
What sort of best practices are there for monitoring apps for "suspicious behaviour"? I understand some basics, like checking request/error rates on service scopes, etc., but how sophisticated do these things get? Is there any "intelligent" tooling that people use for this kind of anomaly/threat detection where I can just point it at an event stream and it will identify anomalous behaviour, or do I need to consider everything up-front and add rules for what I need to monitor?


I am an armchair layperson with no experience in this, so take this with a grain of salt. First order of business is an audit trail; every operation done on a user's account or data, every change in the system, should be in an audit log containing timestamps, user, etc. Especially things like updating passwords or account details.

Once you have that event stream, you can release your data analysis tooling. A few days / weeks / months of activity gives you a baseline of what's normal, so something that stands out - like idk, mass password or email updates - should trigger alarms.

But that's just armchair hypotheses; is there anyone on here that has experience with audit logs and what to do with them?
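The two ideas in the question and the comment above (write an audit trail first, then either learn a baseline from it or add explicit rules) can be shown end to end on a small scale. The following is an added example, not code posted in this thread or part of any product it mentions. It assumes an audit log in JSON-lines form with the fields `ts`, `user`, `action` and `ip` (those field names are an assumption); the sample log is constructed inline and is not real data. It learns a per-action daily baseline from the first seven days, flags a day whose count exceeds mean + k·stdev, and runs one explicit rule (one IP changing credentials on many accounts) over the same window.

```python
"""Baseline plus rule-based anomaly detection over an audit log.

Added example for the thread above; not from the original post.
Assumed log format: JSON lines with ts (ISO-8601), user, action, ip.
"""
import json
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Account-level actions worth watching explicitly (assumed names).
SENSITIVE_ACTIONS = {"password_change", "email_change", "mfa_disable"}


def make_sample_log():
    """Constructed sample audit log, not real data.

    Days 1-8: ~50 logins and 3 password changes per day by different users
    from different IPs. Day 8 additionally has 40 password changes from one
    source IP (203.0.113.7, a TEST-NET address) across 40 accounts.
    """
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    lines = []
    for day in range(8):
        base = start + timedelta(days=day)
        for i in range(48 + day % 5):                       # routine logins
            lines.append(json.dumps({
                "ts": (base + timedelta(minutes=10 * i)).isoformat(),
                "user": f"user{i}", "action": "login", "ip": f"10.0.{i}.1"}))
        for i in range(3):                                  # normal password changes
            u = (day * 3 + i) % 50
            lines.append(json.dumps({
                "ts": (base + timedelta(hours=i + 1)).isoformat(),
                "user": f"user{u}", "action": "password_change", "ip": f"10.0.{u}.1"}))
    burst = start + timedelta(days=7, hours=13)             # day 8: the burst
    for i in range(40):
        lines.append(json.dumps({
            "ts": (burst + timedelta(seconds=30 * i)).isoformat(),
            "user": f"user{i}", "action": "password_change", "ip": "203.0.113.7"}))
    return lines


def parse_events(lines):
    """Parse JSON-lines events; ts becomes a timezone-aware datetime."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def daily_counts(events):
    """{action: {date: count}}. Days with zero events of an action are absent."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["action"]][e["ts"].date()] += 1
    return counts


def build_baseline(events, cutoff):
    """Per-action (mean, stdev) of daily counts over events before cutoff."""
    baseline = {}
    history = [e for e in events if e["ts"] < cutoff]
    for action, per_day in daily_counts(history).items():
        xs = list(per_day.values())
        sd = statistics.stdev(xs) if len(xs) > 1 else 0.0
        baseline[action] = (statistics.fmean(xs), sd)
    return baseline


def score_window(events, baseline, k=3.0, floor=5):
    """Flag actions whose count in the window exceeds max(floor, mean + k*stdev).

    The floor stops a quiet baseline (stdev near 0) from alerting on a count
    of 4 when the mean was 3. Actions never seen in training are flagged
    outright, with no threshold.
    """
    alerts = []
    for action, n in Counter(e["action"] for e in events).items():
        if action not in baseline:
            alerts.append((action, n, None))
            continue
        mean, sd = baseline[action]
        threshold = max(floor, mean + k * sd)
        if n > threshold:
            alerts.append((action, n, round(threshold, 1)))
    return alerts


def rule_many_accounts_one_ip(events, min_users=10):
    """Explicit rule: one IP changing sensitive settings on >= min_users accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["action"] in SENSITIVE_ACTIONS:
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def analyse(lines, window_start):
    """Train on everything before window_start, score everything from it on."""
    events = parse_events(lines)
    baseline = build_baseline(events, window_start)
    window = [e for e in events if e["ts"] >= window_start]
    return score_window(window, baseline), rule_many_accounts_one_ip(window)


def demo():
    """Run both detectors over day 8 of the constructed log."""
    day8 = datetime(2024, 1, 8, tzinfo=timezone.utc)
    return analyse(make_sample_log(), day8)


if __name__ == "__main__":
    stats, rule = demo()
    print("baseline anomalies:", stats)   # [('password_change', 43, 5.0)]
    print("rule hits:", rule)             # {'203.0.113.7': 40}
```

Two things worth noticing. The statistical detector catches the burst (43 password changes against a baseline of 3 a day) but tells you nothing about who did it, while the rule answers that directly; in practice you want both, and the rule is the one you would write up-front because it encodes a known attack shape. Second, a baseline with zero variance is common for rare actions, so the threshold needs a floor (or a minimum-count gate) or the first fourth password change of the day pages someone. Daily buckets are used here for brevity; a real deployment would bucket by hour or by a sliding window, and would key the baseline per user or per tenant as well as per action.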


That's a good idea for an AI startup: Security as a Service. Just proxy all your requests through a third-party service, which will detect anomalies. But if it doesn't, the service is not liable.




