Anomalies Suspicious Volume Of Failed Login Attempts To AWS Console By Each Group User Account
Query
Anomalies
| where RuleName endswith "Suspicious volume of failed login attempts to AWS Console by each group user account" and RuleStatus != "Flighting"
| extend
Query = ExtendedLinks[0]["DetailBladeInputs"],
AttemptCount = toint(AnomalyDetails["Observables"][0]["Value"])
| project
TimeGenerated,
RuleName,
Description,
Query,
UserName,
AttemptCount,
Score,
AnomalyDetails,
Entities,
Tactics,
Techniques,
ExtendedLinksExplanation
This query is looking for anomalies related to a suspicious volume of failed login attempts to the AWS Console by each group user account. It filters out any anomalies that are in "Flighting" status. It then extends the query by extracting the detail blade inputs and the number of login attempts. Finally, it projects various fields including the time generated, rule name, description, query, username, attempt count, score, anomaly details, entities, tactics, techniques, and extended links.
Details

Jose Sebastián Canós
Released: December 15, 2022
Tables
Anomalies
Keywords
AnomaliesRuleNameRuleStatusExtendedLinksQueryAttemptCountTimeGeneratedDescriptionUserNameScoreAnomalyDetailsEntitiesTacticsTechniques
Operators
whereendswith!=extendtointproject