Anomalies Suspicious Volume Of AWS Write API Calls From A User Account
Query
// In the returned Query substitute
// reverse(split(reverse(tostring(UserIdentityArn)),"/",0))
// by
// split(UserIdentityArn,"/",0)[-1]
Anomalies
| where RuleName endswith "Suspicious volume of AWS write API calls from a user account" and RuleStatus != "Flighting"
| extend
Query = ExtendedLinks[0]["DetailBladeInputs"]
| project
TimeGenerated,
RuleName,
Description,
Query,
UserName,
Score,
AnomalyDetails,
Entities,
Tactics,
Techniques,
ExtendedLinksExplanation
This query filters anomalies where the rule name ends with "Suspicious volume of AWS write API calls from a user account" and the rule status is not "Flighting". It then extends the Query column with the value from the first element of the ExtendedLinks array's DetailBladeInputs property. Finally, it projects several columns including TimeGenerated, RuleName, Description, Query, UserName, Score, AnomalyDetails, Entities, Tactics, Techniques, and ExtendedLinks.
Details

Jose Sebastián Canós
Released: December 15, 2022
Tables
Anomalies
Keywords
AnomaliesRuleNameRuleStatusExtendedLinksTimeGeneratedDescriptionQueryUserNameScoreAnomalyDetailsEntitiesTacticsTechniques
Operators
whereendswith!=extendproject