Data Security Center: View and handle audit alerts

Last Updated: Dec 13, 2024

The Audit Alerts page displays the audit alerts that are generated for data assets based on the configured auditing mode and audit alert rules. You can use the alert details to identify and trace risks such as abnormal database operations, vulnerability exploitation, and data leaks. This topic describes how to view the audit alerts of data assets so that you can understand the risk status of the assets from an audit perspective and handle the risks.

Prerequisites

View audit alerts

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Detection and Response > Data Auditing.

  3. On the Audit Alerts tab, view the statistical information on the Alert Overview and Alert Logs tabs.

Alert Overview tab

  • The tab displays the audit risk score that is calculated based on the cumulative alert data of the last 24 hours, the deduction rules, and the deduction details. If no new alerts are detected within 24 hours, the audit risk score is increased.

  • The tab displays the real-time alert information about data assets. You can click Details in the Actions column to view the asset information and access source list.

Alert Logs tab

  1. Above the alert list, select a data type from the Current Data Type drop-down list. Example: RDS. By default, the audit alert information about data assets in the last 1 day is displayed.

  2. Filter alerts by time range, instance name, risk level, operation type, rule type, rule name, account, client IP address, and SQL statement.

  3. Click Details in the Actions column to view alert information such as the alert time, client information, server information, behavior information, and execution result.

    You can click Capture Snapshot to save a screenshot of the alert information to the default download path of your browser.

Handle audit alerts

  • If you confirm based on an audit alert that data security is threatened, you must use the audit alert log to find the related data asset and handle the risk manually.

  • If you confirm that an audit alert is generated for normal workloads and can be ignored, you can add the audit alert to the whitelist. Then, DSC no longer reports the same audit alert for the data asset.

Add an audit alert to the whitelist

Perform the following steps to add an audit alert to the whitelist. The account and IP address that are related to the audit alert are displayed on the Whitelist tab of the System Settings page. If an audit alert matches a whitelist rule when Data Security Center (DSC) detects data, DSC no longer reports the audit alert for the operations or events of databases or OSS. For more information, see Manage a whitelist.

  1. On the Alert Overview or Alert Logs tab, find the alert that you want to add to the whitelist and click Add to Whitelist in the Actions column.

  2. In the Add to Whitelist dialog box, configure parameters such as Account, IP, and Action Type. Then, click OK.
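
The following Python sketch is an added example, not part of the original topic and not DSC code. It checks a candidate whitelist entry against constructed alert records to show which alerts the entry would stop reporting before you add it. The record fields, the rule that an empty field matches anything, and the requirement that all configured fields match are assumptions, not documented DSC behavior.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Alert:  # hypothetical record; fields follow the Alert Logs filters
    risk_level: str
    operation_type: str
    rule_name: str
    account: str
    client_ip: str
    sql: str

@dataclass(frozen=True)
class WhitelistEntry:  # Account, IP, Action Type from the Add to Whitelist dialog box
    account: str = ""      # "" = not configured (assumption)
    ip: str = ""
    action_type: str = ""

    def matches(self, a: Alert) -> bool:
        # Assumption: every configured field must match (logical AND).
        if self.account and self.account != a.account:
            return False
        if self.ip and ip_address(self.ip) != ip_address(a.client_ip):
            return False
        if self.action_type and self.action_type.upper() != a.operation_type.upper():
            return False
        return True

def preview(entry, alerts):
    """Split alerts into (suppressed, still_reported) for a candidate entry."""
    suppressed = [a for a in alerts if entry.matches(a)]
    reported = [a for a in alerts if not entry.matches(a)]
    return suppressed, reported

def needs_review(suppressed):
    """Suppressed alerts with a high risk level, to check before whitelisting."""
    return [a for a in suppressed if a.risk_level.lower() == "high"]

# Constructed sample alerts (not real DSC output).
ALERTS = [
    Alert("Low", "SELECT", "bulk-read", "etl_job", "10.0.0.5", "SELECT * FROM orders"),
    Alert("High", "DROP", "table-drop", "etl_job", "10.0.0.5", "DROP TABLE orders"),
    Alert("Low", "SELECT", "bulk-read", "etl_job", "203.0.113.9", "SELECT * FROM orders"),
]

if __name__ == "__main__":
    for e in (WhitelistEntry("etl_job", "10.0.0.5", "SELECT"), WhitelistEntry(account="etl_job")):
        s, _ = preview(e, ALERTS)
        print(e, "suppresses", len(s), "alert(s); high-risk among them:", len(needs_review(s)))
```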
