If you look at the AWS documentation and notes found in the references below, it will tell you "Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment". You can also tell that multiple use cases share the same logic with the 719 and 720. To answer your question, I reverse engineered the use case and you can tell that it is simply using the standard algorithm with two deltas over "N". Knowing this, it means N=720 is the "number of sample results", aka DataPoints, in the dataset that is being examined. 719 is actually "N-1" which is just applying the Bessel's Correction which is used to correct the bias in the estimation of the population variance. So basically, you are suppose to replace the N and the N-1 with the number of DataPoints in your actual search and not use 719 or 720. Also note, you can see that multiple use cases for AWS use the same logic in the references I listed below. This is likely because I know you can build use cases on top of the same logic but just change your main search and conditions a little bit to meet your criteria. With that said, it is likely that these use cases were tested against the same dataset hence they all have the 719 and 720 in the logic. AWS References: https://lantern.splunk.com/Security_Use_Case_Guidance/Threat_Intelligence_and_Threat_Hunting/Cloud_Security_Monitoring/Detecting_AWS_network_ACL_activity https://research.splunk.com/deprecated/detect_spike_in_aws_api_activity/ https://research.splunk.com/deprecated/detect_spike_in_security_group_activity/ https://research.splunk.com/deprecated/detect_spike_in_network_acl_activity/ Algorithm References: https://www.johndcook.com/blog/standard_deviation/ https://www.mathsisfun.com/data/standard-deviation.html https://jonisalonen.com/2013/deriving-welfords-method-for-computing-variance/ https://www.khanacademy.org/math/statistics-probability/summarizing-quantitative-data/variance-standard-deviation-population/a/calculating-standard-deviation-step-by-step https://opentextbc.ca/introstatopenstax/chapter/mean-or-expected-value-and-standard-deviation/ https://www.intmath.com/blog/mathematics/calculating-probability-with-mean-and-deviation-12536#:~:text=Conclusion,%2F%20%CF%83%20 https://www.math.arizona.edu/~rsims/ma464/standardnormaltable.pdf
... View more