
Anomaly Detection

Cirrova continuously watches for unusual cost behaviour and raises alerts when something looks wrong — no rules or thresholds to define.

Anomaly detection runs automatically. You don't need to define rules or thresholds — Cirrova learns each resource's baseline from its own cost history and flags deviations. What you can configure is how sensitive the detector is and where notifications go.

What Cirrova detects

Two patterns account for most anomalies:

  • New charges with no prior history. A resource that wasn't costing anything has started incurring daily cost. These are raised as High severity because unplanned spend on a new or newly-billable resource is almost always worth a look — it may be a leftover from a test, an auto-provisioned dependency, or a configuration change that enabled billing.
  • Sustained cost increases on existing resources. An already-billed resource shows a persistent rise over its recent baseline average. Severity — High, Medium, or Low — is determined by the size of the deviation from the baseline, both in absolute terms per day and as a percentage change.

Severity is assigned automatically from the magnitude of the change and whether a baseline exists.

The Anomalies page

The Anomalies page (from the left navigation) lists every anomaly Cirrova has raised.

Summary banner

A banner at the top summarises the state of play — the count of High severity anomalies and an estimate of the monthly excess spend they represent (e.g. "17 anomalies — ~$14,280/mo excess spend"). The banner always reflects the full dataset, not the current filters, so you can drill into a subset without losing sight of the headline number.

Filters

  • Tenant — scope to a single tenant, or leave at All.
  • Subscription — scope to a single Azure subscription.
  • Severity — High / Medium / Low.
  • Status — Active / Acknowledged / Resolved.

Table columns

  • Resource — name, resource group, and subscription. Click the name to drill into the resource detail page.
  • Severity — High, Medium, or Low chip.
  • Status — Active, Acknowledged, or Resolved chip.
  • Baseline → Actual — the resource's prior daily cost alongside the current daily cost. For "new charges" anomalies, baseline shows as "—".
  • Increase — percentage change. "—" where no baseline exists.
  • Detail — a plain-language description of what was detected (e.g. "Daily cost increased from $312.40 to $489.60 (57% increase over the 14-day baseline average)" or "Resource has begun incurring charges: $94.20/day average (peak $118.50) with no prior billing history").
  • Detected — the date the anomaly was first raised.
  • Action — an Acknowledge button for Active anomalies; a status chip for everything else.

Drill-through

Clicking the resource name opens the resource detail page — the same view documented in Subscriptions, Resource Groups & Resources. Investigation happens there: the Daily cost history chart visually confirms the change, and the Performance metrics card often shows what's driving it.

Anomaly lifecycle

Anomalies move through three states:

[Diagram: anomaly lifecycle. Cirrova detects unusual cost behaviour. States: Active (raised, awaiting triage), Acknowledged (seen, alerts silenced), Resolved (cost back at baseline). Transitions: Acknowledge (manual), Cost returns to baseline (automatic).]

  1. Active — the anomaly has been raised and not yet acknowledged.
  2. Acknowledged — someone has clicked the tick button on the row to indicate it's been seen. Acknowledgement silences further notifications for the same anomaly but doesn't close it.
  3. Resolved — Cirrova has observed that the resource's cost has returned to (or below) its baseline. Resolution is automatic — there's no manual "close" action.

Acknowledge an anomaly when you've triaged it and confirmed either that the spend is expected (e.g. a planned deployment) or that a remediation is in flight. Leaving anomalies Active keeps them visible on the Dashboard's "Active anomalies" tile, which is useful as a to-do list.

Configuring sensitivity

Anomaly sensitivity is configured per tenant. Go to Organisation Settings → Tenants, click the tenant name to open its settings, switch to the Cost tracking tab, then find the Anomaly sensitivity card and click Edit.

Two thresholds are available. Leave either field blank to use the system default.

  • Minimum daily cost change (per day) — only flag anomalies where the daily cost has increased by at least this amount. Use this to filter out trivial amounts that aren't worth investigating, even if they represent a large percentage change on a near-zero baseline.
  • Minimum percentage change (%) — only flag anomalies where the cost has increased by at least this percentage. Use this to filter out small absolute changes on already-expensive resources.

These thresholds are both floors — an anomaly must exceed both to be raised. They don't change how Cirrova computes the baseline, only whether a detected deviation is surfaced.

If you're seeing too much noise (lots of Low-severity anomalies for tiny amounts), raise the minimum daily cost change to something like $10/day. If you're missing real changes on expensive resources, lower the minimum percentage change to 5% or less.
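
How the two floors interact, as an added example that is not Cirrova's code: a small what-if model you can run over exported daily costs before changing a tenant's thresholds. The resource names, the starting floors of $1/day and 10%, and the plain average over a 14-day window are assumptions; Cirrova's actual baseline computation and system defaults are not described on this page.

```python
from statistics import mean

# Constructed sample data: (resource, daily costs in the baseline window, current daily cost).
SAMPLES = [
    ("vm-batch-01",   [0.40] * 14,   1.60),    # +300%, but only +$1.20/day
    ("sql-prod-main", [900.00] * 14, 960.00),  # +$60/day, but only about +6.7%
    ("aks-prod-pool", [312.40] * 14, 489.60),  # the 57% increase quoted under "Detail"
]


def deviation(baseline_days, current):
    """Return (absolute change per day, percentage change) against the baseline average."""
    base = mean(baseline_days)
    delta = current - base
    return delta, (delta / base) * 100.0


def surfaced(samples, min_daily_change, min_pct_change):
    """Names of resources whose increase clears BOTH floors.

    Assumption: "at least" is modelled as >=. Resources with no baseline
    ("new charges") are out of scope because no percentage exists for them.
    """
    hits = []
    for name, baseline_days, current in samples:
        delta, pct = deviation(baseline_days, current)
        if delta >= min_daily_change and pct >= min_pct_change:
            hits.append(name)
    return hits


if __name__ == "__main__":
    # (min daily change in $/day, min percentage change) settings to compare.
    for floors in [(1.00, 10.0), (10.00, 10.0), (10.00, 5.0)]:
        print(floors, surfaced(SAMPLES, *floors))
```

Raising the daily floor to $10 drops the near-zero-baseline resource, and lowering the percentage floor to 5% brings the expensive database back into view without reintroducing that noise.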

Notifications

Anomalies that pass the sensitivity thresholds raise two events on the platform:

  • Anomaly detected — fired when a new anomaly is raised.
  • Anomaly resolved — fired when a previously-detected anomaly's underlying cost returns to baseline.

Where (and whether) anyone hears about those events is decided centrally on the Alerting page. Go to Organisation Settings → Alerting, switch to the Rules tab, and add a rule for the relevant event type. Pick the channels (email, Microsoft Teams, Slack, or a custom webhook) the rule should deliver to.

Rules can be scoped by tenant, subscription, resource group, or tag — useful for sending different audiences different anomaly streams (production into the on-call channel, sandbox into a low-priority queue, and so on). See Rule scoping for the full set of filters.

Centralised alerting is available on the Control plan and above. Below that tier, anomalies are still detected and visible on the Anomalies page and Dashboard, but no external notifications are dispatched. See Pricing.