

This story focuses on detecting anomalous volumes of AWS Security Hub alerts, per EC2 instance and per user, in findings ingested from AWS.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-08-04
  • Author: Bhavin Patel, Splunk
  • ID: 2f2f610a-d64d-48c2-b57c-96722b49ab5a


AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager.


Name                                                        Technique   Type
Detect Spike in AWS Security Hub Alerts for EC2 Instance                Anomaly
Detect Spike in AWS Security Hub Alerts for User                        Anomaly
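As an added example, not the Splunk search itself and not code from this page, the following Python shows the kind of per-resource spike detection the two analytics above perform: it buckets Security Hub findings by hour, builds a baseline from the entity's earlier hours, and flags an EC2 instance or IAM user whose hourly finding count exceeds mean + k * stdev. The findings are constructed in a reduced ASFF-like shape, the resource ARNs are made up, and the threshold rule with its `k`, `min_samples` and `min_count` parameters is an illustrative assumption.

```python
"""Added example: per-resource spike detection over AWS Security Hub findings.

The findings below are constructed in a reduced ASFF-like shape (CreatedAt plus a
Resources list); the threshold rule (count > mean + k * stdev of the prior hourly
buckets) is an illustrative assumption, not the Splunk search itself.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed identifiers (AWS documentation-style example account id).
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
USER_ARN = "arn:aws:iam::111122223333:user/example-user"


def _finding(ts, rtype, rid, title="Example finding"):
    """Build one minimal ASFF-like finding record (constructed sample data)."""
    return {"CreatedAt": ts, "Title": title,
            "Resources": [{"Type": rtype, "Id": rid}]}


def build_sample_findings():
    """Six quiet hours for one EC2 instance, then a burst in hour 06; one IAM
    user that stays at a steady two findings per hour throughout."""
    findings = []
    for h in range(6):
        findings.append(_finding(f"2020-08-04T{h:02d}:10:00Z", "AwsEc2Instance", INSTANCE_ARN))
    for m in range(12):  # burst: 12 findings inside hour 06
        findings.append(_finding(f"2020-08-04T06:{m:02d}:00Z", "AwsEc2Instance", INSTANCE_ARN))
    for h in range(7):
        for m in (5, 35):
            findings.append(_finding(f"2020-08-04T{h:02d}:{m:02d}:00Z", "AwsIamUser", USER_ARN))
    return findings


def hour_bucket(ts):
    """Truncate an ASFF CreatedAt timestamp (UTC, 'Z' suffix) to the hour."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def hourly_counts(findings, resource_types):
    """Return ({(type, id): {bucket: count}}, sorted list of every bucket seen).
    Findings without a resource of a requested type are ignored."""
    per_entity = defaultdict(lambda: defaultdict(int))
    buckets = set()
    for f in findings:
        bucket = hour_bucket(f["CreatedAt"])
        buckets.add(bucket)
        for r in f.get("Resources", []):
            if r.get("Type") in resource_types:
                per_entity[(r["Type"], r["Id"])][bucket] += 1
    return per_entity, sorted(buckets)


def detect_spikes(findings, resource_types=("AwsEc2Instance", "AwsIamUser"),
                  k=3.0, min_samples=4, min_count=5):
    """Flag each (entity, hour) whose finding count exceeds mean + k*stdev of the
    entity's earlier hours. Hours with no findings count as zero so a silent
    baseline is not mistaken for a missing one; min_samples avoids alerting
    before a baseline exists and min_count suppresses tiny absolute counts."""
    per_entity, buckets = hourly_counts(findings, resource_types)
    spikes = []
    for (rtype, rid), counts_by_bucket in per_entity.items():
        series = [counts_by_bucket.get(b, 0) for b in buckets]
        for i in range(min_samples, len(series)):
            prior = series[:i]
            m, s = mean(prior), pstdev(prior)
            count = series[i]
            if count >= min_count and count > m + k * s:
                spikes.append({"type": rtype, "entity": rid, "bucket": buckets[i],
                               "count": count, "baseline_mean": m, "baseline_stdev": s})
    return spikes


if __name__ == "__main__":
    for spike in detect_spikes(build_sample_findings()):
        print(f"{spike['type']} {spike['entity']} @ {spike['bucket']}: "
              f"{spike['count']} findings (baseline {spike['baseline_mean']:.1f} "
              f"+/- {spike['baseline_stdev']:.1f})")
```

Run against the constructed data, only the EC2 instance's hour 06 is flagged (12 findings against a baseline of one per hour); the IAM user's steady two per hour never crosses the threshold. The zero-fill of empty hours matters in practice: without it, a resource that is normally silent has no baseline at all and its first burst is either missed or compared against nothing.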


source | version: 1