Abnormal behavior


Abnormal behavior detection is an intelligent risk detection engine built into DataWorks Security Center. Through pre-configured intelligent detection policies, it continuously analyzes user operations on sensitive data and automatically identifies potential security threats that deviate from usual patterns and are hard to catch with fixed rules — for example, "an account downloads a large volume of data for the first time" or "a user uploads data at abnormal off-hours". It helps you proactively surface unknown risks and improve overall security posture and response capability.

How it works

Abnormal behavior is composed of the following three core modules, which together form a complete loop from policy management to event discovery to alert response.

  • Smart Detection Strategy

    The "intelligence brain" of risk identification. It contains a series of built-in, algorithm-based anomaly detection models. You do not need to configure complex rules — just enable a policy and the system will automatically analyze and surface potential anomalies for you.

  • Abnormal Event

    Each time an enabled intelligent detection policy is hit, an anomaly event is produced. All detected abnormal behavior events are displayed here. You can view the overall posture through the dashboard and filter, trace, and handle events in the list.

  • Alert Policy

    To enable proactive response, configure an alert policy. When an anomaly event meets the conditions you specify (for example, any "high-risk" event, or a specific "first-time data download" event), the system automatically pushes the alert to the designated recipients through channels such as email or text message.

Important

Anomaly detection results have a T+1 timeliness. Detection is not real-time; it is based on offline analysis of the previous day (T)'s data. Therefore, anomaly events you see today (T+1) reflect operations that occurred yesterday. Keep this time characteristic in mind when performing risk analysis and event tracing.

Limitations

  • Applicable users: This feature is available to DataWorks Professional Edition or Enterprise Edition users who have enabled the new version of data security in Security Center.

  • Supported regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Chengdu), China (Hong Kong), Japan (Tokyo), Singapore, and Indonesia (Jakarta).

  • Supported compute engines: MaxCompute and Hologres.

Prerequisites

  • The Alibaba Cloud account or a RAM user that you use must meet one of the following conditions:

    • The Alibaba Cloud account or RAM user is attached with the AliyunDataWorksFullAccess policy.

    • The Alibaba Cloud account or RAM user is assigned the tenant security administrator role of DataWorks.

    • The Alibaba Cloud account or RAM user is assigned the tenant administrator role of DataWorks.

  • You have completed Getting started.

Note

If you have activated the edition but have not completed data security initialization (first-time use), the page automatically redirects you to the Data Security guide page; follow the guide to complete initialization.

Go to the Abnormal behavior page

  1. Log on to the DataWorks console. In the target region, click Data Governance > Security Center in the left-side navigation pane. On the page that appears, click Go to Security Center.

  2. In the left-side navigation pane, choose Security risk > Abnormal behavior.

Manage intelligent detection policies

On the Smart Detection Strategy tab, you can manage all built-in intelligent anomaly detection policies. They are the rule foundation for discovering anomaly events.

Important

All intelligent detection policies are built into the system. Adding, editing, or deleting is not supported. You can only control whether each policy is enabled or disabled.

  1. In the policy list, find the policy to operate on. In the Active state column, use the toggle to Open or Close the policy.

  2. All policies are enabled by default. After a policy is disabled, the system no longer uses it to detect new anomaly events.

View and handle anomaly events

Based on the intelligent detection policies above, the system automatically judges, identifies, and generates anomaly events. On the Abnormal Event tab, you can monitor and handle all detected anomaly events.

View the event statistics dashboard

The core metrics dashboard helps you quickly understand the overall anomaly event posture.

  • Today's unusual event: Total number of anomaly events newly displayed today. Because anomaly behavior detection uses T+1 offline analysis, the events displayed here actually occurred the previous day (read together with the T+1 timeliness note at the beginning of this document).

  • Pending Events: Total number of historical anomaly events whose handling status is Pending.

  • Processed Events: Total number of historical anomaly events whose handling status is Processed.

  • Processing Rate: Processed events / (Pending events + Processed events) * 100%, an intuitive reflection of event closure.

Filter anomaly events

The following filters are provided at the top of the event list to locate the target events within a large volume of history.

  • Anomaly Detection Items (multi-select dropdown): Values come from the list of built-in intelligent detection policies.

  • Tag processing status (multi-select dropdown): Two states: Unprocessed / Processed.

  • Time (date-time range): Start and end timestamps, accurate to hour/minute/second.

  • Operator (user multi-select): DataWorks tenant members.

  • Data scope (cascading selector): Currently only the MaxCompute engine is supported, with the hierarchy Project → Schema → Table.

Note

The "Data scope" cascading selector only queries the directory tree of the MaxCompute engine. Filtering by engine or cascading to the directory is currently not available for anomaly events from other engines such as Hologres / EMR / DLF / StarRocks.

Handle a single event

Note

Currently, handling only supports marking the event status; the event itself cannot be processed within this interface.

The event list displays all detected anomaly events, with rich filtering and operation capabilities. You can handle a single event or view its details.

  1. In the event list, find the event to handle. In the Operation column, click Immediate processing.

  2. In the dialog box that appears, change Tag processing status from Not treated to Processed (or the reverse), then click Confirm.

  3. For in-depth analysis, click Details in the Operation column. A drawer panel opens on the right, showing the full context of this anomaly event. The details include the following fields:

    • Time: The time when the event occurred (based on T+1 scheduling, actually representing operations from the previous day).

    • Anomaly Detection Items: The name of the built-in policy that triggered the event.

    • Abnormal Description: Readable description of the hit policy.

    • Operator: The DataWorks user who performed the operation.

    • Abnormality Level: High / Medium / Low.

    • Data Engine: The engine type of the operation target.

    • Project: The project that owns the operation target.

    • Schema: The schema that owns the operation target.

    • Table: Name of the target table.

    • Row count: Number of rows involved in this operation (shown with thousands separators).

    • Data volume: Data size of this operation (automatically converted to B / KB / MB / GB / TB, with 2 decimal places).

    • Client IP: The client IP from which the operation was initiated.

Batch handle events

To mark the handling status of multiple events at once, select target rows in the event list (or select the header checkbox to select all on the current page), click the Batch handle button at the bottom of the page, choose the target status (Processed or Not treated) in the dialog box, and confirm. Batch handling only applies to the selected events; when no row is selected, the Batch handle button is disabled (grayed out).

Configure alert policies

To close the loop from passive discovery to proactive response, configure alert policies here to ensure critical anomaly events reach the relevant responsible personnel immediately.

  1. Under the Abnormal behavior module, select the Alert Policy tab and click Create New Alert Policy.

  2. Define trigger conditions: Select the conditions that trigger the alert. The following dimensions are supported:

    • Abnormality Level: For example, all "high-risk" and above anomaly events.

    • Anomaly Detection Items: For specific categories of abnormal behavior that you focus on, such as all "first-time data download" events.

  3. Configure alert notifications: Select the notification channels you want. A total of 6 channels are supported: Email, Text message, Email + Text message, DingTalk group chatbot, Lark group chatbot, and WeCom group chatbot (multiple can be selected simultaneously). For each channel, select the corresponding Notification Recipients. Note that Email + Text message is a standalone combined channel (not the result of selecting "Email" and "Text message" separately). Lark group chatbot and WeCom group chatbot require you to fill in the corresponding group's Webhook URL in the notification recipient field.

  4. After configuration, click Confirm to save the policy. Once an anomaly event meets the policy conditions you configured, the system automatically triggers a notification.
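The following is an added example that is not part of this document or of DataWorks itself: a small model of how an alert policy's trigger conditions and notification channels combine, so you can sanity-check a policy design before creating it in the console. It uses the two condition dimensions (Abnormality Level, Anomaly Detection Items) and the six channels listed above; the event and policy classes, the sample events, and the rule that every configured dimension must hold (an unconfigured dimension matches every event) are assumptions made for the example, as is the placeholder webhook URL.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Severity order used for "high-risk and above" style conditions (levels from the page).
LEVEL_RANK = {"Low": 1, "Medium": 2, "High": 3}

# The six channels listed on the page. "Email + Text message" is a standalone combined
# channel, and the Lark / WeCom chatbots take the group's Webhook URL as recipient.
ALL_CHANNELS = {
    "Email", "Text message", "Email + Text message",
    "DingTalk group chatbot", "Lark group chatbot", "WeCom group chatbot",
}
WEBHOOK_CHANNELS = {"Lark group chatbot", "WeCom group chatbot"}


@dataclass
class AnomalyEvent:            # hypothetical shape of one anomaly event
    event_id: str
    level: str                 # High / Medium / Low
    detection_item: str        # name of the built-in policy that produced the event
    operator: str


@dataclass
class AlertPolicy:             # hypothetical shape of one alert policy
    name: str
    min_level: Optional[str] = None            # e.g. "High" means High and above
    detection_items: Set[str] = field(default_factory=set)
    # channel -> recipient (address / phone / group, or Webhook URL for Lark and WeCom)
    recipients: Dict[str, str] = field(default_factory=dict)


def validate_policy(policy: AlertPolicy) -> None:
    """Reject a policy that could never fire or that misuses a channel."""
    if policy.min_level is None and not policy.detection_items:
        raise ValueError(f"{policy.name}: no trigger condition configured")
    if policy.min_level is not None and policy.min_level not in LEVEL_RANK:
        raise ValueError(f"{policy.name}: unknown level {policy.min_level!r}")
    if not policy.recipients:
        raise ValueError(f"{policy.name}: no notification channel selected")
    for channel, recipient in policy.recipients.items():
        if channel not in ALL_CHANNELS:
            raise ValueError(f"{policy.name}: unsupported channel {channel!r}")
        if channel in WEBHOOK_CHANNELS and not recipient.startswith("https://"):
            raise ValueError(f"{policy.name}: {channel} needs the group's Webhook URL")


def policy_matches(policy: AlertPolicy, event: AnomalyEvent) -> bool:
    """Assumption: every configured dimension must hold; an unset dimension matches all."""
    if policy.min_level is not None and LEVEL_RANK[event.level] < LEVEL_RANK[policy.min_level]:
        return False
    if policy.detection_items and event.detection_item not in policy.detection_items:
        return False
    return True


def route_alerts(policies: List[AlertPolicy],
                 events: List[AnomalyEvent]) -> List[Tuple[str, str, str, str]]:
    """Return one (policy name, channel, recipient, event id) tuple per notification."""
    for policy in policies:
        validate_policy(policy)
    notifications = []
    for event in events:
        for policy in policies:
            if policy_matches(policy, event):
                for channel, recipient in policy.recipients.items():
                    notifications.append((policy.name, channel, recipient, event.event_id))
    return notifications


# Constructed sample data (not from the page): two policies, three events.
POLICIES = [
    AlertPolicy("high-risk", min_level="High",
                recipients={"Email + Text message": "secops@example.com"}),
    AlertPolicy("first-download", detection_items={"first-time data download"},
                recipients={"Lark group chatbot": "https://lark.example/hook/PLACEHOLDER"}),
]
EVENTS = [
    AnomalyEvent("e1", "High", "abnormal off-hours upload", "alice"),
    AnomalyEvent("e2", "Medium", "first-time data download", "bob"),
    AnomalyEvent("e3", "High", "first-time data download", "carol"),
]

if __name__ == "__main__":
    for row in route_alerts(POLICIES, EVENTS):
        print(row)
```

Running it shows e1 reaching only the high-risk policy, e2 only the first-download policy, and e3 both, which is the behaviour to expect when one event satisfies several policies: each policy notifies its own recipients independently.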

Manage baselines

Baseline management collects user operation behavior within a specified period as the security baseline for subsequent intelligent detection, feeding back into the algorithms that identify "baseline-deviation" behavior. At any point in time only one Effective baseline exists; resetting the baseline creates a new baseline that replaces the old one once its collection completes.

Baseline list fields

On the Abnormal behavior tab, switch to Baseline to view all baseline records for the current tenant. The columns are described below:

  • Baseline name: The name entered when the baseline was created.

  • Collection start date: The date on which the baseline starts collecting behavior data.

  • Collection end date: The end date of collection, calculated from the start date plus the collection duration.

  • Collection duration: Displayed in the form configured days + extension days (for example, 7+2). If data for a specific day is empty (considered invalid collection), the collection duration is extended by one day.

  • Status: Baseline lifecycle status. See the table below.

  • Actions: Only baselines with the status Effective provide the "Disable" action; the Actions column is empty for the other three states.

Baseline lifecycle: four states

  • To be collected: The baseline has been created but the collection start date has not yet arrived.

  • Collecting: Behavior data is being collected.

  • Effective: Collection is complete, and the baseline participates in the intelligent detection algorithm.

  • Disabled: The user has actively disabled the baseline, or it was superseded by a new baseline and became invalid.

Reset a baseline (create a new baseline)

Resetting a baseline creates a new baseline. Reset causes the currently effective baseline to become invalid immediately, and the new baseline takes effect automatically once collection completes. Steps:

  1. On the Baseline tab, click Reset baseline in the toolbar.

  2. Read the prompt at the top of the dialog box: "After the baseline is reset, the original baseline becomes invalid immediately; the new baseline takes effect automatically once collection is complete."

  3. Enter the Baseline name (required).

  4. Select the Start date (dates earlier than today cannot be selected).

  5. Set the Collection duration. The valid range is 7 to 30 days, and the default is 7 days.

  6. Click Confirm to submit. The new baseline enters the To be collected state.

Note

7 to 30 days is the valid range for the collection duration; values outside this range cannot be submitted. The actual server-side constraint is subject to the system response.
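As an added example (not code from this document or from DataWorks), the following models the baseline rules described in this section: the 7 to 30 day duration range and its default, the "configured days + extension days" label, the end-date calculation with one extra day per empty day, the four lifecycle states, and the reset and disable actions. The class names, the assumption that a baseline becomes Effective on the day after its end date, and the assumption that the reset invalidates the current Effective baseline immediately (following the reset dialog's wording) are the example's own; the set of empty days is passed in up front only so that the end date can be computed offline.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Tuple

# Collection-duration bounds and default, as stated on the page.
MIN_DAYS, MAX_DAYS, DEFAULT_DAYS = 7, 30, 7


def plan_collection(start: date, configured_days: int,
                    empty_days: FrozenSet[date]) -> Tuple[date, int]:
    """Return (inclusive end date, extension days) for a collection window.

    Assumption: a day with no behavior data is invalid and pushes the window out
    by one day, until `configured_days` days with data have been collected.
    """
    if not MIN_DAYS <= configured_days <= MAX_DAYS:
        raise ValueError(f"collection duration must be {MIN_DAYS} to {MAX_DAYS} days")
    valid, extension, day = 0, 0, start
    while valid < configured_days:
        if day in empty_days:
            extension += 1
        else:
            valid += 1
        day += timedelta(days=1)
    return day - timedelta(days=1), extension


@dataclass
class Baseline:                       # hypothetical shape of one baseline record
    name: str
    start: date
    configured_days: int
    end: date
    extension_days: int
    disabled: bool = False

    def duration_label(self) -> str:
        return f"{self.configured_days}+{self.extension_days}"      # e.g. "7+2"

    def status(self, today: date) -> str:
        """Derive the four lifecycle states; Effective begins the day after `end`."""
        if self.disabled:
            return "Disabled"
        if today < self.start:
            return "To be collected"
        if today <= self.end:
            return "Collecting"
        return "Effective"


class BaselineTenant:
    """Baselines of one tenant; at most one is Effective at any point in time."""

    def __init__(self) -> None:
        self.baselines: List[Baseline] = []

    def effective(self, today: date) -> List[Baseline]:
        return [b for b in self.baselines if b.status(today) == "Effective"]

    def reset(self, today: date, name: str, start: date,
              configured_days: int = DEFAULT_DAYS,
              empty_days: FrozenSet[date] = frozenset()) -> Baseline:
        """Create a new baseline; the current Effective one becomes invalid immediately."""
        if not name:
            raise ValueError("baseline name is required")
        if start < today:
            raise ValueError("start date cannot be earlier than today")
        end, extension = plan_collection(start, configured_days, empty_days)
        for old in self.effective(today):
            old.disabled = True
        new = Baseline(name, start, configured_days, end, extension)
        self.baselines.append(new)
        return new

    def disable(self, today: date, baseline: Baseline) -> None:
        """The manual Disable action is only offered for Effective baselines."""
        if baseline.status(today) != "Effective":
            raise ValueError("only an Effective baseline can be disabled")
        baseline.disabled = True


if __name__ == "__main__":
    # Constructed scenario: reset on 2024-06-03 with two empty days in the window.
    tenant = BaselineTenant()
    tenant.reset(date(2024, 5, 1), "initial", date(2024, 5, 1))
    today = date(2024, 6, 3)
    new = tenant.reset(today, "q2-reset", today, 7,
                       frozenset({date(2024, 6, 5), date(2024, 6, 8)}))
    print(new.duration_label(), new.end, new.status(today), new.status(date(2024, 6, 12)))
```

With two empty days the window ends on 2024-06-11 instead of 2024-06-09 and the duration reads "7+2"; the earlier baseline flips to Disabled as soon as the reset is submitted, and the new one is Collecting until its end date has passed.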

Disable a baseline

Only baselines with the status Effective provide the Disable action. In the Actions column of the corresponding row, click Disable. After the second confirmation "Once disabled, the baseline will no longer take effect. Confirm disable?", the baseline enters the Disabled state.

Important

At any point in time only one Effective baseline exists. If you need to replace the baseline, it is recommended to use Reset baseline directly (the new baseline automatically disables the old one when it takes effect); there is no need to manually disable and then create a new one.