Anomaly alerts in Database Autonomy Service (DAS) flag suspicious database activity detected by built-in or custom anomaly detection models. Each alert captures what happened, how severe it is, and what action to take. This topic explains how to view and handle anomaly alerts for a single database instance or across all instances at once.
Prerequisites
Before you begin, ensure that you have:
The new version of the security audit feature enabled. See Enable security audit (new version).
Anomalous event types
Anomalous events fall into three categories:
| Type | What it detects |
|---|---|
| Abnormal flow | Exceptions during data flows — for example, sensitive data downloaded from an unusual geographic location |
| Abnormal behavior | Abnormal data operations — for example, consecutive invalid password attempts or logons from unusual devices |
| Custom exceptions | Events detected by a custom anomaly detection model you have configured |
Risk levels
Each alert has a risk level based on the sensitivity level of the matched file.
| Event type | Risk level | Condition |
|---|---|---|
| Abnormal flow | High | Highest sensitivity level of matched file is S3 or above |
| Abnormal flow | Medium | Highest sensitivity level of matched file is S1 or S2 |
| Abnormal flow | Low | Highest sensitivity level of matched file is N/A |
| Abnormal behavior | Medium | Highest sensitivity level of matched file is S2 or above |
| Abnormal behavior | Low | Highest sensitivity level of matched file is S1 or lower |
| Custom exceptions | Configured by you | Determined by your model configuration |
View alerts for a single database instance
1. Log on to the DAS console.
2. In the left-side navigation pane, choose Intelligent O&M Center > Instance Monitoring.
3. Find the database instance you want to manage and click the instance ID. The instance details page appears.
4. In the left-side navigation pane, choose Security Center > Security Audit.
5. On the Security Audit page, click the Alert tab.
6. Click the Abnormal flow, Abnormal behavior, or Custom exceptions tab to filter by event type and view the corresponding statistics.
7. To inspect an event, find it in the list and click View Details in the Actions column. The Anomalous Event Details panel shows the basic information, object information, description, and handling history of the event.
8. To handle an event, click Process in the Actions column. In the Risk Alert panel, configure the following:
   - Anomalous Event Verification: Choose one of the following options.
     - Confirmed and Processed: Select this if the event is a real threat. Locate the affected database instance using the event details and manually handle the anomalous event in the corresponding cloud service. If you select this option without completing remediation, DAS continues generating alerts for the event.
     - Add to Whitelist: Select this if you verify that the detected event is related to a normal operation. DAS stops generating alerts for this event and removes it from the anomalous event list.
   - Add Processing Record: Enter remarks on how you handled the event, for future reference.
9. To export the alert list, click Export above the anomalous event list.
View alerts for multiple database instances
If security audit is enabled on multiple database instances, their anomaly alerts are consolidated on a single page.
1. Log on to the DAS console.
2. In the left-side navigation pane, choose Security Center > Security Audit.
3. On the Security Audit page, click the Alert tab.
4. Click the Abnormal flow, Abnormal behavior, or Custom exceptions tab to filter by event type and view the corresponding statistics.
5. To inspect an event, find it in the list and click View Details in the Actions column. The Anomalous Event Details panel shows the basic information, object information, description, and handling history of the event.
6. To handle an event, click Process in the Actions column. In the Risk Alert panel, configure the following:
   - Anomalous Event Verification: Choose one of the following options.
     - Confirmed and Processed: Select this if the event is a real threat. Locate the affected database instance using the event details and manually handle the anomalous event in the corresponding cloud service. If you select this option without completing remediation, DAS continues generating alerts for the event.
     - Add to Whitelist: Select this if you verify that the detected event is related to a normal operation. DAS stops generating alerts for this event and removes it from the anomalous event list.
   - Add Processing Record: Enter remarks on how you handled the event, for future reference.
7. To export the alert list, click Export above the anomalous event list.
What's next
By default, DAS enables all built-in anomaly detection models. You can disable the models that you do not need. To create custom models for specific databases, tables, fields, access sources, or instances, see Configure alert rules.