Risk Detection
Omnodex includes a declarative rule engine that analyzes traced events and flags behavior that may indicate security risks, policy violations, or unexpected agent actions.
How It Works
Detection rules are declarative definitions - they describe a pattern to match and what it means when matched. The rule engine evaluates each event against all active rules and produces findings.
Rules operate on single events (point-in-time analysis). Each rule specifies:
- What to match - Which event types and field patterns trigger the rule
- Risk level - How severe the finding is (critical, high, medium, low)
- Description - Human-readable explanation of why this matters
Rule Categories
The community rule set covers these categories:
Sensitive File Access
Detects when an agent reads files that typically contain secrets or sensitive system information. Examples: SSH keys, environment files, password databases, credential stores.
Credential Exposure
Detects API keys, tokens, or passwords appearing in contexts where they should not appear - for example, as URL parameters in web requests (where they end up in server access logs).
Credential Exfiltration
Detects credentials being sent to unexpected external destinations. This catches scenarios where an agent might inadvertently (or intentionally, if compromised) send secrets to a third party.
Unexpected Network Activity
Detects outbound network connections to domains that are not clearly related to the task at hand. Useful for catching supply chain attacks or compromised tools reaching out to command-and-control infrastructure.
Supply Chain
Detects potentially risky package installations - packages with known vulnerabilities, typosquatting patterns, or suspicious characteristics.
Input Validation
Detects untrusted input being passed to sensitive operations without proper validation or sanitization.
Risk Levels
| Level | When Assigned |
|---|---|
| critical | Active security threat - credential exfiltration, data breach indicators |
| high | Significant risk requiring immediate review - exposed credentials, sensitive data access |
| medium | Unusual behavior worth investigating - unexpected network calls, atypical patterns |
| low | Informational - logged for audit trail completeness |
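To make the "How It Works" description concrete, here is an added, self-contained example of a point-in-time rule engine of the kind described above: each rule names an event type, a set of field patterns, a risk level and a description, and every event is checked against every active rule. It is illustration code written for this page, not Omnodex's engine or its rule format; the rule schema, the event field names (`type`, `path`, `url`), the two rules (one Sensitive File Access rule, one Credential Exposure rule) and the sample trace are all assumptions constructed for the example. The risk ordering used to rank findings follows the Risk Levels table.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed rule schema for this example; the real Omnodex rule format is not shown on this page.
@dataclass
class Rule:
    id: str
    event_type: str          # which traced event type the rule applies to
    field_patterns: dict     # event field -> regex that must match (all must match)
    risk: str                # one of: critical, high, medium, low
    description: str         # human-readable explanation of why this matters

@dataclass
class Finding:
    rule_id: str
    risk: str
    description: str
    event: dict              # the event that triggered the rule, kept for review

# Risk ordering from the Risk Levels table, most severe first.
RISK_ORDER = ["critical", "high", "medium", "low"]

# Two example rules, one per category discussed above (constructed, not the community rule set).
RULES = [
    Rule(
        id="sensitive-file-read",
        event_type="file_read",
        field_patterns={"path": r"(^|/)(\.ssh/id_[a-z0-9]+|\.env|\.netrc|\.aws/credentials)$"},
        risk="high",
        description="Agent read a file that typically contains secrets",
    ),
    Rule(
        id="credential-in-url",
        event_type="http_request",
        field_patterns={"url": r"[?&](api[_-]?key|token|password)=[^&]+"},
        risk="high",
        description="Credential passed as a URL query parameter; it will appear in server access logs",
    ),
]

def evaluate(event: dict, rules=RULES) -> list:
    """Point-in-time analysis: match one event against every active rule."""
    findings = []
    for rule in rules:
        if event.get("type") != rule.event_type:
            continue
        # Every field pattern must match for the rule to fire.
        matched = all(
            re.search(pattern, str(event.get(field_name, "")), re.IGNORECASE)
            for field_name, pattern in rule.field_patterns.items()
        )
        if matched:
            findings.append(Finding(rule.id, rule.risk, rule.description, event))
    return findings

def analyze(events: list, rules=RULES) -> list:
    """Run every event in a trace through the rule set and collect findings."""
    findings = []
    for event in events:
        findings.extend(evaluate(event, rules))
    return findings

def highest_risk(findings: list) -> Optional[str]:
    """Most severe level among the findings, using the Risk Levels ordering."""
    if not findings:
        return None
    return min((f.risk for f in findings), key=RISK_ORDER.index)

# Constructed sample trace of agent events; not real Omnodex output.
SAMPLE_EVENTS = [
    {"type": "file_read", "path": "/app/src/main.py"},
    {"type": "file_read", "path": "/home/dev/.ssh/id_ed25519"},
    {"type": "http_request", "url": "https://api.example.com/v1/items?page=2"},
    {"type": "http_request", "url": "https://api.example.com/v1/items?api_key=sk-live-0000"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.risk}] {f.rule_id}: {f.description} -> {f.event}")
    print("highest risk:", highest_risk(analyze(SAMPLE_EVENTS)))
```

Running the block reports two findings, both at the high level: the read of the SSH private key and the API key sent as a query parameter; the benign source-file read and the paginated request produce nothing. Because each rule sees only a single event, cross-event behaviour (for example, a credential read followed by an outbound request to an unrelated host) needs the multi-event or baseline-driven detection the page reserves for the advanced tier.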
Community vs. Advanced Rules
Community rules (included in the free tier) cover the categories above with general-purpose patterns. They are open source and can be inspected.
Advanced rules (Pro and Enterprise tiers) add machine-learning-based detection, behavioral baselines, and rules that leverage cross-session intelligence. These rules are encrypted and executed server-side.
Next Steps
- Running Detection - How to run the analyzer
- Tiers and Plans - What is included at each tier