Risk overview and self-built intelligence - Data Security Center

Data Security Center (DSC) Detection and Response value-added service supports data leak detection, access tracing, and self-built intelligence input. This topic describes how to view data leak overview, authorize assets, and input self-built intelligence.

Prerequisites

You have purchased Data Security Center and Detection and Response quota (purchased separately as a value-added service or included as default quota with Enterprise Edition). If you have not activated the Detection and Response service or have insufficient quota, you can upgrade your instance.
Make sure that the region where your instance is located supports the Detection and Response feature. For more information, see Supported regions.

Data leak statistics overview

The overview page uses various visualization forms to comprehensively display data leak situations over the past year, including different types of leak events, occurrence frequency, risk levels, affected assets, and other detailed information, helping you quickly understand the overall security posture.

Log on to the Data Security Center console.
In the navigation pane on the left, choose Data Detection and Response > Data Leak.

On the Overview page, view data leak event statistics and related operations.

Function area	Description	Available operations
AccessKey leak and account password leak statistics (shown as ①)	Statistics of Full Data Leak and Unhandled Leaks, including Total AccessKey pair Leaks and Total Database Leaks, which include leak counts from GitHub Leak Amount, Public Plaintext Storage, Private Plaintext Storage, Threat Intelligence, and Self-managed Intelligence channels.	Click in the upper-right corner of the function area to view Full Data Leak and Unhandled Leaks. Click Add Intelligence to customize AccessKey leak and account password leak intelligence. Click a number in the statistics to go to the Security Event page for Risk details and handling.
Asset authorization statistics (shown as ②)	Displays the resource capacity and usage of your purchased OSS protection volume and database instances.	Click Authorize Immediately to go to the Asset Authorization Configuration panel to complete asset authorization.
Top 5 risk objects (shown as ③)	Statistics of the top 5 risk objects by total risk events and their risk levels.	Click a risk object name to go to the Security Event page to view all types of risk events for that asset.
Risk trend (shown as ④)	Visually displays the trend of total alerts and the number of each risk level (important, medium, low) through a line chart for better security posture analysis.	Supports filtering data by Last 1 Day, Last 7 Days, Last 15 Days, Last 30 Days, and Custom.

Asset authorization

To detect potential data leak risks in OSS buckets and database instances, complete asset authorization by following these steps:

Log on to the Data Security Center console.
In the navigation pane on the left, choose Data Detection and Response > Data Leak.
On the Overview tab, in the Storage Authorization Statistics and Database Authorization Statistics sections, click Authorize Immediately for the corresponding asset.
In the Asset Authorization Configuration panel, complete the Authorization for target assets on the Not authorized tab.
Important
- Currently, only RDS and PolarDB asset authorization is supported.
- If you cannot find the asset you want to authorize, click Asset synchronization and try again after the synchronization is complete.

After completing asset authorization, you can view detailed information about risk events detected by DSC.

Self-built intelligence input

If you know or suspect that certain AccessKeys or database instance information may have leak risks, you can input their related information (including AccessKey, database instance name, and account) into DSC. The Data Detection and Response service will continuously track abnormal AccessKey access behaviors to authorized buckets and database instance access activities, detect accessed files and database information, and provide real-time alerts to help you promptly discover and handle data leak risks.

AccessKey leak intelligence input

If no AccessKey leaks are detected in GitHub and authorized bucket files, risk events will not be triggered even if there are AccessKey access behaviors to authorized buckets. Therefore, to view event information for such AccessKey access behaviors, you need to create intelligence and input target AccessKey information yourself.

In the AccessKey Leak (Past Year) section, click Add Intelligence.
In the Intelligence Management panel, click Add Intelligence.
Use one of the following methods to add AccessKey pairs:
- Manual input for single entry
  On the Manual Import tab, enter the AccessKey ID, select the Leak Status (Leaked, Not Leaked, Suspected Leak), enter a Remarks, and then click OK.
  Note
  If you have completed target bucket authorization and at least one detection after successful authorization, DSC will record the detected AccessKey information that accessed authorized buckets and generate sample data. You can click Preview to copy these AccessKey details for later input.
- Batch upload
  1. On the Batch Upload tab, click Download Template to obtain the template file (.xlsx). Enter the AccessKeyId (AccessKey ID), Status (Leak Status: Leaked, Not Leaked, Suspected Leak), and Comment (Remarks) according to the format.
    Before this, if you have completed target bucket authorization and at least one detection after successful authorization, DSC will record the detected AccessKey information that accessed authorized buckets and compile it as sample data in the template file, as shown in the following table.
  2. Enter the required AccessKey information in the AccessKey information file, and then save it.
  3. Return to the Batch Upload tab, click View Local File or the upload icon to import the saved .xlsx file.
  4. Click OK.
After input is complete, you can view the created intelligence information in the Intelligence Management panel, which supports Delete operations.

Account password leak intelligence input

For databases with suspected leaks, confirmed leaks, or potential data leak risks, and databases for which you need to view access details, we recommend inputting their information into the Data Detection and Response self-built intelligence for continuous monitoring and risk analysis.

Important

You must complete database instance authorization before you can input the target database instance into self-built intelligence.

In the Account Leak (Past Year) section, click Add Intelligence.
In the Intelligence Management panel, click Add Intelligence.

In the Add Intelligence dialog box, configure the database intelligence information and click OK.

Parameter	Description
Asset Type	Specify the OS of the host to add. Only RDS and PolarDB are supported.
Database Instance	Select an authorized database instance.
Database Account	Select an account for the database instance.
Leak Status	Configure the leak status. You can select Leaked, Not Leaked, or Suspected Leak.
Remarks	Enter a description.

After input is complete, you can view the created intelligence information in the Intelligence Management panel, which supports Delete operations.

What to do next

You can also view risk event details and handle related risks in Risk details and handling.