Detect Spike In AWS Security Hub Alerts For User

Description

This search looks for a spike in number of of AWS security Hub alerts for an AWS IAM User in 4 hours intervals.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Adversary Tactics

Alert Volume

This search looks for a spike in number of of AWS security Hub alerts for an AWS IAM User in 4 hours intervals.

SPL Difficulty

None

Journey

Stage 3

Data Sources

AWS
Audit Trail

   Help

Detect Spike In AWS Security Hub Alerts For User Help

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.

   Search

Open in Search