A small percentage of anomaly alerts are expected to appear more than 3 days after the anomaly occurred. When this happens, the platform is working as designed.
The anomaly engine relies on 13 months of data to determine a moving average, which it updates as time passes and compares to the policy parameters. In some cases, the updated average shifts in a way that causes an anomaly to be identified a few days after it occurred.
Internal analysis indicates that approximately 95% of anomalies will be alerted in 3 days or less, with 5% or fewer being reported more than 3 days after the anomaly. Many factors go into the anomaly detection system, and in some cases data availability and timing can affect how quickly and accurately an alert is raised. To increase accuracy, ensure that policy evaluation timeframes are set to twice a day.