Try in Splunk Security Cloud


This search looks for a spike in number of of AWS security Hub alerts for an EC2 instance in 4 hours intervals

  • Type: Anomaly
  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2021-01-26
  • Author: Bhavin Patel, Splunk
  • ID: 2a9b80d3-6340-4345-b5ad-290bf5d0d222
`aws_securityhub_finding` "Resources{}.Type"=AWSEC2Instance 
| bucket span=4h _time 
| stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account) as vendor_account values(vendor_region) as vendor_region values(severity) as severity by _time dest 
| eventstats avg(alerts) as total_alerts_avg, stdev(alerts) as total_alerts_stdev 
| eval threshold_value = 3 
| eval isOutlier=if(alerts > total_alerts_avg+(total_alerts_stdev * threshold_value), 1, 0) 
| search isOutlier=1 
| table _time dest alerts Title Types vendor_account vendor_region severity isOutlier total_alerts_avg 
| `detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`

Associated Analytic Story

How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.

Required field

  • _time
  • Resources{}.Type
  • Title
  • Types{}
  • vendor_account
  • vendor_region
  • severity
  • dest

Kill Chain Phase

Known False Positives



Risk Score Impact Confidence Message
15.0 30 50 Spike in AWS security Hub alerts with title $Title$ for EC2 instance $dest$


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 3