turned off. Check every 15 minutes, covering the events of the past 30 minutes. | __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: ModifyDefaultIPSConfig | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.CtiRules') as varchar) as ctiRules, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE ctiRules = '0' group by account_id, ram_user_id limit 10000
| Data is returned | Custom labels: account_id and ram_user_id | Title: Alert of Turning off of Cloudfirewall Threat Intelligence
Desc: Threat intelligence of cloudfirewall under account ${account_id} has been turned off. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_cfw_conf_change | VPC Firewall Control Policy Change Alert | Check every 15 minutes. The trigger condition is: in the past 30 minutes, there have been one or more changes to the control policy of the VPC Firewall. | event.serviceName: Cloudfw and (event.eventName: CreateVpcFirewallControlPolicy or event.eventName: DeleteVpcFirewallControlPolicy or event.eventName: ModifyVpcFirewallControlPolicy) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary(case when "event.userIdentity.type"='root-account' then 'Aliuid' when "event.userIdentity.type"='ram-user' then 'RAM_User' when "event.userIdentity.type"='assumed-role' then 'RAM_Role' when "event.userIdentity.type"='system' then 'Aliyun_Service' else "event.userIdentity.type" end) as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and event_name | Title: The control policy for the VPC firewall under account ${account_id} has changed
Desc: The control policy for VPC firewall under account ${account_id} has changed. Change type: ${event_name}. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_ecs_snp_off | ECS Automatic Snapshot Policy Shutdown Alert | Check every 15 minutes. The trigger condition is that there was an operation to close the ECS automatic snapshot policy in the past 30 minutes. ECS disks should use the automatic snapshot policy for automatic backups; turning the policy off triggers an alert. | event.serviceName: Ecs and event.eventName: CancelAutoSnapshotPolicy | SELECT account_id, ram_user_id, resourceArray[num] as disk_ids, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Disk') as num, case when "event.userIdentity.type"='root-account' then 'Aliuid' when "event.userIdentity.type"='ram-user' then 'RAM_User' when "event.userIdentity.type"='assumed-role' then 'RAM_Role' when "event.userIdentity.type"='system' then 'Aliyun_Service' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name, "event.acsRegion" as region_id FROM log) where num > 0 group by account_id, ram_user_id, disk_ids limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and disk_ids | Title: ECS disk automatic snapshot policy shutdown alert
Desc: The automatic snapshot policy for disk ${disk_ids} under account ${account_id} has been turned off. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_disk_encry_detc | Alert of ECS Cloud Disk Encryption Not Enabled | ECS cloud disks should be created with disk encryption enabled; otherwise an alert is triggered. Check every 15 minutes. The trigger condition is: in the past 30 minutes, an ECS cloud disk was created without encryption enabled. | __topic__: actiontrail_audit_event and event.serviceName: Ecs and (event.eventName: CreateDisks or event.eventName: CreateDisk) | SELECT account_id, ram_user_id, resourceArray[num] as disk_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Disk') as num, cast(json_extract("event.requestParameterJson", '$.Encrypted') as boolean) as encrypted, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE num > 0 and encrypted = false group by account_id, ram_user_id, disk_id limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and disk_id | Title: Alert of ECS Cloud Disk Encryption Not Enabled
Desc: When creating cloud disk ${disk_id} under account ${account_id}, the encryption of the disk was not enabled. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_ecs_disk_reinit | ECS Cloud Disk Reinit Alert | Check every 15 minutes. The trigger condition is that an ECS cloud disk reinitialization event occurred in the past 30 minutes. | event.serviceName: Ecs and event.eventName: ReInitDisk and event.eventRW: Write and event.resourceType : "ACS::ECS::Disk" | SELECT account_id, ram_user_id, resourceArray[num] as disk_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Disk') as num, case when "event.userIdentity.type"='root-account' then 'Aliuid' when "event.userIdentity.type"='ram-user' then 'RAM_User' when "event.userIdentity.type"='assumed-role' then 'RAM_Role' when "event.userIdentity.type"='system' then 'Aliyun_Service' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name, "event.acsRegion" as region_id FROM log) where num > 0 group by account_id, ram_user_id, disk_id limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and disk_id | Title: ECS cloud disk reinit alert
Desc: ECS cloud disk ${disk_id} (region: ${region_id}) under account ${account_id} has been reinitialized, please check if there is any risk. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_ecs_disk_release | ECS Cloud Disk Released Alert | Check every 15 minutes. The trigger condition is: an ECS cloud disk was released in the past 30 minutes. | event.serviceName: Ecs and event.eventName: DeleteDisk and event.eventRW: Write and event.resourceType : "ACS::ECS::Disk" | SELECT account_id, ram_user_id, resourceArray[num] as disk_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Disk') as num, case when "event.userIdentity.type"='root-account' then 'Aliuid' when "event.userIdentity.type"='ram-user' then 'RAM_User' when "event.userIdentity.type"='assumed-role' then 'RAM_Role' when "event.userIdentity.type"='system' then 'Aliyun_Service' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name, "event.acsRegion" as region_id FROM log) where num > 0 group by account_id, ram_user_id, disk_id limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and disk_id | Title: ECS cloud disk released alert
Desc: ECS cloud disk ${disk_id} (region: ${region_id}) under account ${account_id} has been released, please check if there is any risk. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_ecs_force_reboot | Alert of ECS Instance Forced Reboot | An alert is triggered after an ECS instance is forcibly rebooted. Check every 15 minutes. The trigger condition is: in the past 30 minutes, there was a forced reboot of an ECS instance. | __topic__: actiontrail_audit_event and event.serviceName: Ecs and (event.eventName: RebootInstances or event.eventName: RebootInstance) | SELECT account_id, ram_user_id, resourceArray[num] as instance_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id FROM ( SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Instance') as num, cast(json_extract("event.requestParameterJson", '$.ForceReboot') as boolean) as force_reboot, cast(json_extract("event.requestParameterJson", '$.ForceStop') as boolean) as force_stop, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name, "event.acsRegion" as region_id FROM log) WHERE num > 0 and (force_reboot = true or force_stop = true) group by account_id, ram_user_id, instance_id limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and instance_id | Title: Alert of ECS Instance Forced Reboot
Desc: The ECS instance ${instance_id} (region: ${region_id}) under account ${account_id} has been forcibly rebooted. Please check whether there is any risk. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_ecs_reboot_alot | Excessive Restart of ECS Instance | Check every 15 minutes. The trigger condition is that an ECS instance was restarted too many times in the past 30 minutes. The trigger threshold can be configured in the rule parameters. | event.serviceName: Ecs and (event.eventName: RebootInstances or event.eventName: RebootInstance) | SELECT account_id, resourceArray[num] as instance_id, arbitrary(region_id) as region_id, count(*) as cnt FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Instance') as num, "event.acsRegion" as region_id FROM log) where num > 0 group by account_id, instance_id limit 10000
| Data matches the expression cnt > {{threshold}} | Custom labels: account_id and instance_id | Title: Excessive restart of an ECS instance
Desc: ECS instance ${instance_id} (region: ${region_id}) under account ${account_id} has been restarted ${cnt} times in the last 30 minutes. Please check if there is any risk.
|
sls_app_actiontrail_cis_at_ecs_rpo | Alert of ECS Instance Release Protection Close | Check every 15 minutes. The trigger condition is: in the past 30 minutes, there was an operation that closed the release protection of an ECS instance. | __topic__: actiontrail_audit_event and event.serviceName: Ecs and event.eventName: ModifyInstanceAttribute | SELECT account_id, ram_user_id, resourceArray[num] as instance_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Instance') as num, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name, "event.acsRegion" as region_id, cast(json_extract("event.requestParameterJson", '$.DeletionProtection') as varchar) as deletion_protection FROM log) WHERE num > 0 and deletion_protection = 'false' group by account_id, ram_user_id, instance_id limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and instance_id | Title: ECS Instance Release Protection Closed Alert
Desc: The release protection of ECS instance ${instance_id} (region: ${region_id}) under account ${account_id} has been closed. Please check whether there is any risk. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_ecs_release | ECS Instance Released Alert | Check every 15 minutes. The trigger condition is that an ECS instance was released in the past 30 minutes. | event.serviceName: Ecs and (event.eventName: DeleteInstances or event.eventName: DeleteInstance or event.eventName: Release) and event.eventRW: Write and event.resourceType : "ACS::ECS::Instance" | SELECT account_id, ram_user_id, resourceArray[num] as instance_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Instance') as num, case when "event.userIdentity.type"='root-account' then 'Aliuid' when "event.userIdentity.type"='ram-user' then 'RAM_User' when "event.userIdentity.type"='assumed-role' then 'RAM_Role' when "event.userIdentity.type"='system' then 'Aliyun_Service' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name, "event.acsRegion" as region_id FROM log) where num > 0 group by account_id, ram_user_id, instance_id limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and instance_id | Title: ECS instance released alert
Desc: ECS instance ${instance_id} (region: ${region_id}) under account ${account_id} has been released. Please check if there is a risk. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_off_duty_login | Alert of Login During Non-working Time | Check every minute. The trigger condition is: during the past minute, there was a login during non-working time. The working time/non-working time range can be set in the Global Calendar component. | __topic__: actiontrail_audit_event and event.eventName: ConsoleSignin and (not event.errorMessage: * or event.errorMessage: success) | select "event.userIdentity.principalId" as user_id, array_agg(DISTINCT "event.sourceIpAddress") as ip, arbitrary("event.userIdentity.accountId") as account_id, arbitrary("event.userIdentity.userName") as user_name, arbitrary("event.userIdentity.type") as user_type, count(DISTINCT __time__) as cnt group by user_id limit 10000
| Data is returned | Custom label: user_id | Title: Alert of Login During Non-working Time
Desc: User ${user_name} (user_id: ${user_id}, user_type: ${user_type}) under account ${account_id} had ${cnt} logins in the past minute. Login IP: ${ip}.
|
sls_app_actiontrail_cis_at_oss_policy_change | OSS Bucket Policy Change Alert | Check every 15 minutes. The trigger condition is: in the past 30 minutes, there was an operation that changed the permissions or configuration of an OSS Bucket. | event.serviceName: Oss and (event.eventName: PutBucketLifecycle or event.eventName: PutBucketPolicy or event.eventName: PutBucketCors or event.eventName: PutBucketEncryption or event.eventName: PutBucketReplication or event.eventName: DeleteBucketPolicy or event.eventName: DeleteBucketCors or event.eventName: DeleteBucketLifecycle or event.eventName: DeleteBucketEncryption or event.eventName: DeleteBucketReplication) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary(case when "event.userIdentity.type"='root-account' then 'Aliuid' when "event.userIdentity.type"='ram-user' then 'RAM_User' when "event.userIdentity.type"='assumed-role' then 'RAM_Role' when "event.userIdentity.type"='system' then 'Aliyun_Service' else "event.userIdentity.type" end) as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name limit 1000
| Data is returned | Custom labels: account_id, ram_user_id, and event_name | Title: The OSS Bucket permissions under account ${account_id} have changed
Desc: The OSS Bucket permissions under account ${account_id} changed. Change type: ${event_name}. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_pwd_policy_chang | Alert of Attempt to Modify Password Policy | Check every 15 minutes; the trigger condition is: in the past 30 minutes, there was an attempt to modify the password policy. | __topic__: actiontrail_audit_event and (event.serviceName: Ram or event.serviceName: Ims) and event.eventName: SetPasswordPolicy | select "event.userIdentity.accountId" as account_id, arbitrary("event.userIdentity.principalId") as ram_user_id, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id
| Data is returned | Custom label: account_id | Title: Alert of Attempt to Modify Password Policy
Desc: An attempt to modify the password policy occurred under account ${account_id}. Operating user name: ${user_name}, user type: ${user_type}, user id: ${ram_user_id}.
|
sls_app_actiontrail_cis_at_pwd_reset | Alert of Password Reset Event | Check every 15 minutes; the trigger condition is that there was a password reset event in the past 30 minutes. | __topic__: actiontrail_audit_event and (event.serviceName: Ram or event.serviceName: Ims) and event.eventName: ChangePassword | select "event.userIdentity.accountId" as account_id, arbitrary("event.userIdentity.principalId") as ram_user_id, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id
| Data is returned | Custom label: account_id | Title: Alert of Password Reset Event
Desc: A password reset event occurred under account ${account_id}. Operating user name: ${user_name}, user type: ${user_type}, user id: ${ram_user_id}.
|
sls_app_audit_cis_at_pwd_expire_policy | Alert of Abnormal Setting of RAM Password Expire Policy | According to the Alibaba Cloud CIS rules, the validity period of RAM passwords in the RAM password policy should be set to 90 days or less (configurable in the alert rule parameters). This rule is checked every 15 minutes, and the trigger condition is: in the past 30 minutes, an operation set an over-long password validity period (or disabled expiry, MaxPasswordAge = 0) in the RAM password policy. | __topic__: actiontrail_audit_event and event.eventName: SetPasswordPolicy | SELECT arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id, account_id, ram_user_id, count(1) as cnt FROM ( SELECT cast(json_extract("event.requestParameterJson", '$.MaxPasswordAge') as bigint) as user_max_pwd_age, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name, "event.userIdentity.principalId" as ram_user_id, "event.acsRegion" as region_id, "event.userIdentity.accountId" as account_id FROM log ) WHERE user_max_pwd_age > {{max_pwd_age}} or user_max_pwd_age = 0 group by account_id, ram_user_id limit 10000
| Data is returned | Custom labels: account_id and ram_user_id | Title: Alert of Abnormal Setting of RAM Password Expire Policy
Desc: The RAM password expiration policy of account ${account_id} is set abnormally. The operation account ID: ${ram_user_id}, account name: ${user_name}, and account type: ${user_type}. Abnormal modification times: ${cnt}, abnormal modification content: the password validity period in the password policy is too large, which is greater than the preset threshold of {{max_pwd_age}} days.
|
sls_app_audit_cis_at_pwd_length_policy | Alert of Abnormal Setting of RAM Password Length Policy | In the RAM password policy, the minimum RAM password length must not be less than 14 (configurable in the alert rule parameters); otherwise an alert is triggered. This rule is checked every 15 minutes over the logs of the past 30 minutes. | __topic__: actiontrail_audit_event and event.eventName: SetPasswordPolicy | SELECT arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id, account_id, ram_user_id, count(1) as cnt FROM ( SELECT cast(json_extract("event.requestParameterJson", '$.MinimumPasswordLength') as bigint) as user_min_pwd_len, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name, "event.userIdentity.principalId" as ram_user_id, "event.acsRegion" as region_id, "event.userIdentity.accountId" as account_id FROM log ) WHERE user_min_pwd_len < {{min_pwd_len}} or user_min_pwd_len = 0 group by account_id, ram_user_id limit 10000
| Data is returned | Custom labels: account_id and ram_user_id | Title: Alert of Abnormal Setting of RAM Password Length Policy
Desc: The RAM password length policy setting of account ${account_id} is abnormal. The operation account ID: ${ram_user_id}, account name: ${user_name}, and account type: ${user_type}. Abnormal modification times: ${cnt}, abnormal modification content: the minimum password length in RAM password policy is too short, which is less than the preset threshold {{min_pwd_len}}.
|
sls_app_actiontrail_cis_at_pwd_login_policy | Alert of Abnormal Settings for RAM Password Login Retry Policy | According to the Alibaba Cloud CIS rules, the RAM password login retry policy must not allow more than 5 login attempts with a wrong password within one hour (the threshold can be configured in the alert rule parameters). This rule is checked every 15 minutes, and the trigger condition is: in the past 30 minutes, an operation set a non-compliant RAM password login retry policy. | __topic__: actiontrail_audit_event and event.eventName: SetPasswordPolicy | SELECT arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id, account_id, ram_user_id, count(1) as cnt FROM ( SELECT cast(json_extract("event.requestParameterJson", '$.MaxLoginAttemps') as bigint) as user_max_login_attemps, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name, "event.userIdentity.principalId" as ram_user_id, "event.acsRegion" as region_id, "event.userIdentity.accountId" as account_id FROM log ) WHERE user_max_login_attemps > {{max_login_attemps}} or user_max_login_attemps = 0 group by account_id, ram_user_id limit 10000
| Data is returned | Custom labels: account_id and ram_user_id | Title: Alert of Abnormal Settings for RAM Password Login Retry Policy
Desc: The RAM password login retry policy setting of account ${account_id} is abnormal. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}. Abnormal modification times: ${cnt}, abnormal modification content: The count allowed to try to login with wrong password within one hour in RAM password retry policy is too large, exceeding the preset threshold: {{max_login_attemps}}.
|
sls_app_audit_cis_at_pwd_reuse_policy | Alert of Abnormal Setting of RAM Historical Passwords Check Policy | The RAM historical password check policy forbids reuse of the previous N passwords. The minimum value of N can be configured in the alert rule parameters; if the policy is set to a value below it, an alert is triggered. This rule is checked every 15 minutes over the logs of the past 30 minutes. | __topic__: actiontrail_audit_event and event.eventName: SetPasswordPolicy | SELECT arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id, account_id, ram_user_id, count(1) as cnt FROM ( SELECT cast(json_extract("event.requestParameterJson", '$.PasswordReusePrevention') as bigint) as user_max_reuse_prevention, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name, "event.userIdentity.principalId" as ram_user_id, "event.acsRegion" as region_id, "event.userIdentity.accountId" as account_id FROM log ) WHERE user_max_reuse_prevention < {{max_reuse_prevention}} or user_max_reuse_prevention = 0 group by account_id, ram_user_id limit 10000
| Data is returned | Custom labels: account_id and ram_user_id | Title: Alert of Abnormal Setting of RAM Historical Passwords Check Policy
Desc: The setting of RAM historical passwords check policy under account ${account_id} is abnormal. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}. Abnormal operation count: ${cnt}, abnormal operation contents: In RAM historical passwords check policy, the value of n in "Never use the previous n passwords" is too small, which is less than the preset threshold {{max_reuse_prevention}}.
|
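The four RAM password policy rules above share one pattern: read a field out of `event.requestParameterJson` from a SetPasswordPolicy event, compare it against a threshold, and count hits per (account_id, ram_user_id). The following is an added example, not code from the SLS ActionTrail CIS app, that runs all four checks over constructed ActionTrail-style events; the reuse-prevention minimum is an assumed value since the page does not state one.

```python
"""Evaluate SetPasswordPolicy audit events against the CIS thresholds.

Added example, not code from the SLS ActionTrail CIS app. It mirrors the four
RAM password policy rules (expire, length, login retry, reuse) over constructed
ActionTrail events: absent parameters are skipped (json_extract -> NULL in the
SQL), 0 disables expiry or retry limits and is therefore flagged, and results
are grouped by (account_id, ram_user_id) with a count, as the queries do.
"""
import json

# Rule parameters. 90 days, 14 characters and 5 attempts are the values the
# rules state; the reuse-prevention minimum is an assumed value.
THRESHOLDS = {
    "max_pwd_age": 90,
    "min_pwd_len": 14,
    "max_login_attemps": 5,      # parameter name spelled as in the rule
    "max_reuse_prevention": 5,   # assumed
}

# (request parameter, threshold key, non-compliance predicate, finding text)
CHECKS = [
    ("MaxPasswordAge", "max_pwd_age",
     lambda v, t: v == 0 or v > t, "password validity period too long"),
    ("MinimumPasswordLength", "min_pwd_len",
     lambda v, t: v < t, "minimum password length too short"),
    ("MaxLoginAttemps", "max_login_attemps",
     lambda v, t: v == 0 or v > t, "too many wrong-password login attempts allowed"),
    ("PasswordReusePrevention", "max_reuse_prevention",
     lambda v, t: v < t, "too few previous passwords blocked from reuse"),
]


def evaluate_event(event, thresholds=THRESHOLDS):
    """Return the non-compliant settings found in one SetPasswordPolicy event."""
    if event.get("event.eventName") != "SetPasswordPolicy":
        return []
    params = json.loads(event.get("event.requestParameterJson") or "{}")
    findings = []
    for param, key, is_bad, text in CHECKS:
        raw = params.get(param)
        if raw is None:
            continue                      # parameter not in this request
        try:
            value = int(raw)
        except (TypeError, ValueError):
            continue                      # cast(... as bigint) would be NULL
        if is_bad(value, thresholds[key]):
            findings.append(f"{text}: {param}={value}, threshold {thresholds[key]}")
    return findings


def aggregate(events, thresholds=THRESHOLDS):
    """Group non-compliant events by (account_id, ram_user_id) and count them."""
    groups = {}
    for ev in events:
        findings = evaluate_event(ev, thresholds)
        if not findings:
            continue
        key = (ev["event.userIdentity.accountId"], ev["event.userIdentity.principalId"])
        group = groups.setdefault(key, {
            "cnt": 0,
            "user_name": ev.get("event.userIdentity.userName"),
            "user_type": ev.get("event.userIdentity.type"),
            "findings": [],
        })
        group["cnt"] += 1
        group["findings"].extend(findings)
    return groups


def _event(name, principal_id, user_name, params):
    """Build a constructed ActionTrail-style event (not real audit data)."""
    return {
        "event.eventName": name,
        "event.userIdentity.accountId": "100000000000000",   # constructed
        "event.userIdentity.principalId": principal_id,
        "event.userIdentity.userName": user_name,
        "event.userIdentity.type": "ram-user",
        "event.requestParameterJson": json.dumps(params),
    }


SAMPLE_EVENTS = [
    _event("SetPasswordPolicy", "2001", "ops-admin",
           {"MinimumPasswordLength": 8, "MaxPasswordAge": 0}),      # two findings
    _event("SetPasswordPolicy", "2001", "ops-admin",
           {"MaxLoginAttemps": 5, "PasswordReusePrevention": 24}),   # compliant
    _event("SetPasswordPolicy", "2002", "sec-admin",
           {"MaxLoginAttemps": 10}),                                 # one finding
    _event("GetPasswordPolicy", "2002", "sec-admin", {}),            # out of scope
]

if __name__ == "__main__":
    for key, group in aggregate(SAMPLE_EVENTS).items():
        print(key, group["cnt"], group["findings"])
```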
sls_app_actiontrail_cis_at_ram_auth_change | Alert of RAM Auth Change | Check every 15 minutes and scan the logs of the past 30 minutes. When there exist logs of RAM authorization changes, an alert is triggered. | __topic__: actiontrail_audit_event and ((event.serviceName: ResourceManager and (event.eventName: AttachPolicy or event.eventName: DetachPolicy )) or event.serviceName: Ram and (event.eventName: AttachPolicyToUser or event.eventName: AttachPolicyToGroup or event.eventName: AttachPolicyToRole or event.eventName: DetachPolicyFromUser or event.eventName: DetachPolicyFromGroup or event.eventName: DetachPolicyFromRole)) | SELECT array_agg(distinct event_name) as event_name, count(1) as cnt, json_extract(requestParameterJson, '$.PolicyName') as policy_name, principal_type, account_id, json_extract(requestParameterJson, concat('$.', principal_name_field)) as principal_name from (SELECT "event.requestParameterJson" as requestParameterJson, "event.userIdentity.accountId" as account_id, "event.eventName" as event_name, CASE WHEN "event.eventName" like '%Role' THEN 'RoleName' WHEN "event.eventName" like '%Group' THEN 'GroupName' WHEN "event.eventName" like '%User' THEN 'UserName' ELSE 'PrincipalName' END AS principal_name_field, CASE WHEN "event.eventName" like '%Role' THEN 'ServiceRole' WHEN "event.eventName" like '%Group' THEN 'IMSGroup' WHEN "event.eventName" like '%User' THEN 'IMSUser' ELSE cast(json_extract("event.requestParameterJson", '$.PrincipalType') as varchar) END AS principal_type FROM log) group by policy_name, principal_name, account_id, principal_type limit 1000
| Data matches the expression cnt > 0 | Custom labels: account_id, principal_name, principal_type, and policy_name | Title: Alert of RAM Auth Change
Desc: Aliuid: ${account_id}, RAM user type: ${principal_type}, RAM account/role name: ${principal_name}, RAM policy name: ${policy_name}, change operations: ${event_name}, change count: ${cnt}.
|
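The RAM auth change rule above has to find the principal's name in a different request field depending on the event name (UserName, GroupName or RoleName for Ram events, PrincipalName for ResourceManager events) and then count changes per policy and principal. The following is an added example, not code from the SLS ActionTrail CIS app, that implements that resolution over constructed events and covers both the Attach* and Detach* variants.

```python
"""Resolve the principal of a RAM policy attach/detach event.

Added example, not code from the SLS ActionTrail CIS app. It applies the CASE
logic of the rule above to both Attach* and Detach* event names, handles the
ResourceManager events whose principal is named in the request, and groups
changes by policy and principal with a count, over constructed events.
"""
import json
from collections import defaultdict

# Ram service events: event name -> (principal_type, request field holding the name)
RAM_EVENTS = {
    "AttachPolicyToUser": ("IMSUser", "UserName"),
    "DetachPolicyFromUser": ("IMSUser", "UserName"),
    "AttachPolicyToGroup": ("IMSGroup", "GroupName"),
    "DetachPolicyFromGroup": ("IMSGroup", "GroupName"),
    "AttachPolicyToRole": ("ServiceRole", "RoleName"),
    "DetachPolicyFromRole": ("ServiceRole", "RoleName"),
}
# ResourceManager events carry PrincipalType and PrincipalName in the request.
RESOURCE_MANAGER_EVENTS = {"AttachPolicy", "DetachPolicy"}


def resolve_principal(event):
    """Return (principal_type, principal_name, policy_name), or None when out of scope."""
    service = event.get("event.serviceName")
    name = event.get("event.eventName")
    params = json.loads(event.get("event.requestParameterJson") or "{}")
    if service == "Ram" and name in RAM_EVENTS:
        principal_type, field = RAM_EVENTS[name]
    elif service == "ResourceManager" and name in RESOURCE_MANAGER_EVENTS:
        principal_type, field = params.get("PrincipalType"), "PrincipalName"
    else:
        return None
    return principal_type, params.get(field), params.get("PolicyName")


def summarize(events):
    """Group by (account_id, policy_name, principal_type, principal_name)."""
    groups = defaultdict(lambda: {"cnt": 0, "event_name": set()})
    for ev in events:
        resolved = resolve_principal(ev)
        if resolved is None:
            continue
        principal_type, principal_name, policy_name = resolved
        key = (ev["event.userIdentity.accountId"], policy_name, principal_type, principal_name)
        groups[key]["cnt"] += 1
        groups[key]["event_name"].add(ev["event.eventName"])
    return dict(groups)


def _event(service, name, params):
    """Constructed ActionTrail-style event (not real audit data)."""
    return {
        "event.serviceName": service,
        "event.eventName": name,
        "event.userIdentity.accountId": "100000000000000",   # constructed
        "event.requestParameterJson": json.dumps(params),
    }


SAMPLE_EVENTS = [
    _event("Ram", "AttachPolicyToUser",
           {"PolicyName": "AdministratorAccess", "PolicyType": "System", "UserName": "alice"}),
    _event("Ram", "DetachPolicyFromUser",
           {"PolicyName": "AdministratorAccess", "PolicyType": "System", "UserName": "alice"}),
    _event("Ram", "AttachPolicyToRole",
           {"PolicyName": "AliyunOSSFullAccess", "PolicyType": "System", "RoleName": "deploy-role"}),
    _event("ResourceManager", "AttachPolicy",
           {"PolicyName": "ReadOnlyAccess", "PolicyType": "System",
            "PrincipalType": "IMSUser", "PrincipalName": "bob@example.onaliyun.com"}),
    _event("Ram", "CreatePolicy", {"PolicyName": "custom-policy"}),   # not an attach/detach
]

if __name__ == "__main__":
    for key, group in summarize(SAMPLE_EVENTS).items():
        print(key, group["cnt"], sorted(group["event_name"]))
```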
sls_app_actiontrail_cis_at_mfa_login | Alert of RAM User Login without MFA | Check every 15 minutes and scan logs in the past 30 minutes. When there exist logs of RAM user logins without MFA check, an alert will be triggered. | __topic__: actiontrail_audit_event and event.eventName: ConsoleSignin and event.userIdentity.type: ram-user and event.additionalEventData.mfaChecked: false and (event.errorCode: null or not event.errorCode : *) | select "event.userIdentity.accountId" as root_account_id, "event.userIdentity.principalId" as ram_account_id, arbitrary("event.userIdentity.userName") as ram_account_name, count(1) as cnt group by root_account_id, ram_account_id limit 1000
| Data matches the expression cnt > 0 | Custom labels: root_account_id and ram_account_id | Title: Alert of RAM User Login without MFA
Desc: RAM user ${ram_account_id} (username: ${ram_account_name}) under account ${root_account_id} has logged in without MFA check ${cnt} times in the past 30 minutes.
|
sls_app_actiontrail_cis_at_ram_policy_change | RAM Policy Change Alert | Check every 15 minutes over the logs of the past 30 minutes; an alert is triggered when a RAM policy changes. | (event.serviceName: ResourceManager or event.serviceName: Ram) and (event.eventName: CreatePolicy or event.eventName: DeletePolicy or event.eventName: CreatePolicyVersion or event.eventName: UpdatePolicyVersion or event.eventName: SetDefaultPolicyVersion or event.eventName: DeletePolicyVersion) | select account_id, ram_user_id, event_name, resourceArray[num] as policy_name, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM (SELECT "event.userIdentity.accountId" as account_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::RAM::Policy') as num, "event.eventName" as event_name, "event.userIdentity.principalId" as ram_user_id, case when "event.userIdentity.type"='root-account' then 'Aliuid' when "event.userIdentity.type"='ram-user' then 'RAM_User' when "event.userIdentity.type"='assumed-role' then 'RAM_Role' when "event.userIdentity.type"='system' then 'Aliyun_Service' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name FROM log) where num > 0 group by account_id, ram_user_id, event_name, policy_name limit 5000
| Data is returned | Custom labels: account_id, ram_user_id, event_name, and policy_name | Title: Account ${account_id} RAM policy change
Desc: Account ${account_id} RAM policy change. RAM policy name: ${policy_name}, change type: ${event_name}. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_rds_whitelist | Alert of Abnormal Setting for RDS Instance Access Whitelist | The access whitelist of an RDS instance should not be set to 0.0.0.0; otherwise an alert is triggered. It is checked every 15 minutes, and the trigger condition is: in the past 30 minutes, there was an RDS instance whitelist setting operation with the above abnormality. | __topic__: actiontrail_audit_event and event.serviceName: Rds and event.eventName: ModifySecurityIps | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, resourceArray[db_num] as db_instance_id, arbitrary(security_ips) as security_ips FROM ( SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name, split("event.resourceName", ';') as resourceArray, cast(json_extract("event.requestParameterJson", '$.SecurityIps') as varchar) as security_ips, array_position(split("event.resourceType", ';'), 'ACS::RDS::DBInstance') as db_num FROM log ) WHERE regexp_like(security_ips, '(^|,)\s*0\.0\.0\.0(/0)?\s*(,|$)') and db_num > 0 group by account_id, ram_user_id, db_instance_id limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and db_instance_id | Title: Alert of Abnormal Setting for RDS Instance Access Whitelist
Desc: The access whitelist of RDS instance ${db_instance_id} under account ${account_id} is opened to ${security_ips}. Please check whether there is any risk. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
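Two details of the RDS whitelist rule above are worth seeing in code: the instance ID is recovered by splitting resourceName and resourceType on ';' and taking the position of ACS::RDS::DBInstance, and the whitelist has to be tested entry by entry, because a plain substring test for '0.0.0.0' (like '%0.0.0.0%') also matches private ranges such as 10.0.0.0/8. The following is an added example, not code from the SLS ActionTrail CIS app, run over constructed events; the resource type other than ACS::RDS::DBInstance in the sample is a placeholder.

```python
"""Flag ModifySecurityIps events that open an RDS whitelist to everyone.

Added example, not code from the SLS ActionTrail CIS app. It resolves the
instance ID the way the rule does (split resourceName and resourceType on ';'
and take the position of ACS::RDS::DBInstance) and tests each whitelist entry
exactly, so that 0.0.0.0 and 0.0.0.0/0 are flagged while 10.0.0.0/8, which a
plain substring test for '0.0.0.0' also matches, is not. Events are constructed.
"""
import json
import re

# An entry that admits every source address.
OPEN_ENTRY = re.compile(r"^0\.0\.0\.0(/0)?$")


def resource_id(event, resource_type):
    """Pick the resourceName at the position of resource_type in resourceType."""
    types = (event.get("event.resourceType") or "").split(";")
    names = (event.get("event.resourceName") or "").split(";")
    try:
        idx = types.index(resource_type)
    except ValueError:
        return None                     # array_position -> 0, row dropped
    return names[idx] if idx < len(names) else None


def substring_match(security_ips):
    """A plain substring test, equivalent to like '%0.0.0.0%'."""
    return "0.0.0.0" in security_ips


def exact_match(security_ips):
    """Only an entry equal to 0.0.0.0 or 0.0.0.0/0 counts as open."""
    return any(OPEN_ENTRY.match(entry.strip()) for entry in security_ips.split(","))


def check_event(event, matcher=exact_match):
    """Return the alert fields for an open-whitelist event, else None."""
    if (event.get("event.serviceName") != "Rds"
            or event.get("event.eventName") != "ModifySecurityIps"):
        return None
    db_instance_id = resource_id(event, "ACS::RDS::DBInstance")
    if db_instance_id is None:
        return None
    params = json.loads(event.get("event.requestParameterJson") or "{}")
    security_ips = str(params.get("SecurityIps", ""))
    if not matcher(security_ips):
        return None
    return {
        "account_id": event["event.userIdentity.accountId"],
        "ram_user_id": event["event.userIdentity.principalId"],
        "db_instance_id": db_instance_id,
        "security_ips": security_ips,
        "user_name": event.get("event.userIdentity.userName"),
        "user_type": event.get("event.userIdentity.type"),
    }


def _event(security_ips, instance="rm-constructed01"):
    """Constructed ActionTrail-style event (not real audit data)."""
    return {
        "event.serviceName": "Rds",
        "event.eventName": "ModifySecurityIps",
        # Placeholder first resource type; only ACS::RDS::DBInstance matters here.
        "event.resourceType": "ACS::Placeholder::Other;ACS::RDS::DBInstance",
        "event.resourceName": "placeholder-resource;" + instance,
        "event.userIdentity.accountId": "100000000000000",   # constructed
        "event.userIdentity.principalId": "2001",
        "event.userIdentity.userName": "dba",
        "event.userIdentity.type": "ram-user",
        "event.requestParameterJson": json.dumps(
            {"DBInstanceId": instance, "SecurityIps": security_ips}),
    }


SAMPLE_EVENTS = [
    _event("0.0.0.0/0"),                       # open to the world: flagged
    _event("10.0.0.0/8,192.168.1.0/24"),       # private ranges: substring test misfires
    _event("203.0.113.5"),                      # single host: not flagged
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        ips = json.loads(ev["event.requestParameterJson"])["SecurityIps"]
        print(ips, "substring:", substring_match(ips), "exact:", check_event(ev) is not None)
```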
sls_app_actiontrail_cis_at_rds_conf_change | RDS Instance Configuration Change Alert | Check every 15 minutes; the trigger condition is that there were RDS instance configuration change events in the past 30 minutes. | event.serviceName: Rds AND (event.eventName: ModifyHASwitchConfig OR event.eventName: ModifyDBInstanceHAConfig OR event.eventName: SwitchDBInstanceHA OR event.eventName: ModifyDBInstanceSpec OR event.eventName: MigrateSecurityIPMode OR event.eventName: ModifySecurityIps OR event.eventName: ModifyDBInstanceSSL OR event.eventName: MigrateToOtherZone OR event.eventName: UpgradeDBInstanceKernelVersion OR event.eventName: UpgradeDBInstanceEngineVersion OR event.eventName: ModifyDBInstanceMaintainTime OR event.eventName: ModifyDBInstanceAutoUpgradeMinorVersion OR event.eventName: AllocateInstancePublicConnection OR event.eventName: ModifyDBInstanceConnectionString OR event.eventName: ModifyDBInstanceNetworkExpireTime OR event.eventName: ReleaseInstancePublicConnection OR event.eventName: SwitchDBInstanceNetType OR event.eventName: ModifyDBInstanceNetworkType OR event.eventName: ModifyDBInstanceSSL OR event.eventName: ModifyDTCSecurityIpHostsForSQLServer OR event.eventName: ModifySecurityGroupConfiguration OR event.eventName: CreateBackup OR event.eventName: ModifyBackupPolicy OR event.eventName: DeleteBackup OR event.eventName: CreateDdrInstance OR event.eventName: ModifyInstanceCrossBackupPolicy OR event.eventName: ModifySQLCollectorPolicy OR event.eventName: ModifyDBInstanceTDE) | SELECT account_id, resourceArray[num] as db_instance_id, event_name, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM (SELECT "event.userIdentity.accountId" as account_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::RDS::DBInstance') as num, "event.eventName" as event_name, "event.userIdentity.principalId" as ram_user_id, case when "event.userIdentity.type"='root-account' then 'Aliuid' when "event.userIdentity.type"='ram-user' then 'RAM_User' when "event.userIdentity.type"='assumed-role' then 'RAM_Role' when "event.userIdentity.type"='system' then 'Aliyun_Service' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name FROM log) where num > 0 group by account_id, ram_user_id, db_instance_id, event_name limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, db_instance_id, and event_name | Title: RDS instance configuration change alert
Desc: The configuration of the RDS instance ${db_instance_id} under account ${account_id} has changed. Change type: ${event_name}. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_rds_sql_audit | Alert of Turning off RDS SQL Insight | SQL Insight on an RDS instance should remain on; turning it off triggers an alert. Check every 15 minutes; the trigger condition is: in the past 30 minutes, there was an operation that turned off RDS SQL Insight. | __topic__: actiontrail_audit_event and event.serviceName: Rds and event.eventName: ModifySQLCollectorPolicy | SELECT account_id, resourceArray[db_num] as db_instance_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::RDS::DBInstance') as db_num, cast(json_extract("event.requestParameterJson", '$.SQLCollectorStatus') as varchar) as status, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE db_num > 0 and status = 'Disabled' group by account_id, ram_user_id, db_instance_id limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and db_instance_id | Title: Alert of Turning off RDS SQL Insight
Desc: The SQL insight of RDS instance ${db_instance_id} under account ${account_id} has been turned off. Please check whether there is any risk. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_rds_ssl_config | Alert of Turning off RDS Instance SSL | SSL on an RDS instance should remain on; turning it off triggers an alert. Check every 15 minutes; the trigger condition is: in the past 30 minutes, there was an operation that turned off SSL on an RDS instance. | __topic__: actiontrail_audit_event and event.serviceName: Rds and event.eventName: ModifyDBInstanceSSL | SELECT account_id, resourceArray[db_num] as db_instance_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( SELECT "event.userIdentity.accountId" as account_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::RDS::DBInstance') as db_num, cast(json_extract("event.requestParameterJson", '$.SSLEnabled') as varchar) as sslEnabled, "event.userIdentity.principalId" as ram_user_id, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE db_num > 0 and sslEnabled = '0' group by account_id, ram_user_id, db_instance_id limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and db_instance_id | Title: Alert of Turning off RDS Instance SSL
Desc: SSL of RDS instance ${db_instance_id} under account ${account_id} has been turned off. Please check whether there is any risk. Operation account id: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_root_ak_usage | Root Account AK Usage Detection | Check every 15 minutes; the trigger condition is that there is a usage record of a root account AccessKey in the past 30 minutes. The root account should not create or use an AccessKey; otherwise an alert is triggered. | __topic__: actiontrail_audit_event and event.userIdentity.type: root-account and event.userIdentity.accessKeyId: * and not event.userIdentity.accessKeyId: NULL | select date_format(min(__time__), '%Y-%m-%d %H:%i:%S') as min_time, date_format(max(__time__), '%Y-%m-%d %H:%i:%S') as latest_time, "event.userIdentity.accountId" as account_id, "event.userIdentity.accessKeyId" as access_key_id, sum(case when "event.errorCode" is NULL or "event.errorCode" = '' then 1 else 0 end) as success_cnt, sum(case when "event.errorCode" is NULL or "event.errorCode" = '' then 0 else 1 end) as fail_cnt group by account_id, access_key_id limit 10000
| Data matches the expression success_cnt > 0 | Custom labels: account_id and access_key_id | Title: ${account_id} using the Root AccessKey ${access_key_id}
Desc: ${account_id} uses the root AccessKey ${access_key_id}: success count: ${success_cnt}, fail count: ${fail_cnt}, last usage time: ${latest_time}, earliest usage time: ${min_time}.
|
sls_app_actiontrail_cis_at_root_login | Alert for Continuous Login of Root Account | Root users should not log in too frequently. Check every 15 minutes; the trigger condition is: the root account has logged in more than 5 times (configurable in the rule parameters) within 30 minutes. | __topic__: actiontrail_audit_event and event.eventName: ConsoleSignin and event.userIdentity.type: root-account | select "event.userIdentity.accountId" as account_id, count(1) as cnt group by account_id limit 10000
| Data matches the expression cnt > {{root_login_times_per_day}} | Custom label: account_id | Title: The Root user ${account_id} logged in too frequently in the last 30 minutes
Desc: Account ${account_id} logged in ${cnt} times in the last 30 minutes, exceeding the specified threshold {{root_login_times_per_day}}.
|
sls_app_actiontrail_cis_at_sas_webshell_detec | SAS Webpage Anti-tampering Protection Status Disabled Alert | The Cloud Security Center (SAS) webpage anti-tampering protection on your servers should stay enabled; an alert is triggered when it is disabled. Check every 15 minutes over the events of the past 30 minutes. | __topic__: actiontrail_audit_event and event.serviceName: aegis and event.eventName: ModifyWebLockStatus | SELECT account_id, ram_user_id, uuid, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( SELECT "event.userIdentity.accountId" as account_id, cast(json_extract("event.requestParameterJson", '$.Uuid') as varchar) as uuid, cast(json_extract("event.requestParameterJson", '$.Status') as varchar) as status, "event.userIdentity.principalId" as ram_user_id, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE status = 'off' group by account_id, ram_user_id, uuid limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and uuid | Title: SAS Webpage Anti-tampering Protection Status Disabled Alert
Desc: The webpage tamper protection of the server (uuid: ${uuid}) in Cloud Security Center (SAS) under account ${account_id} has been disabled. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_sas_webshell_unbind | SAS Webpage Anti-tampering Protection Unbinding Alert | An alert is triggered when a server is unbound from the webpage anti-tampering protection of Cloud Security Center (SAS). Check every 15 minutes over the events of the past 30 minutes. | __topic__: actiontrail_audit_event and event.serviceName: aegis and event.eventName: ModifyWebLockUnbind | SELECT account_id, ram_user_id, uuid, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( SELECT "event.userIdentity.accountId" as account_id, cast(json_extract("event.requestParameterJson", '$.Uuid') as varchar) as uuid, "event.userIdentity.principalId" as ram_user_id, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) group by account_id, ram_user_id, uuid limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and uuid | Title: SAS Webpage Anti-tampering Protection Unbinding Alert
Desc: The server (uuid: ${uuid}) under the account ${account_id} has been unbound from the webpage anti-tampering protection of the Cloud Security Center (SAS). Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_securitygroup_change | Security Group Configuration Change Alert | Check every 15 minutes; the trigger condition is that there was a security group configuration change event in the past 30 minutes. | event.serviceName: Ecs and (event.eventName: CreateSecurityGroup OR event.eventName: AuthorizeSecurityGroup OR event.eventName: AuthorizeSecurityGroupEgress OR event.eventName: RevokeSecurityGroup OR event.eventName: RevokeSecurityGroupEgress OR event.eventName: JoinSecurityGroup OR event.eventName: LeaveSecurityGroup OR event.eventName: DeleteSecurityGroup OR event.eventName: ModifySecurityGroupPolicy OR event.eventName: ConfigureSecurityGroupPermissions) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary(case when "event.userIdentity.type"='root-account' then 'Aliuid' when "event.userIdentity.type"='ram-user' then 'RAM_User' when "event.userIdentity.type"='assumed-role' then 'RAM_Role' when "event.userIdentity.type"='system' then 'Aliyun_Service' else "event.userIdentity.type" end) as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name limit 5000
| Data is returned | Custom labels: account_id, ram_user_id, and event_name | Title: The security group configuration has changed under account ${account_id}
Desc: The security group configuration under account ${account_id} has changed. Change type: ${event_name}. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_trail_off | Alert of Attempt to Turn off Trails | Check every 15 minutes; the trigger condition is that there was an attempt to turn off trails in the past 30 minutes. | __topic__: actiontrail_audit_event and event.serviceName: Actiontrail and (event.eventName: DeleteTrail or event.eventName: StopLogging) | select "event.userIdentity.accountId" as account_id, arbitrary("event.userIdentity.principalId") as ram_user_id, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id
| Data is returned | Custom label: account_id | Title: Alert of Attempt to Turn off Trails
Desc: An attempt was made to turn off the trails under account ${account_id}. Operating account name: ${user_name}, account type: ${user_type}, account ID: ${ram_user_id}.
|
sls_app_actiontrail_cis_at_unauth_apicall | Alert for Unauthorized API Calls | Check every 15 minutes; the trigger condition is that the number of unauthorized API calls within 30 minutes exceeds the specified threshold. The trigger threshold can be configured in the rule parameters. | event.eventType: ApiCall and (event.errorCode: NoPermission or event.errorCode: NoPermission.* or event.errorCode: Forbidden or event.errorCode: Forbbiden or event.errorCode: Forbidden.* or event.errorCode: InvalidAccessKeyId or event.errorCode: InvalidAccessKeyId.* or event.errorCode: InvalidSecurityToken or event.errorCode: InvalidSecurityToken.* or event.errorCode: SignatureDoesNotMatch or event.errorCode: InvalidAuthorization or event.errorCode: AccessForbidden or event.errorCode: NotAuthorized) | select "event.userIdentity.accountId" as account_id, "event.serviceName" as service_name, "event.sourceIpAddress" as source_ip, count(1) as cnt group by account_id, service_name, source_ip order by cnt desc limit 10000
| Data matches the expression cnt > {{unauth_apicall_times}} | Custom labels: account_id, service_name, and source_ip | Title: Too many unauthorized API calls in the past 30 minutes
Desc: ${source_ip} has made too many unauthorized API calls (${cnt} times) to the ${service_name} service under account ${account_id} in the past 30 minutes.
|
sls_app_actiontrail_cis_at_unauth_login | Unauthorized IP Login Alert | Check every 15 minutes over the logs of the past 30 minutes. A login from an IP address outside the whitelist triggers an alert. | __topic__: actiontrail_audit_event and event.eventName: ConsoleSignin and (not event.errorMessage: * or event.errorMessage: success) | select "event.userIdentity.principalId" as user_id, "event.sourceIpAddress" as ip, arbitrary("event.userIdentity.userName") as user_name, arbitrary("event.userIdentity.type") as user_type, count(DISTINCT __time__) as cnt group by user_id, ip limit 10000
| Data is returned | Custom labels: user_id and ip | Title: Unauthorized IP Login Alert
Desc: Source IP ${ip}, which is not in the IP whitelist, has logged into this account ${cnt} times in the past 30 minutes, and the login user name is '${user_name}'(id:${user_id}).
|
sls_app_actiontrail_cis_at_vpc_conf_change | VPC Configuration Change Alert | Check every 15 minutes; the trigger condition is that there were VPC configuration change events in the past 30 minutes. | (event.serviceName: Ecs or event.serviceName: Vpc) and (event.eventName: CreateVpc or event.eventName: DeleteVpc or event.eventName: DisableVpcClassicLink or event.eventName: EnableVpcClassicLink or event.eventName: DeletionProtection or event.eventName: AssociateVpcCidrBlock or event.eventName: UnassociateVpcCidrBlock or event.eventName: RevokeInstanceFromCen or event.eventName: CreateVSwitch or event.eventName: DeleteVSwitch or event.eventName: CreateVSwitch) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary(case when "event.userIdentity.type"='root-account' then 'Aliuid' when "event.userIdentity.type"='ram-user' then 'RAM_User' when "event.userIdentity.type"='assumed-role' then 'RAM_Role' when "event.userIdentity.type"='system' then 'Aliyun_Service' else "event.userIdentity.type" end) as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name limit 5000
| Data is returned | Custom labels: account_id, ram_user_id, and event_name | Title: The VPC configuration under account ${account_id} has changed
Desc: The VPC configuration under account ${account_id} changed. Change type: ${event_name}. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_vpc_flowlog_off | Alert of Abnormal Change of VPC Flowlog Configuration | All VPCs should have flow logs enabled; deactivating or deleting a flow log triggers an alert. Check every 15 minutes over the events of the past 30 minutes. | __topic__: actiontrail_audit_event and event.serviceName: Vpc and (event.eventName: DeactiveFlowLog or event.eventName: DeleteFlowLog) | SELECT "event.userIdentity.accountId" as account_id, cast(json_extract("event.requestParameterJson", '$.FlowLogId') as varchar) as flow_log_id, "event.userIdentity.principalId" as ram_user_id, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, flow_log_id limit 10000
| Data is returned | Custom labels: account_id, ram_user_id, and flow_log_id | Title: Alert of Abnormal Change of VPC Flowlog Configuration
Desc: The flowlog ${flow_log_id} under account ${account_id} has been deactivated or deleted. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_vpc_route_change | VPC Network Route Change Alert | Check every 15 minutes; the trigger condition is that a VPC network route configuration change event exists in the past 30 minutes. | (event.serviceName: Ecs or event.serviceName: Vpc) and (event.eventName: CreateRouteEntry or event.eventName: DeleteRouteEntry or event.eventName: ModifyRouteEntry or event.eventName: AssociateRouteTable or event.eventName: UnassociateRouteTable) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary(case when "event.userIdentity.type"='root-account' then 'Aliuid' when "event.userIdentity.type"='ram-user' then 'RAM_User' when "event.userIdentity.type"='assumed-role' then 'RAM_Role' when "event.userIdentity.type"='system' then 'Aliyun_Service' else "event.userIdentity.type" end) as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name limit 5000
| Data is returned | Custom labels: account_id, ram_user_id, and event_name | Title: The VPC network route configuration has changed under account ${account_id}
Desc: The VPC network route configuration has changed under account ${account_id}. Change type: ${event_name}. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_slb_http | LoadBalancer (SLB) HTTP Access Protocol Enabled Alert | LoadBalancer (SLB) should disable access over the HTTP protocol and only allow access over the HTTPS protocol. Check every 15 minutes; the trigger condition is that an event enabling the LoadBalancer HTTP access protocol occurred in the past 30 minutes. | event.serviceName: Slb and event.eventName: CreateLoadBalancerHTTPListener | SELECT resourceArray[num] as instance_id, account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, case when "event.userIdentity.type"='root-account' then 'Aliuid' when "event.userIdentity.type"='ram-user' then 'RAM_User' when "event.userIdentity.type"='assumed-role' then 'RAM_Role' when "event.userIdentity.type"='system' then 'Aliyun_Service' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::SLB::LoadBalancer') as num FROM log) where num > 0 group by account_id, ram_user_id, instance_id
| Data is returned | Custom labels: instance_id, account_id, and ram_user_id | Title: LoadBalancer (SLB) HTTP Access Protocol Enabled Alert
Desc: The HTTP access protocol for the LoadBalancer (SLB) instance ${instance_id} under account ${account_id} has been enabled. SLB should disallow access over HTTP and only allow access over HTTPS. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
|
sls_app_actiontrail_cis_at_rds_instance_del | RDS Instance Released Alert | Check every 15 minutes; the trigger condition is that RDS instance release events exist in the past 30 minutes. | event.serviceName: RDS and (event.eventName: DeleteDBInstance or event.eventName: Release or event.eventName: DestroyDBInstance) | SELECT account_id, resourceArray[num] as instance_id, ram_user_id, user_type, user_name FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::RDS::DBInstance') as num, case when "event.userIdentity.type"='root-account' then 'Aliuid' when "event.userIdentity.type"='ram-user' then 'RAM_User' when "event.userIdentity.type"='assumed-role' then 'RAM_Role' when "event.userIdentity.type"='system' then 'Aliyun_Service' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name FROM log ) where num > 0
| Data is returned | Custom labels: account_id and instance_id | Title: RDS Instance Released Alert
Desc: The RDS instance ${instance_id} under account ${account_id} has been released. Operation account type: ${user_type}, operation account ID: ${ram_user_id}, operation account username: ${user_name}.
|
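The SLB and RDS rules above share one extraction pattern: ActionTrail records the resources an API call touched as two ';'-joined parallel lists (resourceName and resourceType), so the queries split both, look up the position of the wanted type with array_position, and read the name at that index, discarding events where the type is absent (num > 0). They also normalise userIdentity.type into a readable label. The following Python is an added example that re-implements that logic over constructed events so the pairing and the filtering can be checked offline; it is not code from the SLS ActionTrail app, the rule ids and field names are those of the table, and the event values are made up. Both rules are evaluated with the SLB query's grouping (one row per account, operator and instance).

```python
# Added example: re-implements the resource-extraction and user-type logic of the
# SLB HTTP listener and RDS release rules over constructed ActionTrail-style events.
# Event values below are constructed sample data, not real audit records.
SAMPLE_EVENTS = [
    {   # matches the SLB rule; the LoadBalancer id is the first resource of two
        "event.serviceName": "Slb",
        "event.eventName": "CreateLoadBalancerHTTPListener",
        "event.userIdentity.accountId": "1000000000000001",
        "event.userIdentity.principalId": "2000000000000001",
        "event.userIdentity.type": "ram-user",
        "event.userIdentity.userName": "ops-bot",
        "event.resourceName": "lb-example001;lsn-example001",
        "event.resourceType": "ACS::SLB::LoadBalancer;ACS::SLB::Listener",
    },
    {   # matches the RDS rule; performed by the root account
        "event.serviceName": "RDS",
        "event.eventName": "DeleteDBInstance",
        "event.userIdentity.accountId": "1000000000000001",
        "event.userIdentity.principalId": "1000000000000001",
        "event.userIdentity.type": "root-account",
        "event.userIdentity.userName": "root",
        "event.resourceName": "rm-example002",
        "event.resourceType": "ACS::RDS::DBInstance",
    },
    {   # RDS release event without resource annotations: filtered by "num > 0"
        "event.serviceName": "RDS",
        "event.eventName": "Release",
        "event.userIdentity.accountId": "1000000000000001",
        "event.userIdentity.principalId": "2000000000000002",
        "event.userIdentity.type": "assumed-role",
        "event.userIdentity.userName": "deploy-role",
        "event.resourceName": "",
        "event.resourceType": "",
    },
    {   # different service: ignored by both rules
        "event.serviceName": "Vpc",
        "event.eventName": "DeleteVpc",
        "event.userIdentity.accountId": "1000000000000001",
        "event.userIdentity.principalId": "2000000000000001",
        "event.userIdentity.type": "ram-user",
        "event.userIdentity.userName": "ops-bot",
        "event.resourceName": "vpc-example003",
        "event.resourceType": "ACS::VPC::VPC",
    },
]

# Same mapping as the CASE expression in the queries; unknown types pass through.
USER_TYPE_LABELS = {
    "root-account": "Aliuid",
    "ram-user": "RAM_User",
    "assumed-role": "RAM_Role",
    "system": "Aliyun_Service",
}

# Filter and resource type of the two rules, taken from the table rows above.
RULES = {
    "sls_app_actiontrail_cis_at_slb_http": {
        "service": "Slb",
        "events": {"CreateLoadBalancerHTTPListener"},
        "resource_type": "ACS::SLB::LoadBalancer",
    },
    "sls_app_actiontrail_cis_at_rds_instance_del": {
        "service": "RDS",
        "events": {"DeleteDBInstance", "Release", "DestroyDBInstance"},
        "resource_type": "ACS::RDS::DBInstance",
    },
}


def user_type_label(raw_type):
    """CASE WHEN ... END from the queries: readable label, else the raw value."""
    return USER_TYPE_LABELS.get(raw_type, raw_type)


def resource_of_type(event, wanted_type):
    """split(resourceName) [ array_position(split(resourceType), wanted) ].

    resourceName and resourceType are parallel ';'-joined lists; the name at the
    index where the type matches is the resource id. Returns None when the type
    is absent (the queries' `where num > 0`) or the lists are misaligned.
    """
    names = event.get("event.resourceName", "").split(";")
    types = event.get("event.resourceType", "").split(";")
    try:
        idx = types.index(wanted_type)
    except ValueError:
        return None
    return names[idx] if idx < len(names) else None


def evaluate(rule_id, events):
    """Apply one rule to a batch of events; one row per (account, operator, instance)."""
    rule = RULES[rule_id]
    rows = {}
    for ev in events:
        if ev.get("event.serviceName") != rule["service"]:
            continue
        if ev.get("event.eventName") not in rule["events"]:
            continue
        instance_id = resource_of_type(ev, rule["resource_type"])
        if instance_id is None:
            continue
        key = (ev["event.userIdentity.accountId"],
               ev["event.userIdentity.principalId"], instance_id)
        rows.setdefault(key, {
            "account_id": key[0], "ram_user_id": key[1], "instance_id": instance_id,
            "user_type": user_type_label(ev.get("event.userIdentity.type")),
            "user_name": ev.get("event.userIdentity.userName"),
        })
    return list(rows.values())


if __name__ == "__main__":
    for rule_id in RULES:
        for row in evaluate(rule_id, SAMPLE_EVENTS):
            print(rule_id, row)
```

The third sample event shows why the `num > 0` filter matters: a release event whose resource lists are empty would otherwise produce a row with no instance id, and an alert that names no resource is hard to act on.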
sls_app_actiontrail_ipsight | IpInsight Alert | Check every 15 minutes; the trigger condition is that IpInsight events exist in the past 30 minutes. | event.insightDetails.insightType: IpInsight | select array_agg(distinct "event.acsRegion") as regions, array_agg(distinct "event.insightDetails.sourceIpAddress") as ips, count(1) as cnt from log
| Data matches the expression cnt > 0 | No Grouping | Title: IpInsight Alert
Desc: Regions ${regions} have IpInsight alerts. Source IPs are ${ips}; please check as soon as possible. Detailed logs can be viewed in the ActionTrail Insight console.
|