detect_anomalies
Identify unusual secret access patterns like burst reads or off-hour usage to detect potential security issues and provide actionable recommendations.
Instructions
Scan for anomalous secret access patterns: burst reads, unusual-hour access. Returns findings and recommendations.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| key | No | Check anomalies for a specific key | |
Implementation Reference
- src/core/observer.ts:127-160 (handler) — The implementation of the `detectAnomalies` function, which analyzes the audit log for burst and unusual-hour access patterns.
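/**
 * Tuning options for {@link detectAnomalies}.
 */
export interface DetectAnomaliesOptions {
  /**
   * Number of reads of a single key within the scanned hour above which a
   * "burst" finding is raised. Defaults to 50, the previously hard-coded limit.
   */
  burstThreshold?: number;
}

/** Audit window scanned by {@link detectAnomalies}: the last hour, in milliseconds. */
const ANOMALY_WINDOW_MS = 60 * 60 * 1000;

/** Host-local hour range [start, end) treated as "unusual" for secret access. */
const UNUSUAL_HOUR_START = 1;
const UNUSUAL_HOUR_END = 5;

/**
 * Scan the audit log for anomalous secret reads during the last hour.
 *
 * Two heuristics are applied to the `read` events returned by `queryAudit`:
 * - burst: raised only when `key` is given and more than `burstThreshold`
 *   reads of that key fall in the window. A scan without `key` performs no
 *   burst detection at all, because events are not grouped per key here.
 * - unusual-hour: any read whose timestamp falls between 1am and 5am in the
 *   process's local time zone (`Date#getHours`), so the result depends on
 *   the TZ of the host running the scan, not on the caller's.
 *
 * @param key - Restrict the scan to one secret key; omit to scan all reads.
 * @param options - Optional tuning; see {@link DetectAnomaliesOptions}.
 * @returns Findings in detection order (burst first, then unusual-hour);
 *   empty when nothing is anomalous. Only findings are produced — the
 *   recommendations mentioned in the tool description are presumably added
 *   by the caller.
 */
export function detectAnomalies(
  key?: string,
  options: DetectAnomaliesOptions = {},
): AccessAnomaly[] {
  // `??` rather than `||` so an explicit threshold of 0 is honoured.
  const burstThreshold = options.burstThreshold ?? 50;
  const since = new Date(Date.now() - ANOMALY_WINDOW_MS).toISOString();
  const recent = queryAudit({ key, action: "read", since });
  const anomalies: AccessAnomaly[] = [];

  if (key && recent.length > burstThreshold) {
    anomalies.push({
      type: "burst",
      description: `${recent.length} reads of "${key}" in the last hour`,
      // Only a sample of the matching events is attached (in whatever order
      // queryAudit returned them); the full count is in the description.
      events: recent.slice(0, 10),
    });
  }

  // An unparseable timestamp yields NaN from getHours(), which fails both
  // comparisons and is therefore silently not counted.
  const nightAccess = recent.filter((e) => {
    const hour = new Date(e.timestamp).getHours();
    return hour >= UNUSUAL_HOUR_START && hour < UNUSUAL_HOUR_END;
  });
  if (nightAccess.length > 0) {
    anomalies.push({
      type: "unusual-hour",
      description: `${nightAccess.length} access(es) during unusual hours (1am-5am)`,
      events: nightAccess,
    });
  }

  return anomalies;
}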