Overview
When the system detects abnormal access that matches a security rule, it generates an alarm at the level corresponding to the matched rule. On the "Alarm Logs" page, you can view all SQL statements that have triggered alarms, together with related information such as the alarm levels, and filter the logs by time, field, alarm level, rule name, etc.
Query Alarm Logs
1. In the menu, select Query Analysis > Alarm Logs to enter the Alarm Logs page, select the Alarm Logs tab, set the query conditions (e.g. time range, packet, asset, etc.), and click Search to query the relevant alarm logs.
2. In the alarm log list, click Details in the Operation column on the right to view details of an alarm record, including basic information, client information, server information, request details, and response details.
3. On the "Alarm Log Details" page, click Statistics to view information such as the client and database account.
Alarm Analysis
1. In the left menu, select Query Analysis > Alarm Logs to enter the Alarm Logs page, and select the Alarm Analysis tab. Set the filtering conditions (time range, rule name, asset, database account, client IP) and query the alarms that meet them.
2. Click Details under the Operation column to view the alarm statistics, including rule details, alarm assets, alarm trends under each asset, alarm sources (the dimensions include client IP and database account), and SQL templates that have triggered alarms.
3. In the Rule Details area, click the asset quantity link to edit the assets with the rule enabled, and click the trustlist quantity link to edit the trustlists for the rule.
4. In the Alarm Asset area, click the Rule Status switch to change the status of the rule for an asset.
5. In the Alarm Source area, click Stop Alarm in the Operation column.
6. Edit the relevant information in the "Do Not Alarm" dialog box that pops up and click OK. Add the client IP addresses that meet the conditions to the trust rules and the rule trustlist. For alarms generated for general rules:
Select Add to Trustlist, and then click OK. Then, the system will no longer generate alarms for related operations that meet the conditions of the selected items in this rule.
Select Add to Trust Rules, and click OK. Then, no alarm will be generated for assets that meet the optional properties of the trust rule.
7. In the SQL Template area for alarm triggering, click Stop Alarm in the Operation column.
8. Edit the relevant information in the "Do Not Alarm" dialog box that pops up and click OK. Add the SQL templates that meet the conditions to the trust rules and the rule trustlist. For alarms generated for general rules:
Select Add to Trustlist, and then click OK. Then, the system will no longer generate alarms for related operations that meet the conditions of the selected items in this rule.
Select Add to Trust Rules, and click OK. Then, no alarm will be generated for assets that meet the optional properties of the trust rule.