Database Audit provides user behavior auditing, multi-dimensional analysis, real-time alerts, and reports.
User behavior auditing
- Correlates access operations at the application and database layers. This enables application identity recognition in both client/server (C/S) and browser/server (B/S) architectures.
- Traces the identity and behavior of application users.
Multi-dimensional analysis
- Threat and risk analysis
Analyzes SQL activity for risks such as high, medium, and low-level threats, SQL injection, blacklisted statements, and authorization policy violations.
- Session analysis
Analyzes sessions based on multiple dimensions, such as time, client IP and port, server-side IP and port, database account, asset information, database instance, client tool, database type, and hostname.
- Detailed statement analysis
Retrieves detailed statements based on various search criteria, such as time, message content, asset information, database account, SQL template, client IP and port, server-side IP and port, database instance, number of affected rows, execution duration, operation type, and execution status.
Multi-dimensional alerting mechanism
- Security rules
Includes over 900 built-in security rules that cover common scenarios. These rules are continuously updated. Custom security rules are also supported.
Built-in security rules contain the signatures of known insecure SQL statements. Database Audit matches audited SQL statements against these rules to detect suspicious behavior.
- Risks from abnormal operations
Supports fine-grained definitions for monitoring risky access behaviors. These definitions can be based on various elements, such as IP address, user, database client tool, time, sensitive objects, number of returned rows, system objects, and high-risk operations.
- SQL injection
Provides a comprehensive SQL injection library and descriptions based on regular expressions or abstract syntax. It sends an immediate alert upon detecting abnormal database behavior.
- Blacklists and whitelists
You can define rules that precisely match specific access SQL statements to trigger an immediate alert.
Fine-grained reports
- Comprehensive analysis reports
Provides a comprehensive analysis of your database status. The analysis covers four dimensions: SQL statement execution, sessions, risk events, and SQL performance.
- Performance analysis reports
Analyzes database performance from five perspectives: performance trends, databases or system IDs (SIDs) with the worst performance, longest-running SQL statements, SQL statements with the worst performance, and most frequently executed SQL statements.
- Classified protection reference analysis reports
Provides analysis reports that align with the GB/T 28448-2019 standard for Classified Protection of Cybersecurity 2.0. These reports provide targeted analysis of security audit requirements, such as intrusion prevention, malicious code detection, and security audit monitoring.
- Statement analysis reports
Analyzes and displays statement information from five dimensions: SQL statement analysis, failed statement analysis, SQL statement trends, audit trends, and analysis of the most executed SQL templates.
- Session analysis reports
Includes four types of reports: new session analysis, failed session analysis, concurrent session analysis, and session count trend analysis.
- Alert analysis reports
Analyzes current alerts from four dimensions: alert trends, alert source analysis, alert object analysis, and rule hit analysis.
- Other reports
Includes four other types of reports: client tool analysis, database account analysis, database or SID analysis, and database access source IP analysis.