Sensitive Data Discovery and Protection (SDDP) can detect anomalous events related to sensitive data and generate alerts. On the Anomalous Event Processing page, you can confirm an anomalous event as a violation or exclude an anomalous event as a false positive.
- Anomalous permission usage: Permissions are used anomalously. For example, a user logs on from an unusual IP address or by using the AccessKey of another user.
- Anomalous data flow: Anomalous events are detected during data flows. For example, a user downloads sensitive data files unnecessarily or during an unusual time period.
- Anomalous data operation: Anomalous operations are performed on sensitive data. For example, a user modifies sensitive fields.
- View the statistics on anomalous events that are detected in different cloud services.
- Process anomalous events. You can confirm an anomalous event as a violation or exclude an anomalous event as a false positive.
- Query anomalous events.
View the statistics on anomalous events
Process anomalous events
- To view the details of an anomalous event, click View Details in the Actions column for the anomalous event, and view the details in the Anomalous Event Details dialog box that appears. This dialog box displays the basic information about the event, the cloud service where the event occurs, event description, and suggestions on processing the event.
- To process an anomalous event, click Process in the Actions column for the anomalous event, and process it in the Anomalous Event Processing dialog box that appears. Generally, SDDP reports an anomalous event when an unauthorized user accesses or downloads sensitive data, an authorized user accesses or downloads sensitive data in an unusual time period, or a user accesses sensitive data from an unusual terminal.
After SDDP detects anomalous events, it displays them on the Anomalous Event Processing page for you to process.
- Add Processing Record: Enter remarks about the anomalous event. The remarks are useful for analyzing the event later.
- Anomalous Event Verification:
  - Confirmed and Processed: If a detected event is indeed an anomalous one, you must manually process this event in the corresponding cloud service based on the details and processing suggestions provided in the Anomalous Event Details dialog box. After the event is processed, select this option. If you select this option without manually processing the event in the corresponding service, SDDP keeps generating alerts for the event.
  - False Positive: Select this option if you are certain that the detected event is a normal one and does not need to be processed. After you select this option, SDDP no longer generates alerts for this event. That is, this event will no longer appear on the Anomalous Event Processing page.
- Anomalous Event Sample-based Enhancement: If you select this check box, an event confirmed as a false positive is added to the library of false positive samples to improve the accuracy of anomalous event detection.