# Anomaly Detection

**Anomalies** identify and alert users to unusual or unexpected activities within a system.

<figure><img src="/files/1MtDZ6Ntw6RaeNz70pBc" alt="" width="563"><figcaption><p>Anomalies page</p></figcaption></figure>

This helps to safeguard against potential risks and ensure that tool access remains controlled:

* Detects high-risk access requests, approvals of previously rejected requests, and sudden requests from inactive users
* Flags repetitive or suspicious automated actions, ensuring that automation doesn't become a security vulnerability
* Provides detailed information on each detected anomaly

Anomalies are sorted by detection date.

{% hint style="success" %}
You can also [create a webhook](/docs/webhook-integrations/anomalies.md) to send Anomalies notifications to an internal system.
{% endhint %}

***

### Prerequisites

<table><thead><tr><th width="213">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>Apono Premium</strong></td><td><a href="https://www.apono.io/pricing/">Apono plan</a> providing the most features and dedicated account support</td></tr><tr><td><strong>Access Flow</strong></td><td>Minimum of one configured <a href="/pages/sVn2oYvXxhOI9ZIEDDvo">self serve</a> access flow</td></tr></tbody></table>

***

### Investigate an anomaly

<figure><img src="/files/DRMQCXWN8s4L1fqbsKLv" alt="" width="563"><figcaption><p>Alert Details panel</p></figcaption></figure>

Follow these steps to investigate an anomaly:

1. On the [**Anomalies**](http://app.apono.io/access-anomalies) page, under the **RECOMMENDATION** column, click the icon (<img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdH8hX6IWnJu82yRNpKAnlvN9xHurmM6yB-I5lEvCx16DflGVTx9sP58PqdQ0BFOdX1A3kZwxnMd_7vqsqoNU_LxrxGZgr-kYbkt_f7lhyD443mSK44MQ12heNj5LRIBA-iMZ4dzjvkltKqqL5grSd_qGY?key=tqDTyrnRXeEn7h6TooM6nA" alt="" data-size="line">). The **Alert Details** panel opens.
2. Review the alert.
3. If the alert is a valid concern, [revoke the request](#revoke-access) and [update the access flow](#update-the-access-flow).

#### Revoke access

1. On the **Alert Details** panel, under **Alert Details**, click the **Request ID** link. The **Access request details** panel appears.
2. If the request **Status** is **Active**, click the **Timeline** tab to view the history details of the request.
3. On the **Resources** tab, click **Revoke Access** to revoke the request and the associated access. The request **Status** will change to **Revoked**.

#### Update the access flow

1. On the **Alert Details** panel, under **Alert Details**, click the **Access Flow** link. The **Edit Access Flow** page appears.
2. [Edit the access flow](/docs/access-flows/manage-access-flows.md#edit-an-access-flow) (steps **3-5**).

***

### Filtering anomalies

Anomalies can be narrowed down with one or more filters. The table below describes each filter and the steps to apply it.

<table><thead><tr><th width="180">Filter</th><th>Description</th></tr></thead><tbody><tr><td><strong>All time</strong></td><td><p>Filters by a relative or absolute time range<br></p><p><strong>Relative</strong></p><p>Follow these steps to set the relative time filter:</p><ol><li>Click the first filter. A menu appears.</li><li>On the <strong>Relative</strong> tab, from the <strong>Last</strong> dropdown menu, select a time unit.</li><li>In the <strong>Last</strong> text field, enter a number.</li><li>(Optional) Click <strong>Round to the hours</strong> to begin the time filtering from the nearest hour.</li><li>Click <strong>Apply</strong>. The filter turns blue and shows a summary of the filter.</li></ol><p><strong>Absolute</strong></p><p>Follow these steps to set the absolute time filter:</p><ol><li>Click the first filter. A menu appears.</li><li>On the <strong>Absolute</strong> tab, under <strong>From</strong>, select the start date of the time filter from the date picker.</li><li>Select the start time (local system time) of the time filter from the time picker.</li><li>Under <strong>To</strong>, select the end date of the time filter from the date picker.</li><li>Select the end time (local system time) of the time filter from the time picker.</li><li>(Optional) Click <strong>Use UTC</strong> to apply the Coordinated Universal Time (UTC) timezone to the start and end times instead of the local system time.</li><li>Click <strong>Apply</strong>. The filter turns blue and shows a summary of the filter.</li></ol></td></tr><tr><td><strong>Type</strong></td><td><p>Filters by type of <a href="#anomaly-types-reference">anomaly</a></p><p>Follow these steps to filter by anomaly type:</p><ol><li>Click <strong>Type</strong>.</li><li>(Optional) In the <strong>Search…</strong> field, enter a full or partial type.</li><li>Click the checkbox next to one or several types. The filter button turns blue and shows a summary of the filter.</li></ol></td></tr><tr><td><strong>Severity</strong></td><td><p>Filters by the level of concern Apono assigns to the anomaly<br></p><p>Follow these steps to filter by severity:</p><ol><li>Click <strong>Severity</strong>.</li><li>(Optional) In the <strong>Search…</strong> field, enter a full or partial severity. Only severities matching the value entered will be displayed.</li><li>Click the checkbox next to one or several severities. The filter button turns blue and shows a summary of the filter.</li></ol></td></tr><tr><td><strong>Resource Type</strong></td><td><p>Filters by type of resource</p><p>Follow these steps to filter by resource type:</p><ol><li>Click <strong>Resource Type</strong>.</li><li>(Optional) In the <strong>Search…</strong> field, enter a full or partial resource type.</li><li>Click the checkbox next to one or several resource types. The filter button turns blue and shows a summary of the filter.</li></ol></td></tr><tr><td><strong>User</strong></td><td><p>Filters by user<br></p><p>Follow these steps to filter by user:</p><ol><li>Click <strong>More Filters > User</strong>.</li><li>(Optional) In the <strong>Search…</strong> field, enter a full or partial username.</li><li>Click the checkbox next to one or several users. The filter button turns blue and shows a summary of the filter.</li></ol></td></tr><tr><td><strong>Integrations</strong></td><td><p>Filters by integration</p><p>Follow these steps to filter by integration:</p><ol><li>Click <strong>More Filters > Integration</strong>.</li><li>(Optional) In the <strong>Search…</strong> field, enter a full or partial integration name.</li><li>Click the checkbox next to one or several integrations. The filter button turns blue and shows a summary of the filter.</li></ol></td></tr></tbody></table>

***

### Anomaly Types Reference

The following table explains each anomaly type.

<table><thead><tr><th width="181">Anomaly Type</th><th>Description</th></tr></thead><tbody><tr><td><strong>Request high risk access</strong></td><td><p>Triggered when elevated access is requested to a sensitive resource, which may pose a risk to the organization</p><p><strong>Sensitive Resource</strong></p><p>Resource name or tag contains one of the following:</p><ul><li><strong>customer</strong></li><li><strong>phi</strong></li><li><strong>pii</strong></li><li><strong>prod</strong></li></ul><p><strong>Elevated Access</strong></p><p>Permission name contains one of the following:</p><ul><li><strong>admin</strong></li><li><strong>full access</strong></li><li><strong>owner</strong></li></ul><p><strong>Recommended Actions:</strong></p><ul><li>Investigate this request.</li><li>Consider revoking this request.</li></ul></td></tr><tr><td><strong>Approved after being rejected in the past</strong></td><td><p>Triggered when a request of similar scope was manually rejected and subsequently approved within the last 90 days<br></p><p>This may indicate one or both of the following:</p><ul><li>The requester should not have access.</li><li>The request was approved due to human error.</li></ul><p><strong>Recommended Actions</strong>:</p><ul><li>Validate the approval with the previous and current approvers.</li><li>Consider revoking this request.</li></ul></td></tr><tr><td><strong>Inactive user detected</strong></td><td><p>Triggered when a user makes a request for the first time in 90 days</p><p>This may indicate one of the following:</p><ul><li>The requester is an infrequent user who needs new access.</li><li>The requester was recently on leave.</li><li>A client-side IdP off-boarding misconfiguration has allowed a requester who recently separated from the company to retain request permissions.</li></ul><p><strong>Recommended Action</strong>:</p><ul><li>Validate that the user should be granted access.</li></ul></td></tr><tr><td><strong>Access automation detected</strong></td><td><p>Code has made repeated requests with similar</p><p>This may indicate that someone is using CLI commands or other cloud automation to bypass the just-in-time mechanism.<br></p><p><strong>Recommended Action</strong>:</p><ul><li>Investigate the request with the requester.</li></ul></td></tr></tbody></table>
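As an added example (not Apono's code), the following Python turns the three rule-based anomaly types in the table above into detection logic run over a constructed set of access requests. The meaning of "similar scope" (same user, resource and permission) and judging inactivity from the user's most recent earlier request are assumptions; the automation type is not modeled because the page does not state its rule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Keyword lists from the Anomaly Types Reference table; 90-day window as stated there.
SENSITIVE = ("customer", "phi", "pii", "prod")  # matched against resource name or tags
ELEVATED = ("admin", "full access", "owner")     # matched against permission name
WINDOW = timedelta(days=90)

@dataclass
class Request:
    id: str
    user: str
    resource: str
    permission: str
    status: str  # "approved" or "rejected"
    at: datetime
    tags: tuple = ()

def is_sensitive(r):
    texts = [r.resource.lower(), *(t.lower() for t in r.tags)]
    return any(k in s for s in texts for k in SENSITIVE)
def is_elevated(r):
    return any(k in r.permission.lower() for k in ELEVATED)

def detect(r, history):
    # Returns the anomaly type names raised for request r, given earlier requests.
    found = []
    if is_sensitive(r) and is_elevated(r):
        found.append("Request high risk access")
    # Assumption: "similar scope" means same user, resource and permission.
    same_scope = [h for h in history if h.at < r.at and
                  (h.user, h.resource, h.permission) == (r.user, r.resource, r.permission)]
    if r.status == "approved" and any(h.status == "rejected" and r.at - h.at <= WINDOW
                                      for h in same_scope):
        found.append("Approved after being rejected in the past")
    # Assumption: inactivity is judged from the user's most recent earlier request.
    prior = [h.at for h in history if h.user == r.user and h.at < r.at]
    if prior and r.at - max(prior) > WINDOW:
        found.append("Inactive user detected")
    return found

# Constructed sample data, not real Apono records.
NOW = datetime(2024, 6, 1)
HISTORY = [Request("r-1", "alice", "orders-db-prod", "read", "approved", NOW - timedelta(days=120)),
           Request("r-2", "bob", "billing-api", "full access", "rejected", NOW - timedelta(days=30), ("pii",))]
SAMPLE = [Request("r-3", "alice", "orders-db-prod", "admin", "approved", NOW),
          Request("r-4", "bob", "billing-api", "full access", "approved", NOW, ("pii",)),
          Request("r-5", "carol", "wiki", "read", "approved", NOW)]

def run(requests=SAMPLE, history=HISTORY):
    return {r.id: detect(r, history) for r in requests}
```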
