Abnormally High AWS Instances Terminated By User - MLTK

Description

This search looks for CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and has been translated to use the latest Change Datamodel.

   Help


You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. The threshold value should be tuned to your environment.

   Search


   Baseline Generation Searches

This detection relies on the following search to generate the baseline lookup.

  • Baseline of Excessive AWS Instances Terminated by User - MLTK
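The idea described above, as an added Python example that is not the Splunk search or its MLTK model: it counts instances in successful `TerminateInstances` CloudTrail events per user per hour, builds a per-user baseline, and flags windows above the mean plus `k` standard deviations. The hourly window, the value of `k`, the one-instance floor on the deviation, the helper names and the sample records are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

def ev(time, user, n, error=None):
    """Build a constructed CloudTrail record with only the fields read below."""
    rec = {"eventTime": time, "eventSource": "ec2.amazonaws.com",
           "eventName": "TerminateInstances",
           "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
           "requestParameters": {"instancesSet": {"items": [
               {"instanceId": f"i-{k:017x}"} for k in range(n)]}}}
    if error:
        rec["errorCode"] = error  # CloudTrail sets errorCode only on failed calls
    return rec

def terminated_per_window(events):
    """Sum instances in successful TerminateInstances calls per (user ARN, hour)."""
    counts = Counter()
    for e in events:
        if e.get("eventName") != "TerminateInstances" or "errorCode" in e:
            continue  # other API calls and failed attempts do not count
        items = e["requestParameters"]["instancesSet"]["items"]
        counts[(e["userIdentity"]["arn"], e["eventTime"][:13])] += len(items)
    return counts

def build_baseline(counts):
    """Per-user (mean, population std dev) of instances terminated per window."""
    per_user = defaultdict(list)
    for (user, _), n in counts.items():
        per_user[user].append(n)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}

def find_outliers(baseline, counts, k=3.0):
    """Flag windows above mean + k*sigma; users with no baseline use (0, 0)."""
    hits = []
    for (user, window), n in sorted(counts.items()):
        mu, sigma = baseline.get(user, (0.0, 0.0))
        threshold = mu + k * max(sigma, 1.0)  # floor keeps flat baselines usable
        if n > threshold:
            hits.append((user, window, n, threshold))
    return hits

HISTORY = [ev("2024-05-01T09:10:00Z", "alice", 2), ev("2024-05-02T11:30:00Z", "alice", 3),
           ev("2024-05-03T09:05:00Z", "alice", 2), ev("2024-05-06T15:45:00Z", "alice", 1)]
TODAY = [ev("2024-05-08T14:05:00Z", "alice", 25), ev("2024-05-08T14:20:00Z", "alice", 15),
         ev("2024-05-08T14:30:00Z", "alice", 50, error="Client.UnauthorizedOperation"),
         ev("2024-05-08T10:00:00Z", "bob", 2)]
BASELINE = build_baseline(terminated_per_window(HISTORY))
OUTLIERS = find_outliers(BASELINE, terminated_per_window(TODAY))
print(OUTLIERS)
```

Raising `k` trades missed detections for fewer alerts, which is the tuning the Help section refers to.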