Anomaly-Driven Hunting

Author: Roger C.B. Johnsen

Introduction

Anomaly-driven hunting is a threat hunting approach where the hunter looks for meaningful deviations from expected behaviour.

The basic idea is simple: malicious activity often creates behaviour that does not fit the normal pattern of an environment. A user logs in from an unusual location. A service account authenticates to systems it normally never touches. A workstation starts talking to infrastructure it has never contacted before. A process launches from an unusual parent. A backup server receives interactive logons from unexpected accounts.

Those deviations may be malicious. They may also be completely benign. That is why anomaly-driven hunting is not only about finding strange things. It is about understanding whether the strange thing matters.

This makes anomaly-driven hunting different from simply reviewing alerts. The hunter is not waiting for a known signature to fire. The hunter is asking what normal looks like, where the environment deviates from that normal and whether those deviations can be explained.

A useful anomaly-driven hunting question is:

What is unusual here, and is it unusual for a reason that matters?

That question is important because unusual does not automatically mean suspicious, and suspicious does not automatically mean malicious.

An anomaly is not a finding. It is an invitation to ask a better question.

– Roger Johnsen

What Anomaly-Driven Hunting Is

Anomaly-driven hunting starts with a comparison between expected behaviour and observed behaviour. The expected behaviour may come from a formal baseline, historical data, analyst experience, business knowledge, asset roles, identity patterns, peer groups or known administrative processes. The observed behaviour comes from telemetry.

The hunter then looks for deviations that may indicate attacker activity, misconfiguration, policy violations, misuse, operational drift or visibility problems.

ElementMeaning
BaselineA representation of what normal or expected behaviour looks like.
AnomalyA deviation from that expected behaviour.
ContextThe information needed to decide whether the deviation matters.
HypothesisA testable explanation for what the anomaly may represent.
InvestigationThe process of validating, rejecting or refining that explanation.

This is where anomaly-driven hunting becomes useful. It does not require the hunter to know the exact indicator in advance. Instead, the hunter starts from behaviour that does not fit the environment. That makes it useful for discovering unknown, emerging or poorly detected activity.

But it also makes it dangerous if used carelessly. Anomaly-driven hunting can produce endless noise if the team does not understand the environment, scope the hunt properly or distinguish between rare and relevant.

Why Anomalies Matter

Attackers often need to interact with the environment in ways that differ from normal business activity. They may need to:

  • authenticate using stolen credentials
  • access systems outside a user’s normal pattern
  • execute tools from unusual paths
  • create new services
  • move laterally between hosts
  • access sensitive data stores
  • stage files before exfiltration
  • disable logging, backup or security controls
  • use administrative tools from unexpected devices
  • communicate with external infrastructure

Each of these behaviours may create anomalies. However, legitimate activity can create anomalies too. A system administrator may perform emergency maintenance. A developer may test a new deployment tool. A service account may be changed by an application owner. A user may travel. A business unit may migrate to a new SaaS platform. A backup job may be rescheduled.

This is why anomaly-driven hunting depends heavily on context. The hunt is not finished when the anomaly is found. It starts there.

Baseline Before Anomaly

Anomaly-driven hunting depends on some understanding of normal behaviour. A baseline does not have to be perfect, but the hunter needs a reference point. Without a baseline, almost everything can look unusual, and the hunt becomes guesswork.

Baselines can be built around many things:

Baseline areaExample questions
User behaviourWhen does this user normally log in, from where and using which devices?
Service accountsWhich systems does this account normally access, and how often?
HostsWhich processes normally run on this host?
Network trafficWhich destinations does this system normally communicate with?
Administrative activityWhich users normally perform privileged operations?
Cloud activityWhich applications, tokens, roles and regions are normally used?
Data accessWhich users normally access this file share, database or storage account?
Process behaviourWhich parent-child process relationships are expected on this system?

The baseline should also be scoped. A baseline for all users may be too broad. A baseline for finance users, domain administrators, backup operators, developers or point-of-sale systems may be more useful. The more specific the peer group, the more meaningful the anomaly may become.

For example:

This user logged in at 03:00.

That may be meaningless.

But this is more useful:

This finance user logged in at 03:00 from a country they have never used before, then accessed a privileged application and downloaded unusually large amounts of data.

The difference is context.

Types of Anomalies

Not all anomalies are the same. A good hunter should understand what kind of deviation they are looking at.

Anomaly typeExample
Time anomalyA user logs in outside their normal working hours.
Location anomalyAuthentication occurs from an unusual country, region or network.
Volume anomalyA host transfers much more data than usual.
Frequency anomalyA service account authenticates far more often than normal.
Peer group anomalyOne workstation behaves differently from similar workstations.
Sequence anomalyA process chain occurs in an unusual order.
Relationship anomalyA user accesses a system they normally never touch.
Tooling anomalyAdministrative tools are used from an unexpected host.
Persistence anomalyNew scheduled tasks, services or autoruns appear outside expected change windows.
Control anomalyLogging, EDR, backup or security controls are modified unexpectedly.

These categories help the hunter ask better questions. For example, “unusual PowerShell” is too vague. The hunter should ask what makes it unusual.

  • Is it the parent process?
  • The command line?
  • The user?
  • The host?
  • The destination?
  • The timing?
  • The frequency?

The answer changes the investigation.

Anomaly-Driven Hunting Process

Anomaly-driven hunting can be approached as a structured process.

StepPurpose
Define the behaviour areaDecide what kind of behaviour the hunt will examine.
Establish the baselineUnderstand what normal or expected behaviour looks like.
Identify deviationsFind activity that differs from the baseline.
Add contextEnrich the anomaly with user, host, asset, business and threat context.
Form a hypothesisExplain what the anomaly may represent.
InvestigateValidate, reject or refine the hypothesis using additional data.
ActEscalate, document, tune, create detections or update baselines.
Feed backImprove the baseline, detection logic or future hunts.

This process matters because anomaly-driven hunting can otherwise become a random walk through strange data. The goal is not to collect anomalies. The goal is to identify deviations that can be explained, tested and acted on.

From Anomaly to Hypothesis

An anomaly is only a starting point. The hunter must turn it into a hypothesis.

For example:

A service account authenticated to five new servers this week.

That is an observation.

A possible hypothesis could be:

The service account may be used for lateral movement because it authenticated to systems outside its normal application scope and was followed by remote service creation.

The hypothesis is stronger because it gives direction. It suggests what to validate next:

  • Is the service account expected to access those servers?
  • Did the authentication originate from a normal host?
  • Was the logon type unusual?
  • Was there process execution after authentication?
  • Were remote services, scheduled tasks or administrative shares used?
  • Did the activity happen during a change window?
  • Did the account recently receive new privileges?
  • Are there related alerts, tickets or deployments?

This is where anomaly-driven hunting becomes real investigation.

The hunter moves from “this is strange” to “this is strange in a way that may indicate a specific behaviour”.

Practical Example: Unusual Service Account Activity

Consider a service account used by an internal application. For months, the account has authenticated only between a small group of application servers and a database server. Suddenly, the account begins authenticating to several file servers, backup servers and administrative workstations.

That is an anomaly.

Baseline

The hunter first establishes expected behaviour:

  • normal source systems
  • normal destination systems
  • usual logon types
  • normal authentication frequency
  • expected maintenance windows
  • normal process activity after authentication
  • known application owners
  • related change tickets

Anomaly

The new activity differs from the baseline:

  • new destination systems
  • unusual authentication paths
  • access to backup infrastructure
  • authentication outside normal hours
  • remote administration behaviour after logon

Hypothesis

The hunter formulates a hypothesis:

The service account may be compromised and used for lateral movement or preparation for ransomware activity.

Investigation

The hunter reviews:

  • authentication logs
  • endpoint telemetry
  • process execution
  • remote service creation
  • administrative share access
  • privilege changes
  • backup system access
  • related alerts
  • change management records

The activity may turn out to be a legitimate application change. It may also reveal compromised credentials, poor service account hygiene, excessive privileges or early-stage attacker activity.

Either outcome has value.

  • If it is malicious, the team escalates.
  • If it is legitimate but undocumented, the team improves the baseline.
  • If it cannot be validated because logs are missing, the team has identified a visibility gap.

Techniques and Tools

Anomaly-driven hunting can use many techniques. The important part is not the tool itself, but whether the technique helps the hunter identify meaningful deviations.

TechniqueUse
Statistical analysisIdentify outliers using frequency, volume, distribution or time-series patterns.
Peer group comparisonCompare users, hosts or accounts against similar entities.
Behavioural analyticsIdentify deviations in user, entity, process or network behaviour.
ClusteringGroup similar behaviours and identify items that do not fit.
Time-series analysisDetect unusual changes over time.
Rule-based logicIdentify specific deviations that are known to be suspicious.
Machine learningModel expected behaviour and surface unusual activity for review.
Visual analysisUse timelines, graphs or heatmaps to identify unusual relationships or sequences.

Machine learning and UEBA tools can support anomaly-driven hunting, but they do not replace the hunter. A tool may say that something is rare. The hunter still has to decide whether it is relevant. Rare activity may be malicious, but it may also be a business exception, maintenance activity, onboarding, travel, testing or telemetry noise.

Anomaly-Driven Hunting and PEAK

Anomaly-driven hunting fits naturally inside PEAK. PEAK provides the hunt lifecycle:

Prepare → Execute → Act with Knowledge

Anomaly-driven hunting can use that lifecycle directly.

PEAK phaseAnomaly-driven hunting activity
PrepareSelect the behaviour area, define the peer group, identify data sources and establish the baseline.
ExecuteIdentify deviations, enrich with context, form hypotheses and investigate suspicious anomalies.
Act with KnowledgeDocument findings, update baselines, tune detections, create new detections or identify visibility gaps.

This is important because anomaly-driven hunting can easily become endless exploration. PEAK helps keep the hunt disciplined. It forces the team to ask what they are hunting, how they will test it and what should happen with the result.

Anomaly-Driven Hunting and TaHiTI

TaHiTI can also support anomaly-driven hunting, especially when threat intelligence suggests a behaviour but the organisation does not have a simple indicator to search for. For example, threat intelligence may say that an actor abuses valid accounts for lateral movement. That does not give the hunter one perfect IOC. Instead, it suggests a behaviour pattern.

The hunter can then use anomaly-driven methods to look for deviations such as:

  • users authenticating to unusual systems
  • service accounts appearing on new hosts
  • remote administration activity from unexpected devices
  • privileged access outside normal patterns
  • unusual authentication sequences before suspicious process execution

In this sense, TaHiTI can provide the hunting trigger, while anomaly-driven hunting provides one way to investigate the behaviour locally.

TaHiTI gives the intelligence-driven question.
Anomaly-driven hunting helps test whether the behaviour appears locally.

Anomaly-Driven Hunting and Detection Engineering

Anomaly-driven hunts often produce useful detection engineering output. The output may be:

  • a new detection
  • a tuned detection
  • a better suppression rule
  • a baseline update
  • a triage note
  • an enrichment requirement
  • a visibility gap
  • a new hunt idea

However, not every anomaly should become a detection. A detection should be based on behaviour that is meaningful, repeatable and actionable. If the anomaly is too broad, too noisy or too dependent on one narrow context, it may not be suitable as a detection without additional logic.

The team should ask:

QuestionWhy it matters
Is the anomaly meaningful?Prevents detections from being based on random outliers.
Is the behaviour repeatable?Helps determine whether the detection can run reliably.
Is the signal actionable?Ensures analysts know what to do when it fires.
What context is required?Prevents alerts from losing meaning outside the hunt.
How noisy is it likely to be?Helps estimate tuning and operational cost.
What is the expected response?Connects detection to triage and incident handling.

This is where anomaly-driven hunting can strengthen detection engineering. The hunt does not simply find strange things. It teaches the team which deviations matter.

What Usually Goes Wrong

Several problems are common in anomaly-driven hunting.

ProblemWhy it hurts
Treating every anomaly as suspiciousThe team burns time investigating rare but harmless behaviour.
No baselineThe team cannot explain why something is unusual.
Weak peer groupsBehaviour is compared across entities that should not be compared.
No contextThe anomaly is reviewed without user, host, asset, business or change context.
Alert queue thinkingThe team treats anomaly hunting as normal alert triage instead of investigation.
Over-reliance on toolsThe tool says something is rare, but nobody validates whether it matters.
Static baselinesThe baseline becomes outdated as the environment changes.
No feedback loopFindings do not improve baselines, detections, triage or future hunts.
Ignoring visibility gapsMissing telemetry is treated as failure instead of a useful finding.

A common failure pattern is simple: the team opens an anomaly dashboard, sorts by rare events, investigates a few strange things and stops when nothing obvious is found. That is not enough.

Anomaly-driven hunting needs a question, a scope, a baseline and a way to decide whether the deviation matters.

Where Anomaly-Driven Hunting Fits With Other Frameworks

Anomaly-driven hunting fits naturally with the other frameworks in this section.

FrameworkMain value
PEAKStructures the hunt lifecycle from preparation to execution and action.
TaHiTIHelps turn intelligence into focused hunting questions that may be investigated through anomalies.
MITRE ATT&CKProvides behavioural vocabulary for describing suspicious activity.
Pyramid of PainHelps move from low-level indicators toward behaviour that is harder for adversaries to change.
OODA LoopHelps the hunter observe, orient, decide and act as evidence changes.
MaGMaHelps manage resulting use cases, detections, metrics and improvement work.

Anomaly-driven hunting is not a replacement for these frameworks. It is a hunting approach that can operate inside them.

PEAK gives it a lifecycle. TaHiTI can give it an intelligence-driven trigger. ATT&CK can describe the behaviour. The Pyramid of Pain can help judge the durability of the signal. MaGMa can help preserve and manage the outputs.

Working Position for This Book

For this book, anomaly-driven hunting is best treated as a practical hunting approach for finding meaningful deviations from expected behaviour.

It helps answer a simple question:

What is unusual in this environment, and does it matter?

The value of anomaly-driven hunting is that it can reveal activity that was not already known, signed or explicitly detected.

But the weakness is equally important.

Anomaly-driven hunting can create noise if the hunter does not understand the baseline, scope the hunt properly or add enough context.

A good anomaly-driven hunt should not celebrate strangeness. It should explain it.

The goal is not to find weird things. The goal is to find weird things that matter.

– Roger Johnsen

Resources

Revision

Revised DateComment
2026-07-10Major rewrite. Reframed the article as a practical guide to anomaly-driven threat hunting, baselines, context, investigation and detection engineering output.
2024-10-06Improved formatting and wording
2024-07-29Added page