FINOPS-ANOMALY-DETECTION
FinOps Anomaly Detection ML-based cloud cost spikes.
Definition
FinOps Anomaly Detection key features: (1) Multi-dimensional analysis: detect anomalies per service + per linked account + per tag + per region dimensions, granular detection vs aggregate-only. (2) ML models: various algorithms (Prophet seasonal decomposition + statistical methods variance-based + custom NN models), train on historical cost data to detect deviations vs expected patterns considering seasonality + trends. (3) Alert thresholds: configurable severity tiers (low + medium + high), configurable absolute $ thresholds or percentage deviation from expected. (4) Alert channels: email + SNS topics + webhooks Slack/Teams + ITSM ServiceNow tickets. (5) Root cause analysis: identify specific resource(s) causing anomaly (e.g., specific EC2 instance scaling up unexpected, specific S3 bucket egress spike, etc.) + suggested remediation. (6) Suppression rules: suppress known patterns (planned cost spikes for product launch, marketing campaign, etc.) to reduce noise. AWS Cost Anomaly Detection free service, Azure + GCP similar free integration. Use cases: detect crypto mining attacks (compromised cloud account, attacker spins up EC2 GPU instances), runaway batch jobs (Lambda + Cloud Run errors retries cost amplification), forgot resources (dev/test resources left running months unused).
Origin
AWS Cost Anomaly Detection launched 2020 ; Azure Cost Management Anomaly Detection 2022 ; GCP Cost Anomaly Detection 2023 ; third-party tools 2018+.
Example in context
Enterprise FinOps team uses AWS Cost Anomaly Detection: configured anomalies detection per service category (Compute + Storage + Networking + Database + AI/ML), alert threshold >20% deviation expected + >$1000 absolute, Slack channel #finops-alerts ; detected anomaly cryptocurrency mining compromise compromised AWS access keys spinning up p3.16xlarge instances ($12K/day cost), immediately quarantined + investigated.
Related terms
- AWS Cost Explorer — detection complement.