Anomalies Suspicious Volume Of AWS API Calls From Non AWS Source IP Address From A User Account Id Per Workspace On A Daily Basis
Query
Anomalies
| where RuleName endswith "Suspicious volume of AWS API calls from Non-AWS source IP address from a user account id per workspace on a daily basis" and RuleStatus != "Flighting"
| extend
Query = ExtendedLinks[0]["DetailBladeInputs"],
CallCount = toint(AnomalyDetails["Observables"][0]["Value"]),
ExpectedCallCount = toint(AnomalyDetails["Observables"][0]["TypicalObservations"]["Expected count"])
| project
TimeGenerated,
RuleName,
Description,
Query,
UserName,
CallCount,
ExpectedCallCount,
Score,
AnomalyDetails,
Entities,
Tactics,
Techniques,
ExtendedLinksExplanation
This query is looking for anomalies related to suspicious volumes of AWS API calls from non-AWS source IP addresses for a specific user account in each workspace on a daily basis. It excludes any anomalies that are in the "Flighting" status. The query then extends the results to include additional information such as the query details, the number of API calls, the expected number of API calls, and other relevant fields. Finally, it projects the selected fields for further analysis.
Details

Jose Sebastián Canós
Released: December 15, 2022
Tables
Anomalies
Keywords
AnomaliesRuleNameRuleStatusExtendedLinksQueryCallCountAnomalyDetailsTimeGeneratedDescriptionUserNameExpectedCallCountScoreEntitiesTacticsTechniques
Operators
whereendswith!=extendtointproject