Analytics Story: AWS Security Hub Alerts

Description

This story is focused on detecting Security Hub alerts generated by AWS.

Why it matters

AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager.

Detections

Name | Technique | Type
Detect Spike in AWS Security Hub Alerts for EC2 Instance | None | Anomaly
Detect Spike in AWS Security Hub Alerts for User | None | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
AWS Security Hub | AWS | aws:securityhub:finding | aws_securityhub_finding

Source: GitHub | Version: 1