baseline_of_security_group_activity_by_arn.yml

name: Baseline of Security Group Activity by ARN
id: fc0edd96-ff2b-48b0-9f1f-63da3783fd63
version: 1
date: '2018-04-17'
description: This search establishes, on a per-hour basis, the average and the standard
  deviation for the number of API calls related to security groups made by each user.
  Also recorded is the number of data points for each user. This table is then outputted
  to a lookup file to allow the detection search to operate quickly.
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
  and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail
  inputs. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.
author: Bhavin Patel, Splunk
search: sourcetype=aws:cloudtrail `security_group_api_calls` | spath output=arn path=userIdentity.arn
  | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls)
  as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls,
  stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints,
  avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | stats
  count
tags:
  analytics_story:
  - AWS User Monitoring
  detections:
  - Detect Spike in Security Group Activity