> For the complete documentation index, see [llms.txt](https://docs.finout.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.finout.io/user-guide/optimize/anomalies.md).

# Anomalies

## Anomalies Detection Overview <a href="#h_0e457f6bf9" id="h_0e457f6bf9"></a>

Finout's advanced algorithms analyze historical data to pinpoint cost anomalies within your [MegaBill](https://docs.finout.io/user-guide/inform/megabill). Finout identifies both cost increases and decreases, allowing you to quickly investigate the reason for any deviations from your regular spending. In addition, you can monitor these anomalies within Finout or receive anomaly updates directly via [Slack](https://docs.finout.io/user-guide/operate/slack-notification-endpoint), [MS Teams](/settings/app-integrations/connect-to-microsoft-teams.md), ServiceNow (coming soon), or email.

For comprehensive tracking, Finout scans your most frequently used tags, services, cost centers, and virtual tags. Each newly created virtual tag includes an anomaly scan to ensure you get a holistic view of your data.

**Anomaly types:**

[**Predefined Anomalies**](#predefined-anomalies): These are anomalies identified by Finout for significant cost groups and filters. You have the option to modify these to better fit your specific requirements.

[**Custom Anomalies**](#h_5bb724f4af): Customize your cloud cost anomaly detection to meet your team's unique needs. You can set your own rules, thresholds, and patterns to align with your specific cost management strategies. Custom anomalies offer the flexibility to pinpoint and tackle cost inconsistencies that are most pertinent to your team.&#x20;

<figure><img src="https://docs.finout.io/~gitbook/image?url=https%3A%2F%2F3858159242-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FWqjB2puKXPDR7L86FX2e%252Fuploads%252FSgbwKtyXqibFS9ixLWE7%252Fimage.png%3Falt%3Dmedia%26token%3D28bc3144-9f7b-4ba4-b8e0-94f6ff1234e7&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=54dc1172&#x26;sv=2" alt=""><figcaption></figcaption></figure>

There are four main functions in Anomalies:

* [Anomalies Feed](https://docs.finout.io/user-guide/optimize/anomalies#h_f0e3eace3e)
* [Create a Custom Anomaly Alert](https://docs.finout.io/user-guide/optimize/anomalies#h_5bb724f4af)
* [Cost Anomaly](#h_5bb724f4af-1), [Unit Economics Anomaly](#unit-economics-anomaly-coming-soon), and [Commitment Expiration Anomaly](#h_3524f0f26d)
* [Predefined Anomalies](#predefined-anomalies)

***

## Anomalies Feed <a href="#h_f0e3eace3e" id="h_f0e3eace3e"></a>

In the Anomalies Feed, you can see all of your anomalies and filter, investigate, and manage them.

{% hint style="info" %}
**Note**: Finout automatically filters out taxes, credits, and promotions from anomaly detection to reduce noise and highlight only operationally significant changes.
{% endhint %}

<figure><img src="/files/V14iat5xrJ0cFSX3pwIz" alt=""><figcaption></figcaption></figure>

1. **Filters**:
   * **Time Frame**\
     **-** The default is the last 30 days. You can either select one of the predefined options or switch to custom.\
     ![](/files/Uo59tlYeaxSTFWSIFEUu)\
     **-** When switching to custom, you can define a custom start and end date. You can keep **Today** as the relative end date or unmark it to set a custom end date.\
     ![](/files/FhpFzY1DqNV5qmUn3PuU)

   * **Anomaly threshold**: Filter anomalies based on specific thresholds. \
     Threshold is changing based on the selected anomaly type.\
     For example: Set a threshold of over 20% will display all anomalies exceeding this limit.

     <figure><img src="/files/yvwwAB6vG3RMHUIkYt0X" alt=""><figcaption></figcaption></figure>

   * **Type**: Select the anomaly type.

   * **Cost center**: Select a cost center.

   * **Key**: Select a Key.

   * **Value**: Select a value.

   * **Search**: Use free text search to find anomalies based on various terms or descriptions.
2. **Create Anomaly Alert**: To create an Anomaly Alert, see [Create Custom Anomalies](https://docs.finout.io/user-guide/optimize/anomalies#h_5bb724f4af).
3. **Anomaly Settings**:&#x20;
   1. In the Anomalies Feed, click ![](https://docs.finout.io/~gitbook/image?url=https%3A%2F%2F3858159242-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FWqjB2puKXPDR7L86FX2e%252Fuploads%252FNRqYv6NSGe1sRR6i9sQx%252Fimage.png%3Falt%3Dmedia%26token%3Da9369024-1de8-4965-8806-86616620764a\&width=300\&dpr=4\&quality=100\&sign=4c4b7ae1\&sv=2) and then click **Anomalies Settings**. The Anomalies Settings pop-up appears.<br>

      <figure><img src="/files/0lSbqwvTTSLzjAWoAIu6" alt=""><figcaption></figcaption></figure>
   2. Choose a default endpoint. <br>

      <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note:</strong> If a default endpoint is created, all anomaly alerts with no configured endpoint will automatically be directed to that channel. You can modify their endpoints as needed.</p></div>

      <div align="left"><figure><img src="/files/MqtAPWlskAbfALVLJegY" alt=""><figcaption></figcaption></figure></div>
   3. Choose the maximum number of alerts per day.<br>

      <div align="left"><figure><img src="/files/LSqEZ0DqJ8W3RKPuUw4t" alt=""><figcaption></figcaption></figure></div>

      <div data-gb-custom-block data-tag="hint" data-style="warning" class="hint hint-warning"><p><strong>Limitations</strong>:</p><ul><li>The threshold applies only to anomaly alerts; FP alerts and reports are unaffected.</li><li>A maximum number of anomalies with the highest cost changes will be sent as alerts to your endpoint each day, with a maximum of 150 alerts a day.</li></ul></div>
   4. Anomaly creation for new Virtual Tags: \
      By default, Finout creates anomalies for each newly created virtual tag.&#x20;

      <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note:</strong> Untoggle to disable this functionality.<br></p></div>

      <div align="left"><figure><img src="/files/VKXOoakGRvjJUwxC4oZQ" alt=""><figcaption></figcaption></figure></div>
   5. Click **Save**.<br>
4. **Clear Anomalies Feed**:<br>

   <div data-gb-custom-block data-tag="hint" data-style="warning" class="hint hint-warning"><p><strong>Important:</strong> Proceed with caution, this action will clear the whole anomalies feed. Clearing the feed will remove these notifications, and they won't be available for future reference.</p></div>

   In the Anomalies Feed, click ![](https://docs.finout.io/~gitbook/image?url=https%3A%2F%2F3858159242-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FWqjB2puKXPDR7L86FX2e%252Fuploads%252FNRqYv6NSGe1sRR6i9sQx%252Fimage.png%3Falt%3Dmedia%26token%3Da9369024-1de8-4965-8806-86616620764a\&width=300\&dpr=4\&quality=100\&sign=4c4b7ae1\&sv=2) and then click **Clear anomalies feed**.
5. **Anomaly information**: Information regarding a single Anomaly Alert.
6. **Investigate**: Clicking **Investigate** opens MegaBill in a new tab with the anomaly configuration (filters) already populated.
7. **Delete an Anomaly**:
   1. In the Anomalies Feed, click **Delete** in a select Anomaly. ![](https://docs.finout.io/~gitbook/image?url=https%3A%2F%2F3858159242-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FWqjB2puKXPDR7L86FX2e%252Fuploads%252FxpXsj8Ti03ezJPGLXKnr%252Fimage.png%3Falt%3Dmedia%26token%3Db064894a-3813-400d-8d71-1359f0987a16\&width=300\&dpr=4\&quality=100\&sign=b0590010\&sv=2)
   2. Click **Yes**.
8. **Add a Comment**:
   1. In the Anomalies Feed, click **Add Comment** in a select Anomaly.

      <figure><img src="https://docs.finout.io/~gitbook/image?url=https%3A%2F%2F3858159242-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FWqjB2puKXPDR7L86FX2e%252Fuploads%252FA6ZFMWdMKOY1j4dclZ1L%252Fimage.png%3Falt%3Dmedia%26token%3D4199b850-1385-4c5c-ba00-6881420d3bde&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=4558cfb1&#x26;sv=2" alt=""><figcaption></figcaption></figure>
   2. Write a comment and click **Save**.
9. **Create a Jira issue**.

***

## Create Custom Anomalies <a href="#h_5bb724f4af" id="h_5bb724f4af"></a>

1. Navigate to **Anomalies**.
2. Click **Create Anomaly Alert**.\
   The **Anomaly Alert Type** side window appears.<br>

   <figure><img src="/files/StyrSHo9HUlXibIkEJNA" alt=""><figcaption></figcaption></figure>
3. Choose the Anomaly Alert Type:
   * [Cost Anomaly](#h_5bb724f4af-1)
   * [Unit Economics Anomaly](#unit-economics-anomaly-coming-soon)\
     \
     Go to the specific widget procedure to complete the dashboard setup.

***

### Cost Anomaly  <a href="#h_5bb724f4af" id="h_5bb724f4af"></a>

Enable configuration of cost anomalies to detect and flag deviations, triggering alerts to specified endpoints to help identify cost inefficiencies and unexpected trends.&#x20;

1. Navigate to **Anomalies**.
2. Click **Create Anomaly Alert**.\
   The **Anomaly Alert Type** side window appears.<br>

   <figure><img src="/files/StyrSHo9HUlXibIkEJNA" alt=""><figcaption></figcaption></figure>
3. Select **Cost Anomaly**.\
   The **Create Anomaly Alert** procedure appears.<br>

   <figure><img src="/files/kBwSdReQ81RJMjWUqA3s" alt=""><figcaption></figcaption></figure>
4. **Alert Name**: Enter an alert name.<br>

   <div align="left"><figure><img src="/files/PfOqZXFq9i3NhCKQMP5s" alt=""><figcaption></figcaption></figure></div>
5. **Cost Type**: Define the cost type.

   <div align="left"><figure><img src="/files/jaY69G2MQZXthhURnGiF" alt=""><figcaption></figcaption></figure></div>

   1. Select a Cost type. See [Cost and Usage](/get-started-with-finout/cost-and-usage-types.md) for the list of Cost Types.
   2. Load View configuration for the cost. (Optional)
   3. Select a Filter for the cost.
   4. Select what to group by for the cost (Optional). Make sure your selection matches how the costs are organized so the data displays correctly.
6. **Alert Thresholds:** \
   Alert thresholds allow you to control when anomalies are surfaced based on cost changes that matter to your organization. By setting specific thresholds, you can filter out noise and focus on meaningful deviations.

   For example, setting a threshold of 20% will display only anomalies that exceed that deviation from expected behavior. You can also define a minimum dollar amount—such as $20—to ensure only significant cost spikes trigger alerts. To detect smaller fluctuations, lower either the percentage or dollar threshold. To focus on major anomalies, increase them.

   Use alert thresholds to align anomaly detection with your operational norms and cost management goals.<br>

   <figure><img src="/files/vDvduhbMMlKmZKCOYnE0" alt=""><figcaption></figcaption></figure>

   **Result**: After defining your group and filters, the associated values will appear. You have the option to activate or deactivate each value, allowing you to refine the anomaly alert parameters, making sure it matches exactly what you're looking for.<br>

   <div data-full-width="true"><figure><img src="/files/IXmlS4qQxbXztGgrODc3" alt=""><figcaption></figcaption></figure></div>
7. **Alert Endpoints:** Easily integrate notifications with endpoints. Select your desired endpoint, ensuring its configuration is completed beforehand, to start receiving anomaly alerts.

   <figure><img src="/files/oRMD1plzw9x7YpJV7WDO" alt=""><figcaption></figcaption></figure>

   1. Set a default endpoint for this anomaly. If no endpoint is defined for a group-by value, the alert for that value will be sent to this default endpoint. If no default endpoint is set, the alert will be sent to the endpoint specified in the anomalies settings.<br>
   2. Enable sending alerts to endpoints based on group-by values: ![](https://docs.finout.io/~gitbook/image?url=https%3A%2F%2F3858159242-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FWqjB2puKXPDR7L86FX2e%252Fuploads%252FdAJgXLwdND5Wf43UtfQy%252Fimage.png%3Falt%3Dmedia%26token%3D4066b68b-328b-4d20-a98b-29d37f570f73\&width=300\&dpr=4\&quality=100\&sign=57019808\&sv=2)
      1. Select an endpoint :
         1. *Default endpoint -* When the toggle is off, all alerts will be sent to the default endpoint you chose in step a.
         2. *Selected endpoints and Metadata endpoints* -<br>

            <figure><img src="/files/RltGk2FOt1KFykSFxYdI" alt=""><figcaption></figcaption></figure>

            1. Click **Choose an Endpoint** and add any additional endpoints to send the alert.
            2. If you group by a virtual tag, it will automatically send Alerts to its associated Metadata endpoints.
               * Click  ![](/files/DxLcEL32A3KGEELq7saT) if you would like to disable the Metadata endpoint for this value.
8. **Alert Time Interval:**<br>

   <div align="left"><figure><img src="/files/coKAoKFfZPQGoUG6XRa5" alt=""><figcaption></figcaption></figure></div>

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note:</strong> </p><ul><li>Daily - Choosing a day means that an alert is triggered daily.</li><li>Weekly - A Week is a weekly alert that notifies you every Tuesday (when you have a full week).</li><li>The difference between "last week" and "last 7 days" lies in calculating the timeframes. "Last week" refers to the calendar week immediately before the current one. On the other hand, "last 7 days" refers to the prior 7 days from the selected date, regardless of the day of the week.</li></ul></div>

   1. **Define Evaluation Period** - Set your preferred time period (Days or Weeks) to check for anomalies. For example, the last 5 days.
   2. **Set Comparison Period** - This compares the total cost of the current period to the average total cost of several previous periods. For example: You choose 20 days (4 periods). This is compared to the current 5-day **total cost** to the average **total cost** of the previous 20 days.\
      \
      **Use Case**:

      You want to evaluate anomalies over a 2-day period compared to the previous 6 days:

      * **Date**: Assume today is August 22nd.
      * **Evaluation Period**: Calculates the total cost for the chosen evaluation period: The last 2 days (August 19-20).
      * **Comparison Period:** Calculates the average of the evaluation period (2 days) over the chosen comparison period: the preceding 6 days (August 12-18).
      * **Alert**: An alert is triggered if the time period cost of the *evaluation period* exceeds the average cost of the *comparison period's total costs* from the defined thresholds.
9. **Seasonality Check**: The Seasonality Check helps reduce false-positive anomaly alerts by recognizing recurring cost patterns. Instead of flagging every cost spike as an anomaly, it checks whether the increase follows a regular weekly or monthly trend before triggering an alert.<br>

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note:</strong> Currently, daily seasonality is supported for an evaluation period of 1 to 6 days.<br><br></p></div>

   <div align="left"><figure><img src="/files/lT4bmlgOW7EZlcdEhsi8" alt=""><figcaption></figcaption></figure></div>

   \
   *Weekday Seasonality*

   * Compares the cost on a specific weekday (e.g., Monday) to the average cost of the same weekday over the past few weeks (e.g., the last 4 Mondays).
   * An alert is triggered only if the cost exceeds the expected range based on your alert settings.

   *Monthly Seasonality*

   * Compares the cost on a specific date (e.g., the 1st of each month) to the average cost on the same date over the past few months (e.g., the last 4 months).
   * An alert is sent if the cost surpasses the historical trend beyond the defined threshold.

   This feature ensures that anomalies are detected more accurately, minimizing noise from predictable fluctuations.\
   &#x20;\
   \&#xNAN;*What Happens When You Enable Seasonality?* \
   When the Seasonality Check is enabled, Finout automatically filters out alerts identified as seasonal anomalies: - They won’t appear in your anomaly feed. - They won’t be sent to your configured endpoint. This ensures that your alerts focus only on unexpected anomalies, helping you cut through the noise of predictable cost fluctuations.<br>
10. Click **Save**.\
    The Anomaly alert is created and appears under [Manage Anomalies](#h_3524f0f26d). This tab displays a comprehensive table of both custom-created and pre-defined anomalies generated by Finout.\
    **Result:**\
    A message will appear in your endpoint when a report or anomaly is triggered. For example, email:<br>

    <figure><img src="/files/HrYFdDI2y5Dnm2jK5FRP" alt=""><figcaption></figcaption></figure>

***

### Usage Anomaly (Beta)

Usage Anomalies notify you when a usage metric — such as AI tokens, compute hours, storage, or requests — deviates from its expected pattern, so your team can catch operational spikes before they become a cost problem. Unlike a Cost Anomaly, which evaluates spend, a Usage Anomaly evaluates the underlying usage volume, catching issues that don't immediately surface on your bill (for example, usage running under promotional credits). Alerts appear in the[ Anomalies feed](https://docs.finout.io/user-guide/optimize/anomalies) and are sent to your configured endpoints (Slack, email, or Teams).

<figure><img src="/files/cT9VlmuOzHvBaP9EB6WV" alt=""><figcaption></figcaption></figure>

1. Navigate to Anomalies and click **Create Anomaly Alert.**\
   The Anomaly Alert Type store window appears.<br>

   <figure><img src="/files/StyrSHo9HUlXibIkEJNA" alt=""><figcaption></figcaption></figure>
2. Select **Usage**.\
   The Create **Usage Anomaly Alert** form appears.<br>

   ![](/files/xDxkZijpk7SoDVXYSf8J)
3. **Alert Name:** Enter the alert name.<br>

   <img src="/files/zgXq2V8PTcn3iZtIDP5w" alt="" height="187" width="476">
4. **Alert Configuration:** Define the parameters of the usage anomaly detection scan.
   1. **Load View** configuration (optional). Selecting a[ View](https://docs.finout.io/user-guide/inform/megabill) populates the filters and group by, which you can then edit.
   2. **Filter** the usage.
   3. Select what to **Group by** (optional). Make sure your selection matches how the usage is organized so the data displays correctly.<br>

      <img src="/files/Z4oD0EanRW5O7fcNn2Kh" alt="" height="152" width="512">
5. **Usage Units:** Define the usage units of the anomaly alert. The available options are driven by your configuration.<br>

   <img src="/files/HqwpLtxz9tLJ41XafaRJ" alt="" height="185" width="451">

   1. **Note**: If the applied configuration has no supported usage, you'll see an error and can't save the alert. Adjust the configuration to dimensions that expose usage data.<br>

      ![](/files/jnkloB1z30T6jBTyaZV7)
6. **Alert Thresholds:** Set the conditions that trigger the alert, in the units of the selected usage type. Choose an **above** or **below** direction, a percentage deviation, and an absolute amount. \
   The alert triggers only when both are exceeded — for example, a spike over 20% **and** over 100,000 tokens. The absolute floor filters out small, low-impact fluctuations.<br>

   <img src="/files/fxV1osZ0eY8bdWe0biht" alt="" height="171" width="624">

   1. **Set anomaly threshold for every value in the group:** Enable this toggle to set thresholds per value instead of across the whole group. Each value in the group then appears with its own threshold.<br>

      ![](/files/HR7LOvqqc5tt6NraVMvj)
7. **Alert Endpoint:** Select the endpoint to receive alert notifications. Supported endpoint types: email, Slack, and Teams.<br>

   <img src="/files/okRgvAruSeNXB8C4o2dp" alt="" height="128" width="624">

   1. **Send alerts to endpoints per group of values:** Enable this toggle to route alerts to different endpoints based on the group-by value, rather than sending every alert to a single default endpoint. When enabled, you can assign a specific endpoint to each value — so the right team is notified for the usage they own.<br>

      ![](/files/ydV5FcWLt8UcahXdU952)
8. **Alert Time Interval:** Set how often Finout evaluates the alert and the window it measures.

   1. **Define Evaluation Period** — the recent window (in days or weeks) Finout measures usage over, for example the last 2 days.
   2. **Set Comparison Period** — the historical baseline the evaluation period is compared against. Finout compares the evaluation period's usage to the average usage of equivalent periods within the comparison window.

   ![](/files/LCl1rJbZjgH3wLCvF7LV)
9. **Seasonality Check:** The Seasonality Check helps reduce false-positive anomaly alerts by recognizing recurring cost patterns. Instead of flagging every cost spike as an anomaly, it checks whether the increase follows a regular weekly or monthly trend before triggering an alert.<br>

   <img src="/files/TumuiF2kvKhKFDs0gW6M" alt="" height="149" width="527">

   1. **Note**: Currently, daily seasonality is supported for an evaluation period of 1 to 6 days.
   2. ***Weekday Seasonality***\
      Compares the cost on a specific weekday (e.g., Monday) to the average cost of the same weekday over the past few weeks (e.g., the last 4 Mondays).\
      An alert is triggered only if the cost exceeds the expected range based on your alert settings.
   3. ***Monthly Seasonality***\
      Compares the cost on a specific date (e.g., the 1st of each month) to the average cost on the same date over the past few months (e.g., the last 4 months).\
      An alert is sent if the cost surpasses the historical trend beyond the defined threshold.&#x20;
   4. ***What Happens When You Enable Seasonality?***\
      When the Seasonality Check is enabled, Finout automatically filters out alerts identified as seasonal anomalies: - They won’t appear in your anomaly feed. - They won’t be sent to your configured endpoint. This ensures that your alerts focus only on unexpected anomalies, helping you cut through the noise of predictable cost fluctuations.
10. Click **Save**.\
    The Anomaly alert is created.

**Result:**

After saving, your usage anomaly appears at the top of the[ Manage Anomalies](https://docs.finout.io/user-guide/optimize/anomalies#h_3524f0f26d) tab, alongside your other custom and predefined anomaly configurations.

Once a day, after the data run completes, Finout evaluates the alert against its threshold and interval. When a usage anomaly is detected, it appears in the[ Anomalies Feed](https://docs.finout.io/user-guide/optimize/anomalies#h_f0e3eace3e) and a notification is sent to your configured endpoints.

<figure><img src="/files/vqel64NFMtIVqluw3uik" alt="" width="563"><figcaption></figcaption></figure>

***

### Unit Economics Anomaly&#x20;

Enable configuration of unit economics anomalies to detect and flag deviations, triggering alerts to specified endpoints to help identify cost inefficiencies and unexpected trends.

1. Navigate to **Anomalies**.

2. Click **Create Anomaly Alert**.\
   The **Anomaly Alert Type** side window appears.

   <figure><img src="/files/StyrSHo9HUlXibIkEJNA" alt=""><figcaption></figcaption></figure>

3. Select **Unit Economics**.\
   The **Create Anomaly Alert** procedure appears.<br>

   <figure><img src="/files/PG41Ass7DXeyKYHsI9pW" alt=""><figcaption></figcaption></figure>

4. **Alert Name**: Enter an alert name.\
   \
   ![](/files/PfOqZXFq9i3NhCKQMP5s)

5. **Unit Economics Configuration:** Define what unit economics the alert will monitor.\
   Choose between loading a configuration from an existing Unit Economics widget or setting up a new one.<br>

   <figure><img src="/files/uI3i2FowroxT7FRv6Oy4" alt=""><figcaption></figcaption></figure>

   1\. Select a **Widget**.

   2\. Select a **Cost type**.

   3\. Select a **View** for the cost.

   4\. Select a **Filter** for the cost.

   5\. Select what to **Group by** for the cost.

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note:</strong> When a group by is applied, the selected dimensio  in cost must match the group by field defined in the telemetry dimension.</p></div>

   6\. Select a **Telemetry**.

   7\. Select a **Filter** for the **Telemetry**.

   8\. Select what to **Group** by for the **Telemetry**.

6. **Alert Thresholds:** \
   Alert thresholds allow you to control when anomalies are surfaced based on cost changes that matter to your organization. By setting specific thresholds, you can filter out noise and focus on meaningful deviations.

   For example, setting a threshold of 20% will display only anomalies that exceed that deviation from expected behavior. You can also define a minimum dollar amount, such as $20, to ensure only significant cost spikes trigger alerts. To detect smaller fluctuations, lower either the percentage or dollar threshold. To focus on major anomalies, increase them.

   Use alert thresholds to align anomaly detection with your operational norms and cost management goals.<br>

   <figure><img src="/files/1k38eCb7I80eX4BFsG3Z" alt=""><figcaption></figcaption></figure>

   **Result**: After defining your group and filters, the associated values will appear. You have the option to activate or deactivate each value, allowing you to refine the anomaly alert parameters, making sure it matches exactly what you're looking for.<br>

   <figure><img src="/files/IXmlS4qQxbXztGgrODc3" alt=""><figcaption></figcaption></figure>

7. **Alert Endpoints:** Easily integrate notifications with endpoints. Select your desired endpoint, ensuring its configuration is completed beforehand, to start receiving anomaly alerts.

   <figure><img src="/files/oRMD1plzw9x7YpJV7WDO" alt=""><figcaption></figcaption></figure>

   1. Set a default endpoint for this anomaly. If no endpoint is defined for a group-by value, the alert for that value will be sent to this default endpoint. If no default endpoint is set, the alert will be sent to the endpoint specified in the anomalies settings.<br>
   2. Enable sending alerts to endpoints based on group-by values: ![](https://docs.finout.io/~gitbook/image?url=https%3A%2F%2F3858159242-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FWqjB2puKXPDR7L86FX2e%252Fuploads%252FdAJgXLwdND5Wf43UtfQy%252Fimage.png%3Falt%3Dmedia%26token%3D4066b68b-328b-4d20-a98b-29d37f570f73\&width=300\&dpr=4\&quality=100\&sign=57019808\&sv=2)
      1. Select an endpoint :
         1. *Default endpoint -* When the toggle is off, all alerts will be sent to the default endpoint you chose in step a.
         2. *Selected endpoints and Metadata endpoints* -<br>

            <figure><img src="/files/RltGk2FOt1KFykSFxYdI" alt=""><figcaption></figcaption></figure>

            1. Click **Choose an Endpoint** and add any additional endpoints to send the alert.
            2. If you group by a virtual tag, it will automatically send Alerts to its associated Metadata endpoints.
               * Click  ![](/files/DxLcEL32A3KGEELq7saT) if you would like to disable the Metadata endpoint for this value.

8. **Alert Time Interval:**<br>

   <div align="left"><figure><img src="/files/coKAoKFfZPQGoUG6XRa5" alt=""><figcaption></figcaption></figure></div>

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note:</strong> </p><ul><li>Daily - Choosing a day means that an alert is triggered daily.</li><li>Weekly - A Week is a weekly alert that notifies you every Tuesday (when you have a full week).</li><li>The difference between "last week" and "last 7 days" lies in calculating the timeframes. "Last week" refers to the calendar week immediately before the current one. On the other hand, "last 7 days" refers to the prior 7 days from the selected date, regardless of the day of the week.</li></ul></div>

   1. **Define Evaluation Period** - Set your preferred time period (Days or Weeks) to check for anomalies. For example, the last 5 days.
   2. **Set Comparison Period** - This compares the total cost of the current period to the average total cost of several previous periods. For example: You choose 20 days (4 periods). This is compared to the current 5-day **total cost** to the average **total cost** of the previous 20 days.\
      \
      **Use Case**:

      You want to evaluate anomalies over a 2-day period compared to the previous 6 days:

      * **Date**: Assume today is August 22nd.
      * **Evaluation Period**: Calculates the total cost for the chosen evaluation period: The last 2 days (August 19-20).
      * **Comparison Period:** Calculates the average of the evaluation period (2 days) over the chosen comparison period: the preceding 6 days (August 12-18).
      * **Alert**: An alert is triggered if the time period cost of the *evaluation period* exceeds the average cost of the *comparison period's total costs* from the defined thresholds.

9. **Seasonality Check**: The Seasonality Check helps reduce false-positive anomaly alerts by recognizing recurring cost patterns. Instead of flagging every cost spike as an anomaly, it checks whether the increase follows a regular weekly or monthly trend before triggering an alert.

   **Note:** Currently, daily seasonality is supported for an evaluation period of 1 to 6 days.<br>

   <div align="left"><figure><img src="/files/lT4bmlgOW7EZlcdEhsi8" alt=""><figcaption></figcaption></figure></div>

   \
   *Weekday Seasonality*

   * Compares the cost on a specific weekday (e.g., Monday) to the average cost of the same weekday over the past few weeks (e.g., the last 4 Mondays).
   * An alert is triggered only if the cost exceeds the expected range based on your alert settings.

   *Monthly Seasonality*

   * Compares the cost on a specific date (e.g., the 1st of each month) to the average cost on the same date over the past few months (e.g., the last 4 months).
   * An alert is sent if the cost surpasses the historical trend beyond the defined threshold.

   This feature ensures that anomalies are detected more accurately, minimizing noise from predictable fluctuations.\
   &#x20;\
   \&#xNAN;*What Happens When You Enable Seasonality?* \
   When the Seasonality Check is enabled, Finout automatically filters out alerts identified as seasonal anomalies: - They won’t appear in your anomaly feed. - They won’t be sent to your configured endpoint. This ensures that your alerts focus only on unexpected anomalies, helping you cut through the noise of predictable cost fluctuations.

10. Click **Save**.\
    The Anomaly alert is created.\
    **Result:**\
    After saving the anomaly, your anomaly will appear under [Manage Anomalies](#h_3524f0f26d). This tab displays a comprehensive table of both custom-created and pre-defined anomalies generated by Finout.

***

### Commitment Expiration Anomaly (Beta) <a href="#h_3524f0f26d" id="h_3524f0f26d"></a>

Commitment Expiration Alerts notify you when a commitment plan is approaching its expiration date, so your team can act before it lapses. Commitment expiration alerts appear in the [Anomalies Feed ](https://docs.finout.io/user-guide/optimize/anomalies)and can be sent to your configured endpoints (Slack, email, or Teams) based on your needs.

<img src="/files/GWF2pfjpfhrissLqkgNs" alt="" height="144" width="624">

1. Navigate to **Anomalies** and click Create Anomaly Alert.\
   The Anomaly Alert Type store window appears.<br>

   <figure><img src="/files/StyrSHo9HUlXibIkEJNA" alt=""><figcaption></figcaption></figure>
2. Select "**Commitment" Alert**.\
   The Create **Commitment Expiration Alert** form appears.<br>

   <img src="/files/YpZ6FJOpJWYUNFD3vGYc" alt="" height="384" width="377">
3. **Alert Name:** Enter the alert name.<br>

   <img src="/files/50Q0v24JDALR8xQ4y78K" alt="" height="143" width="487">
4. **Cloud Provider**: Select a cloud provider: AWS or Azure.<br>

   <img src="/files/FuLRlF6CWSBX1KsOiqjj" alt="" height="186" width="358">

   1. **Note**: These are the cloud providers currently supported in[ My Commitments](https://docs.finout.io/user-guide/optimize/my-commitments). Only providers with existing commitments in your account will appear as options.
5. **Alert Configuration (Optional)**: Define the scope of commitments this alert will monitor.
   1. **Commitment Type:** Select a commitment type. Available options depend on the selected cloud provider.\
      \&#xNAN;*For example: AWS — Reserved Instances (RI), Savings Plans (SP). This field defaults to all types selected.*<br>

      <img src="/files/42VPltdGHiItFDSoTFPo" alt="" height="221" width="487">
   2. **Filters**: Narrow the alert to specific commitments. Only commitments that match all selected filters will trigger the alert.\
      \&#xNAN;*Available values are based on the commitments that are available in your*[ *My Commitments*](https://docs.finout.io/user-guide/optimize/my-commitments)*.*<br>

      <table data-header-hidden><thead><tr><th width="113.9453125">Cloud</th><th width="181.7578125">Commitment Type</th><th>Supported Filters</th></tr></thead><tbody><tr><td>AWS</td><td>Reserved Instances</td><td>Service, Instance Type, Region, Operating System, Offering Class, Payment Option, Account Name, Reservation Term.</td></tr><tr><td>AWS</td><td>Savings Plans </td><td>Saving Plan Type, Term, Payment Option, Account Name.</td></tr><tr><td>Azure</td><td>Reservations</td><td>Instance Type, Region, Reservation Term, Reserved Resource Type, Subscription Name, Auto Renew Status.</td></tr><tr><td>Azure</td><td>Savings Plans </td><td>Scope Type, Reservation Term, Saving Plan type, Subscription Name, Auto Renew Status.</td></tr></tbody></table>
6. **Alert Thresholds:** Set when to be notified before a commitment plan expires.
   1. **Remind me about this plan expiration every (Optional)** — enable the toggle to receive recurring reminders after the initial alert. Set the frequency and unit (Days or Weeks).<br>

      <img src="/files/R63HFOp1TKxPjB7O96KP" alt="" height="209" width="521">
   2. **Alert Endpoints:** Select the endpoint to receive alert notifications. Supported endpoint types: email, Slack, and Teams. <br>

      <img src="/files/D4YkQ48Vjuon0yC7VkoQ" alt="" height="102" width="556">
7. Click **Save**.\
   The alert is created and appears in the Manage Anomalies tab.

**Result**: When a commitment plan matches the configured filters and reaches the expiration threshold, an alert appears in the[ Anomalies Feed](https://claude.ai/chat/3ba16f8d-4325-4564-85bc-f35314c98d7f#view-alerts-in-the-anomalies-feed), and a notification is sent to the configured endpoint. For example, Slack:

<img src="/files/fNwNKkXipZrO1N2ersJy" alt="" height="340" width="624">

***

### Manage Custom Anomalies <a href="#h_3524f0f26d" id="h_3524f0f26d"></a>

The Manage Anomalies tab displays a comprehensive table of both custom-created and pre-defined anomalies generated by Finout.&#x20;

1. Navigate to **Anomalies** and select the **Manage Anomalies** tab.<br>

   <figure><img src="/files/kPtIqmYn180gwo8Y0jx2" alt=""><figcaption></figcaption></figure>
2. Search for the relevant anomaly: Use the search bar for a direct query or apply filters to narrow down results.
3. Toggle off an anomaly to disable alerts for that specific issue.
4. Click ![](/files/UREeLq4A3ND6VfSpsIYu) beside the relevant anomaly and then select one of the following:
   * &#x20;**Edit**: Edit the Anomaly Alert and click **Save.**

     <figure><img src="/files/AkbP4EOEe1V1UDAMgu48" alt=""><figcaption></figcaption></figure>
   * **Duplicate**: make changes to the Duplicated Alert and click **Save**.<br>

     <figure><img src="/files/5KIzw0Wmrx4XMRra9fuz" alt=""><figcaption></figcaption></figure>
   * **Delete**: Deletes the Anomaly Alert.

***

## Predefined Anomalies

Finout provides pre-configured anomalies out of the box that can be customized to meet your specific requirements. You can toggle these anomalies on or off, or duplicate them as a foundation for creating custom anomalies, ensuring they align with your needs.

Finout automatically detects the following predefined anomalies:

* **AWS**: Regions, Sub Service, Account Name, Entity Name, Charge Type
* **Azure**: Service, Meter Region, Meter Sub Category, Service Family, Consumed Service
* **GCP**: Project ID, Compute Machine Spec, Folder, Project Name, Project Number, Region, SKU description, Services
* **Global**: Cost Center, Extended Support
* **Kubernetes**: deployment, demonset, k8s\_namespace, cronjob
* **SnowFlake**: cost type, warehouse\_name, user name, account, database name
* **DataDog**: Product, Organization, Sub-Product, Index, Metric Name, Region, Service, Status, Usage Type
* **All Virtual Tags**
* **OpenAI:** Project ID, Model, Token Type, API Key
* **OCI:** Services, Regions, Tenant ID, Compartment Name
* **Anthropic**: Cost per workspace name, Token type, Model for Anthropic.
* **Cursor:**  Model, User, Kind
* **CircleCI:** Resource Class, Workflow Name, Project Name<br>

{% hint style="info" %}
**Note:** Creating anomalies for new virtual tags is enabled for all accounts by default.
{% endhint %}

### Manage Predefined Anomalies <a href="#h_3524f0f26d" id="h_3524f0f26d"></a>

1. Navigate to **Anomalies** and select the **Manage Anomalies** tab.<br>

   <figure><img src="/files/8HSQWhhDSrJ3kh6mr0uQ" alt=""><figcaption></figcaption></figure>
2. Search for the relevant anomaly: Use the search bar for a direct query or apply filters to narrow down results.
3. Toggle off an anomaly to disable alerts for that specific issue.
4. To duplicate, select ![](/files/UREeLq4A3ND6VfSpsIYu) beside the relevant anomaly \
   If you choose to duplicate, set a name for the duplicated anomaly and adjust all fields accordingly.

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note</strong>: Pre-defined anomalies can be customized to suit your needs. You have the flexibility to edit the group values by toggling them on or off, ensuring they meet your specific requirements.</p></div>

   When you modify a predefined anomaly, a new custom anomaly is created with the revised settings, and the original predefined anomaly is deactivated.

***

## FAQs

**Why does the comparison period need to be a multiple of the evaluation period?** \
\
The comparison period must be a multiple of the evaluation period to ensure consistency in calculations. This allows Finout to calculate the total cost of each evaluation period within the comparison period and determine an accurate average. For example, if your evaluation period is 3 days, the comparison period could be 9 days (3 evaluation periods) but not 10 days, ensuring reliable and consistent anomaly detection.&#x20;

**Why can’t I choose arbitrary intervals like 3 weeks compared to 4 weeks?**&#x20;

To maintain accurate comparisons, the comparison period must align with the evaluation period to ensure equal, consistent time intervals. This alignment ensures anomalies are detected based on reliable averages derived from comparable time intervals.

**Is there a limit to how many values I can set thresholds for in anomaly alerts?**

Yes. To ensure anomaly alerts save and run reliably at scale, thresholds can only be set for the top 1,500 values by cost when using the “set thresholds by value” or “set endpoints by value” options.

**Is there a limit to anomaly alert data values?**

Yes. To ensure anomaly alerts run reliably and efficiently, Finout automatically analyzes only the top 10,000 values by cost. When the data exceeds this limit, only the most cost-significant values will be analyzed.&#x20;

**Why does the "Investigate" button open MegaBill with a \~60-day date range, even for short-interval alerts?**

This is the default behavior. When you click **Investigate**, MegaBill opens with a broader historical window, not the alert's evaluation period, so you can see the full cost trend for that filter and better identify the root cause. The date range is the same across all alerts in the account.

You can adjust the date range directly in MegaBill after it opens.

**Why isn't seasonal detection available for my anomaly?**&#x20;

Seasonal detection is only supported when the anomaly is configured with **daily time aggregation** and an **evaluation period of 6 days or fewer**. If either condition isn't met, the option is disabled automatically.

<figure><img src="/files/4e1K9K0uSkOKpdDTVHAf" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.finout.io/user-guide/optimize/anomalies.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
