Understanding Results

After an analysis completes, Flare presents findings in a ranked list with explanations and evidence. Here’s how to read them.

AI summary

At the top of the results page, Flare provides a narrative summary of the overall patterns detected. This gives you the big picture before diving into individual anomalies - for example, whether the findings suggest a coordinated attack, routine administrative activity, or a misconfiguration.

Anomaly scores

Every anomaly receives a score from 0 to 100 based on how unusual it is relative to your environment’s baseline. Higher scores mean more anomalous.
Score    Category   Color    Meaning
85-100   Critical   Red      Highly anomalous - likely requires immediate investigation
65-84    High       Orange   Significantly unusual - worth reviewing soon
40-64    Medium     Blue     Moderately unusual - may be expected activity worth confirming
0-39     Low        Green    Mildly unusual - likely routine but flagged for awareness

Scores are relative to your environment. A SetIamPolicy call scores differently in a project where IAM changes happen daily versus one where they’ve never occurred.

Anomaly details

Each anomaly card shows:
  • Rank - position in the severity-ordered list (#1 is the most anomalous)
  • Field name and anomalous value - what was detected (e.g., protoPayload.methodName -> SetIamPolicy)
  • Explanation - a plain English description of why this is anomalous and what it could mean
  • Severity badge - Critical, High, Medium, or Low

Expanded view

Click an anomaly to expand it and see additional detail:
  • Baseline frequency - how often this value appears in your historical analyses (e.g., “0.4% of events”)
  • Query frequency - how often it appeared in this analysis (e.g., “67% of events”)
  • Source logs - the actual raw log entries that triggered the detection (1-5 entries)
The gap between baseline and query frequency is what drives the anomaly score. A value that normally appears in 0.4% of events but shows up in 67% of a given window is a strong signal.

First Seen badge

Anomalies involving field values that have never appeared in any previous analysis for this project get a “First Seen” badge. This is a strong indicator of genuinely new activity in your environment - a new service account, a new IP address, a new API method being called.
The First Seen system gets more useful over time. Each analysis adds to Flare’s knowledge of what’s normal for your project. Run analyses regularly (or set up scheduled runs) to build a strong baseline.
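The two sections above (the baseline-versus-query frequency gap that drives the score, and the First Seen badge for values absent from every earlier analysis) can be illustrated together. The following is an added example, not Flare's code: it counts one field across a constructed baseline and a constructed query window, flags values the baseline has never contained, and maps a score to the severity bands from the table above. The scoring function itself is a hypothetical stand-in, since Flare's actual formula is not documented on this page; the pseudo-count given to never-seen values is likewise an assumption.

```python
import math
from collections import Counter
from typing import Iterable

# Severity bands exactly as documented on this page (score floor -> badge).
BANDS = [(85, "Critical"), (65, "High"), (40, "Medium"), (0, "Low")]


def severity_band(score: float) -> str:
    """Map a 0-100 anomaly score to the badge shown on the anomaly card."""
    for floor, name in BANDS:
        if score >= floor:
            return name
    return "Low"


def get_path(entry: dict, path: str):
    """Read a dotted field path such as protoPayload.methodName from a log entry."""
    node = entry
    for key in path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def field_frequency(events: Iterable[dict], path: str) -> Counter:
    """Count how often each value of the field appears across a set of events."""
    counts: Counter = Counter()
    for ev in events:
        value = get_path(ev, path)
        if value is not None:
            counts[str(value)] += 1
    return counts


def frequency_gap_score(baseline_share: float, query_share: float) -> float:
    """HYPOTHETICAL scoring function (Flare's real formula is not on this page).

    The score is how far, on a log scale, the query-window share has travelled
    from the baseline share toward 100% of the window: a value at its baseline
    rate scores 0, a value that fills the whole window scores 100.
    """
    if query_share <= baseline_share:
        return 0.0
    travelled = math.log(query_share / baseline_share)
    total = math.log(1.0 / baseline_share)
    return round(100.0 * travelled / total, 1)


def analyze_field(baseline: list, query: list, path: str) -> list:
    """Rank the values of one field in the query window against the baseline."""
    base_counts = field_frequency(baseline, path)
    query_counts = field_frequency(query, path)
    base_total = sum(base_counts.values())
    query_total = sum(query_counts.values())
    findings = []
    for value, n in query_counts.items():
        first_seen = value not in base_counts  # never appeared in any baseline event
        if first_seen:
            # Assumption: one pseudo-count so the log ratio is defined for new values.
            baseline_share = 1.0 / (base_total + 1)
        else:
            baseline_share = base_counts[value] / base_total
        query_share = n / query_total
        score = frequency_gap_score(baseline_share, query_share)
        findings.append({
            "field": path, "value": value,
            "baseline_pct": round(100 * baseline_share, 1),
            "query_pct": round(100 * query_share, 1),
            "score": score, "severity": severity_band(score),
            "first_seen": first_seen,
        })
    findings.sort(key=lambda f: f["score"], reverse=True)
    for rank, f in enumerate(findings, start=1):
        f["rank"] = rank  # #1 is the most anomalous
    return findings


def audit_event(method: str) -> dict:
    """Minimal constructed GCP audit log entry carrying only the field analyzed here."""
    return {"protoPayload": {"methodName": method}}


def demo() -> list:
    # Constructed sample: 250 baseline events, 1 of them SetIamPolicy (0.4%), then a
    # 4-event query window where SetIamPolicy is 50% and one method is brand new.
    baseline = [audit_event("storage.objects.get")] * 249 + [audit_event("SetIamPolicy")]
    query = [audit_event("SetIamPolicy"), audit_event("SetIamPolicy"),
             audit_event("storage.objects.get"), audit_event("compute.firewalls.insert")]
    return analyze_field(baseline, query, "protoPayload.methodName")


if __name__ == "__main__":
    for f in demo():
        print(f"#{f['rank']} {f['severity']:8} {f['score']:5} {f['value']} "
              f"(baseline {f['baseline_pct']}%, query {f['query_pct']}%)"
              + ("  [First Seen]" if f["first_seen"] else ""))
```

Note how the page's own example (0.4% baseline, 67% of the query window) lands in the Critical band under this stand-in formula, while a value that merely holds its baseline rate scores 0 regardless of how often it appears; the baseline only gains resolution as more analyses feed it.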

Source log evidence

For each anomaly, Flare shows the raw log entries that contributed to the finding. These are the actual GCP audit log events, displayed as JSON. Use them to:
  • Verify the finding - confirm that the raw data matches Flare’s explanation
  • Investigate further - extract IP addresses, principal emails, resource names for deeper analysis in GCP
  • Copy evidence - use the Copy button to save specific log entries for incident reports
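The bullets above describe pulling principal emails, caller IPs and resource names out of the raw GCP audit log JSON. As an added example (not Flare's code), the snippet below flattens audit log entries by the dotted paths those fields live at in a Cloud Audit Log message, collects the unique values to pivot on, and renders the entries as a Markdown table for an incident ticket. The two log entries are constructed samples in the shape GCP emits, not real data.

```python
import json
from functools import reduce

# Dotted paths inside a GCP Cloud Audit Log entry (protoPayload is the AuditLog
# message); these are the fields most often lifted into an incident report.
EVIDENCE_FIELDS = {
    "timestamp": "timestamp",
    "principal": "protoPayload.authenticationInfo.principalEmail",
    "caller_ip": "protoPayload.requestMetadata.callerIp",
    "user_agent": "protoPayload.requestMetadata.callerSuppliedUserAgent",
    "service": "protoPayload.serviceName",
    "method": "protoPayload.methodName",
    "resource": "protoPayload.resourceName",
    "project": "resource.labels.project_id",
}


def get_path(entry: dict, path: str):
    """Read a dotted path; returns None if any segment is missing."""
    return reduce(lambda node, key: node.get(key) if isinstance(node, dict) else None,
                  path.split("."), entry)


def extract_evidence(entry: dict) -> dict:
    """Flatten one raw audit log entry into the fields worth pivoting on."""
    return {name: get_path(entry, path) for name, path in EVIDENCE_FIELDS.items()}


def pivot_sets(entries: list) -> dict:
    """Unique principals, caller IPs and resources across a finding's source logs."""
    rows = [extract_evidence(e) for e in entries]
    return {
        "principals": sorted({r["principal"] for r in rows if r["principal"]}),
        "caller_ips": sorted({r["caller_ip"] for r in rows if r["caller_ip"]}),
        "resources": sorted({r["resource"] for r in rows if r["resource"]}),
    }


def evidence_markdown(entries: list) -> str:
    """Render the source logs as a Markdown table for a ticket or report."""
    cols = ["timestamp", "principal", "caller_ip", "method", "resource"]
    lines = ["| " + " | ".join(cols) + " |", "|" + "---|" * len(cols)]
    for e in entries:
        ev = extract_evidence(e)
        lines.append("| " + " | ".join(str(ev[c] or "") for c in cols) + " |")
    return "\n".join(lines)


# Constructed sample entries (not real log data), in the shape GCP emits.
SAMPLE_LOGS = [json.dumps({
    "timestamp": "2024-01-15T10:22:31Z",
    "resource": {"type": "project", "labels": {"project_id": "example-project"}},
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "deploy-bot@example-project.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "203.0.113.7", "callerSuppliedUserAgent": "google-cloud-sdk"},
        "resourceName": "projects/example-project",
    },
}), json.dumps({
    "timestamp": "2024-01-15T10:23:05Z",
    "resource": {"type": "project", "labels": {"project_id": "example-project"}},
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "deploy-bot@example-project.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "203.0.113.9"},  # no user agent recorded
        "resourceName": "projects/example-project",
    },
})]


def demo():
    entries = [json.loads(raw) for raw in SAMPLE_LOGS]
    return pivot_sets(entries), evidence_markdown(entries)


if __name__ == "__main__":
    pivots, table = demo()
    print(json.dumps(pivots, indent=2))
    print(table)
```

Missing fields come back as None rather than raising, which matters for verification: if Flare's explanation names a caller IP or user agent and the raw entry has none, that gap is itself something to note before the finding goes into a report.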

Copy as Markdown

Click the Copy as Markdown button in the analysis header to copy the full results (summary, all anomalies, and explanations) as formatted Markdown. This is useful for pasting into Slack, Notion, or incident tickets.

Interpreting results

A few patterns to look for:
  • Multiple Critical/High findings in one analysis - may indicate a coordinated attack or significant incident
  • First Seen values on sensitive fields (IAM, service accounts, network) - worth investigating even at lower scores
  • Recurring patterns across analyses - if the same anomaly appears in multiple scheduled runs, it may be an ongoing issue or a new normal that needs to be acknowledged
  • Clean results - zero anomalies is good news. It means your audit logs showed no unusual patterns in the analyzed window
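The reading patterns listed above can be turned into a small triage pass over a series of analyses. This is an added example, not Flare's code: it takes the findings of consecutive runs (oldest first) in a simple dict shape assumed here, and reports the conditions the list describes. Reading "multiple" as two or more Critical/High findings, and the substring list used to decide which fields count as IAM, service-account or network related, are both assumptions; the runs are constructed sample data.

```python
from collections import Counter

# Assumption: substrings that mark a field or value as touching IAM, service
# accounts or networking, the "sensitive fields" this page calls out.
SENSITIVE_HINTS = ("iam", "serviceaccount", "principal", "callerip", "firewall", "network", "vpc")


def is_sensitive(finding: dict) -> bool:
    """True if the field path or the flagged value matches a sensitive-area hint."""
    text = f"{finding['field']} {finding['value']}".lower()
    return any(hint in text for hint in SENSITIVE_HINTS)


def triage(runs: list) -> dict:
    """Apply the page's reading guidance to a series of analyses (oldest first).

    Each run is a list of anomaly dicts with keys field, value, severity, first_seen
    (an assumed shape for this example).
    """
    latest = runs[-1] if runs else []
    # How many runs each (field, value) pair has appeared in, across the whole series.
    appearances = Counter((f["field"], f["value"]) for run in runs for f in run)
    serious = [f for f in latest if f["severity"] in ("Critical", "High")]
    return {
        "clean": not latest,
        "possible_coordinated_activity": len(serious) >= 2,
        # First Seen on a sensitive field is worth a look even when the score is Low.
        "sensitive_first_seen": [f for f in latest if f["first_seen"] and is_sensitive(f)],
        # Same anomaly in more than one run: ongoing issue, or a new normal to acknowledge.
        "recurring": [f for f in latest if appearances[(f["field"], f["value"])] >= 2],
    }


def constructed_runs() -> list:
    """Two scheduled runs of constructed findings; the second is the latest."""
    service_account = "ci-runner@example-project.iam.gserviceaccount.com"
    earlier = [
        {"field": "protoPayload.methodName", "value": "compute.firewalls.insert",
         "severity": "Medium", "first_seen": True},
    ]
    latest = [
        {"field": "protoPayload.methodName", "value": "SetIamPolicy",
         "severity": "Critical", "first_seen": False},
        {"field": "protoPayload.authenticationInfo.principalEmail", "value": service_account,
         "severity": "High", "first_seen": True},
        {"field": "protoPayload.requestMetadata.callerIp", "value": "198.51.100.20",
         "severity": "Low", "first_seen": True},
        {"field": "protoPayload.methodName", "value": "compute.firewalls.insert",
         "severity": "Medium", "first_seen": False},
    ]
    return [earlier, latest]


if __name__ == "__main__":
    result = triage(constructed_runs())
    print("clean:", result["clean"])
    print("possible coordinated activity:", result["possible_coordinated_activity"])
    print("sensitive First Seen:", [f["value"] for f in result["sensitive_first_seen"]])
    print("recurring:", [f["value"] for f in result["recurring"]])
```

In the constructed data the new caller IP scores only Low, but it is still surfaced because it is a First Seen value on a network field; the firewall method that was First Seen in the earlier run is now flagged as recurring instead, which is the cue to either investigate it as ongoing or accept it as the new baseline.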