detect_anomalies
Identify unusual secret access patterns like burst reads or off-hour usage to detect potential security risks and provide actionable recommendations.
Instructions
Scan for anomalous secret access patterns: burst reads, unusual-hour access. Returns findings and recommendations.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| key | No | Check anomalies for a specific key | |
Implementation Reference
- src/core/observer.ts:127-155 (handler): the core implementation of the detectAnomalies function, which analyzes audit logs for burst or unusual access patterns.

```typescript
export function detectAnomalies(key?: string): AccessAnomaly[] {
  // Pull the last hour of read events; when no key is given this spans every key.
  const recent = queryAudit({
    key,
    action: "read",
    since: new Date(Date.now() - 3600000).toISOString(), // last hour
  });
  const anomalies: AccessAnomaly[] = [];

  // Burst detection: more than 50 reads of the same key in an hour.
  // Only evaluated when a key was requested, because without one `recent`
  // mixes reads of all keys and the count would not be per key.
  if (key && recent.length > 50) {
    anomalies.push({
      type: "burst",
      description: `${recent.length} reads of "${key}" in the last hour`,
      events: recent.slice(0, 10),
    });
  }

  // Unusual hour detection: access between 1am-5am local time.
  // getHours() uses the timezone of the process running the server.
  const nightAccess = recent.filter((e) => {
    const hour = new Date(e.timestamp).getHours();
    return hour >= 1 && hour < 5;
  });
  if (nightAccess.length > 0) {
    anomalies.push({
      type: "unusual-hour",
      description: `${nightAccess.length} access(es) during unusual hours (1am-5am)`,
      events: nightAccess,
    });
  }
  // The source listing is truncated after `events: nightAccess,`; the closing
  // lines below follow from the declared return type.
  return anomalies;
}
```

- src/mcp/server.ts:534-549 (registration): MCP tool registration for 'detect_anomalies' in the MCP server setup.

```typescript
server.tool(
  "detect_anomalies",
  "Scan for anomalous secret access patterns: burst reads, unusual-hour access. Returns findings and recommendations.",
  {
    key: z.string().optional().describe("Check anomalies for a specific key"),
  },
  async (params) => {
    const anomalies = detectAnomalies(params.key);
    if (anomalies.length === 0) return text("No anomalies detected");
    // One line per finding; the handler emits findings only, the
    // recommendations named in the description are not produced here.
    const lines = anomalies.map(
      (a) => `[${a.type}] ${a.description}`,
    );
    return text(lines.join("\n"));
  },
);
```
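The handler above has two limits a defender will notice: a scan without a key never reports bursts (the count is not per key), and the quiet-hours check depends on the server's local timezone. The following is an added example, not code from this project, that generalizes the same two checks: reads are grouped per key and scanned with a sliding window over a longer lookback, and quiet hours are evaluated in UTC. The AuditEvent shape, the option names, the 24-hour lookback and the sample log are all constructed for this illustration; the 50-reads-per-hour threshold and the 1am-5am window are taken from the page.

```typescript
// Added example (not the project's code): per-key burst detection with a
// sliding window, plus a timezone-explicit quiet-hours check.

interface AuditEvent {
  key: string;
  action: "read" | "write";
  timestamp: string; // ISO 8601 with explicit UTC offset (constructed shape)
}

interface AccessAnomaly {
  type: "burst" | "unusual-hour";
  key: string;
  count: number;
  description: string;
  events: AuditEvent[]; // at most 10 sample events, as the page's handler does
}

interface AnomalyOptions {
  lookbackMs: number;              // how far back to scan (assumption: 24h)
  windowMs: number;                // burst window length
  burstThreshold: number;          // reads within one window that count as a burst
  quietHoursUtc: [number, number]; // [start, end) hour of day, UTC
}

const DEFAULT_OPTIONS: AnomalyOptions = {
  lookbackMs: 24 * 3600000,
  windowMs: 3600000,
  burstThreshold: 50, // page's threshold: more than 50 reads in an hour
  quietHoursUtc: [1, 5], // page's window: 1am-5am, here pinned to UTC
};

// Constructed sample log: a read storm on one key, two night-time reads on another,
// a write that must be ignored and a read older than the lookback window.
function sampleLog(): AuditEvent[] {
  const events: AuditEvent[] = [];
  const base = Date.parse("2024-06-01T12:00:00Z");
  for (let i = 0; i < 60; i++) {
    events.push({ key: "db/password", action: "read", timestamp: new Date(base + i * 30000).toISOString() });
  }
  events.push({ key: "db/password", action: "write", timestamp: "2024-06-01T11:59:00Z" });
  for (const t of ["2024-06-01T03:15:00Z", "2024-06-01T03:40:00Z", "2024-06-01T09:00:00Z",
                   "2024-06-01T14:00:00Z", "2024-06-01T16:00:00Z"]) {
    events.push({ key: "api/token", action: "read", timestamp: t });
  }
  events.push({ key: "api/token", action: "read", timestamp: "2024-05-30T03:00:00Z" }); // outside lookback
  return events;
}

// Densest window of length windowMs over sorted epoch-millisecond times,
// returned as a count plus the index range [start, end) of that window.
function maxWindow(times: number[], windowMs: number): { count: number; start: number; end: number } {
  let best = { count: 0, start: 0, end: 0 };
  let lo = 0;
  for (let hi = 0; hi < times.length; hi++) {
    while (times[hi] - times[lo] >= windowMs) lo++;
    const count = hi - lo + 1;
    if (count > best.count) best = { count, start: lo, end: hi + 1 };
  }
  return best;
}

function detectAnomalies(
  log: AuditEvent[],
  now: number = Date.now(),
  key?: string,
  opts: AnomalyOptions = DEFAULT_OPTIONS,
): AccessAnomaly[] {
  const since = now - opts.lookbackMs;
  const reads = log
    .filter((e) => e.action === "read" && (!key || e.key === key) && Date.parse(e.timestamp) >= since)
    .sort((a, b) => Date.parse(a.timestamp) - Date.parse(b.timestamp));

  // Group by key so a scan without a key still produces per-key burst counts.
  const byKey = new Map<string, AuditEvent[]>();
  for (const e of reads) {
    const bucket = byKey.get(e.key);
    if (bucket) bucket.push(e); else byKey.set(e.key, [e]);
  }

  const anomalies: AccessAnomaly[] = [];
  const [qStart, qEnd] = opts.quietHoursUtc;
  for (const k of Array.from(byKey.keys()).sort()) {
    const events = byKey.get(k)!;
    const w = maxWindow(events.map((e) => Date.parse(e.timestamp)), opts.windowMs);
    if (w.count > opts.burstThreshold) {
      anomalies.push({
        type: "burst", key: k, count: w.count,
        description: `${w.count} reads of "${k}" within ${opts.windowMs / 60000} minutes`,
        events: events.slice(w.start, Math.min(w.end, w.start + 10)),
      });
    }
    const night = events.filter((e) => {
      const h = new Date(e.timestamp).getUTCHours();
      return h >= qStart && h < qEnd;
    });
    if (night.length > 0) {
      anomalies.push({
        type: "unusual-hour", key: k, count: night.length,
        description: `${night.length} read(s) of "${k}" between ${qStart}:00 and ${qEnd}:00 UTC`,
        events: night.slice(0, 10),
      });
    }
  }
  return anomalies;
}
```

Running `detectAnomalies(sampleLog(), Date.parse("2024-06-01T18:00:00Z"))` reports two findings: the night-time reads of `api/token` and the 60-read burst on `db/password`, which the page's version would have missed without an explicit key. Pinning quiet hours to UTC (or to the tenant's declared timezone) matters because a server deployed in a different region would otherwise shift the window silently.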