The anomaly alert feature uses built-in and custom detection models to detect and report anomalous operations on sensitive data. This topic describes how to manage these models and how to view and handle anomalous events.
Prerequisites
Before you begin, ensure that you have:
- The new version of the security audit feature enabled. For more information, see Enable security audit (new version).
View anomaly alerts for a single instance
1. Log on to the DAS console.
2. In the navigation pane on the left, click .
3. Find the target instance and click the instance ID to open the instance details page.
4. In the left-side navigation pane, click Security Audit.
5. On the Security Audit page, click Exception Alerts.
6. On the Exception Alerts page, view anomaly alerts related to sensitive data.
   Click the Anomalous data flow, Abnormal behavior, or Custom exceptions tab to view the statistics for the corresponding type of event.
7. Find the target anomaly event and click View Details in the Actions column. In the Anomalous Event Details pane, view the basic information, object information, event description, and processing history.
8. Find the target anomaly event and click Process in the Actions column.
9. In the Risk Alert pane, follow the recommended actions to handle the alert promptly.
   Configure the following parameters:
   - Event verification result
     - Confirmed and processed: Select this option if you confirm that the detected event is an anomaly. Use the information on the page to locate the source of the anomaly and manually resolve it in the corresponding cloud service. If you do not resolve a confirmed anomaly, DAS continues to generate alerts for it.
     - Add to whitelist: Select this option if you verify that the detected activity is a normal operation. After you add an event to the whitelist, DAS no longer generates alerts for it and removes the event from the anomaly alert list.
   - Processing record: Enter notes about how you handled the alert.
To export the events displayed in the list, click Export above the list.
View anomaly alerts for all instances
If security audit is enabled on multiple database instances, you can view anomaly alerts for all instances.
1. Log on to the DAS console.
2. In the left-side navigation pane, click Security Center > Security Audit.
3. On the Security Audit page, click Exception Alerts.
4. On the Exception Alerts page, view anomaly alerts related to sensitive data.
   Click the Anomalous data flow, Abnormal behavior, or Custom exceptions tab to view the statistics for the corresponding type of event.
5. Find the target anomaly event and click View Details in the Actions column. In the Anomalous Event Details pane, view the basic information, object information, event description, and processing history.
6. Find the target anomaly event and click Process in the Actions column.
7. In the Risk Alert pane, follow the recommended actions to handle the alert promptly.
   Configure the following parameters:
   - Event verification result
     - Confirmed and processed: Select this option if you confirm that the detected event is an anomaly. Use the information on the page to locate the source of the anomaly and manually resolve it in the corresponding cloud service. If you do not resolve a confirmed anomaly, DAS continues to generate alerts for it.
     - Add to whitelist: Select this option if you verify that the detected activity is a normal operation. After you add an event to the whitelist, DAS no longer generates alerts for it and removes the event from the anomaly alert list.
   - Processing record: Enter notes about how you handled the alert. You can optionally select the Enhance detection for this risk checkbox. This submits the event as a sample to improve future alert accuracy.
To export the events displayed in the list, click Export above the list.
Anomaly event types
Anomaly events are classified into the following types:
- Abnormal flow: Anomalies that occur during data transfer. For example, sensitive data is downloaded from an unusual geographic location.
- Abnormal behavior: Unusual data operations. For example, consecutive failed login attempts or logins from unrecognized devices.
- Custom exceptions: Events detected by your custom anomaly detection models and reported as alerts.
Risk levels
The risk level of an anomaly alert is determined by the sensitivity level of the data involved, so alerts for the same event subtype can have different risk levels. The rules are as follows:
- Abnormal flow: The risk level is High if the highest sensitivity level of the involved data is S3 or higher, Medium if the highest sensitivity level is S1 or S2, and Low if the sensitivity level is N/A.
- Abnormal behavior: The risk level is Medium if the highest sensitivity level of the involved data is S2 or higher, and Low if the sensitivity level is S1 or lower.
- Custom exceptions: The risk level is determined by the level you configure in the custom alert rule.
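The rules above, as an added example that is not DAS code: it computes the highest sensitivity level across the data objects an event touches, derives the risk level per event type, and orders a constructed batch of alerts so High-risk ones are handled first. The sensitivity ranking (N/A below S1, and an S4 level above S3) and the sample alerts are assumptions, not values from a real DAS export.

```python
# Added example (not DAS code): encodes the risk-level rules for anomaly alerts.
# Assumed ordering of sensitivity labels; S4 is an assumed level above S3.
SENSITIVITY_RANK = {"N/A": 0, "S1": 1, "S2": 2, "S3": 3, "S4": 4}
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def highest_sensitivity(levels):
    """Return the highest sensitivity label among the involved data objects (N/A if none)."""
    if not levels:
        return "N/A"
    return max(levels, key=lambda lvl: SENSITIVITY_RANK[lvl])


def risk_level(event_type, levels, custom_level=None):
    """Map an event type plus the involved data's sensitivity levels to a risk level."""
    top = SENSITIVITY_RANK[highest_sensitivity(levels)]
    if event_type == "abnormal_flow":
        if top >= SENSITIVITY_RANK["S3"]:
            return "High"
        if top >= SENSITIVITY_RANK["S1"]:
            return "Medium"
        return "Low"  # only N/A data involved
    if event_type == "abnormal_behavior":
        return "Medium" if top >= SENSITIVITY_RANK["S2"] else "Low"
    if event_type == "custom_exception":
        if custom_level not in RISK_ORDER:
            raise ValueError("custom exceptions use the level configured in the alert rule")
        return custom_level
    raise ValueError(f"unknown event type: {event_type}")


def triage_order(alerts):
    """Sort alerts by derived risk level, High first; equal risk keeps input order."""
    return sorted(
        alerts,
        key=lambda a: RISK_ORDER[risk_level(a["type"], a["levels"], a.get("custom_level"))],
    )


# Constructed sample alerts (assumed shape, not a real DAS export).
SAMPLE_ALERTS = [
    {"id": "a1", "type": "abnormal_behavior", "levels": ["S1", "S3"]},
    {"id": "a2", "type": "abnormal_flow", "levels": ["N/A", "S1"]},
    {"id": "a3", "type": "abnormal_flow", "levels": ["S2", "S3"]},
    {"id": "a4", "type": "custom_exception", "levels": [], "custom_level": "Low"},
]

if __name__ == "__main__":
    for alert in triage_order(SAMPLE_ALERTS):
        print(alert["id"], risk_level(alert["type"], alert["levels"], alert.get("custom_level")))
```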
Related documentation
By default, all built-in anomaly detection models in DAS are enabled. You can disable any models you do not need. DAS also allows you to create custom alert rules based on various dimensions, such as the database, table, field, access source, or instance. For more information, see Configure alert rules.