Systems, methods, and related technologies for determining an anomaly based on properties associated with an entity are described. The determination of an anomaly associated with an entity may include accessing network traffic from a network and storing a first value of a property associated with an entity communicatively coupled to the network. The first value of the property is based on the network traffic. Additional network traffic associated with the entity may be accessed and a second value of the property determined based on the additional network traffic. Whether the first value of the property does not match the second value of the property may be determined and in response to the first value of the property not matching the second value of the property, an indicator that an anomaly has detected may be stored. An action may be performed based on determination of an anomaly.