
We present a hybrid anomaly detection framework that combines unsupervised and supervised models to identify abnormal authentication behavior and privilege-escalation activities in enterprise Active Directory environments. The system outperforms single-model baselines and incorporates a zero-tolerance One-Class SVM baseline to ensure highly reliable, production-grade alerts.

