Anomalies Suspicious Volume Of Failed Login Attempts To AWS Console By Each Source IP Address
Query
Anomalies
| where RuleName endswith "Suspicious volume of failed login attempts to AWS Console by each source IP address" and RuleStatus != "Flighting"
| extend
Query = ExtendedLinks[0]["DetailBladeInputs"],
AttemptCount = toint(AnomalyDetails["Observables"][0]["Value"])
| project
TimeGenerated,
RuleName,
Description,
Query,
AttemptCount,
Score,
AnomalyDetails,
Entities,
Tactics,
Techniques,
ExtendedLinksExplanation
This query is looking for anomalies related to a suspicious volume of failed login attempts to the AWS Console. It filters out any anomalies that are in a "Flighting" status. It then extends the query to include the details of the anomaly and the number of login attempts. Finally, it projects several fields including the time generated, rule name, description, query, attempt count, score, anomaly details, entities, tactics, techniques, and extended links.
Details

Jose Sebastián Canós
Released: December 15, 2022
Tables
Anomalies
Keywords
AnomaliesRuleNameRuleStatusExtendedLinksQueryAttemptCountTimeGeneratedDescriptionScoreAnomalyDetailsEntitiesTacticsTechniques
Operators
whereendswith!=extendtointproject