What Changed

Expands the UEBA Essentials solution from 20 to 26 hunting queries by adding six new queries that extend detection coverage to AWS CloudTrail, GCP Audit Logs, Okta and Microsoft Defender for Endpoint. Existing queries receive enhanced entity mappings and accuracy improvements, and typos are corrected throughout the solution.

New Multi-Cloud Detection Coverage

  • Anomalous AWS Console Login Without MFA from Uncommon Country: Detects console access without MFA from unusual geographic locations
  • Anomalous First-Time Device Logon: Uses Microsoft Defender for Endpoint (MDE) data to detect first-time device logons and first-time user-to-IP associations
  • Anomalous GCP IAM Activity: Monitors privilege escalation and IAM modifications in Google Cloud Platform
  • Anomalous High-Privileged Role Assignment: Detects privilege-escalation attempts via assignment of high-privileged roles
  • Anomalous Okta First-Time or Uncommon Actions: Identifies unusual Okta administrative activities and geographic anomalies
  • UEBA Multi-Source Anomalous Activity Overview: Unified view across AWS CloudTrail, Okta, GCP Audit Logs, and authentication events
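The AWS, Okta and GCP queries above all share one shape: normalize a source-specific event into a common activity record, compare it against what the user has done before, and flag first-time or uncommon values (for the AWS query, additionally the absence of MFA). The following Python prototype, added here as an illustration and not the solution's own KQL, shows that logic end to end over constructed sample events. The CloudTrail, Okta System Log and GCP audit-log field names follow the real formats; the `GEOIP` table stands in for the GeoIP enrichment UEBA applies, the sample events and user names are constructed, and the rule names are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Stand-in for UEBA's GeoIP enrichment (constructed data, not real geolocation).
GEOIP = {"203.0.113.10": "US", "203.0.113.11": "US",
         "192.0.2.44": "RO", "198.51.100.7": "DE"}


@dataclass
class Activity:
    """Common record the three sources are normalized into."""
    source: str             # "AWS", "Okta" or "GCP"
    user: str
    action: str
    ip: str
    country: str
    success: bool
    mfa: Optional[bool]     # None when the source carries no MFA signal
    federated: bool = False  # AWS: SAML-federated login, MFA is enforced at the IdP


def normalize_aws(ev):
    """CloudTrail ConsoleLogin -> Activity; other CloudTrail events are ignored."""
    if ev.get("eventName") != "ConsoleLogin":
        return None
    add = ev.get("additionalEventData") or {}
    ident = ev.get("userIdentity") or {}
    ip = ev.get("sourceIPAddress", "")
    return Activity("AWS", ident.get("userName") or ident.get("arn", "?"),
                    "ConsoleLogin", ip, GEOIP.get(ip, "??"),
                    (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success",
                    add.get("MFAUsed") == "Yes", "SamlProviderArn" in add)


def normalize_okta(ev):
    """Okta System Log entry -> Activity (country is carried in the log itself)."""
    client = ev.get("client") or {}
    geo = client.get("geographicalContext") or {}
    return Activity("Okta", (ev.get("actor") or {}).get("alternateId", "?"),
                    ev.get("eventType", "?"), client.get("ipAddress", ""),
                    geo.get("country", "??"),
                    (ev.get("outcome") or {}).get("result") == "SUCCESS", None)


def normalize_gcp(entry):
    """GCP Cloud Audit Log entry -> Activity keyed on protoPayload.methodName."""
    p = entry.get("protoPayload") or {}
    ip = (p.get("requestMetadata") or {}).get("callerIp", "")
    return Activity("GCP", (p.get("authenticationInfo") or {}).get("principalEmail", "?"),
                    p.get("methodName", "?"), ip, GEOIP.get(ip, "??"),
                    not (p.get("status") or {}).get("code"), None)  # code 0/absent = success


def build_baseline(history):
    """Per (source, user): countries connected from and actions performed (successes only)."""
    base = defaultdict(lambda: {"countries": set(), "actions": set()})
    for a in history:
        if a is not None and a.success:
            base[(a.source, a.user)]["countries"].add(a.country)
            base[(a.source, a.user)]["actions"].add(a.action)
    return base


def detect(history, recent):
    """Return (source, user, rule, value) findings for recent activities vs. the baseline."""
    base = build_baseline(history)
    findings = []
    for a in recent:
        if a is None or not a.success:      # failed logins belong to the brute-force query
            continue
        seen = base.get((a.source, a.user), {"countries": set(), "actions": set()})
        uncommon_country = a.country not in seen["countries"]
        # SAML-federated console logins report MFAUsed=No even when the IdP enforced MFA,
        # so they are excluded here rather than raised as false positives.
        if (a.source == "AWS" and a.action == "ConsoleLogin" and a.mfa is False
                and not a.federated and uncommon_country):
            findings.append((a.source, a.user, "ConsoleLoginWithoutMfaFromUncommonCountry", a.country))
        if uncommon_country:
            findings.append((a.source, a.user, "FirstTimeCountry", a.country))
        if a.action not in seen["actions"]:
            findings.append((a.source, a.user, "FirstTimeAction", a.action))
    return findings


def sample_events():
    """Constructed history and recent events for the three sources."""
    aws_ok = {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
              "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "Yes"},
              "responseElements": {"ConsoleLogin": "Success"}}
    okta_ok = {"eventType": "user.session.start", "actor": {"alternateId": "carol@example.com"},
               "client": {"ipAddress": "203.0.113.11", "geographicalContext": {"country": "US"}},
               "outcome": {"result": "SUCCESS"}}
    gcp_ok = {"protoPayload": {"methodName": "storage.buckets.list",
                               "authenticationInfo": {"principalEmail": "dave@example.com"},
                               "requestMetadata": {"callerIp": "203.0.113.10"}}}
    history = [normalize_aws(aws_ok), normalize_okta(okta_ok), normalize_gcp(gcp_ok)]
    recent = [
        normalize_aws({**aws_ok, "sourceIPAddress": "192.0.2.44",
                       "additionalEventData": {"MFAUsed": "No"}}),                 # alice, RO, no MFA
        normalize_aws({**aws_ok, "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::1:assumed-role/Admin/bob"},
                       "sourceIPAddress": "192.0.2.44",
                       "additionalEventData": {"MFAUsed": "No", "SamlProviderArn": "arn:aws:iam::1:saml-provider/Okta"}}),
        normalize_aws({**aws_ok, "userIdentity": {"type": "IAMUser", "userName": "mallory"},
                       "sourceIPAddress": "192.0.2.44", "additionalEventData": {"MFAUsed": "No"},
                       "responseElements": {"ConsoleLogin": "Failure"}}),        # failed, skipped
        normalize_okta({**okta_ok, "client": {"ipAddress": "198.51.100.7",
                                              "geographicalContext": {"country": "DE"}}}),
        normalize_gcp({"protoPayload": {**gcp_ok["protoPayload"], "methodName": "SetIamPolicy"}}),
    ]
    return history, recent


if __name__ == "__main__":
    for finding in detect(*sample_events()):
        print(finding)
```

In the real solution the baseline comes from UEBA's `BehaviorAnalytics` insights rather than a hand-built history, but the decision points are the same: success-only baselines, a separate path for failed logins, and an explicit carve-out for federated AWS logins whose `MFAUsed` value does not reflect IdP-side MFA.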

MITRE Mapping

  • T1078: Valid Accounts (AWS, Okta, GCP authentication anomalies)
  • T1110: Brute Force (failed login pattern detection)
  • T1098: Account Manipulation (privilege escalation detection)
  • T1548: Abuse Elevation Control Mechanism (GCP IAM anomalies)
  • T1021: Remote Services (device logon anomalies)
  • T1556: Modify Authentication Process (Okta configuration changes)

Affected Files

Solutions/UEBA Essentials/Hunting Queries/Anomalous AWS Console Login Without MFA from Uncommon Country.yaml
Solutions/UEBA Essentials/Hunting Queries/Anomalous First-Time Device Logon.yaml
Solutions/UEBA Essentials/Hunting Queries/Anomalous GCP IAM Activity.yaml
Solutions/UEBA Essentials/Hunting Queries/Anomalous High-Privileged Role Assignment.yaml
Solutions/UEBA Essentials/Hunting Queries/Anomalous Okta First-Time or Uncommon Actions.yaml
Solutions/UEBA Essentials/Hunting Queries/UEBA Multi-Source Anomalous Activity Overview.yaml
(16 existing queries updated with enhanced entity mappings and improved accuracy)
(packaging artefacts: Data/Solution_UEBA.json, Package/*.json, documentation files)