Skip to main content

Overview

The anomalies client provides automated anomaly detection for your authorization system. It identifies unusual patterns such as rate spikes, high failure rates, new principals, and off-hours activity. Access the anomalies client via client.anomalies.

Detect

Run anomaly detection across all agents and return any detected anomalies: 
from grantex import Grantex

with Grantex(api_key="gx_live_...") as client:
    result = client.anomalies.detect()

    print(f"Detected at: {result.detected_at}")
    print(f"Total anomalies: {result.total}")
    for anomaly in result.anomalies:
        print(f"  [{anomaly.severity}] {anomaly.type}: {anomaly.description}")

DetectAnomaliesResponse

FieldTypeDescription
detected_atstrISO 8601 timestamp of the detection run.
totalintNumber of anomalies detected.
anomaliestuple[Anomaly, ...]The detected anomalies.

List

List stored anomalies. Optionally filter to show only unacknowledged anomalies: 
from grantex import Grantex

with Grantex(api_key="gx_live_...") as client:
    # List all anomalies
    result = client.anomalies.list()
    print(f"Total: {result.total}")

    # List only unacknowledged anomalies
    result = client.anomalies.list(unacknowledged=True)
    for anomaly in result.anomalies:
        print(f"  {anomaly.id}: [{anomaly.severity}] {anomaly.type}")
        print(f"    {anomaly.description}")
        print(f"    Detected: {anomaly.detected_at}")

Parameters

ParameterTypeRequiredDefaultDescription
unacknowledgedboolNoFalseIf True, only return unacknowledged anomalies.
The parameter is keyword-only.

ListAnomaliesResponse

FieldTypeDescription
anomaliestuple[Anomaly, ...]The list of anomalies.
totalintTotal number of anomalies.

Acknowledge

Acknowledge an anomaly to mark it as reviewed: 
from grantex import Grantex

with Grantex(api_key="gx_live_...") as client:
    anomaly = client.anomalies.acknowledge("anom_abc123")

    print(f"Acknowledged at: {anomaly.acknowledged_at}")
Returns the updated Anomaly with the acknowledged_at timestamp set.

Anomaly Type

The Anomaly frozen dataclass has the following fields:
FieldTypeDescription
idstrUnique anomaly identifier.
typestrThe anomaly type (see table below).
severitystr"low", "medium", or "high".
agent_idstr | NoneThe agent involved (if applicable).
principal_idstr | NoneThe principal involved (if applicable).
descriptionstrHuman-readable description of the anomaly.
metadatadict[str, Any]Additional data about the anomaly.
detected_atstrISO 8601 timestamp when the anomaly was detected.
acknowledged_atstr | NoneISO 8601 timestamp when the anomaly was acknowledged (or None).

Anomaly Types

TypeDescription
rate_spikeUnusual spike in authorization or token requests.
high_failure_rateAbnormally high rate of failed actions.
new_principalA previously unseen principal is being used.
off_hours_activityAuthorization activity outside normal hours.

Example: Monitor and Acknowledge

from grantex import Grantex

with Grantex(api_key="gx_live_...") as client:
    # Run detection
    detection = client.anomalies.detect()

    if detection.total > 0:
        print(f"Found {detection.total} anomalies!")

        for anomaly in detection.anomalies:
            print(f"\n[{anomaly.severity.upper()}] {anomaly.type}")
            print(f"  {anomaly.description}")

            if anomaly.agent_id:
                print(f"  Agent: {anomaly.agent_id}")
            if anomaly.principal_id:
                print(f"  Principal: {anomaly.principal_id}")

            # Acknowledge after review
            client.anomalies.acknowledge(anomaly.id)
            print(f"  -> Acknowledged")
    else:
        print("No anomalies detected")