Abnormal behavior detection is an intelligent risk detection engine built into DataWorks Security Center. Through pre-configured intelligent detection policies, it continuously analyzes user operations on sensitive data and automatically identifies potential security threats that deviate from usual patterns and are hard to catch with fixed rules — for example, "an account downloads a large volume of data for the first time" or "a user uploads data at abnormal off-hours". It helps you proactively surface unknown risks and improve overall security posture and response capability.
How it works
Abnormal behavior detection is composed of the following three core modules, which together form a complete loop from policy management to event discovery to alert response.
- Smart Detection Strategy: The "intelligence brain" of risk identification. It contains a series of built-in, algorithm-based anomaly detection models. You do not need to configure complex rules; enable a policy and the system automatically analyzes user behavior and surfaces potential anomalies for you.
- Abnormal Event: Each hit on an enabled intelligent detection policy generates an anomaly event. All detected abnormal behavior events are displayed here. You can view the overall posture on the dashboard and filter, trace, and handle events in the list.
- Alert Policy: To enable proactive response, configure an alert policy. When an anomaly event meets the conditions you specify (for example, any "high-risk" event, or a specific "first-time data download" event), the system automatically pushes the alert to the designated recipients through channels such as email or text message.
Anomaly detection results have T+1 timeliness. Detection is not real-time; it is based on offline analysis of the previous day's (T) data. Therefore, the anomaly events you see today (T+1) reflect operations that occurred yesterday. Keep this time characteristic in mind when performing risk analysis and event tracing.
Limitations
- Applicable users: This feature is available to DataWorks Professional Edition or Enterprise Edition users who have enabled the new version of data security in Security Center.
- Supported regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Chengdu), China (Hong Kong), Japan (Tokyo), Singapore, and Indonesia (Jakarta).
- Supported compute engines: MaxCompute and Hologres.
Prerequisites
- The Alibaba Cloud account or RAM user that you use must meet one of the following conditions:
  - The Alibaba Cloud account or RAM user is attached with the AliyunDataWorksFullAccess policy.
  - The Alibaba Cloud account or RAM user is assigned the tenant security administrator role of DataWorks.
  - The Alibaba Cloud account or RAM user is assigned the tenant administrator role of DataWorks.
- You have completed Getting started.
  If you have activated the edition but have not completed data security initialization (first-time use), the page automatically redirects you to the Data Security guide page; follow the guide to complete initialization.
Go to the Abnormal behavior page
- Log on to the DataWorks console. In the target region, click in the left-side navigation pane. On the page that appears, click Go to Security Center.
- In the left-side navigation pane, choose .
Manage intelligent detection policies
On the Smart Detection Strategy tab, you can manage all built-in intelligent anomaly detection policies. They are the rule foundation for discovering anomaly events.
All intelligent detection policies are built into the system. Adding, editing, or deleting is not supported. You can only control whether each policy is enabled or disabled.
- In the policy list, find the policy to operate on. In the Active state column, use the toggle to Open or Close the policy.
- All policies are enabled by default. After a policy is disabled, the system no longer uses it to detect new anomaly events.
View and handle anomaly events
Based on the intelligent detection policies above, the system automatically judges, identifies, and generates anomaly events. On the Abnormal Event tab, you can monitor and handle all detected anomaly events.
View the event statistics dashboard
The core metrics dashboard helps you quickly understand the overall anomaly event posture.
| Metric | Description |
| --- | --- |
| Today's unusual event | Total number of anomaly events newly displayed today. Because anomaly behavior detection uses T+1 offline analysis, the events displayed here actually occurred the previous day (see the T+1 timeliness note at the beginning of this document). |
| Pending Events | Total number of historical anomaly events whose handling status is Pending. |
| Processed Events | Total number of historical anomaly events whose handling status is Processed. |
| Processing Rate | |
Filter anomaly events
The following filters are provided at the top of the event list to locate the target events within a large volume of history.
| Filter | Control type | Value source / Description |
| --- | --- | --- |
| Anomaly Detection Items | Multi-select dropdown | Comes from the list of built-in intelligent detection policies. |
| Tag processing status | Multi-select dropdown | Two states: Unprocessed / Processed. |
| Time | Date-time range | Start and end timestamps, accurate to hour/minute/second. |
| Operator | User multi-select | DataWorks tenant members. |
| Data scope | Cascading selector | Currently only the MaxCompute engine is supported, with the hierarchy Project → Schema → Table. |
The "Data scope" cascading selector only queries the directory tree of the MaxCompute engine. Filtering by engine or cascading to the directory is currently not available for anomaly events from other engines such as Hologres / EMR / DLF / StarRocks.
Handle a single event
The event list displays all detected anomaly events, with rich filtering and operation capabilities. You can handle a single event or view its details.
Currently, handling only means marking the event's status; the operation behind the event cannot be acted on from this interface.
- In the event list, find the event to handle. In the Operation column, click Immediate processing.
- In the dialog box that appears, change Tag processing status from Not treated to Processed (or the reverse), then click Confirm.
- For in-depth analysis, click Details in the Operation column. A drawer panel opens on the right, showing the full context of this anomaly event. The details include the following fields:
| Field | Description |
| --- | --- |
| Time | The time when the event occurred (based on T+1 scheduling, actually representing operations from the previous day). |
| Anomaly Detection Items | The name of the built-in policy that triggered the event. |
| Abnormal Description | Readable description of the hit policy. |
| Operator | The DataWorks user who performed the operation. |
| Abnormality Level | High / Medium / Low. |
| Data Engine | The engine type of the operation target. |
| Project | The project that owns the operation target. |
| Schema | The schema that owns the operation target. |
| Table | Name of the target table. |
| Row count | Number of rows involved in this operation (shown with thousands separators). |
| Data volume | Data size of this operation (automatically converted to B / KB / MB / GB / TB, with 2 decimal places). |
| Client IP | The client IP from which the operation was initiated. |
Batch handle events
To mark the handling status of multiple events at once, select the target rows in the event list (or select the header checkbox to select all events on the current page), click the Batch handle button at the bottom of the page, choose the target status (Processed or Not treated) in the dialog box, and confirm. Batch handling applies only to the selected events; when no row is selected, the Batch handle button is disabled (grayed out).
Configure alert policies
To close the loop from passive discovery to proactive response, configure alert policies here to ensure critical anomaly events reach the relevant responsible personnel immediately.
- Under the Abnormal behavior module, select the Alert Policy tab and click Create New Alert Policy.
- Define trigger conditions: Select the conditions that trigger the alert. The following dimensions are supported:
  - Abnormality Level: For example, all "high-risk" and above anomaly events.
  - Anomaly Detection Items: For specific categories of abnormal behavior that you focus on, such as all "first-time data download" events.
- Configure alert notifications: Select the notification channels you want. A total of 6 channels are supported: Email, Text message, Email + Text message, DingTalk group chatbot, Lark group chatbot, and WeCom group chatbot (multiple can be selected simultaneously). For each channel, select the corresponding Notification Recipients. Note that Email + Text message is a standalone combined channel (not the result of selecting "Email" and "Text message" separately). Lark group chatbot and WeCom group chatbot require you to fill in the corresponding group's Webhook URL in the notification recipient field.
- After configuration, click Confirm to save the policy. Once an anomaly event meets the policy conditions you configured, the system automatically triggers a notification.
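The following is an added illustration, not DataWorks code: it models an alert policy with the two trigger dimensions and the six channels described above, evaluates it over constructed T+1 anomaly events, and enforces the webhook requirement for the Lark and WeCom chatbot channels. The matching semantics (each configured dimension narrows the match, an unset dimension is a wildcard) and all event values are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# The six channels listed on the Alert Policy tab; the two chatbot channels take a webhook URL.
CHANNELS = {"Email", "Text message", "Email + Text message", "DingTalk group chatbot",
            "Lark group chatbot", "WeCom group chatbot"}
WEBHOOK_CHANNELS = {"Lark group chatbot", "WeCom group chatbot"}
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}          # Abnormality Level ordering

@dataclass
class AnomalyEvent:
    shown_on: date          # the T+1 day on which the event appears in the list
    detection_item: str     # Anomaly Detection Item (name of the built-in policy that fired)
    level: str              # High / Medium / Low
    operator: str

    @property
    def occurred_on(self) -> date:
        # T+1 timeliness: the operation itself happened the day before it was surfaced.
        return self.shown_on - timedelta(days=1)

@dataclass
class AlertPolicy:
    min_level: Optional[str] = None                 # e.g. "High" means High and above
    detection_items: Set[str] = field(default_factory=set)
    recipients: Dict[str, str] = field(default_factory=dict)   # channel -> recipient / webhook

    def validate(self) -> None:
        for channel, recipient in self.recipients.items():
            if channel not in CHANNELS:
                raise ValueError(f"unsupported channel: {channel}")
            if channel in WEBHOOK_CHANNELS and not recipient.startswith("https://"):
                raise ValueError(f"{channel} requires the group's webhook URL as recipient")

    def matches(self, ev: AnomalyEvent) -> bool:
        # Assumption: each configured dimension narrows the match; an unset dimension is a wildcard.
        if self.min_level and LEVEL_RANK[ev.level] < LEVEL_RANK[self.min_level]:
            return False
        if self.detection_items and ev.detection_item not in self.detection_items:
            return False
        return True

def route_alerts(policy: AlertPolicy, events: List[AnomalyEvent]) -> List[Tuple[str, str, str]]:
    """Return one (channel, recipient, summary) tuple per notification the policy would send."""
    policy.validate()
    sent = []
    for ev in events:
        if policy.matches(ev):
            summary = f"{ev.level}: {ev.detection_item} by {ev.operator} on {ev.occurred_on}"
            sent.extend((ch, rcpt, summary) for ch, rcpt in policy.recipients.items())
    return sent
```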
Manage baselines
Baseline management collects user operation behavior within a specified period as the security baseline for subsequent intelligent detection, feeding back into the algorithms that identify "baseline-deviation" behavior. At any point in time only one Effective baseline exists; resetting the baseline creates a new baseline that replaces the old one once its collection completes.
Baseline list fields
On the Abnormal behavior tab, switch to Baseline to view all baseline records for the current tenant. The columns are described below:
| Field | Description |
| --- | --- |
| Baseline name | The name entered when the baseline was created. |
| Collection start date | The date on which the baseline starts collecting behavior data. |
| Collection end date | The end date of collection, calculated from the start date plus the collection duration. |
| Collection duration | Displayed in the form configured days + extension days (for example, |
| Status | Baseline lifecycle status. See the table below. |
| Actions | Only baselines with the status Effective provide the "Disable" action; the Actions column is empty for the other three states. |
Baseline lifecycle: four states
| Status | Meaning |
| --- | --- |
| To be collected | The baseline has been created but the collection start date has not yet arrived. |
| Collecting | Behavior data is being collected. |
| Effective | Collection is complete, and the baseline participates in the intelligent detection algorithm. |
| Disabled | The user has actively disabled the baseline, or it was superseded by a new baseline and became invalid. |
Reset a baseline (create a new baseline)
Resetting a baseline creates a new baseline. Reset causes the currently effective baseline to become invalid immediately, and the new baseline takes effect automatically once collection completes. Steps:
- On the Baseline tab, click Reset baseline in the toolbar.
- Read the prompt at the top of the dialog box: "After the baseline is reset, the original baseline becomes invalid immediately; the new baseline takes effect automatically once collection is complete."
- Enter the Baseline name (required).
- Select the Start date (dates earlier than today cannot be selected).
- Set the Collection duration. The valid range is 7 to 30 days, and the default is 7 days.
- Click Confirm to submit. The new baseline enters the To be collected state.
7 to 30 days is the valid range for the collection duration; values outside this range cannot be submitted. The actual server-side constraint is subject to the system response.
Disable a baseline
Only baselines with the status Effective provide the Disable action. In the Actions column of the corresponding row, click Disable. After the second confirmation "Once disabled, the baseline will no longer take effect. Confirm disable?", the baseline enters the Disabled state.
At any point in time only one Effective baseline exists. If you need to replace the baseline, it is recommended to use Reset baseline directly (the new baseline automatically disables the old one when it takes effect); there is no need to manually disable and then create a new one.
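As an added example (not DataWorks code), the baseline lifecycle, the Reset baseline validation rules and the Disable action described in this section are modelled below so the state transitions can be checked offline. The status is derived from the collection dates; treating a still-collecting baseline from an earlier reset as superseded by a later reset is an assumption made to keep the single-Effective-baseline invariant.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional
MIN_DAYS, MAX_DAYS, DEFAULT_DAYS = 7, 30, 7    # collection duration limits from the Reset baseline dialog
@dataclass
class Baseline:
    name: str
    start: date             # Collection start date
    configured_days: int    # collection duration chosen in the dialog
    extension_days: int = 0 # extension days shown in the Collection duration column
    disabled: bool = False  # set by Disable, or by being superseded on reset

    @property
    def end(self) -> date:
        # Collection end date = start date + (configured days + extension days)
        return self.start + timedelta(days=self.configured_days + self.extension_days)

    def status(self, today: date) -> str:
        if self.disabled:
            return "Disabled"
        return "To be collected" if today < self.start else "Collecting" if today < self.end else "Effective"

class BaselineManager:
    def __init__(self) -> None:
        self.baselines: List[Baseline] = []

    def effective(self, today: date) -> Optional[Baseline]:
        hits = [b for b in self.baselines if b.status(today) == "Effective"]
        assert len(hits) <= 1, "at most one Effective baseline may exist at any time"
        return hits[0] if hits else None

    def reset(self, name: str, start: date, days: int, today: date) -> Baseline:
        if not name:
            raise ValueError("Baseline name is required")
        if start < today:
            raise ValueError("dates earlier than today cannot be selected")
        if not MIN_DAYS <= days <= MAX_DAYS:
            raise ValueError(f"collection duration must be {MIN_DAYS}-{MAX_DAYS} days")
        # The original baseline becomes invalid immediately (assumption: a still-collecting one too).
        for b in self.baselines:
            b.disabled = True
        new = Baseline(name, start, days)
        self.baselines.append(new)
        return new

    def disable(self, baseline: Baseline, today: date) -> None:
        # The Disable action is offered only for baselines in the Effective state.
        if baseline.status(today) != "Effective":
            raise ValueError("only an Effective baseline can be disabled")
        baseline.disabled = True
```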