
Detect Spike in Security Group Activity

Splunk Security Content

Summary
This detection rule identifies anomalous spikes in API activity related to security groups in an AWS environment. It processes AWS CloudTrail data, focusing on security group API calls, and calculates the average and standard deviation of the API calls each user makes to establish a typical pattern of behavior; a count that deviates significantly from that baseline is reported as a spike. The search caches the activity baseline over time and updates the cache with the latest data so the baseline stays current. Note that this rule has been deprecated and transitioned to the Change Data Model, so it may no longer be best practice for current implementations. Users are advised to evaluate the dataPointThreshold and deviationThreshold parameters and adjust them to their security posture to minimize false positives caused by legitimate environmental changes (a user with too few historical data points has no usable baseline, and a deviation threshold set too low turns normal variation into alerts). The search requires the AWS App for Splunk and correctly configured AWS CloudTrail inputs to function. The underlying logic detects significant variances from established norms, surfacing potential security incidents based on user actions.
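The baseline-and-deviation logic described above, reimplemented in Python as an added example (this is not the rule's own SPL search nor code from Splunk Security Content). The CloudTrail-like events and the cached per-user daily counts are constructed for illustration; the parameter names dataPointThreshold and deviationThreshold follow the page, but the default values used here (5 data points, 3 standard deviations) are assumptions, not the rule's actual defaults.

```python
"""Added example: spike detection on per-user security-group API call counts.

Mirrors the rule's steps: count security-group API calls per user, compare the
latest count against a cached baseline (average and standard deviation of
earlier counts), report spikes, then roll the latest counts into the cache.
"""
from collections import Counter
from statistics import mean, stdev

# EC2 API names that modify security groups (real CloudTrail eventName values).
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}

# Constructed baseline cache: per user, daily counts of security-group API
# calls seen on earlier days (what the rule keeps in its cached lookup).
BASELINE_CACHE = {
    "alice": [4, 5, 6, 5, 4, 6, 5],
    "bob": [2, 3],                        # too few data points for a baseline
    "carol": [10, 12, 11, 9, 10, 11, 14],
}

# Constructed CloudTrail-like events for the latest window (account id is a placeholder).
def _event(user, name):
    return {"userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"},
            "eventName": name}

LATEST_EVENTS = (
    [_event("alice", "AuthorizeSecurityGroupIngress")] * 25
    + [_event("bob", "RevokeSecurityGroupEgress")] * 40
    + [_event("carol", "CreateSecurityGroup")] * 12
    + [_event("carol", "DescribeInstances")] * 50   # not a security-group call, ignored
)


def count_security_group_calls(events):
    """Count security-group API calls per user, as the rule's stats step would."""
    counts = Counter()
    for ev in events:
        if ev.get("eventName") in SECURITY_GROUP_EVENTS:
            user = ev["userIdentity"]["arn"].rsplit("/", 1)[-1]
            counts[user] += 1
    return counts


def baseline_for(samples, data_point_threshold):
    """Return (avg, stdev) when enough history exists, otherwise None."""
    if len(samples) < data_point_threshold:
        return None
    return mean(samples), stdev(samples)


def detect_spikes(cache, latest_counts, data_point_threshold=5, deviation_threshold=3.0):
    """Report users whose latest count exceeds avg + deviation_threshold * stdev."""
    spikes = []
    for user, count in sorted(latest_counts.items()):
        base = baseline_for(cache.get(user, []), data_point_threshold)
        if base is None:
            continue  # no stable baseline yet: nothing to compare against
        avg, sd = base
        if sd == 0:
            # Constant history: any change from it is treated as a spike
            # (a design choice in this example, not something the page specifies).
            z = float("inf") if count != avg else 0.0
        else:
            z = (count - avg) / sd
        if z > deviation_threshold:
            spikes.append({"user": user, "count": count, "avg": avg, "stdev": sd, "z": z})
    return spikes


def update_cache(cache, latest_counts, max_points=30):
    """Return a new cache with the latest counts appended, bounded per user."""
    updated = {user: list(samples) for user, samples in cache.items()}
    for user, count in latest_counts.items():
        updated.setdefault(user, []).append(count)
        updated[user] = updated[user][-max_points:]
    return updated


if __name__ == "__main__":
    latest = count_security_group_calls(LATEST_EVENTS)
    for s in detect_spikes(BASELINE_CACHE, latest):
        print(f"{s['user']}: {s['count']} calls vs avg {s['avg']:.1f} "
              f"+/- {s['stdev']:.2f} (z={s['z']:.1f})")
    BASELINE_CACHE = update_cache(BASELINE_CACHE, latest)
```

With the constructed data, alice is reported (25 calls against a baseline near 5), carol is not (12 calls against a baseline near 11), and bob is skipped because two historical points fall below dataPointThreshold even though 40 calls would look alarming; raising dataPointThreshold trades exactly this kind of early-warning coverage for fewer false positives from users without an established history.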
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Network Traffic
ATT&CK Techniques
  • T1078.004
Created: 2024-11-14