Detect Spike In AWS Security Hub Alerts For EC2 Instance

Description

This search looks for a spike in number of of AWS security Hub alerts for an EC2 instance in 4 hours intervals

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Adversary Tactics

Alert Volume

This search looks for a spike in number of of AWS security Hub alerts for an EC2 instance in 4 hours intervals

SPL Difficulty

None

Journey

Stage 3

Data Sources

AWS
Audit Trail

   Help

Detect Spike In AWS Security Hub Alerts For EC2 Instance Help

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.

   Search

Open in Search