How long does it take CloudTrail to create an insights event?

0

I enabled CloudTrail Insights one month ago, but I can't find any Insights events.

How long does it take CloudTrail to create an Insights event for unusual activity?


nodejh
asked 2 years ago, 321 views
2 Answers
1

Hi,

Insights are created as soon as CloudTrail Insights detects changes in your account's API usage that differ significantly from the account's typical usage patterns.

CloudTrail Insights continuously monitors CloudTrail write management events, and uses mathematical models to determine the normal levels of API event and error rate activity for an account.

Checking your CloudTrail logs, did you see any anomalous requests (errors, volume of requests, etc.) during this one-month window?

Best regards,
Ricardo Makino

AWS
answered 2 years ago
  • Hi,

    Thank you very much for your answer!

    I'm still a little confused. What does "as soon as CloudTrail Insights detect" mean?

    For example: at 01:00, unusual activity occurs and lasts until 01:30.

    When is the Insights event created?

    A: In minutes, e.g.:

    • 01:01, create "start insights event", eventTime is "2022-12-08T01:01:00Z"
    • 01:31, create "end insights event", eventTime is "2022-12-08T01:31:00Z"

    B: Or in hours, e.g.:

    • 02:00, create "start insights event (2022-12-08T01:01:00Z)" and "end insights event (2022-12-08T01:31:00Z)"
1

Hi,

What does "as soon as CloudTrail Insights detect" mean?

A: It means that, once activated, CloudTrail Insights starts to analyze the events on write APIs, and if any behavior change is detected, an insight is created:

[Image]

In the example above, the baseline API call rate was 0.0011, and a growth of 139260% was identified.

Best regards,
Ricardo Makino

AWS
answered 2 years ago
  • Hi,

    Thank you!

    Does Insights detect anomalies per minute, meaning that Insights aggregates events per minute and creates a start event whose start time is at the 'minute' level after detecting anomalies? By the way, when an Insights event ends, will Insights post an end event with the end time ('minute' level) and duration?
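
To check whether any Insights events were delivered and how their start and end records line up, the following added example (not part of any post in this thread, and not AWS code) pairs Start/End records by `sharedEventID` and computes the duration and the change against the baseline. It assumes the CloudTrail Insights record layout (`eventType` of `AwsCloudTrailInsight`, `insightDetails.state`, `insightContext.statistics`); the sample records are constructed, reuse the timestamps from the comment's hypothetical, and say nothing about how quickly CloudTrail delivers such events.

```python
from datetime import datetime

def _insight(state, when, shared_id, baseline, observed):
    """Build one constructed Insights record (layout assumed per CloudTrail docs)."""
    return {"eventType": "AwsCloudTrailInsight", "eventTime": when,
            "sharedEventID": shared_id,
            "insightDetails": {
                "state": state, "eventSource": "ec2.amazonaws.com",
                "eventName": "RunInstances",
                "insightType": "ApiCallRateInsight",
                "insightContext": {"statistics": {
                    "baseline": {"average": baseline},
                    "insight": {"average": observed}}}}}

# Constructed sample input; values are invented, not from a real account.
SAMPLE_RECORDS = [
    {"eventType": "AwsApiCall", "eventTime": "2022-12-08T01:00:30Z"},
    _insight("Start", "2022-12-08T01:01:00Z", "constructed-id-1", 0.5, 2.0),
    _insight("End", "2022-12-08T01:31:00Z", "constructed-id-1", 0.5, 2.0),
    _insight("Start", "2022-12-08T03:10:00Z", "constructed-id-2", 0.25, 0.5),
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def summarize_insights(records):
    """Pair Start/End Insights records by sharedEventID."""
    out = {}
    for rec in records:
        if rec.get("eventType") != "AwsCloudTrailInsight":
            continue  # ordinary management events are not Insights records
        details = rec["insightDetails"]
        row = out.setdefault(rec["sharedEventID"], {
            "api": details["eventName"], "type": details["insightType"],
            "start": None, "end": None, "minutes": None, "pct_change": None})
        row[details["state"].lower()] = rec["eventTime"]
        stats = details.get("insightContext", {}).get("statistics", {})
        base = stats.get("baseline", {}).get("average")
        seen = stats.get("insight", {}).get("average")
        if details["state"] == "Start" and base and seen is not None:
            row["pct_change"] = round((seen - base) / base * 100, 2)
        if row["start"] and row["end"]:
            delta = _ts(row["end"]) - _ts(row["start"])
            row["minutes"] = delta.total_seconds() / 60
    return out

if __name__ == "__main__":
    for shared_id, row in summarize_insights(SAMPLE_RECORDS).items():
        print(shared_id, row)
```

A row whose `end` is still `None` is an insight that has a Start record but no matching End record in the input.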
