Sensitive Data Discovery and Protection (SDDP) can detect anomalous events related to sensitive data and generate alerts. On the Anomalous Event Processing page, you can confirm an anomalous event as a violation or exclude an anomalous event as a false positive.

SDDP divides anomalous events into the following types:
  • Anomalous permission usage: Permissions are used anomalously. For example, a user logs on from an unusual IP address or by using the AccessKey of another user.
  • Anomalous data flow: Anomalous events are detected during data flows. For example, a user downloads sensitive data files unnecessarily or during an unusual time period.
  • Anomalous data operation: Anomalous operations are performed on sensitive data. For example, a user modifies sensitive fields.
On the Anomalous Event Processing page, you can perform the following operations:
  • View the statistics on anomalous events that are detected in different cloud services.
  • Process anomalous events. You can confirm an anomalous event as a violation or exclude an anomalous event as a false positive.
  • Query anomalous events.

View the statistics on anomalous events

On the Anomalous Event Processing page, you can view the statistics on anomalous events, including the types of anomalous events, the number of unprocessed anomalous events, and the number of processed anomalous events.

Process anomalous events

On the Anomalous Event Processing page, you can view the details of anomalous events and process anomalous events.
  • To view the details of an anomalous event, click View Details in the Actions column for the anomalous event, and view the details in the Anomalous Event Details dialog box that appears. This dialog box displays the basic information about the event, the cloud service where the event occurs, the event description, and suggestions on processing the event.
  • To process an anomalous event, click Process in the Actions column for the anomalous event, and process it in the Anomalous Event Processing dialog box that appears. Generally, SDDP reports an anomalous event when an unauthorized user accesses or downloads sensitive data, an authorized user accesses or downloads sensitive data in an unusual time period, or a user accesses sensitive data from an unusual terminal.
    After SDDP detects anomalous events, it displays them on the Anomalous Event Processing page for you to process.
    • Add Processing Record: Enter remarks about the anomalous event. The remarks are useful to analyze the event later.
    • Anomalous Event Verification:
      • Confirmed and Processed: If a detected event is indeed an anomalous one, you must manually process this event in the corresponding cloud service based on the details and processing suggestions provided in the Anomalous Event Details dialog box. After the event is processed, select this option. If you select this option without manually processing the event in the corresponding service, SDDP keeps generating alerts for the event.
      • False Positive: Select this option if you are certain that the detected event is a normal one and does not need to be processed. After you select this option, SDDP no longer generates alerts for this event. That is, this event will no longer appear on the Anomalous Event Processing page.
    • Anomalous Event Sample-based Enhancement: If you select this check box, an event confirmed as a false positive will be added to the library of false positive samples to increase the accuracy rate of detecting anomalous events.
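
The reporting conditions and the false-positive handling described above, as an added Python illustration that is not SDDP's own code or API. The baseline fields, the use of the source IP address as the "terminal", and the key used to match false-positive samples are assumptions, and all records are constructed.

```python
from datetime import datetime

# Constructed per-user baseline (assumption): authorization for sensitive
# data, usual source IPs (standing in for "terminal"), usual working hours.
BASELINE = {
    "alice": {"authorized": True, "ips": {"203.0.113.10"}, "hours": range(8, 19)},
    "bob": {"authorized": False, "ips": {"203.0.113.20"}, "hours": range(8, 19)},
}

# Constructed access records for objects already classified as sensitive.
EVENTS = [
    {"id": 1, "user": "alice", "ip": "203.0.113.10", "time": "2024-05-06T10:15:00"},
    {"id": 2, "user": "alice", "ip": "203.0.113.10", "time": "2024-05-07T02:40:00"},
    {"id": 3, "user": "alice", "ip": "198.51.100.7", "time": "2024-05-07T11:00:00"},
    {"id": 4, "user": "bob", "ip": "203.0.113.20", "time": "2024-05-07T14:30:00"},
]


def classify(event):
    """Return the reasons an access to sensitive data looks anomalous."""
    profile = BASELINE[event["user"]]
    hour = datetime.fromisoformat(event["time"]).hour
    reasons = []
    if not profile["authorized"]:
        reasons.append("unauthorized user")
    if hour not in profile["hours"]:
        reasons.append("unusual time period")
    if event["ip"] not in profile["ips"]:
        reasons.append("unusual terminal")
    return reasons


def triage(events, false_positive_samples):
    """Return (event id, reasons) alerts, skipping confirmed false positives."""
    alerts = []
    for event in events:
        reasons = classify(event)
        # Assumed sample key: same user, same source IP, same reasons.
        key = (event["user"], event["ip"], tuple(reasons))
        if reasons and key not in false_positive_samples:
            alerts.append((event["id"], reasons))
    return alerts


if __name__ == "__main__":
    print(triage(EVENTS, set()))
    # Event 3 confirmed as a false positive and added to the sample library.
    print(triage(EVENTS, {("alice", "198.51.100.7", ("unusual terminal",))}))
```
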

Query anomalous events

You can query anomalous events by event type, event status, and alert time. The time range for querying events is not restricted.