
Detect Spike in AWS Security Hub Alerts for User

Splunk Security Content

Summary
This detection flags anomalous volumes of AWS Security Hub findings tied to IAM users. It takes Security Hub findings whose resource type is an IAM user, counts them per user in 4-hour windows, and computes the average and standard deviation of those window counts. A window whose count exceeds the average plus two standard deviations is flagged as an outlier. Such a spike can indicate credential misuse, unauthorized access, or another incident involving the user, so the analytic serves as an early warning for AWS IAM user credential abuse.
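The following is an added example, not the Splunk search itself or any code from the Splunk Security Content project: the spike logic described above re-implemented in Python and run over constructed findings. It assumes the baseline is computed per IAM user over that user's own 4-hour bucket counts, and that "standard deviation" means the sample standard deviation (what Splunk's stdev() returns); the page does not state either. The ARNs, timestamps and findings are constructed to resemble a minimal ASFF subset and are not real Security Hub output.

```python
"""Added example (not the Splunk search): the spike logic from the summary,
re-implemented in Python and run over constructed findings.

Assumptions not confirmed by the page: baseline is per IAM user over that
user's own 4-hour bucket counts; "standard deviation" is the sample standard
deviation (Splunk's stdev()). All findings below are constructed, not real
Security Hub output.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev

BUCKET = timedelta(hours=4)
SIGMA_MULTIPLIER = 2

# Constructed IAM user ARNs (hypothetical account id).
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
WINDOW_START = datetime(2024, 11, 14, tzinfo=timezone.utc)  # midnight UTC is on a 4h boundary


def make_findings(user_arn, counts, start=WINDOW_START):
    """Constructed ASFF-shaped findings: bucket i contains counts[i] findings."""
    findings = []
    for i, n in enumerate(counts):
        for j in range(n):
            created = start + i * BUCKET + timedelta(minutes=j)
            findings.append({
                "CreatedAt": created.isoformat(),
                "Resources": [{"Type": "AwsIamUser", "Id": user_arn}],
            })
    return findings


def bucket_counts(findings, bucket=BUCKET):
    """Keep findings whose resource is an IAM user, bucket them by CreatedAt and
    count per (user, bucket start). As with Splunk's bin + stats, a bucket with
    no findings produces no row, so quiet periods never enter the baseline."""
    size = int(bucket.total_seconds())
    counts = defaultdict(int)
    for f in findings:
        users = {r["Id"] for r in f.get("Resources", []) if r.get("Type") == "AwsIamUser"}
        if not users:
            continue  # EC2, S3, ... findings are outside this rule's scope
        ts = datetime.fromisoformat(f["CreatedAt"].replace("Z", "+00:00"))
        epoch = int(ts.timestamp())
        bucket_start = epoch - epoch % size
        for user in users:
            counts[(user, bucket_start)] += 1
    return dict(counts)


def find_outliers(findings, bucket=BUCKET, k=SIGMA_MULTIPLIER):
    """For each user, upperBound = avg + k * stdev over that user's bucket counts;
    return {(user, bucket_start): count} for every bucket above its bound."""
    per_user = defaultdict(dict)
    for (user, start), n in bucket_counts(findings, bucket).items():
        per_user[user][start] = n
    outliers = {}
    for user, buckets in per_user.items():
        values = list(buckets.values())
        avg = mean(values)
        sd = stdev(values) if len(values) > 1 else 0.0  # one bucket: no spread, no alert
        upper = avg + k * sd
        for start, n in buckets.items():
            if n > upper:
                outliers[(user, start)] = n
    return outliers


def demo():
    """Constructed data: alice has nine quiet buckets then a spike of 14; bob has
    only three buckets (1, 1, 5), too few for a 2-sigma spike to register; one
    EC2 finding is included to exercise the resource-type filter."""
    findings = (
        make_findings(ALICE, [2, 3, 2, 3, 2, 3, 2, 3, 2, 14])
        + make_findings(BOB, [1, 1, 5])
        + [{"CreatedAt": WINDOW_START.isoformat(),
            "Resources": [{"Type": "AwsEc2Instance",
                           "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"}]}]
    )
    return find_outliers(findings)


if __name__ == "__main__":
    for (user, start), n in demo().items():
        when = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
        print(f"outlier: {user} had {n} findings in the 4h bucket starting {when}")
```

Two properties of this threshold are worth knowing before tuning it. The spike is part of the sample it is compared against, and by Samuelson's inequality no value in a sample of n can lie more than (n-1)/sqrt(n) sample standard deviations from the mean; that bound only passes 2 at n = 6, so a user with fewer than six populated 4-hour buckets in the search window can never trigger, however large the spike (bob above). And because empty buckets produce no rows, a user who is normally silent and suddenly produces one burst has a single bucket, a standard deviation of zero, and no alert at all; a fixed floor on the count, or a baseline taken from a longer lookback than the window being scored, closes both gaps.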
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • User Account
  • Application Log
Created: 2024-11-14