The Audit Alerts page displays audit alerts that are generated for data assets based on the configured auditing mode and audit alert rules. You can identify and trace risks such as abnormal database operations, vulnerability exploitations, and data leaks based on alert details. This topic describes how to view the audit alerts of data assets to help you better understand the risk status of data assets from an audit perspective and handle the risks.
Prerequisites
The data auditing mode is enabled for data assets whose audit logs you want to and are authorized to view. For more information, see Enable and configure the data auditing mode.
If no audit alert rules are enabled or a custom audit alert rule is required, an audit alert rule is configured and enabled. For more information, see Configure and enable an audit alert rule.
View audit alerts
Log on to the DSC console.
In the left-side navigation pane, choose
.On the Audit Alerts tab, view the statistical information on the Alert Overview and Alert Logs tabs.
Alert Overview tab
The tab displays the audit risk score that is calculated based on the cumulative alert data of the last 24 hours, the deduction rules, and the deduction details. If no new alerts are detected within 24 hours, the audit risk score is increased.
The tab displays the real-time alert information about data assets. You can click Details in the Actions column to view the asset information and access source list.
Alert Logs tab
Above the alert list, select a data type from the Current Data Type drop-down list. Example: RDS. By default, you can view the audit alert information about data assets in the last 1 day.
Filter alerts by time range, instance name, risk level, operation type, rule type, rule name, account, client IP address, and SQL statement.
Click Details in the Actions column to view alert information such as the alert time, client information, server information, behavior information, and execution result.
You can click Capture Snapshot to save the screenshot of the alert information to the default download path of your browser.
Handle audit alerts
If you confirm that data security is threatened based on an audit alert, you must find and manually handle the audit alert in the related data asset based on the audit alert log.
If you confirm that an audit alert is generated for normal workloads and can be ignored, you can add the audit alert to the whitelist. Then, DSC no longer reports the same audit alert for the data asset.
Add an audit alert to the whitelist
You can perform the following operations to add an audit alert to the whitelist. The account and IP address that are related to the audit alert are displayed on the Whitelist tab of the System Settings page. If an audit alert hits the whitelist rule when Data Security Center (DSC) detects data, DSC no longer reports the audit alert for the operations or events of databases or OSS. For more information, see Manage a whitelist.
On the Alert Overview or Alert Logs tab, find the alert that you want to add to the whitelist and click Add to Whitelist in the Actions column.
In the Add to Whitelist dialog box, configure parameters such as Account, IP, and Action Type. Then, click OK.
References
You can view more audit logs of data assets on the Log Analysis page. For more information, see View audit logs.
You can configure an alert notification on the Alert notification tab of the System Settings page in the DSC console. This way, you can receive audit-related alert notifications at the earliest opportunity. For more information, see Configure email, phone call, and text message alert notifications.