What it is
A sudden, sharp increase in one resource's daily spend above the level it normally runs at, a data-egress burst, a runaway autoscale, a log pipeline that started ingesting far more than usual. The resource keeps working, so the only symptom is a bill that comes in higher than expected, often noticed weeks after the spike started.
Why it happens
The native guardrail most teams rely on is a budget alert, and a budget watches a total against a fixed threshold, usually a whole subscription or resource group. A single resource can double or triple its own daily cost and stay completely invisible if the subscription total is still under budget, which it usually is. The alert is coarse by design: it answers "are we over our number" not "is any one resource behaving unlike itself."
Azure's own cost anomaly detection helps, but it operates at subscription scope and is not tuned to each resource's individual pattern, so a spike that is dramatic relative to one resource can be lost in the aggregate. The honest problem is one of baseline: catching a spike means comparing a resource against its own recent normal, not against a static dollar figure or a subscription-wide total.
What it costs / blast radius
The magnitude is the difference between the resource's baseline daily cost and its spiked daily cost, multiplied by every day the spike runs before anyone catches it. A threshold budget only trips once the cumulative total crosses the line, which can be most of the way through the month, so the loss is the spike times the detection lag. (Authored assessment of Azure alerting behavior, not a measured figure; the actual dollars depend entirely on the resource and how long the spike persists.)
See it
resource budget 'Microsoft.Consumption/budgets@2023-05-01' = {
name: 'monthly-cap'
properties: {
category: 'Cost'
timeGrain: 'Monthly'
amount: 50000 // a single fixed number for the entire subscription
notifications: {
over80: {
enabled: true
operator: 'GreaterThan'
threshold: 80 // fires only when the TOTAL crosses 80%
contactEmails: [ 'finops@example.com' ]
}
}
// A resource that doubles its own daily spend is invisible here
// as long as the subscription total stays under the cap.
}
}// The gap a static budget can't close: a *per-resource baseline*.
//
// for each resource:
// baseline = its own typical daily cost over a recent window
// today = its cost today
// if today is sharply above baseline -> flag a spike
//
// The unit of comparison is the resource against itself, not the
// subscription total against a fixed dollar figure. That is what lets
// a spike on one resource surface while everything else is normal.How StratoLens helps
StratoLens establishes what each resource's spend normally looks like and flags the ones that spike sharply above their own baseline, per resource, across every subscription, so a runaway line item surfaces on its own instead of hiding inside a subscription total that's still under budget. It runs continuously in your own tenant, so you find the spike in days, not at month-end.