Cisco Secure Access Alerts for API Anomalies, Overview

Alerts for API Anomalies

Cisco Secure Access Alert Rules define which conditions on your organization's resources raise an alert, and how that alert is delivered. Each alert rule combines an alert category and its conditions with a list of email recipients and a Webhook target.

Overview

The Secure Access API Anomalies alert rule monitors the usage of the Secure Access API with your organization's Secure Access API keys.

Secure Access monitors these activities:

  • Too many requests to get an access token
  • High percentage of API errors
  • Large number of rate limit errors
  • More than one client using an API credential
  • Authentication failures
  • Programmatic creation of more than one API credential in a day

Secure Access sends notifications formatted in JSON using the Secure Access Alert schema for API Anomalies. For more information, see Event Format: API Anomalies Alerts.

Get Started

To get started, add an Alert Rule in Secure Access and choose the methods for sending the notifications: email, Webhook, or both. You can add Alert Rules through the Secure Access user interface (UI) or the Cisco Secure Access Alerting API. For more information, see Alerting API.

Set Up Alerts

  1. Deploy an HTTP listener in your on-premises or cloud environment. The target system must support Basic authentication with a username and password and accept HTTP POST messages.
  2. Add a Webhook in Secure Access as a Third-party integration. Configure the Webhook with the URL and Basic authentication credentials of the HTTP listener. For more information, see Third-Party Integrations API.
  3. Validate that your target system receives the alerts.

Sample JSON Alert Message: API Anomalies

{
  "specversion": "1.0",
  "type": "secureaccess.alerts.api.anomaly.v1",
  "source": "secureaccess.alerts",
  "id": "ff6e300b-5ba1-552d-83ca-0ee70417cc86",
  "time": "2025-11-24T09:38:47Z",
  "datacontenttype": "application/json",
  "integrationids": "webhook.v1:b101adb9-7fa6-4d6e-9bbe-686dc999dbdb",
  "orgid": "1234567",
  "data": {
    "alerts": [
      {
        "status": "Active",
        "severity": "High",
        "ruleName": "Unusual API Key Usage Pattern",
        "ruleId": 2048,
        "alertType": "More than 1 client using an API credential",
        "time": "2025-10-29T14:26:17Z",
        "category": "API anomaly",
        "alertId": "2048.8332025.1761747977000",
        "ruleDescription": "This is a test alert",
        "apiKeyId": "043e860fcb994b2e820b01bcdb9b11d9",
        "userAgents": [
          "curl/7.68.0",
          "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0",
          "PostmanRuntime/7.28.0"
        ],
        "conditionsApplied": {
          "conditions": [
            "Greater than 1 user agent using the same key ID within 3600 seconds"
          ]
        }
      }
    ]
  }
}
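The following is an added example, not Cisco's code, of the HTTP listener that the Set Up Alerts steps call for: it checks the Basic credentials configured on the Webhook, rejects anything that is not an API Anomalies event, and extracts from each alert the fields a responder needs (API key ID, the user agents seen on that key, and the condition that fired), using a notification shaped like the sample above. The listener credentials, port 8080, and all function names are assumptions.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials: configure the Secure Access Webhook with the same values.
LISTENER_USER, LISTENER_PASSWORD = "secureaccess", "change-me"
EXPECTED_TYPE = "secureaccess.alerts.api.anomaly.v1"

def basic_auth_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def basic_auth_ok(auth_header, user=LISTENER_USER, password=LISTENER_PASSWORD):
    """Accept only a correct Basic credential, compared in constant time."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        presented = base64.b64decode(auth_header[6:], validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(presented, f"{user}:{password}".encode())

def parse_api_anomaly_event(body):
    """(400, []) for bad JSON or a foreign event type; else (200, per-alert fields)."""
    try:
        event = json.loads(body)
    except ValueError:
        return 400, []
    if not isinstance(event, dict) or event.get("type") != EXPECTED_TYPE \
            or not isinstance(event.get("data"), dict):
        return 400, []
    found = [a for a in event["data"].get("alerts", []) if isinstance(a, dict)]
    return 200, [dict({f: a.get(f) for f in ("alertId", "severity", "alertType", "apiKeyId", "userAgents")},
                      conditions=a.get("conditionsApplied", {}).get("conditions", []))
                 for a in found]

class AlertHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not basic_auth_ok(self.headers.get("Authorization")):
            status, alerts = 401, []
        else:
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            status, alerts = parse_api_anomaly_event(body)
        for a in alerts:  # hand-off point: forward to your SIEM or ticketing system
            self.log_message("%s key=%s agents=%s", a["alertType"], a["apiKeyId"], a["userAgents"])
        self.send_response(status)
        self.end_headers()

if __name__ == "__main__":  # port 8080 is an assumption; terminate TLS in front of it
    HTTPServer(("0.0.0.0", 8080), AlertHandler).serve_forever()
```

To validate the integration (step 3), save the sample message above to a file and POST it with curl -u secureaccess:change-me -H "Content-Type: application/json" --data @sample.json http://listener:8080/ before enabling the rule.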

JSON Schema: API Anomalies

You can download the Cisco Secure Access API Anomalies Alert schema at Cisco Secure Access API Anomalies Alerts Schema.