
Insight Events

Insight events enable AWS CloudTrail to automatically detect anomalous API activity in your AWS accounts. When CloudTrail identifies unusual patterns in API call rates or error rates, it generates insight events that alert you to potentially suspicious or problematic activity.

What Are Insight Events?

Unlike management events and data events that record every matching API call, insight events are generated only when CloudTrail detects activity that deviates significantly from established baselines. CloudTrail continuously analyzes your normal API activity patterns and flags deviations.

For example, if your account typically sees 20 RunInstances calls per day and suddenly there are 500 in an hour, CloudTrail would generate an insight event for the anomalous API call rate.

Insight Types

Prism's CloudTrail configuration supports the two types of insight analysis that CloudTrail offers:

API Call Rate Insight

Property   Value
Field      Checkbox
Default    Disabled

Detects anomalies in the volume of API calls. CloudTrail establishes a baseline for normal API call patterns in your account and generates an insight event when the call rate for a specific API deviates significantly from that baseline.

Example scenarios detected:

  • Sudden spike in RunInstances calls could indicate unauthorized resource provisioning
  • Unusual increase in CreateAccessKey calls could indicate credential compromise
  • Burst of DeleteObject calls could indicate data exfiltration or accidental deletion

API Error Rate Insight

Property   Value
Field      Checkbox
Default    Disabled

Detects anomalies in the error rate of API calls. CloudTrail monitors the ratio of failed API calls and generates an insight event when the error rate for a specific API deviates from the normal pattern.

Example scenarios detected:

  • Spike in AccessDenied errors could indicate a misconfigured policy or unauthorized access attempts
  • Increase in ThrottlingException errors could indicate an application hitting service limits
  • Rise in ResourceNotFoundException errors could indicate configuration drift or resource cleanup issues

How Insights Work

  1. Baseline establishment -- CloudTrail analyzes your management event history to establish normal API activity patterns
  2. Continuous monitoring -- Ongoing management events are compared against the baseline
  3. Anomaly detection -- When activity deviates significantly from the baseline, CloudTrail generates an insight event
  4. Insight delivery -- Insight events are delivered to the same S3 bucket as your trail logs, in a separate /CloudTrail-Insight/ prefix
Info: Insight events require management events to be enabled on the trail. CloudTrail uses management event data to establish baselines and detect anomalies. If management events are disabled, insight analysis cannot function.

Configuration in Prism

You configure insight events in two places:

Enable one or both insight types by checking the corresponding checkboxes.

Insight Event Output

When an anomaly is detected, the insight event includes:

  • The API name that triggered the anomaly (e.g., RunInstances)
  • The start and end time of the anomalous period
  • The baseline value (normal activity level)
  • The insight value (the anomalous activity level)
  • The AWS account where the anomaly was detected

Insight events are stored in the trail's S3 bucket under a dedicated path prefix, separate from management and data events.
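As an added example (not Prism's or AWS's own code), the following parses an insight record of the shape described above, as it would be read from the /CloudTrail-Insight/ prefix, and turns it into an alert suitable for SIEM forwarding. The record is constructed for illustration (account id and statistics are placeholders), and the `min_ratio` threshold is an assumed tuning knob, not an AWS setting.

```python
import json

# Constructed sample insight record following the CloudTrail Insights layout
# (eventType AwsCloudTrailInsight, insightDetails with baseline/insight stats).
SAMPLE_INSIGHT_RECORD = json.dumps({"Records": [{
    "eventTime": "2024-03-01T12:05:00Z",
    "eventType": "AwsCloudTrailInsight",
    "recipientAccountId": "111122223333",  # placeholder account id
    "insightDetails": {
        "state": "Start",                   # "Start" opens, "End" closes an anomaly
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "insightType": "ApiCallRateInsight",
        "insightContext": {"statistics": {
            "baseline": {"average": 0.0139},  # normal calls per minute
            "insight": {"average": 8.3},      # anomalous calls per minute
            "insightDuration": 60,
            "baselineDuration": 10080}}}}]})


def summarize_insights(raw_json, min_ratio=10.0):
    """Return one alert dict per insight record. A "Start" record is kept only
    when the anomalous level is at least min_ratio times the baseline; "End"
    records are always passed through so the alert can be closed."""
    alerts = []
    for rec in json.loads(raw_json).get("Records", []):
        if rec.get("eventType") != "AwsCloudTrailInsight":
            continue  # ignore management/data events that reach the same handler
        d = rec["insightDetails"]
        stats = d["insightContext"]["statistics"]
        baseline = stats["baseline"]["average"]
        insight = stats["insight"]["average"]
        # A zero baseline means the API had never been seen: treat as maximal.
        ratio = insight / baseline if baseline > 0 else float("inf")
        if d["state"] == "Start" and ratio < min_ratio:
            continue
        alerts.append({
            "account": rec.get("recipientAccountId"),
            "api": f'{d["eventSource"]}:{d["eventName"]}',
            "type": d["insightType"],
            "error_code": d.get("errorCode"),  # present only for error-rate insights
            "state": d["state"],
            "baseline": baseline,
            "insight": insight,
            "ratio": round(ratio, 1),
        })
    return alerts
```

Pointing an S3 event notification at the insight prefix and feeding each delivered object to `summarize_insights` gives a minimal alert pipeline.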

Best Practices

  1. Enable both insight types -- API call rate and API error rate insights complement each other and provide comprehensive anomaly detection
  2. Keep management events enabled -- Insights depend on management event data for baseline analysis
  3. Monitor insights regularly -- Set up S3 event notifications or integrate with your SIEM to alert on new insight events
  4. Investigate promptly -- Insight events indicate potentially significant deviations; treat them as actionable alerts
  5. Allow baseline time -- CloudTrail needs time to establish accurate baselines. Expect fewer false positives after the trail has been running for several days
Tip: Insight events have relatively low volume compared to management and data events because they are only generated when anomalies are detected. Enabling insights adds minimal overhead to your trail.