Name: Detect Spike in AWS Security Hub Alerts for User
id: 2a9b80d3-6220-4345-b5ad-290bf5d0d222
version: 10
date: 2026-03-10
author: Bhavin Patel, Splunk
status: experimental
type: Anomaly
Description: The following analytic identifies a spike in the number of AWS Security Hub alerts for an AWS IAM user within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alert counts per user to detect significant deviations from that user's baseline. This activity is significant because a sudden increase in alerts for a specific user may indicate suspicious behavior or a potential security incident. If confirmed malicious, this could signify an ongoing attack, unauthorized access, or misuse of IAM credentials, potentially leading to data breaches or further exploitation.
Data_source:
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and the Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment, and these searches should be scheduled according to the bucket span interval.
known_false_positives: No false positives have been identified at this time.
References:
drilldown_searches:
tags:
  analytic_story:
    - 'AWS Security Hub Alerts'
    - 'Critical Alerts'
  asset_type: AWS Instance
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain: network
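The statistic the description relies on (per-user alert counts in 4-hour buckets, compared against that user's mean plus threshold_value standard deviations) is shown below as an added Python example; it is not the Splunk search from this detection or any Splunk/ESCU code, and the `user`/`_time` field names, the constructed findings, and the default threshold_value of 2.0 are assumptions.

```python
"""Spike detection over per-user AWS Security Hub alert counts (added example).

Buckets findings per IAM user into 4-hour spans, computes each user's mean and
standard deviation across spans, and flags spans above mean + threshold_value*stdev.
Field names (`user`, `_time`) and the sample data are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

SPAN_SECONDS = 4 * 60 * 60  # 4-hour bucket span from the detection description


def bucket_counts(findings, span=SPAN_SECONDS):
    """Count findings per (user, bucket start); empty buckets get no entry, as with a stats count."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        bucket = (f["_time"] // span) * span
        counts[f["user"]][bucket] += 1
    return counts


def detect_spikes(findings, threshold_value=2.0, span=SPAN_SECONDS):
    """Return [(user, bucket_start, count, upper_bound)] for buckets exceeding the user's baseline."""
    spikes = []
    for user, per_bucket in bucket_counts(findings, span).items():
        values = list(per_bucket.values())
        if len(values) < 2:
            continue  # a single bucket gives no baseline to compare against
        avg, sd = mean(values), pstdev(values)
        upper = avg + threshold_value * sd
        for bucket, count in sorted(per_bucket.items()):
            if count > upper:
                spikes.append((user, bucket, count, round(upper, 2)))
    return spikes


def constructed_findings():
    """Constructed sample: eight 4-hour buckets per user, one finding dict per alert."""
    per_bucket = {
        "alice": [2, 3, 2, 3, 2, 3, 2, 14],  # last bucket spikes well above baseline
        "bob": [1, 1, 2, 1, 1, 2, 1, 1],     # small variation, no spike
    }
    findings = []
    for user, counts in per_bucket.items():
        for i, n in enumerate(counts):
            base = i * SPAN_SECONDS
            findings.extend({"user": user, "_time": base + k * 60, "Title": "constructed finding"}
                            for k in range(n))
    return findings


if __name__ == "__main__":
    for hit in detect_spikes(constructed_findings()):
        print("spike: user=%s bucket=%d count=%d upper=%.2f" % hit)
```

Raising threshold_value makes the upper bound wider, which is the tuning knob the how_to_implement text refers to.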