US Patent 11856014 Anomaly detection in computing computing system events

Methods and systems are described herein for detecting anomalous access to system resources. An anomaly detection system may access system events from one or more computing devices and may generate entries from the system events. Each entry may include a corresponding timestamp indicating a time when a corresponding system event occurred, a corresponding user identifier indicating a user account within a computing environment associated with the corresponding system event, a corresponding location identifier indicating a location within the computing environment, and a corresponding action identifier indicating an action that the user account performed with respect to the location or an object within the computing environment. The generated entries may be aggregated and input into an anomaly detection model to obtain anomalous activity identified by the model.