Identifying potentially malicious behavior by analyzing system events and activities to determine if they deviate from defined policies, baselines or patterns of normal operations. This approach flags anomalies by detecting actions, traffic, resource usage or other observable traits that do not conform to specified rules or models of acceptable system utilization. The detection mechanism looks for outlier activities that statistically or behaviorally differ from the norm, which could indicate threats, misuse or unauthorized actions requiring further investigation.
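
The two kinds of deviation described above, a policy violation and a statistical outlier against a per-user baseline, as an added example that is not part of the original page. The event tuples, the allowed-hours policy and the modified z-score (median/MAD) statistic are assumptions chosen for illustration, and all sample data is constructed.

```python
from statistics import median

# Constructed sample sessions: (user, hour_of_day, megabytes_sent).
BASELINE = [
    ("alice", 9, 12), ("alice", 10, 15), ("alice", 14, 11),
    ("alice", 16, 14), ("alice", 11, 13),
    ("bob", 8, 40), ("bob", 13, 44), ("bob", 15, 38),
    ("bob", 9, 42), ("bob", 17, 41),
]
NEW_EVENTS = [
    ("alice", 10, 14),   # within policy and baseline
    ("alice", 3, 13),    # normal volume, but outside allowed hours
    ("bob", 14, 400),    # allowed hour, volume far above bob's norm
    ("carol", 10, 5),    # user with no baseline at all
]
ALLOWED_HOURS = range(7, 20)  # hypothetical policy: 07:00-19:59
THRESHOLD = 3.5               # common cut-off for the modified z-score
MIN_SPREAD = 1.0              # assumed floor (MB) so a flat baseline cannot divide by zero

def build_baseline(events):
    """Return {user: (median, MAD)} of megabytes sent per session."""
    per_user = {}
    for user, _hour, mb in events:
        per_user.setdefault(user, []).append(mb)
    model = {}
    for user, values in per_user.items():
        med = median(values)
        model[user] = (med, median(abs(v - med) for v in values))
    return model

def score(event, model):
    """List the reasons an event deviates; an empty list means it conforms."""
    user, hour, mb = event
    reasons = []
    if hour not in ALLOWED_HOURS:
        reasons.append("policy:outside_allowed_hours")
    if user not in model:
        reasons.append("baseline:unknown_user")
    else:
        med, mad = model[user]
        z = 0.6745 * (mb - med) / max(mad, MIN_SPREAD)  # robust to past outliers
        if abs(z) > THRESHOLD:
            reasons.append(f"statistical:modified_z={z:.1f}")
    return reasons

def detect(events, model):
    """Keep only events with at least one deviation, paired with the reasons."""
    return [(e, r) for e in events if (r := score(e, model))]

if __name__ == "__main__":
    for event, reasons in detect(NEW_EVENTS, build_baseline(BASELINE)):
        print(event, reasons)
```

Each flagged event carries its reasons, so an analyst can tell a rule violation from a statistical outlier when deciding what to investigate further.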