Abnormally High AWS Instances Launched by User


This search looks for CloudTrail events where a user successfully launches an abnormally high number of instances.

Content Mapping

This content is not mapped to any local saved search. Add mapping

Use Case

Advanced Threat Detection


Cloud Security, SaaS

Alert Volume

Medium (?)

SPL Difficulty



Stage 3



Kill Chain Phases

Actions On Objectives

Data Sources

Audit Trail


Abnormally High AWS Instances Launched by User Help

In this search, we query CloudTrail logs to look for events where an instance is successfully launched by a particular user. Since we want to detect a high number of instances launched within a short period, we create event buckets for 10-minute windows. We then calculate the total number of instances launched by a particular user, as well as the average and standard deviation values. Assign a threshold_value in the search. Start with 3 (but it will likely need to be tweaked for your environment). The eval function will set the outlier 1 if the number of instances is greater than the average number of instances terminated, added to the multiplied value of threshold and standard deviation. For your reference, we then keep only the outliers and calculate the number of standard deviations away the value is from the average.