CLI Reference: Anomaly Detection
Commands for viewing anomaly detection events.
The anomaly detector monitors agent behavior for patterns that deviate from expected norms: unusually high tool invocation rates, repeated failures, excessive resource consumption, or suspicious capability usage. See Anomaly Detection for background.
ash anomaly list
List recent anomaly detection events.
ash anomaly list [--agent <agent-id>] [--limit <n>]
| Flag | Default | Description |
|---|---|---|
| --agent | (all agents) | Filter events by agent ID |
| --limit | 20 | Maximum number of events to show |
Examples:
# Last 20 anomaly events across all agents
ash anomaly list
# Filter to a specific agent, show more events
ash anomaly list --agent 550e8400-e29b-41d4-a716-446655440000 --limit 50
Output format
Each anomaly event includes:
| Field | Description |
|---|---|
| event_id | UUID |
| agent_id | Agent that triggered the event |
| detected_at | RFC3339 UTC timestamp |
| kind | Anomaly type (see below) |
| severity | low, medium, high, critical |
| detail | Human-readable description |
Anomaly kinds
| Kind | Description |
|---|---|
| HighToolInvocationRate | Agent exceeded the per-minute tool call threshold |
| RepeatedToolFailure | Same tool failed more than N times in a row |
| CapabilityEscalationAttempt | Agent attempted to use a capability it does not hold |
| ResourceExhaustion | Agent approached or hit its memory/CPU limits |
| UnexpectedStateTransition | Agent lifecycle state changed in an unexpected way |
| CostBudgetExceeded | Agent exceeded its declared cost budget |
Integration with audit log
All anomaly events are also written to the audit log. Use ash audit to see them alongside other events:
ash audit --agent <agent-id>
Automatic responses
Depending on the severity, agentd may automatically:
- Log the event (all severities)
- Pause the agent pending operator review (high)
- Terminate the agent (critical)
Automatic response behavior is configured in agentd.toml.
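
The following is an added example, not part of ash or agentd: a small triage helper that takes events carrying the fields from the output format table and reports, per agent, the worst recent severity and the automatic response listed above for it, so an operator can compare that with the agent's actual state. It assumes events are already available as Python dicts; the sample events, their severities, the second agent ID and the one-hour window are constructed, and the response mapping mirrors the list above rather than any particular agentd.toml.

```python
from collections import Counter
from datetime import datetime, timedelta

SEVERITIES = ["low", "medium", "high", "critical"]  # ascending, as listed on this page
# Automatic response per severity as listed on this page; agentd.toml may change it.
RESPONSE = {"low": "log", "medium": "log", "high": "pause", "critical": "terminate"}

AGENT_A = "550e8400-e29b-41d4-a716-446655440000"  # example ID used on this page
AGENT_B = "11111111-2222-4333-8444-555555555555"  # constructed

def ev(n, agent, ts, kind, severity):
    # Build one constructed event with the documented fields.
    return {"event_id": f"00000000-0000-4000-8000-{n:012d}", "agent_id": agent,
            "detected_at": ts, "kind": kind, "severity": severity, "detail": "constructed"}

SAMPLE = [
    ev(1, AGENT_A, "2024-05-01T10:00:00Z", "HighToolInvocationRate", "medium"),
    ev(2, AGENT_A, "2024-05-01T10:05:00Z", "CapabilityEscalationAttempt", "high"),
    ev(3, AGENT_B, "2024-05-01T07:00:00Z", "RepeatedToolFailure", "low"),
    ev(4, AGENT_B, "2024-05-01T10:10:00Z", "CostBudgetExceeded", "critical"),
]

def parse_ts(value):
    # RFC3339 UTC "Z" suffix -> explicit offset, accepted by every fromisoformat version.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(events, now, window=timedelta(hours=1)):
    """Summarise events within `window` of `now`, keyed by agent_id."""
    out = {}
    for e in events:
        if e["severity"] not in SEVERITIES:
            raise ValueError(f"unknown severity {e['severity']!r} in {e['event_id']}")
        age = now - parse_ts(e["detected_at"])
        if age < timedelta(0) or age > window:
            continue  # outside the review window
        s = out.setdefault(e["agent_id"], {"worst": "low", "kinds": Counter()})
        s["kinds"][e["kind"]] += 1
        s["worst"] = max(s["worst"], e["severity"], key=SEVERITIES.index)
    for s in out.values():
        s["expected_response"] = RESPONSE[s["worst"]]
    return out

if __name__ == "__main__":
    for agent, s in triage(SAMPLE, parse_ts("2024-05-01T10:30:00Z")).items():
        print(agent, s["worst"], s["expected_response"], dict(s["kinds"]))
```

An agent whose expected response is pause or terminate but which is still running is worth checking against the automatic response settings in agentd.toml.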