
DataWorks: Abnormal behavior

Last Updated: Mar 26, 2026

Abnormal behavior detection is an intelligent risk detection engine in DataWorks Security Center. It continuously analyzes user operations on sensitive data using pre-configured detection policies, and automatically surfaces potential threats that are difficult to catch with fixed rules — for example:

  • An account downloads a large volume of data for the first time

  • A user uploads data outside of working hours

This gives security administrators a proactive way to discover unknown threats and respond before damage occurs.

Important

Detection results are available on a T+1 basis. The engine runs offline analysis on the previous day's data (T), so anomalous events visible today (T+1) reflect operations that occurred yesterday. Factor this lag into your risk analysis and incident tracing.

How it works

The feature comprises three core modules that form a complete cycle from policy management to event discovery and alert response:

  • Smart detection strategy — The intelligence layer. Built-in algorithm-based anomaly detection models analyze your data automatically. No rule configuration is required; just enable the policies.

  • Abnormal event — Displays all detected anomalous events. Use the dashboard for a quick security posture snapshot, or filter the event list to trace and handle specific incidents.

  • Alert policy — Sends proactive notifications when anomalous events meet conditions you define. Configure recipients and channels (email, text message, or DingTalk group chatbot) so critical events reach the right people immediately.

Limitations

  • Supported editions: DataWorks Professional Edition or Enterprise Edition. You must also enable the new data security features in Security Center.

  • Supported regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Chengdu), China (Hong Kong), and Japan (Tokyo).

  • Supported compute engines: MaxCompute and Hologres.

Prerequisites

Before you begin, ensure that you have:

  • An Alibaba Cloud account or RAM user that meets one of the following conditions:

    • Has the AliyunDataWorksFullAccess policy attached

    • Is assigned the tenant security administrator role in DataWorks

    • Is assigned the tenant administrator role in DataWorks

  • Completed the New user guide

Go to the abnormal behavior page

  1. Log on to the DataWorks console. In the top navigation bar, select the target region. In the left-side navigation pane, choose Data Governance > Security Center, then click Go to Security Center.

  2. In the left-side navigation pane, choose Security situation > Abnormal behavior.

Manage smart detection strategies

On the Smart Detection Strategy tab, all built-in anomaly detection policies are listed.

Important

All detection policies are built-in. You cannot add, edit, or delete them — only enable or disable them.

All policies are enabled by default. To manage a policy:

  1. In the policy list, find the policy to manage.

  2. In the Active state column, use the switch to enable or disable the policy.

Disabling a policy stops the system from using it to detect new anomalous events.

View and handle anomalous events

Based on the enabled detection policies, the system automatically identifies and generates anomalous events. On the Abnormal Event tab, monitor all discovered events and take action.

View statistics

The dashboard at the top of the Abnormal Event tab gives a quick view of your security posture:

| Metric | Description |
| --- | --- |
| Abnormal events today | Total anomalous events generated in the last 24 hours (00:00–23:59) |
| Pending events | Total historical events with the status Pending |
| Processed events | Total historical events with the status Processed |
| Processing rate | Processed events / (Pending events + Processed events) × 100%, that is, the event closure rate |

Handle a single event

Note

Currently, the interface supports marking event status only. Processing the underlying incident must be handled outside the platform.

The event list displays all detected anomalous events. Filter by the following dimensions to focus on specific incidents:

| Filter dimension | Example values |
| --- | --- |
| Abnormality level | High-risk, medium-risk |
| Anomaly detection items | First-time data download, data upload outside working hours |

To handle an event:

  1. In the event list, find the event to handle. In the Operation column, click Process Now.

  2. In the dialog box, change the Processing Status from Not treated to Processed (or vice versa), then click Confirm.

To view full event context, click Details in the Actions column. A drawer panel opens on the right, showing the Abnormal Description, Data Engine, Project, Table, Data volume, and Client IP for the event.
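Because the console only records event status, the investigation itself happens in your own tooling. The following is an added example, not DataWorks code or a product API: it triages events transcribed from the Details panel by deriving the day-T log window implied by the T+1 lag, ordering pending events, flagging client IPs that tripped more than one detection item, and recomputing the processing rate. The `Event` record, the UTC+8 day boundary, and all sample values are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone

# Assumption: day T is bounded in the region's local time (UTC+8 here).
REGION_TZ = timezone(timedelta(hours=8))
LEVEL_RANK = {"high-risk": 2, "medium-risk": 1}

@dataclass
class Event:  # hypothetical record built from the Details panel fields
    surfaced_on: date   # day the event became visible (T+1)
    level: str
    item: str
    project: str
    table: str
    data_volume: int    # unit as displayed in the console
    client_ip: str
    status: str = "Pending"

def operation_window(surfaced_on):
    """UTC [start, end) of day T for an event that became visible on T+1."""
    start = datetime.combine(surfaced_on - timedelta(days=1), time.min, tzinfo=REGION_TZ)
    return start.astimezone(timezone.utc), (start + timedelta(days=1)).astimezone(timezone.utc)

def triage(events):
    """Pending events ordered by risk level, then data volume, with log windows."""
    pending = [e for e in events if e.status == "Pending"]
    pending.sort(key=lambda e: (-LEVEL_RANK.get(e.level, 0), -e.data_volume))
    return [(e, *operation_window(e.surfaced_on)) for e in pending]

def repeat_sources(events):
    """Client IPs that triggered more than one detection item."""
    items = defaultdict(set)
    for e in events:
        items[e.client_ip].add(e.item)
    return {ip: sorted(s) for ip, s in items.items() if len(s) > 1}

def processing_rate(events):
    """Processed / (Pending + Processed) x 100, as defined for the dashboard."""
    done = sum(e.status == "Processed" for e in events)
    return 100.0 * done / len(events) if events else 0.0

# Constructed sample events (documentation IP ranges, made-up projects and tables).
SAMPLE = [
    Event(date(2026, 3, 26), "medium-risk", "data upload outside working hours", "proj_a", "orders", 1200, "203.0.113.7"),
    Event(date(2026, 3, 26), "high-risk", "first-time data download", "proj_a", "customers", 500000, "203.0.113.7"),
    Event(date(2026, 3, 25), "high-risk", "first-time data download", "proj_b", "payroll", 90000, "198.51.100.4", "Processed"),
    Event(date(2026, 3, 26), "medium-risk", "data upload outside working hours", "proj_c", "logs", 300, "192.0.2.15", "Processed"),
]
```

Use the returned UTC window as the time range when pulling engine audit logs for the listed project, table, and client IP.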

Configure alert policies

Alert policies close the loop between passive event discovery and proactive response — relevant personnel are notified automatically when critical events occur.

  1. On the Abnormal behavior page, select the Alert Policy tab, then click Create New Alert Policy.

  2. Set the conditions that trigger an alert. Configure one or both of the following dimensions:

    • Abnormality Level: Trigger on events at or above a specified risk level, such as all "high-risk" events.

    • Anomaly Detection Items: Trigger on a specific detection type, such as all "first-time data download" events.

  3. Select notification channels and recipients. Supported channels: email, text message, and DingTalk group chatbot. For each channel, select the corresponding recipients.

  4. Click New Policy to save. The system automatically sends notifications when anomalous events match your policy conditions.