CloudWatch anomaly detection pipeline

0

Good day, everyone,

Is there a way to forward anomaly detection alarms out of CloudWatch, or does the API call to retrieve these? I cannot find the anomaly detector alarms API in Boto except for setting up and deleting the anomaly detector itself - no list and get functions. At this moment, it looks pretty useless to me unless you are looking into the AWS console. Is anyone aware of any interfaces that can be utilized?

Regards

asked 12 days ago · 97 views
9 Answers
1

Hello Matvey,

Thank you for the question. To my understanding, your question "Is there a way to forward anomaly detection alarms out of CloudWatch, or does the API call to retrieve these?" is a good and valid one.

As CloudWatch was originally designed and built as a purely monitoring-and-raising-an-alarm service, it does not push or pull data without the help of additional services. This is where the (former CloudWatch Event service) nowadays CloudWatch EventBridge (https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) comes into the picture. CloudWatch EventBridge is the service which is capable of sending a CloudWatch anomaly detection alarm to an application or other services.

Here is the link to Amazon EventBridge API Reference for your information: https://docs.aws.amazon.com/eventbridge/latest/APIReference/Welcome.html and Boto documentation for your convenience: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/events.html

If you require more specific guidance, do not hesitate to open a support case with us; we will be able to craft an answer specific to your needs.

AWS
Katya_Z
answered 10 days ago
0

Anomaly detection is a feature of CloudTrail that uses machine learning to identify unusual activity in your AWS account. By default, CloudTrail does not send anomaly detection alarms to any external destinations, such as email or Slack. However, you can configure CloudTrail to send anomaly detection alarms to an Amazon SNS topic, which you can then subscribe to with any other AWS service or application.

It is important to note that CloudTrail anomaly detection alarms are based on machine learning algorithms, which means that they may not detect all unusual activity in your AWS account. Additionally, CloudTrail anomaly detection alarms may generate false positive results, which means that they may indicate unusual activity when there is no actual unusual activity. Therefore, it is important to carefully evaluate the results of CloudTrail anomaly detection alarms and to take any necessary actions based on the information provided.

AWS
answered 11 days ago
EXPERT
reviewed 11 days ago
0

Hi Gionavnni,

Thank you for your answer. I have not found how to get configuration for the event forwarding over to SNS - this is exactly what I am asking basically. As per false positives, we are aware, but thank you for the fair warning!

Best regards Matvey Teplov

answered 11 days ago
0
AWS
answered 11 days ago
0

Anil,

This is CloudTrail, not CloudWatch. Yes, it does have SNS, but it has nothing to do with CloudWatch, and I think it is my fault for mentioning CloudTrail - I always mix up the two.

Regards

answered 11 days ago
0

Good morning Katya,

I looked into it before, but EventBridge doesn't seem to have integrated log anomaly events. Anyhow, I have put an archival rule in to see if any events can be matched. I will come back here once I have an answer.

Regards

answered 9 days ago
0

Hi,

I made an EventBridge rule that catches everything that comes from CloudWatch and stored everything via Firehose in S3. I got some CreateLogStream events, but nothing from anomaly detection came through. Since we have multiple anomaly detectors from the different log groups, I can only assume that it is not the right event group in the bridge or these are sending nothing. Unfortunately, EventBridge cannot have a wildcard in the source to direct ALL messages into the Firehose, so debugging is impossible. Any ideas?

Regards

answered 2 days ago
0

For those who are interested, the EventBridge topic with catch-all is at: https://repost.aws/questions/QUTKuRph2DRMqs2fKLptX9nA/eventbridge-catch-all

answered 2 days ago
0

I have successfully caught all events from EventBridge, but I cannot get a single event from the anomaly detector via it. I am quite stumped, to be honest.

answered a day ago
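
The archive described in the answers above (EventBridge catch-all rule, Firehose, S3) can be triaged offline to see exactly which event types arrived. The script below is an added example, not code from any poster in this thread. It assumes the S3 object contains EventBridge event JSON as delivered by Firehose, which by default writes records back to back with no delimiter; the sample events, the alarm name and the `anomal` keyword filter are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample of one Firehose-delivered S3 object: two records written
# back to back, one newline-separated, and a truncated trailing record.
SAMPLE = (
    '{"id":"e1","source":"aws.logs","detail-type":"AWS API Call via CloudTrail",'
    '"detail":{"eventName":"CreateLogStream"}}'
    '{"id":"e2","source":"aws.logs","detail-type":"AWS API Call via CloudTrail",'
    '"detail":{"eventName":"CreateLogStream"}}\n'
    '{"id":"e3","source":"aws.cloudwatch","detail-type":"CloudWatch Alarm State Change",'
    '"detail":{"alarmName":"constructed-anomaly-alarm"}}'
    '{"id":"e4","sou'
)

def parse_firehose_blob(blob):
    """Return (events, bad_offset); bad_offset is None if the whole blob parsed."""
    decoder = json.JSONDecoder()
    events, pos = [], 0
    while pos < len(blob):
        if blob[pos].isspace():          # raw_decode does not skip whitespace
            pos += 1
            continue
        try:
            obj, pos = decoder.raw_decode(blob, pos)
        except json.JSONDecodeError:
            return events, pos           # truncated or corrupt record starts here
        events.append(obj)
    return events, None

def summarize(blob, keyword="anomal"):
    """Tally events by (source, detail-type) and list ids mentioning keyword."""
    events, bad_offset = parse_firehose_blob(blob)
    counts = Counter((e.get("source", "?"), e.get("detail-type", "?")) for e in events)
    hits = [e.get("id") for e in events if keyword in json.dumps(e).lower()]
    return counts, hits, bad_offset

if __name__ == "__main__":
    counts, hits, bad_offset = summarize(SAMPLE)
    for (source, detail_type), n in counts.most_common():
        print(f"{n:4d}  {source}  {detail_type}")
    print("events mentioning 'anomal':", hits)
    if bad_offset is not None:
        print("unparseable data starts at offset", bad_offset)
```

An empty hit list over a complete archive means no delivered event mentions the keyword at all, which separates "the rule did not match" from "nothing was emitted to the bus".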
