KQL Search

Query Details

Anomalies Suspicious Volume Of AWS API Calls From Non AWS Source IP Address From A User Account Id Per Workspace On A Daily Basis

Query

Anomalies
| where RuleName endswith "Suspicious volume of AWS API calls from Non-AWS source IP address from a user account id per workspace on a daily basis" and RuleStatus != "Flighting"
| extend
    Query = ExtendedLinks[0]["DetailBladeInputs"],
    CallCount = toint(AnomalyDetails["Observables"][0]["Value"]),
    ExpectedCallCount = toint(AnomalyDetails["Observables"][0]["TypicalObservations"]["Expected count"])
| project
    TimeGenerated,
    RuleName,
    Description,
    Query,
    UserName,
    CallCount,
    ExpectedCallCount,
    Score,
    AnomalyDetails,
    Entities,
    Tactics,
    Techniques,
    ExtendedLinks

Explanation

This query is looking for anomalies related to suspicious volumes of AWS API calls from non-AWS source IP addresses for a specific user account in each workspace on a daily basis. It excludes any anomalies that are in the "Flighting" status. The query then extends the results to include additional information such as the query details, the number of API calls, the expected number of API calls, and other relevant fields. Finally, it projects the selected fields for further analysis.

Details

Jose Sebastián Canós

Released: December 15, 2022

Tables

Anomalies

Keywords

Anomalies,RuleName,RuleStatus,ExtendedLinks,Query,CallCount,AnomalyDetails,TimeGenerated,Description,UserName,ExpectedCallCount,Score,Entities,Tactics,Techniques

Operators

whereendswith!=extendtointproject

KQL Search

Anomalies Suspicious Volume Of AWS API Calls From Non AWS Source IP Address From A User Account Id Per Workspace On A Daily Basis

Query

Explanation

Details

Actions