Anomalies in accessing prod servers

I’m a data analyst and I have been given a free hand to initiate an ML project in the company to figure out access anomalies and report them. I tried looking for leads on this topic but could not find anything really tangible. Any leads, thoughts or help on how I should go about it and the relevant ML algorithms that I should specifically focus on would be really helpful.

Can you explain your problem in a little more detail, with an example of what “access anomalies” means in your case, in which kinds of scenarios, etc.?

Thank you for replying, Rajiv. Well, in the company there are admin users (users with privileged access) who access production servers (Win/Unix). Everything is logged. We have SIEM tools where all the logs are consolidated. I want to use these logs and detect breaches using time of activity, systems accessed, type or volume of information accessed, commands executed (in the case of Unix), etc.
Let me know in case you need further information. More details below:
https://resources.infosecinstitute.com/category/enterprise/threat-hunting/iocs-and-artifacts/threat-hunting-for-anomalies-in-privileged-account-activity/
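As an added example (not part of the thread above), the following Python turns the four signals named in the post (time of activity, systems accessed, volume accessed, commands executed) into a per-user baseline and scores new privileged-access events against it; the record layout and all log values are constructed for illustration, and the thresholds are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime

# Constructed SIEM-style records (hypothetical layout): user, ISO timestamp, host, bytes, command
BASELINE = [
    ("alice", "2019-03-04T09:12:00", "prod-db-01", 1200, "sudo systemctl status postgres"),
    ("alice", "2019-03-05T10:40:00", "prod-db-01", 800, "tail /var/log/postgres.log"),
    ("alice", "2019-03-06T14:05:00", "prod-db-02", 1500, "psql -c 'select count(*) from orders'"),
    ("bob", "2019-03-04T22:30:00", "prod-web-01", 300, "systemctl restart nginx"),
    ("bob", "2019-03-05T23:10:00", "prod-web-02", 450, "tail /var/log/nginx/error.log"),
]
NEW_EVENTS = [  # constructed events to score against the baseline
    ("alice", "2019-03-10T03:15:00", "prod-web-01", 50000, "scp /var/lib/postgres/dump.sql x:/tmp"),
    ("bob", "2019-03-10T22:45:00", "prod-web-01", 500, "systemctl status nginx"),
    ("alice", "2019-03-10T10:00:00", "prod-db-03", 900, "tail /var/log/postgres.log"),
]

def build_profiles(events):
    """Per-user baseline: hours of day seen, hosts seen, command names seen, largest volume."""
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set(), "cmds": set(), "max_bytes": 0})
    for user, ts, host, nbytes, cmd in events:
        p = profiles[user]
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["hosts"].add(host)
        p["cmds"].add(cmd.split()[0])          # first token = program name
        p["max_bytes"] = max(p["max_bytes"], nbytes)
    return profiles

def score_event(profiles, event, hour_slack=1, volume_factor=10):
    """Return the list of baseline deviations for one event; an empty list means 'looks normal'."""
    user, ts, host, nbytes, cmd = event
    p = profiles.get(user)
    if p is None:
        return ["unknown-user"]                # no history at all is itself worth a look
    hour, prog, reasons = datetime.fromisoformat(ts).hour, cmd.split()[0], []
    # circular hour distance so 23:00 and 00:00 count as neighbours
    if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack for h in p["hours"]):
        reasons.append(f"off-hours:{hour:02d}")
    if host not in p["hosts"]:
        reasons.append(f"new-host:{host}")
    if prog not in p["cmds"]:
        reasons.append(f"new-command:{prog}")
    if nbytes > volume_factor * p["max_bytes"]:
        reasons.append(f"volume:{nbytes}")
    return reasons

def detect(baseline, new_events, min_reasons=2):
    """Flag events that deviate on at least min_reasons signals (reduces single-signal noise)."""
    profiles = build_profiles(baseline)
    flagged = []
    for event in new_events:
        reasons = score_event(profiles, event)
        if len(reasons) >= min_reasons:
            flagged.append((event[0], event[1], reasons))
    return flagged
```

Requiring two or more deviating signals before alerting is what keeps a single late login or a first visit to a new host from paging anyone, while the combination of off-hours, new host, new command and a volume spike still surfaces.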

© Copyright 2013-2019 Analytics Vidhya