Anomaly Detection

Currently in Early Access

The Anomaly Detection system is currently only exposed via the JupiterOne Early Access Program (EAP). Please contact your Solutions Architect or Account Manager to get enrolled.

JupiterOne provides out-of-the-box Anomaly Detection powered by machine learning and data analytics. It assesses all Device entities in an account's Asset Inventory and proactively identifies those that do not conform to established patterns. Once identified, these entities can be understood, triaged, and any associated risks mitigated. In the future, JupiterOne will expand this offering to provide anomaly detection on other entity classes and types.

Data Model

The JupiterOne Anomaly Detection Assessment for Device data creates the following entities in the JupiterOne graph based on its overall Assessment findings. When it finds that a Device is an anomaly, it attaches anomaly data to the _type unified_device.

Entities

  Resource                               Entity _type                   Entity _class
  Overall Anomaly Detection Assessment   anomaly_detection_assessment   Assessment
  Device Anomaly                         device_anomaly                 Finding

Relationships

  Source Entity _type             Relationship _class   Target Entity _type
  anomaly_detection_assessment    IDENTIFIED            device_anomaly
  unified_device                  HAS                   device_anomaly

Data used in Anomaly Detection

Just as context is key to evaluating your asset landscape, context is key to finding real anomalies in any dataset. JupiterOne combines the raw properties of an entity with properties computed from the overall graph context of an account. This allows more granular, targeted anomaly detection based on connections as well as raw property data. The tables below break down the properties (both raw and computed) that are used for anomaly detection. This is not an exhaustive list; it is meant to illustrate the types of data being used.

Raw Properties

These are properties that exist on each device entity itself, usually provided by the integrations that ingest the device.

  • associatedEmailAddress (string) - The emailAddress associated with this Device; a proxy for ownership.
  • _class (string[]) - The JupiterOne-assigned class value.
  • _lastSeenOn (string) - When JupiterOne last saw this Device from an integration.
  • _type (string[]) - The JupiterOne-assigned type value.
  • encryptionStatus (boolean) - Whether this Device is encrypted.
  • firewallEnabled (boolean) - Whether this Device has a firewall enabled.
  • ipAddress (string) - The IP address of this Device.
  • macAddress (string) - The MAC address of this Device.
  • osType (string) - The operating system type of this Device.

Computed Properties

These are properties that are computed before each run of an Anomaly Detection Assessment, using an account's current JupiterOne graph.

  • Difference of Last Seen On and Oldest Seen On (string) - The difference between the last time a Device was seen and the oldest time it was seen. This could indicate a misconfiguration of a specific integration (such as a HostAgent or ConfigurationManagement tool).
  • Host Agent Configuration (boolean) - Whether this Device has a regularly checking-in HostAgent connected to it.
  • Number of In Relationships (number) - The number of relationships that terminate at this Device.
  • Number of Out Relationships (number) - The number of relationships that originate from this Device.
  • Number of Problems (number) - The number of Problem entities connected to this Device.

Property Importance

When inspecting a specific device_anomaly in the Property Panel or in the Anomaly Detection Report, you will see a Property Importance indicator. It shows how much a specific property contributed to the overall anomaly score for this device: a property whose values were more anomalous than others has a higher importance value, and a property whose values were less anomalous has a lower one.

[Screenshot: Property Importance indicator]

Property Formats

Bins

Categorizing continuous data into defined ranges helps JupiterOne better detect anomalies in your dataset. Therefore, some properties are discretely segmented into ranged bins that follow interval notation. Square brackets [ ] indicate an inclusive bound, while round brackets ( ) indicate an exclusive bound. For example, (1, 5] represents all numbers from 1 to 5, excluding 1 but including 5.

For example, in the screenshot below, the Page Rank property is segmented into many bins, all of which are exclusive on the lower bound and inclusive on the upper.

[Screenshot: Binned Property Example]

In-App Experience

JupiterOne Anomaly Detection data is accessible via the JupiterOne application in a few places:

  1. Anomaly Detection Report
  2. Property Panel for a device_anomaly entity
  3. Property Panel for an anomaly_detection_assessment entity
  4. The Device Anomaly Detection (Beta) Insights Dashboard
  5. The Device Matrix (coming soon)

Anomaly Detection Report

The JupiterOne Anomaly Detection Report is a comprehensive overview of your device inventory, along with the categorized anomalies it contains. Currently, the Anomaly Detection Report can be launched from:

  1. The Anomaly Detection navigation item in the Assets application
  2. The device_anomaly Property Panel
  3. The anomaly_detection_assessment Property Panel

[Screenshot: Anomaly Detection Report]

From the report, you can drill down to a specific device using the Device selector in the report header. When a device is selected, its data is loaded into the report, allowing you to compare it to the overall dataset (see screenshot below).

[Screenshot: Anomaly Detection Report with a device selected]

Property Panel for a device_anomaly Entity

The Property Panel for a device_anomaly entity now shows an Anomaly Detection section, which lists every property used by the anomaly detection model.

Each property contains:

  • Importance - The relative sway this property had on considering this entity an anomaly. A higher value indicates the property was more anomalous.
  • Value - The value for this property. In the case of a numeric or date property, the value could be "binned" with other similar values.
  • Others Had Values - A few values that other entities had for this same property. These values give a quick look into the other common values for this property.
  • Prevalence - The percentage of devices in the entire device inventory that share this property value.
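The following is an added example, not JupiterOne's own code, that ties the Bins section above to the Property Panel fields just listed. It bins a numeric property into interval-notation labels (lower bound exclusive, upper bound inclusive, as in the Page Rank screenshot), parses such labels back into a membership test, and computes the Value, Others Had Values and Prevalence fields for one device over a small set of constructed unified_device-like records. The bin edges, the field name inRelationships, and the reading of "Others Had Values" as the most common values held by other devices (excluding the inspected device's own value) are assumptions; the real model chooses its own bins and JupiterOne's importance score is not reproduced here.

```python
"""Added example (not JupiterOne's own code): interval-notation binning plus
the Value / Others Had Values / Prevalence fields of the device_anomaly
Property Panel, computed over constructed sample devices."""
import re
from collections import Counter

# Constructed sample of unified_device-like records. "inRelationships" is a
# hypothetical field name standing in for "Number of In Relationships".
DEVICES = [
    {"_key": "dev-01", "osType": "darwin",  "encryptionStatus": True,  "inRelationships": 4},
    {"_key": "dev-02", "osType": "darwin",  "encryptionStatus": True,  "inRelationships": 3},
    {"_key": "dev-03", "osType": "darwin",  "encryptionStatus": True,  "inRelationships": 5},
    {"_key": "dev-04", "osType": "windows", "encryptionStatus": True,  "inRelationships": 2},
    {"_key": "dev-05", "osType": "windows", "encryptionStatus": True,  "inRelationships": 4},
    {"_key": "dev-06", "osType": "windows", "encryptionStatus": True,  "inRelationships": 3},
    {"_key": "dev-07", "osType": "linux",   "encryptionStatus": True,  "inRelationships": 6},
    {"_key": "dev-08", "osType": "linux",   "encryptionStatus": False, "inRelationships": 0},
]

# Assumed bin edges per numeric property; the real edges are chosen by the model.
BINS = {"inRelationships": [0, 1, 5, 10]}
PROPS = ["osType", "encryptionStatus", "inRelationships"]


def bin_label(value, edges):
    """Label the bin holding `value`: lower bound exclusive, upper bound
    inclusive, e.g. (1, 5]. The first bin is closed on both ends so the
    minimum value of the range has a bin."""
    if value < edges[0] or value > edges[-1]:
        raise ValueError(f"{value} is outside the binning range [{edges[0]}, {edges[-1]}]")
    if value <= edges[1]:
        return f"[{edges[0]}, {edges[1]}]"
    for lo, hi in zip(edges[1:], edges[2:]):
        if lo < value <= hi:
            return f"({lo}, {hi}]"
    raise AssertionError("unreachable: edges must be ascending")


_INTERVAL = re.compile(r"^([\[(])\s*(-?\d+(?:\.\d+)?)\s*,\s*(-?\d+(?:\.\d+)?)\s*([\])])$")


def in_interval(label, x):
    """Membership test for an interval-notation label such as (1, 5] or [0, 1]."""
    m = _INTERVAL.match(label)
    if not m:
        raise ValueError(f"not an interval label: {label!r}")
    lo_br, lo, hi, hi_br = m.groups()
    lo, hi = float(lo), float(hi)
    above_lo = x >= lo if lo_br == "[" else x > lo
    below_hi = x <= hi if hi_br == "]" else x < hi
    return above_lo and below_hi


def panel_value(device, prop):
    """A device's value for `prop`, binned when the property is numeric."""
    return bin_label(device[prop], BINS[prop]) if prop in BINS else device[prop]


def prevalence(devices, prop):
    """Percentage of devices holding each (binned) value of `prop`, to one decimal."""
    counts = Counter(panel_value(d, prop) for d in devices)
    return {v: round(100 * c / len(devices), 1) for v, c in counts.items()}


def others_had_values(devices, prop, key, limit=3):
    """Most common values of `prop` among the other devices, excluding the
    inspected device's own value (assumed reading of 'Others Had Values')."""
    mine = panel_value(next(d for d in devices if d["_key"] == key), prop)
    counts = Counter(panel_value(d, prop) for d in devices if d["_key"] != key)
    return [v for v, _ in counts.most_common() if v != mine][:limit]


def property_panel(devices, key):
    """Value / Others Had Values / Prevalence for each property of one device."""
    device = next(d for d in devices if d["_key"] == key)
    panel = {}
    for prop in PROPS:
        value = panel_value(device, prop)
        panel[prop] = {
            "value": value,
            "othersHadValues": others_had_values(devices, prop, key),
            "prevalence": prevalence(devices, prop)[value],
        }
    return panel


if __name__ == "__main__":
    # dev-08 is the odd one out: unencrypted and with no inbound relationships.
    for prop, row in property_panel(DEVICES, "dev-08").items():
        print(f"{prop:18} value={row['value']!s:8} prevalence={row['prevalence']}%  "
              f"others={row['othersHadValues']}")
```

Running the script prints the three panel rows for dev-08; its inRelationships value lands in the closed first bin [0, 1] with 12.5% prevalence, while the other devices mostly sit in (1, 5]. The same bin_label and in_interval helpers can be reused to check which bin any raw value would fall into when reading a binned property in the Property Panel.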

[Screenshot: Property Panel for a device_anomaly entity]

Property Panel for an anomaly_detection_assessment entity

The Property Panel for an anomaly_detection_assessment entity now shows an Anomaly Detection section, which gives a quick overview of the Assessment run against the device inventory, along with a button to view the Anomaly Detection Report.

[Screenshot: Property Panel for an anomaly_detection_assessment entity]

The Device Anomaly Detection (Beta) Insights Dashboard

Upon enrollment in the Early Access Program, your account is given access to the Device Anomaly Detection (Beta) Insights Dashboard, which is part of the Assets and Attack Surface category. This dashboard shows high-level statistics about the anomalies in your account, as well as a query results table to encourage drill-downs into the data. Once this functionality is released to all customers, these widgets will be added to the Device Management Insights Dashboard.

[Screenshot: The Device Anomaly Detection (Beta) Insights Dashboard]

Requirements

In order to effectively predict anomalies, the machine learning model requires at least 256 rows of data, so accounts with fewer than 256 unified_device entities are not eligible for anomaly detection. To check this, run the J1QL query:

Find unified_device RETURN count(unified_device)

If the result is less than 256, anomaly detection will not run on your account, and you will see the screen below when navigating to the anomaly detection page.

[Screenshot: Missing Requirements Message]

What's Next

As mentioned above, we are currently working on integrating anomaly data with the Device Matrix. In parallel, we are working to uncover other interesting data points in your JupiterOne graph in order to enhance the Anomaly Detection system and extend it to other data types.