# Anomaly Detection

**Anomaly detection** identifies unusual or unexpected access activity and alerts users to it on the **Anomalies** page.

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-75a13e0fa90610c47f5f35cc8af3d692a9af6515%2Fanomalies-research%20(1).png?alt=media" alt="" width="563"><figcaption><p>Anomalies page</p></figcaption></figure>

This helps safeguard against risky access and keeps access to integrated tools under control:

* Detects high-risk access requests, approvals of previously rejected requests, and sudden requests from inactive users
* Flags repetitive or suspicious automated actions, so that automation does not become a way around just-in-time access
* Provides detailed information on each detected anomaly

Anomalies are sorted by detection date.

{% hint style="success" %}
You can also [create a webhook](https://docs.apono.io/docs/webhook-integrations/anomalies) to send Anomalies notifications to an internal system.
{% endhint %}

***

### Prerequisites

<table><thead><tr><th width="213">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>Apono Premium</strong></td><td><a href="https://www.apono.io/pricing/">Apono plan</a> providing the most features and dedicated account support</td></tr><tr><td><strong>Access Flow</strong></td><td>Minimum of one configured <a href="../access-flows/creating-access-flows-in-apono/self-serve-access-flows">self serve</a> access flow</td></tr></tbody></table>

***

### Investigate an anomaly

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-7a1d3433bee710d6baf8218ca00dea1d85f32ac9%2Fanomalies-alert-details%20(1).png?alt=media" alt="" width="563"><figcaption><p>Alert Details panel</p></figcaption></figure>

Follow these steps to investigate an anomaly:

1. On the [**Anomalies**](http://app.apono.io/access-anomalies) page, under the **RECOMMENDATION** column, click the icon (<img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdH8hX6IWnJu82yRNpKAnlvN9xHurmM6yB-I5lEvCx16DflGVTx9sP58PqdQ0BFOdX1A3kZwxnMd_7vqsqoNU_LxrxGZgr-kYbkt_f7lhyD443mSK44MQ12heNj5LRIBA-iMZ4dzjvkltKqqL5grSd_qGY?key=tqDTyrnRXeEn7h6TooM6nA" alt="" data-size="line">). The **Alert Details** panel opens.
2. Review the alert.
3. If the alert is a valid concern, [revoke the request](#revoke-access) and [update the access flow](#update-the-access-flow).

#### Revoke access

1. On the **Alert Details** panel, under **Alert Details**, click the **Request ID** link. The **Access request details** panel appears.
2. If the request **Status** is **Active**, click the **Timeline** tab to view the history details of the request.
3. On the **Resources** tab, click **Revoke Access** to revoke the request and the associated access. The request **Status** will change to **Revoked**.

#### Update the access flow

1. On the **Alert Details** panel, under **Alert Details**, click the **Access Flow** link. The **Edit Access Flow** page appears.
2. [Edit the access flow](https://docs.apono.io/docs/access-flows/manage-access-flows#edit-an-access-flow) (steps **3-5**).

***

### Filtering anomalies

Anomalies can be narrowed down with one or more of the filters below. Follow the steps in the table to apply each filter.

<table><thead><tr><th width="180">Filter</th><th>Description</th></tr></thead><tbody><tr><td><strong>All time</strong></td><td><p>Filters by a relative or absolute time range<br></p><p><strong>Relative</strong></p><p>Follow these steps to set a relative time filter:</p><ol><li>Click the first filter. A menu appears.</li><li>On the <strong>Relative</strong> tab, from the <strong>Last</strong> dropdown menu, select a time unit.</li><li>In the <strong>Last</strong> text field, enter a number.</li><li>(Optional) Click <strong>Round to the hours</strong> to start the time range at the nearest whole hour.</li><li>Click <strong>Apply</strong>. The filter turns blue and shows a summary of the filter.</li></ol><p><strong>Absolute</strong></p><p>Follow these steps to set an absolute time filter:</p><ol><li>Click the first filter. A menu appears.</li><li>On the <strong>Absolute</strong> tab, under <strong>From</strong>, select the start date from the date picker.</li><li>Select the start time (local system time) from the time picker.</li><li>Under <strong>To</strong>, select the end date from the date picker.</li><li>Select the end time (local system time) from the time picker.</li><li>(Optional) Click <strong>Use UTC</strong> to interpret the start and end times in Coordinated Universal Time (UTC) instead of local system time.</li><li>Click <strong>Apply</strong>. The filter turns blue and shows a summary of the filter.</li></ol></td></tr><tr><td><strong>Type</strong></td><td><p>Filters by <a href="#anomaly-types-reference">anomaly type</a></p><p>Follow these steps to filter by type:</p><ol><li>Click <strong>Type</strong>.</li><li>(Optional) In the <strong>Search…</strong> field, enter a full or partial type name. Only types matching the value entered are displayed.</li><li>Click the checkbox next to one or several types. The filter button turns blue and shows a summary of the filter.</li></ol></td></tr><tr><td><strong>Severity</strong></td><td><p>Filters by the level of concern Apono assigns to the anomaly<br></p><p>Follow these steps to filter by severity:</p><ol><li>Click <strong>Severity</strong>.</li><li>(Optional) In the <strong>Search…</strong> field, enter a full or partial severity. Only severities matching the value entered are displayed.</li><li>Click the checkbox next to one or several severities. The filter button turns blue and shows a summary of the filter.</li></ol></td></tr><tr><td><strong>Resource Type</strong></td><td><p>Filters by type of resource</p><p>Follow these steps to filter by resource type:</p><ol><li>Click <strong>Resource Type</strong>.</li><li>(Optional) In the <strong>Search…</strong> field, enter a full or partial resource type. Only resource types matching the value entered are displayed.</li><li>Click the checkbox next to one or several resource types. The filter button turns blue and shows a summary of the filter.</li></ol></td></tr><tr><td><strong>User</strong></td><td><p>Filters by requesting user<br></p><p>Follow these steps to filter by user:</p><ol><li>Click <strong>More Filters > User</strong>.</li><li>(Optional) In the <strong>Search…</strong> field, enter a full or partial username. Only users matching the value entered are displayed.</li><li>Click the checkbox next to one or several users. The filter button turns blue and shows a summary of the filter.</li></ol></td></tr><tr><td><strong>Integrations</strong></td><td><p>Filters by the integration the requested resource belongs to</p><p>Follow these steps to filter by integration:</p><ol><li>Click <strong>More Filters > Integration</strong>.</li><li>(Optional) In the <strong>Search…</strong> field, enter a full or partial integration name. Only integrations matching the value entered are displayed.</li><li>Click the checkbox next to one or several integrations. The filter button turns blue and shows a summary of the filter.</li></ol></td></tr></tbody></table>

***

### Anomaly Types Reference

The following table explains each anomaly type.

<table><thead><tr><th width="181">Anomaly Type</th><th>Description</th></tr></thead><tbody><tr><td><strong>Request high risk access</strong></td><td><p>Triggered when elevated access is requested on a sensitive resource, a combination that may pose a risk to the organization</p><p><strong>Sensitive Resource</strong></p><p>Resource name or tag contains one of the following:</p><ul><li><strong>customer</strong></li><li><strong>phi</strong></li><li><strong>pii</strong></li><li><strong>prod</strong></li></ul><p><strong>Elevated Access</strong></p><p>Permission name contains one of the following:</p><ul><li><strong>admin</strong></li><li><strong>full access</strong></li><li><strong>owner</strong></li></ul><p><strong>Recommended Actions:</strong></p><ul><li>Investigate this request.</li><li>Consider revoking this request.</li></ul></td></tr><tr><td><strong>Approved after being rejected in the past</strong></td><td><p>Triggered when a request of similar scope was manually rejected within the last 90 days and this request was subsequently approved<br></p><p>This may indicate one or both of the following circumstances:</p><ul><li>The requester should not have access.</li><li>The request was approved by human error.</li></ul><p><strong>Recommended Actions</strong>:</p><ul><li>Validate the approval with the previous and current approvers.</li><li>Consider revoking this request.</li></ul></td></tr><tr><td><strong>Inactive user detected</strong></td><td><p>Triggered when a user makes a request for the first time in 90 days</p><p>This may indicate one of the following:</p><ul><li>The requester is an infrequent user who needs new access.</li><li>The requester was recently on leave.</li><li>A client-side IdP off-boarding misconfiguration has allowed a requester who recently separated from the company to retain request permissions.</li></ul><p><strong>Recommended Action</strong>:</p><ul><li>Validate that the user should be granted access.</li></ul></td></tr><tr><td><strong>Access automation detected</strong></td><td><p>Code has made repeated requests with similar</p><p>This may indicate that someone is using CLI commands or other cloud automations to bypass the just-in-time mechanism.<br></p><p><strong>Recommended Action</strong>:</p><ul><li>Investigate the request with the requester.</li></ul></td></tr></tbody></table>
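To make the heuristics in the table concrete, the following Python script is an added example (not Apono's code) that re-implements the four rules and runs them over a handful of constructed access-request records. The record fields, the status values, the meaning of "similar scope" (same requester, resource and permission), the decision not to flag a user with no history at all, and the burst threshold for automation (five same-scope requests within ten minutes) are all assumptions; the page does not specify them. The marker lists and the 90-day window come from the table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Markers from the Anomaly Types Reference table, matched case-insensitively.
SENSITIVE_MARKERS = ("customer", "phi", "pii", "prod")
ELEVATED_MARKERS = ("admin", "full access", "owner")
LOOKBACK = timedelta(days=90)
# Assumed burst threshold for "Access automation detected"; the page states none.
AUTOMATION_COUNT = 5
AUTOMATION_WINDOW = timedelta(minutes=10)

@dataclass(frozen=True)
class AccessRequest:
    """Assumed shape of an access-request record; not Apono's schema."""
    request_id: str
    requester: str
    resource: str
    tags: tuple
    permission: str
    status: str            # assumed values: "approved" or "rejected"
    requested_at: datetime

@dataclass(frozen=True)
class Anomaly:
    request_id: str
    anomaly_type: str
    detected_at: datetime

def contains_marker(text, markers):
    lowered = text.lower()
    return any(marker in lowered for marker in markers)

def is_high_risk(req):
    """Request high risk access: sensitive resource name/tag AND elevated permission."""
    sensitive = contains_marker(req.resource, SENSITIVE_MARKERS) or any(
        contains_marker(tag, SENSITIVE_MARKERS) for tag in req.tags)
    return sensitive and contains_marker(req.permission, ELEVATED_MARKERS)

def same_scope(a, b):
    """Assumed meaning of 'similar scope': same requester, resource and permission."""
    return (a.requester, a.resource, a.permission) == (b.requester, b.resource, b.permission)

def approved_after_rejection(req, earlier):
    """Approved after being rejected: a same-scope request was rejected in the last 90 days."""
    if req.status != "approved":
        return False
    return any(e.status == "rejected" and same_scope(e, req)
               and req.requested_at - e.requested_at <= LOOKBACK for e in earlier)

def inactive_user(req, earlier):
    """Inactive user: prior requests exist, none in the last 90 days (new users not flagged; assumed)."""
    mine = [e for e in earlier if e.requester == req.requester]
    return bool(mine) and all(req.requested_at - e.requested_at > LOOKBACK for e in mine)

def access_automation(req, earlier):
    """Access automation: a burst of same-scope requests, i.e. a script driving the JIT flow."""
    burst = [e for e in earlier
             if same_scope(e, req) and req.requested_at - e.requested_at <= AUTOMATION_WINDOW]
    return len(burst) + 1 >= AUTOMATION_COUNT

RULES = (
    ("Request high risk access", lambda req, earlier: is_high_risk(req)),
    ("Approved after being rejected in the past", approved_after_rejection),
    ("Inactive user detected", inactive_user),
    ("Access automation detected", access_automation),
)

def detect(requests):
    """Evaluate each rule per request against only the requests that preceded it;
    return anomalies sorted by detection date, newest first, as the Anomalies page does."""
    ordered = sorted(requests, key=lambda r: r.requested_at)
    found = []
    for i, req in enumerate(ordered):
        earlier = ordered[:i]
        found += [Anomaly(req.request_id, name, req.requested_at)
                  for name, rule in RULES if rule(req, earlier)]
    return sorted(found, key=lambda a: a.detected_at, reverse=True)

# Constructed sample records; every user, resource and timestamp is made up.
T0 = datetime(2024, 6, 1, 9, 0)
H = timedelta(hours=1)
SAMPLE_REQUESTS = [
    # Routine request: nothing should fire.
    AccessRequest("r1", "alice", "billing-reports", ("team:finance",), "Read only", "approved", T0),
    # Admin permission on a resource tagged prod/pii -> high risk.
    AccessRequest("r2", "bob", "orders-db", ("env:prod", "pii"), "DB Admin", "approved", T0 + H),
    # carol: same scope rejected 30 days ago, approved now.
    AccessRequest("r3", "carol", "payments-vault", (), "Owner", "rejected", T0 - timedelta(days=30)),
    AccessRequest("r4", "carol", "payments-vault", (), "Owner", "approved", T0 + 2 * H),
    # dave: previous request 120 days ago -> inactive user.
    AccessRequest("r5", "dave", "wiki", (), "Editor", "approved", T0 - timedelta(days=120)),
    AccessRequest("r6", "dave", "wiki", (), "Editor", "approved", T0 + 3 * H),
    # eve: five identical requests two minutes apart -> automation.
    *[AccessRequest(f"r{7 + k}", "eve", "staging-cluster", (), "Deploy", "approved",
                    T0 + 4 * H + timedelta(minutes=2 * k)) for k in range(5)],
]

if __name__ == "__main__":
    for a in detect(SAMPLE_REQUESTS):
        print(f"{a.detected_at:%Y-%m-%d %H:%M}  {a.request_id:<4}{a.anomaly_type}")
```

Running the script prints four anomalies, newest first: the automation burst, the inactive user, the approval after rejection, and the high-risk request. Note that carol's request carries an **Owner** permission but does not trip the high-risk rule, because the rule needs both a sensitive resource and an elevated permission; that conjunction is why the page's list of markers matters when naming and tagging resources.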
