Cloud API Calls From Previously Unseen User Roles

Description

This search looks for cloud API commands that have not previously been seen from each user role, as recorded in the baseline lookup of roles, commands, and times.

Help

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search Previously Seen Cloud API Calls Per User Role - Initial to build the initial table of user roles, commands, and times. You must also enable the second baseline search Previously Seen Cloud API Calls Per User Role - Update to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the cloud_api_calls_from_previously_unseen_user_roles_activity_window macro. You can also provide additional filtering for this search by customizing the cloud_api_calls_from_previously_unseen_user_roles_filter macro.

Search


Baseline Generation Searches

This detection relies on the following searches to generate the baseline lookup.

  • Previously Seen Cloud API Calls Per User Role - Initial
  • Previously Seen Cloud API Calls Per User Role - Update