Updated on 2023-11-16 GMT+08:00

Viewing Abnormal Behaviors Through Data Usage Audit

Data usage audit reports and audits real-time alarms of abnormal data usage in the cloud. You can view abnormal behavior data from the last 30 minutes, 3 hours, 24 hours, 7 days, or 30 days. DSC stores abnormal event data for 180 days.

DSC can detect abnormal events related to the access, operation, and management of sensitive data and provide alarm notifications for you to confirm and handle these abnormal events.

The following behaviors are regarded as abnormal events:
  • Unauthorized users access and download sensitive data.
  • Authorized users access, download, and modify sensitive data, as well as change and delete permissions.
  • Authorized users change or delete permissions granted for buckets that contain sensitive data.
  • Users who accessed sensitive files fail to log in to the device.

Prerequisites

An abnormal event has been detected and displayed on the page.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Data Security Center.
  4. In the left navigation pane, choose Data Risk Detection > Data Usage Audit. The Risky Behavior Detection tab page is displayed by default. For parameter details, see Table 1.

    In the upper right corner of the list, select a time range, set the time period, and select an event type and status to query the abnormal behaviors you want to view.
    Figure 1 Data usage audit list
    Table 1 Parameters of detected risky behaviors

    Parameter: Description

    User ID: ID of a resource owner

    Event Type: DSC classifies abnormal events into the following three types:
    • Unauthorized data access
      • Access sensitive files without granted permissions.
      • Download sensitive files.
    • Abnormal data operations
      • Update sensitive files.
      • Append data to sensitive files.
      • Delete sensitive files.
      • Copy sensitive files.
    • Abnormal data management
      • When a bucket is added, the system detects that the bucket is a public read or a public read/write bucket.
      • When a bucket is added, the system detects that the access/ACL access permissions of a private bucket are granted for anonymous users or registered user groups.
      • The policy of a bucket containing sensitive files is changed or deleted.
      • The ACL of a bucket containing sensitive files is changed or deleted.
      • The cross-region replication configuration of a bucket containing sensitive files is modified or deleted.
      • The ACL of a sensitive file is modified or deleted.

    Event Name: Event that causes an exception

    Alarm Time: Time when an exception occurs

    Status: Status description is as follows:
    • Unhandled: indicates that an abnormal event is not handled.
    • Confirmed Violation: indicates that a handled abnormal event causes an exception.
    • Confirmed Non-violation: indicates that a handled abnormal event does not cause any exceptions.

  5. Click View Details in the Operation column of an abnormal event to view details about the event.

    You can determine whether an abnormal event is a violation according to the event details, and then determine how to handle the event. For details, see Handling Abnormal Behaviors Found in Data Usage Audit.
    Figure 2 Abnormal event details
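
The list filter from step 4 and the 180-day retention stated at the top of this page, reproduced offline as an added example (not DSC code and not a DSC API). Record fields follow Table 1; the dictionary layout, the 14-day margin, the function names and the sample values are assumptions constructed for illustration. It surfaces Unhandled events that are about to age out of the event store.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Time ranges offered by the list filter, and the retention period the page states.
WINDOWS = {"30m": timedelta(minutes=30), "3h": timedelta(hours=3),
           "24h": timedelta(hours=24), "7d": timedelta(days=7), "30d": timedelta(days=30)}
RETENTION = timedelta(days=180)

def query(events, now, window=None, event_type=None, status=None):
    """Mirror the list filter: time range, event type and status are all optional."""
    out = []
    for e in events:
        age = now - e["alarm_time"]
        if age < timedelta(0) or age > RETENTION:
            continue  # future timestamps are bad data; older records are past retention
        if window and age > WINDOWS[window]:
            continue
        if event_type and e["event_type"] != event_type:
            continue
        if status and e["status"] != status:
            continue
        out.append(e)
    return out

def expiring_unhandled(events, now, margin_days=14):
    """Unhandled events that leave the 180-day store within margin_days, oldest first."""
    cutoff = RETENTION - timedelta(days=margin_days)
    hits = [e for e in query(events, now, status="Unhandled")
            if now - e["alarm_time"] >= cutoff]
    return sorted(hits, key=lambda e: e["alarm_time"])

def unhandled_by_type(events, now, window="7d"):
    """Count Unhandled events per event type inside one of the console time ranges."""
    return Counter(e["event_type"] for e in query(events, now, window=window, status="Unhandled"))

# Constructed sample records; field names follow Table 1, values are invented.
NOW = datetime(2023, 11, 16, 12, 0, tzinfo=timezone.utc)
def _ev(uid, etype, name, days_ago, status):
    return {"user_id": uid, "event_type": etype, "event_name": name,
            "alarm_time": NOW - timedelta(days=days_ago), "status": status}
SAMPLE = [
    _ev("user-a", "Unauthorized data access", "Download sensitive files", 0.01, "Unhandled"),
    _ev("user-b", "Abnormal data operations", "Delete sensitive files", 2, "Unhandled"),
    _ev("user-b", "Abnormal data management", "Bucket ACL changed", 5, "Confirmed Violation"),
    _ev("user-c", "Abnormal data management", "Bucket policy deleted", 170, "Unhandled"),
    _ev("user-d", "Abnormal data operations", "Copy sensitive files", 200, "Unhandled"),
]

if __name__ == "__main__":
    print(unhandled_by_type(SAMPLE, NOW))
    for e in expiring_unhandled(SAMPLE, NOW):
        print(e["user_id"], e["event_name"], e["alarm_time"].date())
```
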