Fabric RTI 101: Anomaly Detection in KQL

Anomaly detection is a key use case for real-time analytics — it’s about automatically identifying when something unusual or unexpected happens in your data.

In most systems, normal behavior forms a fairly predictable pattern. For example, transactions follow a steady daily rhythm, CPU usage fluctuates within a typical range, and sensor readings stay within expected bounds.

Anomalies are the data points that break from those patterns — a sudden spike in temperature, a large payment outside normal limits, or a sudden burst of failed login attempts.

The goal of anomaly detection is to spot these deviations quickly, ideally as they happen, so that you can take action before the situation escalates.

In Microsoft Fabric, KQL provides built-in functions to make this easier. One of the most common is series_decompose_anomalies(). This function looks at a time series — essentially, a set of values over time — and uses statistical techniques to decompose it into trend, seasonality, and residual components.

It then identifies which points in the residuals are outside the expected range, marking them as anomalies. This method works well for continuous numeric data, such as sensor measurements or event counts, where there’s a repeating pattern over time.

Not all anomaly detection needs to be statistical, though. In many cases, simple rules-based detection works perfectly well. For example, you might filter for transactions above a certain threshold, or alert when error rates exceed a known limit.

Rules-based approaches are easier to implement, and they’re often more transparent — you know exactly what condition triggered the alert. Statistical models, on the other hand, are more powerful for finding subtle or evolving patterns that humans might not specify in a rule.
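The following query puts the two approaches just described side by side. It is an added example and not code from the original post: it builds a constructed series of failed sign-in counts (the `StartTime`, `BinSize` and `FailedLogins` names, the placeholder account, the injected burst at bin 30 and the fixed ceiling of 20 are all assumptions made for illustration), runs `series_decompose_anomalies()` over it, and adds a plain threshold rule in the same result so you can compare what each one flags.

```kql
// Constructed sample (not real telemetry): failed sign-in counts per 5-minute
// bin for one account across four hours. The series has a small periodic
// baseline plus one injected burst at bin 30 that a responder would want to see.
let StartTime = datetime(2024-01-01 00:00:00);
let BinSize = 5m;
let FailedLogins =
    range i from 0 to 47 step 1
    | extend Timestamp = StartTime + i * BinSize,
             Account = "user@example.com",   // placeholder account name
             Count = toint(3 + 2 * sin(2 * pi() * i / 12)) + iff(i == 30, 40, 0);
FailedLogins
// Build a regular time series (the series_* functions need one); missing bins become 0.
| make-series Counts = sum(Count) default = 0
    on Timestamp from StartTime to StartTime + 48 * BinSize step BinSize
    by Account
// Statistical detection: threshold 1.5 (the default), seasonality auto-detected (-1),
// trend estimated with a line fit. Returns a per-point flag (+1/-1/0), score and baseline.
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Counts, 1.5, -1, 'linefit')
| mv-expand Timestamp to typeof(datetime), Counts to typeof(long),
            Anomalies to typeof(int), Score to typeof(double), Baseline to typeof(double)
// Rules-based detection alongside it: a fixed ceiling, chosen here for illustration only.
| extend RuleHit = Counts > 20
| where Anomalies != 0 or RuleHit
| project Timestamp, Account, Counts, Baseline, Score, Anomalies, RuleHit
```

Because `make-series` groups `by Account`, the same query scales to many accounts without change; each one gets its own decomposition and baseline. The `RuleHit` column shows the trade-off from the paragraph above: the rule is transparent and cheap, but the ceiling has to be tuned against the observed baseline, whereas the statistical flag adapts to the series itself and reports a score you can use to rank alerts.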

The use cases for anomaly detection are broad. In IoT scenarios, it might be spotting when a machine starts vibrating outside its normal range. In security monitoring, it could be identifying a user logging in from an unusual location or at an unusual time. In financial systems, it can help flag potential fraud or suspicious transaction patterns.

An important point is that anomaly detection often feeds directly into alerting and automated actions. When the system detects something unusual, it can trigger an event — for example, sending a message to a monitoring dashboard, pushing an alert to a response team, or automatically running a mitigation workflow. That’s why anomaly detection is such a common pattern in real-time pipelines: it turns raw analytics into actionable insight almost instantly.

Anomaly detection is about identifying unexpected behavior in your data — whether through statistical models like series_decompose_anomalies() or through straightforward rules and filters. It’s one of the most powerful and practical applications of real-time analytics because it enables immediate awareness and automated response to problems as they occur.

Learn more about Fabric RTI

If you want to learn about RTI right now, we have an online on-demand course that you can enrol in today. You’ll find it at Mastering Microsoft Fabric Real-Time Intelligence

2026-06-24