**Anomaly detection** replaces a static threshold with a machine-learned "normal" band. CloudWatch trains a model on up to **two weeks** of a metric's history, learning its trend plus **hourly, daily, and weekly seasonal patterns** — so a nightly batch spike isn't flagged as abnormal the way a fixed threshold would. **How the band is set:** - You supply an **anomaly-detection threshold** (a band width in standard deviations); a higher value yields a **thicker** band of tolerated values. - The model is specific to a **metric + statistic** pair — enabling it for `AVG` builds a model for `AVG` only. - For known-bounded AWS metrics, bands are **clamped to logical ranges**: `MemoryUtilization` stays 0–100; count metrics never go below 0. **Operational behavior:** - The model **continually retrains**, adapting to evolving values and adding predictors for seasonal/spiky/sparse metrics. - You can **exclude time periods** (e.g. a deployment window) from training so one-off events don't distort the band. - Exposed as the `ANOMALY_DETECTION_BAND` function, and it can be applied to **metric math expressions** ([[CloudWatch Metric Math Expressions]]), not just raw metrics. An alarm fires when the metric exits the band. Anomaly-detection models **incur charges**. Best for metrics with clear cyclic patterns where a single threshold is either too noisy (false alarms at peak) or too loose (misses off-peak regressions). Foundation: [[CloudWatch Observability Primitives]]. --- *Source: [[Amazon CloudWatch User Guide]] (Amazon Web Services, 2026) — Alarms: Using anomaly detection*