Anomalies UEBA Anomalous Failed Sign In
Query
Anomalies
| where RuleName endswith "UEBA Anomalous Failed Sign-in" and RuleStatus != "Flighting"
| extend
Query = ExtendedLinks[0]["DetailBladeInputs"]
| project
TimeGenerated,
RuleName,
Description,
Query,
UserPrincipalName,
ActivityInsights,
DeviceInsights,
UserInsights,
Score,
AnomalyDetails,
Entities,
Tactics,
Techniques,
ExtendedLinksExplanation
This query is filtering anomalies based on a specific rule name and rule status. It then extends the query to include additional details and projects specific columns of data.
Details

Jose Sebastián Canós
Released: July 18, 2023
Tables
Anomalies
Keywords
AnomaliesRuleNameRuleStatusQueryTimeGeneratedDescriptionUserPrincipalNameActivityInsightsDeviceInsightsUserInsightsScoreAnomalyDetailsEntitiesTacticsTechniquesExtendedLinks
Operators
whereendswith!=extendproject