
Detect Spike in blocked Outbound Traffic from your AWS

Splunk Security Content

Summary
This detection rule identifies abnormal spikes in blocked outbound network connections from within an AWS environment, utilizing VPC Flow Logs data logged in CloudWatch. The rule focuses on actions flagged as 'blocked' and examines connections initiated from designated private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to external IP addresses, excluding internal destinations. By calculating averages and standard deviations of previously observed blocked connections, the rule sets thresholds for spike detection, indicating potential malicious activity such as data exfiltration or network misconfigurations. When a significant deviation from the norm is detected (exceeding a certain number of standard deviations from the average), the connection is flagged for potential further investigation. The rule also allows customization of its sensitivity through dataPointThreshold and deviationThreshold variables, making the detection adaptable to different operational contexts.
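The following Python script is an added illustration of the baseline-and-deviation logic the summary describes; it is not the Splunk Security Content SPL search itself. It assumes the default v2 VPC Flow Log field order, treats the REJECT action as "blocked", aggregates into hourly buckets, uses every earlier bucket as the baseline (sample standard deviation), and applies the two tunables as dataPointThreshold (minimum number of baseline buckets before a verdict) and deviationThreshold (number of standard deviations above the mean). The flow-log records are constructed inline using documentation IP ranges and placeholder account and interface ids.

```python
"""Spike detection over blocked outbound traffic in VPC Flow Logs.

Added example of the detection logic; not Splunk's own search.
"""
import ipaddress
import statistics
from collections import Counter

# Assumption: VPC Flow Logs record the 'blocked' action as REJECT.
BLOCKED_ACTION = "REJECT"
PRIVATE_RANGES = [ipaddress.ip_network(c)
                  for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUCKET_SECONDS = 3600  # assumption: one data point per hour

# Default v2 flow-log field order as documented by AWS.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


def parse_flow_log(line):
    """Split one default-format flow-log record into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def is_blocked_outbound(rec):
    """Blocked, initiated from a private range, and not destined to a private range."""
    return (rec["action"] == BLOCKED_ACTION
            and is_private(rec["srcaddr"])
            and not is_private(rec["dstaddr"]))


def bucket_counts(lines, bucket_seconds=BUCKET_SECONDS):
    """Count qualifying records per time bucket, keyed by bucket start (epoch seconds)."""
    counts = Counter()
    for line in lines:
        rec = parse_flow_log(line)
        if rec and is_blocked_outbound(rec):
            counts[int(rec["start"]) // bucket_seconds * bucket_seconds] += 1
    return counts


def detect_spikes(counts, data_point_threshold=5, deviation_threshold=3,
                  bucket_seconds=BUCKET_SECONDS):
    """Return [(bucket_start, count, baseline_avg, baseline_stdev)] for spiking buckets.

    A bucket spikes when its count exceeds avg + deviation_threshold * stdev of all
    earlier buckets, and only once at least data_point_threshold earlier buckets exist.
    Buckets with no qualifying traffic count as zero, as a timechart would show them.
    """
    if not counts:
        return []
    spikes, history = [], []
    first, last = min(counts), max(counts)
    for bucket in range(first, last + bucket_seconds, bucket_seconds):
        count = counts.get(bucket, 0)
        if len(history) >= max(data_point_threshold, 2):
            avg = statistics.mean(history)
            stdev = statistics.stdev(history)
            if count > avg + deviation_threshold * stdev:
                spikes.append((bucket, count, avg, stdev))
        history.append(count)
    return spikes


def flow_line(src, dst, action, start, dst_port=443):
    """Constructed v2 record; account id and interface id are placeholders."""
    return (f"2 123456789012 eni-0example {src} {dst} 49152 {dst_port} 6 4 256 "
            f"{start} {start + 60} {action} OK")


def build_sample_logs(base=1731542400, blocked_per_hour=(2, 3, 2, 4, 3, 2, 12)):
    """Constructed sample: a quiet baseline followed by one hour with a burst of rejects."""
    lines = []
    for hour, n in enumerate(blocked_per_hour):
        t = base + hour * BUCKET_SECONDS
        for i in range(n):
            lines.append(flow_line(f"10.0.1.{10 + i}", f"203.0.113.{5 + i}", "REJECT", t + i * 60))
        # Noise that must not be counted: allowed outbound, blocked internal-to-internal,
        # and blocked inbound from an external address.
        lines.append(flow_line("10.0.1.10", "203.0.113.5", "ACCEPT", t + 1800))
        lines.append(flow_line("10.0.1.10", "172.16.5.5", "REJECT", t + 1900))
        lines.append(flow_line("198.51.100.7", "10.0.1.10", "REJECT", t + 2000, dst_port=22))
    return lines


if __name__ == "__main__":
    counts = bucket_counts(build_sample_logs())
    for bucket, count, avg, stdev in detect_spikes(counts):
        print(f"spike at bucket {bucket}: {count} blocked outbound flows "
              f"(baseline avg {avg:.2f}, stdev {stdev:.2f})")
```

With the constructed data the six baseline hours carry 2 to 4 blocked outbound flows each and the seventh carries 12, which clears the mean-plus-three-standard-deviations threshold; raising deviationThreshold or lowering the burst shows how the two tunables trade sensitivity against noise from ordinary security-group rejects.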
Categories
  • Cloud
Data Sources
  • Volume
Created: 2024-11-14