In one embodiment, a device in a network receives fingerprints of two or more network anomalies detected in the network by different anomaly detectors. Each fingerprint comprises a hash of tags that describe a detected anomaly. The device associates the fingerprints with network records captured within a timeframe in which the two or more network anomalies were detected. The device compares the fingerprints associated with the network records to determine that the two or more detected anomalies are part of a singular anomaly event. The device generates a notification regarding the singular anomaly event, wherein the notification includes those of the fingerprints that are associated with the singular anomaly event.