Anomalies
Findings the analyzer surfaced from run history — repeated failures, row-count drops, schedule drift, stale credentials, expected evidence missing. The story behind every audit prep.
- critical
Two consecutive scheduled runs failed with HTTP 401 — likely token expiry. AU-12 evidence will gap if not fixed today.
run_failed_consecutive · detected 5/1/2026, 7:07:57 PM · m365_admin_audit_logopen
{ "last_error": "AADSTS700082: refresh token expired", "failure_count": 2 } - info
IAM access key `AKIA…7XKL` (user `ci-bot`) is 412 days old. AC-6 / IA-5 expects rotation under 90.
stale_key_detected · detected 4/30/2026, 7:07:57 PM · aws_iam_inventory✓ resolved 5/1/2026
{ "user": "ci-bot", "key_age_days": 412, "threshold_days": 90 } - info
Last 6 runs took 3-5x longer than the 30-day median — filesystem may be bottlenecked.
schedule_drift · detected 4/29/2026, 7:07:57 PM · filesystem_evidence_staging✓ resolved 5/2/2026
{ "median_seconds": 4.2, "recent_p95_seconds": 18.1 } - warning
MFA enrollment rate dropped 14 percentage points week-over-week — investigate before next surveillance audit.
row_count_drop · detected 4/28/2026, 7:07:57 PM · okta_mfa_enrollmentopen
{ "last_week": 0.94, "this_week": 0.8, "threshold": 0.05 } - warning
Repo `ac5-platform-internal` was excluded from the last run — check whether protection settings were changed during the deploy.
expected_evidence_missing · detected 4/26/2026, 7:07:57 PM · github_branch_protectionopen
{ "missing_repos": [ "ac5-platform-internal" ], "expected_repos": 47 }