
ActionTrail


This topic describes the built-in alert monitoring rules used to monitor ActionTrail audit logs.

After you create a trail in the ActionTrail console and deliver the trail data to Log Service (SLS), you can enable the built-in alert monitoring rules under Event Alerts in the ActionTrail console to monitor your ActionTrail events.

The built-in ActionTrail alert monitoring rules are listed below. If the built-in rules do not meet your needs, you can create custom alert monitoring rules. For details, see Create an alert monitoring rule for logs.

Important

The trigger conditions of some rules reference variables (for example {{threshold}}). Replace them with the default values given in the rule description, or with values that fit your environment.

Each rule below is listed with the following fields: alert rule ID, alert rule name, description, query and analysis statement, trigger condition, group evaluation (custom labels), and alert information (alert title and alert description).

Alert rule ID: sls_app_actiontrail_cis_at_ak_abn_use
Alert rule name: Abnormal AccessKey usage frequency alert
Description: Checked every 15 minutes. The alert fires when the number of failed AccessKey uses in the past 30 minutes exceeds the configured threshold. You can set the threshold in the alert rule parameters.
Query statement: __topic__: actiontrail_audit_event and event.errorCode is not NULL and event.errorCode != '' and event.userIdentity.accessKeyId: * | select date_format(min(__time__), '%Y-%m-%d %H:%i:%S') as min_time, date_format(max(__time__), '%Y-%m-%d %H:%i:%S') as latest_time, "event.userIdentity.accountId" as account_id, "event.userIdentity.accessKeyId" as access_key_id, sum(case when "event.errorCode" is NULL or "event.errorCode" = '' then 0 else 1 end) as fail_cnt group by account_id, access_key_id limit 10000
Trigger condition: Data matched: fail_cnt > {{threshold}}
Group evaluation: Custom labels: account_id, access_key_id
Alert title: Abnormal AccessKey usage frequency alert
Alert description: In the past 30 minutes, AccessKey ID ${access_key_id} under account ${account_id} was used abnormally too often (${fail_cnt} failures).

Alert rule ID: sls_app_actiontrail_cis_at_abnormal_login_count
Alert rule name: Consecutive failed logins alert
Description: Checked every 15 minutes. The alert fires when the number of consecutive failed logins in the past 30 minutes is too high. You can set the threshold in the alert rule parameters; the default is 5.
Query statement: __topic__: actiontrail_audit_event and event.eventName: ConsoleSignin and event.errorMessage: * and not event.errorMessage: success | select "event.userIdentity.principalId" as user_id, "event.userIdentity.userName" as user_name, count(1) as cnt group by user_id, user_name limit 10000
Trigger condition: Data matched: cnt > {{max_login_attemps}}
Group evaluation: Custom labels: user_id, user_name
Alert title: User ${user_name} (id: ${user_id}) had too many failed logins within 30 minutes
Alert description: User ${user_name} (id: ${user_id}) failed to log in ${cnt} times in the past 30 minutes, exceeding the preset threshold {{max_login_attemps}}.

Alert rule ID: sls_app_actiontrail_cis_at_pwd_change_cnt
Alert rule name: Abnormal password change frequency alert
Description: Checked every 15 minutes. The alert fires when the number of password change operations in the past 30 minutes exceeds the configured threshold (by default, more than 1). You can set the threshold in the alert rule parameters.
Query statement: __topic__: actiontrail_audit_event and (((event.serviceName: Ram or event.serviceName: Ims) and event.eventName: ChangePassword) or (event.serviceName: AasCustomer and event.eventName: PasswordReset)) | select count(1) as cnt, "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id limit 10000
Trigger condition: Data matched: cnt > {{threshold}}
Group evaluation: Custom labels: account_id, ram_user_id
Alert title: Abnormal password change frequency alert
Alert description: Account ${account_id} changed passwords abnormally often in the past 30 minutes (${cnt} password change operations). Operator account ID: ${ram_user_id}, operator account name: ${user_name}, operator account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_ak_conf_change
Alert rule name: KMS key configuration change alert
Description: Checked every 15 minutes. The alert fires when a KMS key configuration change (such as disabling or scheduling deletion of a key) occurred in the past 30 minutes.
Query statement: event.serviceName: Kms and (event.eventName: DisableKey or event.eventName: ScheduleKeyDeletion or event.eventName: DeleteKeyMaterial) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary(case when "event.userIdentity.type"='root-account' then '阿里云主账号' when "event.userIdentity.type"='ram-user' then 'RAM用户' when "event.userIdentity.type"='assumed-role' then 'RAM角色' when "event.userIdentity.type"='system' then '阿里云服务' else "event.userIdentity.type" end) as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id, event_name
Alert title: KMS key configuration changed under account ${account_id}
Alert description: The KMS key configuration under account ${account_id} was changed. Change type: ${event_name}. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_api_err
Alert rule name: API error frequency alert
Description: Checked every 15 minutes. The alert fires when the number of API call errors in the past 30 minutes exceeds the configured threshold. You can set the threshold in the alert rule parameters.
Query statement: __topic__: actiontrail_audit_event and event.errorCode: * | select "event.userIdentity.accountId" as account_id, arbitrary("event.userIdentity.principalId") as ram_user_id, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name, count(1) as cnt group by account_id
Trigger condition: Data matched: cnt > {{threshold}}
Group evaluation: Custom labels: account_id
Alert title: API error frequency alert
Alert description: In the past 30 minutes, account ${account_id} had an abnormally high API error rate (${cnt} errors), exceeding the preset threshold ({{threshold}}).

Alert rule ID: sls_app_actiontrail_cis_at_cfw_ai_off
Alert rule name: Cloud Firewall intelligent defense disabled alert
Description: The alert fires when intelligent defense of Cloud Firewall is disabled. Checked every 15 minutes against events from the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: ModifyDefaultIPSConfig | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.AiRules') as varchar) as aiRules, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE aiRules = '0' group by account_id, ram_user_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id
Alert title: Cloud Firewall intelligent defense disabled alert
Alert description: Intelligent defense of Cloud Firewall under account ${account_id} was disabled. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_cfw_auto_pt_off
Alert rule name: Cloud Firewall automatic protection for new assets disabled alert
Description: The alert fires when the Cloud Firewall switch that automatically protects newly added assets is turned off. Checked every 15 minutes against events from the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: SetAutoProtectNewAssets | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.AutoProtect') as boolean) as autoProtect, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE autoProtect = false group by account_id, ram_user_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id
Alert title: Cloud Firewall automatic protection for new assets disabled alert
Alert description: The Cloud Firewall switch that automatically protects newly added assets under account ${account_id} was turned off. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_cfw_pt_off
Alert rule name: Cloud Firewall protection for an asset disabled alert
Description: The alert fires when Cloud Firewall protection for a specific asset is disabled. Checked every 15 minutes against events from the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: PutDisableFwSwitch | SELECT account_id, ram_user_id, resourceArray[num] as asset_ip, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::CloudFirewall::Asset') as num, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE num > 0 group by account_id, ram_user_id, asset_ip limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id, asset_ip
Alert title: Cloud Firewall protection for an asset disabled alert
Alert description: Cloud Firewall protection for the asset (instance IP: ${asset_ip}) under account ${account_id} was disabled. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_cfw_baisc_off
Alert rule name: Cloud Firewall basic protection disabled alert
Description: The alert fires when the basic protection rules of Cloud Firewall are disabled. Checked every 15 minutes against events from the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: ModifyDefaultIPSConfig | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.BasicRules') as varchar) as basicRules, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE basicRules = '0' group by account_id, ram_user_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id
Alert title: Cloud Firewall basic protection disabled alert
Alert description: The basic protection rules of Cloud Firewall under account ${account_id} were disabled. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_cfw_log_off
Alert rule name: Cloud Firewall log analysis disabled alert
Description: The alert fires when the log analysis feature of Cloud Firewall is disabled. Checked every 15 minutes against events from the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: ModifySlsDispatchStatus | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.EnableStatus') as boolean) as enableStatus, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE enableStatus = false group by account_id, ram_user_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id
Alert title: Cloud Firewall log analysis disabled alert
Alert description: The log analysis feature of Cloud Firewall under account ${account_id} was disabled. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_cfw_loose_block
Alert rule name: Cloud Firewall threat engine switched to loose block mode alert
Description: The alert fires when the Cloud Firewall threat engine is switched to loose block mode. Checked every 15 minutes against events from the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: ModifyDefaultIPSConfig | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.RuleClass') as varchar) as ruleClass, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE ruleClass = '2' group by account_id, ram_user_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id
Alert title: Cloud Firewall threat engine switched to loose block mode alert
Alert description: The Cloud Firewall threat engine under account ${account_id} was switched to loose block mode. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_cfw_obs_mode
Alert rule name: Cloud Firewall threat engine switched to observation mode alert
Description: The alert fires when the Cloud Firewall threat engine is switched to observation mode. Checked every 15 minutes against events from the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: ModifyDefaultIPSConfig | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.RunMode') as varchar) as runMode, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE runMode = '0' group by account_id, ram_user_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id
Alert title: Cloud Firewall threat engine switched to observation mode alert
Alert description: The Cloud Firewall threat engine under account ${account_id} was switched to observation mode. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_cfw_patch_off
Alert rule name: Cloud Firewall virtual patching disabled alert
Description: The alert fires when virtual patching of Cloud Firewall is disabled. Checked every 15 minutes against events from the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: ModifyDefaultIPSConfig | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.PatchRules') as varchar) as patchRules, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE patchRules = '0' group by account_id, ram_user_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id
Alert title: Cloud Firewall virtual patching disabled alert
Alert description: Virtual patching of Cloud Firewall under account ${account_id} was disabled. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_cfw_ti_off
Alert rule name: Cloud Firewall threat intelligence disabled alert
Description: The alert fires when threat intelligence of Cloud Firewall is disabled. Checked every 15 minutes against events from the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.serviceName: Cloudfw and event.eventName: ModifyDefaultIPSConfig | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, cast(json_extract("event.requestParameterJson", '$.CtiRules') as varchar) as ctiRules, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE ctiRules = '0' group by account_id, ram_user_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id
Alert title: Cloud Firewall threat intelligence disabled alert
Alert description: Threat intelligence of Cloud Firewall under account ${account_id} was disabled. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_cfw_conf_change
Alert rule name: VPC firewall access control policy change alert
Description: Checked every 15 minutes. The alert fires when a VPC firewall access control policy was created, deleted, or modified in the past 30 minutes.
Query statement: event.serviceName: Cloudfw and (event.eventName: CreateVpcFirewallControlPolicy or event.eventName:DeleteVpcFirewallControlPolicy or event.eventName: ModifyVpcFirewallControlPolicy) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary(case when "event.userIdentity.type"='root-account' then '阿里云主账号' when "event.userIdentity.type"='ram-user' then 'RAM用户' when "event.userIdentity.type"='assumed-role' then 'RAM角色' when "event.userIdentity.type"='system' then '阿里云服务' else "event.userIdentity.type" end) as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id, event_name
Alert title: VPC firewall access control policy changed under account ${account_id}
Alert description: A VPC firewall access control policy under account ${account_id} was changed. Change type: ${event_name}. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_ecs_snp_off
Alert rule name: ECS automatic snapshot policy disabled alert
Description: Checked every 15 minutes. The alert fires when an automatic snapshot policy was disabled in the past 30 minutes. ECS disks should be backed up automatically by an automatic snapshot policy, so disabling the policy triggers the alert.
Query statement: event.serviceName: Ecs and event.eventName: CancelAutoSnapshotPolicy | SELECT account_id, ram_user_id, resourceArray[num] as disk_ids, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Disk') as num, case when "event.userIdentity.type"='root-account' then '阿里云主账号' when "event.userIdentity.type"='ram-user' then 'RAM用户' when "event.userIdentity.type"='assumed-role' then 'RAM角色' when "event.userIdentity.type"='system' then '阿里云服务' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name, "event.acsRegion" as region_id FROM log) where num > 0 group by account_id, ram_user_id, disk_ids limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id, disk_ids
Alert title: ECS disk automatic snapshot policy disabled alert
Alert description: The automatic snapshot policy of disk ${disk_ids} under account ${account_id} was disabled. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_disk_encry_detc
Alert rule name: ECS disk encryption not enabled alert
Description: Encryption should be enabled when an ECS disk is created; otherwise the alert fires. Checked every 15 minutes; the alert fires when an unencrypted ECS disk was created in the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.serviceName: Ecs and (event.eventName: CreateDisks or event.eventName: CreateDisk)| SELECT account_id, ram_user_id, resourceArray[num] as disk_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Disk') as num, cast(json_extract("event.requestParameterJson", '$.Encrypted') as boolean) as encrypted, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE num > 0 and encrypted = false group by account_id, ram_user_id, disk_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id, disk_id
Alert title: ECS disk encryption not enabled alert
Alert description: Disk ${disk_id} under account ${account_id} was created without encryption enabled. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_ecs_disk_reinit
Alert rule name: ECS disk re-initialization alert
Description: Checked every 15 minutes. The alert fires when an ECS disk re-initialization event occurred in the past 30 minutes.
Query statement: event.serviceName: Ecs and event.eventName: ReInitDisk and event.eventRW: Write and event.resourceType : "ACS::ECS::Disk" | SELECT account_id, ram_user_id , resourceArray[num] as disk_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Disk') as num, case when "event.userIdentity.type"='root-account' then '阿里云主账号' when "event.userIdentity.type"='ram-user' then 'RAM用户' when "event.userIdentity.type"='assumed-role' then 'RAM角色' when "event.userIdentity.type"='system' then '阿里云服务' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name, "event.acsRegion" as region_id FROM log) where num > 0 group by account_id, ram_user_id, disk_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id, disk_id
Alert title: ECS disk re-initialization alert
Alert description: ECS disk ${disk_id} (region: ${region_id}) under account ${account_id} was re-initialized; check whether this poses a risk. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_ecs_disk_release
Alert rule name: ECS disk release alert
Description: Checked every 15 minutes. The alert fires when an ECS disk was released in the past 30 minutes.
Query statement: event.serviceName: Ecs and event.eventName: DeleteDisk and event.eventRW: Write and event.resourceType : "ACS::ECS::Disk" | SELECT account_id, ram_user_id, resourceArray[num] as disk_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Disk') as num, case when "event.userIdentity.type"='root-account' then '阿里云主账号' when "event.userIdentity.type"='ram-user' then 'RAM用户' when "event.userIdentity.type"='assumed-role' then 'RAM角色' when "event.userIdentity.type"='system' then '阿里云服务' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name, "event.acsRegion" as region_id FROM log) where num > 0 group by account_id, ram_user_id, disk_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id, disk_id
Alert title: ECS disk release alert
Alert description: ECS disk ${disk_id} (region: ${region_id}) under account ${account_id} was released; check whether this poses a risk. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_ecs_force_reboot
Alert rule name: ECS instance forced restart alert
Description: The alert fires when an ECS instance is forcibly restarted. Checked every 15 minutes; the alert fires when a forced restart of an ECS instance occurred in the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.serviceName: Ecs and (event.eventName: RebootInstances or event.eventName: RebootInstance) | SELECT account_id, ram_user_id, resourceArray[num] as instance_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id FROM ( SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Instance') as num, cast(json_extract("event.requestParameterJson", '$.ForceReboot') as boolean) as force_reboot, cast(json_extract("event.requestParameterJson", '$.ForceStop') as boolean) as force_stop, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name, "event.acsRegion" as region_id FROM log) WHERE num > 0 and (force_reboot = true or force_stop =true) group by account_id, ram_user_id, instance_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id, instance_id
Alert title: ECS instance forced restart alert
Alert description: ECS instance ${instance_id} (region: ${region_id}) under account ${account_id} was forcibly restarted; check whether this poses a risk. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_ecs_reboot_alot
Alert rule name: ECS instance excessive restarts alert
Description: Checked every 15 minutes. The alert fires when an ECS instance was restarted too many times in the past 30 minutes. You can set the threshold in the alert rule parameters.
Query statement: event.serviceName: Ecs and (event.eventName: RebootInstances or event.eventName: RebootInstance) | SELECT account_id, resourceArray[num] as instance_id, arbitrary(region_id) as region_id, count(*) as cnt FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Instance') as num, "event.acsRegion" as region_id FROM log) where num > 0 group by account_id, instance_id limit 10000
Trigger condition: Data matched: cnt > {{threshold}}
Group evaluation: Custom labels: account_id, instance_id
Alert title: ECS instance excessive restarts alert
Alert description: ECS instance ${instance_id} (region: ${region_id}) under account ${account_id} was restarted ${cnt} times in the past 30 minutes; check for anomalies.

Alert rule ID: sls_app_actiontrail_cis_at_ecs_rpo
Alert rule name: ECS instance release protection disabled alert
Description: Checked every 15 minutes. The alert fires when release protection of an ECS instance was disabled in the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.serviceName: Ecs and event.eventName: ModifyInstanceAttribute | SELECT account_id, ram_user_id, resourceArray[num] as instance_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id,split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Instance') as num, "event.userIdentity.type" as user_type,"event.userIdentity.userName" as user_name,"event.acsRegion" as region_id,cast(json_extract("event.requestParameterJson", '$.DeletionProtection') as varchar) as deletion_protection FROM log) WHERE num > 0 and deletion_protection = 'false' group by account_id, ram_user_id, instance_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id, instance_id
Alert title: ECS instance release protection disabled alert
Alert description: Release protection of ECS instance ${instance_id} (region: ${region_id}) under account ${account_id} was disabled; check whether this poses a risk. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_ecs_release
Alert rule name: ECS instance release alert
Description: Checked every 15 minutes. The alert fires when an ECS instance was released in the past 30 minutes.
Query statement: event.serviceName: Ecs and (event.eventName: DeleteInstances or event.eventName: DeleteInstance or event.eventName: Release) and event.eventRW: Write and event.resourceType : "ACS::ECS::Instance" | SELECT account_id, ram_user_id, resourceArray[num] as instance_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::ECS::Instance') as num, case when "event.userIdentity.type"='root-account' then '阿里云主账号' when "event.userIdentity.type"='ram-user' then 'RAM用户' when "event.userIdentity.type"='assumed-role' then 'RAM角色' when "event.userIdentity.type"='system' then '阿里云服务' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name, "event.acsRegion" as region_id FROM log) where num > 0 group by account_id, ram_user_id, instance_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id, instance_id
Alert title: ECS instance release alert
Alert description: ECS instance ${instance_id} (region: ${region_id}) under account ${account_id} was released; check whether this poses a risk. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_off_duty_login
Alert rule name: Off-hours login alert
Description: Checked every minute. The alert fires when a login occurred outside working hours in the past 1 minute. You can define the working and non-working hours in the global calendar.
Query statement: __topic__: actiontrail_audit_event and event.eventName: ConsoleSignin and (not event.errorMessage: * or event.errorMessage: success) | select "event.userIdentity.principalId" as user_id, array_agg(DISTINCT "event.sourceIpAddress") as ip, arbitrary("event.userIdentity.accountId") as account_id, arbitrary("event.userIdentity.userName") as user_name, arbitrary("event.userIdentity.type") as user_type, count(DISTINCT __time__) as cnt group by user_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: user_id
Alert title: Off-hours login alert
Alert description: User ${user_name} (account ID: ${user_id}, account type: ${user_type}) under Alibaba Cloud account ${account_id} logged in ${cnt} times in the past 1 minute. Login IP: ${ip}.

Alert rule ID: sls_app_actiontrail_cis_at_oss_policy_change
Alert rule name: OSS bucket permission change alert
Description: Checked every 15 minutes. The alert fires when the permissions of an OSS bucket were changed in the past 30 minutes.
Query statement: event.serviceName: Oss and (event.eventName: PutBucketLifecycle OR event.eventName: PutBucketPolicy OR event.eventName: PutBucketCors OR event.eventName: PutBucketEncryption OR event.eventName: PutBucketReplication OR event.eventName: DeleteBucketPolicy OR event.eventName: DeleteBucketCors OR event.eventName: DeleteBucketLifecycle OR event.eventName: DeleteBucketEncryption OR event.eventName: DeleteBucketReplication) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary(case when "event.userIdentity.type"='root-account' then '阿里云主账号' when "event.userIdentity.type"='ram-user' then 'RAM用户' when "event.userIdentity.type"='assumed-role' then 'RAM角色' when "event.userIdentity.type"='system' then '阿里云服务' else "event.userIdentity.type" end) as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name limit 1000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id, event_name
Alert title: OSS bucket permissions changed under account ${account_id}
Alert description: The permissions of an OSS bucket under account ${account_id} were changed. Change type: ${event_name}. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

Alert rule ID: sls_app_actiontrail_cis_at_pwd_policy_chang
Alert rule name: Password policy modification attempt alert
Description: Checked every 15 minutes. The alert fires when an attempt to modify the password policy occurred in the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and (event.serviceName: Ram or event.serviceName: Ims) and event.eventName: SetPasswordPolicy | select "event.userIdentity.accountId" as account_id, arbitrary("event.userIdentity.principalId") as ram_user_id, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id
Trigger condition: Has data
Group evaluation: Custom labels: account_id
Alert title: Password policy modification attempt alert
Alert description: An attempt to modify the password policy occurred under account ${account_id}. Operator account name: ${user_name}, account type: ${user_type}, account ID: ${ram_user_id}.

Alert rule ID: sls_app_actiontrail_cis_at_pwd_reset
Alert rule name: Password reset event alert
Description: Checked every 15 minutes. The alert fires when a password reset event occurred in the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and (event.serviceName: Ram or event.serviceName: Ims) and event.eventName: ChangePassword | select "event.userIdentity.accountId" as account_id, arbitrary("event.userIdentity.principalId") as ram_user_id, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id
Trigger condition: Has data
Group evaluation: Custom labels: account_id
Alert title: Password reset event alert
Alert description: A password reset event occurred under account ${account_id}. Account name that performed the reset: ${user_name}, account type: ${user_type}, account ID: ${ram_user_id}.

Alert rule ID: sls_app_audit_cis_at_pwd_expire_policy
Alert rule name: RAM password expiration policy misconfiguration alert
Description: According to the Alibaba Cloud CIS benchmark, the password validity period in the RAM password policy should be no more than 90 days (configurable in the alert rule parameters). Checked every 15 minutes; the alert fires when the RAM password policy was set with an overly long validity period in the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.eventName: SetPasswordPolicy | SELECT arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id, account_id, ram_user_id, count(1) as cnt FROM ( SELECT cast(json_extract("event.requestParameterJson", '$.MaxPasswordAge') as bigint) as user_max_pwd_age, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name, "event.userIdentity.principalId" as ram_user_id, "event.acsRegion" as region_id, "event.userIdentity.accountId" as account_id FROM log ) WHERE user_max_pwd_age > {{max_pwd_age}} or user_max_pwd_age = 0 group by account_id, ram_user_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id
Alert title: Abnormal RAM password expiration policy for Alibaba Cloud account ${account_id}
Alert description: The RAM password expiration policy of account ${account_id} was set abnormally. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}. Number of abnormal changes: ${cnt}. Abnormal setting: the password validity period in the password policy is too long, exceeding the preset threshold of {{max_pwd_age}} days.

Alert rule ID: sls_app_audit_cis_at_pwd_length_policy
Alert rule name: RAM password length policy misconfiguration alert
Description: The minimum password length in the RAM password policy must not be less than 14 (configurable in the alert rule parameters); otherwise the alert fires. Checked every 15 minutes against data from the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.eventName: SetPasswordPolicy | SELECT arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id, account_id, ram_user_id, count(1) as cnt FROM ( SELECT cast(json_extract("event.requestParameterJson", '$.MinimumPasswordLength') as bigint) as user_min_pwd_len, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name, "event.userIdentity.principalId" as ram_user_id, "event.acsRegion" as region_id, "event.userIdentity.accountId" as account_id FROM log ) WHERE user_min_pwd_len < {{min_pwd_len}} or user_min_pwd_len = 0 group by account_id, ram_user_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id
Alert title: RAM password length policy misconfiguration alert
Alert description: The RAM password length policy of account ${account_id} was set abnormally. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}. Number of abnormal changes: ${cnt}. Abnormal setting: the minimum password length in the RAM password policy is too short, below the preset threshold {{min_pwd_len}}.

Alert rule ID: sls_app_actiontrail_cis_at_pwd_login_policy
Alert rule name: RAM password login retry policy misconfiguration alert
Description: According to the Alibaba Cloud CIS benchmark, the RAM password login retry policy must allow no more than 5 login attempts with a wrong password per hour (the threshold is configurable in the alert rule parameters). Checked every 15 minutes; the alert fires when the RAM password policy was set with an overly large number of allowed login retries in the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.eventName: SetPasswordPolicy | SELECT arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id, account_id, ram_user_id, count(1) as cnt FROM ( SELECT cast(json_extract("event.requestParameterJson", '$.MaxLoginAttemps') as bigint) as user_max_login_attemps, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name, "event.userIdentity.principalId" as ram_user_id, "event.acsRegion" as region_id, "event.userIdentity.accountId" as account_id FROM log ) WHERE user_max_login_attemps > {{max_login_attemps}} or user_max_login_attemps = 0 group by account_id, ram_user_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id
Alert title: Abnormal RAM password login retry policy for Alibaba Cloud account ${account_id}
Alert description: The RAM password login retry policy of account ${account_id} was set abnormally. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}. Number of abnormal changes: ${cnt}. Abnormal setting: the number of login attempts with a wrong password allowed per hour is too large, exceeding the preset threshold of {{max_login_attemps}}.

Alert rule ID: sls_app_audit_cis_at_pwd_reuse_policy
Alert rule name: RAM password history check policy misconfiguration alert
Description: The RAM password history check policy forbids reuse of the previous N passwords. You can set the minimum allowed value of N in the alert rule parameters; the alert fires when N is set below that value. Checked every 15 minutes against data from the past 30 minutes.
Query statement: __topic__: actiontrail_audit_event and event.eventName: SetPasswordPolicy | SELECT arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, arbitrary(region_id) as region_id, account_id, ram_user_id, count(1) as cnt FROM ( SELECT cast(json_extract("event.requestParameterJson", '$.PasswordReusePrevention') as bigint) as user_max_reuse_prevention, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name, "event.userIdentity.principalId" as ram_user_id, "event.acsRegion" as region_id, "event.userIdentity.accountId" as account_id FROM log ) WHERE user_max_reuse_prevention < {{max_reuse_prevention}} or user_max_reuse_prevention = 0 group by account_id, ram_user_id limit 10000
Trigger condition: Has data
Group evaluation: Custom labels: account_id, ram_user_id
Alert title: RAM password history check policy misconfiguration alert
Alert description: The RAM password history check policy of account ${account_id} was set abnormally. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}. Number of abnormal changes: ${cnt}. Abnormal setting: the value of N in "forbid reuse of the previous N passwords" is too small, below the preset threshold {{max_reuse_prevention}}.

Alert rule ID: sls_app_actiontrail_cis_at_ram_auth_change
Alert rule name: RAM permission change alert
Description: Checked every 15 minutes against data from the past 30 minutes. The alert fires when RAM permissions are changed.
Query statement: __topic__: actiontrail_audit_event and ((event.serviceName: ResourceManager and (event.eventName: AttachPolicy or event.eventName: DetachPolicy )) or event.serviceName: Ram and (event.eventName: AttachPolicyToUser or event.eventName: AttachPolicyToGroup or event.eventName: AttachPolicyToRole or event.eventName: DetachPolicyFromUser or event.eventName: DetachPolicyFromGroup or event.eventName: DetachPolicyFromRole)) | SELECT array_agg(distinct event_name) as event_name, count(1) as cnt, json_extract(requestParameterJson, '$.PolicyName') as policy_name, principal_type, account_id, json_extract(requestParameterJson, concat('$.', principal_name_field)) as principal_name from (SELECT "event.requestParameterJson" as requestParameterJson, "event.userIdentity.accountId" as account_id, "event.eventName" as event_name, CASE WHEN "event.eventName" like '%PolicyToRole' THEN 'RoleName' WHEN "event.eventName" like '%PolicyFromGroup' THEN 'GroupName' WHEN "event.eventName" like '%PolicyToUser' THEN 'UserName' ELSE 'PrincipalName' END AS principal_name_field, CASE WHEN "event.eventName" like '%PolicyToRole' THEN 'ServiceRole' WHEN "event.eventName" like '%PolicyFromGroup' THEN 'IMSGroup' WHEN "event.eventName" like '%PolicyToUser' THEN 'IMSUser' ELSE cast(json_extract("event.requestParameterJson", '$.PrincipalType') as varchar) END AS principal_type FROM log) group by policy_name, principal_name, account_id,principal_type limit 1000
Trigger condition: Data matched: cnt > 0
Group evaluation: Custom labels: account_id, principal_name, principal_type, policy_name
Alert title: RAM permission change alert
Alert description: Alibaba Cloud account ID: ${account_id}, RAM principal type: ${principal_type}, RAM user/role name: ${principal_name}, RAM policy name: ${policy_name}, change operation: ${event_name}, number of changes: ${cnt}.

Alert rule ID: sls_app_actiontrail_cis_at_mfa_login
Alert rule name: RAM user login without MFA alert
Description: Checked every 15 minutes against data from the past 30 minutes. The alert fires when a RAM user logged in without MFA.
Query statement: __topic__: actiontrail_audit_event and event.eventName: ConsoleSignin and event.userIdentity.type: ram-user and event.additionalEventData.mfaChecked: false and (event.errorCode: null or not event.errorCode : *) | select "event.userIdentity.accountId" as root_account_id, "event.userIdentity.principalId" as ram_account_id, arbitrary("event.userIdentity.userName") as ram_account_name, count(1) as cnt group by root_account_id, ram_account_id limit 1000
Trigger condition: Data matched: cnt > 0
Group evaluation: Custom labels: root_account_id, ram_account_id
Alert title: RAM user login without MFA alert
Alert description: RAM user ${ram_account_id} (username: ${ram_account_name}) under Alibaba Cloud account ${root_account_id} logged in to the console without MFA ${cnt} times in the past 30 minutes.

sls_app_actiontrail_cis_at_ram_policy_change

RAM策略变更告警

每15分钟检查一次,检查过去30分钟的数据。RAM策略发生变更后会触发告警。

(event.serviceName: ResourceManager or event.serviceName: Ram) and (event.eventName: CreatePolicy or event.eventName: DeletePolicy or event.eventName: CreatePolicyVersion or event.eventName: UpdatePolicyVersion or event.eventName: SetDefaultPolicyVersion or event.eventName: DeletePolicyVersion) | select account_id, ram_user_id, event_name, resourceArray[num] as policy_name, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM (SELECT "event.userIdentity.accountId" as account_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::RAM::Policy') as num, "event.eventName" as event_name, "event.userIdentity.principalId" as ram_user_id, case when "event.userIdentity.type"='root-account' then '阿里云主账号' when "event.userIdentity.type"='ram-user' then 'RAM用户' when "event.userIdentity.type"='assumed-role' then 'RAM角色' when "event.userIdentity.type"='system' then '阿里云服务' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name FROM log) where num > 0 group by account_id, ram_user_id, event_name, policy_name limit 5000\n

Data matched

Custom labels: account_id, ram_user_id, event_name, policy_name

Title: RAM policy change in account ${account_id}

Description: A RAM policy in account ${account_id} was changed. RAM policy name: ${policy_name}, change type: ${event_name}. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

sls_app_actiontrail_cis_at_rds_whitelist

RDS instance IP whitelist misconfiguration alert

The IP whitelist of an RDS instance must not be set to 0.0.0.0; doing so triggers the alert. Checks every 15 minutes; the trigger condition is that a whitelist modification of this kind was made on an RDS instance in the past 30 minutes.

__topic__: actiontrail_audit_event and event.serviceName: Rds and event.eventName: ModifySecurityIps | SELECT account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name, resourceArray[db_num] as db_instance_id, arbitrary(security_ips) as security_ips FROM ( SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name, split("event.resourceName", ';') as resourceArray, cast(json_extract("event.requestParameterJson", '$.SecurityIps') as varchar) as security_ips, array_position(split("event.resourceType", ';'), 'ACS::RDS::DBInstance') as db_num FROM log ) WHERE security_ips like '%0.0.0.0%' and db_num > 0 group by account_id, ram_user_id, db_instance_id limit 10000

Data matched

Custom labels: account_id, ram_user_id, db_instance_id

Title: RDS instance IP whitelist misconfiguration alert

Description: The IP whitelist of RDS instance ${db_instance_id} under account ${account_id} was opened to ${security_ips}; check whether this poses a risk. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.
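Two mechanics of this query deserve a worked illustration: the way `resourceArray[num]` pairs the ';'-separated resourceName list with the position of 'ACS::RDS::DBInstance' in the parallel resourceType list, and what the substring test `like '%0.0.0.0%'` actually matches. The following is an added Python example (not Alibaba Cloud's code) that reproduces both on constructed events and, in a second mode, replaces the substring test with an exact match on whitelist entries. The instance IDs, account IDs, the second resource type name and the parameter values are constructed; the SecurityIps parameter is assumed to arrive as a comma-separated string inside requestParameterJson, as the query's json_extract implies.

```python
import json


def rds_event(instance_id, security_ips, resource_types="ACS::RDS::DBInstance",
              resource_names=None, event_name="ModifySecurityIps"):
    """Build a constructed ActionTrail-like event (sample data, not a real record)."""
    return {
        "serviceName": "Rds",
        "eventName": event_name,
        "resourceType": resource_types,
        "resourceName": resource_names or instance_id,
        "requestParameterJson": json.dumps({"DBInstanceId": instance_id, "SecurityIps": security_ips}),
        "userIdentity": {"accountId": "1234567890123456", "principalId": "211100000000000001",
                         "type": "ram-user", "userName": "alice"},
    }


SAMPLE_EVENTS = [
    # Whitelist opened to the whole Internet: a finding under either matching mode.
    rds_event("rm-example01", "0.0.0.0/0"),
    # Private ranges only, but the DBInstance entry sits second in the resource lists
    # (constructed ordering, with a constructed first type name) to exercise the position mapping.
    rds_event("rm-example02", "10.0.0.0/8,192.168.1.10",
              resource_types="ACS::RDS::Database;ACS::RDS::DBInstance",
              resource_names="db1;rm-example02"),
    # Narrow whitelist: no finding either way.
    rds_event("rm-example03", "192.168.1.0/24"),
    # A different API on the same instance: out of scope for this rule.
    rds_event("rm-example01", "0.0.0.0/0", event_name="DescribeDBInstances"),
]


def resource_of_type(event, wanted_type):
    """Return the resourceName entry at the position where wanted_type appears in
    resourceType, i.e. the query's array_position(...) / resourceArray[num] idiom.
    None when the type is absent, which is the query's 'num > 0' filter."""
    types = (event.get("resourceType") or "").split(";")
    names = (event.get("resourceName") or "").split(";")
    if wanted_type not in types:
        return None
    idx = types.index(wanted_type)
    return names[idx] if idx < len(names) else None


def security_ips(event):
    """json_extract("event.requestParameterJson", '$.SecurityIps') cast to a string."""
    params = json.loads(event.get("requestParameterJson") or "{}")
    return str(params.get("SecurityIps", ""))


def opens_to_world(ips, strict):
    """strict=False is the page's LIKE '%0.0.0.0%'; strict=True matches whole entries."""
    if not strict:
        return "0.0.0.0" in ips
    entries = [e.strip() for e in ips.split(",")]
    return any(e in ("0.0.0.0", "0.0.0.0/0") for e in entries)


def open_whitelist_changes(events, strict=False):
    """One row per (account_id, ram_user_id, db_instance_id), as in the query's GROUP BY."""
    rows = {}
    for ev in events:
        if ev.get("serviceName") != "Rds" or ev.get("eventName") != "ModifySecurityIps":
            continue
        instance = resource_of_type(ev, "ACS::RDS::DBInstance")
        ips = security_ips(ev)
        if instance is None or not opens_to_world(ips, strict):
            continue
        ident = ev.get("userIdentity", {})
        key = (ident.get("accountId"), ident.get("principalId"), instance)
        rows.setdefault(key, {"account_id": key[0], "ram_user_id": key[1], "db_instance_id": instance,
                              "user_type": ident.get("type"), "user_name": ident.get("userName"),
                              "security_ips": ips})
    return list(rows.values())


if __name__ == "__main__":
    print("substring mode:", [r["db_instance_id"] for r in open_whitelist_changes(SAMPLE_EVENTS)])
    print("exact mode:    ", [r["db_instance_id"] for r in open_whitelist_changes(SAMPLE_EVENTS, strict=True)])
```

In substring mode rm-example02 is reported as well, because "10.0.0.0/8" contains the characters "0.0.0.0"; the page's query shares that behaviour, so a whitelist made of private 10.0.0.0/8 entries will raise this alert. Exact matching reports only rm-example01. Whether to tighten the condition is a tuning decision for the custom-rule path mentioned at the top of the page; the built-in rule is shown as is.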

sls_app_actiontrail_cis_at_rds_conf_change

RDS instance configuration change alert

Checks every 15 minutes; the trigger condition is that an RDS instance configuration change event occurred in the past 30 minutes.

event.serviceName: Rds AND (event.eventName: ModifyHASwitchConfig OR event.eventName: ModifyDBInstanceHAConfig OR event.eventName: SwitchDBInstanceHA OR event.eventName: ModifyDBInstanceSpec OR event.eventName: MigrateSecurityIPMode OR event.eventName: ModifySecurityIps OR event.eventName: ModifyDBInstanceSSL OR event.eventName: MigrateToOtherZone OR event.eventName: UpgradeDBInstanceKernelVersion OR event.eventName: UpgradeDBInstanceEngineVersion OR event.eventName: ModifyDBInstanceMaintainTime OR event.eventName: ModifyDBInstanceAutoUpgradeMinorVersion OR event.eventName: AllocateInstancePublicConnection OR event.eventName: ModifyDBInstanceConnectionString OR event.eventName: ModifyDBInstanceNetworkExpireTime OR event.eventName: ReleaseInstancePublicConnection OR event.eventName: SwitchDBInstanceNetType OR event.eventName: ModifyDBInstanceNetworkType OR event.eventName: ModifyDBInstanceSSL OR event.eventName: ModifyDTCSecurityIpHostsForSQLServer OR event.eventName: ModifySecurityGroupConfiguration OR event.eventName: CreateBackup OR event.eventName: ModifyBackupPolicy OR event.eventName: DeleteBackup OR event.eventName: CreateDdrInstance OR event.eventName: ModifyInstanceCrossBackupPolicy OR event.eventName :ModifySQLCollectorPolicy OR event.eventName:ModifyDBInstanceTDE ) | SELECT account_id, resourceArray[num] as db_instance_id, event_name, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM (SELECT "event.userIdentity.accountId" as account_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::RDS::DBInstance') as num, "event.eventName" as event_name, "event.userIdentity.principalId" as ram_user_id, case when "event.userIdentity.type"='root-account' then '阿里云主账号' when "event.userIdentity.type"='ram-user' then 'RAM用户' when "event.userIdentity.type"='assumed-role' then 'RAM角色' when "event.userIdentity.type"='system' then '阿里云服务' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name FROM log) where num > 0 group by account_id,ram_user_id, db_instance_id, event_name limit 10000

Data matched

Custom labels: account_id, ram_user_id, db_instance_id, event_name

Title: RDS instance configuration change alert

Description: The configuration of RDS instance ${db_instance_id} under account ${account_id} was changed, change type: ${event_name}. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

sls_app_actiontrail_cis_at_rds_sql_audit

RDS instance SQL Explorer disabled alert

SQL Explorer (SQL洞察) should stay enabled on RDS instances; disabling it triggers the alert. Checks every 15 minutes; the trigger condition is that an operation disabling RDS SQL Explorer occurred in the past 30 minutes.

__topic__: actiontrail_audit_event and event.serviceName: Rds and event.eventName: ModifySQLCollectorPolicy | SELECT account_id, resourceArray[db_num] as db_instance_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::RDS::DBInstance') as db_num, cast(json_extract("event.requestParameterJson", '$.SQLCollectorStatus') as varchar) as status, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE db_num > 0 and status = 'Disabled' group by account_id, ram_user_id, db_instance_id limit 10000

Data matched

Custom labels: account_id, ram_user_id, db_instance_id

Title: RDS instance SQL Explorer disabled alert

Description: SQL Explorer was disabled on RDS instance ${db_instance_id} under account ${account_id}; check whether this poses a risk. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

sls_app_actiontrail_cis_at_rds_ssl_config

RDS instance SSL disabled alert

SSL should stay enabled on RDS instances; disabling it triggers the alert. Checks every 15 minutes; the trigger condition is that an operation disabling SSL on an RDS instance occurred in the past 30 minutes.

__topic__: actiontrail_audit_event and event.serviceName: Rds and event.eventName: ModifyDBInstanceSSL | SELECT account_id, resourceArray[db_num] as db_instance_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( SELECT "event.userIdentity.accountId" as account_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::RDS::DBInstance') as db_num, cast(json_extract("event.requestParameterJson", '$.SSLEnabled') as varchar) as sslEnabled, "event.userIdentity.principalId" as ram_user_id, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE db_num > 0 and sslEnabled = '0' group by account_id, ram_user_id, db_instance_id limit 10000

Data matched

Custom labels: account_id, ram_user_id, db_instance_id

Title: RDS instance SSL disabled alert

Description: SSL was disabled on RDS instance ${db_instance_id} under account ${account_id}; check whether this poses a risk. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

sls_app_actiontrail_cis_at_root_ak_usage

Root AK usage detection

Checks every 15 minutes; the trigger condition is that the past 30 minutes contain usage records of an AccessKey of the root account. The root account must not create or use AccessKeys; doing so triggers the alert.

__topic__: actiontrail_audit_event and event.userIdentity.type: root-account and event.userIdentity.accessKeyId: * and not event.userIdentity.accessKeyId: NULL | select date_format(min(__time__), '%Y-%m-%d %H:%i:%S') as min_time, date_format(max(__time__), '%Y-%m-%d %H:%i:%S') as latest_time, "event.userIdentity.accountId" as account_id, "event.userIdentity.accessKeyId" as access_key_id, sum(case when "event.errorCode" is NULL or "event.errorCode" = '' then 1 else 0 end) as success_cnt, sum(case when "event.errorCode" is NULL or "event.errorCode" = '' then 0 else 1 end) as fail_cnt group by account_id, access_key_id limit 10000

Data matched, success_cnt > 0

Custom labels: account_id, access_key_id

Title: Root user ${account_id} used root AccessKey ${access_key_id}

Description: Root user ${account_id} used root AccessKey ${access_key_id}: ${success_cnt} successful calls, ${fail_cnt} failed calls, latest at ${latest_time}, earliest at ${min_time}
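The aggregation this query performs, re-implemented over constructed events as an added Python example (not Alibaba Cloud's code): it keeps only root-account events that carry a real accessKeyId, splits them into success and failure counts on the same errorCode test the query uses, tracks the earliest and latest timestamp per (account, key), and then applies the trigger condition success_cnt > 0. The AccessKey IDs, account ID, event names, the error code value and the epoch timestamps are constructed; __time__ is assumed to be epoch seconds and is rendered in UTC, whereas date_format in the real rule follows the project's time zone.

```python
from datetime import datetime, timezone

ROOT_AK = "LTAI-EXAMPLE-ROOT-KEY"   # constructed placeholder, not a real AccessKey ID
RAM_AK = "LTAI-EXAMPLE-RAM-KEY"     # constructed placeholder


def ev(ts, identity, event_name, error_code=None):
    """Constructed ActionTrail-like event (sample data, not a real record)."""
    record = {"__time__": ts, "eventName": event_name, "userIdentity": identity}
    if error_code is not None:
        record["errorCode"] = error_code
    return record


ROOT = {"type": "root-account", "accountId": "1234567890123456", "accessKeyId": ROOT_AK}
ROOT_CONSOLE = {"type": "root-account", "accountId": "1234567890123456"}   # no key: console sign-in
RAM = {"type": "ram-user", "accountId": "1234567890123456",
       "principalId": "211100000000000001", "accessKeyId": RAM_AK}

SAMPLE_EVENTS = [
    ev(1700000000, ROOT, "DescribeInstances"),                    # success
    ev(1700000300, ROOT, "ListBuckets", error_code="Forbidden"),  # failure (constructed code)
    ev(1700000600, ROOT, "DescribeInstances"),                    # success, latest
    ev(1700000700, ROOT_CONSOLE, "ConsoleSignin"),                # no AccessKey: ignored
    ev(1700000800, RAM, "DescribeInstances"),                     # RAM user key: out of scope
]


def fmt(ts):
    """Same layout as date_format(..., '%Y-%m-%d %H:%i:%S'); UTC is assumed here."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def root_ak_usage(events):
    """One row per (account_id, access_key_id) with the query's six output columns."""
    stats = {}
    for e in events:
        ident = e.get("userIdentity", {})
        ak = ident.get("accessKeyId")
        # 'accessKeyId: * and not accessKeyId: NULL': a real key must be present.
        if ident.get("type") != "root-account" or not ak or ak == "NULL":
            continue
        key = (ident.get("accountId"), ak)
        s = stats.setdefault(key, {"account_id": key[0], "access_key_id": ak,
                                   "success_cnt": 0, "fail_cnt": 0, "min_ts": None, "max_ts": None})
        # errorCode NULL or '' counts as success, anything else as failure.
        if e.get("errorCode"):
            s["fail_cnt"] += 1
        else:
            s["success_cnt"] += 1
        ts = e["__time__"]
        s["min_ts"] = ts if s["min_ts"] is None else min(s["min_ts"], ts)
        s["max_ts"] = ts if s["max_ts"] is None else max(s["max_ts"], ts)
    return [
        {"account_id": s["account_id"], "access_key_id": s["access_key_id"],
         "success_cnt": s["success_cnt"], "fail_cnt": s["fail_cnt"],
         "min_time": fmt(s["min_ts"]), "latest_time": fmt(s["max_ts"])}
        for s in stats.values()
    ]


def triggered(rows):
    """Trigger condition of the rule: success_cnt > 0. Failed attempts alone do not fire."""
    return [r for r in rows if r["success_cnt"] > 0]


if __name__ == "__main__":
    for r in triggered(root_ak_usage(SAMPLE_EVENTS)):
        print(f"Root user {r['account_id']} used root AccessKey {r['access_key_id']}: "
              f"{r['success_cnt']} successful, {r['fail_cnt']} failed, "
              f"latest {r['latest_time']}, earliest {r['min_time']}")
```

Note the consequence of the trigger condition: a root key that is only ever rejected (fail_cnt > 0, success_cnt = 0) is still reported in the query output but does not raise this alert; the fail_cnt column exists to enrich the message, not to trigger it.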

sls_app_actiontrail_cis_at_root_login

Root user console login frequency control

Root user logins must not be too frequent. Checks every 15 minutes; the trigger condition is more than 5 logins (configurable in the rule parameters) within 30 minutes.

__topic__: actiontrail_audit_event and event.eventName: ConsoleSignin and event.userIdentity.type: root-account | select "event.userIdentity.accountId" as account_id, count(1) as cnt group by account_id limit 10000

Data matched, cnt > {{root_login_times_per_day}}

Custom labels: account_id

Title: Root user of account ${account_id} logged on too frequently in the past 30 minutes

Description: Account ${account_id} logged on as the root user ${cnt} times in the past 30 minutes, exceeding the configured threshold {{root_login_times_per_day}}

sls_app_actiontrail_cis_at_sas_webshell_detec

Security Center web tamper-proofing protection disabled alert

Security Center web tamper-proofing protection should stay enabled on servers; disabling it triggers the alert. Checks every 15 minutes over the events of the past 30 minutes.

__topic__: actiontrail_audit_event and event.serviceName: aegis and event.eventName: ModifyWebLockStatus | SELECT account_id, ram_user_id, uuid, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( SELECT "event.userIdentity.accountId" as account_id, cast(json_extract("event.requestParameterJson", '$.Uuid') as varchar) as uuid, cast(json_extract("event.requestParameterJson", '$.Status') as varchar) as status, "event.userIdentity.principalId" as ram_user_id, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) WHERE status = 'off' group by account_id, ram_user_id, uuid limit 10000

Data matched

Custom labels: account_id, ram_user_id, uuid

Title: Security Center web tamper-proofing protection disabled alert

Description: Security Center web tamper-proofing protection was disabled on the server (uuid: ${uuid}) under account ${account_id}. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

sls_app_actiontrail_cis_at_sas_webshell_unbind

Security Center web tamper-proofing protection unbind alert

Unbinding a server from Security Center web tamper-proofing protection triggers the alert. Checks every 15 minutes over the events of the past 30 minutes.

__topic__: actiontrail_audit_event and event.serviceName: aegis and event.eventName: ModifyWebLockUnbind | SELECT account_id, ram_user_id, uuid, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM ( SELECT "event.userIdentity.accountId" as account_id, cast(json_extract("event.requestParameterJson", '$.Uuid') as varchar) as uuid, "event.userIdentity.principalId" as ram_user_id, "event.userIdentity.type" as user_type, "event.userIdentity.userName" as user_name FROM log) group by account_id, ram_user_id, uuid limit 10000

Data matched

Custom labels: account_id, ram_user_id, uuid

Title: Security Center web tamper-proofing protection unbind alert

Description: The server (uuid: ${uuid}) under account ${account_id} was unbound from Security Center web tamper-proofing protection. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

sls_app_actiontrail_cis_at_securitygroup_change

Security group configuration change alert

Checks every 15 minutes; the trigger condition is that a security group configuration change event occurred in the past 30 minutes.

event.serviceName: Ecs and (event.eventName: CreateSecurityGroup OR event.eventName: AuthorizeSecurityGroup OR event.eventName: AuthorizeSecurityGroupEgress OR event.eventName: RevokeSecurityGroup OR event.eventName: RevokeSecurityGroupEgress OR event.eventName: JoinSecurityGroup OR event.eventName: LeaveSecurityGroup OR event.eventName: DeleteSecurityGroup OR event.eventName: ModifySecurityGroupPolicy OR event.eventName: ConfigureSecurityGroupPermissions) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary(case when "event.userIdentity.type"='root-account' then '阿里云主账号' when "event.userIdentity.type"='ram-user' then 'RAM用户' when "event.userIdentity.type"='assumed-role' then 'RAM角色' when "event.userIdentity.type"='system' then '阿里云服务' else "event.userIdentity.type" end) as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name limit 5000

Data matched

Custom labels: account_id, ram_user_id, event_name

Title: Security group configuration changed in account ${account_id}

Description: A security group configuration in account ${account_id} was changed, change type: ${event_name}. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

sls_app_actiontrail_cis_at_trail_off

Trail disable attempt alert

Checks every 15 minutes; the trigger condition is that an attempt to disable a trail occurred in the past 30 minutes.

__topic__: actiontrail_audit_event and event.serviceName: Actiontrail and (event.eventName: DeleteTrail or event.eventName: StopLogging) | select "event.userIdentity.accountId" as account_id, arbitrary("event.userIdentity.principalId") as ram_user_id, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id

Data matched

Custom labels: account_id

Title: Trail disable attempt alert

Description: An attempt was made to disable an ActionTrail trail under account ${account_id}. Account name of the operator that attempted it: ${user_name}, account type: ${user_type}, account ID: ${ram_user_id}

sls_app_actiontrail_cis_at_unauth_apicall

Unauthorized API call alert

Checks every 15 minutes; the trigger condition is that the number of unauthorized API calls within 30 minutes exceeds the specified threshold. You can set the threshold in the alert monitoring rule parameters.

event.eventType: ApiCall and (event.errorCode: NoPermission or event.errorCode: NoPermission.* or event.errorCode: Forbidden or event.errorCode: Forbbiden or event.errorCode: Forbidden.* or event.errorCode: InvalidAccessKeyId or event.errorCode: InvalidAccessKeyId.* or event.errorCode: InvalidSecurityToken or event.errorCode: InvalidSecurityToken.* or event.errorCode: SignatureDoesNotMatch or event.errorCode: InvalidAuthorization or event.errorCode: AccessForbidden or event.errorCode: NotAuthorized) | select "event.userIdentity.accountId" as account_id, "event.serviceName" as service_name, "event.sourceIpAddress" as source_ip,count(1) as cnt group by account_id, service_name,source_ip order by cnt desc limit 10000

Data matched, cnt > {{unauth_apicall_times}}

Custom labels: account_id, service_name, source_ip

Title: Too many unauthorized API calls in the past 30 minutes

Description: Source IP ${source_ip} made too many unauthorized API calls (${cnt}) to the ${service_name} service under account ${account_id} in the past 30 minutes.

sls_app_actiontrail_cis_at_unauth_login

Login from unauthorized IP alert

Checks every 15 minutes over the data of the past 30 minutes. A login from an IP address outside the whitelist triggers the alert.

__topic__: actiontrail_audit_event and event.eventName: ConsoleSignin and (not event.errorMessage: * or event.errorMessage: success) | select "event.userIdentity.principalId" as user_id, "event.sourceIpAddress" as ip, arbitrary("event.userIdentity.userName") as user_name, arbitrary("event.userIdentity.type") as user_type, count(DISTINCT __time__) as cnt group by user_id, ip limit 10000

Data matched

Custom labels: user_id, ip

Title: Login from unauthorized IP alert

Description: Source IP ${ip}, which is not in the IP whitelist, logged on to this account ${cnt} times in the past 30 minutes, login user name ${user_name} (id: ${user_id}).
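The query text of this rule selects every successful console sign-in grouped by user and source IP and contains no whitelist comparison of its own, so the "not in the whitelist" part of the description has to be applied against a list supplied to the rule. The following added Python example (not Alibaba Cloud's code) shows the whole check end to end on constructed events: the success filter exactly as the query states it (no errorMessage, or errorMessage equal to success), a CIDR whitelist comparison with the standard ipaddress module, and the count(DISTINCT __time__) semantics, under which two sign-ins logged in the same second count once. The whitelist CIDRs, IP addresses (RFC 5737 documentation ranges), user IDs, names and the failure message are constructed; treating the whitelist as a list of CIDR strings is an assumption of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed whitelist; in the real rule this list is assumed to come from the rule parameters.
WHITELIST_CIDRS = ["198.51.100.0/24", "2001:db8::/32"]


def signin(ts, ip, principal_id, user_name, error_message="success", event_name="ConsoleSignin"):
    """Constructed ActionTrail-like sign-in event (sample data, not a real record)."""
    return {"__time__": ts, "eventName": event_name, "sourceIpAddress": ip,
            "errorMessage": error_message,
            "userIdentity": {"principalId": principal_id, "userName": user_name, "type": "ram-user"}}


SAMPLE_EVENTS = [
    signin(1700000000, "203.0.113.5", "211100000000000001", "alice"),
    signin(1700000000, "203.0.113.5", "211100000000000001", "alice"),   # same second: counted once
    signin(1700000120, "203.0.113.5", "211100000000000001", "alice"),
    signin(1700000200, "198.51.100.7", "211100000000000002", "bob"),    # inside the whitelist
    signin(1700000300, "203.0.113.9", "211100000000000003", "carol",
           error_message="password error"),                              # failed sign-in (constructed text)
    signin(1700000400, "203.0.113.9", "211100000000000003", "carol",
           event_name="DescribeInstances"),                              # not a sign-in at all
]


def successful_signin(event):
    """'event.eventName: ConsoleSignin and (not event.errorMessage: * or event.errorMessage: success)'."""
    msg = event.get("errorMessage")
    return event.get("eventName") == "ConsoleSignin" and (not msg or msg == "success")


def whitelisted(ip, networks):
    """True when ip falls inside any whitelisted network. An unparsable source address is
    reported rather than silently trusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)   # version mismatch simply yields False


def logins_outside_whitelist(events, whitelist_cidrs):
    """One row per (user_id, ip) with cnt = number of distinct __time__ values, as in the query."""
    networks = [ipaddress.ip_network(c, strict=False) for c in whitelist_cidrs]
    seen_times = defaultdict(set)
    who = {}
    for e in events:
        if not successful_signin(e):
            continue
        ip = e.get("sourceIpAddress", "")
        if whitelisted(ip, networks):
            continue
        ident = e.get("userIdentity", {})
        key = (ident.get("principalId"), ip)
        seen_times[key].add(e["__time__"])
        who[key] = (ident.get("userName"), ident.get("type"))
    return [
        {"user_id": uid, "ip": ip, "user_name": who[(uid, ip)][0],
         "user_type": who[(uid, ip)][1], "cnt": len(times)}
        for (uid, ip), times in seen_times.items()
    ]


if __name__ == "__main__":
    for r in logins_outside_whitelist(SAMPLE_EVENTS, WHITELIST_CIDRS):
        print(f"Source IP {r['ip']}, not in the IP whitelist, logged on {r['cnt']} times; "
              f"user {r['user_name']} (id: {r['user_id']})")
```

On the sample data only alice from 203.0.113.5 is reported, with cnt 2 rather than 3 because the first two sign-ins share a timestamp; bob is inside 198.51.100.0/24, carol's attempt failed, and the DescribeInstances call is not a sign-in.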

sls_app_actiontrail_cis_at_vpc_conf_change

VPC general configuration change alert

Checks every 15 minutes; the trigger condition is that a VPC configuration change event occurred in the past 30 minutes.

(event.serviceName: Ecs or event.serviceName: Vpc) and (event.eventName: CreateVpc or event.eventName: DeleteVpc or event.eventName: DisableVpcClassicLink or event.eventName: EnableVpcClassicLink or event.eventName: DeletionProtection or event.eventName: AssociateVpcCidrBlock or event.eventName: UnassociateVpcCidrBlock or event.eventName: RevokeInstanceFromCen or event.eventName: CreateVSwitch or event.eventName: DeleteVSwitch or event.eventName: CreateVSwitch) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary(case when "event.userIdentity.type"='root-account' then '阿里云主账号' when "event.userIdentity.type"='ram-user' then 'RAM用户' when "event.userIdentity.type"='assumed-role' then 'RAM角色' when "event.userIdentity.type"='system' then '阿里云服务' else "event.userIdentity.type" end) as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name limit 5000

Data matched

Custom labels: account_id, ram_user_id, event_name

Title: VPC configuration changed in account ${account_id}

Description: A VPC configuration in account ${account_id} was changed, change type: ${event_name}. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

sls_app_actiontrail_cis_at_vpc_flowlog_off

VPC flow log abnormal change alert

All VPCs should have flow logs enabled; deactivating or deleting a flow log triggers the alert. Checks every 15 minutes over the events of the past 30 minutes.

__topic__: actiontrail_audit_event and event.serviceName: Vpc and (event.eventName: DeactiveFlowLog or event.eventName: DeleteFlowLog) | SELECT "event.userIdentity.accountId" as account_id, cast(json_extract("event.requestParameterJson", '$.FlowLogId') as varchar) as flow_log_id, "event.userIdentity.principalId" as ram_user_id, arbitrary("event.userIdentity.type") as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, flow_log_id limit 10000

Data matched

Custom labels: account_id, ram_user_id, flow_log_id

Title: VPC flow log abnormal change alert

Description: Flow log ${flow_log_id} under account ${account_id} was deactivated or deleted. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

sls_app_actiontrail_cis_at_vpc_route_change

VPC route change alert

Checks every 15 minutes; the trigger condition is that a VPC route configuration change event occurred in the past 30 minutes.

(event.serviceName: Ecs or event.serviceName: Vpc) and (event.eventName: CreateRouteEntry or event.eventName: DeleteRouteEntry or event.eventName: ModifyRouteEntry or event.eventName: AssociateRouteTable or event.eventName: UnassociateRouteTable) | select "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, "event.eventName" as event_name, arbitrary(case when "event.userIdentity.type"='root-account' then '阿里云主账号' when "event.userIdentity.type"='ram-user' then 'RAM用户' when "event.userIdentity.type"='assumed-role' then 'RAM角色' when "event.userIdentity.type"='system' then '阿里云服务' else "event.userIdentity.type" end) as user_type, arbitrary("event.userIdentity.userName") as user_name group by account_id, ram_user_id, event_name limit 5000

Data matched

Custom labels: account_id, ram_user_id, event_name

Title: VPC route configuration changed in account ${account_id}

Description: A VPC route configuration in account ${account_id} was changed, change type: ${event_name}. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

sls_app_actiontrail_cis_at_slb_http

SLB HTTP listener enabled alert

Server Load Balancer (SLB) instances should not accept access over HTTP; only HTTPS should be allowed. Checks every 15 minutes; the trigger condition is that an event enabling HTTP access on an SLB instance occurred in the past 30 minutes.

event.serviceName: Slb and event.eventName: CreateLoadBalancerHTTPListener | SELECT resourceArray[num] as instance_id, account_id, ram_user_id, arbitrary(user_type) as user_type, arbitrary(user_name) as user_name FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, case when "event.userIdentity.type"='root-account' then '阿里云主账号' when "event.userIdentity.type"='ram-user' then 'RAM用户' when "event.userIdentity.type"='assumed-role' then 'RAM角色' when "event.userIdentity.type"='system' then '阿里云服务' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::SLB::LoadBalancer') as num FROM log) where num > 0 group by account_id, ram_user_id, instance_id

Data matched

Custom labels: instance_id, account_id, ram_user_id

Title: SLB HTTP listener enabled alert

Description: HTTP access was enabled on Server Load Balancer (SLB) instance ${instance_id} under account ${account_id}. SLB instances should not accept access over HTTP; only HTTPS should be allowed. Operator account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}.

sls_app_actiontrail_cis_at_rds_instance_del

RDS instance release alert

Checks every 15 minutes; the trigger condition is that an RDS instance release event occurred in the past 30 minutes.

event.serviceName: RDS and (event.eventName: DeleteDBInstance or event.eventName: Release or event.eventName: DestroyDBInstance) | SELECT account_id, resourceArray[num] as instance_id, ram_user_id, user_type, user_name FROM (SELECT "event.userIdentity.accountId" as account_id, "event.userIdentity.principalId" as ram_user_id, split("event.resourceName", ';') as resourceArray, array_position(split("event.resourceType", ';'), 'ACS::RDS::DBInstance') as num, case when "event.userIdentity.type"='root-account' then '阿里云主账号' when "event.userIdentity.type"='ram-user' then 'RAM用户' when "event.userIdentity.type"='assumed-role' then 'RAM角色' when "event.userIdentity.type"='system' then '阿里云服务' else "event.userIdentity.type" end as user_type, "event.userIdentity.userName" as user_name FROM log ) where num > 0

Data matched

Custom labels: account_id, instance_id

Title: RDS database instance release alert

Description: RDS instance ${instance_id} under account ${account_id} was released. Operator account type: ${user_type}, operator account ID: ${ram_user_id}, operator user name: ${user_name}.

sls_app_actiontrail_ipsight

IpInsight alert

Checks every 15 minutes; the trigger condition is that an IpInsight event occurred in the past half hour.

event.insightDetails.insightType: IpInsight | select array_agg(distinct "event.acsRegion") as regions, array_agg(distinct "event.insightDetails.sourceIpAddress") as ips, count(1) as cnt from log

Data matched, cnt > 0

No grouping

Title: IpInsight alert

Description: An alert occurred in region ${regions}, access IP ${ips}; review it as soon as possible. For detailed logs, go to the ActionTrail console - Insight.
