
Description

This story focuses on detecting anomalous spikes in the findings that AWS Security Hub aggregates from AWS security services, grouped by the affected EC2 instance or IAM user.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-08-04
  • Author: Bhavin Patel, Splunk
  • ID: 2f2f610a-d64d-48c2-b57c-96722b49ab5a

Narrative

AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager.

Detections

Name Technique Type
Detect Spike in AWS Security Hub Alerts for EC2 Instance   Anomaly
Detect Spike in AWS Security Hub Alerts for User   Anomaly
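The two detections above share one idea: bucket Security Hub findings into fixed time spans, count them per affected resource, and flag a bucket whose count is far above the population mean. The block below is an added illustration written for this page, not Splunk's own search logic or any AWS code. It assumes findings in the ASFF shape Security Hub emits (`UpdatedAt`, `Resources[].Type`, `Resources[].Id`), a 4-hour bucket width and a 3-standard-deviation threshold (both assumed, tunable), and runs over a constructed dataset in which one instance floods a single bucket. Resource ARNs, account IDs and finding titles in the sample are made up.

```python
"""Spike detection over AWS Security Hub findings, grouped by resource.

Added example for this page (not Splunk's or AWS's code). Sample data below is
constructed, not real Security Hub output.
"""
from collections import Counter
from datetime import datetime, timezone
from statistics import mean, stdev

SPAN = 4 * 3600  # bucket width in seconds (assumed 4h)
K = 3.0          # spike threshold: flag when count > mean + K * stdev (assumed)


def parse_asff_time(ts):
    """ASFF timestamps are ISO 8601 UTC with a trailing Z; return epoch seconds."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def bucket_counts(findings, resource_type, span=SPAN):
    """Count findings per (bucket_start, resource_id) for one ASFF resource type.

    A finding that lists several resources of that type counts once per resource,
    and findings for other resource types are ignored entirely.
    """
    counts = Counter()
    for finding in findings:
        bucket = int(parse_asff_time(finding["UpdatedAt"]) // span) * span
        for res in finding.get("Resources", []):
            if res.get("Type") == resource_type:
                counts[(bucket, res["Id"])] += 1
    return counts


def spikes(counts, k=K):
    """Return sorted (bucket_start, resource_id, count) rows above mean + k*stdev.

    Mean and (sample) stdev are taken over all rows, not per resource, so one
    flooding resource raises the bar for every resource in the window. With
    fewer than two rows there is no population to compare against.
    """
    if len(counts) < 2:
        return []
    vals = list(counts.values())
    limit = mean(vals) + k * stdev(vals)
    return sorted((b, rid, c) for (b, rid), c in counts.items() if c > limit)


def make_finding(epoch, res_type, res_id, title):
    """Build a minimal constructed ASFF-shaped finding (hypothetical values)."""
    ts = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "Id": f"{res_id}/{int(epoch)}",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
        "UpdatedAt": ts,
        "Title": title,
        "Resources": [{"Type": res_type, "Id": res_id}],
    }


def sample_findings():
    """Constructed dataset over twenty 4h buckets starting 2020-08-01T00:00Z.

    Instance A: one finding per bucket plus 19 extra in bucket 10 (the spike).
    Instance B: one finding in each of the first five buckets.
    IAM user:   one finding in three buckets (steady, no spike).
    """
    start = datetime(2020, 8, 1, tzinfo=timezone.utc).timestamp()
    ec2_a = "arn:aws:ec2:us-east-1:123456789012:instance/i-0aaaaaaaaaaaaaaaa"
    ec2_b = "arn:aws:ec2:us-east-1:123456789012:instance/i-0bbbbbbbbbbbbbbbb"
    user = "arn:aws:iam::123456789012:user/deploy-bot"
    out = []
    for i in range(20):
        t = start + i * SPAN + 60
        out.append(make_finding(t, "AwsEc2Instance", ec2_a, "Port probe on unprotected port"))
        if i < 5:
            out.append(make_finding(t + 5, "AwsEc2Instance", ec2_b, "Port probe on unprotected port"))
        if i in (2, 7, 12):
            out.append(make_finding(t + 9, "AwsIamUser", user, "Unusual API call by IAM user"))
    for j in range(19):  # the flood: 19 extra findings for instance A inside bucket 10
        out.append(make_finding(start + 10 * SPAN + 120 + j, "AwsEc2Instance", ec2_a, "SSH brute force"))
    return out


if __name__ == "__main__":
    data = sample_findings()
    for b, rid, c in spikes(bucket_counts(data, "AwsEc2Instance")):
        print(datetime.fromtimestamp(b, tz=timezone.utc).isoformat(), rid, c)
    print("user spikes:", spikes(bucket_counts(data, "AwsIamUser")))
```

Swapping `"AwsEc2Instance"` for `"AwsIamUser"` is the whole difference between the two detections. Two caveats a practitioner will hit: a global mean/stdev lets one noisy resource mask others (compute the baseline per resource if that matters), and a short window with very few rows yields an unstable stdev, which is why the function refuses to score fewer than two rows.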
