With ML categorization jobs you still do anomaly detection as well as categorization. Usually this would use a function of the category ID. It's almost always rare by mlcategory or count by mlcategory, and since you don't know which you've got, it must be one of these that's been added by the categorization wizard. You can find out by looking at the job configuration in the ML jobs list.

If it's count by mlcategory then your actual will be how many categories of Payload typically and actually occur per time bucket. If it's rare by mlcategory then typical will be the probability of seeing that category in a typical bucket.

You can see the category definitions without the anomaly information using the Get Categories API.
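
An added example (not part of the original answer): reading the detector function from a job configuration and joining an anomaly record to its category definition. The JSON shapes follow the responses of GET _ml/anomaly_detectors/<job_id> and GET _ml/anomaly_detectors/<job_id>/results/categories; the job name, category terms and record values are constructed, and the helper names are hypothetical.

```python
import json

# Constructed sample responses; job name, terms and values are made up.
JOB_RESPONSE = json.loads("""
{"count": 1, "jobs": [{"job_id": "payload-categories",
  "analysis_config": {"bucket_span": "15m",
    "categorization_field_name": "Payload",
    "detectors": [{"function": "rare", "by_field_name": "mlcategory",
                   "detector_index": 0}]}}]}
""")
CATEGORIES_RESPONSE = json.loads("""
{"count": 2, "categories": [
  {"job_id": "payload-categories", "category_id": 1,
   "terms": "user login succeeded",
   "examples": ["user alice login succeeded"]},
  {"job_id": "payload-categories", "category_id": 7,
   "terms": "service account token rejected",
   "examples": ["service account svc-backup token rejected"]}]}
""")
# Constructed anomaly record: by_field_value carries the category ID.
RECORD = {"detector_index": 0, "by_field_name": "mlcategory",
          "by_field_value": "7", "typical": [0.0004], "actual": [1.0]}

MEANING = {
    "count": "typical/actual are per-bucket counts for this category",
    "rare": "typical is the probability of seeing this category in a bucket",
}

def category_detectors(job_response):
    """Map detector_index -> function for detectors split by mlcategory."""
    found = {}
    for job in job_response["jobs"]:
        for det in job["analysis_config"]["detectors"]:
            if det.get("by_field_name") == "mlcategory":
                found[det["detector_index"]] = det["function"]
    return found

def explain(record, job_response, categories_response):
    """Join one anomaly record to its detector function and category."""
    function = category_detectors(job_response)[record["detector_index"]]
    by_id = {c["category_id"]: c for c in categories_response["categories"]}
    cat = by_id[int(record["by_field_value"])]
    return {"function": function,
            "meaning": MEANING.get(function, "see job config"),
            "terms": cat["terms"], "example": cat["examples"][0],
            "typical": record["typical"][0], "actual": record["actual"][0]}

if __name__ == "__main__":
    print(json.dumps(explain(RECORD, JOB_RESPONSE, CATEGORIES_RESPONSE), indent=2))
```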