Anomaly Detection

Safeguard against potential risky access to your tools


Last updated 1 month ago


Anomaly detection identifies unusual or unexpected activity within a system and alerts users to it.

This helps to safeguard against potential risks and ensures that tool access remains controlled:

  • Detects high-risk access requests, approvals of previously rejected requests, and sudden requests from inactive users

  • Flags repetitive or suspicious automated actions, ensuring that automation doesn't become a security vulnerability

  • Provides detailed information on each detected anomaly

Anomalies are sorted by detection date.


Prerequisites

| Item | Description |
| --- | --- |
| Apono Premium | Apono plan providing the most features and dedicated account support |
| Access Flow | Minimum of one configured access flow |


Investigate an anomaly

Follow these steps to investigate an anomaly:

  1. Review the alert. On the Anomalies page, under the RECOMMENDATION column, click the icon. The Alert Details panel opens.

  2. If the alert is a valid concern, revoke the request and update the access flow.

Revoke access

  1. On the Alert Details panel, under Alert Details, click the Request ID link. The Access request details panel appears.

  2. If the request Status is Active, click the Timeline tab to view the history details of the request.

  3. On the Resources tab, click Revoke Access to revoke the request and the associated access. The request Status will change to Revoked.

Update the access flow

  1. On the Alert Details panel, under Alert Details, click the Access Flow link. The Edit Access Flow page appears.

  2. Edit the access flow (steps 3-5).


Sorting anomalies

Anomalies can be narrowed down with one or several filters. Each filter is described below with the steps to apply it.

All time

Filters by a relative or absolute time range

Relative

Follow these steps to set the relative time filter:

  1. Click the first filter. A menu appears.

  2. On the Relative tab, from the Last dropdown menu, select a time measure.

  3. In the Last text field, enter a number.

  4. (Optional) Click Round to the hours to begin the time filtering from the nearest hour.

  5. Click Apply. The filter turns blue and shows a summary of the filter.

Absolute

Follow these steps to set the absolute time filter:

  1. Click the first filter. A menu appears.

  2. On the Absolute tab, under From, select the start date of the time filter from the date picker.

  3. Select the start time (local system time) of the time filter from the time picker.

  4. Under To, select the end date of the time filter from the date picker.

  5. Select the end time (local system time) of the time filter from the time picker.

  6. (Optional) Click Use UTC to apply the Coordinated Universal Time (UTC) timezone to the start and end times instead of the local system time.

  7. Click Apply. The filter turns blue and shows a summary of the filter.

Type

Filters by type of anomaly

Follow these steps to filter by anomaly type:

  1. Click Type.

  2. (Optional) In the Search… field, enter a full or partial type.

  3. Click the checkbox next to one or several types. The filter button turns blue and shows a summary of the filter.

Severity

Filters by level of concern for the anomaly defined by Apono

Follow these steps to filter by severity:

  1. Click Severity.

  2. (Optional) In the Search… field, enter a full or partial severity. Only severities matching the value entered will be displayed.

  3. Click the checkbox next to one or several severities. The filter button turns blue and shows a summary of the filter.

Resource Type

Filters by type of resource

Follow these steps to filter by resource type:

  1. Click Resource Type.

  2. (Optional) In the Search… field, enter a full or partial resource type.

  3. Click the checkbox next to one or several resource types. The filter button turns blue and shows a summary of the filter.

User

Filters by user

Follow these steps to filter by user:

  1. Click More Filters > User.

  2. (Optional) In the Search… field, enter a full or partial username.

  3. Click the checkbox next to one or several users. The filter button turns blue and shows a summary of the filter.

Integrations

Filters by integration

Follow these steps to filter by integration:

  1. Click More Filters > Integration.

  2. (Optional) In the Search… field, enter a full or partial integration.

  3. Click the checkbox next to one or several integrations. The filter button turns blue and shows a summary of the filter.


Anomaly Types Reference

Each anomaly type is listed below with what triggers it, what it may indicate, and the recommended actions.

Request high risk access

Triggered when elevated access is requested to a sensitive resource and may pose risks to the organization

Sensitive Resource

Resource name or tag contains one of the following:

  • customer

  • phi

  • pii

  • prod

Elevated Access

Permission name contains one of the following:

  • admin

  • full access

  • owner

Recommended Actions:

  • Investigate this request.

  • Consider revoking this request.

Approved after being rejected in the past

Triggered when a request of similar scope was manually rejected and subsequently approved within the last 90 days

This may indicate one or both of the following circumstances:

  • The requester should not have access.

  • Due to human error, the request has been approved.

Recommended Actions:

  • Validate the approval with the previous and current approvers.

  • Consider revoking this request.

Inactive user detected

Triggered when a user makes a request for the first time in 90 days

This may indicate one of the following:

  • The requester is an infrequent user who needs new access.

  • The requester was recently on leave.

  • A client-side IdP off-boarding misconfiguration has permitted a requester who has recently separated from the company to retain request permissions.

Recommended Action:

  • Validate the user should be granted access.

Access automation detected

Code has made repeated requests with similar

This may indicate that someone is using CLI commands or other cloud automations to bypass the just-in-time mechanism.

Recommended Action:

  • Investigate the request with the requester.
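The trigger rules above can be reproduced offline against an export of access requests, which is useful for checking that a detection fires the way the reference says it should. The following is an added example, not Apono's code: it implements the high-risk, approved-after-rejected and inactive-user rules with the keyword lists and 90-day window from the reference (the automation rule is left out because the page gives no threshold), and runs them over constructed sample records with hypothetical users, resources and request IDs.

```python
from datetime import datetime, timedelta

# Keyword lists and window taken from the Anomaly Types Reference above.
SENSITIVE = ("customer", "phi", "pii", "prod")
ELEVATED = ("admin", "full access", "owner")
WINDOW = timedelta(days=90)

def is_sensitive(resource, tags=()):
    # Sensitive Resource: resource name or tag contains a sensitive keyword.
    text = " ".join([resource, *tags]).lower()
    return any(k in text for k in SENSITIVE)

def is_elevated(permission):
    # Elevated Access: permission name contains an elevated keyword.
    return any(k in permission.lower() for k in ELEVATED)

def detect(requests):
    """Yield (request_id, anomaly_type) for a chronological list of request dicts
    with keys id, user, resource, tags, permission, status, time.
    Assumption: "inactive user" means a gap of more than 90 days since the
    user's previous request; a user's very first request is not flagged."""
    last_seen = {}   # user -> time of their previous request
    rejected = {}    # (user, resource, permission) -> time of manual rejection
    for r in requests:
        key = (r["user"], r["resource"], r["permission"])
        if is_sensitive(r["resource"], r["tags"]) and is_elevated(r["permission"]):
            yield r["id"], "Request high risk access"
        prev = last_seen.get(r["user"])
        if prev is not None and r["time"] - prev > WINDOW:
            yield r["id"], "Inactive user detected"
        if r["status"] == "approved" and key in rejected and r["time"] - rejected[key] <= WINDOW:
            yield r["id"], "Approved after being rejected in the past"
        if r["status"] == "rejected":
            rejected[key] = r["time"]
        last_seen[r["user"]] = r["time"]

# Constructed sample records (hypothetical users, resources and IDs).
T0 = datetime(2024, 1, 1)
SAMPLE = [
    {"id": "req-1", "user": "alice", "resource": "orders-db", "tags": ["prod"],
     "permission": "Admin", "status": "rejected", "time": T0},
    {"id": "req-2", "user": "alice", "resource": "orders-db", "tags": ["prod"],
     "permission": "Admin", "status": "approved", "time": T0 + timedelta(days=10)},
    {"id": "req-3", "user": "bob", "resource": "staging-cache", "tags": [],
     "permission": "read", "status": "approved", "time": T0},
    {"id": "req-4", "user": "bob", "resource": "staging-cache", "tags": [],
     "permission": "read", "status": "approved", "time": T0 + timedelta(days=120)},
]

def run_sample():
    return list(detect(SAMPLE))
```

Running `run_sample()` flags req-1 and req-2 as high-risk, req-2 as approved after a rejection, and req-4 as an inactive user returning after 120 days.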

You can also create a webhook to send anomaly notifications to an internal system.
