Alert rule: ManyBillingEntitiesCreated

Please consider opening a PR to improve this runbook if you gain new information about causes of the alert, or how to debug or resolve the alert. Click "Edit this Page" in the top right corner to create a PR directly on GitHub.

Overview

This alert fires if many BillingEntities have been created. This is usually the case if someone tries to abuse APPUiO Cloud.

Steps for debugging

Check the newly created BillingEntities

List all billing entities created less than 30 minutes ago
start=$(date -u -d '30 min ago' '+%Y-%m-%dT%H:%M:%SZ') # (1)
kubectl get billingentities -ojson | jq --arg start "$start" -r \
  '.items[] |
  select(.metadata.creationTimestamp|fromdateiso8601 >= ($start|fromdateiso8601)) |
  "\(.metadata.name) \(.spec.name) \(.spec.accountingContact.name)"'
(1) Adjust the '30 min ago' part to cover a longer or shorter time frame, depending on your needs.

Check the billing entities which are returned for suspicious patterns, such as identical names, addresses, or phone numbers. Check whether the addresses and names look made up. Check with your company’s sales representatives whether they expect a number of new billing entities.
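One way to surface the identical-name pattern described above, as an added example that is not part of the original runbook: it groups recently created billing entities by normalized `spec.name` and `spec.accountingContact.name`, the fields the query above prints. The sample entities, the 30-minute window and the letters-only normalization are assumptions.

```python
import json
import sys
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Only field paths shown in this runbook's jq query; address/phone paths are not assumed.
FIELDS = {"spec.name": ("spec", "name"),
          "spec.accountingContact.name": ("spec", "accountingContact", "name")}

def _be(name, created, company, contact):  # builds one constructed sample item
    return {"metadata": {"name": name, "creationTimestamp": created},
            "spec": {"name": company, "accountingContact": {"name": contact}}}

# Constructed sample data, not real billing entities.
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = {"items": [
    _be("be-1000", "2024-01-15T09:00:00Z", "Acme Trading", "John Doe"),  # outside window
    _be("be-2001", "2024-01-15T11:41:07Z", "Acme Trading 1", "John Doe"),
    _be("be-2002", "2024-01-15T11:42:30Z", "acme trading 2", "Jane Roe"),
    _be("be-2003", "2024-01-15T11:44:12Z", "ACME-Trading 3", "john  doe"),
    _be("be-2004", "2024-01-15T11:50:00Z", "Bakery Muster AG", "Anna Muster"),
]}

def normalize(value):
    """Casefold and keep letters only, so 'ACME-Trading 3' and 'acme trading 2' collide."""
    return "".join(c for c in str(value or "").casefold() if c.isalpha())

def dig(obj, path):
    for key in path:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def find_clusters(doc, since, min_size=2):
    """Map (field, normalized value) -> names of entities created at or after `since`."""
    clusters = defaultdict(list)
    for item in doc.get("items", []):
        ts = item["metadata"]["creationTimestamp"]
        created = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for label, path in FIELDS.items():
            key = normalize(dig(item, path))
            if created >= since and key:
                clusters[(label, key)].append(item["metadata"]["name"])
    return {k: sorted(v) for k, v in clusters.items() if len(v) >= min_size}

if __name__ == "__main__":
    live = not sys.stdin.isatty()  # piped kubectl output, otherwise the sample
    doc, now = (json.load(sys.stdin), datetime.now(timezone.utc)) if live else (SAMPLE, SAMPLE_NOW)
    for (label, key), names in sorted(find_clusters(doc, now - timedelta(minutes=30)).items()):
        print(f"{label}={key!r} shared by {', '.join(names)}")
```

Pipe `kubectl get billingentities -ojson` into the script to check live data; without piped input it runs on the constructed sample. A shared value is a prompt for manual review, not proof of abuse.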

Follow-up actions

Billing entities look legitimate

Check whether the APPUiO Cloud zones have sufficient resources to accommodate workloads for the new billing entities.

Billing entities look suspicious

Contact your company’s fraud prevention or security officer to determine next steps.