Query Details

Anomalies Suspicious Volume Of AWS Write API Calls From A User Account

Query

// The query returned in the Query column extracts the user name from the IAM ARN with
//   reverse(split(reverse(tostring(UserIdentityArn)),"/",0))
// Replace that expression with
//   split(UserIdentityArn, "/")[-1]
// which returns the last "/"-delimited segment of the ARN.
// Do not use split(UserIdentityArn, "/", 0)[-1]: the requestedIndex argument 0 makes
// split() return a one-element array holding only the first segment, so [-1] would
// yield the wrong part of the ARN.
Anomalies
| where RuleName endswith "Suspicious volume of AWS write API calls from a user account" and RuleStatus != "Flighting"
| extend
    Query = ExtendedLinks[0]["DetailBladeInputs"]
| project
    TimeGenerated,
    RuleName,
    Description,
    Query,
    UserName,
    Score,
    AnomalyDetails,
    Entities,
    Tactics,
    Techniques,
    ExtendedLinks

Explanation

The Anomalies table holds the output of Microsoft Sentinel's built-in anomaly rules. This query keeps only the rows produced by the rule whose name ends with "Suspicious volume of AWS write API calls from a user account" and drops rows whose RuleStatus is "Flighting", i.e. rules still running in flighting (test) mode rather than in production. It then reads the DetailBladeInputs property from the first element of the ExtendedLinks array, which holds the query behind the anomaly (the "returned Query" referred to in the comments above), into a new Query column so that the underlying CloudTrail query can be re-run or adapted for investigation. Finally, it projects TimeGenerated, RuleName, Description, Query, UserName, Score, AnomalyDetails, Entities, Tactics, Techniques and ExtendedLinks for triage.
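As an added worked example (not part of the original page or of the Sentinel rule's own query), the following KQL runs the ARN substitution from the comments above over a constructed datatable of CloudTrail-style UserIdentityArn values. It shows side by side what split(UserIdentityArn, "/", 0)[-1] actually returns (only the first segment) and what split(UserIdentityArn, "/")[-1] returns (the last segment), and it handles the edge cases where the last segment is not the user: a user under an IAM path, an assumed-role ARN whose last segment is the session name rather than the role, and the account root, which contains no "/" at all. The SampleArns name and the Principal column are illustrative assumptions.

```kql
// Constructed sample ARNs for illustration; not taken from real telemetry.
let SampleArns = datatable(UserIdentityArn:string) [
    "arn:aws:iam::123456789012:user/alice",
    "arn:aws:iam::123456789012:user/ops/bob",
    "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-session",
    "arn:aws:iam::123456789012:root",
    ""
];
SampleArns
| extend Parts = split(UserIdentityArn, "/")
// Last "/"-delimited segment: the user name for user ARNs, including users under an IAM path.
| extend LastSegment = tostring(Parts[-1])
// What split(..., "/", 0)[-1] actually returns: requestedIndex 0 yields a one-element
// array, so [-1] is just the first segment (the "arn:aws:iam::...:user" prefix).
| extend FirstSegmentOnly = tostring(split(UserIdentityArn, "/", 0)[-1])
// Principal worth pivoting on in AWSCloudTrail: the role name for assumed-role sessions
// (the session name is attacker-chosen and varies per STS call), "root" for the account
// root, and otherwise the last segment. Empty ARNs map to an empty principal.
| extend Principal = case(
    isempty(UserIdentityArn), "",
    UserIdentityArn contains ":assumed-role/", tostring(Parts[1]),
    UserIdentityArn endswith ":root", "root",
    LastSegment)
| project UserIdentityArn, FirstSegmentOnly, LastSegment, Principal
```

Paste the extend lines into the query recovered from the Query column in place of the reverse/split expression; the Principal column is the value to pivot on when hunting the write calls themselves in AWSCloudTrail, since a rename of the session name alone would otherwise split one actor across several rows.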

Details


Jose Sebastián Canós

Released: December 15, 2022

Tables

Anomalies

Keywords

Anomalies,RuleName,RuleStatus,ExtendedLinks,TimeGenerated,Description,Query,UserName,Score,AnomalyDetails,Entities,Tactics,Techniques

Operators

where,endswith,!=,extend,project
