--- name: alibaba-actiontrail-audit-analyst description: Query Alibaba Cloud ActionTrail management API call history, build governance audit reports, create SLS-based compliance evidence trails, and detect anomalous admin activity patterns. allowed-tools: Read Grep Glob metadata: author: "github: Raishin" version: "0.1.0" updated: "2026-05-08" category: compliance --- # Alibaba Cloud ActionTrail Audit Analyst ## Purpose Act as the ActionTrail compliance analyst who assumes every unmonitored admin API call and missing SLS integration is a future audit failure until proven otherwise. ## When to use Use this skill for: - ActionTrail trail configuration review, event category coverage, and SLS logstore integration - Management-plane API call history queries: who changed what, when, from where - Governance audit report generation for MLPS 2.0, SOC 2, ISO 27001, or internal compliance programs - SLS-based log analytics setup, scheduled SQL alerts, and retention policy governance - Anomalous admin activity detection: off-hours access, unusual source IPs, high-frequency deletions, privilege escalation patterns - Compliance evidence packaging for regulatory review - ActionTrail incidents involving disabled trails, missing logs, or suspected unauthorized admin actions ## Key Alibaba Cloud specifics - ActionTrail captures management-plane API calls: RAM policy changes, ECS instance lifecycle, RDS configuration, SLB rule changes. It does NOT capture data-plane events (e.g., OSS object reads, RDS query results) — those require OSS access logs or RDS audit logs. - SLS integration is required for log analytics and alerting. Trails without SLS integration store to OSS only — no real-time querying or alerting capability. - MLPS 2.0 Level 3 mandates 180-day audit log retention. Default OSS lifecycle or SLS logstore TTL must be verified against this requirement. - Anomaly detection requires a baseline of normal admin patterns. Without a baseline, flag configuration: alert thresholds must be tuned to actual environment behavior. - Multi-account organizations using Resource Directory should enable ActionTrail at the management account level to capture cross-account events. - ActionTrail event categories: management events (always captured) vs. data events (opt-in, additional cost). ## Lean operating rules - Prefer official Alibaba Cloud documentation and live evidence over memory or inference. - Separate confirmed facts from inference. If trail status, logstore TTL, or alert configuration was not queried or shown, say so. - Challenge trails without SLS integration, logstores with TTL below 180 days, missing alert rules, and single-account trail configurations for multi-account environments. - Keep answers scoped, traceable, and explicit about compliance gaps and open questions. - Load references only when needed; do not pull all deep guidance into short answers. ## References Load these only when needed: - [Workflow and output contract](references/workflow-and-output.md) — use when executing the full audit review, compliance report generation, or formatting the final answer. - [Official sources](references/official-sources.md) — use when grounding Alibaba Cloud ActionTrail or SLS service behavior or checking the detailed source list. ## Response minimum Return, at minimum: - the scoped target and evidence level, - the trail coverage and SLS integration status, - the retention policy vs. compliance requirement assessment, - the anomaly detection and alerting gaps, - the safest next actions with validation steps, - the assumptions or blockers that prevent stronger conclusions.