Viewing Abnormal Behaviors Through Data Usage Audit
Report and audit real-time alarms of abnormal data usage in the cloud. You can view abnormal behavior data of last 30 minutes, 3 hours, 24 hours, 7 days, or 30 days. DSC stores abnormal event data for 180 days.
DSC can detect abnormal events related to the access, operation, and management of sensitive data and provide alarm notifications for you to confirm and handle these abnormal events.
- Unauthorized users access and download sensitive data.
- Authorized users access, download, and modify sensitive data, as well as change and delete permissions.
- Authorized users change or delete permissions granted for buckets that contain sensitive data.
- Users who accessed sensitive files fail to log in to the device.
Prerequisites
An abnormal event has been detected and displayed on the page.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, click
and choose .
- In the left navigation pane, choose Data Risk Detection > Data Usage Audit, and the Risky Behavior Detection tab page is displayed by default. For parameter details, see Table 1.
In the upper right corner of the list, select a time range, set the time period, and select an event type and status to query the abnormal behaviors you want to view.Figure 1 Data usage audit list
Table 1 Parameters of detected risky behaviors Parameter
Description
User ID
ID of a resource owner
Event Type
DSC classifies abnormal events into the following three types:- Unauthorized data access
- Access sensitive files without granted permissions.
- Download sensitive files.
- Abnormal data operations
- Update sensitive files.
- Append data to sensitive files.
- Delete sensitive files.
- Copy sensitive files.
- Abnormal data management
- When a bucket is added, the system detects that the bucket is a public read or a public read/write bucket.
- When a bucket is added, the system detects that the access/ACL access permissions of a private bucket are granted for anonymous users or registered user groups.
- The policy of a bucket containing sensitive files is changed or deleted.
- The ACL of a bucket containing sensitive files is changed or deleted.
- The cross-region replication configuration of a bucket containing sensitive files is modified or deleted.
- The ACL of a sensitive file is modified or deleted.
Event Name
Event that causes an exception
Alarm Time
Time when an exception occurs
Status
Status description is as follows:
- Unhandled: indicates that an abnormal event is not handled.
- Confirmed Violation: indicates that a handled abnormal event causes an exception.
- Confirmed Non-violation: indicates that a handled abnormal event does not cause any exceptions.
- Unauthorized data access
- Click View Details in the Operation column of an abnormal event to view details about the event.
You can determine whether an abnormal event is a violation according to the event details, and then determine how to handle the event. For details, see Handling Abnormal Behaviors Found in Data Usage Audit.Figure 2 Abnormal event details
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.