Query Details
Anomalies Suspicious Volume Of Failed Login Attempts To AWS Console By Each Source IP Address
Query
Anomalies
| where RuleName endswith "Suspicious volume of failed login attempts to AWS Console by each source IP address" and RuleStatus != "Flighting"
| extend
Query = ExtendedLinks[0]["DetailBladeInputs"],
AttemptCount = toint(AnomalyDetails["Observables"][0]["Value"])
| project
TimeGenerated,
RuleName,
Description,
Query,
AttemptCount,
Score,
AnomalyDetails,
Entities,
Tactics,
Techniques,
ExtendedLinks
Explanation
This query is looking for anomalies related to a suspicious volume of failed login attempts to the AWS Console. It filters out any anomalies that are in a "Flighting" status. It then extends the query to include the details of the anomaly and the number of login attempts. Finally, it projects several fields including the time generated, rule name, description, query, attempt count, score, anomaly details, entities, tactics, techniques, and extended links.
Details
Jose Sebastián Canós
Released: December 15, 2022
Tables
Anomalies
Keywords
Anomalies,RuleName,RuleStatus,ExtendedLinks,Query,AttemptCount,TimeGenerated,Description,Score,AnomalyDetails,Entities,Tactics,Techniques
Operators
whereendswith!=extendtointproject