AI-Powered Anomaly Detection for Elasticsearch

Detect unusual patterns in your Elasticsearch data using unsupervised machine learning. No training data needed. Search Guard Anomaly Detection learns what is normal and alerts you when something changes.

Machine learning that works out of the box

Search Guard Anomaly Detection uses the Random Cut Forest algorithm, an unsupervised machine learning approach that requires no labeled training data. Point it at your Elasticsearch indices and it automatically learns normal data patterns. When behavior deviates from the norm, anomalies are flagged with a confidence score so you can focus on what matters most.

Real-time and historical detection

Run detectors continuously for live monitoring or analyze past data to uncover anomalies you may have missed. Configure detection intervals from minutes to hours and fine-tune window delays to handle late-arriving data. Whether you are watching live metrics or investigating an incident, anomaly detection adapts to your workflow.

High-cardinality detectors for granular insights

Not all anomalies happen at the aggregate level. Use category fields to automatically create individual detection models per entity, such as per IP address, hostname, user, or service. Monitor thousands of entities simultaneously and pinpoint exactly which dimension is causing the anomaly instead of searching through aggregated data.

Built-in alerting integration

Connect your anomaly detectors directly to Signals Alerting watches. Define thresholds for anomaly grades and confidence levels, configure severity escalation, and get notified through Email, Slack, PagerDuty, JIRA, or webhooks. Monitor multiple detectors in a single watch or set up entity-specific alerts for high-cardinality detectors.

How it works

1. Create a Detector
Point your detector to any Elasticsearch index. Apply filters to focus on the data that matters and set a detection interval that fits your use case.
2. Define Features
Choose from built-in aggregations like average, count, sum, min, or max. Need more control? Use custom Elasticsearch queries to define exactly what to monitor.
3. Detect and Act
Start real-time or historical detection. View anomaly scores and breakdowns in the Kibana UI, and connect to Signals Alerting for automated notifications.
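The three steps above, together with the per-entity detection and threshold-based alerting described earlier, can be followed end to end on a small constructed data set. The example below is added here and is not Search Guard code: the detector dictionary, the function names and the document fields are assumptions for illustration, and the scoring uses a simplified ensemble of random-cut trees in the spirit of isolation forests, not the Random Cut Forest implementation the product ships. It filters constructed documents, aggregates a sum-of-bytes feature per interval and per host (the category field), scores each interval without any labeled data, and reports the intervals whose score crosses an alert threshold.

```python
import math
import random
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Step 1: detector configuration (hypothetical keys, not Search Guard's schema).
DETECTOR = {
    "index_filter": {"event.type": "http"},  # only score documents matching this filter
    "interval": timedelta(minutes=10),       # detection interval
    "category_field": "host",                # one model per host (high-cardinality style)
    "alert_threshold": 0.7,                  # stand-in for an anomaly-grade threshold in a watch
}


def build_sample_docs():
    """Constructed sample documents: 25 intervals of traffic for two hosts."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    docs = []
    for i in range(25):
        ts = start + i * DETECTOR["interval"]
        # web-1 is steady except for a burst in interval 20; web-2 is steady throughout.
        web1 = 1000 if i == 20 else 100 + (i % 8)
        web2 = 100 + ((i * 3) % 8)
        docs.append({"@timestamp": ts, "host": "web-1", "event.type": "http", "bytes": web1})
        docs.append({"@timestamp": ts, "host": "web-2", "event.type": "http", "bytes": web2})
        # Unrelated SSH volume on web-1; the index filter must keep it out of the feature.
        docs.append({"@timestamp": ts, "host": "web-1", "event.type": "ssh", "bytes": 5000})
    return docs


# Step 2: the feature is sum(bytes) per interval, bucketed per category field value.
def feature_series(docs, detector):
    series = defaultdict(lambda: defaultdict(float))
    for d in docs:
        if any(d.get(k) != v for k, v in detector["index_filter"].items()):
            continue
        bucket = d["@timestamp"]  # sample timestamps are already aligned to the interval
        series[d[detector["category_field"]]][bucket] += d["bytes"]
    return {entity: [v for _, v in sorted(buckets.items())]
            for entity, buckets in series.items()}


# Step 3: unsupervised scoring with random-cut trees (simplified stand-in for RCF).
def _c(n):
    """Average path length of an unsuccessful BST search; normalises tree depths."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n


def _build_tree(values, rng):
    """Recursively cut the value range at a random point until points are isolated."""
    lo, hi = min(values), max(values)
    if len(values) <= 1 or lo == hi:
        return {"size": len(values)}
    cut = rng.uniform(lo, hi)
    left = [v for v in values if v < cut]
    right = [v for v in values if v >= cut]
    if not left or not right:  # cut landed exactly on the boundary; stop here
        return {"size": len(values)}
    return {"cut": cut, "left": _build_tree(left, rng), "right": _build_tree(right, rng)}


def _path_length(tree, x, depth=0):
    if "cut" not in tree:
        return depth + _c(tree["size"])
    child = tree["left"] if x < tree["cut"] else tree["right"]
    return _path_length(child, x, depth + 1)


def anomaly_scores(values, n_trees=100, seed=7):
    """Score in (0, 1): points isolated by few cuts (outliers) score close to 1."""
    rng = random.Random(seed)
    trees = [_build_tree(values, rng) for _ in range(n_trees)]
    c_n = _c(len(values))
    scores = []
    for x in values:
        avg_depth = sum(_path_length(t, x) for t in trees) / n_trees
        scores.append(2 ** (-avg_depth / c_n))
    return scores


def run_detector(docs, detector):
    """Historical run: return, per entity, the interval indexes that cross the threshold."""
    results = {}
    for entity, values in feature_series(docs, detector).items():
        scores = anomaly_scores(values)
        results[entity] = [i for i, s in enumerate(scores) if s >= detector["alert_threshold"]]
    return results


if __name__ == "__main__":
    print(run_detector(build_sample_docs(), DETECTOR))  # {'web-1': [20], 'web-2': []}
```

Two design points carry over to the real product: the index filter keeps unrelated document types (here the SSH volume) from inflating the feature, and scoring per category value means the burst is attributed to web-1 alone rather than to an aggregate that web-2's normal traffic would dilute. Thresholding the score is what a Signals watch does with the anomaly grade; a real deployment would run the scoring on each new interval instead of over the whole history at once.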

Key capabilities

Spikes and Dips
Detect unexpected spikes, dips, or both in any metric. Fine-tune each feature to only flag the anomaly types that matter to your operations.
Per-Entity Detection
Use category fields to create high-cardinality detectors that monitor anomalies per IP address, hostname, user, or any other dimension in your data.
Historical Analysis
Analyze past data to uncover anomalies you may have missed. Run historical detectors over any time range to identify patterns and validate your detection strategy.
Custom Aggregations
Go beyond built-in aggregations with custom Elasticsearch queries. Define exactly what to measure using the full power of Elasticsearch query DSL.
Signals Alerting
Connect anomaly detectors to Signals Alerting watches. Set thresholds and get notifications via Email, Slack, PagerDuty, JIRA, or webhooks.
Full REST API
Automate detector creation, management, and result retrieval with a comprehensive REST API. Integrate anomaly detection into your existing DevOps workflows.

Built for production Elasticsearch clusters

Fully integrated with Search Guard Security

Anomaly Detection is fully integrated with Search Guard role-based access control. Define who can create and manage detectors, and separate access using Search Guard tenancy and document-level security.

Enterprise-grade performance

Run up to 1,000 single-entity detectors and 10 high-cardinality detectors simultaneously. Built-in resource management protects your cluster with automatic memory limits and JVM safeguards.

Quick and easy setup

Get started in minutes with a straightforward installation process. Comprehensive documentation and sensible defaults let you deploy your first anomaly detector right away, with fine-tuning options for production workloads.

Free 60-day Trial

Want to see how your company can benefit from Search Guard? Give our 60-day trial a spin, free of charge, no credit card required.