Invention Application
- Patent Title: DYNAMIC MONITORING, DETECTION OF EMERGING COMPUTER EVENTS
- Application No.: PCT/US2020/023469
- Application Date: 2020-03-19
- Publication No.: WO2020197897A1
- Publication Date: 2020-10-01
- Inventor: WILSON, Alexander James; NECKERMANN, Tom; VAN BRUGGEN, Simone
- Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
- Applicant Address: One Microsoft Way Redmond, Washington 98052-6399 US
- Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
- Current Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
- Current Assignee Address: One Microsoft Way Redmond, Washington 98052-6399 US
- Agency: MINHAS, Sandip S. et al.
- Priority: US16/367,152 20190327
- Main IPC: H04L29/06
- IPC: H04L29/06; G06F21/55; H04L12/24
Abstract:
Technologies are provided for the monitoring, detection, and notification of emerging, related issues within a system, which may indicate a problem. Within a computing-security system, a sudden increase in the frequency of events associated with unauthorized logon attempts signals a real-time and ongoing security risk. A method monitors system-related events and generates a vector representation for each event based on event features. Clusters of related events are determined, and a state automaton is employed to determine a strength of temporal "bursty" activity for each cluster. Hypothesis testing is performed on each cluster to determine a likelihood that the cluster is a temporally emergent cluster. Clusters with a bursting likelihood above a threshold are determined to be emergent clusters associated with an anomalous issue. A notification regarding the detected anomaly is provided. A remedial action addressing the anomaly is performed. Noisy clusters are filtered and aggregated based on their bursting likelihood and overlapping sub-spaces of the hyperspace.