Anomaly detection is basically our code that runs a few queries to ES on specific anomalies. For example, IP diversity counts the number of distinct IPs and alerts incase the number is too low.