Query Details

Anomalies UEBA Anomalous Failed Sign In

Query

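Anomalies
// Keep only the UEBA Anomalous Failed Sign-in rule, excluding records whose RuleStatus is "Flighting"
| where RuleName endswith "UEBA Anomalous Failed Sign-in" and RuleStatus != "Flighting"
// Expose the DetailBladeInputs field of the first extended link as its own column
| extend
    Query = ExtendedLinks[0]["DetailBladeInputs"]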
| project
    TimeGenerated,
    RuleName,
    Description,
    Query,
    UserPrincipalName,
    ActivityInsights,
    DeviceInsights,
    UserInsights,
    Score,
    AnomalyDetails,
    Entities,
    Tactics,
    Techniques,
    ExtendedLinks

Explanation

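This query filters the Anomalies table for records whose rule name ends with "UEBA Anomalous Failed Sign-in" and whose rule status is not "Flighting". It then adds a Query column taken from the DetailBladeInputs field of the first ExtendedLinks entry, and projects that column together with the timestamp, rule name, description, user principal name, insight columns, score, anomaly details, entities, tactics, techniques and the original ExtendedLinks.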

Details

Jose Sebastián Canós

Released: July 18, 2023

Tables

Anomalies

Keywords

Anomalies, RuleName, RuleStatus, Query, TimeGenerated, Description, UserPrincipalName, ActivityInsights, DeviceInsights, UserInsights, Score, AnomalyDetails, Entities, Tactics, Techniques, ExtendedLinks

Operators

where, endswith, !=, extend, project