Overview of Alerts for API Anomalies
In Cisco Secure Access, you can add Alert Rules and configure alerts for certain conditions observed in the Secure Access organization. One type of condition is anomalous API usage. Set up an Alert Rule in Secure Access and add a Webhook target through the Cisco Secure Access Third-Party Integrations API. For more information, see Third-Party Integrations API.
The Webhook target sends the alerts (HTTP POST operations) from Secure Access to an HTTP listener deployed in your on-premises or cloud environment. The Webhook is configured with the destination and authentication credentials for the HTTP listener.
Secure Access sends alerts formatted in JSON using the Secure Access Alert schema for API anomalies. For more information, see Data Definition of Alerts for API Anomalies.
How to Set Up Alerts for API Anomalies
- Deploy an HTTP listener in your on-premises or cloud environment. The target system must support Basic authentication with a username and password and accept HTTP POST messages.
- Add a Webhook in Secure Access as a Third-party integration. Configure the Webhook with the URL and Basic authentication credentials of the HTTP listener. For more information, see Third-Party Integrations API.
- Validate that your target system receives the Secure Access API Anomalies alerts.
Example of API Anomalies Alert Message
```json
{
  "specversion": "1.0",
  "type": "secureaccess.alerts.api.anomaly.v1",
  "source": "secureaccess.alerts",
  "id": "ff6e300b-5ba1-552d-83ca-0ee70417cc86",
  "time": "2025-11-24T09:38:47Z",
  "datacontenttype": "application/json",
  "data": {
    "alerts": [
      {
        "status": "Active",
        "severity": "High",
        "ruleName": "Unusual API Key Usage Pattern",
        "ruleId": 2048,
        "alertType": "More than 1 client using an API credential",
        "time": "2025-10-29T14:26:17Z",
        "category": "API anomaly",
        "alertId": "2048.8332025.1761747977000",
        "ruleDescription": "This is a test alert",
        "apiKeyId": "043e860fcb994b2e820b01bcdb9b11d9",
        "userAgents": [
          "curl/7.68.0",
          "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0",
          "PostmanRuntime/7.28.0"
        ],
        "conditionsApplied": {
          "conditions": [
            "Greater than 1 user agent using the same key ID within 3600 seconds"
          ]
        }
      }
    ]
  },
  "integrationid": "webhook.v1:b101adb9-7fa6-4d6e-9bbe-686dc999dbdb",
  "orgid": "1234567"
}
```
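One way to implement the HTTP listener from the setup steps above, as an added example that is not Cisco's code: it checks the Webhook's Basic authentication credentials with a constant-time compare and flattens each alert in the message format shown above into one record for logging or forwarding to a SIEM. The credentials, the listen address and port, and the check on the `type` field are assumptions.

```python
# Added example, not Cisco's code: a minimal listener for the Secure Access
# API-anomaly webhook. Credentials and the event type check are assumptions.
import base64, hmac, json
from http.server import BaseHTTPRequestHandler, HTTPServer

WEBHOOK_USER, WEBHOOK_PASS = "secure-access", "change-me"   # constructed; must match the Webhook
EXPECTED_TYPE = "secureaccess.alerts.api.anomaly.v1"        # from the example message

def basic_auth_ok(header, user=WEBHOOK_USER, password=WEBHOOK_PASS):
    """Validate an 'Authorization: Basic <base64>' header with a constant-time compare."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(decoded.encode(), f"{user}:{password}".encode())

def summarise_alerts(body):
    """Parse the alert envelope; return one flat dict per alert for logging or a SIEM."""
    event = json.loads(body)
    if event.get("type") != EXPECTED_TYPE:
        raise ValueError(f"unexpected event type: {event.get('type')!r}")
    return [{
        "alertId": a["alertId"], "severity": a["severity"], "apiKeyId": a["apiKeyId"],
        "userAgents": list(a.get("userAgents", [])),
        "conditions": list(a.get("conditionsApplied", {}).get("conditions", [])),
    } for a in event["data"]["alerts"]]

class AlertHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not basic_auth_ok(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="alerts"')
            self.end_headers()
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            for s in summarise_alerts(body):
                print(f"[{s['severity']}] {s['alertId']} key={s['apiKeyId']} agents={len(s['userAgents'])}")
        except (ValueError, KeyError) as exc:      # malformed or unexpected payload
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode())
            return
        self.send_response(200)
        self.end_headers()

if __name__ == "__main__":   # run behind a TLS terminator; Basic auth is cleartext otherwise
    HTTPServer(("127.0.0.1", 8080), AlertHandler).serve_forever()
```

Because Basic authentication sends the username and password base64-encoded rather than encrypted, expose the listener only over HTTPS (for example behind a TLS-terminating reverse proxy) and restrict inbound access to the addresses Secure Access sends from.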
API Anomalies Alerts JSON Schema
You can download the Cisco Secure Access API Anomalies Alerts schema at Cisco Secure Access API Anomalies Alerts Schema.