Anomalies

Anomalies Detection Overview

Finout's advanced algorithms analyze historical data to pinpoint cost anomalies within your MegaBill. Finout identifies both cost increases and decreases, allowing you to quickly investigate the reason for any deviations from your regular spending. In addition, you can monitor these anomalies within Finout or receive anomaly updates directly via Slack, MS Teams, ServiceNow (coming soon), or email.

For comprehensive tracking, Finout scans your most frequently used tags, services, cost centers, and virtual tags. Each newly created virtual tag includes an anomaly scan to ensure you get a holistic view of your data.

Anomaly types:

Predefined Anomalies: These are anomalies identified by Finout for significant cost groups and filters. You have the option to modify these to better fit your specific requirements.

Custom Anomalies: Customize your cloud cost anomaly detection to meet your team's unique needs. You can set your own rules, thresholds, and patterns to align with your specific cost management strategies. Custom anomalies offer the flexibility to pinpoint and tackle cost inconsistencies that are most pertinent to your team.

There are four main functions in Anomalies:


Anomalies Feed

In the Anomalies Feed, you can see all of your anomalies and filter, investigate, and manage them.

Note: Finout automatically filters out taxes, credits, and promotions from anomaly detection to reduce noise and highlight only operationally significant changes.

  1. Filters:

    • Timeframe

    • Anomaly threshold: Filter anomalies based on specific thresholds. For example: Set a threshold of over 20% will display all anomalies exceeding this limit.

    • Type: Select the anomaly type.

    • Cost center: Select a cost center.

    • Key: Select a Key.

    • Value: Select a value.

    • Search: Use free text search to find anomalies based on various terms or descriptions.

  2. Create Anomaly Alert: To create an Anomaly Alert, see Create Custom Anomalies.

  3. Anomaly Settings:

    1. In the Anomalies Feed, click and then click Anomalies Settings. The Anomalies Settings pop-up appears.

    2. Choose a default endpoint.

      Note: If a default endpoint is created, all anomaly alerts with no configured endpoint will automatically be directed to that channel. You can modify their endpoints as needed.

    3. Choose the maximum number of alerts per day.

    4. Anomaly creation for new Virtual Tags: By default, Finout creates anomalies for each newly created virtual tag.

      Note: Untoggle to disable this functionality.

    5. Click Save.

  4. Clear Anomalies Feed:

    In the Anomalies Feed, click and then click Clear anomalies feed.

  5. Anomaly information: Information regarding a single Anomaly Alert.

  6. Investigate: Clicking Investigate opens MegaBill in a new tab with the anomaly configuration (filters) already populated.

  7. Delete an Anomaly:

    1. In the Anomalies Feed, click Delete in a select Anomaly.

    2. Click Yes.

  8. Add a Comment:

    1. In the Anomalies Feed, click Add Comment in a select Anomaly.

    2. Write a comment and click Save.

  9. Create a Jira issue.


Create Custom Anomalies

  1. Navigate to Anomalies.

  2. Click Create Anomaly Alert. The Anomaly Alert Type side window appears.

  3. Choose the Anomaly Alert Type:


Cost Anomaly

Enable configuration of cost anomalies to detect and flag deviations, triggering alerts to specified endpoints to help identify cost inefficiencies and unexpected trends.

  1. Navigate to Anomalies.

  2. Click Create Anomaly Alert. The Anomaly Alert Type side window appears.

  3. Select Cost Anomaly. The Create Anomaly Alert procedure appears.

  4. Alert Name: Enter an alert name.

  5. Cost Type: Define the cost type.

    1. Select a Cost type. See Cost and Usage for the list of Cost Types.

    2. Load View configuration for the cost. (Optional)

    3. Select a Filter for the cost.

    4. Select what to group by for the cost (Optional). Make sure your selection matches how the costs are organized so the data displays correctly.

  6. Alert Thresholds: Alert thresholds allow you to control when anomalies are surfaced based on cost changes that matter to your organization. By setting specific thresholds, you can filter out noise and focus on meaningful deviations.

    For example, setting a threshold of 20% will display only anomalies that exceed that deviation from expected behavior. You can also define a minimum dollar amount—such as $20—to ensure only significant cost spikes trigger alerts. To detect smaller fluctuations, lower either the percentage or dollar threshold. To focus on major anomalies, increase them.

    Use alert thresholds to align anomaly detection with your operational norms and cost management goals.

    Result: After defining your group and filters, the associated values will appear. You have the option to activate or deactivate each value, allowing you to refine the anomaly alert parameters, making sure it matches exactly what you're looking for.

  7. Alert Endpoints: Easily integrate notifications with endpoints. Select your desired endpoint, ensuring its configuration is completed beforehand, to start receiving anomaly alerts.

    1. Set a default endpoint for this anomaly. If no endpoint is defined for a group-by value, the alert for that value will be sent to this default endpoint. If no default endpoint is set, the alert will be sent to the endpoint specified in the anomalies settings.

    2. Enable sending alerts to endpoints based on group-by values:

      1. Select an endpoint :

        1. Default endpoint - When the toggle is off, all alerts will be sent to the default endpoint you chose in step a.

        2. Selected endpoints and Metadata endpoints -

          1. Click Choose an Endpoint and add any additional endpoints to send the alert.

          2. If you group by a virtual tag, it will automatically send Alerts to its associated Metadata endpoints.

            • Click if you would like to disable the Metadata endpoint for this value.

  8. Alert Time Interval:

    Note:

    • Daily - Choosing a day means that an alert is triggered daily.

    • Weekly - A Week is a weekly alert that notifies you every Tuesday (when you have a full week).

    • The difference between "last week" and "last 7 days" lies in calculating the timeframes. "Last week" refers to the calendar week immediately before the current one. On the other hand, "last 7 days" refers to the prior 7 days from the selected date, regardless of the day of the week.

    1. Define Evaluation Period - Set your preferred time period (Days or Weeks) to check for anomalies. For example, the last 5 days.

    2. Set Comparison Period - This compares the total cost of the current period to the average total cost of several previous periods. For example: You choose 20 days (4 periods). This is compared to the current 5-day total cost to the average total cost of the previous 20 days. Use Case:

      You want to evaluate anomalies over a 2-day period compared to the previous 6 days:

      • Date: Assume today is August 22nd.

      • Evaluation Period: Calculates the total cost for the chosen evaluation period: The last 2 days (August 19-20).

      • Comparison Period: Calculates the average of the evaluation period (2 days) over the chosen comparison period: the preceding 6 days (August 12-18).

      • Alert: An alert is triggered if the time period cost of the evaluation period exceeds the average cost of the comparison period's total costs from the defined thresholds.

  9. Seasonality Check: The Seasonality Check helps reduce false-positive anomaly alerts by recognizing recurring cost patterns. Instead of flagging every cost spike as an anomaly, it checks whether the increase follows a regular weekly or monthly trend before triggering an alert.

    Note: Currently, daily seasonality is supported for an evaluation period of 1 to 6 days.

    Weekday Seasonality

    • Compares the cost on a specific weekday (e.g., Monday) to the average cost of the same weekday over the past few weeks (e.g., the last 4 Mondays).

    • An alert is triggered only if the cost exceeds the expected range based on your alert settings.

    Monthly Seasonality

    • Compares the cost on a specific date (e.g., the 1st of each month) to the average cost on the same date over the past few months (e.g., the last 4 months).

    • An alert is sent if the cost surpasses the historical trend beyond the defined threshold.

    This feature ensures that anomalies are detected more accurately, minimizing noise from predictable fluctuations. What Happens When You Enable Seasonality? When the Seasonality Check is enabled, Finout automatically filters out alerts identified as seasonal anomalies: - They won’t appear in your anomaly feed. - They won’t be sent to your configured endpoint. This ensures that your alerts focus only on unexpected anomalies, helping you cut through the noise of predictable cost fluctuations.

  10. Click Save. The Anomaly alert is created. Result: After saving the anomaly, your anomaly will appear under Manage Anomalies. This tab displays a comprehensive table of both custom-created and pre-defined anomalies generated by Finout.


Unit Economics Anomaly (Coming Soon)

Enable configuration of unit economics anomalies to detect and flag deviations, triggering alerts to specified endpoints to help identify cost inefficiencies and unexpected trends.

  1. Navigate to Anomalies.

  2. Click Create Anomaly Alert. The Anomaly Alert Type side window appears.

  3. Select Unit economics. The Create Anomaly Alert procedure appears.

  4. Alert Name: Enter an alert name.

  5. Unit Economics Configuration: Define what unit economics the alert will monitor. Choose between loading a configuration from an existing Unit Economics widget or setting up a new one.

    1. Select a Widget.

    2. Select a Cost type.

    3. Select a View for the cost.

    4. Select a Filter for the cost.

    5. Select what to Group by for the cost.

    Note: When a group by is applied, the selected dimensio in cost must match the group by field defined in the telemetry dimension.

    6. Select a Telemetry.

    7. Select a Filter for the Telemetry.

    8. Select what to Group by for the Telemetry.

  6. Alert Thresholds: Alert thresholds allow you to control when anomalies are surfaced based on cost changes that matter to your organization. By setting specific thresholds, you can filter out noise and focus on meaningful deviations.

    For example, setting a threshold of 20% will display only anomalies that exceed that deviation from expected behavior. You can also define a minimum dollar amount, such as $20, to ensure only significant cost spikes trigger alerts. To detect smaller fluctuations, lower either the percentage or dollar threshold. To focus on major anomalies, increase them.

    Use alert thresholds to align anomaly detection with your operational norms and cost management goals.

    Result: After defining your group and filters, the associated values will appear. You have the option to activate or deactivate each value, allowing you to refine the anomaly alert parameters, making sure it matches exactly what you're looking for.

  7. Alert Endpoints: Easily integrate notifications with endpoints. Select your desired endpoint, ensuring its configuration is completed beforehand, to start receiving anomaly alerts.

    1. Set a default endpoint for this anomaly. If no endpoint is defined for a group-by value, the alert for that value will be sent to this default endpoint. If no default endpoint is set, the alert will be sent to the endpoint specified in the anomalies settings.

    2. Enable sending alerts to endpoints based on group-by values:

      1. Select an endpoint :

        1. Default endpoint - When the toggle is off, all alerts will be sent to the default endpoint you chose in step a.

        2. Selected endpoints and Metadata endpoints -

          1. Click Choose an Endpoint and add any additional endpoints to send the alert.

          2. If you group by a virtual tag, it will automatically send Alerts to its associated Metadata endpoints.

            • Click if you would like to disable the Metadata endpoint for this value.

  8. Alert Time Interval:

    Note:

    • Daily - Choosing a day means that an alert is triggered daily.

    • Weekly - A Week is a weekly alert that notifies you every Tuesday (when you have a full week).

    • The difference between "last week" and "last 7 days" lies in calculating the timeframes. "Last week" refers to the calendar week immediately before the current one. On the other hand, "last 7 days" refers to the prior 7 days from the selected date, regardless of the day of the week.

    1. Define Evaluation Period - Set your preferred time period (Days or Weeks) to check for anomalies. For example, the last 5 days.

    2. Set Comparison Period - This compares the total cost of the current period to the average total cost of several previous periods. For example: You choose 20 days (4 periods). This is compared to the current 5-day total cost to the average total cost of the previous 20 days. Use Case:

      You want to evaluate anomalies over a 2-day period compared to the previous 6 days:

      • Date: Assume today is August 22nd.

      • Evaluation Period: Calculates the total cost for the chosen evaluation period: The last 2 days (August 19-20).

      • Comparison Period: Calculates the average of the evaluation period (2 days) over the chosen comparison period: the preceding 6 days (August 12-18).

      • Alert: An alert is triggered if the time period cost of the evaluation period exceeds the average cost of the comparison period's total costs from the defined thresholds.

  9. Seasonality Check: The Seasonality Check helps reduce false-positive anomaly alerts by recognizing recurring cost patterns. Instead of flagging every cost spike as an anomaly, it checks whether the increase follows a regular weekly or monthly trend before triggering an alert.

    Note: Currently, daily seasonality is supported for an evaluation period of 1 to 6 days.

    Weekday Seasonality

    • Compares the cost on a specific weekday (e.g., Monday) to the average cost of the same weekday over the past few weeks (e.g., the last 4 Mondays).

    • An alert is triggered only if the cost exceeds the expected range based on your alert settings.

    Monthly Seasonality

    • Compares the cost on a specific date (e.g., the 1st of each month) to the average cost on the same date over the past few months (e.g., the last 4 months).

    • An alert is sent if the cost surpasses the historical trend beyond the defined threshold.

    This feature ensures that anomalies are detected more accurately, minimizing noise from predictable fluctuations. What Happens When You Enable Seasonality? When the Seasonality Check is enabled, Finout automatically filters out alerts identified as seasonal anomalies: - They won’t appear in your anomaly feed. - They won’t be sent to your configured endpoint. This ensures that your alerts focus only on unexpected anomalies, helping you cut through the noise of predictable cost fluctuations.

  10. Click Save. The Anomaly alert is created. Result: After saving the anomaly, your anomaly will appear under Manage Anomalies. This tab displays a comprehensive table of both custom-created and pre-defined anomalies generated by Finout.


Manage Custom Anomalies

The Manage Anomalies tab displays a comprehensive table of both custom-created and pre-defined anomalies generated by Finout.

  1. Navigate to Anomalies and select the Manage Anomalies tab.

  2. Search for the relevant anomaly: Use the search bar for a direct query or apply filters to narrow down results.

  3. Toggle off an anomaly to disable alerts for that specific issue.

  4. Click beside the relevant anomaly and then select one of the following:

    • Edit: Edit the Anomaly Alert and click Save.

    • Duplicate: make changes to the Duplicated Alert and click Save.

    • Delete: Deletes the Anomaly Alert.


Predefined Anomalies

Finout provides pre-configured anomalies out of the box that can be customized to meet your specific requirements. You can toggle these anomalies on or off, or duplicate them as a foundation for creating custom anomalies, ensuring they align with your needs.

Finout automatically detects the following predefined anomalies:

  • AWS: Regions, Sub Service, Account Name, Entity Name, Charge Type

  • Azure: Service, Meter Region, Meter Sub Category, Service Family, Consumed Service

  • GCP: Project ID, Compute Machine Spec, Folder, Project Name, Project Number, Region, SKU description, Services

  • Global: Cost Center

  • Kubernetes: deployment, demonset, k8s_namespace, cronjob

  • SnowFlake: cost type, warehouse_name, user name, account, database name

  • DataDog: Product, Organization, Sub-Product, Index, Metric Name, Region, Service, Status, Usage Type

  • All Virtual Tags

    Note: Creating anomalies for new virtual tags is enabled for all accounts by default.

Manage Predefined Anomalies

  1. Navigate to Anomalies and select the Manage Anomalies tab.

  2. Search for the relevant anomaly: Use the search bar for a direct query or apply filters to narrow down results.

  3. Toggle off an anomaly to disable alerts for that specific issue.

  4. To duplicate, select beside the relevant anomaly If you choose to duplicate, set a name for the duplicated anomaly and adjust all fields accordingly.

    Note: Pre-defined anomalies can be customized to suit your needs. You have the flexibility to edit the group values by toggling them on or off, ensuring they meet your specific requirements.

    When you modify a predefined anomaly, a new custom anomaly is created with the revised settings, and the original predefined anomaly is deactivated.


FAQs

Why does the comparison period need to be a multiple of the evaluation period? The comparison period must be a multiple of the evaluation period to ensure consistency in calculations. This allows Finout to calculate the total cost of each evaluation period within the comparison period and determine an accurate average. For example, if your evaluation period is 3 days, the comparison period could be 9 days (3 evaluation periods) but not 10 days, ensuring reliable and consistent anomaly detection.

Why can’t I choose arbitrary intervals like 3 weeks compared to 4 weeks?

To maintain accurate comparisons, the comparison period must align with the evaluation period to ensure equal, consistent time intervals. This alignment ensures anomalies are detected based on reliable averages derived from comparable time intervals.

Is there a limit to how many values I can set thresholds for in anomaly alerts?

Yes. To ensure anomaly alerts save and run reliably at scale, thresholds can only be set for the top 1,500 values by cost when using the “set thresholds by value” or “set endpoints by value” options.

Is there a limit to anomaly alert data values?

Yes. To ensure anomaly alerts run reliably and efficiently, Finout automatically analyzes only the top 10,000 values by cost. When the data exceeds this limit, only the most cost-significant values will be analyzed.

Last updated

Was this helpful?