Company
Date Published
Author
Nimisha Saxena, Anes Bendimerad
Word count
631
Language
English
Hacker News points
None

Summary

Datadog Cloud SIEM has introduced Content Anomaly Detection, a detection method that identifies unusual activity by analyzing the content of logs rather than only their frequency or recency. The approach is meant to surface subtle deviations in user behavior or unexpected command patterns that volume-based methods miss. During a learning period the system builds a baseline of normal log content; new logs are then compared against that baseline using Jaccard similarity, approximated with MinHash and Locality Sensitive Hashing, and an alert fires when the configured thresholds are crossed. Security teams can tune detection rules with parameters such as the similarity threshold, the minimum number of similar items, and the evaluation window to reduce noise and improve precision. The method improves detection of risks such as unauthorized access or configuration changes that would otherwise go unnoticed, giving visibility into what logs contain rather than only their structure or volume.
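The mechanism the summary describes, as an added example that is not Datadog's code and does not reflect how Cloud SIEM is implemented internally: log lines are turned into token shingles, each shingle set is summarised as a MinHash signature, signatures are bucketed by LSH bands so that only likely neighbours are compared, and a new line is flagged when fewer than `min_similar_items` baseline lines reach `similarity_threshold`. The parameter names, the shingling scheme, the 128-permutation / 32-band layout and the sample sshd and sudo log lines are all assumptions constructed for this illustration; the evaluation window is not modelled.

```python
"""Content anomaly scoring over log lines with MinHash + LSH (illustrative only)."""
import hashlib
import random
import re
from collections import defaultdict

MERSENNE_PRIME = (1 << 61) - 1   # modulus for the universal hash family
NUM_PERMS = 128                  # MinHash signature length
BANDS, ROWS = 32, 4              # LSH banding: 32 bands x 4 rows = 128 slots
SHINGLE_SIZE = 2                 # token 2-grams (assumed shingling scheme)

# Constructed sample data: a "normal" baseline of key-based deploy logins.
BASELINE = [
    "sshd[2201]: Accepted publickey for deploy from 10.0.0.12 port 51234 ssh2",
    "sshd[2202]: Accepted publickey for deploy from 10.0.0.15 port 51240 ssh2",
    "sshd[2203]: Accepted publickey for deploy from 10.0.0.12 port 51301 ssh2",
]
# Same source host and auth method, different user: partially overlapping content.
SAME_SOURCE_LINE = "sshd[2204]: Accepted publickey for root from 10.0.0.12 port 51500 ssh2"
# Privilege escalation never seen in the baseline: no shared shingles at all.
SUDO_LINE = "sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; COMMAND=/usr/bin/passwd root"


def shingles(line, k=SHINGLE_SIZE):
    """Lower-case, whitespace-tokenise a log line and return its k-token shingles."""
    tokens = re.findall(r"\S+", line.lower())
    if len(tokens) < k:
        return {" ".join(tokens)}
    return {" ".join(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a, b):
    """Exact Jaccard similarity |a & b| / |a | b| between two shingle sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def _stable_hash(s):
    # Python's str hash is salted per process; SHA-1 keeps signatures reproducible.
    return int.from_bytes(hashlib.sha1(s.encode()).digest()[:8], "big")


class MinHasher:
    """MinHash signatures from the hash family h_i(x) = (a_i * x + b_i) mod p."""

    def __init__(self, num_perms=NUM_PERMS, seed=42):
        rng = random.Random(seed)
        self.params = [(rng.randrange(1, MERSENNE_PRIME), rng.randrange(0, MERSENNE_PRIME))
                       for _ in range(num_perms)]

    def signature(self, shingle_set):
        hashes = [_stable_hash(s) for s in shingle_set]
        return tuple(min((a * h + b) % MERSENNE_PRIME for h in hashes) for a, b in self.params)


def estimated_jaccard(sig_a, sig_b):
    """Fraction of agreeing signature slots; an unbiased estimate of Jaccard similarity."""
    return sum(x == y for x, y in zip(sig_a, sig_b)) / len(sig_a)


class ContentAnomalyDetector:
    """Learns a baseline of log content, then scores new lines against it."""

    def __init__(self, similarity_threshold=0.5, min_similar_items=1):
        self.similarity_threshold = similarity_threshold
        self.min_similar_items = min_similar_items
        self.hasher = MinHasher()
        self.baseline = []                # (line, signature)
        self.buckets = defaultdict(set)   # (band index, band slice) -> baseline indices

    def _band_keys(self, sig):
        return [(b, sig[b * ROWS:(b + 1) * ROWS]) for b in range(BANDS)]

    def learn(self, line):
        """Learning period: index a normal line into every LSH band bucket."""
        sig = self.hasher.signature(shingles(line))
        idx = len(self.baseline)
        self.baseline.append((line, sig))
        for key in self._band_keys(sig):
            self.buckets[key].add(idx)

    def similar_items(self, line):
        """Baseline lines colliding in at least one band whose estimate meets the threshold."""
        sig = self.hasher.signature(shingles(line))
        candidates = set()
        for key in self._band_keys(sig):
            candidates |= self.buckets.get(key, set())
        scored = [(self.baseline[i][0], estimated_jaccard(sig, self.baseline[i][1]))
                  for i in sorted(candidates)]
        return [(text, est) for text, est in scored if est >= self.similarity_threshold]

    def is_anomalous(self, line):
        return len(self.similar_items(line)) < self.min_similar_items


def build_detector(similarity_threshold=0.5, min_similar_items=1):
    det = ContentAnomalyDetector(similarity_threshold, min_similar_items)
    for line in BASELINE:
        det.learn(line)
    return det


if __name__ == "__main__":
    det = build_detector()
    for line in BASELINE[:1] + [SAME_SOURCE_LINE, SUDO_LINE]:
        print(("ANOMALY " if det.is_anomalous(line) else "normal  "), line)
        for text, est in det.similar_items(line):
            print(f"    est={est:.2f} exact={jaccard(shingles(line), shingles(text)):.2f}  {text}")
```

Raising `similarity_threshold` or `min_similar_items` makes the rule stricter (more lines flagged); lowering them suppresses noise from lines that differ only in volatile fields such as PIDs and ports, which is why the shingles in this example are compared as sets rather than as exact strings. The LSH bands only decide which baseline entries are worth scoring; the Jaccard estimate, not the bucket collision itself, is what the threshold is applied to.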