The anomaly alert feature supports built-in and custom anomaly detection models. After you specify a model, Database Autonomy Service (DAS) uses the model to detect abnormal operations on sensitive data and generate anomaly alerts. This topic describes how to manage built-in and custom anomaly detection models and how to view and handle anomalous events.
Prerequisites
The new version of the security audit feature is enabled. For more information, see Enable security audit (new version).
View the anomaly alerts of a single database instance
Log on to the DAS console.
In the left-side navigation pane, choose Intelligent O&M Center > Instance Monitoring.
On the page that appears, find the database instance that you want to manage and click the instance ID. The instance details page appears.
In the left-side navigation pane, choose Security Center > Security Audit.
On the Security Audit page, click the Alert tab.
On the Alert tab, view the anomaly alerts related to sensitive data.
Click the Abnormal flow, Abnormal behavior, or Custom exceptions tab to view the statistics of different types of anomalous events.
Find the anomalous event that you want to view and click View Details in the Actions column. In the Anomalous Event Details panel, view the basic information, object information, description, and handling history of the anomalous event.
Find the anomalous event that you want to handle and click Process in the Actions column.
In the Risk Alert panel, handle the anomalous event based on the provided solution.
You need to configure the following parameters:
Anomalous Event Verification
Confirmed and Processed: If you verify that a detected event is an anomalous event, select this option. You must locate the database instance on which the anomalous event occurred based on the displayed information and manually handle the anomalous event in the corresponding cloud service. If you select this option for an event but do not handle the event, DAS keeps generating alerts for the event.
Add to Whitelist: If you verify that a detected event is related to a normal operation, select this option. After an anomalous event is added to the whitelist, DAS no longer generates alerts for the event. The event is not displayed in the anomalous event list.
Add Processing Record: Enter remarks on handling the anomalous event for future reference.
Click Export above the anomalous event list to export the listed anomalous events.
View the anomaly alerts of multiple database instances
If you have enabled security audit for multiple database instances, you can view the anomaly alerts of all database instances on the same page.
Log on to the DAS console.
In the left-side navigation pane, choose Security Center > Security Audit.
On the Security Audit page, click the Alert tab.
On the Alert tab, view the anomaly alerts related to sensitive data.
Click the Abnormal flow, Abnormal behavior, or Custom exceptions tab to view the statistics of different types of anomalous events.
Find the anomalous event that you want to view and click View Details in the Actions column. In the Anomalous Event Details panel, view the basic information, object information, description, and handling history of the anomalous event.
Find the anomalous event that you want to handle and click Process in the Actions column.
In the Risk Alert panel, handle the anomalous event based on the provided solution.
You need to configure the following parameters:
Anomalous Event Verification
Confirmed and Processed: If you verify that a detected event is an anomalous event, select this option. You must locate the database instance on which the anomalous event occurred based on the displayed information and manually handle the anomalous event in the corresponding cloud service. If you select this option for an event but do not handle the event, DAS keeps generating alerts for the event.
Add to Whitelist: If you verify that a detected event is related to a normal operation, select this option. After an anomalous event is added to the whitelist, DAS no longer generates alerts for the event. The event is not displayed in the anomalous event list.
Add Processing Record: Enter remarks on handling the anomalous event for future reference.
Click Export above the anomalous event list to export the listed anomalous events.
Anomalous event types
Anomalous events can be classified into the following types:
Abnormal flow: Anomalous events of this type indicate exceptions that occur during data flows. For example, sensitive data is downloaded from an unusual geographic location.
Abnormal behavior: Anomalous events of this type indicate abnormal data operations, such as consecutive invalid password attempts and logons from unusual devices.
Custom exceptions: Anomalous events of this type are detected by the custom anomaly detection model that you specify.
Risk levels
The risk level of an anomalous event is determined by rules that depend on the event type and on the highest sensitivity level of the data that the event matched. Alerts that belong to the same event subtype may therefore have different risk levels. The following rules apply:
Abnormal flow: For an anomaly alert of this type, if the highest sensitivity level of the matched file is S3 or higher, the risk level of the alert is High. If the highest sensitivity level of the matched file is S1 or S2, the risk level of the alert is Medium. If the highest sensitivity level of the matched file is N/A, the risk level of the alert is Low.
Abnormal behavior: For an anomaly alert of this type, if the highest sensitivity level of the matched file is S2 or higher, the risk level of the alert is Medium. If the highest sensitivity level of the matched file is S1 or lower, the risk level of the alert is Low.
Custom exceptions: For anomaly alerts of this type, the risk level is determined by your configuration.
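The risk-level rules above expressed as code, as an added example that is not part of the DAS documentation or product. It assumes that sensitivity labels rank as N/A below S1 and that "S3 or higher" means any S<n> with n >= 3; the sample alert records and the triage ordering are constructed for illustration.

```python
import re
from typing import Iterable, List, Optional, Tuple

def sensitivity_rank(label: str) -> int:
    """Map a sensitivity label ("N/A", "S1", "S2", ...) to a comparable rank.
    Assumption: "N/A" ranks below every S<n> level and S<n> ranks by n."""
    label = label.strip().upper()
    if label == "N/A":
        return 0
    m = re.fullmatch(r"S(\d+)", label)
    if not m:
        raise ValueError(f"unknown sensitivity label: {label!r}")
    return int(m.group(1))

def risk_level(event_type: str, matched_levels: Iterable[str],
               custom_level: Optional[str] = None) -> str:
    """Derive an alert's risk level from the rules in this topic.
    matched_levels: sensitivity labels of all objects the event matched;
    custom_level: the risk level configured for a custom model."""
    if event_type == "Custom exceptions":
        if custom_level not in ("High", "Medium", "Low"):
            raise ValueError("custom model must be configured as High, Medium or Low")
        return custom_level
    # Assumption: an event that matched nothing is treated like "N/A".
    highest = max((sensitivity_rank(l) for l in matched_levels), default=0)
    if event_type == "Abnormal flow":
        if highest >= 3:
            return "High"
        return "Medium" if highest >= 1 else "Low"
    if event_type == "Abnormal behavior":
        return "Medium" if highest >= 2 else "Low"
    raise ValueError(f"unknown event type: {event_type!r}")

# Constructed sample alerts (hypothetical, not a DAS export format).
SAMPLE_ALERTS = [
    {"id": "evt-1", "type": "Abnormal flow", "levels": ["S1", "S3"]},
    {"id": "evt-2", "type": "Abnormal behavior", "levels": ["S1", "N/A"]},
    {"id": "evt-3", "type": "Custom exceptions", "levels": [], "custom": "High"},
    {"id": "evt-4", "type": "Abnormal flow", "levels": ["N/A"]},
    {"id": "evt-5", "type": "Abnormal behavior", "levels": ["S2"]},
]

def triage(alerts) -> List[Tuple[str, str]]:
    """Order alerts High -> Medium -> Low (then by id) so the riskiest
    events are verified and processed first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    scored = [(a["id"], risk_level(a["type"], a["levels"], a.get("custom")))
              for a in alerts]
    return sorted(scored, key=lambda x: (order[x[1]], x[0]))

if __name__ == "__main__":
    for alert_id, level in triage(SAMPLE_ALERTS):
        print(alert_id, level)
```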
References
By default, DAS enables all built-in anomaly detection models. You can disable the models that you do not need. You can also customize anomaly detection models at various levels such as databases, tables, fields, access sources, and instances. For more information, see Configure alert rules.