
Detect Spike in AWS Security Hub Alerts for EC2 Instance

Splunk Security Content

Summary
This analytic detects spikes in AWS Security Hub findings whose resource is an EC2 instance. It groups the findings into 4-hour time buckets, computes the average and standard deviation of the per-bucket alert count across the search window, and fires for any bucket whose count exceeds the average plus three standard deviations. Such a spike may indicate unauthorized access attempts, data exfiltration, a service disruption, or a misconfiguration, so it is worth surfacing to a Security Operations Center (SOC). Because each bucket is part of its own baseline, the search window must contain enough 4-hour buckets for a single bucket to stand out at all; a window of only a few buckets cannot produce a three-standard-deviation outlier no matter how large the spike. Correctly tuned, the rule helps prioritize alerts for further investigation.
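The detection logic described above, re-implemented in Python as an added example (this is not Splunk's own search or code). It runs over constructed, simplified Security Hub findings (a timestamp plus a `Resources` list carrying `Type` and `Id`), buckets them into 4-hour spans, and flags buckets above average plus three sample standard deviations. It also works out the caveat from the summary: with the spike bucket included in its own baseline, a single bucket's z-score is bounded by (n-1)/sqrt(n), so at least 11 buckets (44 hours) are needed before a three-sigma spike can fire. The instance ARNs, account id and timestamps are constructed placeholders.

```python
# Added example (not Splunk's own search or code): the detection logic the
# summary describes, re-implemented over constructed Security Hub findings so
# the threshold arithmetic can be checked offline.
import math
from collections import defaultdict
from datetime import datetime, timezone

BUCKET_SECONDS = 4 * 3600    # matches a 4-hour bucket span
THRESHOLD_SIGMAS = 3.0       # alert when count > avg + 3 * stdev
EC2_TYPE = "AwsEc2Instance"  # Security Hub resource type for EC2 instances

# Constructed reference time (2024-11-14 00:00 UTC); any midnight UTC is bucket-aligned.
BASE = int(datetime(2024, 11, 14, tzinfo=timezone.utc).timestamp())


def make_findings(counts_per_bucket, resource_type=EC2_TYPE, base=BASE):
    """Constructed sample data: counts_per_bucket[i] findings in bucket i.
    Each finding is a simplified Security Hub finding with only the fields the
    rule uses: a timestamp and a Resources list with Type and Id."""
    findings = []
    for i, n in enumerate(counts_per_bucket):
        for k in range(n):
            findings.append({
                "_time": base + i * BUCKET_SECONDS + (k % BUCKET_SECONDS),  # one per second, inside the bucket
                "Resources": [{
                    "Type": resource_type,
                    # Hypothetical instance ARN; the account id is the AWS documentation placeholder.
                    "Id": f"arn:aws:ec2:us-east-1:123456789012:instance/i-{i:03x}{k:05x}",
                }],
            })
    return findings


def bucket_start(epoch):
    """Floor a timestamp to its 4-hour bucket, like `bucket _time span=4h`."""
    return int(epoch // BUCKET_SECONDS) * BUCKET_SECONDS


def count_alerts_per_bucket(findings):
    """Per-bucket alert count and set of EC2 instance ids, keeping only findings
    whose resource is an EC2 instance. Buckets with no findings produce no row,
    which mirrors a stats-by-_time: quiet periods do not pull the baseline down."""
    buckets = defaultdict(lambda: {"alerts": 0, "instance": set()})
    for f in findings:
        ec2_ids = [r["Id"] for r in f.get("Resources", []) if r.get("Type") == EC2_TYPE]
        if not ec2_ids:
            continue
        b = buckets[bucket_start(f["_time"])]
        b["alerts"] += 1
        b["instance"].update(ec2_ids)
    return dict(buckets)


def sample_stdev(values):
    """Sample standard deviation (n-1 denominator), the form Splunk's stdev() uses."""
    n = len(values)
    if n < 2:
        return 0.0
    avg = sum(values) / n
    return math.sqrt(sum((v - avg) ** 2 for v in values) / (n - 1))


def detect_spikes(findings, sigmas=THRESHOLD_SIGMAS):
    """Flag buckets whose alert count exceeds avg + sigmas * stdev. The baseline
    is computed over every non-empty bucket in the input, spike bucket included,
    exactly as an eventstats over the whole search window would."""
    buckets = count_alerts_per_bucket(findings)
    if not buckets:
        return {"avg": 0.0, "stdev": 0.0, "threshold": 0.0, "outliers": []}
    counts = [b["alerts"] for b in buckets.values()]
    avg = sum(counts) / len(counts)
    sd = sample_stdev(counts)
    threshold = avg + sigmas * sd
    outliers = [
        {"_time": t, "alerts": b["alerts"], "instance": sorted(b["instance"])}
        for t, b in sorted(buckets.items())
        if b["alerts"] > threshold
    ]
    return {"avg": avg, "stdev": sd, "threshold": threshold, "outliers": outliers}


def min_buckets_for(sigmas):
    """Smallest number of buckets at which any single bucket can exceed
    avg + sigmas * stdev. With the spike included in its own baseline, one
    outlier's z-score is bounded by (n-1)/sqrt(n) (Samuelson's inequality),
    so fewer buckets than this can never fire, however large the spike."""
    n = 2
    while (n - 1) / math.sqrt(n) <= sigmas:
        n += 1
    return n


if __name__ == "__main__":
    short = make_findings([3, 4, 3, 5, 4, 3, 4, 3, 1000])  # 9 buckets, 36 hours
    long = make_findings([3, 5] * 11 + [3, 30])            # 24 buckets, 4 days
    print("9 buckets:", detect_spikes(short)["outliers"])  # [] despite a 1000-alert bucket
    print("24 buckets:", [(o["_time"], o["alerts"]) for o in detect_spikes(long)["outliers"]])
    print("minimum buckets for 3 sigma:", min_buckets_for(3.0))  # 11, i.e. 44 hours of 4h buckets
```

Two tuning points follow from the code. First, the search must span at least 11 four-hour buckets (44 hours) before a three-sigma spike can ever be flagged; the 9-bucket sample above stays silent even with a thousand findings in one bucket. Second, because buckets with zero findings produce no row, long quiet periods do not lower the baseline, so a fleet that is normally silent will see a smaller effective sample than the calendar window suggests.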
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Cloud Service
  • Network Traffic
  • Application Log
Created: 2024-11-14