How Anomaly Detection (AD) Works.Summary<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } This section provides a simplified overview of the Anomaly Detection (AD) process in ServiceNow, from raw data ingestion to alert generation. Anomaly Detection Workflow Raw Data CollectionHistorical raw metric data is continuously collected and stored.Model LearningOn a daily basis, the AD engine trains a statistical model using the last 21 days of raw data. The resulting model can be viewed in the sa_time_series table. Model Synchronization to MID ServerIf anomaly detection is enabled for a metric, the trained model is synchronized to the MID Server.Anomaly Score CalculationAs new raw metric values arrive, the anomaly detection engine evaluates how far each value deviates from the learned model boundaries. This calculation produces an anomaly score, which can be viewed in the sa_metric_anomaly_score table. Score Ingestion into the InstanceThe calculated anomaly scores are sent back to the ServiceNow instance for further evaluation.Alert Generation (Based on AD Level)Depending on the configured Anomaly Detection level: Anomaly Alerts: An anomaly alert is generated and can be viewed under the Anomaly Alerts menu.IT Alerts: A standard IT alert is created and appears in the Alerts table. 6.a. APE Integration (If Enabled) When APE + Anomaly Alerts is enabled: The APE engine evaluates the number of open anomaly alerts on a CI.If the count meets or exceeds the threshold defined in the APE configuration, an IT (Classification) alert is created (promoted).