Anomaly detection flags behavior or events that deviate from a baseline so defenders can investigate unusual activity.
Anomaly detection is the identification of behavior or events that differ meaningfully from an expected baseline. In plain language, it looks for activity that appears unusual enough to deserve attention even if it does not match a known static signature.
Anomaly detection matters because not every security issue arrives in a form defenders already know how to label precisely. Unusual behavior can be one of the earliest signs that a compromise, misuse pattern, or system problem is developing.
It also matters because modern environments produce too much activity for humans to review manually without some way of highlighting what stands out.
| Baseline type | What it represents | Example |
|---|---|---|
| User baseline | Normal access patterns | Usual login hours |
| System baseline | Typical process activity | Expected service start |
| Network baseline | Usual traffic paths | Known destinations |
Anomaly detection appears in SIEM, User and Entity Behavior Analytics, network monitoring, endpoint security, and cloud activity review. Teams connect it to Detection Engineering, False Positive, False Negative, and Threat Hunting.
It is most effective when unusual activity can be interpreted in the context of normal business behavior.
| Method | What it looks for | Strength | Common limitation |
|---|---|---|---|
| Anomaly detection | Deviations from a baseline | Finds novel or unexpected behavior | Can be noisy without good baselines |
| Detection Rule | Known patterns or signatures | Reliable for known threats | Misses novel activity |
| Threat Hunting | Hypothesis-driven patterns | High-context investigation | Not continuous monitoring |
A service account that normally connects to one internal API suddenly begins making requests to many unfamiliar systems. An anomaly-detection rule flags the behavior because it departs sharply from the account’s normal pattern.
Anomaly detection is not the same as certainty of compromise. Unusual behavior may be malicious, accidental, or simply new but legitimate activity.
It is also different from a Detection Rule based only on a fixed known pattern. Anomaly detection depends more on deviation from baseline than on one static signature.
It is also a mistake to treat anomaly detection as fully automatic truth. Human review and tuning are still required to reduce false positives and refine baselines.