If you look at the AWS documentation and notes found in the references below, it will tell you "Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment".  You can also tell that multiple use cases share the same logic with the 719 and 720. To answer your question, I reverse engineered the use case and you can tell that it is simply using the standard algorithm with two deltas over "N". Knowing this, it means N=720 is the "number of sample results", aka DataPoints,  in the dataset that is being examined. 719 is actually "N-1" which is just applying the Bessel's Correction which is used to correct the bias in the estimation of the population variance. So basically, you are suppose to replace the N and the N-1 with the number of DataPoints in your actual search and not use 719 or 720. Also note, you can see that multiple use cases for AWS use the same logic in the references I listed below. This is likely because I know you can build use cases on top of the same logic but just change your main search and conditions a little bit to meet your criteria.  With that said, it is likely that these use cases were tested against the same dataset hence they all have the 719 and 720 in the logic.   AWS References: https://lantern.splunk.com/Security_Use_Case_Guidance/Threat_Intelligence_and_Threat_Hunting/Cloud_Security_Monitoring/Detecting_AWS_network_ACL_activity https://research.splunk.com/deprecated/detect_spike_in_aws_api_activity/ https://research.splunk.com/deprecated/detect_spike_in_security_group_activity/ https://research.splunk.com/deprecated/detect_spike_in_network_acl_activity/ Algorithm References: https://www.johndcook.com/blog/standard_deviation/ https://www.mathsisfun.com/data/standard-deviation.html https://jonisalonen.com/2013/deriving-welfords-method-for-computing-variance/ https://www.khanacademy.org/math/statistics-probability/summarizing-quantitative-data/variance-standard-deviation-population/a/calculating-standard-deviation-step-by-step https://opentextbc.ca/introstatopenstax/chapter/mean-or-expected-value-and-standard-deviation/ https://www.intmath.com/blog/mathematics/calculating-probability-with-mean-and-deviation-12536#:~:text=Conclusion,%2F%20%CF%83%20 https://www.math.arizona.edu/~rsims/ma464/standardnormaltable.pdf     ... View more

You may find that ML is overkill for this particular use-case. Consider Apache web logs, for example, which can be configured to include the RequestTimeSeconds, which is the time taken to process a request. You could then create an alert with something like the following: index=weblogs earliest=-30m@m | eventstats count, avg(RequestTimeSeconds) as avg_rts, stdev(RequestTimeSeconds) as stdev_rts by url | where RequestTimeSeconds>(2*stdev_avg+avg_rts) AND count>10 This will give you a list of URLs that have been accessed more than 10 times, and have occurrences where the time to respond has been over 2 standard deviations above the average (per each URL). You can extend this pattern to looking at SQL logs, authentication logs, etc... You can make a longer time window to develop baselines for, keep track on a daily/weekly/monthly basis, make the limits more than 2 standard deviations above the normal, require more than 10, aggregate based on source/client, etc... You will need to play around with these values to determine values that aren't too noisy, yet detect what you are looking for. ... View more

Hello @alemarzu  Thanks so much for the explanation, it is now better cleared out for me. Regards, ... View more

Hello @richgalloway, Thanks so much for replying back, Well I checked that information but there is no record to track whenever I change the status in the investigation feature. I was thinking that maybe with the audit index but I will need to look it closely. Thanks, ... View more