This chapter covers anomaly detection, a key capability in Azure AI services that identifies unusual patterns or outliers in time-series data. For the AI-900 exam, anomaly detection appears in approximately 5-10% of questions, primarily testing your understanding of when to use the Anomaly Detector service, its key features, and how it differs from other AI services. Mastering this topic will help you answer scenario-based questions about monitoring metrics, detecting fraud, or identifying equipment failures. You will learn the underlying mechanisms, configuration options, and real-world applications of the Azure Anomaly Detector API.
Imagine a factory assembly line that produces thousands of identical widgets per hour. A quality control inspector stands at the end of the line, watching each widget pass by. The inspector has been trained on what a 'normal' widget looks like—its size, weight, color, and shape are within a specific range. Most widgets pass inspection without issue. However, occasionally a widget is too heavy, too small, or has a scratch—these are anomalies. The inspector flags these for removal. The inspector does not need to know every possible defect in advance; instead, they learn the pattern of normality and anything that deviates significantly is flagged. In the same way, anomaly detection in machine learning learns the baseline pattern of data and identifies points that deviate from that baseline. The inspector's sensitivity can be adjusted—if set too high, many good widgets are flagged (false positives); if too low, defective widgets slip through (false negatives). In Azure Anomaly Detector, you can tune the sensitivity parameter to balance these errors. Just as the inspector might use a checklist of acceptable ranges, the Anomaly Detector uses statistical models (like moving averages and z-scores) to define the expected range for each data point.
What is Anomaly Detection?
Anomaly detection is the process of identifying data points, events, or observations that deviate significantly from the majority of the data. In the context of Azure AI, the Anomaly Detector service is a pre-built AI model that automatically detects anomalies in time-series data without requiring you to train a custom model. It is part of Azure Cognitive Services and can be accessed via a REST API or client SDK.
Why Use a Dedicated Service?
While you could build a custom anomaly detection model using Azure Machine Learning, the Anomaly Detector service is designed for rapid integration and minimal setup. It is optimized for time-series data—data points indexed in time order, such as server CPU usage over hours, daily sales figures, or IoT sensor readings. The service handles seasonality, trends, and noise, which are common challenges in real-world data.
How Does It Work Internally?
The Anomaly Detector uses a combination of statistical and machine learning models. The core algorithm is based on SR-CNN (Spectral Residual and Convolutional Neural Network) for batch detection and a sliding window approach for real-time detection. Here’s a step-by-step mechanism:
Data Ingestion: You send a time-series dataset via HTTP POST to the Anomaly Detector endpoint. The data must be in JSON format with timestamps and numeric values.
Preprocessing: The service cleans the data by handling missing values (e.g., interpolation) and normalizing the scale.
Seasonality Detection: The service automatically detects the dominant period (e.g., daily, weekly) using autocorrelation or Fast Fourier Transform (FFT). This is crucial for distinguishing normal cyclical patterns from anomalies.
Trend Estimation: A trend component is extracted using a moving average or STL (Seasonal-Trend decomposition using Loess).
Residual Calculation: The residual (difference between actual and expected value based on seasonality and trend) is computed.
Anomaly Scoring: Each residual is scored based on its deviation from the expected distribution. The service uses a z-score or Grubbs' test to determine statistical significance. A threshold (controlled by the sensitivity parameter) determines whether a point is flagged as anomalous.
Output: The API returns a JSON response with anomaly flags, expected values, upper and lower bounds, and confidence intervals.
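To make the mechanism concrete, here is a simplified pure-Python version of the pipeline above: period detection by autocorrelation, a robust trend estimate, a per-phase seasonal profile, residual z-scores and a sensitivity-driven threshold that yields expected values and bounds. It is an added example written for this chapter, not the Anomaly Detector service's own SR-CNN code; the autocorrelation cut-off, the fallback window for non-seasonal data and the mapping from sensitivity to a z-score cut-off are assumptions.

```python
import statistics

# Constructed sample: an hourly series with a 6-point seasonal cycle repeated
# 4 times and one injected spike (index 14, normally 30, pushed to 90).
SAMPLE = [10.0, 20.0, 30.0, 20.0, 10.0, 5.0] * 4
SAMPLE[14] = 90.0


def detect_period(values, min_ac=0.3):
    """Seasonality detection by autocorrelation: return the lag (>= 2) whose
    autocorrelation is highest, or 0 when nothing reaches min_ac (assumed cut-off)."""
    n = len(values)
    mean = sum(values) / n
    c = [v - mean for v in values]
    var = sum(x * x for x in c)
    if var == 0:
        return 0
    best_lag, best_ac = 0, 0.0
    for lag in range(2, n // 2 + 1):
        ac = sum(c[i] * c[i - lag] for i in range(lag, n)) / var
        if ac > best_ac:
            best_lag, best_ac = lag, ac
    return best_lag if best_ac >= min_ac else 0


def rolling_median(values, window):
    """Trend estimate: a centred rolling median (robust to single spikes);
    the window shrinks at the edges so every point gets a trend value."""
    n, half = len(values), window // 2
    return [statistics.median(values[max(0, i - half):min(n, i - half + window)])
            for i in range(n)]


def detect_anomalies(values, sensitivity=95, period=None):
    """Batch ('entire') detection: trend + seasonal profile -> expected value,
    residual z-scores, and a cut-off derived from sensitivity."""
    n = len(values)
    if n < 12:
        raise ValueError("need at least 12 points")
    if period is None:
        period = detect_period(values)
    trend = rolling_median(values, period or 5)  # 5-point window when non-seasonal (assumed)
    detrended = [v - t for v, t in zip(values, trend)]
    if period:
        # Seasonal profile: median detrended value at each phase of the cycle.
        profile = [statistics.median(detrended[p::period]) for p in range(period)]
        seasonal = [profile[i % period] for i in range(n)]
    else:
        seasonal = [0.0] * n
    expected = [t + s for t, s in zip(trend, seasonal)]
    residual = [v - e for v, e in zip(values, expected)]
    mu = statistics.fmean(residual)
    sigma = statistics.pstdev(residual) or 1e-9  # a single large spike inflates sigma
    # Assumed mapping of sensitivity to a z-score cut-off: 100 -> 1 sigma (flags
    # the most), 95 -> 1.5 sigma, 50 -> 6 sigma (flags almost nothing).
    z_cut = 1.0 + (100 - sensitivity) / 10.0
    margin = z_cut * sigma
    points = [{"expected": e, "lower": e - margin, "upper": e + margin,
               "isAnomaly": abs((r - mu) / sigma) > z_cut}
              for e, r in zip(expected, residual)]
    return {"period": period,
            "anomalies": [i for i, p in enumerate(points) if p["isAnomaly"]],
            "points": points}


if __name__ == "__main__":
    for s in (95, 50):
        print(s, detect_anomalies(SAMPLE, sensitivity=s)["anomalies"])
```

Running it with sensitivity 95 flags only the injected spike, while sensitivity 50 flags nothing, which is the recall/precision trade-off the sensitivity parameter controls.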
Key Components and Parameters
sensitivity: A float between 0 and 1 (default 0.95). Higher values make the model more sensitive, meaning it will flag more points as anomalies (higher recall, lower precision). Lower values reduce false positives but may miss subtle anomalies.
maxAnomalyRatio: A float between 0 and 1 (default 0.25). The maximum ratio of anomalies expected in the data. This helps the model determine the baseline.
granularity: The time interval between data points (e.g., hourly, daily, weekly). If not provided, the service attempts to infer it from the timestamps.
customInterval: An integer specifying a custom time interval in minutes if the granularity is per_minute or per_second.
period: An integer optionally specifying the seasonality period. If omitted, the service auto-detects it.
API Endpoints
The Anomaly Detector service offers two main detection modes:
Entire Series Detection (POST /anomalydetector/v1.0/timeseries/entire/detect): Analyzes the entire dataset at once. Best for historical analysis.
Last Point Detection (POST /anomalydetector/v1.0/timeseries/last/detect): Analyzes only the most recent data point. Ideal for real-time monitoring.
Change Point Detection (POST /anomalydetector/v1.0/timeseries/changepoint/detect): Detects trend changes in the data (e.g., a sudden shift in mean value).
Configuration and Verification
To use the service, you need an Azure Cognitive Services resource of type 'Anomaly Detector'. You can create one via the Azure portal or CLI:
# Create a free-tier (F0) Anomaly Detector resource
az cognitiveservices account create \
--name myAnomalyDetector \
--resource-group myResourceGroup \
--kind AnomalyDetector \
--sku F0 \
--location eastus
After creation, obtain the endpoint and key:
az cognitiveservices account show --name myAnomalyDetector --resource-group myResourceGroup --query "properties.endpoint"
az cognitiveservices account keys list --name myAnomalyDetector --resource-group myResourceGroup --query "key1"
Then, you can call the API using curl:
curl -X POST "https://<your-endpoint>/anomalydetector/v1.0/timeseries/entire/detect" \
-H "Content-Type: application/json" \
-H "Ocp-Apim-Subscription-Key: <your-key>" \
-d '{
"series": [
{"timestamp": "2023-01-01T00:00:00Z", "value": 100},
{"timestamp": "2023-01-01T01:00:00Z", "value": 200},
{"timestamp": "2023-01-01T02:00:00Z", "value": 150}
],
"granularity": "hourly",
"sensitivity": 95
}'
The response includes an isAnomaly boolean for each point, plus expectedValue, upperMargin, and lowerMargin.
Interaction with Other Azure Services
Anomaly Detector can be integrated with:
- Azure Stream Analytics: for real-time anomaly detection on streaming data.
- Azure Data Explorer: for historical analysis of large time-series datasets.
- Power BI: to visualize anomalies in dashboards.
- Azure Logic Apps: to trigger alerts or workflows when anomalies are detected.
Limitations
The service works best with data that has a clear seasonality and trend. Random noise can cause false positives.
It is not suitable for non-time-series data (e.g., images, text). Use other Cognitive Services like Computer Vision or Text Analytics for those.
The free tier (F0) has a limit of 5,000 transactions per month. For production, use S0 tier.
Create Anomaly Detector Resource
First, you must create an Anomaly Detector resource in your Azure subscription. Use the Azure portal, CLI, or PowerShell. Choose a pricing tier (F0 for free, S0 for paid). The resource provides an endpoint URL and two subscription keys. These are required for API authentication. In the portal, navigate to 'Create a resource' > 'AI + Machine Learning' > 'Anomaly Detector'. Fill in the subscription, resource group, name, region, and pricing tier. Click Review + Create. After deployment, note the endpoint and keys from the 'Keys and Endpoint' blade.
Prepare Time-Series Data
Your data must be a JSON array of objects with "timestamp" (ISO 8601 format) and "value" (numeric). Ensure timestamps are in chronological order and evenly spaced. Missing values can be interpolated by the service, but it's best to provide clean data. The minimum data length is 12 points for seasonality detection. For example: [{"timestamp": "2023-01-01T00:00:00Z", "value": 100}, ...]. You can also include an optional "period" parameter if you know the seasonality.
Choose Detection Mode
Decide whether you need to analyze the entire dataset or just the latest point. Use 'entire/detect' for batch analysis of historical data. Use 'last/detect' for real-time monitoring where you send one new point at a time. The 'changepoint/detect' endpoint is for detecting shifts in the trend (e.g., a sudden increase in mean). Each mode returns different response fields. For example, 'entire/detect' returns 'isAnomaly' array, while 'last/detect' returns a single boolean.
Configure Parameters
Set the 'granularity' to match your data interval (e.g., 'hourly', 'daily'). If auto-detection fails, provide 'period' manually. Adjust 'sensitivity' (0-100) to control anomaly detection strictness. A higher sensitivity (e.g., 95) flags more points as anomalies. 'maxAnomalyRatio' (0-1) sets the maximum expected anomaly proportion; the default 0.25 works for most cases. You can also set 'customInterval' for non-standard granularities. These parameters are passed in the request body.
Call API and Interpret Response
Send a POST request to the chosen endpoint with your JSON body and subscription key in the header. The response includes: 'expectedValues' (the model's prediction), 'upperMargins' and 'lowerMargins' (confidence bounds), 'isAnomaly' (boolean array for each point), 'period' (detected seasonality), and 'severity' (0-100 indicating anomaly strength). For 'last/detect', the response includes 'isAnomaly', 'expectedValue', and 'margin'. Use these to trigger alerts or visualize anomalies.
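The steps above, as one added example that is neither the service's SDK nor code from this chapter: it validates the series before sending it, checks that the timestamps agree with the stated granularity (the misconfiguration Scenario 1 warns about), builds the request body for the chosen endpoint, and reads an entire/detect response. The sample points and the response are constructed; bounds are taken as expectedValue plus or minus the margins, which is a simplification, and customInterval is treated as a multiple of the granularity unit.

```python
import json
import urllib.request
from datetime import datetime

# Seconds per data point for the fixed-width granularities (monthly and yearly
# vary in length, so they are not checked here).
GRANULARITY_SECONDS = {"per_second": 1, "per_minute": 60, "hourly": 3600,
                       "daily": 86400, "weekly": 604800}

# Constructed hourly sample: 12 readings with one obvious spike at 06:00.
SAMPLE_POINTS = [{"timestamp": f"2023-01-01T{h:02d}:00:00Z", "value": v}
                 for h, v in enumerate([100, 102, 98, 101, 99, 100, 250, 100, 102, 98, 101, 99])]

# Constructed stand-in for an entire/detect response, using the fields listed above.
CONSTRUCTED_RESPONSE = {
    "period": 0,
    "expectedValues": [100.0] * 12,
    "upperMargins": [5.0] * 12,
    "lowerMargins": [5.0] * 12,
    "isAnomaly": [i == 6 for i in range(12)],
    "severity": [0.9 if i == 6 else 0.0 for i in range(12)],
}


def build_request(points, granularity, sensitivity=95, max_anomaly_ratio=0.25,
                  period=None, custom_interval=None):
    """Validate the series (length, order, even spacing, granularity match) and
    return the JSON body for entire/detect or last/detect."""
    if len(points) < 12:
        raise ValueError("at least 12 points are needed for seasonality detection")
    stamps = [datetime.fromisoformat(p["timestamp"].replace("Z", "+00:00")) for p in points]
    deltas = {(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])}
    if len(deltas) != 1 or min(deltas) <= 0:
        raise ValueError("timestamps must be chronological and evenly spaced")
    step = deltas.pop()
    if granularity in GRANULARITY_SECONDS:
        # customInterval taken as a multiple of the granularity unit (assumption).
        implied = GRANULARITY_SECONDS[granularity] * (custom_interval or 1)
        if step != implied:
            raise ValueError(f"points are {step:.0f}s apart but granularity "
                             f"{granularity!r} implies {implied:.0f}s")
    body = {"series": [{"timestamp": p["timestamp"], "value": float(p["value"])} for p in points],
            "granularity": granularity, "sensitivity": sensitivity,
            "maxAnomalyRatio": max_anomaly_ratio}
    if period is not None:
        body["period"] = period
    if custom_interval is not None:
        body["customInterval"] = custom_interval
    return body


def interpret_response(body, response):
    """Pair each flagged point with its expected value and bounds
    (bounds = expectedValue +/- margin, a simplification)."""
    flagged = []
    for i, point in enumerate(body["series"]):
        if not response["isAnomaly"][i]:
            continue
        expected = response["expectedValues"][i]
        flagged.append({"timestamp": point["timestamp"], "value": point["value"],
                        "expected": expected,
                        "lower": expected - response["lowerMargins"][i],
                        "upper": expected + response["upperMargins"][i],
                        "severity": response.get("severity", [None] * len(body["series"]))[i]})
    return flagged


def post_detect(endpoint, key, body, mode="entire"):
    """POST the body to /timeseries/<mode>/detect (needs network and a real key)."""
    url = f"{endpoint.rstrip('/')}/anomalydetector/v1.0/timeseries/{mode}/detect"
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Ocp-Apim-Subscription-Key": key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

In practice you would call `post_detect(endpoint, key, build_request(points, "hourly"))` and pass the real response to `interpret_response`; the granularity check turns the silent mis-detection of Scenario 1 into an error before any transaction is spent.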
Scenario 1: Monitoring Cloud Infrastructure Metrics
A large e-commerce company uses Azure Anomaly Detector to monitor server CPU utilization across thousands of VMs. They collect metrics every 5 minutes into Azure Monitor, then stream the data via Azure Stream Analytics to the Anomaly Detector API. The goal is to detect unusual spikes that may indicate a DDoS attack or a runaway process. They use the 'last/detect' endpoint for real-time detection. The sensitivity is set to 90 to catch moderate anomalies while tolerating normal load spikes during flash sales. In production, they discovered that the default sensitivity of 95 caused too many false positives during peak hours, so they tuned it down. They also set up Azure Logic Apps to automatically scale out VMs when an anomaly is detected. A common misconfiguration is not providing the correct granularity—if timestamps are 5 minutes apart but granularity is set to 'hourly', the model misinterprets the seasonality, leading to poor detection.
Scenario 2: Predictive Maintenance in Manufacturing
A factory uses IoT sensors to record vibration levels of machinery every second. They want to detect early signs of bearing failure. They use the 'entire/detect' endpoint on historical data to identify patterns that precede failures. The data has strong daily seasonality (machines run at different speeds during shifts). They set the 'period' to 86400 seconds (24 hours) to help the model. The sensitivity is set to 80 because the cost of missing a real anomaly (catastrophic failure) is much higher than false positives (unnecessary maintenance checks). They also use the change point detection endpoint to identify when the machine's baseline vibration shifts permanently. A challenge is that the data is noisy, so they preprocess it with a moving average filter before sending it to the API. They also had to adjust the 'maxAnomalyRatio' to 0.1 because only about 10% of data points correspond to pre-failure conditions.
Scenario 3: Financial Fraud Detection
A fintech startup uses Anomaly Detector to monitor daily transaction volumes. They look for sudden drops or spikes that might indicate fraud or system issues. They use the 'changepoint/detect' endpoint to detect shifts in the trend. For example, if the average daily transactions suddenly drop from 10,000 to 5,000, that's a change point. They set the sensitivity to 95 to catch even small shifts. They also use the 'last/detect' endpoint to flag individual days that are unusually high or low compared to the expected seasonal pattern. A key consideration is that financial data often has weekly seasonality (weekdays vs weekends), so they set 'granularity' to 'daily' and 'period' to 7. They found that the service works well out-of-the-box, but they had to exclude holidays manually because the model cannot predict irregular events.
AI-900 Exam Focus on Anomaly Detection (Objective 2.2)
The AI-900 exam tests your ability to identify appropriate use cases for the Anomaly Detector service and understand its basic capabilities. You will NOT be asked to write code or interpret API responses in detail. Instead, expect scenario-based questions where you must choose whether Anomaly Detector is suitable.
Common Wrong Answers and Why Candidates Choose Them
Choosing 'Computer Vision' for detecting unusual patterns in time-series data: Candidates mistakenly think that any 'detection' task belongs to Computer Vision. However, Computer Vision works with images and video, not time-series numbers. Anomaly Detector is the correct service for time-series data.
Selecting 'Custom Vision' for anomaly detection: Custom Vision is for image classification and object detection. Candidates confuse 'anomaly' with 'custom classification'. Remember: Anomaly Detector is a pre-built service; Custom Vision requires training.
Thinking that Anomaly Detector requires training a model: Unlike Custom Vision or custom ML models, Anomaly Detector is pre-trained and does not require you to provide labeled data. It uses unsupervised learning to detect anomalies.
Selecting 'Language Understanding' (LUIS) for detecting anomalies in text: LUIS is for natural language understanding, not numerical anomaly detection. Candidates may associate 'anomaly' with unusual text patterns, but Anomaly Detector is strictly for time-series numeric data.
Specific Numbers and Terms That Appear on the Exam
Sensitivity parameter: default 95 (or 0.95). Know that higher sensitivity = more anomalies flagged.
Granularity options: yearly, monthly, weekly, daily, hourly, per_minute, per_second.
Endpoints: entire/detect, last/detect, changepoint/detect.
Data format: JSON with timestamp and value fields.
Limitations: Works only with time-series data; not for images, text, or audio.
Edge Cases and Exceptions
If the data has no clear seasonality, the model may still work but with lower accuracy. The service can handle non-seasonal data by treating the entire series as a single trend.
The service can detect both point anomalies (single outlier) and change points (shift in trend). The exam may ask you to distinguish between these two types.
The free tier (F0) is limited to 5,000 transactions per month. For production, use S0.
How to Eliminate Wrong Answers
If the scenario involves time-series numeric data, Anomaly Detector is likely correct.
If the scenario involves images, text, or audio, look for other services like Computer Vision, Text Analytics, or Speech.
If the scenario requires training with labeled data, it is not Anomaly Detector (which is unsupervised).
If the scenario is about predicting future values (forecasting), that is not anomaly detection; look for Azure Machine Learning or Time Series Insights (though Anomaly Detector can provide expected values as a byproduct, the primary goal is anomaly flagging).
Anomaly Detector is a pre-built Azure Cognitive Service for detecting anomalies in time-series data.
It does NOT require training or labeled data — it uses unsupervised learning.
Key parameters: sensitivity (default 95), maxAnomalyRatio (default 0.25), granularity (e.g., hourly, daily).
Three main endpoints: entire/detect, last/detect, changepoint/detect.
Input data must be JSON with timestamp (ISO 8601) and numeric value fields.
Higher sensitivity = more anomalies flagged (increase true positives but also false positives).
The service can detect both point anomalies and change points (trend shifts).
Common exam scenarios: monitoring server metrics, predictive maintenance, fraud detection.
Do not confuse with Computer Vision (images), Text Analytics (text), or Custom Vision (requires training).
Free tier limited to 5,000 transactions per month; use S0 for production.
These come up on the exam all the time. Here's how to tell them apart.
Anomaly Detector (Pre-built AI Service)
No training required; works out-of-the-box.
Optimized for time-series data only.
Easily integrated via REST API.
Limited customization (sensitivity, maxAnomalyRatio).
Free tier available (F0, 5K transactions/month).
Custom Anomaly Detection Model (Azure ML)
Requires labeled data and training.
Can be built for any data type (images, text, etc.).
More complex deployment (ML pipelines, endpoints).
Full control over algorithm and parameters.
Cost depends on compute resources.
Mistake
Anomaly Detector requires labeled training data to detect anomalies.
Correct
The Anomaly Detector service is pre-trained and uses unsupervised learning. It does not require any labeled data. You simply provide the time-series data, and it automatically identifies anomalies based on statistical patterns.
Mistake
Anomaly Detector can detect anomalies in any type of data, including images and text.
Correct
Anomaly Detector is specifically designed for time-series numeric data. For image anomaly detection, use Computer Vision or Custom Vision. For text, use Text Analytics. The service only accepts JSON with timestamps and numeric values.
Mistake
Higher sensitivity always gives better results because it catches more anomalies.
Correct
Higher sensitivity increases the true positive rate but also increases false positives. In scenarios where false positives are costly (e.g., unnecessary maintenance), lower sensitivity may be better. The optimal sensitivity depends on the cost balance between false positives and false negatives.
Mistake
The Anomaly Detector service can only detect point anomalies (single outliers).
Correct
The service can detect both point anomalies and change points (trend shifts). The 'changepoint/detect' endpoint specifically detects changes in the underlying distribution. The 'entire/detect' endpoint flags both types depending on the data.
Mistake
You must specify the 'period' parameter for the service to work correctly.
Correct
The 'period' parameter is optional. If omitted, the service automatically detects the dominant seasonality using FFT. However, specifying the correct period can improve accuracy, especially when auto-detection fails due to noise.
The 'entire/detect' endpoint analyzes the entire time-series dataset at once, returning anomaly flags for every point. It is used for batch analysis of historical data. The 'last/detect' endpoint analyzes only the most recent data point, making it suitable for real-time monitoring where you stream data point by point. The response from 'last/detect' includes whether the latest point is anomalous, its expected value, and the margin. For the exam, remember that 'last/detect' is for real-time scenarios, while 'entire/detect' is for historical analysis.
Yes, the service can handle missing values through interpolation. However, for best results, you should provide clean, evenly-spaced data. The service assumes the data points are in chronological order. If there are many missing points, the model's accuracy may decrease. In the API request, you can omit the missing timestamps, and the service will treat the gap as missing. It's recommended to fill missing values with reasonable estimates (e.g., linear interpolation) before sending.
The sensitivity parameter controls how strict the model is in flagging anomalies. It ranges from 0 to 100 (or 0 to 1 in some SDKs), with a default of 95 (or 0.95). A higher sensitivity means the model will flag more points as anomalies (higher recall, lower precision). A lower sensitivity will only flag extreme outliers (lower recall, higher precision). You should adjust sensitivity based on the cost of false positives vs. false negatives. For example, in fraud detection where missing a real anomaly is expensive, use higher sensitivity.
Anomaly Detector is a pre-built cognitive service that requires no training or machine learning expertise. It is specific to time-series data and can be called via a simple REST API. Azure Machine Learning is a platform for building, training, and deploying custom machine learning models. It requires you to provide data, choose algorithms, and manage compute resources. If you need a quick, no-code solution for time-series anomaly detection, use Anomaly Detector. If you need to detect anomalies in images or text, or need a custom algorithm, use Azure ML.
Anomaly Detector can identify two main types: point anomalies and change points. Point anomalies are individual data points that deviate significantly from the expected pattern (e.g., a sudden spike in CPU usage). Change points are shifts in the underlying trend or distribution (e.g., a gradual increase in average temperature). The 'entire/detect' endpoint flags both types, while the 'changepoint/detect' endpoint specifically detects change points. The exam may ask you to identify which type of anomaly is present in a given scenario.
No, Anomaly Detector is designed exclusively for time-series data where observations are ordered by time. For non-time-series data like customer churn (tabular data with features), you should use other Azure AI services like Azure Machine Learning to build a classification model. The exam will test your ability to match the service to the data type. If the data does not have timestamps, Anomaly Detector is not appropriate.
Anomaly Detector offers a free tier (F0) with 5,000 transactions per month and a paid tier (S0) with 50,000 transactions per month at a cost of approximately $0.149 per 1,000 transactions (prices may vary by region). The free tier is sufficient for development and testing. For production workloads, use S0. The exam may ask about the limitations of the free tier.