Anomalies Suspicious Volume Of Logins To User Account By Logon Types
Query
Anomalies
| where RuleName endswith "Suspicious volume of logins to user account by logon types" and RuleStatus != "Flighting"
| extend
Query = ExtendedLinks[0]["DetailBladeInputs"],
LogonType = tostring(AnomalyDetails["Observables"][1]["Value"]),
LoginCount = toint(AnomalyDetails["Observables"][0]["Value"]),
ExpectedLoginCount = toint(AnomalyDetails["Observables"][0]["TypicalObservations"]["Expected count"])
| project
TimeGenerated,
RuleName,
Description,
Query,
UserName,
LogonType,
LoginCount,
ExpectedLoginCount,
Score,
AnomalyDetails,
Entities,
Tactics,
Techniques,
ExtendedLinksExplanation
This query is looking for anomalies related to a suspicious volume of logins to user accounts based on different logon types. It filters out any anomalies that are in a "Flighting" status. It then extends the query to include additional information such as the logon type, login count, and expected login count. Finally, it projects various fields including the time generated, rule name, description, query, username, logon type, login count, expected login count, score, anomaly details, entities, tactics, techniques, and extended links.
Details

Jose Sebastián Canós
Released: December 15, 2022
Tables
Anomalies
Keywords
AnomaliesRuleNameRuleStatusExtendedLinksQueryLogonTypeLoginCountExpectedLoginCountTimeGeneratedDescriptionUserNameScoreAnomalyDetailsEntitiesTacticsTechniques
Operators
whereendswith!=extendtostringtointproject