This topic describes the built-in anomalous activity detection rules that Sensitive Data Discovery and Protection (SDDP) provides.

| Type | Anomalous activity | Possible cause | Supported service |
| --- | --- | --- | --- |
| Anomalous data flow | Sensitive data download in an unusual location | An external attacker obtained the logon credentials of an account and used the account to download sensitive data. | Object Storage Service (OSS), Relational Database Service (RDS), and MaxCompute |
| Anomalous data flow | Sensitive data download on an unusual terminal | An external attacker obtained the logon credentials of an account and used the account to download sensitive data, or an employee downloaded sensitive data to a personal terminal. | OSS |
| Anomalous data flow | Sensitive data download during an unusual period | An external attacker obtained the logon credentials of an account and used the account to download sensitive data, or an employee downloaded sensitive data after working hours. | OSS, RDS, and MaxCompute |
| Anomalous data flow | Sensitive data download for the first time | An account was mistakenly granted the permission to download sensitive data. | OSS, RDS, and MaxCompute |
| Anomalous data flow | Anomalous volume of downloaded sensitive data | An external attacker obtained the logon credentials of an account and used the account to download sensitive data, or an employee maliciously backed up sensitive data. | OSS, RDS, and MaxCompute |
| Anomalous data flow | Download of unnecessary sensitive tables | An account was mistakenly granted the permission to download sensitive data. | RDS and MaxCompute |
| Anomalous data flow | Unusually low log output | The logging feature encountered a failure. As a result, anomalous data operations cannot be effectively detected. | OSS, RDS, and MaxCompute |
| Anomalous data flow | Anomalous volume of downloaded objects | An external attacker obtained the logon credentials of an account and used the account to download sensitive data, or an employee maliciously backed up sensitive data. | OSS |
| Anomalous data flow | Anomalous volume of downloaded data | An external attacker obtained the logon credentials of an account and used the account to download sensitive data, or an employee maliciously backed up sensitive data. | RDS and MaxCompute |
| Anomalous permission access | Unusual logon time | An external attacker obtained the logon credentials of an account and used the account to log on to the service, or an employee logged on to the service after working hours. | OSS, RDS, and MaxCompute |
| Anomalous permission access | Unusual logon terminal | An external attacker obtained the logon credentials of an account and used the account to log on to the service, or an employee logged on to the service from a personal terminal. | OSS, RDS, and MaxCompute |
| Anomalous permission access | Unusual logon location | An external attacker obtained the logon credentials of an account and used the account to log on to the service. | OSS, RDS, and MaxCompute |
| Anomalous permission access | Download of sensitive objects from an unusual OSS bucket | An account was mistakenly granted the permission to download sensitive data. | OSS |
| Anomalous permission access | No protection for a sensitive MaxCompute project | Protection was disabled for a sensitive MaxCompute project. As a result, the MaxCompute project is not protected when data flows out of it. | MaxCompute |
| Anomalous permission access | LabelSecurity disabled for a sensitive MaxCompute project | LabelSecurity was disabled for a sensitive MaxCompute project. As a result, the workspace administrator cannot control user access to sensitive data in the MaxCompute project. | MaxCompute |
| Anomalous permission access | Sensitive OSS bucket at the public security level | The security level of a sensitive OSS bucket was set to public. As a result, external users can access sensitive data in the OSS bucket by calling the relevant API operation. | OSS |
| Anomalous permission access | Permission idle beyond the maximum idle period | An unnecessary permission was granted, which violates the principle of least privilege (minimum authorization). External attackers who obtain such permissions are difficult to detect. | OSS, RDS, and MaxCompute |
| Anomalous permission access | Multiple accesses to a nonexistent object | An external attacker made repeated access attempts. | OSS |
| Anomalous permission access | Multiple accesses to an unauthorized object | An external attacker made repeated access attempts. | OSS |
| Anomalous permission access | Multiple failed access attempts | An external attacker made repeated access attempts. | OSS, RDS, and MaxCompute |
| Anomalous data operation | Anomalously low risk level marked for a MaxCompute project | The risk level marked for a MaxCompute project was maliciously lowered. As a result, permission control lost effectiveness and data security protection cannot cover all sensitive data. | MaxCompute |
| Anomalous data operation | Sensitive field modification in the SDDP console | An employee maliciously modified sensitive fields in the SDDP console. Compared with data modification in the SDDP console, data modification through applications is riskier. | MaxCompute |
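The "Anomalous data flow" rules above are all baseline comparisons: the current download is judged against what the same account has done before. The following added example (not SDDP's own code) shows that logic for four of the rules over constructed download events; the event fields, the per-account baseline, the working hours and the volume factor are assumptions.

```python
"""Baseline evaluation of four 'Anomalous data flow' rules from the table.
Added example, not SDDP code: field layout, thresholds and hours are assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed history of sensitive-data downloads:
# (account, ISO timestamp, logon location, bytes downloaded)
HISTORY = [
    ("alice", "2024-03-01T10:15:00", "Hangzhou", 20_000_000),
    ("alice", "2024-03-02T14:05:00", "Hangzhou", 25_000_000),
    ("alice", "2024-03-03T09:40:00", "Hangzhou", 18_000_000),
    ("alice", "2024-03-04T16:20:00", "Hangzhou", 22_000_000),
]
WORK_HOURS = range(9, 19)  # assumed working hours: 09:00 to 18:59 local time


def build_baseline(events):
    """Per-account profile: locations seen so far and volumes observed."""
    profile = defaultdict(lambda: {"locations": set(), "volumes": []})
    for account, _ts, location, size in events:
        profile[account]["locations"].add(location)
        profile[account]["volumes"].append(size)
    return dict(profile)


def evaluate(event, profile, volume_factor=5):
    """Return the names of the table's rules that this download triggers."""
    account, ts, location, size = event
    baseline = profile.get(account)
    if baseline is None:
        # No earlier sensitive download by this account: possibly a
        # mistakenly granted permission rather than stolen credentials.
        return ["Sensitive data download for the first time"]
    hits = []
    if location not in baseline["locations"]:
        hits.append("Sensitive data download in an unusual location")
    if datetime.fromisoformat(ts).hour not in WORK_HOURS:
        hits.append("Sensitive data download during an unusual period")
    # Volume rule: compare with the account's mean historical download size.
    mean = sum(baseline["volumes"]) / len(baseline["volumes"])
    if size > volume_factor * mean:
        hits.append("Anomalous volume of downloaded sensitive data")
    return hits


if __name__ == "__main__":
    profile = build_baseline(HISTORY)
    print(evaluate(("alice", "2024-03-05T02:30:00", "Frankfurt", 400_000_000), profile))
```

A single triggered rule is a lead for review; several rules firing on one event (new location, off-hours, large volume) is the pattern the table attributes to stolen credentials or a bulk backup.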