Custom data audit rule configuration

Rules

Note

When you configure a custom data audit rule, all conditions are combined with AND logic. A rule triggers only when an event meets every defined condition. To avoid creating invalid rules, do not configure mutually exclusive conditions.

Commonly confused operators

  • equals: The field value must exactly match the configured value, as in val.equals(exp).

  • contains: Matches if the field value includes the configured value as a substring, as in val.contains(exp).

  • belongs to: The field value must match any one of the values in the configured list, as in val.equals(exp1) || val.equals(exp2) || val.equals(exp3) || ....

Example scenarios

Review the following examples of conflicting configurations to avoid creating invalid rules.

Scenario 1: Asset scope conflicts

When you configure an asset condition, the specified instance, database, and database table must have a valid hierarchical relationship. If the database does not belong to the selected instance, the condition fails, and no alert is triggered.

For example, in the following configuration, the condition is never met because the specified Instance Name, Database Name, and Table Name do not form a valid hierarchical relationship.

In the Asset condition, Instance Name is set to Instance A, Database Name is set to Database B in Instance B, and Table Name is set to Table C in Database C.

Scenario 2: SQL and operation type conflicts

When you configure a Behavior condition, the configured SQL content must match the executed Operation Type. Otherwise, the condition fails, and no alert is triggered.

For example, login failed! is a logon failure message. It corresponds to the Login Operation Type, not the Select Operation Type. Therefore, this condition fails.

Note
  • When the operator is Equal To, you can select only one target object.

  • When the operator is belongs to, you can enter multiple target objects. Press Enter after each one to separate them.

Scenario 3: Conflicts between Behavior and Result

The conditions for Behavior and Result must be compatible. If they conflict, the condition fails, and no alert is triggered.

  • Example 1: login failed! is a logon failure message, and a logon failure does not affect the number of rows in a database table. Therefore, this condition fails.

    In the Behavior condition, the operator for SQL content is set to equals, and the value is login failed!. No operation type is selected.

    In the Result condition, Affected Rows is set to greater than 10. Execution Duration, Result Set, and Execution Status are not configured.

  • Example 2: login failed! configured in Behavior indicates a logon Failure status. This conflicts with the Result condition, where the execution status is set to Success. Therefore, this condition fails.

    In the Behavior condition, the operator for SQL content is set to equals, and the value is login failed!. No operation type is selected.
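The following sketch is an added example, not code from the product. It models the AND logic and the operators described above, then replays constructed audit events against the conflicting rules from Scenarios 2 and 3 to show that they never fire. The field names (sql_content, operation_type, affected_rows, execution_status), the rule names, and the sample events are assumptions made for illustration.

```python
# Added illustration: field names and events are constructed, not the product's schema.
OPERATORS = {
    "equals": lambda val, exp: val == exp,                      # val.equals(exp)
    "contains": lambda val, exp: exp in val,                    # val.contains(exp)
    "belongs to": lambda val, exp: any(val == e for e in exp),  # equals(exp1) || equals(exp2) ...
    "greater than": lambda val, exp: val > exp,
}

def rule_matches(rule, event):
    """A rule fires only when the event meets every condition (AND logic)."""
    return all(OPERATORS[op](event[field], exp) for field, op, exp in rule)

def dead_rules(rules, events):
    """Return the names of rules that match none of the replayed events."""
    return [name for name, rule in rules.items()
            if not any(rule_matches(rule, ev) for ev in events)]

# Constructed audit events: one failed logon and one successful query.
EVENTS = [
    {"sql_content": "login failed!", "operation_type": "Login",
     "affected_rows": 0, "execution_status": "Failure"},
    {"sql_content": "select * from users", "operation_type": "Select",
     "affected_rows": 0, "execution_status": "Success"},
]

RULES = {
    # Scenario 2: logon failure text paired with the Select operation type.
    "scenario2_conflict": [("sql_content", "equals", "login failed!"),
                           ("operation_type", "equals", "Select")],
    # Scenario 3, Example 1: a logon failure never affects rows.
    "scenario3_ex1_conflict": [("sql_content", "equals", "login failed!"),
                               ("affected_rows", "greater than", 10)],
    # Scenario 3, Example 2: a logon failure never has status Success.
    "scenario3_ex2_conflict": [("sql_content", "equals", "login failed!"),
                               ("execution_status", "equals", "Success")],
    # Compatible conditions: these rules can fire.
    "login_failure_ok": [("sql_content", "equals", "login failed!"),
                         ("operation_type", "belongs to", ["Login"]),
                         ("execution_status", "equals", "Failure")],
    "select_users_ok": [("sql_content", "contains", "from users"),
                        ("operation_type", "belongs to", ["Select"]),
                        ("execution_status", "equals", "Success")],
}

if __name__ == "__main__":
    for name in dead_rules(RULES, EVENTS):
        print("never fires on replayed events:", name)
```

A rule with zero hits on a representative replay is a prompt to review its conditions for conflicts, not proof that it is invalid, because the replayed events may simply not cover it.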