# FinOps Agent — event-triggered anomaly automation checklist

Copy per environment. Wire this **after** Cost Anomaly Detection monitors exist and alert on real spikes — not on day-one noise.

## Pre-flight

- [ ] Cost Anomaly Detection monitor scoped per OU or account group (not one org-wide monitor with a $5 threshold)
- [ ] Context file uploaded: account → owner → Slack/Jira (see `context-file-account-owner-template.csv`)
- [ ] Jira / Slack integration tested with a **manual** agent query before enabling automation
- [ ] FinOps owner named as escalation when the agent cannot determine root cause

## Automation to enable (in order)

1. **Event-triggered investigation** — on Cost Anomaly Detection event → agent produces consolidated report
2. **Slack delivery** — post to team channel from context file routing (not `#general`)
3. **Jira ticket** — only for anomalies > agreed $ threshold (e.g. $500/day impact) to avoid ticket spam
4. **Weekly optimization digest** — scheduled pull from Cost Optimization Hub + Compute Optimizer → Jira backlog

## Report must include (verify on first 3 runs)

- [ ] Anomaly amount, service, account, Region, time window
- [ ] CloudTrail-correlated change (who/when/what API) when available
- [ ] Named owner from context file
- [ ] Recommended next action (rightsizing link, idle resource, or "expected seasonal — no action")

## Stop conditions

- Disable automation if >50% of investigations are "no root cause found" for two consecutive weeks — tune monitors first.
- Disable Jira auto-create if engineers mark >30% of tickets as duplicate/won't fix — threshold too low.
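
One way to evaluate both stop conditions from exported run data, as an added example that is not part of the original checklist or any AWS tooling. The record shapes, the Jira resolution names and the rule that a week with no investigations breaks the "consecutive" streak are assumptions; the sample data is constructed.

```python
from collections import defaultdict
from datetime import date

NO_ROOT_CAUSE_LIMIT = 0.50   # checklist: >50% "no root cause found"
CONSECUTIVE_WEEKS = 2        # checklist: two consecutive weeks
JIRA_REJECT_LIMIT = 0.30     # checklist: >30% duplicate/won't fix
REJECTED = {"duplicate", "won't fix"}  # assumed Jira resolution names

# Constructed sample: (investigation date, root cause found?)
SAMPLE_INVESTIGATIONS = [
    (date(2024, 3, 4), False), (date(2024, 3, 6), False), (date(2024, 3, 8), True),
    (date(2024, 3, 11), False), (date(2024, 3, 12), False),
    (date(2024, 3, 14), True), (date(2024, 3, 15), False),
]

def weekly_no_root_cause_rates(investigations):
    """Return {monday_of_week: share of investigations without a root cause}."""
    counts = defaultdict(lambda: [0, 0])  # monday -> [no_root_cause, total]
    for day, found in investigations:
        monday = date.fromordinal(day.toordinal() - day.weekday())
        counts[monday][1] += 1
        if not found:
            counts[monday][0] += 1
    return {wk: miss / total for wk, (miss, total) in sorted(counts.items())}

def should_disable_automation(investigations):
    """True when the rate exceeds the limit in two calendar-adjacent weeks."""
    streak, prev = 0, None
    for monday, rate in weekly_no_root_cause_rates(investigations).items():
        adjacent = prev is not None and (monday - prev).days == 7
        if rate > NO_ROOT_CAUSE_LIMIT:
            # Assumption: a week with no data resets the streak.
            streak = streak + 1 if (adjacent and streak) else 1
        else:
            streak = 0
        if streak >= CONSECUTIVE_WEEKS:
            return True
        prev = monday
    return False

def should_disable_jira_autocreate(resolutions):
    """resolutions: resolution strings of auto-created tickets in the review window."""
    if not resolutions:
        return False
    rejected = sum(r.strip().lower() in REJECTED for r in resolutions)
    return rejected / len(resolutions) > JIRA_REJECT_LIMIT
```

Both thresholds are strict (`>`), so exactly 50% or exactly 30% does not trip a stop condition.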
