View and handle audit alerts


The audit alert page displays alerts for your data assets based on configured audit modes and rules. You can use the alert details to identify and track risks such as unusual database operations, vulnerability attacks, and data breaches. This topic describes how to view and handle audit alerts to better manage the risk status of your assets.

Prerequisites

View audit alert information

  1. Log on to the Data Security Center console.

  2. In the left-side navigation pane, choose Data Audit > Native Data Auditing.

  3. On the Risk Detection tab, view the statistical information on the Alert Overview and Alert Logs subtabs.

Alert overview

  • View the Audit Risk Score, which is calculated based on cumulative alert data from the last 24 hours. The page also lists the Deduction rules and Actual deductions. If no new alerts are detected within this 24-hour period, your Audit Risk Score decreases.

    The Actual deductions table is categorized by risk level: High (3 points deducted per item), Medium (2 points deducted per item), and Low (1 point deducted per item), with a threshold of 10 occurrences for each. The alert list at the bottom of the page displays the aggregated alert time, data type, rule name, risk level, alert count, number of affected assets, account count, client IP count, and rule description. You can filter alerts by Data type, Risk level, or Rule classification. For each alert, you can click Details to view more information or click Add to Whitelist.

  • For real-time alerts on your data assets, click Details in the Actions column to view remediation suggestions, the list of affected assets, and the list of access sources.

    On the alert rule details page, the Basic information section displays the rule name, risk level, rule classification, asset type, and enabled status. The Detailed information section provides remediation suggestions, such as deploying a WAF, using parameterized queries, restricting database permissions, and implementing input validation. The Alert assets list includes columns for asset name/ID, database type, alert count, and alert trend, with an option to Add to Whitelist in the Actions column. The Access source table shows the client IP, database account, and alert count.
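The following added example (not part of this document or of DSC itself) reproduces the Alert Overview roll-up and the deduction rules described above on a constructed alert log: alerts from the last 24 hours are grouped per data type and rule into alert count, affected asset count, account count and client IP count, and per-level deductions are computed at 3/2/1 points. The 24-hour cutoff time and the reading of the "threshold of 10 occurrences" as a cap on how many alerts per level are counted are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Deduction rules as stated on the page: points deducted per alert, by risk level.
DEDUCTION_PER_ITEM = {"High": 3, "Medium": 2, "Low": 1}
# Assumption: the "threshold of 10 occurrences" caps how many alerts per level are counted.
OCCURRENCE_THRESHOLD = 10
SCORE_WINDOW = timedelta(hours=24)
NOW = datetime(2024, 5, 2, 12, 0, 0)  # constructed "current time" for the 24-hour window

def _alert(time, rule, level, asset, account, ip, data_type="RDS"):
    return {"time": time, "rule": rule, "level": level, "asset": asset,
            "account": account, "client_ip": ip, "data_type": data_type}

# Constructed sample alert log (not real data).
ALERTS = [
    _alert("2024-05-02T10:00:00", "SQL injection", "High", "rm-001", "app_user", "10.0.0.5"),
    _alert("2024-05-02T11:00:00", "SQL injection", "High", "rm-001", "dba", "10.0.0.6"),
    _alert("2024-04-30T09:00:00", "SQL injection", "High", "rm-001", "dba", "10.0.0.6"),  # older than 24h
    _alert("2024-05-02T08:00:00", "Privilege change", "Medium", "rm-002", "dba", "10.0.0.6"),
] + [
    _alert(f"2024-05-02T00:{i:02d}:00", "Large-volume query", "Low", "rm-003", "report", f"10.0.1.{i}")
    for i in range(12)
]

def recent_alerts(alerts, now=NOW, window=SCORE_WINDOW):
    """Keep only alerts inside the scoring window; older alerts stop counting."""
    return [a for a in alerts if timedelta(0) <= now - datetime.fromisoformat(a["time"]) <= window]

def aggregate_overview(alerts):
    """Roll alerts up per (data type, rule name) like the Alert Overview list."""
    groups = defaultdict(lambda: {"level": None, "alert_count": 0, "assets": set(), "accounts": set(), "ips": set()})
    for a in alerts:
        g = groups[(a["data_type"], a["rule"])]
        g["level"] = a["level"]
        g["alert_count"] += 1
        g["assets"].add(a["asset"]); g["accounts"].add(a["account"]); g["ips"].add(a["client_ip"])
    return {k: {"risk_level": g["level"], "alert_count": g["alert_count"], "asset_count": len(g["assets"]),
                "account_count": len(g["accounts"]), "client_ip_count": len(g["ips"])} for k, g in groups.items()}

def actual_deductions(alerts):
    """Per-level deductions, counting at most OCCURRENCE_THRESHOLD alerts per level (assumption)."""
    per_level = Counter(a["level"] for a in alerts)
    return {lvl: min(per_level[lvl], OCCURRENCE_THRESHOLD) * pts for lvl, pts in DEDUCTION_PER_ITEM.items()}

def total_deduction(alerts):
    """Sum of the per-level deductions for the alerts given."""
    return sum(actual_deductions(alerts).values())

if __name__ == "__main__":
    window = recent_alerts(ALERTS)
    for key, row in aggregate_overview(window).items():
        print(key, row)
    print(actual_deductions(window), total_deduction(window))
```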

Alert logs

  1. Above the alert list, select a data type, such as RDS, from the Current data type drop-down list. By default, the list displays audit alerts from the last day for the selected asset.

    Supported data types include RDS, PolarDB, PolarDB-X, Redis, MongoDB, OceanBase, and self-managed database. The drop-down menu also shows the number of instances for each type.

  2. You can filter alerts based on criteria such as time range, instance name, risk level, operation type, rule classification, rule name, account, client IP, and SQL command.

    Supported time ranges include Last 1 hour, Last 12 hours, Last 1 day, Last 7 days, Last 30 days, and Last 90 days. You can also filter by IP type. The alert list displays columns such as Sensitive feature, Alert time, Rule type, Rule name, Risk level (High, Medium, Low), Account, Client IP, Operation type, and Status. For each record, you can click Details or Add to Whitelist. You can also Export the alert data.

  3. Click Details in the Actions column to view information such as the alert time, client and server details, behavior information, and execution results to help you locate the risk.

    You can click Capture Snapshot to save a screenshot of the alert details to your browser's default download location.

    The audit alert section of the details pop-up window also includes the Risk level and Rule name fields. You can also click Add to Whitelist in the upper-right corner to add the alert to a whitelist.

Handle audit alerts

  • If you confirm that an alert event poses a threat to data security, use the alert log to locate and manually handle the threat on the corresponding data asset.

  • If you confirm that an alert event is a normal operation and requires no action, you can add the event to a whitelist. DSC will no longer generate alerts for this type of event on the specified data asset.

Add to whitelist

Follow these steps to add an alert event to a whitelist. The accounts, IP addresses, and other information you add are displayed in the system whitelist. DSC does not generate alerts for operations or events that match a whitelist rule. For more information, see Manage whitelists.

  1. In the alert list on the Alert Overview or Alert Logs tab, find the target alert event and click Details in the Actions column.

  2. On the alert event details page, in the Alert Assets list or the client IP list under Source, find the asset or IP address you want to add to the whitelist and click Add to Whitelist in the Actions column.

  3. The Add to Whitelist dialog box displays the corresponding asset instance or IP address and its database account information. You can add more information for the whitelist rule, and then click OK.

    A message at the top of the dialog box states that adding an item to the whitelist stops alert generation, but the logs can still be viewed in Log Analysis. The form fields include Whitelist Name (required), Rule Name, SQL Template (for selecting a database type and creating a template), Instance, Database (defaults to all databases if left empty), Table Name (defaults to all tables if left empty), Account, and IP.
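The following added example (not part of this document or of DSC itself) shows how the whitelist fields above suppress alerts on a constructed sample: a whitelist entry matches an alert when every field it fills in equals the alert's field, with an empty Database or Table Name meaning all databases or tables as the page states; treating an empty Rule Name, Account or IP the same way is an assumption. Suppressed alerts are kept as log-only records rather than dropped, matching the note that logs remain viewable.

```python
# Constructed whitelist entries and alerts (not real data). Field names are this example's own.
WHITELIST = [
    {"name": "Nightly report job", "rule": "", "instance": "rm-003", "database": "",
     "table": "", "account": "report", "client_ip": "10.0.1.7"},
    {"name": "DBA audit schema", "rule": "Privilege change", "instance": "rm-001",
     "database": "audit", "table": "", "account": "dba", "client_ip": ""},
]

ALERTS = [
    {"rule": "Large-volume query", "instance": "rm-003", "database": "sales", "table": "orders",
     "account": "report", "client_ip": "10.0.1.7"},      # matches "Nightly report job"
    {"rule": "Large-volume query", "instance": "rm-001", "database": "sales", "table": "orders",
     "account": "report", "client_ip": "10.0.1.7"},      # other instance: still alerts
    {"rule": "Privilege change", "instance": "rm-001", "database": "users", "table": "grants",
     "account": "dba", "client_ip": "10.0.0.6"},         # database not whitelisted: still alerts
    {"rule": "Privilege change", "instance": "rm-001", "database": "audit", "table": "log",
     "account": "dba", "client_ip": "10.0.0.9"},         # matches "DBA audit schema" (any IP)
]

FIELDS = ("rule", "instance", "database", "table", "account", "client_ip")

def matches(entry, alert):
    """True when every non-empty whitelist field equals the alert's field.
    Empty Database/Table mean all (per the page); empty rule/account/IP mean any (assumption)."""
    return all(not entry[f] or entry[f] == alert[f] for f in FIELDS)

def triage(alerts, whitelist):
    """Split alerts into those still raised and those suppressed, tagged with the matching entry name."""
    raised, suppressed = [], []
    for alert in alerts:
        hit = next((e for e in whitelist if matches(e, alert)), None)
        if hit:
            suppressed.append({**alert, "whitelist": hit["name"]})  # log only, no alert
        else:
            raised.append(alert)
    return raised, suppressed

if __name__ == "__main__":
    raised, suppressed = triage(ALERTS, WHITELIST)
    print(len(raised), "raised;", [s["whitelist"] for s in suppressed], "suppressed")
```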

Related documents