AuditSphere ML Service - Overview
Introduction
The AuditSphere ML Service is a machine learning-powered anomaly detection microservice that analyzes SharePoint and OneDrive audit events in real-time. It uses the Isolation Forest algorithm to learn what “normal” activity looks like for your organization and flags anything that deviates from established patterns.
Architecture
How it works:
| Connection | Purpose |
|---|---|
| Cron → ML Service | Scheduled job triggers anomaly detection every 15 minutes |
| API → ML Service | Sends batch of audit events for analysis |
| ML Service → Database | Fetches historical events for model training |
| ML Service → API | Returns anomaly detection results |
What It Detects
The ML service identifies six categories of suspicious activity:
1. Unusual Timing
Activity occurring outside normal business hours for a user.
| Indicator | Example |
|---|---|
| Off-hours access | Employee downloading files at 2 AM |
| Weekend activity | File access when user has no weekend history |
| Holiday access | Operations during company holidays |
2. Bulk File Operations
Unusually large numbers of file operations in a short time.
| Indicator | Example |
|---|---|
| Mass downloads | 500 files downloaded in 10 minutes |
| Bulk deletions | Rapid deletion from shared folders |
| Data staging | Copying files to personal folders |
3. External & Guest Access
Suspicious activity from users outside the organization.
| Indicator | Example |
|---|---|
| Guest access | Guest user accessing HR documents |
| External contractor | Contractor downloading from restricted areas |
| External markers | Users with #EXT# accessing sensitive data |
4. Suspicious Location
Access from unexpected geographic locations or devices.
| Indicator | Example |
|---|---|
| Location change | NY user suddenly accessing from Eastern Europe |
| Impossible travel | Multiple countries within hours |
| New device | Unknown device accessing sensitive files |
5. Sensitive Operations
High-risk actions that could expose data.
| Indicator | Example |
|---|---|
| Public sharing | Creating anonymous links for confidential files |
| Admin changes | Adding new site collection administrators |
| Permission changes | Broadening access to restricted folders |
6. Unusual Volume
Activity levels far exceeding normal patterns.
| Indicator | Example |
|---|---|
| Spike in access | 5 files/day user suddenly accessing 200 |
| Inactive user surge | Rarely active user performing hundreds of operations |
Technology Stack
| Component | Technology | Purpose |
|---|---|---|
| Framework | FastAPI | High-performance async API server |
| ML Algorithm | Isolation Forest | Unsupervised anomaly detection |
| ML Library | scikit-learn | Model training and inference |
| Runtime | Python 3.12+ | Service execution |
| Deployment | Railway | Cloud hosting |
API Endpoints
| Endpoint | Method | Description |
|---|---|---|
/ | GET | Service status |
/health | GET | Health check |
/api/v1/anomaly/detect | POST | Batch anomaly detection |
/api/v1/anomaly/score | POST | Single event scoring |
/api/v1/anomaly/train | POST | Retrain model |
/api/v1/anomaly/model/status | GET | Model status |
How Detection Works
How it works:
- Audit Event - Raw event arrives (user, operation, timestamp, file, IP, etc.)
- Feature Extraction - Transforms event into 16 numeric features (hour, day, guest flag, bulk operation, etc.)
- Isolation Forest - ML model scores how “isolated” (unusual) the event is compared to training data
- Detection Result - Returns anomaly flag, confidence score, and anomaly type (unusual_timing, bulk_operation, etc.)
Feature Extraction
The model analyzes 16 features from each audit event:
Temporal Features
- Hour of day
- Day of week
- Weekend flag
- Business hours flag
User Behavior
- Event count (1h window)
- Event count (24h window)
- Unique sites accessed
- Unique operations performed
Access Patterns
- Guest user flag
- External access flag
- New IP address
- Unusual location
Operation Context
- Operation category
- Sensitive operation flag
- File type category
- Bulk operation flag
Scoring
Each detected anomaly includes:
| Field | Description |
|---|---|
anomaly_score | How unusual the activity is (0-1, higher = more suspicious) |
confidence | Model certainty about the detection |
anomaly_type | Category of suspicious behavior detected |
contributing_factors | Specific reasons for flagging |
Model Training
Auto-Training
The service supports automatic training from the AuditSphere database:
- On Startup: If model is untrained, fetches up to 2000 recent events and trains automatically
- On Detection: If detection is requested with untrained model, trains first then detects
Training Requirements
| Requirement | Value |
|---|---|
| Minimum events | 100 |
| Recommended events | 1000+ |
| Data freshness | Recent activity preferred |
Configuration
| Variable | Description | Default |
|---|---|---|
PORT | Server port | 8000 |
DATABASE_URL | PostgreSQL connection for auto-training | - |
AUTO_TRAIN_ON_STARTUP | Enable auto-training | true |
MIN_TRAINING_EVENTS | Minimum events for training | 100 |
CONTAMINATION | Expected anomaly proportion | 0.10 |
N_ESTIMATORS | Number of trees in forest | 200 |
BUSINESS_HOURS_START | Business hours start | 9 |
BUSINESS_HOURS_END | Business hours end | 18 |
Integration with AuditSphere
Detection Flow
- Cron Job triggers every 15 minutes
- AuditSphere API fetches unprocessed audit events
- ML Service receives batch of events
- Feature extraction transforms events into 16 numeric features
- Isolation Forest scores each event
- Results returned with anomaly flags and scores
- Anomalies stored in database for user review
API Usage Examples
Detect Anomalies
curl -X POST https://ml-service.example.com/api/v1/anomaly/detect \
-H "Content-Type: application/json" \
-d '{
"events": [
{
"event_id": "evt_123",
"operation": "FileDownloaded",
"user_id": "user@company.com",
"creation_time": "2025-01-15T02:30:00Z",
"site_url": "https://company.sharepoint.com/sites/hr",
"source_file_name": "salaries.xlsx",
"client_ip": "203.0.113.50",
"user_type": 0,
"event_count_1h": 5,
"event_count_24h": 50
}
]
}'Response
{
"results": [
{
"event_id": "evt_123",
"is_anomaly": true,
"anomaly_score": 0.85,
"confidence": 0.92,
"anomaly_type": "unusual_timing"
}
],
"total_events": 1,
"anomalies_detected": 1,
"processing_time_ms": 45
}Check Model Status
curl https://ml-service.example.com/api/v1/anomaly/model/status{
"model_loaded": true,
"training_samples": 2000,
"contamination": 0.1,
"last_trained": "2025-12-15T10:30:00"
}Deployment
The ML service is deployed separately from the main AuditSphere application:
| Platform | Configuration |
|---|---|
| Railway | Auto-detected Python deployment |
| Docker | Available via Dockerfile |
| Manual | uvicorn app.main:app --port 8000 |
Environment Setup
# Required
DATABASE_URL=postgresql://user:pass@host/db?sslmode=require
# Optional
PORT=8000
AUTO_TRAIN_ON_STARTUP=true
CONTAMINATION=0.10
N_ESTIMATORS=200Document Information
| Property | Value |
|---|---|
| Version | 1.0 |
| Last Updated | December 2025 |
| Classification | Client Documentation |
Last updated on