
Data Security Center: Configure and enable an audit alert rule

Last Updated: Oct 15, 2024

By default, Data Security Center (DSC) provides and enables built-in audit alert rules for data assets. The built-in audit alert rules include database audit alert rules, Object Storage Service (OSS) audit alert rules, and MaxCompute audit alert rules. You can also create custom audit alert rules. You can use audit alert rules to identify potential risks and threats when your database is running. This ensures database security and compliance with classified protection requirements. This topic describes the built-in audit alert rules that are supported for data audit. This topic also describes how to create a custom audit alert rule.

Prerequisites

The data audit mode is enabled for data assets whose audit logs you want to view and are allowed to view. For more information, see Set and enable the data audit mode.

Background information

After you enable the data audit mode, DSC can collect audit logs from databases based on the enabled data audit mode. After the logs are collected, DSC uses enabled audit alert rules to identify risks in data assets, such as abnormal operations, data leaks, vulnerability exploits, and SQL injections. If risks are identified, DSC sends alert notifications.

Usage notes

  • Built-in audit alert rules: You can use built-in audit alert rules to detect risks in OSS, MaxCompute, ApsaraDB RDS, and PolarDB. The built-in audit alert rules are enabled by default and take effect for supported asset types.

  • Custom audit alert rules: You can create a custom audit alert rule from the following dimensions: sensitive data type, data sensitivity, database, table, field, source, and database instance. This helps implement fine-grained monitoring. You can create a custom audit alert rule for different scenarios and different types of applications. This helps manage database access in an accurate manner.

View built-in audit alert rules

The built-in audit alert rules include database audit alert rules, OSS audit alert rules, and MaxCompute audit alert rules. You can perform the following steps to view built-in audit alert rules and details of the rules.

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Auditing > Config.

  3. On the Config page, click the Rule Configurations tab.

  4. Click the Database Audit Rules, OSS Audit Rules, or MaxCompute Audit Rules tab. In the Rule classification list, view the types of built-in audit alert rules.


  5. In the rule list, find a built-in audit alert rule that you want to manage and view the values in the Rule Name, Rule Type, Risk Level, Status, and Hits columns.

    In the Rule classification list, you can select a specific rule type to view all rules of this type.

  6. Find a rule that you want to manage and click Details in the Actions column to view the supported asset types and details of the rule.


Create a custom audit alert rule

If the built-in audit alert rules cannot meet your audit requirements, you can create custom audit alert rules. After you create a custom audit alert rule, the rule is enabled by default.

  1. On the Rule Configurations tab, click the Custom Audit Rules tab.

  2. Click Add Rule.

  3. In the Add Rule panel, configure the parameters and click Submit. The following table describes the parameters.

    Rule Name: The name of the custom audit alert rule. We recommend that you specify a name that can help you identify the rule.

    Rule Type: The type of the custom audit alert rule. Select a type from the drop-down list. Valid values:

    • Attempt to Exploit SQL Injections

    • Bypass Attempt by Using SQL Injections

    • Stored Procedure Abuse

    • Buffer Overflow

    • Error-based SQL Injection

    • Boolean-based SQL Injection

    • Time-based SQL Injection

    • Denial-of-service Vulnerability

    • Database Detection

    • Configuration Operation

    • Other

    Risk Level: The risk level of the custom audit alert rule. Select a risk level from the drop-down list. Valid values: High, Medium, and Low.

    Asset Type: The type of the assets to which the custom audit alert rule is applied. Select a type from the drop-down list.

    Important: You must select an asset type that is supported by the selected rule type, as listed for the built-in audit rules. Otherwise, the custom audit alert rule does not take effect.

    Behavior information: The description of the custom audit alert rule.

    Rule Description: The conditions of the custom audit alert rule. You can specify conditions based on your business requirements. After you configure a condition, you can click Add to add another condition. Multiple conditions are evaluated by using a logical AND. DSC generates an audit alert when the configured conditions are met.

Enable or disable an audit alert rule

If you no longer use a built-in audit alert rule or an enabled custom audit alert rule, you can turn off Status for the rule. If you want to reuse an audit alert rule, you can turn on Status for the rule.

  1. On the Rule Configurations tab, click the Database Audit Rules, OSS Audit Rules, MaxCompute Audit Rules, or Custom Audit Rules tab.

  2. In the rule list, find the rule that you want to manage and turn on or turn off the switch in the Status column.


Configure notification settings

To receive audit-related alert notifications at the earliest opportunity, you can configure notification settings on the Alert notification tab of the System Settings page in the DSC console. For more information, see Configure email, text message, and phone call alert notifications.

What to do next

After you enable an audit alert rule, DSC generates alerts on operations that hit the audit alert rule. You can view the alerts on the Audit Alerts page of DSC. You can handle risks based on the alerts and log analysis results. For more information, see View and handle audit alerts.

References

DSC provides the whitelist feature. You can add accounts and IP addresses that are associated with trusted data assets to the whitelist. DSC does not generate audit alerts for operations performed by whitelisted accounts or from whitelisted IP addresses. This helps reduce invalid alerts. For more information, see Manage the whitelist.
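The following added example models the alert semantics described in the custom-rule table and the whitelist paragraph above: conditions over the listed dimensions combined with a logical AND, a newly created rule enabled by default, and no alerts for whitelisted accounts or IP addresses. It is illustration code written for this page, not DSC's own implementation or API; the field names, the sample rule, and the audit records are constructed.

```python
# Added illustration of the page's custom-rule semantics; not DSC's own code or
# API. Field names, the sample rule and the audit records are constructed.
from dataclasses import dataclass

# Dimensions a custom audit alert rule may condition on (listed on the page).
DIMENSIONS = {"sensitive_type", "sensitivity", "database", "table",
              "field", "source", "instance"}

@dataclass
class CustomRule:
    name: str
    rule_type: str        # one of the page's rule types, e.g. "Other"
    risk_level: str       # "High", "Medium" or "Low"
    conditions: dict      # dimension -> required value; all must match
    enabled: bool = True  # a newly created custom rule is enabled by default

    def __post_init__(self):
        unknown = set(self.conditions) - DIMENSIONS
        if unknown:
            raise ValueError(f"unsupported dimensions: {sorted(unknown)}")

    def matches(self, record):
        # Logical AND: every configured condition must hold for a hit.
        return self.enabled and all(record.get(d) == v
                                    for d, v in self.conditions.items())

def evaluate(records, rules, whitelist_accounts=(), whitelist_ips=()):
    """Return one alert per (record, rule) hit, skipping whitelisted traffic."""
    alerts = []
    for rec in records:
        # Trusted account or source IP: no audit alert is generated at all.
        if rec["account"] in whitelist_accounts or rec["source"] in whitelist_ips:
            continue
        alerts += [{"rule": r.name, "risk_level": r.risk_level,
                    "account": rec["account"], "source": rec["source"]}
                   for r in rules if r.matches(rec)]
    return alerts

# Constructed sample rule and audit records (not real DSC output).
ID_CARD_RULE = CustomRule("Read of ID-card column", "Other", "High",
                          {"database": "crm", "table": "customers",
                           "sensitive_type": "ID card"})
SAMPLE_RECORDS = [
    {"account": "app_svc", "source": "10.0.0.5", "database": "crm",
     "table": "customers", "sensitive_type": "ID card"},
    {"account": "dba_ops", "source": "192.0.2.10", "database": "crm",
     "table": "customers", "sensitive_type": "ID card"},
    {"account": "app_svc", "source": "10.0.0.5", "database": "crm",
     "table": "orders", "sensitive_type": None},
]
```

Calling `evaluate(SAMPLE_RECORDS, [ID_CARD_RULE])` yields two alerts; adding `192.0.2.10` to `whitelist_ips` suppresses the second one, and a rule with `enabled=False` never hits.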