Motivating question: Can you look at [IRIS-based internal application] and see if anything unusual happened [while there was possibly an intruder on the network]?
In theory, the IRIS database would help to provide an answer. In practice, this is a challenging data problem in two ways. First, there are so many individual events that combing through them one at a time looking for anything suspicious (by virtue of being different from what's usually there) is tedious and error-prone. Second, "unusual" activity might also include changes in volume of traffic along certain dimensions, and there's no good way to see that from a list of events as is currently available in the Management Portal.
The idea would be to use ML to identify anomalous individual events from a near real-time stream of events from IRIS audit databases (possibly across multiple instances), as well as anomalous aggregates along automatically-discovered dimensions and time buckets.
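As an added illustration of the two detection modes the idea describes (anomalous individual events, and anomalous aggregates along automatically scanned dimensions and time buckets), here is a small batch-mode detector. It is example code written for this thread, not code from the idea's author, InterSystems, or IRIS; the audit fields `ts`, `event`, `user` and `ip` are simplified stand-ins for whatever the real audit schema exposes, and the sample events are constructed, not captured from an instance. Aggregates are scored with a median/MAD robust z-score per (dimension value, hour bucket), and individual events are flagged when their full combination of dimension values has never been seen before in the window.

```python
"""Toy anomaly detection over audit-style events (added example, not IRIS code)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

FIELDS = ("event", "user", "ip")   # assumed field names; every non-timestamp field is a dimension
BUCKET = timedelta(hours=1)
BASE = datetime(2024, 1, 1, 8, 0, 0)


def build_sample_events():
    """Constructed sample: eight quiet hours of logins, then a burst of failed
    logins from a new address and one never-before-seen action from it."""
    events = []
    for h in range(8):
        for i in range(4):
            events.append({"ts": BASE + timedelta(hours=h, minutes=10 * i),
                           "event": "Login", "user": f"alice{i}", "ip": "10.0.0.5"})
    burst = BASE + timedelta(hours=8)
    for m in range(40):
        events.append({"ts": burst + timedelta(minutes=m),
                       "event": "LoginFailure", "user": "admin", "ip": "203.0.113.7"})
    events.append({"ts": burst + timedelta(minutes=50),
                   "event": "RoleChange", "user": "admin", "ip": "203.0.113.7"})
    return events


def bucket_index(ts, start, bucket=BUCKET):
    return int((ts - start) // bucket)


def bucket_counts(events, field, bucket=BUCKET):
    """Count events per (value of `field`, time bucket). Empty buckets are
    zero-filled so a sudden absence of activity is visible, not just a burst."""
    start = min(e["ts"] for e in events)
    n_buckets = bucket_index(max(e["ts"] for e in events), start, bucket) + 1
    counts = defaultdict(lambda: [0] * n_buckets)
    for e in events:
        counts[e[field]][bucket_index(e["ts"], start, bucket)] += 1
    return dict(counts)


def robust_z(series):
    """Median/MAD z-scores. The MAD is floored at 1 so a flat (all-zero)
    baseline does not divide by zero and a burst from zero is still scored."""
    med = median(series)
    mad = median(abs(x - med) for x in series)
    scale = 1.4826 * max(mad, 1.0)
    return [(x - med) / scale for x in series]


def anomalous_aggregates(events, fields=FIELDS, threshold=3.5, bucket=BUCKET):
    """Scan every dimension: report each (field, value, bucket, count, z) whose
    count is far from that value's own baseline across all buckets."""
    hits = []
    for field in fields:
        for value, series in bucket_counts(events, field, bucket).items():
            for idx, (count, z) in enumerate(zip(series, robust_z(series))):
                if abs(z) > threshold:
                    hits.append((field, value, idx, count, round(z, 2)))
    return hits


def rare_events(events, fields=FIELDS, max_count=1):
    """Individual-event check: flag events whose full combination of dimension
    values occurs at most `max_count` times in the window."""
    key = lambda e: tuple(e[f] for f in fields)
    combos = Counter(key(e) for e in events)
    return [e for e in events if combos[key(e)] <= max_count]


if __name__ == "__main__":
    evs = build_sample_events()
    for hit in anomalous_aggregates(evs):
        print("aggregate anomaly:", hit)
    for e in rare_events(evs):
        print("rare event:", e["ts"], e["event"], e["user"], e["ip"])
```

On the constructed sample this reports the failed-login burst three times, once per dimension (`event`=LoginFailure, `user`=admin, `ip`=203.0.113.7, all in bucket 8), while the single `RoleChange` is invisible to the aggregate check (one event in an hour is not a volume change) and is caught only by the rare-combination check; that is the reason the idea asks for both modes. For a near real-time stream the same functions would run over a sliding window rather than a batch, and the MAD floor and threshold are assumptions to tune against a real baseline.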
Thank you for submitting the idea. The status has been changed to "Community Opportunity".
Stay tuned!
This is a great idea, but not something we'll likely add to the near-term roadmap. Now that we've released OpenTelemetry support for metrics, logs, and traces, there should be a lot of opportunity for leveraging existing log mining solutions to accomplish this, hence marking as community opportunity.