Anomalies Suspicious Volume Of Logins To User Account With Elevated Token
Query
Anomalies
| where RuleName endswith "Suspicious volume of logins to user account with elevated token" and RuleStatus != "Flighting"
| extend
Query = ExtendedLinks[0]["DetailBladeInputs"],
LoginCount = toint(AnomalyDetails["Observables"][0]["Value"]),
ExpectedLoginCount = toint(AnomalyDetails["Observables"][0]["TypicalObservations"]["Expected count"])
| project
TimeGenerated,
RuleName,
Description,
Query,
UserName,
LoginCount,
ExpectedLoginCount,
Score,
AnomalyDetails,
Entities,
Tactics,
Techniques,
ExtendedLinksExplanation
This query is looking for anomalies where the rule name ends with "Suspicious volume of logins to user account with elevated token" and the rule status is not "Flighting". It then extends the query to include additional information such as the login count, expected login count, and the query details. Finally, it projects various fields including the time generated, rule name, description, query, username, login count, expected login count, score, anomaly details, entities, tactics, techniques, and extended links.
Details

Jose Sebastián Canós
Released: December 15, 2022
Tables
Anomalies
Keywords
AnomaliesRuleNameRuleStatusQueryLoginCountExpectedLoginCountTimeGeneratedDescriptionUserNameScoreAnomalyDetailsEntitiesTacticsTechniquesExtendedLinks
Operators
whereendswith!=extendtointproject