Anomaly detection alerts use artificial intelligence algorithms to analyze incoming logs and predict their expected behavior for the next 24 hours. When a log rises above or falls below a predefined threshold, something unusual may have occurred, indicating an opportunity for corrective action.

For example, an anomaly detection alert can help you discover when a transaction's response time exceeds its usual duration, allowing you to pinpoint and address performance bottlenecks. Or it can alert you when the outgoing traffic of a host exceeds its usual levels, indicating a potential security breach.

Dynamic alerts are powered by our [Streama© technology](https://coralogix.com/how-it-works/), which allows them to run on the Coralogix monitoring pipeline at a third of the cost, without prior indexing.

## Create an alert

Set up a logs-based anomaly detection alert to notify you if a log exceeds an AI-generated baseline threshold.

1. Access **Alerts**, then **Alert Management**. Click **Create Alert**.

2. When defining your alert conditions, select to be alerted when an event is **more-than-usual** compared to the baseline condition.

3. Define the [alert conditions](https://coralogix.com/docs/user-guides/alerting/multiple-alert-conditions/index.md).

4. Add one or more group-by keys. An alert is triggered whenever the condition threshold is met for a specific aggregated key within the specified time window. Our machine-learning model establishes the baseline standard for every group-by key.

5. [Optional] Configure the advanced settings, including [custom evaluation delay](https://coralogix.com/docs/user-guides/alerting/custom-evaluation-delay/index.md) and [percentage deviation](https://coralogix.com/docs/user-guides/alerting/anomaly-detection-deviation-percentage/index.md).

6. Finalize the alert setup.

## Data requirements

Anomaly detection requires sufficient historical data to establish a reliable baseline.

- The model trains on the previous 7 days of log data.
- At least 90% of this 7-day period must contain data.
- If the log source already has 7+ days of history when you create the alert, the alert becomes active within approximately 24 hours after the next daily model build.

### Changes that trigger a new learning period

- Creating a new anomaly detection alert
- Changing the query or filter
- Changing core condition logic that defines the data being modeled

### Changes that do not trigger a new learning period

- Changing the deviation percentage or sensitivity
- Changing notification settings, labels, or suppression rules
- Changing the alert name or priority

> Plan changes to the query carefully. Editing the query retrains the model and leaves the alert inactive for the duration of the new learning period.

## Limitations

The machine-learning model establishes the baseline standard for your logs for every group-by key in your alert definition. It is applied daily for the next 24 hours, using data from the past 7 days, and is based on a maximum of 500 permutations.
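A pre-flight check for the limits above and in Data requirements, as an added example that is not Coralogix code: it measures how much of the 7-day training window contains data and counts distinct group-by combinations against the 500-permutation limit. The hourly coverage bucket, the reading of a permutation as one distinct combination of group-by values, the record shape, and the `readiness` and `sample_records` names are assumptions; the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

TRAINING_DAYS = 7            # from the page: model trains on the previous 7 days
MIN_COVERAGE = 0.90          # from the page: at least 90% of the period must contain data
MAX_PERMUTATIONS = 500       # from the page: baseline is based on at most 500 permutations
BUCKET = timedelta(hours=1)  # assumption: coverage is measured in hourly buckets


def readiness(records, group_by, now):
    """records: iterable of (timestamp, fields dict). Returns a summary dict."""
    start = now - timedelta(days=TRAINING_DAYS)
    total_buckets = int(timedelta(days=TRAINING_DAYS) / BUCKET)
    seen_buckets, permutations = set(), set()
    for ts, fields in records:
        if not (start <= ts < now):
            continue  # outside the training window
        seen_buckets.add(int((ts - start) / BUCKET))
        # assumption: one permutation = one distinct tuple of group-by values
        permutations.add(tuple(fields.get(k) for k in group_by))
    coverage = len(seen_buckets) / total_buckets
    return {
        "coverage": coverage,
        "coverage_ok": coverage >= MIN_COVERAGE,
        "permutations": len(permutations),
        "permutations_ok": len(permutations) <= MAX_PERMUTATIONS,
    }


def sample_records(now, hosts, skip_hours=()):
    """Constructed sample data: one log per host per hour, minus skipped hours."""
    start = now - timedelta(days=TRAINING_DAYS)
    out = []
    for h in range(TRAINING_DAYS * 24):
        if h in skip_hours:
            continue  # simulate an ingestion gap
        for host in hosts:
            out.append((start + timedelta(hours=h, minutes=5), {"host": host}))
    return out


if __name__ == "__main__":
    now = datetime(2024, 1, 8, tzinfo=timezone.utc)
    print(readiness(sample_records(now, ["web-1", "web-2"]), ["host"], now))
```

Run it against an export of the logs your alert query would match, with `group_by` set to the same keys you plan to add in step 4.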

## Related resources

- [Anomaly sensitivity](https://coralogix.com/docs/user-guides/alerting/anomaly-detection-deviation-percentage/)
- [Configure alert definition](https://coralogix.com/docs/user-guides/alerting/configuring-alert-definition/)
- [Notification Center](https://coralogix.com/docs/user-guides/notification-center/introduction/)
- [Cases](https://coralogix.com/docs/user-guides/cases/overview/)

## Next steps

Monitor specific datasets for threshold conditions with [Dataset alerts](https://coralogix.com/docs/user-guides/alerting/create-an-alert/logs/dataset-alerts/index.md).

## Support

Reach our customer success team 24/7 via the in-app chat or by email at [support@coralogix.com](mailto:support@coralogix.com).
