Anomalous behaviour detection gives businesses an approach to identify “in-role users”, whether human or machine, who behave abnormally but within agreed security and compliance frameworks. In this paper, we will show you the common reference architecture for the ingestion, storage, analysis and action layers of an enterprise capability that provides not only multiple use case fulfilment, but also an extensible open capability for the enterprise to leverage.