Splunk Lantern

Detecting AWS security hub alerts

You are an Amazon Web Services (AWS) admin who manages AWS resources and services across your organization. As part of your role, you need to be able to detect Security Hub alerts generated from AWS.

AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as:

  • intrusion detection findings from Amazon GuardDuty
  • vulnerability scans from Amazon Inspector
  • S3 bucket policy findings from Amazon Macie
  • publicly accessible and cross-account resources from IAM Access Analyzer
  • resources that lack WAF coverage from AWS Firewall Manager

These searches are designed to uncover these alerts.

How to use Splunk software for this use case

  • Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment.
  • To optimize the searches, you should specify an index and a time range when appropriate. 

Detection searches

► Detect spike in AWS security hub alerts for Elastic Compute Cloud (EC2) instance

Ensure you have configured your Security Hub inputs.

This search looks for a spike in the number of AWS Security Hub alerts for an EC2 instance in 4-hour intervals.

The threshold_value should be tuned to your environment, and you should schedule these searches according to the bucket span interval.

| search ("Resources{}.Type"=AWSEC2Instance sourcetype="aws:securityhub:finding") 
| bucket span=4h _time 
| stats count AS alerts values(Title) AS Title values(Types{}) AS Types values(vendor_account) AS vendor_account values(vendor_region) AS vendor_region values(severity) AS severity BY _time dest 
| eventstats avg(alerts) AS total_alerts_avg, stdev(alerts) AS total_alerts_stdev 
| eval threshold_value=3, isOutlier=if((alerts > (total_alerts_avg + (total_alerts_stdev * threshold_value))),1,0)
| search isOutlier=1 
| table _time, dest, alerts, Title, Types, vendor_account, vendor_region, severity, isOutlier, total_alerts_avg

► Detect spike in AWS security hub alerts for user

Ensure you have configured your Security Hub inputs.

This search looks for a spike in the number of AWS Security Hub alerts for an AWS IAM user in 4-hour intervals.

The threshold_value should be tuned to your environment and you should schedule these searches according to the bucket span interval.

| search ("findings{}.Resources{}.Type"=AwsIamUser sourcetype="aws:securityhub:finding") 
| rename "findings{}.Resources{}.Id" AS user 
| bucket span=4h _time 
| stats count AS alerts BY _time user 
| eventstats avg(alerts) AS total_launched_avg, stdev(alerts) AS total_launched_stdev 
| eval threshold_value=2, isOutlier=if((alerts > (total_launched_avg + (total_launched_stdev * threshold_value))),1,0)
| search isOutlier=1 
| table _time, user, alerts
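Both spike searches above use the same outlier rule: count findings per 4-hour bucket per entity, take the average and standard deviation over every resulting row, and flag rows more than threshold_value standard deviations above the average. The following Python is an added example, not Splunk's code, that re-implements that rule on constructed findings (the instance ids and timestamps are placeholders) so the threshold arithmetic can be checked outside Splunk.

```python
"""Added example, not Splunk's code: mirrors the 4-hour bucket spike logic
of the Security Hub searches (stats count BY _time dest, eventstats avg and
stdev over all rows, alerts > avg + stdev * threshold_value)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev

BUCKET_SECONDS = 4 * 3600  # "bucket span=4h _time"; Splunk aligns bins to epoch 0 UTC
THRESHOLD_VALUE = 3        # "eval threshold_value=3" in the EC2 search (2 in the user search)


def build_findings():
    """Constructed sample data as (timestamp, dest); ids are placeholders."""
    start = datetime(2024, 3, 1, tzinfo=timezone.utc)
    findings = []
    # Baseline: one finding per 4-hour bucket for each of two instances (10 buckets).
    for h in range(0, 40, 4):
        for dest in ("i-0aaa", "i-0bbb"):
            findings.append((start + timedelta(hours=h, minutes=7), dest))
    # Burst: nine findings for i-0bbb inside one later bucket (16:00-20:00 UTC, day 2).
    for m in range(0, 45, 5):
        findings.append((start + timedelta(hours=41, minutes=m), "i-0bbb"))
    return findings


def detect_spikes(findings, threshold_value=THRESHOLD_VALUE):
    """Return the rows the SPL would keep after 'search isOutlier=1'."""
    # stats count AS alerts BY _time dest
    counts = Counter()
    for ts, dest in findings:
        bucket = int(ts.timestamp()) // BUCKET_SECONDS * BUCKET_SECONDS
        counts[(bucket, dest)] += 1
    alerts = list(counts.values())
    # eventstats with no BY clause: one average and one sample standard
    # deviation over every (_time, dest) row, the spike row included.
    total_alerts_avg = mean(alerts)
    total_alerts_stdev = stdev(alerts) if len(alerts) > 1 else 0.0
    cutoff = total_alerts_avg + total_alerts_stdev * threshold_value
    return [
        {"_time": datetime.fromtimestamp(b, timezone.utc).isoformat(),
         "dest": d, "alerts": n, "total_alerts_avg": round(total_alerts_avg, 3)}
        for (b, d), n in sorted(counts.items()) if n > cutoff
    ]


if __name__ == "__main__":
    for row in detect_spikes(build_findings()):
        print(row)
```

Because the spike row is part of the population that eventstats averages, a short baseline (few buckets) inflates the standard deviation enough to hide the very spike being looked for, which is one reason the threshold_value and the search time range need tuning together.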

Investigative searches

► Investigate user activities by ARN

Ensure you have configured your CloudTrail inputs.

This search lists all the logged CloudTrail activities by a specific user Amazon Resource Name (ARN) and creates a table containing the source of the user, the region of the activity, the name and type of the event, the action taken, and all the user's identity information.

| search sourcetype=aws:cloudtrail userIdentity.arn={arn} 
| table _time userIdentity.type userIdentity.userName userIdentity.arn aws_account_id src awsRegion eventName eventType
► Get EC2 instance details

Ensure you have configured your AWS description inputs.

This search queries AWS description logs and returns all the information about a specific instance via the instanceId field.

| search sourcetype=aws:cloudtrail responseElements.instancesSet.items{}.instanceId={dest} 
| rename userIdentity.arn AS arn, responseElements.instancesSet.items{}.instanceId AS instanceId, responseElements.instancesSet.items{}.privateIpAddress AS privateIpAddress, responseElements.instancesSet.items{}.imageId AS amiID, responseElements.instancesSet.items{}.architecture AS architecture, responseElements.instancesSet.items{}.keyName AS keyName 
| table arn, awsRegion, instanceId, architecture, privateIpAddress, amiID, keyName
► Get EC2 launch details

Ensure you have configured your AWS description inputs.

This search returns key launch details for an EC2 instance.

| search sourcetype=aws:cloudtrail responseElements.instancesSet.items{}.instanceId={dest} 
| rename userIdentity.arn AS arn, responseElements.instancesSet.items{}.instanceId AS instanceId, responseElements.instancesSet.items{}.privateIpAddress AS privateIpAddress, responseElements.instancesSet.items{}.imageId AS amiID, responseElements.instancesSet.items{}.architecture AS architecture, responseElements.instancesSet.items{}.keyName AS keyName 
| table arn, awsRegion, instanceId, architecture, privateIpAddress, amiID, keyName

Next steps

The content in this article comes from Splunk Enterprise Security (ES). As a Splunk premium security solution, ES solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of an organization's security posture with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises, or hybrid deployment models. If you have questions about this use case, see the Security Research team's support options on GitHub.

In addition, Splunk Enterprise Security provides a number of other searches to help reinforce your Cloud Security posture, including:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.