Anomaly Detection
Safeguard against potential risky access to your tools
Anomaly detection identifies unusual or unexpected access activity in your environment and alerts you to it.
This helps to safeguard against potential risks and ensure that access to your tools remains controlled:
Detects high-risk access requests, approvals of previously rejected requests, and sudden requests from inactive users
Flags repetitive or suspicious automated actions, ensuring that automation doesn't become a security vulnerability
Provides detailed information on each detected anomaly
Anomalies are sorted by the detection date.
You can also create a webhook to send Anomalies notifications to an internal system.
Apono Premium: the plan providing the most features and dedicated account support
Access Flow: a minimum of one configured access flow
Follow these steps to investigate an anomaly:
On the Anomalies page, under the RECOMMENDATION column, click the icon. The Alert Details panel opens.
Review the alert.
If the alert is a valid concern, revoke the request and update the access flow.
On the Alert Details panel, under Alert Details, click the Request ID link. The Access request details panel appears.
If the request Status is Active, click the Timeline tab to view the history details of the request.
On the Resources tab, click Revoke Access to revoke the request and the associated access. The request Status will change to Revoked.
On the Alert Details panel, under Alert Details, click the Access Flow link. The Edit Access Flow page appears.
Edit the access flow (steps 3-5).
Anomalies can be filtered by one or multiple filters. Follow the steps in the table below to apply each filter.
All time
Filters by a relative or absolute time range
Relative
Follow these steps to set the relative time filter:
Click the first filter. A menu appears.
On the Relative tab, from the Last dropdown menu, select a time measure.
In the Last text field, enter a number.
(Optional) Click Round to the hours to begin the time filtering from the nearest hour.
Click Apply. The filter turns blue and shows a summary of the filter.
Absolute
Follow these steps to set the absolute time filter:
Click the first filter. A menu appears.
On the Absolute tab, under From, select the start date of the time filter from the date picker.
Select the start time (local system time) of the time filter from the time picker.
Under To, select the end date of the time filter from the date picker.
Select the end time (local system time) of the time filter from the time picker.
(Optional) Click Use UTC to apply the Coordinated Universal Time (UTC) timezone to the start and end times instead of the local system time.
Click Apply. The filter turns blue and shows a summary of the filter.
Type
Filters by anomaly type
Follow these steps to filter by type:
Click Type.
(Optional) In the Search… field, enter a full or partial type.
Click the checkbox next to one or several types. The filter button turns blue and shows a summary of the filter.
Severity
Filters by severity, the level of concern Apono assigns to the anomaly
Follow these steps to filter by severity:
Click Severity.
(Optional) In the Search… field, enter a full or partial severity. Only severities matching the value entered will be displayed.
Click the checkbox next to one or several severities. The filter button turns blue and shows a summary of the filter.
Resource Type
Filters by type of resource
Follow these steps to filter by resource type:
Click Resource Type.
(Optional) In the Search… field, enter a full or partial resource type.
Click the checkbox next to one or several resource types. The filter button turns blue and shows a summary of the filter.
User
Filters by user
Follow these steps to filter by user:
Click More Filters > User.
(Optional) In the Search… field, enter a full or partial username.
Click the checkbox next to one or several users. The filter button turns blue and shows a summary of the filter.
Integrations
Filters by integration
Follow these steps to filter by integration:
Click More Filters > Integration.
(Optional) In the Search… field, enter a full or partial integration.
Click the checkbox next to one or several integrations. The filter button turns blue and shows a summary of the filter.
The following table explains each anomaly type.
Request high risk access
Triggered when elevated access is requested to a sensitive resource and may pose risks to the organization
Sensitive Resource
Resource name or tag contains one of the following:
customer
phi
pii
prod
Elevated Access
Permission name contains one of the following:
admin
full access
owner
Recommended Actions:
Investigate this request.
Consider revoking this request.
Approved after being rejected in the past
Triggered when a request of similar scope was manually rejected and subsequently approved within the last 90 days
This may indicate one or both of the following circumstances:
The requester should not have access.
The request was approved by human error.
Recommended Actions:
Validate the approval with the previous and current approvers.
Consider revoking this request.
Inactive user detected
Triggered when a user makes a request for the first time in 90 days
This may indicate one of the following:
The requester is an infrequent user who needs new access.
The requester was recently on leave.
An off-boarding misconfiguration in your IdP has allowed a requester who recently left the company to retain request permissions.
Recommended Action:
Validate the user should be granted access.
Access automation detected
Code has made repeated requests with similar
This may indicate that someone is using CLI commands or other cloud automations to bypass the just-in-time mechanism.
Recommended Action:
Investigate the request with the requester.
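The rules above are stated as matching criteria and time windows; the following is an added example, not Apono's own detection code, that implements all four anomaly types over a constructed set of access requests so you can see which request triggers which alert. The request fields, the definition of "similar scope" (same user, resource and permission), the treatment of a brand-new user as not inactive, and the burst window and threshold used for automation detection are assumptions; only the sensitive and elevated term lists and the 90-day window come from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Matching terms and lookback window as documented on this page.
SENSITIVE_TERMS = ("customer", "phi", "pii", "prod")
ELEVATED_TERMS = ("admin", "full access", "owner")
LOOKBACK = timedelta(days=90)


@dataclass(frozen=True)
class AccessRequest:          # assumed shape of a request record
    request_id: str
    user: str
    resource: str             # resource name
    tags: tuple               # resource tags
    permission: str           # permission name
    status: str               # "approved", "rejected" or "pending"
    requested_at: datetime


def _contains_any(text, terms):
    text = text.lower()
    return any(term in text for term in terms)


def is_high_risk(req):
    """Request high risk access: sensitive resource AND elevated permission."""
    sensitive = any(_contains_any(n, SENSITIVE_TERMS) for n in (req.resource, *req.tags))
    return sensitive and _contains_any(req.permission, ELEVATED_TERMS)


def scope_key(req):
    """Assumed definition of 'similar scope': same user, resource and permission."""
    return (req.user, req.resource.lower(), req.permission.lower())


def approved_after_rejected(req, history):
    """Approved now, with a same-scope rejection inside the last 90 days."""
    if req.status != "approved":
        return False
    earliest = req.requested_at - LOOKBACK
    return any(
        h.status == "rejected" and scope_key(h) == scope_key(req)
        and earliest <= h.requested_at < req.requested_at
        for h in history
    )


def inactive_user(req, history):
    """First request in 90 days; a user with no history is new, not inactive (assumption)."""
    prior = [h.requested_at for h in history
             if h.user == req.user and h.requested_at < req.requested_at]
    return bool(prior) and req.requested_at - max(prior) >= LOOKBACK


def access_automation(req, history, window=timedelta(minutes=10), threshold=3):
    """Assumed rule: `threshold` or more same-scope requests inside `window`."""
    similar = [h for h in history
               if h.request_id != req.request_id and scope_key(h) == scope_key(req)
               and abs(h.requested_at - req.requested_at) <= window]
    return len(similar) + 1 >= threshold


def detect_anomalies(req, history):
    """Return the names of the anomaly types that fire for `req`."""
    checks = (
        ("Request high risk access", is_high_risk(req)),
        ("Approved after being rejected in the past", approved_after_rejected(req, history)),
        ("Inactive user detected", inactive_user(req, history)),
        ("Access automation detected", access_automation(req, history)),
    )
    return [name for name, hit in checks if hit]


# Constructed sample history (not real data): one prior event per scenario,
# plus a burst of three same-scope requests from "dave" a few minutes apart.
NOW = datetime(2024, 6, 1, 12, 0)
HISTORY = [
    AccessRequest("r1", "alice", "prod-db", ("tier:1",), "Admin", "rejected", NOW - timedelta(days=30)),
    AccessRequest("r2", "bob", "analytics", (), "ReadOnly", "approved", NOW - timedelta(days=120)),
    AccessRequest("r3", "carol", "analytics", (), "ReadOnly", "approved", NOW - timedelta(days=10)),
] + [
    AccessRequest(f"r{10 + i}", "dave", "ci-bucket", (), "Writer", "approved", NOW - timedelta(minutes=i))
    for i in range(1, 4)
]

# Constructed incoming requests, one per user.
SAMPLES = {
    "alice": AccessRequest("r100", "alice", "prod-db", ("tier:1",), "Admin", "approved", NOW),
    "bob": AccessRequest("r101", "bob", "analytics", (), "ReadOnly", "pending", NOW),
    "carol": AccessRequest("r102", "carol", "dev-db", (), "Admin", "pending", NOW),
    "dave": AccessRequest("r103", "dave", "ci-bucket", (), "Writer", "approved", NOW),
}


def run_samples():
    return {user: detect_anomalies(req, HISTORY) for user, req in SAMPLES.items()}


if __name__ == "__main__":
    for user, found in run_samples().items():
        print(f"{user}: {found or 'no anomalies'}")
```

Note that "carol" requests an Admin permission but on a resource whose name carries none of the sensitive terms, so the high-risk rule does not fire: both halves of that rule (sensitive resource and elevated permission) must match, which is why a resource naming or tagging convention that omits terms like prod or pii silently weakens this detection.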