Skip to content

How do you establish a baseline of normal, and how does it help you detect anomalies?

Short answer

A baseline is a model of normal behaviour for a host, user, account, or network segment — what processes run, who logs in from where and when, typical data volumes, normal beaconing intervals. Once you know normal, anomalies (rare parent-child process pairs, first-seen binaries, logons at odd hours, unusual data egress) become detectable as deviations. Baselining is the foundation of anomaly detection, but it requires enough clean history and careful handling of legitimate change so you do not drown in false positives.

Anomaly detection only works if you know what normal is. Baselining is the discipline of building that picture of normal so that the abnormal — which is where adversaries live — visibly stands out.

What you baseline

  • Process behaviour — which executables run on a host, their typical parents, and command-line patterns. A winword.exe spawning powershell.exe is a deviation worth a look.
  • Identity — when and from where each user logs in, which systems they touch, what their normal role activity looks like.
  • Network — typical destinations, data volumes, and connection cadence per host.
  • Frequency / rarity — "first-seen" and least-frequent-occurrence analysis: a binary or domain seen exactly once across the fleet is interesting precisely because it is rare.

Turning baseline into detection

With a baseline, anomalies become queries: first-seen binaries this week, logons outside a user's historical hours, a host suddenly egressing 50x its normal volume, or a new parent-child process relationship. These are hypotheses a hunter tests.

The catch: change is normal too

Environments evolve — new software, new hires, new business hours. A naive anomaly detector flags every legitimate change and trains analysts to ignore it. Good baselining accounts for seasonality, maintains the baseline over time, and pairs statistical rarity with context before alerting.

Why this matters

Interviewers want to hear that you understand both the power and the failure mode of anomaly detection: it surfaces unknown threats, but without a maintained, context-aware baseline it becomes a false-positive machine.

Likely follow-ups

  • What makes anomaly-based detection prone to false positives?
  • How long a baseline window do you need, and why?
  • Give an example of a 'first-seen' anomaly worth hunting on.

Sources

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.