Anomaly Detection

Automatically detect unusual patterns, drift, and misconfigurations in your infrastructure using graph-aware AI analysis.

Overview

The anomaly detection engine analyzes your knowledge graph on a configurable schedule for patterns that deviate from the norm. It combines statistical baselines, graph topology analysis, and LLM-powered contextual reasoning to identify potential issues before they become incidents.

Graph-aware detection
Unlike standalone monitoring tools, Knowledge Tree's anomaly detection considers the full graph context -- a new security group rule might be benign in isolation but suspicious when connected to an internet-facing resource.

Detection methods

Method                 Description
Statistical baseline   Resource counts, change frequency, and type distribution compared to historical baselines
Graph topology         Unexpected relationship patterns, unusual centrality, or orphaned resources
Configuration drift    Resource attributes that deviate from expected values or templates
LLM contextual         AI-powered analysis of resource configurations against best practices
Temporal patterns      Changes at unusual times, rapid-succession changes, or cascading modifications
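The statistical-baseline and temporal-pattern rows above are the two methods that need no graph at all, only a history of counts and a list of change events. The following is an added example (it is not Knowledge Tree's code) showing the core of each: a per-type z-score against a seven-day history, an off-hours check, and a sliding-window burst detector. The mapping from `sensitivity` to a z-score cutoff, the business-hours window, the five-minute burst window, and the sample history and events are all assumptions constructed for illustration.

```python
"""Statistical-baseline and temporal-pattern checks over constructed data.

Added example; this is not Knowledge Tree's code. The sensitivity-to-z-score
mapping, the business-hours window, the burst window and the sample data
are all assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Assumed mapping of the config's `sensitivity` setting to a z-score cutoff.
SENSITIVITY_Z = {"low": 4.0, "medium": 3.0, "high": 2.0}

# Constructed history: daily resource counts per type for the last 7 days.
HISTORY = {
    "aws_security_group": [40, 41, 40, 42, 41, 40, 41],
    "aws_instance": [100, 102, 98, 101, 99, 100, 100],
    "aws_iam_user": [5, 5, 5, 5, 5, 5, 5],
}
# Constructed observation for today: a jump in security groups, and a type never seen before.
TODAY = {"aws_security_group": 58, "aws_instance": 101, "aws_iam_user": 5, "aws_lambda_function": 3}


def baseline_anomalies(history, current, sensitivity="medium"):
    """Flag per-type counts whose z-score against the history exceeds the cutoff.

    Returns (type, count, z) tuples. z is None for a type with no history at all;
    such a type is reported because a brand-new resource type has no baseline.
    """
    z_max = SENSITIVITY_Z[sensitivity]
    findings = []
    for rtype, count in sorted(current.items()):
        past = history.get(rtype)
        if not past:
            findings.append((rtype, count, None))
            continue
        mu, sigma = mean(past), pstdev(past)
        if sigma == 0:
            # Flat history: the same value is normal, any other value is a deviation.
            z = 0.0 if count == mu else float("inf")
        else:
            z = (count - mu) / sigma
        if abs(z) > z_max:
            findings.append((rtype, count, z))
    return findings


# Constructed change events: (timestamp, actor, resource_id). 2024-03-19 is a Tuesday.
_T = datetime(2024, 3, 19, tzinfo=timezone.utc)
EVENTS = [
    (_T.replace(hour=2, minute=14), "alice", "sg-prod-web"),   # small-hours edit
    (_T.replace(hour=14, minute=0), "bob", "i-prod-web-1"),     # ordinary working-hours change
] + [
    (_T.replace(hour=10) + timedelta(seconds=30 * i), "ci-runner", f"i-prod-web-{i}")
    for i in range(5)                                           # 5 changes in 2 minutes
]


def off_hours_changes(events, work_hours=(8, 18)):
    """Changes outside the assumed business window (UTC here) or at the weekend."""
    start, end = work_hours
    return [
        (ts, actor, rid) for ts, actor, rid in sorted(events)
        if ts.weekday() >= 5 or not start <= ts.hour < end
    ]


def rapid_succession(events, window=timedelta(minutes=5), threshold=5):
    """Per actor, find a sliding window of length `window` holding >= threshold changes."""
    by_actor = defaultdict(list)
    for ts, actor, _ in sorted(events):
        by_actor[actor].append(ts)
    findings = []
    for actor, stamps in by_actor.items():
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                findings.append((actor, hi - lo + 1, stamps[lo], stamps[hi]))
                break  # one finding per actor is enough
    return findings


if __name__ == "__main__":
    for rtype, count, z in baseline_anomalies(HISTORY, TODAY):
        print(f"baseline: {rtype} count={count} z={z}")
    for ts, actor, rid in off_hours_changes(EVENTS):
        print(f"off-hours: {actor} changed {rid} at {ts:%Y-%m-%d %H:%M}")
    for actor, n, first, last in rapid_succession(EVENTS):
        print(f"burst: {actor} made {n} changes between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Two details matter in practice: a type with a perfectly flat history has a standard deviation of zero, so any change must be treated as a deviation rather than dividing by zero, and a type that appears for the first time has no baseline at all and should be surfaced rather than silently skipped.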

Graph anomalies

Knowledge Tree detects anomalies that are specific to the graph structure:

  • Orphaned resources -- resources with no relationships to any other resource
  • Hub explosion -- a resource with an unusually high number of dependencies
  • Isolated subgraphs -- groups of resources disconnected from the main graph
  • Unexpected connections -- resources connected across scope/environment boundaries
  • Missing dependencies -- resources that typically depend on another type but don't
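Each of the five graph anomalies above is a question about the structure of the resource graph, so they can be checked with ordinary graph traversals. The following added example (not Knowledge Tree's code) implements all five over a small constructed graph in which each anomaly appears exactly once: an unattached elastic IP, an IAM role fanning out to eight policies, a legacy VPC and subnet cut off from everything else, a dev instance reaching a prod database, and an instance with no security group. The node and edge schema, the "mean plus three standard deviations" hub cutoff, and the expected-dependency rule are assumptions made for illustration.

```python
"""Graph-structure anomaly checks over a constructed resource graph.

Added example; this is not Knowledge Tree's code. The node/edge schema, the
hub cutoff and the dependency rule are assumptions chosen for illustration,
and the sample graph is constructed inline.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample graph: resource id -> attributes.
NODES = {
    "sg-prod-web":   {"type": "aws_security_group", "env": "prod"},
    "i-prod-web-1":  {"type": "aws_instance",       "env": "prod"},
    "i-prod-web-2":  {"type": "aws_instance",       "env": "prod"},
    "i-prod-batch":  {"type": "aws_instance",       "env": "prod"},
    "db-prod":       {"type": "aws_rds_instance",   "env": "prod"},
    "role-admin":    {"type": "aws_iam_role",       "env": "prod"},
    "sg-dev-app":    {"type": "aws_security_group", "env": "dev"},
    "i-dev-app":     {"type": "aws_instance",       "env": "dev"},
    "vpc-legacy":    {"type": "aws_vpc",            "env": "prod"},
    "subnet-legacy": {"type": "aws_subnet",         "env": "prod"},
    "eip-unused":    {"type": "aws_eip",            "env": "prod"},
}
NODES.update({f"policy-{i}": {"type": "aws_iam_policy", "env": "prod"} for i in range(1, 9)})

# Directed edges (src depends on dst).
EDGES = [
    ("i-prod-web-1", "sg-prod-web"),
    ("i-prod-web-1", "db-prod"),
    ("i-prod-web-1", "role-admin"),
    ("i-prod-web-2", "sg-prod-web"),
    ("i-prod-web-2", "db-prod"),
    ("i-prod-batch", "db-prod"),        # instance with no security group at all
    ("i-dev-app", "sg-dev-app"),
    ("i-dev-app", "db-prod"),           # dev resource reaching into prod
    ("subnet-legacy", "vpc-legacy"),    # two-node island
] + [("role-admin", f"policy-{i}") for i in range(1, 9)]   # one role, eight policies

# Assumed rule: which types a resource type is normally expected to depend on.
EXPECTED_DEPS = {"aws_instance": {"aws_security_group"}}


def orphaned(nodes, edges):
    """Resources that take part in no relationship at all."""
    touched = {n for e in edges for n in e}
    return sorted(n for n in nodes if n not in touched)


def hub_explosion(nodes, edges, k=3.0, min_degree=5):
    """Resources whose dependency count is an outlier against the whole graph."""
    out = defaultdict(int)
    for src, _ in edges:
        out[src] += 1
    degrees = [out[n] for n in nodes]
    cutoff = max(min_degree, mean(degrees) + k * pstdev(degrees))
    return sorted((n, out[n]) for n in nodes if out[n] > cutoff)


def components(nodes, edges):
    """Connected components, ignoring edge direction."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    seen, comps = set(), []
    for n in nodes:
        if n in seen:
            continue
        stack, comp = [n], set()
        while stack:
            x = stack.pop()
            if x not in comp:
                comp.add(x)
                stack.extend(adj[x] - comp)
        seen |= comp
        comps.append(comp)
    return comps


def isolated_subgraphs(nodes, edges):
    """Every component except the largest one; singletons are orphans, reported above."""
    comps = sorted(components(nodes, edges), key=len, reverse=True)
    return [sorted(c) for c in comps[1:] if len(c) > 1]


def unexpected_connections(nodes, edges):
    """Edges that cross an environment boundary."""
    return [(s, d) for s, d in edges if nodes[s]["env"] != nodes[d]["env"]]


def missing_dependencies(nodes, edges, rules=EXPECTED_DEPS):
    """Resources lacking a dependency type their own type normally has."""
    dep_types = defaultdict(set)
    for s, d in edges:
        dep_types[s].add(nodes[d]["type"])
    return sorted(
        (n, needed)
        for n, attrs in nodes.items()
        for needed in rules.get(attrs["type"], ())
        if needed not in dep_types[n]
    )


def run_all(nodes=NODES, edges=EDGES):
    return {
        "orphaned": orphaned(nodes, edges),
        "hub_explosion": hub_explosion(nodes, edges),
        "isolated_subgraphs": isolated_subgraphs(nodes, edges),
        "unexpected_connections": unexpected_connections(nodes, edges),
        "missing_dependencies": missing_dependencies(nodes, edges),
    }


if __name__ == "__main__":
    for kind, items in run_all().items():
        print(f"{kind}: {items}")
```

The cross-environment check is the one that most directly reflects the graph-aware point made earlier on this page: the edge from `i-dev-app` to `db-prod` is an ordinary database dependency in isolation and only becomes suspicious once the graph knows which environment each end belongs to.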

Alerting

Anomalies can trigger alerts through multiple channels:

  • In-app notifications -- anomaly feed in the Knowledge Tree dashboard
  • Webhook -- POST the anomaly payload to any webhook URL
  • PagerDuty -- create PagerDuty incidents for critical anomalies
  • Slack -- post anomaly details to a Slack channel
  • Email -- daily email digest of anomalies

Configuration

# config.yaml
ai:
  anomaly_detection:
    enabled: true
    # Detection methods to run (see the table above)
    methods:
      - statistical_baseline
      - graph_topology
      - llm_contextual
    sensitivity: medium
    schedule: "0 */4 * * *"          # cron syntax: run every four hours
    alerting:
      - channel: slack
        webhook: ${SLACK_WEBHOOK}     # read from the environment; keep the URL out of the repo
        severity: [high, critical]    # only these severities are posted to Slack
      - channel: pagerduty
        severity: [critical]
      - channel: webhook
        url: ${ANOMALY_WEBHOOK}       # no severity filter on this channel
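The `alerting` list above pairs each channel with a severity filter and, for two of the channels, an environment-variable placeholder. The following added example (not Knowledge Tree's code) shows the two things worth getting right when consuming such a config: resolving `${NAME}` placeholders and failing hard if one is unset, rather than POSTing to the literal string, and selecting the channels that should receive an anomaly of a given severity. The config is written here as the Python dict a YAML loader would produce, so the example has no dependencies; the severity level names and the rule that a channel without a `severity` list receives every severity are assumptions, not documented behaviour.

```python
"""Resolve the alerting config and route anomalies to channels by severity.

Added example; this is not Knowledge Tree's code. The severity names and the
"no filter means all severities" rule are assumptions, and the config below is
the `ai.anomaly_detection.alerting` block written as a Python dict.
"""
import os
import re

# Assumed severity scale.
SEVERITIES = ("low", "medium", "high", "critical")

# Constructed: the alerting block from config.yaml as a YAML loader would return it.
ALERTING = [
    {"channel": "slack", "webhook": "${SLACK_WEBHOOK}", "severity": ["high", "critical"]},
    {"channel": "pagerduty", "severity": ["critical"]},
    {"channel": "webhook", "url": "${ANOMALY_WEBHOOK}"},
]

_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def expand_env(value, env=None):
    """Replace ${NAME} with env[NAME]; an unset variable is an error, not an empty string."""
    env = os.environ if env is None else env

    def sub(match):
        name = match.group(1)
        if name not in env:
            raise KeyError(f"config references unset environment variable {name}")
        return env[name]

    return _PLACEHOLDER.sub(sub, value)


def load_alerting(alerting, env=None):
    """Return a copy of the alerting list with placeholders resolved and severities validated."""
    resolved = []
    for entry in alerting:
        out = {k: (expand_env(v, env) if isinstance(v, str) else v) for k, v in entry.items()}
        severity = out.get("severity", list(SEVERITIES))   # assumed: no filter means all
        unknown = set(severity) - set(SEVERITIES)
        if unknown:
            raise ValueError(f"{out['channel']}: unknown severity {sorted(unknown)}")
        out["severity"] = severity
        resolved.append(out)
    return resolved


def route(anomaly, alerting):
    """Names of the channels whose filter admits this anomaly's severity."""
    return [c["channel"] for c in alerting if anomaly["severity"] in c["severity"]]


if __name__ == "__main__":
    # Constructed environment so the example runs without real webhook URLs.
    demo_env = {
        "SLACK_WEBHOOK": "https://hooks.example.test/slack",
        "ANOMALY_WEBHOOK": "https://hooks.example.test/anomaly",
    }
    cfg = load_alerting(ALERTING, demo_env)
    for sev in SEVERITIES:
        print(f"{sev:8} -> {route({'severity': sev}, cfg)}")
```

Run against the constructed environment, a critical anomaly reaches all three channels, a high one reaches Slack and the generic webhook, and anything lower only the generic webhook; remove `ANOMALY_WEBHOOK` from the environment and `load_alerting` raises instead of producing a channel that would POST to a placeholder.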