All Products
Document Center

Database Autonomy Service:Security audit

Last Updated:Mar 01, 2024

Database Autonomy Service (DAS) provides the security audit feature to automatically identify risks, such as high-risk SQL statements, SQL injections, and new access sources. This topic describes how to use the security audit feature.


  • The database instance that you want to manage is of one of the following types:

    • ApsaraDB RDS for MySQL

    • PolarDB for MySQL

  • The database instance is connected to DAS and is in the Normal Access state.

  • The SQL Explorer and Audit feature is enabled for the database instance. For more information, see the Enable SQL Explorer and Audit section of the "Overview" topic.

Storage duration

Audit data generated in real time by using the security audit feature can be stored for up to 30 days.


  • The security audit feature cannot identify all SQL injection attacks due to technical limits.

  • To prevent a large amount of audit data from being stored in a short period, DAS throttles the output of security audit results.


  1. Log on to the DAS console.

  2. In the left-side navigation pane, click Instance Monitoring.

  3. On the page that appears, find the database instance that you want to manage and click the instance ID. The instance details page appears.

  4. In the left-side navigation pane, choose Request Analysis > SQL Explorer and Audit. On the page that appears, click the SQL Explorer tab. On the SQL Explorer tab, click the Security Audit tab.

  5. Specify a time range for security audit and click Search. The security audit results on an hourly basis within the specified time range are displayed.

    When you select a time range, make sure that the end time is later than the start time and that the interval between the start time and the end time does not exceed 30 days. The time range to query data must be later than the time when DAS Enterprise Edition is enabled and must fall within the data storage duration of SQL Explorer.

    Click a point in time in the trend chart to view the security audit details of the hour after the point in time.



    Risk level

    High-risk operations

    DAS automatically identifies the following types of high-risk SQL statements based on preset rules:

    • DDL statements, such as those used to create a table, modify the schema of a table, modify an index, or rename a table

    • Statements used to update or delete full tables

    • Statements used to run large queries that meet one of the following default conditions:

      • The number of scanned rows is greater than or equal to 1,000,000.

      • The number of returned rows is greater than or equal to 100,000.

      • The number of updated rows is greater than or equal to 100,000.

    • DDL statements: low risk

    • Statements used to update full tables: high risk

    • Statements used to run large queries: medium risk

    SQL injections

    SQL injections are attacks during which malicious SQL statements are inserted into web forms, domain names, or page requests to trick servers into executing these SQL statements. This type of attack compromises database security.


    DAS continuously monitors SQL injections in databases and identifies the access sources.

    High risk

    New access sources

    DAS automatically identifies new access sources by comparing them with access source records to determine whether the access requests are sent from unknown servers.


    Access sources that did not access your database within the previous seven days are considered new access sources.

    • After the security audit feature is enabled for a new database instance, no data of new access sources is provided for the first seven days.

    • If the security audit feature has never been enabled for an existing database instance, no data of new access sources is provided for the first seven days after this feature is enabled.

    Medium risk