Most Azure environments are not monitored — they are alerted on. Teams configure static CPU thresholds, set memory warnings, and wire up a handful of Azure Monitor rules. When something crosses a line, a notification fires. When it does not, the assumption is that everything is fine.
That assumption breaks regularly. A resource can behave abnormally without ever crossing a static threshold. A compromised identity can operate quietly for hours. A cost spike on a single cluster can double your bill before anyone notices. Static rules catch the obvious failures. Anomaly detection catches everything else.
Why static thresholds are not enough
The problem with fixed thresholds is that they require you to know in advance what "wrong" looks like. A CPU at 80% is normal for a batch processing cluster and alarming for an idle API server. A sign-in from a new country might be expected for a traveling executive and critical for an administrative account that never leaves the region.
Applying the same rule to both scenarios produces either too much noise or too many misses. Teams quickly learn to tune thresholds aggressively to silence the noise, which means they are also silencing the early warnings.
How intelligent baselines change the signal
TENET establishes a baseline for each resource based on its actual historical behavior. Detection is relative, not absolute. When CPU climbs 340% above its seven-day baseline on a specific VM, that deviates significantly from what is normal for that resource at that time of day. The alert carries context — not just a raw number, but the magnitude of the deviation and the resource's historical pattern — so the team receiving it already understands why it matters.
The result is far fewer alerts overall, so the ones that fire are the ones that actually require action, and they arrive with enough context to act on immediately.
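To make the contrast concrete, here is an added illustration, not TENET's detection logic (which this page does not describe): it compares a static 80% CPU rule with a per-resource baseline check on constructed samples for a batch cluster and an idle API server. The function names, the median/MAD scoring, and the 3.5 cutoff are assumptions chosen for the sketch.

```python
from statistics import median

STATIC_THRESHOLD = 80.0  # percent CPU: one fixed rule applied to every resource
MAD_CUTOFF = 3.5         # assumed cutoff for the robust z-score below

# Constructed data: CPU % at the same hour of day over the previous seven days.
BATCH_HISTORY = [82, 85, 79, 88, 84, 81, 86]  # batch cluster, busy by design
API_HISTORY = [4, 5, 5, 6, 5, 4, 5]           # idle API server

def static_alert(value):
    """Absolute rule: fire whenever the sample crosses the fixed line."""
    return value >= STATIC_THRESHOLD

def baseline_alert(history, value):
    """Relative rule: score the sample against this resource's own history.

    Returns (fired, percent_above_baseline). Median and MAD are used instead
    of mean and standard deviation so one past outlier does not widen the band.
    """
    base = median(history)
    # Floor the spread at 1 percentage point so a flat history cannot divide by zero.
    mad = median(abs(x - base) for x in history) or 1.0
    score = 0.6745 * (value - base) / mad  # 0.6745 scales MAD to ~1 sigma
    pct_above = round(100.0 * (value - base) / base) if base else None
    return abs(score) >= MAD_CUTOFF, pct_above

def compare(name, history, value):
    """Evaluate both rules on one sample and return the context an alert needs."""
    fired, pct = baseline_alert(history, value)
    return {
        "resource": name,
        "value": value,
        "baseline": median(history),
        "pct_above_baseline": pct,
        "static_alert": static_alert(value),
        "baseline_alert": fired,
    }

if __name__ == "__main__":
    for row in (compare("batch-cluster", BATCH_HISTORY, 87),
                compare("api-server", API_HISTORY, 22)):
        print(row)
```

The batch cluster at 87% trips the static rule while sitting inside its own normal range, and the API server at 22% never trips it despite running 340% above its baseline.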
What TENET monitors
Workload and performance anomalies. TENET tracks compute, storage, networking, databases, function apps, and containers. Metrics, logs, traces, events, and behavioral signals are ingested together. When P99 latency spikes on a VM, when error rates climb on a production API, or when storage egress deviates sharply from normal, the deviation surfaces as a prioritized anomaly rather than a raw metric alert.
Identity threats across Azure and Microsoft 365. The identity surface is where most compromises begin. TENET monitors sign-in behavior across Entra ID and M365, flagging impossible travel, sign-ins from Tor exit nodes, new device registrations, legacy authentication attempts that bypass MFA, and unusual access patterns. These events appear in the same anomaly feed as infrastructure signals, so security and operations teams see the full picture in one place.
Cost anomalies. Unexpected spend is one of the most common Azure problems teams discover too late. TENET tracks daily spend per resource against its historical baseline. When a single AKS cluster's cost spikes 550% over its 13-day average, the anomaly surfaces immediately — with the affected resource identified and BriteAI's hypothesis on what caused it, typically a scaling event, a runaway job, or an autoscale misconfiguration.
Distributed application traces. Application failures often originate several layers below the surface. TENET correlates distributed traces from Application Insights to identify the span where failures originate. When a checkout flow times out, the trace view shows that the root cause is a payment gateway timeout four hops deep — not the API surface where the error appears.
Investigation in plain language
When an anomaly is detected, BriteAI provides a natural language summary alongside the signal. Rather than navigating to separate dashboards or writing queries, teams can ask directly: what caused this, what is the blast radius, what should we do next. Answers draw on the live Azure data and TENET's correlation engine.
For log-heavy investigations, BriteAI accepts natural language queries against Log Analytics workspaces. What would normally take a Kusto query becomes a conversational exchange.
Alerts in Microsoft Teams
Anomalies are delivered to Microsoft Teams channels with full context attached — resource name, metric, region, deviation magnitude, and timestamp. The goal is that the person receiving the alert has enough information to begin triage without logging into any portal. For teams already operating in Teams, this keeps the response workflow in one place.
Getting started
TENET connects to Azure through a read-only service principal and begins building baselines immediately. There is no agent installation, no instrumentation, and no threshold configuration. From the first data refresh, coverage spans every subscription the service principal has access to.
The anomaly detection tab is available on all plans, including the 14-day free trial.