Cloud-side metrics - AWS IoT Device Defender

Cloud-side metrics

When you create a security profile, you specify the expected behavior of your IoT devices by configuring behaviors and thresholds for the metrics those devices generate. The following are the cloud-side metrics, which come from AWS IoT.

Message size (aws:message-byte-size)

The number of bytes in a message. Use this metric to specify the maximum or minimum size (in bytes) of each message transmitted from a device to AWS IoT.

Compatible with: Rules Detect | ML Detect

Operators: less-than | less-than-equals | greater-than | greater-than-equals

Value: a non-negative integer

Units: bytes

Example

{
  "name": "Max Message Size",
  "metric": "aws:message-byte-size",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "value": {
      "count": 1024
    },
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}

Example: Using statisticalThreshold

{
  "name": "Large Message Size",
  "metric": "aws:message-byte-size",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "statisticalThreshold": {
      "statistic": "p90"
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}

Example: Using ML Detect

{
  "name": "Message size ML behavior",
  "metric": "aws:message-byte-size",
  "criteria": {
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1,
    "mlDetectionConfig": {
      "confidenceLevel": "HIGH"
    }
  },
  "suppressAlerts": true
}

An alarm occurs if, over three consecutive five-minute periods, a device transmits messages whose cumulative size exceeds the cumulative size reported by 90 percent of all other devices for this security profile behavior.
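The following Python is an added illustration, not AWS code (the service evaluates these metrics itself). It models how the criteria fields above combine: a fixed value or a fleet-percentile statisticalThreshold sets the threshold, comparisonOperator states which side of it is the expected behavior, and consecutiveDatapointsToAlarm / consecutiveDatapointsToClear add hysteresis so a single stray datapoint does not flap the alarm. The nearest-rank percentile over the other devices' values is an assumption standing in for however the service computes statistics such as p90; the datapoints and fleet values are constructed.

```python
"""Illustrative model of Device Defender cloud-side behavior evaluation.
Added example, not AWS code: it applies the documented criteria fields
(comparisonOperator, value / statisticalThreshold, consecutiveDatapointsToAlarm,
consecutiveDatapointsToClear) to constructed datapoints for one device."""
import operator
from typing import Dict, List, Optional

# comparisonOperator values from the page, mapped to Python comparisons.
# A datapoint conforms (no alarm) when  metric <op> threshold  is true.
OPERATORS = {
    "less-than": operator.lt,
    "less-than-equals": operator.le,
    "greater-than": operator.gt,
    "greater-than-equals": operator.ge,
}


def percentile(values: List[int], stat: str) -> float:
    """Nearest-rank percentile for 'pNN' statistics (p10, p50, p90, p99, ...).
    Assumed approximation: the page does not state how the service computes it."""
    if not stat.startswith("p") or not values:
        raise ValueError("statistic must look like p90 and values must be non-empty")
    pct = int(stat[1:])
    ordered = sorted(values)
    rank = max(1, -(-pct * len(ordered) // 100))  # ceil(pct/100 * n), at least 1
    return float(ordered[rank - 1])


def threshold_for(behavior: Dict, fleet_values: Optional[List[int]] = None) -> float:
    """Resolve the threshold: a fixed value.count, or a statistic over the rest of the fleet."""
    criteria = behavior["criteria"]
    if "value" in criteria:
        return float(criteria["value"]["count"])
    if fleet_values is None:
        raise ValueError("statisticalThreshold needs the other devices' values")
    return percentile(fleet_values, criteria["statisticalThreshold"]["statistic"])


def evaluate(behavior: Dict, datapoints: List[int],
             fleet_values: Optional[List[int]] = None) -> List[str]:
    """Walk one device's datapoints in order and return the state ('ok' or 'alarm')
    after each one, applying the consecutive-datapoint hysteresis."""
    criteria = behavior["criteria"]
    conforms = OPERATORS[criteria["comparisonOperator"]]
    threshold = threshold_for(behavior, fleet_values)
    to_alarm = criteria.get("consecutiveDatapointsToAlarm", 1)
    to_clear = criteria.get("consecutiveDatapointsToClear", 1)
    states, in_alarm, violating, conforming = [], False, 0, 0
    for dp in datapoints:
        if conforms(dp, threshold):
            conforming, violating = conforming + 1, 0
        else:
            violating, conforming = violating + 1, 0
        if not in_alarm and violating >= to_alarm:
            in_alarm = True
        elif in_alarm and conforming >= to_clear:
            in_alarm = False
        states.append("alarm" if in_alarm else "ok")
    return states


# Constructed variant of the page's "Max Message Size" behavior: three consecutive
# violations are needed to alarm and two conforming datapoints to clear.
MAX_MESSAGE_SIZE = {
    "name": "Max Message Size",
    "metric": "aws:message-byte-size",
    "criteria": {
        "comparisonOperator": "less-than-equals",
        "value": {"count": 1024},
        "consecutiveDatapointsToAlarm": 3,
        "consecutiveDatapointsToClear": 2,
    },
}

# The page's "Large Message Size" behavior: threshold is the fleet's p90.
LARGE_MESSAGE_SIZE = {
    "name": "Large Message Size",
    "metric": "aws:message-byte-size",
    "criteria": {
        "comparisonOperator": "less-than-equals",
        "statisticalThreshold": {"statistic": "p90"},
        "durationSeconds": 300,
        "consecutiveDatapointsToAlarm": 1,
        "consecutiveDatapointsToClear": 1,
    },
}

if __name__ == "__main__":
    # Constructed message sizes in bytes for one device, one per evaluation period.
    print(evaluate(MAX_MESSAGE_SIZE, [500, 2000, 2000, 2000, 800, 800, 3000]))
    # Constructed fleet: ten other devices reporting 100..1000 bytes, so p90 = 900.
    fleet = [100 * i for i in range(1, 11)]
    print(evaluate(LARGE_MESSAGE_SIZE, [950, 1100, 100], fleet))
```

Note how the first run only alarms on the fourth datapoint and clears on the sixth, whereas the p90 run with both counts set to 1 reacts to every datapoint; raising consecutiveDatapointsToAlarm is the usual way to trade detection latency for fewer false alarms.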

Messages sent (aws:num-messages-sent)

The number of messages sent by a device during a given time period.

Use this metric to specify the maximum or minimum number of messages that can be sent between AWS IoT and each device during a given time period.

Compatible with: Rules Detect | ML Detect

Operators: less-than | less-than-equals | greater-than | greater-than-equals

Value: a non-negative integer

Units: messages

Duration: a non-negative integer. Valid values are 300, 600, 900, 1800, or 3600 seconds.

Example

{
  "name": "Out bound message count",
  "metric": "aws:num-messages-sent",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "value": {
      "count": 50
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}

Example: Using statisticalThreshold

{
  "name": "Out bound message rate",
  "metric": "aws:num-messages-sent",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "statisticalThreshold": {
      "statistic": "p99"
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}

Example: Using ML Detect

{
  "name": "Messages sent ML behavior",
  "metric": "aws:num-messages-sent",
  "criteria": {
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1,
    "mlDetectionConfig": {
      "confidenceLevel": "HIGH"
    }
  },
  "suppressAlerts": true
}

Messages received (aws:num-messages-received)

The number of messages received by a device during a given time period.

Use this metric to specify the maximum or minimum number of messages that can be received between AWS IoT and each device during a given time period.

Compatible with: Rules Detect | ML Detect

Operators: less-than | less-than-equals | greater-than | greater-than-equals

Value: a non-negative integer

Units: messages

Duration: a non-negative integer. Valid values are 300, 600, 900, 1800, or 3600 seconds.

Example

{
  "name": "In bound message count",
  "metric": "aws:num-messages-received",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "value": {
      "count": 50
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}

Example: Using statisticalThreshold

{
  "name": "In bound message rate",
  "metric": "aws:num-messages-received",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "statisticalThreshold": {
      "statistic": "p99"
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}

Example: Using ML Detect

{
  "name": "Messages received ML behavior",
  "metric": "aws:num-messages-received",
  "criteria": {
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1,
    "mlDetectionConfig": {
      "confidenceLevel": "HIGH"
    }
  },
  "suppressAlerts": true
}

Authorization failures (aws:num-authorization-failures)

Use this metric to specify the maximum number of authorization failures allowed for each device during a given time period. An authorization failure occurs when a request from a device to AWS IoT is denied (for example, a device attempts to publish to a topic for which it lacks sufficient permissions).

Compatible with: Rules Detect | ML Detect

Units: failures

Operators: less-than | less-than-equals | greater-than | greater-than-equals

Value: a non-negative integer

Duration: a non-negative integer. Valid values are 300, 600, 900, 1800, or 3600 seconds.

Example

{
  "name": "Authorization Failures",
  "metric": "aws:num-authorization-failures",
  "criteria": {
    "comparisonOperator": "less-than",
    "value": {
      "count": 5
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}

Example: Using statisticalThreshold

{
  "name": "Authorization Failures",
  "metric": "aws:num-authorization-failures",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "statisticalThreshold": {
      "statistic": "p50"
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}

Example: Using ML Detect

{
  "name": "Authorization failures ML behavior",
  "metric": "aws:num-authorization-failures",
  "criteria": {
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1,
    "mlDetectionConfig": {
      "confidenceLevel": "HIGH"
    }
  },
  "suppressAlerts": true
}

Source IP (aws:source-ip-address)

The IP address from which a device connects to AWS IoT.

Use this metric to specify a set of allowed (formerly termed whitelisted) or denied (formerly termed blacklisted) Classless Inter-Domain Routing (CIDR) ranges from which each device must, or must not, connect to AWS IoT.

Compatible with: Rules Detect

Operators: in-cidr-set | not-in-cidr-set

Value: a list of CIDRs

Units: n/a

Example

{
  "name": "Denied source IPs",
  "metric": "aws:source-ip-address",
  "criteria": {
    "comparisonOperator": "not-in-cidr-set",
    "value": {
      "cidrs": [
        "12.8.0.0/16",
        "15.102.16.0/24"
      ]
    }
  },
  "suppressAlerts": true
}

Connection attempts (aws:num-connection-attempts)

The number of times a device attempts to make a connection during a given time period.

Use this metric to specify the maximum or minimum number of connection attempts for each device. Both successful and unsuccessful attempts are counted.

Compatible with: Rules Detect | ML Detect

Operators: less-than | less-than-equals | greater-than | greater-than-equals

Value: a non-negative integer

Units: connection attempts

Duration: a non-negative integer. Valid values are 300, 600, 900, 1800, or 3600 seconds.

Example

{
  "name": "Connection Attempts",
  "metric": "aws:num-connection-attempts",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "value": {
      "count": 5
    },
    "durationSeconds": 600,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}

Example: Using statisticalThreshold

{
  "name": "Connection Attempts",
  "metric": "aws:num-connection-attempts",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "statisticalThreshold": {
      "statistic": "p10"
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}

Example: Using ML Detect

{
  "name": "Connection attempts ML behavior",
  "metric": "aws:num-connection-attempts",
  "criteria": {
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1,
    "mlDetectionConfig": {
      "confidenceLevel": "HIGH"
    }
  },
  "suppressAlerts": false
}

Disconnects (aws:num-disconnects)

The number of times a device disconnects from AWS IoT during a given time period.

Use this metric to specify the maximum or minimum number of times a device disconnects from AWS IoT during a given time period.

Compatible with: Rules Detect | ML Detect

Operators: less-than | less-than-equals | greater-than | greater-than-equals

Value: a non-negative integer

Units: disconnects

Duration: a non-negative integer. Valid values are 300, 600, 900, 1800, or 3600 seconds.

Example

{
  "name": "Disconnections",
  "metric": "aws:num-disconnects",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "value": {
      "count": 5
    },
    "durationSeconds": 600,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}

Example: Using statisticalThreshold

{
  "name": "Disconnections",
  "metric": "aws:num-disconnects",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "statisticalThreshold": {
      "statistic": "p10"
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}

Example: Using ML Detect

{
  "name": "Disconnects ML behavior",
  "metric": "aws:num-disconnects",
  "criteria": {
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1,
    "mlDetectionConfig": {
      "confidenceLevel": "HIGH"
    }
  },
  "suppressAlerts": true
}

Disconnect duration (aws:disconnect-duration)

The duration for which a device remains disconnected from AWS IoT.

Use this metric to specify the maximum duration for which a device may remain disconnected from AWS IoT.

Compatible with: Rules Detect

Operators: less-than | less-than-equals

Value: a non-negative integer (in minutes)

Example

{
  "name": "DisconnectDuration",
  "metric": "aws:disconnect-duration",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "value": {
      "count": 5
    }
  },
  "suppressAlerts": true
}
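As an added example that is not AWS code (the service performs its own validation when a security profile is created), the following Python checks a behavior definition against the constraints this page lists for all eight cloud-side metrics: known metric names, the operator set allowed per metric, the valid durationSeconds values, non-negative counts, well-formed CIDRs, and the two metrics that are compatible with Rules Detect only. It also evaluates the in-cidr-set / not-in-cidr-set operators for the source IP metric with Python's ipaddress module. The sample inputs are the page's own "Denied source IPs" behavior and a constructed invalid one; the lower bound of 1 on the consecutiveDatapoints fields is an assumption taken from the page's examples, which all use 1.

```python
"""Validator for Device Defender cloud-side behavior definitions, checking the
constraints listed on this page, plus evaluation of the source-IP operators.
Added example, not AWS code."""
import ipaddress
from typing import Dict, List

VALID_DURATIONS = {300, 600, 900, 1800, 3600}
NUMERIC_OPS = {"less-than", "less-than-equals", "greater-than", "greater-than-equals"}
CIDR_OPS = {"in-cidr-set", "not-in-cidr-set"}

# Allowed operators and ML Detect compatibility per metric, as listed on the page.
METRICS = {
    "aws:message-byte-size":          {"ops": NUMERIC_OPS, "ml": True},
    "aws:num-messages-sent":          {"ops": NUMERIC_OPS, "ml": True},
    "aws:num-messages-received":      {"ops": NUMERIC_OPS, "ml": True},
    "aws:num-authorization-failures": {"ops": NUMERIC_OPS, "ml": True},
    "aws:source-ip-address":          {"ops": CIDR_OPS, "ml": False},
    "aws:num-connection-attempts":    {"ops": NUMERIC_OPS, "ml": True},
    "aws:num-disconnects":            {"ops": NUMERIC_OPS, "ml": True},
    "aws:disconnect-duration":        {"ops": {"less-than", "less-than-equals"}, "ml": False},
}


def _is_count(x) -> bool:
    """Non-negative integer (bool is an int subclass in Python, so exclude it)."""
    return isinstance(x, int) and not isinstance(x, bool) and x >= 0


def validate_behavior(behavior: Dict) -> List[str]:
    """Return a list of problems; an empty list means the definition passes."""
    problems: List[str] = []
    metric = behavior.get("metric")
    rules = METRICS.get(metric)
    if rules is None:
        return [f"unknown cloud-side metric {metric!r}"]
    c = behavior.get("criteria", {})
    has_value, has_stat, has_ml = "value" in c, "statisticalThreshold" in c, "mlDetectionConfig" in c
    if has_value + has_stat + has_ml != 1:
        problems.append("criteria must contain exactly one of value, statisticalThreshold, mlDetectionConfig")
    if has_ml:
        if not rules["ml"]:
            problems.append(f"{metric} is compatible with Rules Detect only, not ML Detect")
    else:
        op = c.get("comparisonOperator")
        if op not in rules["ops"]:
            problems.append(f"operator {op!r} is not valid for {metric}; allowed: {sorted(rules['ops'])}")
    if has_value:
        value = c["value"]
        if metric == "aws:source-ip-address":
            cidrs = value.get("cidrs", [])
            if not cidrs:
                problems.append("value.cidrs must be a non-empty list of CIDRs")
            for cidr in cidrs:
                try:
                    ipaddress.ip_network(cidr)
                except ValueError:
                    problems.append(f"invalid CIDR {cidr!r}")
        elif not _is_count(value.get("count")):
            problems.append("value.count must be a non-negative integer")
    if "durationSeconds" in c and c["durationSeconds"] not in VALID_DURATIONS:
        problems.append(f"durationSeconds {c['durationSeconds']!r} not in {sorted(VALID_DURATIONS)}")
    for key in ("consecutiveDatapointsToAlarm", "consecutiveDatapointsToClear"):
        # Lower bound of 1 is assumed from the page's examples, which all use 1.
        if key in c and not (_is_count(c[key]) and c[key] >= 1):
            problems.append(f"{key} must be an integer of at least 1")
    return problems


def source_ip_conforms(behavior: Dict, ip: str) -> bool:
    """Evaluate an aws:source-ip-address behavior for one connection's source IP.
    True: the connection matches the expected behavior; False: a violation."""
    c = behavior["criteria"]
    nets = [ipaddress.ip_network(x) for x in c["value"]["cidrs"]]
    addr = ipaddress.ip_address(ip)
    inside = any(addr in n for n in nets)
    return inside if c["comparisonOperator"] == "in-cidr-set" else not inside


# The page's own "Denied source IPs" behavior.
DENIED_SOURCE_IPS = {
    "name": "Denied source IPs",
    "metric": "aws:source-ip-address",
    "criteria": {
        "comparisonOperator": "not-in-cidr-set",
        "value": {"cidrs": ["12.8.0.0/16", "15.102.16.0/24"]},
    },
    "suppressAlerts": True,
}

# Constructed invalid definition: operator not allowed for this metric,
# negative count, and a durationSeconds outside the valid set.
BAD_BEHAVIOR = {
    "name": "Broken",
    "metric": "aws:disconnect-duration",
    "criteria": {
        "comparisonOperator": "greater-than",
        "value": {"count": -1},
        "durationSeconds": 120,
    },
}

if __name__ == "__main__":
    print(validate_behavior(DENIED_SOURCE_IPS))           # []
    for problem in validate_behavior(BAD_BEHAVIOR):
        print("BAD_BEHAVIOR:", problem)
    print(source_ip_conforms(DENIED_SOURCE_IPS, "12.8.1.1"))   # False: inside a denied range
    print(source_ip_conforms(DENIED_SOURCE_IPS, "10.0.0.1"))   # True
```

Running this check over a behaviors file before calling CreateSecurityProfile catches the class of mistake the service would otherwise reject at API time, such as a durationSeconds of 120 or an ML Detect configuration on a metric that only supports Rules Detect.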