UEBA Multi-Source Anomalous Activity Overview

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

Retrieves and displays anomalous activity detected across multiple identity and cloud sources (AWS CloudTrail, Okta, GCP Audit Logs, and general authentication events) using UEBA anomaly templates. The query provides key details such as timestamp, workspace, anomaly type, score, description, and associated insights (user, device, activity) along with MITRE ATT&CK tactics and techniques for deeper investigation.

Attribute	Value
Type	Hunting Query
Solution	UEBA Essentials
ID	b2c3d4e5-f6g7-8901-bcde-fg2345678901
Tactics	InitialAccess, CredentialAccess, Persistence, PrivilegeEscalation
Techniques	T1078, T1110, T1556, T1548
Required Connectors	BehaviorAnalytics
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
Anomalies	AnomalyTemplateName in "UEBA Anomalous Activity in GCP Audit Logs,UEBA Anomalous Activity in Okta_CL,UEBA Anomalous Authentication,UEBA Anomalous Logon in AwsCloudTrail,UEBA Anomalous MFA Failures in Okta_CL"	✓	✓	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Hunting Queries · Back to UEBA Essentials