Anomaly detection identifies deviations from established baselines — a user logging in at 3am from a new country, a server sending unusual amounts of data outbound.
It requires a baseline first, and the false positive rate is high initially. UEBA (User and Entity Behavior Analytics) applies ML to detect subtle anomalies. Anomaly detection complements signature-based detection.
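The outbound-data case above, as an added example that is not part of the original text: a per-host baseline is learned first, and later samples are scored against it. The median/MAD modified z-score, the 3.5 cutoff, the function names and the sample figures are all assumptions chosen for illustration.

```python
import statistics

# Constructed sample: (day, host, outbound MB). Day 3 is a benign backup spike,
# day 7 is the transfer an analyst would want flagged.
SAMPLE = [(d, "web-01", mb) for d, mb in
          enumerate([120, 121, 150, 118, 125, 122, 4800, 124], start=1)]

def modified_z(value, history):
    """Robust z-score of value against history (median and MAD)."""
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history])
    if mad == 0:  # flat baseline: any increase is infinitely unusual
        return float("inf") if value > med else 0.0
    return 0.6745 * (value - med) / mad

def detect(events, min_baseline=5, threshold=3.5):
    """Return (day, host, verdict) per event, keeping one baseline per host."""
    baselines, verdicts = {}, []
    for day, host, sent in events:
        history = baselines.setdefault(host, [])
        if len(history) < min_baseline:
            verdict = "learning"          # no baseline yet, cannot score
            history.append(sent)
        elif modified_z(sent, history) > threshold:
            verdict = "anomaly"           # kept out of the baseline
        else:
            verdict = "normal"
            history.append(sent)
        verdicts.append((day, host, verdict))
    return verdicts

def anomalous_days(verdicts):
    """Days on which any host was flagged."""
    return [day for day, _host, verdict in verdicts if verdict == "anomaly"]

if __name__ == "__main__":
    print("baseline of 5:", anomalous_days(detect(SAMPLE)))
    print("baseline of 2:", anomalous_days(detect(SAMPLE, min_baseline=2)))
```

With only two samples of baseline, the benign day 3 spike is flagged alongside day 7, which is the initial false positive problem in miniature.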