The security command should analyze CloudTrail and look for most common incidents.

A useful list of reference incidents can be found in https://github.com/easttimor/aws-incident-response#incidents