Updated on 2026-07-07 GMT+08:00

Managing Risky Operation Rules

Database audit has four built-in detection rules, including database reduction detection, slow SQL statements detection, batch data tampering detection, and batch data deletion detection, helping you detect database security risks in a timely manner. You can also add risky operations and customize detection rules.

Prerequisites

The database audit instance is in the Running state.

  • Before enabling the risky operation, ensure that its status is Disabled.
  • Before disabling the risky operation, ensure that its status is Enabled.

Constraints and Limitations

  • One piece of audited data can match only one risky operation rule.
  • For a risky operation rule whose Rule Category is System rules, you cannot edit, delete, or set priority for it.

Managing Risky Operation Rules

  1. Log in to the DBSS console.
  2. Click in the upper left corner on the displayed page and select a region.
  3. In the navigation tree on the left, choose Rules.
  4. In the Instance drop-down list, select an instance.
  5. Click the Risky Operations tab.

Adding a Risky Operation Rule

  1. Click Add above the risky operation list.
  2. On the Add Risky Operation page, set the basic information and IP address or IP range. For details, see Table 1.

    Figure 1 Configuring basic information and IP addresses or IP address segments
    Table 1 Risk operation parameters

    Parameter

    Description

    Example Value

    Name

    Custom name of a risky operation.

    test

    Risk Level

    Level of a risky operation. The options are as follows:

    • High
    • Medium
    • Low
    • No risk

    High

    Status

    Status of a risky operation.

    • Enabled
    • Disabled

    Enabled

    Select Database

    Select databases to apply the risky operation rule.

    You can select ALL or a specific database.

    -

    Exception Client IP Address/IP Address Segment

    IP addresses or IP address ranges which are trusted and will not be audited.

    The IP address can be an IPv4 address (for example, 192.168.1.2) or an IPv6 address (for example, fe80:0000:0000:0000:0000:0000:0000:0000).

    192.168.xx.xx

    Client IP Address/IP Address Segment

    Enter the IP address or IP address segment of the client that is not in the trusted client IP address or IP address segment, which is used to report alarms for risky operations set by users.

    The IP address can be an IPv4 address (for example, 192.168.1.1) or an IPv6 address (for example, fe80:0000:0000:0000:0000:0000:0000:0000).

    192.168.xx.xx

  3. Set the operation type, operation object, and execution result. For details about related parameters, see Table 2.

    Figure 2 Setting the operation type, operation object, and execution result
    Table 2 Parameters for adding a risk rule

    Parameter

    Description

    Example Value

    Operations

    Types of risky operations.

    • Login
    • Operation
      • All operations
      • DDL
      • DML
      • DCL

    Login

    Objects

    Click Add Operation Object. Enter the target database, target table, and field information. Click OK to add an operation object.

    -

    Results

    Set Affected Rows and Operation Duration. The operation conditions are as follows:

    • Greater than
    • Less than
    • Equal to
    • Equal to or greater than
    • Less than or equal to

    Equal to or greater than

  4. Click OK.

Checking the Risky Operation Rule List

Check the risky operation information. For details, see Table 3.

You can select an attribute from the search box above the list or enter a keyword to search for a specified risky operation.

Figure 3 Viewing the risky operation
Table 3 Parameters

Parameter

Description

Name

Name of a risky operation.

Rule Category

Risky operation type. The options are as follows:

  • Custom rules
  • System rules

Priority

Priority of a risky operation.

Category

Category of the risky operation.

Feature

Feature of a risky operation.

Risk Level

Risk level of an operation. The options are as follows:

  • High
  • Medium
  • Low
  • No risk

Status

Status of a risky operation. The options are as follows:

  • Enabled
  • Disabled

Setting the Priority of a Risky Operation Rule

  1. In the row containing the risky operation for which you want to set a priority, click in the Priority column.

    Figure 4 Setting the priority

  2. Click OK.

    Figure 5 Setting the priority

Enabling a Risky Operation Rule

  1. In the Operation column of a risky operation rule, click Enable.

    Figure 6 Enabling a risky operation rule

  2. Check the risk operation rule status. It will change to Enabled. Database audit will audit this risky operation.

Disabling a Risky Operation Rule

  1. In the Operation column of a risky operation rule, click Disable.

    Figure 7 Disabling a risky operation rule

  2. In the displayed dialog box, click OK.
  3. Check the risky operation rule status. The status will change to Disabled and the rule will not be implemented for audit.

Editing a Risky Operation Rule

  1. In the Operation column of a risky operation rule, click Edit.

    Figure 8 Editing a risky operation rule

  2. On the risky operation rule page, edit the rule.
  3. Confirm the information and click OK.

Deleting a Risky Operation Rule

  1. In the Operation column of a risky operation rule, click Delete.

    Figure 9 Deleting a risky operation rule

  2. In the displayed dialog box, enter DELETE and click OK.

    After the rule is deleted, if you need to configure database risky operations for the instance, add a risky operation rule again.

References

  • You can add trusted SQL statements to the whitelist. Database audit will ignore whitelisted SQL statements. For details, see Configuring SQL Whitelist.