Query Details
Anomalies Suspicious Volume Of Failed Login Attempts To AWS Console By Each Group User Account
Query
Anomalies
| where RuleName endswith "Suspicious volume of failed login attempts to AWS Console by each group user account" and RuleStatus != "Flighting"
| extend
Query = ExtendedLinks[0]["DetailBladeInputs"],
AttemptCount = toint(AnomalyDetails["Observables"][0]["Value"])
| project
TimeGenerated,
RuleName,
Description,
Query,
UserName,
AttemptCount,
Score,
AnomalyDetails,
Entities,
Tactics,
Techniques,
ExtendedLinks
Explanation
This query is looking for anomalies related to a suspicious volume of failed login attempts to the AWS Console by each group user account. It filters out any anomalies that are in "Flighting" status. It then extends the query by extracting the detail blade inputs and the number of login attempts. Finally, it projects various fields including the time generated, rule name, description, query, username, attempt count, score, anomaly details, entities, tactics, techniques, and extended links.
Details
Jose Sebastián Canós
Released: December 15, 2022
Tables
Anomalies
Keywords
Anomalies,RuleName,RuleStatus,ExtendedLinks,Query,AttemptCount,TimeGenerated,Description,UserName,Score,AnomalyDetails,Entities,Tactics,Techniques
Operators
whereendswith!=extendtointproject