We have not been able to test, simulate, or build datasets for this detection. Use at your own risk. This analytic is NOT supported.

Try in Splunk Security Cloud


This search looks for a spike in number of of AWS security Hub alerts for an AWS IAM User in 4 hours intervals.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2021-01-26
  • Author: Bhavin Patel, Splunk
  • ID: 2a9b80d3-6220-4345-b5ad-290bf5d0d222
`aws_securityhub_finding` "findings{}.Resources{}.Type"= AwsIamUser 
| rename findings{}.Resources{}.Id as user 
| bucket span=4h _time 
| stats count AS alerts by _time user 
| eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev 
| eval threshold_value = 2 
| eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) 
| search isOutlier=1 
| table _time user alerts 

Associated Analytic Story

How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.

Required field

  • _time
  • findings{}.Resources{}.Type
  • indings{}.Resources{}.Id
  • user

Kill Chain Phase

Known False Positives



Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 3