
Anomaly detection

A background detector watches your activity stream and flags unusual sessions — off-hours access, first-time host access, and bursts of file operations — notifying the workspace's owners and admins. It runs continuously and needs no setup.

Detections are reviewed from the Detections page in the console at app.subnomic.com.

What it flags

  • Off-hours access — a session opened outside normal business hours (evenings / weekends), evaluated in the actor's local time.
  • New host access — the first time a given user connects to a particular server or database.
  • Mass operations — a burst of file downloads / uploads by one actor inside a short window.

Review & triage

Open Detections to see open flags, each with its severity, the actor, the target, and when it fired. The sidebar badge counts open detections. For each one you can:

  • Acknowledge — you've seen it and it's expected / handled.
  • Dismiss — it's a false positive.

The detector is the sole writer of detections; reviewers only acknowledge or dismiss. When a flag is raised, the workspace's owners and admins get a security notification. The detector runs safely across replicas, so each event is evaluated exactly once.
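The three rules above and the evaluate-once guarantee, as an added illustration (not Subnomic's own code): a small detector run over a constructed activity stream. Business hours, the burst threshold and the window are assumptions; the product does not publish its thresholds.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BUSINESS_HOURS = range(9, 18)        # assumed: 09:00-17:59 local, Mon-Fri
MASS_THRESHOLD = 5                   # assumed: this many file ops by one actor
MASS_WINDOW = timedelta(minutes=2)   # ... inside this window raise one flag
BASE = datetime(2024, 5, 7, 14, 0, 0)

# Constructed sample stream (not Subnomic data). Timestamps are already in the
# actor's local time; "e3" is delivered twice to simulate a replica replay.
EVENTS = [
    {"id": "e1", "actor": "alice", "target": "db-prod", "kind": "session", "ts": "2024-05-06T10:15:00"},
    {"id": "e2", "actor": "alice", "target": "db-prod", "kind": "session", "ts": "2024-05-06T22:30:00"},
    {"id": "e3", "actor": "bob", "target": "files-1", "kind": "download", "ts": "2024-05-07T14:00:00"},
    {"id": "e3", "actor": "bob", "target": "files-1", "kind": "download", "ts": "2024-05-07T14:00:00"},
] + [
    {"id": f"e{n}", "actor": "bob", "target": "files-1", "kind": "download",
     "ts": (BASE + timedelta(seconds=10 * n)).isoformat()} for n in range(4, 9)
]

def detect(events):
    """Return (rule, actor, target, ts) tuples for every flag the stream raises."""
    seen_ids = set()                  # evaluate each event exactly once
    known_hosts = set()               # (actor, target) pairs already seen
    recent_ops = defaultdict(deque)   # actor -> timestamps of recent file ops
    mass_flagged = set()              # actors already flagged for this burst
    detections = []
    for ev in events:
        if ev["id"] in seen_ids:
            continue                  # duplicate delivery: skip, don't re-flag
        seen_ids.add(ev["id"])
        ts = datetime.fromisoformat(ev["ts"])
        actor, target = ev["actor"], ev["target"]
        if ev["kind"] == "session":
            # Off-hours: weekend, or outside business hours in local time.
            if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
                detections.append(("off_hours", actor, target, ev["ts"]))
            # New host: first time this actor has connected to this target.
            if (actor, target) not in known_hosts:
                known_hosts.add((actor, target))
                detections.append(("new_host", actor, target, ev["ts"]))
        elif ev["kind"] in ("download", "upload"):
            # Mass operations: sliding window of file ops per actor.
            window = recent_ops[actor]
            window.append(ts)
            while ts - window[0] > MASS_WINDOW:
                window.popleft()
            if len(window) >= MASS_THRESHOLD and actor not in mass_flagged:
                mass_flagged.add(actor)
                detections.append(("mass_ops", actor, target, ev["ts"]))
    return detections
```

Feeding the same stream twice raises no additional flags, which is the property the replica note above describes.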

Permissions

detection.read views the list; detection.manage acknowledges and dismisses.