UEBA Multi-Source Anomalous Activity Overview

Retrieves and displays anomalous activity detected across multiple identity and cloud sources (AWS CloudTrail, Okta, GCP Audit Logs, and general authentication events) using UEBA anomaly templates. The query provides key details such as timestamp, workspace, anomaly type, score, description, and associated insights (user, device, activity) along with MITRE ATT&CK tactics and techniques for deeper investigation.

Attribute            Value
Type                 Hunting Query
Solution             UEBA Essentials
ID                   b2c3d4e5-f6g7-8901-bcde-fg2345678901
Tactics              InitialAccess, CredentialAccess, Persistence, PrivilegeEscalation
Techniques           T1078, T1110, T1556, T1548
Required Connectors  BehaviorAnalytics
Source               View on GitHub

Tables Used

This content item queries data from the following tables:

Table       Transformations   Ingestion API   Lake-Only
Anomalies   ?
