Utilizing machine learning models with a centralized repository of log data to predict events and generate alerts and recommendations
US-2022019935-A1 · Jan 20, 2022 · US
US12437192B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-12437192-B1 |
| Application number | US-202017114107-A |
| Country | US |
| Kind code | B1 |
| Filing date | Dec 7, 2020 |
| Priority date | Dec 7, 2020 |
| Publication date | Oct 7, 2025 |
| Grant date | Oct 7, 2025 |
Official abstract text for this publication.
A training data set which includes event sequences representing actions of respective users of an application, properties of the users, and dynamic attributes associated with events such as the elapsed time between successive events, is prepared. A machine learning model which provides probabilistic predictions of next events of input event sequences is trained using the training data set. A trained version of the model is stored.
Opening claim text (preview).
What is claimed is:
1. A system, comprising: one or more computing devices; wherein the one or more computing devices include instructions that upon execution on or across the one or more computing devices cause the one or more computing devices to: identify a plurality of sources of event records of an application execution environment, wherein a particular event record provides an indication of (a) a user who took an action that resulted in generation of the particular event record and (b) an event identifier; extract, using the plurality of sources, respective event sequences corresponding to individual users of the application execution environment; determine, corresponding to individual users corresponding to respective event sequences which have been extracted from the plurality of sources, a respective set of static user attributes, including an indication of a user role with respect to the application execution environment; prepare a training data set comprising at least (a) the respective event sequences, (b) the respective sets of static user attributes and (c) one or more dynamic attributes associated with individual events of the respective event sequences, wherein a first dynamic attribute pertaining to a particular event of a particular event sequence indicates an elapsed time between the particular event and a preceding event of the particular event sequence; train, using the training data set, one or more machine learning models to provide, as output, at least a probabilistic prediction of a next event of an input event sequence corresponding to an individual user of the application execution environment, wherein said training comprises providing at least a portion of the training data set to the one or more machine learning models; determine, using trained versions of the one or more machine learning models, respective anomaly scores corresponding to a plurality of actions of a first user of the application execution environment, wherein the plurality of actions is not represented in the training data set; and initiate an anomaly response action based at least in part on a result of applying an aggregation algorithm to the respective anomaly scores, wherein the anomaly response action comprises barring further access by the first user.
2. The system as recited in claim 1, wherein a machine learning model of the one or more machine learning models comprises one or more Long Short-Term Memory (LSTM) units.
3. The system as recited in claim 1, wherein a second dynamic attribute pertaining to the particular event of the particular event sequence comprises an indication of resource usage associated with a user action represented by the particular event.
4. The system as recited in claim 1, wherein the one or more computing devices include further instructions that upon execution on or across the one or more computing devices cause the one or more computing devices to: obtain a user session boundary definition; and utilize, to execute the aggregation algorithm, the user session boundary definition to determine a count of actions of the first user, within a particular session, having anomaly scores which exceed a first threshold, wherein the anomaly response action is based at least in part on a determination that the count exceeds a second threshold.
5. The system as recited in claim 1, wherein the application execution environment comprises respective sets of resources of a plurality of network-accessible services including a first service and a second service, and wherein the plurality of sources include a first log file of the first service and a second log file of the second service.
6. A computer-implemented method, comprising: preparing a training data set comprising at least (a) a plurality of event sequences representing actions of respective users of an application, (b) respective sets of user properties of the respective users and (c) one or more dynamic attributes associated with individual events of the plurality of event sequences, wherein a first dynamic attribute pertaining to a particular event of a particular event sequence indicates an elapsed time between the particular event and a preceding event of the particular event sequence; training, using the training data set, one or more machine learning models to provide, as output, at least a probabilistic prediction of a next event of an input event sequence corresponding to an individual user of the application, wherein said training comprises providing at least a portion of the training data set to the one or more machine learning models; and initiating an anomaly response action based at least in part on an analysis of (a) one or more actions of a first user of the application and (b) a set of probabilistic predictions obtained from trained versions of the one or more machine learning models, wherein the anomaly response action comprises barring further access by the first user.
7. The computer-implemented method as recited in claim 6, wherein a first set of user properties of the first user comprises one or more of: (a) a location of the first user, (b) an organizational role of the first user, or (c) a user category to which the first user has been assigned with respect to the application.
8. The computer-implemented method as recited in claim 6, wherein a second dynamic attribute pertaining to the particular event of the particular event sequence comprises an indication of resource usage associated with a user action represented by the particular event.
9. The computer-implemented method as recited in claim 8, wherein the indication of resource usage comprises an indication of one or more of: (a) a number of times that a particular data resource accessed in the user action has been accessed by the first user or (b) a number of resources which have been accessed by the first user.
10. The computer-implemented method as recited in claim 6, further comprising: determining a plurality of action categories of user actions represented in the plurality of event sequences, including one or more of: (a) read actions, (b) write actions, (c) download actions, (d) upload actions, (e) login actions, or (f) logout actions, wherein a second dynamic attribute pertaining to the particular event of the particular event sequence comprises an indication of an action category of a user action represented by the particular event.
11. The computer-implemented method as recited in claim 6, further comprising: obtaining, via one or more programmatic interfaces of an analytics service of a provider network, a model training request, wherein the training of the one or more machine learning models is responsive to the model training request.
12. The computer-implemented method as recited in claim 6, wherein the analysis of one or more actions and the set of probabilistic predictions comprises: determining, using the trained versions of the one or more machine learning models, respective anomaly scores corresponding to a plurality of actions of the first user; and applying an aggregation algorithm to the respective anomaly scores.
13. The computer-implemented method as recited in claim 12, wherein applying the aggregation algorithm comprises determining a number of anomaly scores of the respective anomaly scores which exceeded a threshold within a time interval.
14. The computer-implemented method as recited in claim 12, wherein applying the aggregation algorithm comprises determining a number of consecutive actions of the plurality of actions having anomaly scores which exceeded a threshold.
15. The computer-implemented method as recited in
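The three aggregation variants recited in claims 4, 13 and 14, sketched in Python as an added example that is not part of the patent text. The anomaly score (1 minus the probability the model gave the observed event), the idle-gap session boundary, the thresholds and the sample events are all constructed assumptions.

```python
# Added illustration; scores, thresholds and events are constructed assumptions.
# Each event: (timestamp_seconds, event_id, p) where p is the probability a
# trained next-event model assigned to the event that actually occurred.
SAMPLE = [
    (0, "login", 0.80), (30, "read", 0.60), (60, "read", 0.70), (90, "logout", 0.50),
    (7200, "login", 0.70), (7205, "download", 0.02), (7208, "download", 0.01),
    (7211, "download", 0.05), (7300, "read", 0.60), (7310, "download", 0.03),
    (7320, "upload", 0.04),
]

def score(event):
    """Assumed anomaly score: 1 - p(observed event); unlikely events score high."""
    return 1.0 - event[2]

def split_sessions(events, idle_gap):
    """Assumed session boundary definition: a gap longer than idle_gap seconds."""
    sessions = []
    for ev in sorted(events):
        if sessions and ev[0] - sessions[-1][-1][0] <= idle_gap:
            sessions[-1].append(ev)
        else:
            sessions.append([ev])
    return sessions

def count_in_session(session, score_thr):
    """Claim 4: number of actions in one session scoring above the first threshold."""
    return sum(1 for ev in session if score(ev) > score_thr)

def max_in_window(events, score_thr, window):
    """Claim 13: most above-threshold scores inside any interval of `window` seconds."""
    hits = sorted(ev[0] for ev in events if score(ev) > score_thr)
    best = lo = 0
    for hi, t in enumerate(hits):
        while t - hits[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def longest_run(events, score_thr):
    """Claim 14: longest streak of consecutive above-threshold actions."""
    best = run = 0
    for ev in sorted(events):
        run = run + 1 if score(ev) > score_thr else 0
        best = max(best, run)
    return best

def should_respond(events, score_thr=0.9, count_thr=3, idle_gap=1800):
    """Trigger a response when any session's count exceeds the second threshold."""
    return any(count_in_session(s, score_thr) > count_thr
               for s in split_sessions(events, idle_gap))
```

On the constructed sample, the first session stays quiet while the second produces five high scores, so the per-session count is what separates one odd action from a sustained pattern.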
Data logging (G06F11/14, G06F11/2205 take precedence) · CPC title
monitoring of user actions (tracking the activity of the user H04L67/535) · CPC title
involving long-term monitoring or reporting · CPC title
Recurrent networks, e.g. Hopfield networks · CPC title
Learning methods · CPC title