Intelligent Analysis allows the Database Audit system to learn the database operation patterns of users. The system statistically analyzes information, such as the IP addresses and client tools involved in user operations, to generate alerts for abnormal behavior. This helps you detect abnormal database activities. This topic describes how to add and query behavior model learning tasks in Database Audit.
Background information
Database Audit has eight built-in behavior model dimensions. The system learns behavior based on these eight dimensions over a period of time. The learning results are displayed from different perspectives. The system generates alerts for abnormal behavior for operations that fall outside the learned scope.
Add a behavior model learning task
Add a behavior model learning task to specify the objects for the model to learn from.
Log on to the Database Audit system. For more information, see Log on to the Database Audit system.
In the navigation pane on the left, choose .
On the Behavior Model page, click Add.
In the Behavior Model Learning Configuration dialog box, set the parameters and click Start Learning.
Configuration Item
Description
Asset
Select an asset. To find an asset quickly, search by its name or IP address.
Learning Dimension
Specify the dimension that the behavior model engine uses for statistical analysis.
Learning End Time
The end time for the behavior model learning task. The default is one week.
Alert Level
Options include No Alert, Low Risk, Medium Risk, and High Risk. The default is Low Risk.
Learning Scope (IP)
To specify an IP address range for the learning task, click More Configurations. Configure the range of client IP addresses for the behavior model engine to learn. The following three formats are supported:
Multiple IP addresses separated by commas (,).
An IP address range that uses an asterisk (*) as a wildcard for numbers from 0 to 255. For example: 192.168.0.* or 10.1.*.*.
An IP address range. For example: 192.168.2.1~192.168.2.128.
Understand the model learning trend graph
After you add a behavior model learning task, you can click the number in the Model Count column of the target task to view the behavior model trend graph. The horizontal axis of the graph represents the data timestamp, and the vertical axis represents the model count.
End or restart learning
The Database Audit system checks new audit logs for an asset against the learned rules only after the behavior model learning task ends. If an operation does not match the learned rules, the system generates an alert based on the rules defined in the learning task. Alerts are not generated for learning tasks that are in progress.
To end the current learning task, click End Learning in the Actions column of the target task.
If your database services change significantly, you need to restart the learning process. Click Restart Learning in the Actions column of the target task and configure the behavior model learning task.
Restarting the learning process stops the detection of database operations. Restart the learning process only if you do not need continuous detection.
Query model details
After a learning task has run for a period of time, you can view the details of the model generated for the specified asset.
Log on to the Database Audit system. For more information, see Log on to the Database Audit system.
In the navigation pane on the left, choose .
On the Task Configuration tab, click the name of the target asset.
Alternatively, on the Model Query tab, select the corresponding asset to view the behavior model generated for it.
On the Model Query tab, you can view the model results generated from the behavior learning analysis for the asset.
You can set filter conditions and click Analyze to view the results. To view the details of a node, click the node in the results graph.
View alert information
After a learning task ends, you can go to the page to view the alerts that are automatically generated by the behavior model. The rule type for these alerts is Behavior Model.