The security risk feature helps you proactively identify potential security threats and data compliance violations. This feature provides built-in expert rules for risk detection and lets you visually manage risks to improve detection and response efficiency. You can also create custom detection rules to meet your specific business needs and security policies.
Function Introduction
The security risk feature consists of three core modules that work together to create a complete cycle: rule definition, event discovery, and alert response.
Risk Detection Item
This module is the rule library for risk detection. It contains built-in expert rules, such as "batch query of sensitive data" and "frequent deletion of sensitive data". You can also create custom detection rules based on your unique business needs to define which behaviors are considered security risks.
Risk Event
Risk events are generated when enabled risk check items are hit. This module displays all detected security risk events. You can filter and trace events by criteria such as the check item name and occurrence time. This module is the core interface for daily security inspections and post-event analysis.
Alert Policy
To enable proactive responses, you can configure alert policies in this module. When a risk event that meets specific conditions occurs, such as any "high-risk" event or a specific "batch export of sensitive data" event, the system automatically sends an alert to the specified personnel. Alerts can be sent by email, text message, or DingTalk/WeCom robots.
Risk detection results are available with a T+1 delay. This means that risk detection is not performed in real time. Instead, it is based on an offline analysis of data from the previous day (T). Therefore, the risk events that you see today (T+1) reflect operations that occurred yesterday. Keep this delay in mind when you perform risk analysis and event tracing.
Limitations
Applicable users: This feature is available to users of DataWorks Professional Edition or Enterprise Edition. You must also enable the new data security features for DataWorks in Security Center.
Supported regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Chengdu), China (Hong Kong), and Japan (Tokyo).
Supported compute engines: MaxCompute and Hologres.
Prerequisites
The Alibaba Cloud account or a RAM user that you use must meet one of the following conditions:
The Alibaba Cloud account or RAM user is attached with the AliyunDataWorksFullAccess policy.
The Alibaba Cloud account or RAM user is assigned the tenant security administrator role of DataWorks.
The Alibaba Cloud account or RAM user is assigned the tenant administrator role of DataWorks.
You have completed the New user guide.
Go to the security risks page
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose . On the page that appears, click Go to Security Center.
In the navigation pane on the left, choose .

Configure Risk Detection Item
Risk check items define specific data operation behavior patterns to monitor. By creating and configuring these check items, you can identify potential security threats or non-compliant operations and classify them as specific, traceable risk events.
Built-in Risk Check Items
You can modify the configurations of default built-in risk check items, but you cannot delete them.
DataWorks provides several common built-in risk check items. You can also create custom risk check items based on your data security needs. The following table describes some of the built-in risk check items.
Category | Risk Name | Risk description | Condition / Default threshold |
Abnormal source | Data Exit | Data is downloaded from an IP address outside China. The IP address is from an overseas IP address library or a custom IP list. Important: supported only in the Chinese mainland; not supported in China (Hong Kong) or overseas. | - |
Abnormal source | Risk IP address to download data | Data is downloaded from a risk IP address. The IP address is from a risk intelligence library or a custom IP list. | - |
Abnormal source | Risk IP address to upload data | Data is uploaded from a risk IP address. The IP address is from a risk intelligence library or a custom IP list. | - |
Abnormal behavior pattern | Similar SQL query | The number of similar SQL queries exceeds the threshold within a specified time range. | Number of queries ≥ 10 within 10 minutes |
Abnormal behavior pattern | Query sensitive data in batches during non-working hours | The number of sensitive data records in a single query exceeds the threshold outside working hours. | |
Abnormal behavior pattern | Batch export sensitive data during non-working hours | The number of sensitive data records in a single export exceeds the threshold outside working hours. | |
Abnormal behavior pattern | Delete the table where sensitive data reside | A table that contains sensitive fields is deleted. | - |
Abnormal behavior pattern | Clear the table where sensitive data resides | A table that contains sensitive fields is truncated. | - |
High-frequency operation | Frequently Querying Sensitive Data | The number of sensitive data queries exceeds the threshold within a specified time range. | Number of operations ≥ 5 within 5 minutes |
High-frequency operation | Frequently update sensitive data | The number of sensitive data updates exceeds the threshold within a specified time range. | Number of operations ≥ 5 within 5 minutes |
High-frequency operation | Frequent deletion of sensitive data | The number of sensitive data deletions exceeds the threshold within a specified time range. | Number of operations ≥ 5 within 5 minutes |
High-frequency operation | Frequent Upload of sensitive data | The number of sensitive data uploads exceeds the threshold within a specified time range. | Number of operations ≥ 5 within 5 minutes |
High-frequency operation | Frequent export of sensitive data | The number of sensitive data exports exceeds the threshold within a specified time range. | Number of operations ≥ 5 within 5 minutes |
Batch operation | Batch Query Sensitive Data | The number of sensitive data records in a single query exceeds the threshold. | Number of records in a single operation ≥ 10,000 |
Batch operation | Batch update sensitive data | The number of sensitive data records in a single update exceeds the threshold. | Number of records in a single operation ≥ 10,000 |
Batch operation | Delete sensitive data in bulk | The number of sensitive data records in a single deletion exceeds the threshold. | Number of records in a single operation ≥ 10,000 |
Batch operation | Batch Upload sensitive data | The number of sensitive data records in a single upload exceeds the threshold. | Number of records in a single operation ≥ 10,000 |
Batch operation | Batch export sensitive data | The number of sensitive data records in a single export exceeds the threshold. | Number of records in a single operation ≥ 10,000 |
Custom check items
This feature lets you create fine-grained risk detection rules by combining different operation dimensions, such as operational object, operation type, data volume, frequency, operator, and time. The system analyzes data operation logs based on the enabled detection rules and generates corresponding risk events.
On the Security Risks page, click the Risk Detection Item tab to go to the risk check item list page.
Click New Test Item to create a custom check item. For more information about the configuration parameters, see the following tables:
Basic information: Defines the basic properties and metadata of the check item.
Parameter | Required | Description |
Policy Name | Yes | Give the check item a name that clearly reflects its monitoring purpose, such as "Detection for batch export of core customer information". |
Type of Risk | Yes | Categorize the risk for subsequent statistics and management. Behavioral Risk: usually refers to operations performed by users or system accounts that may have security risks. Turnover Risk: focuses on risks that may arise when data is transmitted between different systems, applications, or network borders. |
Risk Level | Yes | Define the severity of the risk corresponding to this check item. The system aggregates risks and sends alerts based on this level. High-risk: behaviors that may lead to serious data breaches, business interruptions, or major compliance issues. Medium-risk: behaviors that may pose potential security threats and require attention and auditing from security personnel. Low-risk: general non-standard operations, usually for auditing or statistical purposes. |
Note Information | No | A detailed description of the check item, such as its background, the specific business scenario it monitors, or information about the relevant owner. |
Operational Objectives: Defines the monitoring scope of the rule. This scope specifies the data assets whose operations are included in the detection.
Parameter | Required | Description |
Detection Range | Yes | Define the scope of data assets to monitor. You can select and combine one or more dimensions based on your data management policy. By Location: filter by the physical or logical location of data storage, such as a specific database instance or storage bucket; if you select Hologres, the hierarchy is Database Name > Table Name, and if you select MaxCompute, the hierarchy is Project Name > Table Name. By Classification: filter by data category. By Grading: filter by data sensitivity level, such as S1, S2, or S3. When you select multiple dimensions, they are combined with an AND operator, so only assets that meet all selected dimensions are monitored. |
Operation rule definition: This is the core of the rule definition. It is used to precisely describe which behavior patterns should be considered security risks.
Parameter | Required | Description |
Data manipulation | No | Define the SQL operation types to monitor. By default, this is empty, which means all operation types are monitored. Behavioral Risk: optional operations include Select, Update, Insert, Delete, Alter, Drop, Truncate, and more. Turnover Risk: optional operations include TunnelUpload, TunnelDownload, and more. |
Operational Data Volume | No | Set a threshold for the data volume of an operation. If not enabled, there is no limit. Single operation data volume: triggers when the number of data rows affected by a single operation is greater than or equal to the set value. Amount of data in cumulative time: triggers when the cumulative number of data rows operated on within a specified time window is greater than or equal to the set value. |
Operating frequency | No | Set a threshold for the frequency of data operations. If not enabled, there is no limit. For example, "execute 5 DELETE operations within 1 minute" means an alert is generated when the rule is hit for the fifth time within one minute. |
Operator | No | Specify the users or user groups to which this rule applies. Enable this item: the rule applies only to the selected users. Do not enable/Leave empty: the rule applies to all users; note that this may generate many risk events. |
Operation time | No | Define the time window during which the rule is effective. If not enabled, the rule is effective 24/7. You can select one or more time periods by day of week and hour (0-23). For example, you can monitor batch data export behavior only during non-working hours, such as from 18:00 to 09:00 the next day. |
Operation buttons
Effective immediately: Saves the current configuration and immediately activates the check item. The system starts the risk analysis based on this rule from the next detection epoch (T+1).
Save Only: Saves the current configuration but does not activate it. The check item is set to the "Disabled" state and is not used for risk analysis. You can enable it manually later.
Cancel: Discards all configurations in the current session and returns to the list page.
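The following is an added example (not DataWorks code, and not the product's actual detection engine) of how a custom check item built from the dimensions above is evaluated over data-operation logs: the detection-range and operator dimensions are ANDed, a single-operation row threshold fires on one record, and the frequency and cumulative-volume thresholds fire on the fifth hit inside a rolling window, as the "5 DELETE operations within 1 minute" example describes. It also models two of the built-in items (Batch Query Sensitive Data with the 10,000-record default, and the non-working-hours export rule with the 18:00 to 09:00 window). The `Operation` log schema, the sample records, and the project and user names are constructed for the example; the real audit log format is not shown on this page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed stand-in for a DataWorks data-operation log record (assumption: the
# real log schema is not shown on the page; these fields mirror the rule dimensions).
@dataclass
class Operation:
    ts: datetime
    operator: str
    op_type: str       # Select, Update, Delete, Drop, TunnelUpload, TunnelDownload, ...
    project: str       # MaxCompute project (Detection Range, by location)
    table: str
    grading: str       # sensitivity level of the data touched: S1, S2, S3
    rows: int          # rows affected by this single operation

@dataclass
class CheckItem:
    name: str
    level: str                                   # High-risk / Medium-risk / Low-risk
    op_types: set = field(default_factory=set)   # Data manipulation; empty = all types
    projects: set = field(default_factory=set)   # Detection Range, by location; empty = all
    gradings: set = field(default_factory=set)   # Detection Range, by grading; empty = all
    operators: set = field(default_factory=set)  # Operator; empty = all users
    hours: Optional[set] = None                  # Operation time, hours 0-23; None = 24/7
    single_rows: Optional[int] = None            # single operation data volume threshold
    window: Optional[timedelta] = None           # window for frequency / cumulative volume
    freq: Optional[int] = None                   # operations within the window
    cumulative_rows: Optional[int] = None        # rows within the window

def non_working_hours():
    """Hours from 18:00 to 09:00 the next day, the page's own example of a time window."""
    return set(range(18, 24)) | set(range(0, 9))

def in_scope(item, op):
    """All configured dimensions are combined with AND; an empty set means no restriction."""
    if item.projects and op.project not in item.projects:
        return False
    if item.gradings and op.grading not in item.gradings:
        return False
    if item.op_types and op.op_type not in item.op_types:
        return False
    if item.operators and op.operator not in item.operators:
        return False
    if item.hours is not None and op.ts.hour not in item.hours:
        return False
    return True

def evaluate(item, ops):
    """Return (item name, operator, timestamp, reason) tuples for every rule hit."""
    events = []
    recent = {}  # operator -> in-scope operations still inside the rolling window
    for op in sorted(ops, key=lambda o: o.ts):
        if not in_scope(item, op):
            continue
        if item.single_rows is not None and op.rows >= item.single_rows:
            events.append((item.name, op.operator, op.ts, "single operation volume"))
        if item.window is None:
            continue
        hist = [h for h in recent.get(op.operator, []) if op.ts - h.ts < item.window]
        hist.append(op)
        fired = False
        if item.freq is not None and len(hist) >= item.freq:
            events.append((item.name, op.operator, op.ts, "operating frequency"))
            fired = True
        if item.cumulative_rows is not None and sum(h.rows for h in hist) >= item.cumulative_rows:
            events.append((item.name, op.operator, op.ts, "cumulative volume"))
            fired = True
        # Reset the window after a hit so one burst is reported once, not on every later operation.
        recent[op.operator] = [] if fired else hist
    return events

def run_all(items, ops):
    return [e for item in items for e in evaluate(item, ops)]

D = datetime(2024, 5, 20)  # constructed date for the sample log
SAMPLE_OPS = [
    # alice: five DELETEs on an S3 table within 40 seconds at 20:00
    *[Operation(D + timedelta(hours=20, seconds=10 * i), "alice", "Delete", "crm", "customer", "S3", 1)
      for i in range(5)],
    # bob: one 12,000-row query of S2 data during working hours
    Operation(D + timedelta(hours=10), "bob", "Select", "crm", "orders", "S2", 12_000),
    # carol: a 50,000-row tunnel download at 22:00 (non-working hours) and another at 11:00
    Operation(D + timedelta(hours=22), "carol", "TunnelDownload", "crm", "customer", "S3", 50_000),
    Operation(D + timedelta(hours=11), "carol", "TunnelDownload", "crm", "customer", "S3", 50_000),
    # dave: a harmless 200-row query of S1 data
    Operation(D + timedelta(hours=9), "dave", "Select", "ops", "metrics", "S1", 200),
]

SAMPLE_ITEMS = [
    CheckItem("Frequent deletion of sensitive data", "High-risk", op_types={"Delete"},
              gradings={"S2", "S3"}, window=timedelta(minutes=1), freq=5),
    CheckItem("Batch Query Sensitive Data", "Medium-risk", op_types={"Select"},
              gradings={"S2", "S3"}, single_rows=10_000),
    CheckItem("Batch export sensitive data during non-working hours", "High-risk",
              op_types={"TunnelDownload"}, gradings={"S2", "S3"},
              hours=non_working_hours(), single_rows=10_000),
]

if __name__ == "__main__":
    for event in run_all(SAMPLE_ITEMS, SAMPLE_OPS):
        print(event)
```

Running it yields three risk events: alice's fifth DELETE, bob's 12,000-row query, and carol's 22:00 download; carol's identical download at 11:00 is outside the configured time window and dave's S1 query is outside the grading scope, so neither is reported. In the product the same evaluation runs offline over the previous day's logs, which is why results appear with the T+1 delay noted above.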
Enable or disable risk detection items
After you create a check item, you can enable or disable it on the Risk Check Items tab.
Enabled: DataWorks identifies events that match the rule of the check item and marks them as risk events.
Not Enabled: DataWorks retains the previously marked risk events but no longer identifies new events that match the rule.
You can enable or disable a single risk item, or select multiple risk items and click Batch Open or Batch Close.
Edit or delete risk check items
After you create a check item, you can edit or delete it on the Risk Check Items tab if needed.
Edit: Reconfigures the risk check item. All settings can be changed except the Policy Name, which cannot be edited.
Delete: Deletes the configured risk check item. After a check item is deleted, no new risk events are generated based on it.
To Edit or Delete risk check items, you can click Edit or Delete for an individual item in the Actions column. You can also select multiple risk check items and click Batch Delete.
Handle risk events
View risk events
When a risk check item that you configured and enabled is triggered, the system generates a corresponding risk event. You can view a detailed list of all events on the Risk Event tab.
Field | Description |
Occurrence time | The date and time when the operator triggered the event. | |
Type of Risk | The type of risk corresponding to the event after it is identified as a risk item. | |
Risk Item | The security risk that the event is identified as. | |
Operator | The account that triggered the event. This is usually the logon account or the default access identity of the data source. | |
Risk Level | Evaluates the possible consequences and impact of the risk. | |
Processing Status | Marks the handling result of the risk: Processed, Not treated. | |
Related Events | Click Details in the Operation column to view related events. Related events describe the execution order of a series of events to help security administrators assess the actual impact of the event. | |
Handle risk events
On the Security risk page, you can view risk events on the Risk Event tab. You can also handle the risk events. In the Operation column, click Immediate processing to mark the handling status of a risk event.
Configure alert policies
The alert policy feature lets you create custom notification rules for different security risk events. This ensures that the relevant owners receive risk information and can respond promptly.
Scenarios
In daily data security management, manually inspecting risk events is inefficient and can lead to delayed responses. You may need to automatically distribute alerts to different teams based on the severity or type of risk.
Scenario 1: Real-time response to critical risks
When the system detects a security event with a High-risk level, it must immediately notify the security owner by text message and IM tools (such as DingTalk) for emergency handling.
Scenario 2: Focus on specific behaviors
The data security team wants to monitor all batch exports of sensitive data and automatically send email notifications to all team members for auditing.
Scenario 3: Categorize alerts by function
Alerts related to data behavioral risks are sent to the data governance team, and alerts related to data turnover risks are sent to the architect team.
Function
The core feature of alert policies is to provide automated and differentiated notifications for security risks by sending the right information to the right people at the right time.
Custom alert rules: You can flexibly define trigger conditions based on Security Risk Level, Types of Security Risks, or Security Risk Events.
Multi-channel real-time delivery: Supports sending alerts through various methods, such as email, text message, and DingTalk/Lark/WeCom group robots, to ensure that information is not missed.
Improved response efficiency: Shifts the process from passive "locating risks" to active "identifying risks", which shortens the time from risk occurrence to response and handling.
Configuration steps
Go to the alert policy page
In the Security risk page, select the Alert Policy tab and click Create New Alert Policy.
Enter basic information
Policy Name: Enter a name for your policy, for example, "Important Event SMS Alert".
Strategy Description (optional): Briefly describe the purpose of the policy.
Define trigger conditions: This is the core of the policy and determines when an alert is triggered.
Select Trigger Condition Type:
Security Risk Level: This is the broadest rule. You can select High-risk, Medium-risk, or Low-risk. All risk events of the selected level trigger this alert.
Types of Security Risks: Sets rules by category. You can select Data Behavior Risks or Data Flow Risk. All events in the selected category trigger the alert.
Security Risk Events: This is the most fine-grained rule. You can select one or more specific events, such as Batch Query Sensitive Data or Frequently update sensitive data.
Configure Alert Notification
Click Notification Method and select your desired notification channel from the drop-down list, such as email, text message, or DingTalk group robot.
Select the corresponding Notification Recipients for each method.
Email/Text message: Select one or more RAM users or roles.
Robot: Enter the webhook URL of the corresponding group.
You can add multiple notification methods for the same policy.
Save and manage
Click New Policy to save the policy.
After the policy is saved, it appears in the list, where you can click View, Modification, or Remove at any time.
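As an added example (not DataWorks code), the following models the alert policies described in Scenarios 1 to 3 and the three trigger condition types: each policy has one condition type (Security Risk Level, Types of Security Risks, or Security Risk Events), one or more notification methods, and recipients per method. It shows what happens when one event matches several policies at once, and that a recipient reached by two policies over the same channel is notified once. The event and policy field names, the team names, and the webhook value are constructed for the example; the webhook is an obvious placeholder, not a real group robot URL.

```python
from dataclasses import dataclass

# Constructed sample structures; the field names are assumptions, not the DataWorks API.
@dataclass
class RiskEvent:
    risk_item: str   # Security Risk Event name, e.g. "Batch export sensitive data"
    risk_type: str   # "Data Behavior Risks" or "Data Flow Risk"
    level: str       # "High-risk", "Medium-risk" or "Low-risk"
    operator: str

@dataclass
class AlertPolicy:
    name: str
    condition_type: str  # "Security Risk Level", "Types of Security Risks" or "Security Risk Events"
    values: set          # the levels / types / events selected for that condition type
    channels: dict       # Notification Method -> list of Notification Recipients

def matches(policy, event):
    """A policy has one trigger condition type; the event matches when its value
    for that type is among the policy's selected values."""
    key = {
        "Security Risk Level": event.level,
        "Types of Security Risks": event.risk_type,
        "Security Risk Events": event.risk_item,
    }[policy.condition_type]
    return key in policy.values

def dispatch(policies, events):
    """Return (policy name, channel, recipient, risk item) tuples for every notification
    to send. A recipient matched by two policies on the same channel is notified once per event."""
    out, seen = [], set()
    for i, ev in enumerate(events):
        for p in policies:
            if not matches(p, ev):
                continue
            for channel, recipients in p.channels.items():
                for r in recipients:
                    if (i, channel, r) in seen:
                        continue
                    seen.add((i, channel, r))
                    out.append((p.name, channel, r, ev.risk_item))
    return out

WEBHOOK = "https://example.invalid/robot/PLACEHOLDER"  # placeholder, not a real robot webhook

SAMPLE_POLICIES = [
    # Scenario 1: any High-risk event -> security owner by text message, DingTalk robot and email
    AlertPolicy("Important Event SMS Alert", "Security Risk Level", {"High-risk"},
                {"text message": ["security-owner"], "DingTalk robot": [WEBHOOK],
                 "email": ["security-owner"]}),
    # Scenario 2: every batch export of sensitive data -> data security team by email
    AlertPolicy("Sensitive export audit", "Security Risk Events", {"Batch export sensitive data"},
                {"email": ["dsec-team", "security-owner"]}),
    # Scenario 3: route by risk type
    AlertPolicy("Behavior risks to governance", "Types of Security Risks", {"Data Behavior Risks"},
                {"email": ["data-governance"]}),
    AlertPolicy("Flow risks to architects", "Types of Security Risks", {"Data Flow Risk"},
                {"email": ["architects"]}),
]

SAMPLE_EVENTS = [  # constructed risk events, as the Risk Event tab would list them
    RiskEvent("Batch export sensitive data", "Data Flow Risk", "High-risk", "carol"),
    RiskEvent("Frequently update sensitive data", "Data Behavior Risks", "Medium-risk", "bob"),
    RiskEvent("Similar SQL query", "Data Behavior Risks", "Low-risk", "dave"),
]

if __name__ == "__main__":
    for note in dispatch(SAMPLE_POLICIES, SAMPLE_EVENTS):
        print(note)
```

The high-risk batch export matches three of the four policies and produces five notifications (the duplicate email to the security owner is suppressed); the two behavior-risk events each reach only the data governance team. The de-duplication is the design choice worth copying: without it, the broad level-based policy and the narrow event-based policy would page the same owner twice for one event.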