The security audit feature (new version) ships with all built-in database audit rules and anomaly detection models enabled. Disable the rules or models you don't need, or create custom anomaly detection models scoped to specific databases, tables, fields, access sources, or instances.
Prerequisites
Before you begin, ensure that you have:
The new version of the security audit feature enabled. For more information, see Enable security audit (new version).
Manage database audit rules
All built-in database audit rules are enabled by default. Disable any rules that don't apply to your environment.
Log on to the DAS console.
In the left-side navigation pane, choose Security Center > Security Audit.
On the Security Audit page, click the Alert Rule tab, and then click the Database Audit Rules tab.
Disable the rules you don't need.
Manage anomaly detection models
All built-in anomaly detection models are enabled by default. Disable any models that don't apply to your environment.
Log on to the DAS console.
In the left-side navigation pane, choose Security Center > Security Audit.
On the Security Audit page, click the Alert Rule tab, and then click the Anomaly Detection Model tab.
Disable the models you don't need.
Create a custom anomaly detection model
If the built-in anomaly detection models don't meet your requirements, create a custom model.
Log on to the DAS console.
In the left-side navigation pane, choose Security Center > Security Audit.
On the Security Audit page, click the Alert Rule tab, and then click the Custom Detection Model tab.
Click Add Rule.
In the Create Rule dialog box, configure the parameters described in the following table, and then click OK.
Parameter: Description
Rule Name: A name for the model. Use a descriptive name for easy identification.
Risk Level: The risk level for the model. Select from the drop-down list.
Asset Type: The type of asset to monitor. For example, RDS.
Filter Condition: The condition used to detect anomalous events.
Create More: Click Create More to add multiple filter conditions. Multiple filter conditions are connected by the AND logical operator.
Alert Condition: The time interval and triggering conditions for anomaly detection. DAS generates an anomaly alert when database activity within the specified interval matches the alert conditions.
After the model is created, it appears in the model list with a default status of Off. You must enable the model for it to take effect.
In the Status column, turn on the switch to enable the model.
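The following added example is not DAS code. It is a local Python sketch for dry-running a custom model's logic against sample events before you enable it: filter conditions joined by AND, an alert condition evaluated over a time interval, and the default Off status. The field names, operators, event-count threshold, and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical model mirroring the Create Rule dialog; field names, operators and threshold are assumed.
MODEL = {
    "rule_name": "customers-read-from-unlisted-source",
    "risk_level": "High",
    "asset_type": "RDS",
    "filters": [  # every filter condition must match (AND)
        ("table", "eq", "customers"),
        ("sql_type", "eq", "SELECT"),
        ("source_ip", "not_in", {"10.0.0.5", "10.0.0.6"}),
    ],
    "alert": {"interval": timedelta(minutes=5), "min_events": 3},
    "status": "Off",  # a newly created model is Off until enabled
}
OPS = {"eq": lambda v, x: v == x, "not_in": lambda v, x: v not in x}

def matches(event, model):
    """True when the event is on the model's asset type and passes all filters."""
    return event["asset_type"] == model["asset_type"] and all(
        OPS[op](event.get(field), value) for field, op, value in model["filters"])

def evaluate(model, events):
    """Return (first_hit, last_hit, count) for each window meeting the alert condition."""
    if model["status"] != "On":
        return []  # a disabled model produces no alerts
    interval, need = model["alert"]["interval"], model["alert"]["min_events"]
    alerts, window = [], []
    for t in sorted(e["time"] for e in events if matches(e, model)):
        window = [w for w in window if t - w <= interval] + [t]
        if len(window) >= need:
            alerts.append((window[0], t, len(window)))
            window = []  # start a fresh window after alerting
    return alerts

def ev(minute, second, table, sql_type, ip):
    return {"time": datetime(2024, 1, 1, 12, minute, second), "asset_type": "RDS",
            "table": table, "sql_type": sql_type, "source_ip": ip}

# Constructed sample audit events (not real log data).
SAMPLE_EVENTS = [
    ev(0, 0, "customers", "SELECT", "10.0.0.5"),      # listed source: filtered out
    ev(0, 10, "customers", "SELECT", "203.0.113.7"),  # hit 1
    ev(1, 0, "orders", "SELECT", "203.0.113.7"),      # other table: filtered out
    ev(2, 0, "customers", "SELECT", "203.0.113.7"),   # hit 2
    ev(3, 0, "customers", "UPDATE", "203.0.113.7"),   # not a SELECT: filtered out
    ev(4, 30, "customers", "SELECT", "203.0.113.7"),  # hit 3, inside 5 minutes
    ev(20, 0, "customers", "SELECT", "203.0.113.7"),  # isolated hit: no alert
]
```

Calling evaluate(MODEL, SAMPLE_EVENTS) returns no alerts while the status is Off. With the status set to On, the three matching reads inside the five-minute interval produce one alert.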