ML Task · NER + anomaly detection

Access Anomaly Detector reference implementation

Named-entity recognition (NER) pipeline that transforms unstructured access logs into actionable compliance artifacts and near-real-time alerts.

  • Domain: Data security & auditability
  • Guardrail: VPC-only & KMS everywhere
  • Platform fee: $2,250/mo + compliance support
  • Focus: Access hygiene. Entity-linked compliance narratives.
  • Guardrail: Zero egress. Private subnets + customer-managed KMS keys.
  • Outcome: Audit-ready. Exports map directly to IAM approvals.

Anomaly score vs. entity baseline

Named-entity recognition and graph context surface risky access spikes. You can show interviewers how anomaly scores stay explainable against learned baselines and alert thresholds.

[Chart: anomaly detector score versus entity baseline and alert threshold. X axis: observation window (hour), 00:00 to 09:00. Y axis: risk score, 0.03 to 0.42. Alert threshold: 0.25. Series: entity risk delta, anomaly score, behavior baseline, alert threshold.]
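The chart above plots an anomaly score against a learned per-entity baseline with a fixed alert threshold. The block below is an added example of how such a score can be kept explainable; it is not code from the reference implementation described on this page. Only the 0.25 threshold comes from the chart; the three feature names, the z-score rule, the std floor, the scaling constant and the hourly counts are all assumptions, and the sample history is constructed rather than taken from real logs.

```python
"""Explainable anomaly score against a per-entity baseline (added example).

Not the page's implementation. The 0.25 alert threshold is from the page's
chart; the features, scoring rule, constants and sample data are assumptions.
"""
from __future__ import annotations

import math
import statistics
from dataclasses import dataclass, field

ALERT_THRESHOLD = 0.25   # alert threshold shown on the page's chart
STD_FLOOR = 1.0          # assumption: never divide by a zero std for a constant feature
SCALE = 8.0              # assumption: softens the summed z-scores into a 0..1 score

# Hourly activity features per entity. Constructed sample data, not real logs.
FEATURES = ("privileged_api_calls", "distinct_source_ips", "failed_auths")

HISTORY = {
    "arn:aws:iam::123456789012:user/alice": [
        (2, 1, 0), (4, 1, 0), (2, 1, 0), (4, 1, 0), (2, 1, 0), (4, 1, 0), (2, 1, 0), (4, 1, 0),
    ],
    "arn:aws:iam::123456789012:role/ci-deployer": [
        (10, 2, 1), (14, 2, 1), (10, 2, 1), (14, 2, 1), (10, 2, 1), (14, 2, 1), (10, 2, 1), (14, 2, 1),
    ],
}


@dataclass(frozen=True)
class Baseline:
    """Per-feature mean and population std learned from one entity's history."""
    mean: dict[str, float]
    std: dict[str, float]


@dataclass
class ScoreResult:
    entity: str
    score: float
    alert: bool
    contributions: dict[str, float] = field(default_factory=dict)  # share of total deviation per feature

    @property
    def top_feature(self) -> str | None:
        """The feature that drove the score: this is what a reviewer sees as the explanation."""
        if not self.contributions:
            return None
        return max(self.contributions, key=self.contributions.get)


def fit_baselines(history: dict[str, list[tuple[int, ...]]]) -> dict[str, Baseline]:
    """Learn one baseline per entity from its observation window."""
    baselines = {}
    for entity, rows in history.items():
        cols = list(zip(*rows))
        mean = {f: statistics.fmean(c) for f, c in zip(FEATURES, cols)}
        std = {f: max(statistics.pstdev(c), STD_FLOOR) for f, c in zip(FEATURES, cols)}
        baselines[entity] = Baseline(mean, std)
    return baselines


def score_observation(entity: str, baseline: Baseline, obs: dict[str, int]) -> ScoreResult:
    """Score one hour of activity. Only upward deviations count: doing less than usual is not risky."""
    z = {}
    for f in FEATURES:
        delta = obs[f] - baseline.mean[f]
        z[f] = max(0.0, delta) / baseline.std[f]
    total = sum(z.values())
    score = 1.0 - math.exp(-total / SCALE)   # monotone in total deviation, bounded in [0, 1)
    contributions = {f: (v / total if total else 0.0) for f, v in z.items()}
    return ScoreResult(entity, score, score >= ALERT_THRESHOLD, contributions)


BASELINES = fit_baselines(HISTORY)

if __name__ == "__main__":
    alice = "arn:aws:iam::123456789012:user/alice"
    deployer = "arn:aws:iam::123456789012:role/ci-deployer"
    for entity, obs in [
        (alice, {"privileged_api_calls": 5, "distinct_source_ips": 1, "failed_auths": 0}),
        (alice, {"privileged_api_calls": 16, "distinct_source_ips": 1, "failed_auths": 0}),
        (deployer, {"privileged_api_calls": 16, "distinct_source_ips": 2, "failed_auths": 1}),
    ]:
        r = score_observation(entity, BASELINES[entity], obs)
        print(f"{entity.split('/')[-1]:12} score={r.score:.3f} alert={r.alert} driver={r.top_feature}")
```

The same raw count (16 privileged calls in an hour) is an alert for alice and routine for the deployer role, which is the point of a per-entity baseline; the contributions dict tells the reviewer which feature tripped it.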

Detection fidelity dashboard

Highlight precision, containment, and evidence rigor so hiring managers see how the NER + anomaly stack behaves in the real world.

  • Precision @ alert: 93%. Entity graph enrichment slashes false positives against privileged access spikes.
  • Mean time to contain: 7 min. EventBridge-driven Slack/PagerDuty workflow pre-populates reviewers with context and policy lineage.
  • Evidence completeness: 100%. Every alert packages IAM approvals, device posture, and KMS audit logs for quarterly reviews.

Automation hooks

  • Graph embeddings retrain nightly with drift diffs published to Security Hub before promotion.
  • High-severity anomalies spawn immutable evidence bundles in KMS-encrypted buckets with lifecycle policies.
  • Service Control Policy checks block IAM rollouts that lack regression results from the anomaly detector.

Anomaly pipeline lifecycle

From log ingestion through entity graphing and risk scoring, every stage is observable and locked behind your security baseline.

  • Log ingestion + tokenisation. Step Functions flow batches CloudTrail, Okta, and custom SaaS logs into Glue jobs that scrub secrets and prep entities for embedding.
  • Entity graph + risk scoring. Named entities join with IAM Identity Center data; graph edges track device posture, location, and approval lineage before an anomaly score ships.
  • Compliance export. Detections publish into Security Hub + ServiceNow with justifications, reviewer links, and retention policies suited for audits.
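The three lifecycle stages above (scrub and tokenise, extract entities and build graph edges, then score and export) are shown end to end in the following added example. It is not the Glue or Step Functions code the page describes: the events are constructed JSON lines in a CloudTrail-like shape, the secret field names, the regexes, the edge types and the `approvalTicket` request parameter are assumptions, and the session token and bearer token in the sample are fake values placed there to show the scrubber working.

```python
"""Ingestion, secret scrubbing, entity extraction and graph context (added example).

Not the page's pipeline code. Events, field names, regexes and edge types are
assumptions; the sample lines are constructed, not real CloudTrail.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict
from typing import Iterable

# Keys whose values must never reach the feature store (assumption).
SECRET_KEYS = {"password", "secretAccessKey", "sessionToken", "token", "authorization"}
BEARER_RE = re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]+")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
EDGE_TYPES = ("source_ip", "device", "region", "approval", "target", "action")

# Constructed history for alice, then two fresh events (the second one is the interesting one).
HISTORY_LINES = [
    '{"eventTime":"2024-05-01T08:00:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","awsRegion":"us-east-1","sourceIPAddress":"10.0.1.5","userAgent":"aws-cli/2.15.0","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"userName":"svc-build","approvalTicket":"CHG-1042"}}',
    '{"eventTime":"2024-05-01T09:00:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","awsRegion":"us-east-1","sourceIPAddress":"10.0.1.5","userAgent":"aws-cli/2.15.0","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/ci-deployer"}}',
]
NEW_LINES = [
    '{"eventTime":"2024-05-01T10:00:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","awsRegion":"us-east-1","sourceIPAddress":"10.0.1.5","userAgent":"aws-cli/2.15.0","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/ci-deployer"}}',
    '{"eventTime":"2024-05-01T10:07:00Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","awsRegion":"eu-west-1","sourceIPAddress":"203.0.113.9","userAgent":"Boto3/1.34.0","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice","sessionToken":"FwoGZXIvYXdzEXAMPLE"},"requestParameters":{"policyArn":"arn:aws:iam::aws:policy/AdministratorAccess","userName":"alice"},"additionalEventData":{"note":"Authorization: Bearer eyJhbGciOi.abc.def"}}',
]


def scrub(obj):
    """Recursively redact secret-bearing keys and bearer tokens before anything is embedded."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k in SECRET_KEYS else scrub(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    if isinstance(obj, str):
        return BEARER_RE.sub("Bearer [REDACTED]", obj)
    return obj


def extract_entities(event: dict) -> dict[str, str | None]:
    """Named entities the graph is keyed on. Missing fields stay None rather than becoming a fake node."""
    ident = event.get("userIdentity") or {}
    params = event.get("requestParameters") or {}
    ip = event.get("sourceIPAddress")
    return {
        "principal": ident.get("arn") or ident.get("principalId"),
        "action": f'{event.get("eventSource")}:{event.get("eventName")}',
        "source_ip": ip if ip and IPV4_RE.match(ip) else None,   # AWS-service callers carry a hostname here
        "device": event.get("userAgent"),
        "region": event.get("awsRegion"),
        "approval": params.get("approvalTicket"),                # hypothetical custom field for approval lineage
        "target": params.get("roleArn") or params.get("policyArn") or params.get("userName"),
    }


def event_edges(ent: dict) -> set[tuple[str, str, str]]:
    """Directed edges principal -[type]-> value, one per populated entity."""
    p = ent["principal"]
    return {(p, t, ent[t]) for t in EDGE_TYPES if p and ent.get(t)}


class EntityGraph:
    def __init__(self) -> None:
        self.edges: set[tuple[str, str, str]] = set()
        self.degree: dict[str, int] = defaultdict(int)

    def add(self, ent: dict) -> None:
        for e in event_edges(ent):
            if e not in self.edges:
                self.edges.add(e)
                self.degree[e[0]] += 1

    def novel_edges(self, ent: dict) -> list[tuple[str, str, str]]:
        """Edges this event would add: context the principal has never shown before."""
        return sorted(event_edges(ent) - self.edges)


def ingest(lines: Iterable[str], graph: EntityGraph, learn: bool = True) -> list[dict]:
    """Parse JSON lines, scrub, extract entities and report novel graph context.
    learn=True extends the graph (history); learn=False only checks against it (fresh events)."""
    out = []
    for line in lines:
        event = scrub(json.loads(line))
        ent = extract_entities(event)
        novel = graph.novel_edges(ent)
        if learn:
            graph.add(ent)
        out.append({"time": event.get("eventTime"), "entities": ent,
                    "novel_edges": novel, "scrubbed": json.dumps(event)})
    return out


def run_demo() -> list[dict]:
    graph = EntityGraph()
    ingest(HISTORY_LINES, graph, learn=True)
    return ingest(NEW_LINES, graph, learn=False)


if __name__ == "__main__":
    for r in run_demo():
        print(r["time"], r["entities"]["action"], "novel:", [f"{t}={v}" for _, t, v in r["novel_edges"]])
```

The novel-edge list is the graph context a scorer consumes: the 10:00 AssumeRole adds nothing, while the 10:07 AttachUserPolicy arrives from a new IP, device and region against a new target, and the session and bearer tokens in that event never leave the scrubber.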

Security & compliance guardrails

Identity and access insights are only valuable if the pipeline itself stays compliant.

  • VPC-only inference path with cross-account IAM roles and customer-managed KMS keys.
  • Secrets Manager-backed rotation for API keys and embedding access tokens.
  • Automated evidence bundle that snapshots enrichment context for every high-severity alert.
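The evidence bundle mentioned here and under Automation hooks is only as useful to an auditor as its integrity. The added example below shows one way to make a bundle tamper-evident and to check the completeness the dashboard reports: every artifact is recorded with a SHA-256 digest in a manifest, and the manifest digest becomes the bundle id. This is an illustration, not the page's bundling job; the page puts immutability on KMS-encrypted buckets with lifecycle policies, and the upload is out of scope here. The manifest layout, the required artifact kinds and the sample contents are assumptions.

```python
"""Tamper-evident evidence bundle for a high-severity alert (added example).

Not the page's code. Manifest layout, required kinds and sample artifacts are
assumptions; storage in the KMS-encrypted bucket is not shown.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

# The page says every alert packages IAM approvals, device posture and KMS audit logs.
# Assumption: those plus the alert itself are mandatory, and anything less is incomplete.
REQUIRED_KINDS = ("alert", "iam_approvals", "device_posture", "kms_audit_log")

# Constructed sample artifacts for one alert.
SAMPLE_ARTIFACTS = {
    "alert": {"entity": "arn:aws:iam::123456789012:user/alice", "score": 0.80, "driver": "privileged_api_calls"},
    "iam_approvals": [{"ticket": "CHG-1042", "approver": "sec-lead", "scope": "role/ci-deployer"}],
    "device_posture": {"user_agent": "Boto3/1.34.0", "managed_device": False},
    "kms_audit_log": [{"eventName": "Decrypt", "keyId": "alias/feature-store", "result": "Success"}],
}


def canonical(obj) -> bytes:
    """Deterministic JSON so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_bundle(alert_id: str, artifacts: dict[str, object], now: datetime | None = None) -> dict:
    """Snapshot enrichment context. Each artifact is listed with its digest and the
    manifest digest is the bundle id, so any later edit to either is detectable."""
    missing = [k for k in REQUIRED_KINDS if k not in artifacts]
    entries = {kind: {"sha256": sha256_hex(canonical(content)), "bytes": len(canonical(content))}
               for kind, content in artifacts.items()}
    manifest = {
        "alert_id": alert_id,
        "created_at": (now or datetime.now(timezone.utc)).isoformat(),
        "complete": not missing,
        "missing": missing,
        "artifacts": entries,
    }
    return {"bundle_id": sha256_hex(canonical(manifest)), "manifest": manifest, "artifacts": artifacts}


def verify_bundle(bundle: dict) -> list[str]:
    """Return the problems found; an empty list means the bundle is intact and complete."""
    problems = []
    manifest = bundle["manifest"]
    if sha256_hex(canonical(manifest)) != bundle["bundle_id"]:
        problems.append("manifest digest does not match bundle_id")
    for kind, entry in manifest["artifacts"].items():
        if kind not in bundle["artifacts"]:
            problems.append(f"artifact missing: {kind}")
        elif sha256_hex(canonical(bundle["artifacts"][kind])) != entry["sha256"]:
            problems.append(f"artifact modified: {kind}")
    for kind in bundle["artifacts"]:
        if kind not in manifest["artifacts"]:
            problems.append(f"artifact not in manifest: {kind}")
    if not manifest["complete"]:
        problems.append("bundle incomplete: " + ", ".join(manifest["missing"]))
    return problems


def demo() -> tuple[dict, list[str], list[str]]:
    """Build a bundle, verify it, then verify a copy whose approval record was edited afterwards."""
    fixed = datetime(2024, 5, 1, 10, 8, tzinfo=timezone.utc)   # fixed clock so bundle_id is reproducible
    bundle = build_bundle("alert-0001", SAMPLE_ARTIFACTS, now=fixed)
    clean = verify_bundle(bundle)
    tampered = json.loads(json.dumps(bundle))                   # deep copy
    tampered["artifacts"]["iam_approvals"][0]["approver"] = "alice"   # self-approval slipped in after the fact
    return bundle, clean, verify_bundle(tampered)


if __name__ == "__main__":
    bundle, clean, tampered_problems = demo()
    print("bundle_id:", bundle["bundle_id"])
    print("clean bundle problems:", clean)
    print("tampered bundle problems:", tampered_problems)
```

Record the bundle id in the alert and in the ServiceNow ticket at creation time; a reviewer who later recomputes it from the stored manifest has an independent check that nothing in the evidence changed between detection and the quarterly review.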

Response & evidence playbooks

Containment channel

EventBridge routes anomalies into Slack / Teams with just the evidence needed to accelerate approvals.

  • Dynamic access forms pre-populated with entity context and historic reviewer notes.
  • Escalation policy integrates PagerDuty for privileged identity violations.

Auditor workflow

Exports package annotations, analyst decisions, and KMS audit logs into immutable S3 buckets.

  • Lifecycle policies enforce the retention windows SOX / GDPR require.
  • QuickSight dashboards highlight anomaly trends for quarterly reviews.

Artifacts delivered

  • Step Functions orchestrate log ingestion, entity extraction, and anomaly scoring so sensitive identities remain inside VPC-scoped subnets.
  • KMS-encrypted feature stores and Secrets Manager rotation keep entity embeddings locked down while preserving audit trails.
  • Compliance exports map detections to IAM approvals, raising EventBridge signals when access deviates from policy baselines.