Anomaly Detection

Safeguard against potential risky access to your tools

Anomalies identify and alert users to unusual or unexpected activities within a system.

Anomalies page

This helps to safeguard against potential risks and ensure that tool access remains controlled:

  • Detects high-risk access requests, approvals of previously rejected requests, and sudden requests from inactive users

  • Flags repetitive or suspicious automated actions, ensuring that automation doesn't become a security vulnerability

  • Provides detailed information on each detected anomaly

Anomalies are sorted by the detection date.

You can also create a webhook to send Anomalies notifications to an internal system.


Prerequisites

Item            Description
Apono Premium   Apono plan providing the most features and dedicated account support
Access Flow     Minimum of one configured self-serve access flow


Investigate an anomaly

Alert Details panel

Follow these steps to investigate an anomaly:

  1. On the Anomalies page, under the RECOMMENDATION column, click the icon. The Alert Details panel opens.

  2. Review the alert.

  3. If the alert is a valid concern, revoke the request and update the access flow.

Revoke access

  1. On the Alert Details panel, under Alert Details, click the Request ID link. The Access request details panel appears.

  2. If the request Status is Active, click the Timeline tab to view the history details of the request.

  3. On the Resources tab, click Revoke Access to revoke the request and the associated access. The request Status will change to Revoked.

Update the access flow

  1. On the Alert Details panel, under Alert Details, click the Access Flow link. The Edit Access Flow page appears.


Sorting anomalies

Anomalies can be filtered by one or multiple filters. Each filter is described below, together with the steps to apply it.

All time

Filters by relative or absolute time filter

Relative

Follow these steps to set the relative time filter:

  1. Click the first filter. A menu appears.

  2. On the Relative tab, from the Last dropdown menu, select a time measure.

  3. In the Last text field, enter a number.

  4. (Optional) Click Round to the hours to begin the time filtering from the nearest hour.

  5. Click Apply. The filter turns blue and shows a summary of the filter.

Absolute

Follow these steps to set the absolute time filter:

  1. Click the first filter. A menu appears.

  2. On the Absolute tab, under From, select the start date of the time filter from the date picker.

  3. Select the start time (local system time) of the time filter from the time picker.

  4. Under To, select the end date of the time filter from the date picker.

  5. Select the end time (local system time) of the time filter from the time picker.

  6. (Optional) Click Use UTC to apply the Coordinated Universal Time (UTC) timezone to the start and end times instead of the local system time.

  7. Click Apply. The filter turns blue and shows a summary of the filter.

Type

Filters by type of anomaly

Follow these steps to filter by anomaly type:

  1. Click Type.

  2. (Optional) In the Search… field, enter a full or partial type.

  3. Click the checkbox next to one or several types. The filter button turns blue and shows a summary of the filter.

Severity

Filters by level of concern for the anomaly defined by Apono

Follow these steps to filter by severity:

  1. Click Severity.

  2. (Optional) In the Search… field, enter a full or partial severity. Only severities matching the value entered will be displayed.

  3. Click the checkbox next to one or several severities. The filter button turns blue and shows a summary of the filter.

Resource Type

Filters by type of resource

Follow these steps to filter by resource type:

  1. Click Resource Type.

  2. (Optional) In the Search… field, enter a full or partial resource type.

  3. Click the checkbox next to one or several resource types. The filter button turns blue and shows a summary of the filter.

User

Filters by user

Follow these steps to filter by user:

  1. Click More Filters > User.

  2. (Optional) In the Search… field, enter a full or partial username.

  3. Click the checkbox next to one or several users. The filter button turns blue and shows a summary of the filter.

Integrations

Filters by integration

Follow these steps to filter by integration:

  1. Click More Filters > Integration.

  2. (Optional) In the Search… field, enter a full or partial integration.

  3. Click the checkbox next to one or several integrations. The filter button turns blue and shows a summary of the filter.


Anomaly Types Reference

The following reference explains each anomaly type, the condition that triggers it, and the recommended actions.

Request high risk access

Triggered when elevated access is requested to a sensitive resource and may pose risks to the organization

Sensitive Resource

Resource name or tag contains one of the following:

  • customer

  • phi

  • pii

  • prod

Elevated Access

Permission name contains one of the following:

  • admin

  • full access

  • owner

Recommended Actions:

  • Investigate this request.

  • Consider revoking this request.

Approved after being rejected in the past

Triggered when a request of similar scope was manually rejected and subsequently approved within the last 90 days

This may indicate one or both of the following circumstances:

  • The requester should not have access.

  • Due to human error, the request has been approved.

Recommended Actions:

  • Validate the approval with the previous and current approvers.

  • Consider revoking this request.

Inactive user detected

Triggered when a user makes a request for the first time in 90 days

This may indicate one of the following:

  • The requester is an infrequent user who needs new access.

  • The requester was recently on leave.

  • A client-side IdP off-boarding misconfiguration has permitted a requester who has recently separated from the company to retain request permissions.

Recommended Action:

  • Validate the user should be granted access.

Access automation detected

Code has made repeated requests with similar

This may indicate that someone is using CLI commands or other cloud automations to bypass the just-in-time mechanism.

Recommended Action:

  • Investigate the request with the requester.
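To make the rules in this reference concrete, here is an added Python illustration (not Apono's code) that applies the four anomaly types to constructed access-request records. The keyword lists and the 90-day windows come from the reference above; the burst threshold used for "Access automation detected" (five identical requests within ten minutes) is an assumption, since the page does not state one.

```python
from datetime import datetime, timedelta

SENSITIVE = ("customer", "phi", "pii", "prod")         # resource name/tag words
ELEVATED = ("admin", "full access", "owner")           # permission name words
WINDOW = timedelta(days=90)                            # re-approval and inactivity window
BURST_COUNT, BURST_WINDOW = 5, timedelta(minutes=10)   # assumed automation threshold

def is_high_risk(req):
    """Elevated permission requested on a sensitive resource (substring match)."""
    target = " ".join([req["resource"], *req.get("tags", [])]).lower()
    return (any(w in target for w in SENSITIVE)
            and any(w in req["permission"].lower() for w in ELEVATED))

def detect(requests):
    """Return (request_id, anomaly_type) pairs, processing requests in time order."""
    findings, last_seen, rejected, bursts = [], {}, {}, {}
    for r in sorted(requests, key=lambda x: x["time"]):
        scope = (r["user"], r["resource"], r["permission"])
        if is_high_risk(r):
            findings.append((r["id"], "Request high risk access"))
        prev = last_seen.get(r["user"])   # first request in 90 days -> inactive user
        if prev is not None and r["time"] - prev > WINDOW:
            findings.append((r["id"], "Inactive user detected"))
        last_seen[r["user"]] = r["time"]
        if r["status"] == "rejected":     # remember manual rejections by scope
            rejected[scope] = r["time"]
        elif (r["status"] == "approved" and scope in rejected
              and r["time"] - rejected[scope] <= WINDOW):
            findings.append((r["id"], "Approved after being rejected in the past"))
        recent = [t for t in bursts.get(scope, []) if r["time"] - t <= BURST_WINDOW]
        recent.append(r["time"])
        bursts[scope] = recent
        if len(recent) == BURST_COUNT:    # flag once, when the burst threshold is hit
            findings.append((r["id"], "Access automation detected"))
    return findings

T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [  # constructed access-request records
    {"id": "r1", "user": "alice", "resource": "prod-db", "permission": "Admin",
     "status": "approved", "time": T0},
    {"id": "r2", "user": "bob", "resource": "analytics", "permission": "read",
     "status": "rejected", "time": T0},
    {"id": "r3", "user": "bob", "resource": "analytics", "permission": "read",
     "status": "approved", "time": T0 + timedelta(days=10)},
    {"id": "r4", "user": "alice", "resource": "staging", "permission": "read",
     "status": "approved", "time": T0 + timedelta(days=100)},
] + [{"id": f"r{5 + i}", "user": "svc", "resource": "staging", "permission": "read",
      "status": "approved", "time": T0 + timedelta(seconds=30 * i)} for i in range(5)]
```

Calling detect(SAMPLE) yields one finding per anomaly type: r1 (high risk), r9 (automation burst), r3 (approved after rejection) and r4 (inactive user).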
