Detect Spike In AWS Security Hub Alerts For User
This search looks for a spike in the number of AWS Security Hub alerts for an AWS IAM user in 4-hour intervals.
Detect Spike In AWS Security Hub Alerts For User Help
You must install the AWS App for Splunk (version 5.1.0 or later) and the Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment, and these searches should be scheduled according to the bucket span interval.
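The spike logic described above, as an added Python example that is not the Splunk search itself (the SPL is not shown on this page): it buckets Security Hub finding records into 4-hour spans per IAM user and flags a bucket whose count exceeds the mean plus threshold_value standard deviations of that user's other buckets. The sample findings, the (timestamp, user) record shape and the leave-one-out baseline are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

SPAN = timedelta(hours=4)  # the 4-hour bucket interval the detection uses
EPOCH = datetime(1970, 1, 1)

# Constructed sample findings: (UTC timestamp, IAM user name). Not real Security Hub data.
SAMPLE_FINDINGS = (
    [("2023-05-01T00:15:00Z", "alice")] * 2
    + [("2023-05-01T04:10:00Z", "alice")] * 3
    + [("2023-05-01T08:05:00Z", "alice")] * 2
    + [("2023-05-01T12:30:00Z", "alice")] * 3
    + [("2023-05-01T16:02:00Z", "alice")] * 20  # the burst the detection should flag
    + [("2023-05-01T00:20:00Z", "bob")] * 5
    + [("2023-05-01T04:20:00Z", "bob")] * 5
    + [("2023-05-01T08:20:00Z", "bob")] * 5
)


def bucket_counts(findings, span=SPAN):
    """Count findings per user per span-aligned bucket (the `bin _time span=4h | stats count by user` step)."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user in findings:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        bucket_start = t - (t - EPOCH) % span  # align to epoch-based 4h boundaries
        counts[user][bucket_start] += 1
    return counts


def detect_spikes(findings, threshold_value=3.0, span=SPAN):
    """Return (user, bucket) hits where count > avg + threshold_value * stdev of the user's
    other buckets. The baseline leaves the current bucket out so a large burst cannot mask itself."""
    spikes = []
    for user, buckets in bucket_counts(findings, span).items():
        if len(buckets) < 3:
            continue  # not enough history for this user to form a baseline
        for start, count in sorted(buckets.items()):
            baseline = [n for s, n in buckets.items() if s != start]
            upper = mean(baseline) + threshold_value * pstdev(baseline)
            if count > upper:  # with a perfectly flat baseline stdev is 0, so any rise above it trips
                spikes.append({
                    "user": user,
                    "bucket_start": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                    "count": count,
                    "upper_bound": upper,
                })
    return spikes


if __name__ == "__main__":
    for hit in detect_spikes(SAMPLE_FINDINGS):
        print(hit)
```

Raising threshold_value is the tuning knob the help text refers to: with the sample data, a threshold of 3 flags alice's 20-alert bucket, while 40 flags nothing.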