Techniques to reduce false positives in detecting anomalous use of resources are disclosed. In various embodiments, resource access data indicating for each resource in a set of resources respective usage data for each of one or more users of the resource is received. Cluster analysis is performed to determine one or more clusters of users. For each cluster, a set of recommended resources to be associated with the cluster is determined. For each of at least a subset of users, a temporal behavior based model for each user that reflects one or more resources included in the set of recommended resources associated with a corresponding cluster of which the user is a member is generated.