Analytics Story: AWS Security Hub Alerts
Description
This story is focused around detecting Security Hub alerts generated from AWS
Why it matters
AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager.
Detections
| Name | Technique | Type |
|---|---|---|
| Detect Spike in AWS Security Hub Alerts for EC2 Instance | None | Anomaly |
| Detect Spike in AWS Security Hub Alerts for User | None | Anomaly |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| AWS Security Hub |  AWS |
aws:securityhub:finding |
aws_securityhub_finding |
References
Source: GitHub | Version: 1