
AWS Access Token Used from Multiple Addresses

Status: production
Severity: medium
Time window: 32m
Group by: Esql.aws_cloudtrail_user_identity_access_key_id, Esql.time_window_date_trunc
Author: Elastic
Source: github.com/elastic/detection-rules

This rule identifies potentially suspicious activity by detecting instances where a single IAM user's temporary session token is accessed from multiple IP addresses within a short time frame. Such behavior may suggest that an adversary has compromised temporary credentials and is utilizing them from various locations. To enhance detection accuracy and minimize false positives, the rule incorporates criteria that evaluate unique IP addresses, user agents, cities, and networks. These additional checks help distinguish between legitimate distributed access patterns and potential credential misuse. Detected activities are classified into different types based on the combination of unique indicators, with each classification assigned a fidelity score reflecting the likelihood of malicious behavior. High fidelity scores are given to patterns most indicative of threats, such as multiple unique IPs, networks, cities, and user agents. Medium and low fidelity scores correspond to less severe patterns, enabling security teams to effectively prioritize alerts.

MITRE ATT&CK coverage

Rule body (elastic)

[metadata]
creation_date = "2025/04/11"
integration = ["aws"]
maturity = "production"
min_stack_version = "9.2.0"
min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
This rule identifies potentially suspicious activity by detecting instances where a single IAM user's temporary session
token is accessed from multiple IP addresses within a short time frame. Such behavior may suggest that an adversary has
compromised temporary credentials and is utilizing them from various locations. To enhance detection accuracy and
minimize false positives, the rule incorporates criteria that evaluate unique IP addresses, user agents, cities, and
networks. These additional checks help distinguish between legitimate distributed access patterns and potential
credential misuse. Detected activities are classified into different types based on the combination of unique
indicators, with each classification assigned a fidelity score reflecting the likelihood of malicious behavior. High
fidelity scores are given to patterns most indicative of threats, such as multiple unique IPs, networks, cities, and
user agents. Medium and low fidelity scores correspond to less severe patterns, enabling security teams to effectively
prioritize alerts.
"""
false_positives = [
    """
    Highly distributed environments (e.g., globally deployed automation or edge nodes) may cause a single IAM user to
    appear from multiple IPs. Review the geolocation, network context, and user agent patterns to rule out benign use.
    This rule automatically excludes console login sessions, reducing false positives from legitimate console-based access across VPN or network changes.
    """,
]
from = "now-32m"
interval = "15m"
language = "esql"
license = "Elastic License v2"
name = "AWS Access Token Used from Multiple Addresses"
note = """## Triage and analysis

### Investigating AWS Access Token Used from Multiple Addresses

Access tokens are bound to a single user. Usage from multiple IP addresses may indicate the token was stolen and used elsewhere. By correlating this with additional detection criteria like multiple user agents, different cities, and different networks, we can improve the fidelity of the rule and help to eliminate false positives associated with expected behavior, like dual-stack IPv4/IPv6 usage.

### Possible investigation steps

- **Identify the IAM User**: Examine the `aws.cloudtrail.user_identity.arn` stored in `user_id` and correlate with the `source.ips` stored in `ip_list` and `unique_ips` count to determine how widely the token was used.
- **Correlate Additional Detection Context**: Examine `activity_type` and `fidelity_score` to determine additional cities, networks or user agents associated with the token usage.
- **Determine Access Key Type**: Examine the `access_key_id` to determine whether the token is short-term (beginning with ASIA) or long-term (beginning with AKIA).
- **Check Recent MFA Events**: Determine whether the user recently enabled MFA, registered devices, or assumed a role using this token.
- **Review Workload Context**: Confirm whether the user was expected to be active across multiple cities, networks or user agent environments.
- **Trace Adversary Movement**: Pivot to related actions (e.g., `s3:ListBuckets`, `iam:ListUsers`, `sts:GetCallerIdentity`) to track further enumeration.

### False positive analysis

- Automation frameworks that rotate through multiple IPs or cloud functions with dynamic egress IPs may cause this alert to fire.
- Confirm geolocation and workload context before escalating.

### Response and remediation

- **Revoke the Token**: Disable or rotate the IAM credentials and invalidate the temporary session token.
- **Audit the Environment**: Look for signs of lateral movement or data access during the token's validity.
- **Strengthen Controls**: Require MFA for high-privilege actions, restrict access via policy conditions (e.g., IP range or device).

### Additional information

- [IAM Long-Term Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
- [STS Temporary Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
- [Using MFA with Temporary Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
- [AWS Threat Detection Use Cases](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html)
"""
references = ["https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"]
risk_score = 47
rule_id = "0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Data Source: AWS CloudTrail",
    "Tactic: Initial Access",
    "Use Case: Identity and Access Audit",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-aws.cloudtrail* metadata _id, _version, _index
| where data_stream.dataset == "aws.cloudtrail"
  and aws.cloudtrail.user_identity.arn is not null
  and aws.cloudtrail.user_identity.type == "IAMUser"
  and source.ip is not null
  and aws.cloudtrail.user_identity.access_key_id is not null
  and not aws.cloudtrail.session_credential_from_console == "true"
  and not (
    user_agent.original like "*Terraform*" or
    user_agent.original like "*Ansible*" or
    user_agent.original like "*Pulumi*"
  )
  and `source.as.organization.name` != "AMAZON-AES"
  and not ((
    `source.as.organization.name` == "AMAZON-02" and aws.cloudtrail.event_category == "Data"))
  and event.provider not in (
    "health.amazonaws.com", "monitoring.amazonaws.com", "notifications.amazonaws.com",
    "ce.amazonaws.com", "cost-optimization-hub.amazonaws.com",
    "servicecatalog-appregistry.amazonaws.com", "securityhub.amazonaws.com", 
    "account.amazonaws.com", "budgets.amazonaws.com", "freetier.amazonaws.com", "support.amazonaws.com",
    "support-console.amazonaws.com"
  )

| eval
  Esql.time_window_date_trunc = date_trunc(30 minutes, @timestamp),
  Esql.aws_cloudtrail_user_identity_arn = aws.cloudtrail.user_identity.arn,
  Esql.aws_cloudtrail_user_identity_access_key_id = aws.cloudtrail.user_identity.access_key_id,
  Esql.source_ip = source.ip,
  Esql.user_agent_original = user_agent.original,
  Esql.source_ip_string = to_string(source.ip),
  Esql.source_ip_user_agent_pair = concat(Esql.source_ip_string, " - ", user_agent.original),
  Esql.source_ip_city_pair = concat(Esql.source_ip_string, " - ", source.geo.city_name),
  Esql.source_geo_city_name = source.geo.city_name,
  Esql.source_network_org_name = `source.as.organization.name`,
  Esql.source_ip_network_pair = concat(Esql.source_ip_string, "-", `source.as.organization.name`),
  Esql.event_timestamp = @timestamp,
  Esql.data_stream_namespace = data_stream.namespace

| stats
  Esql.event_action_values = values(event.action),
  Esql.event_provider_count_distinct = count_distinct(event.provider),
  Esql.event_provider_values = values(event.provider),
  Esql.aws_cloudtrail_user_identity_access_key_id_values = values(Esql.aws_cloudtrail_user_identity_access_key_id),
  Esql.aws_cloudtrail_user_identity_arn_values = values(Esql.aws_cloudtrail_user_identity_arn),
  Esql.source_ip_values = values(Esql.source_ip),
  Esql.user_agent_original_values = values(Esql.user_agent_original),
  Esql.source_ip_user_agent_pair_values = values(Esql.source_ip_user_agent_pair),
  Esql.source_geo_city_name_values = values(Esql.source_geo_city_name),
  Esql.source_ip_city_pair_values = values(Esql.source_ip_city_pair),
  Esql.source_network_org_name_values = values(Esql.source_network_org_name),
  Esql.source_ip_network_pair_values = values(Esql.source_ip_network_pair),
  Esql.source_ip_count_distinct = count_distinct(Esql.source_ip),
  Esql.user_agent_original_count_distinct = count_distinct(Esql.user_agent_original),
  Esql.source_geo_city_name_count_distinct = count_distinct(Esql.source_geo_city_name),
  Esql.source_network_org_name_count_distinct = count_distinct(Esql.source_network_org_name),
  Esql.data_stream_namespace_values = values(Esql.data_stream_namespace),
  Esql.timestamp_first_seen = min(Esql.event_timestamp),
  Esql.timestamp_last_seen = max(Esql.event_timestamp),
  Esql.event_count = count()
  by Esql.time_window_date_trunc, Esql.aws_cloudtrail_user_identity_access_key_id

| eval
  Esql.activity_type = case(
    Esql.source_ip_count_distinct >= 2 and Esql.source_network_org_name_count_distinct >= 2 and Esql.source_geo_city_name_count_distinct >= 2 and Esql.user_agent_original_count_distinct >= 2, "multiple_ip_network_city_user_agent",
    Esql.source_ip_count_distinct >= 2 and Esql.source_network_org_name_count_distinct >= 2 and Esql.source_geo_city_name_count_distinct >= 2, "multiple_ip_network_city",
    Esql.source_ip_count_distinct >= 2 and Esql.source_geo_city_name_count_distinct >= 2, "multiple_ip_and_city",
    Esql.source_ip_count_distinct >= 2 and Esql.source_network_org_name_count_distinct >= 2, "multiple_ip_and_network",
    Esql.source_ip_count_distinct >= 2 and Esql.user_agent_original_count_distinct >= 2, "multiple_ip_and_user_agent",
    "normal_activity"
  ),
  Esql.activity_fidelity_score = case(
    Esql.activity_type == "multiple_ip_network_city_user_agent", "high",
    Esql.activity_type == "multiple_ip_network_city", "high",
    Esql.activity_type == "multiple_ip_and_city", "medium",
    Esql.activity_type == "multiple_ip_and_network", "medium",
    Esql.activity_type == "multiple_ip_and_user_agent", "low"
  )

| keep
  Esql.time_window_date_trunc,
  Esql.activity_type,
  Esql.activity_fidelity_score,
  Esql.event_count,
  Esql.timestamp_first_seen,
  Esql.timestamp_last_seen,
  Esql.aws_cloudtrail_user_identity_arn_values,
  Esql.aws_cloudtrail_user_identity_access_key_id_values,
  Esql.event_provider_count_distinct,
  Esql.event_action_values,
  Esql.event_provider_values,
  Esql.source_ip_values,
  Esql.user_agent_original_values,
  Esql.source_ip_user_agent_pair_values,
  Esql.source_geo_city_name_values,
  Esql.source_ip_city_pair_values,
  Esql.source_network_org_name_values,
  Esql.source_ip_network_pair_values,
  Esql.source_ip_count_distinct,
  Esql.user_agent_original_count_distinct,
  Esql.source_geo_city_name_count_distinct,
  Esql.source_network_org_name_count_distinct,
  Esql.data_stream_namespace_values

| where Esql.activity_fidelity_score == "high" and Esql.event_provider_count_distinct > 1

// this rule only alerts for "high" fidelity cases, to broaden the rule scope to include all activity
// change the final condition to 
// | where Esql.activity_type != "normal_activity" and Esql.event_provider_count_distinct > 1

'''

[rule.investigation_fields]
field_names = [
      "Esql.timestamp_first_seen",
      "Esql.timestamp_last_seen",
      "Esql.activity_type",
      "Esql.activity_fidelity_score",
      "Esql.event_count",
      "Esql.aws_cloudtrail_user_identity_arn_values",
      "Esql.aws_cloudtrail_user_identity_access_key_id_values",
      "Esql.event_action_values",
      "Esql.event_provider_values",
      "Esql.source_ip_values",
      "Esql.user_agent_original_values",
      "Esql.source_ip_user_agent_pair_values",
      "Esql.source_geo_city_name_values",
      "Esql.source_ip_city_pair_values",
      "Esql.source_network_org_name_values",
      "Esql.source_ip_network_pair_values",
      "Esql.source_ip_count_distinct",
      "Esql.user_agent_original_count_distinct",
      "Esql.source_geo_city_name_count_distinct",
      "Esql.source_network_org_name_count_distinct",
      "Esql.data_stream_namespace_values"
]


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

Stages and Predicates

Stage 1: from

from logs-aws.cloudtrail* metadata _id, _version, _index

Stage 2: where

| where data_stream.dataset == "aws.cloudtrail"
  and aws.cloudtrail.user_identity.arn is not null
  and aws.cloudtrail.user_identity.type == "IAMUser"
  and source.ip is not null
  and aws.cloudtrail.user_identity.access_key_id is not null
  and not aws.cloudtrail.session_credential_from_console == "true"
  and not (
    user_agent.original like "*Terraform*" or
    user_agent.original like "*Ansible*" or
    user_agent.original like "*Pulumi*"
  )
  and `source.as.organization.name` != "AMAZON-AES"
  and not ((
    `source.as.organization.name` == "AMAZON-02" and aws.cloudtrail.event_category == "Data"))
  and event.provider not in (
    "health.amazonaws.com", "monitoring.amazonaws.com", "notifications.amazonaws.com",
    "ce.amazonaws.com", "cost-optimization-hub.amazonaws.com",
    "servicecatalog-appregistry.amazonaws.com", "securityhub.amazonaws.com", 
    "account.amazonaws.com", "budgets.amazonaws.com", "freetier.amazonaws.com", "support.amazonaws.com",
    "support-console.amazonaws.com"
  )

Stage 3: eval

| eval
  Esql.time_window_date_trunc = date_trunc(30 minutes, @timestamp),
  Esql.aws_cloudtrail_user_identity_arn = aws.cloudtrail.user_identity.arn,
  Esql.aws_cloudtrail_user_identity_access_key_id = aws.cloudtrail.user_identity.access_key_id,
  Esql.source_ip = source.ip,
  Esql.user_agent_original = user_agent.original,
  Esql.source_ip_string = to_string(source.ip),
  Esql.source_ip_user_agent_pair = concat(Esql.source_ip_string, " - ", user_agent.original),
  Esql.source_ip_city_pair = concat(Esql.source_ip_string, " - ", source.geo.city_name),
  Esql.source_geo_city_name = source.geo.city_name,
  Esql.source_network_org_name = `source.as.organization.name`,
  Esql.source_ip_network_pair = concat(Esql.source_ip_string, "-", `source.as.organization.name`),
  Esql.event_timestamp = @timestamp,
  Esql.data_stream_namespace = data_stream.namespace

Stage 4: stats

| stats
  Esql.event_action_values = values(event.action),
  Esql.event_provider_count_distinct = count_distinct(event.provider),
  Esql.event_provider_values = values(event.provider),
  Esql.aws_cloudtrail_user_identity_access_key_id_values = values(Esql.aws_cloudtrail_user_identity_access_key_id),
  Esql.aws_cloudtrail_user_identity_arn_values = values(Esql.aws_cloudtrail_user_identity_arn),
  Esql.source_ip_values = values(Esql.source_ip),
  Esql.user_agent_original_values = values(Esql.user_agent_original),
  Esql.source_ip_user_agent_pair_values = values(Esql.source_ip_user_agent_pair),
  Esql.source_geo_city_name_values = values(Esql.source_geo_city_name),
  Esql.source_ip_city_pair_values = values(Esql.source_ip_city_pair),
  Esql.source_network_org_name_values = values(Esql.source_network_org_name),
  Esql.source_ip_network_pair_values = values(Esql.source_ip_network_pair),
  Esql.source_ip_count_distinct = count_distinct(Esql.source_ip),
  Esql.user_agent_original_count_distinct = count_distinct(Esql.user_agent_original),
  Esql.source_geo_city_name_count_distinct = count_distinct(Esql.source_geo_city_name),
  Esql.source_network_org_name_count_distinct = count_distinct(Esql.source_network_org_name),
  Esql.data_stream_namespace_values = values(Esql.data_stream_namespace),
  Esql.timestamp_first_seen = min(Esql.event_timestamp),
  Esql.timestamp_last_seen = max(Esql.event_timestamp),
  Esql.event_count = count()
  by Esql.time_window_date_trunc, Esql.aws_cloudtrail_user_identity_access_key_id

Stage 5: eval

| eval
  Esql.activity_type = case(
    Esql.source_ip_count_distinct >= 2 and Esql.source_network_org_name_count_distinct >= 2 and Esql.source_geo_city_name_count_distinct >= 2 and Esql.user_agent_original_count_distinct >= 2, "multiple_ip_network_city_user_agent",
    Esql.source_ip_count_distinct >= 2 and Esql.source_network_org_name_count_distinct >= 2 and Esql.source_geo_city_name_count_distinct >= 2, "multiple_ip_network_city",
    Esql.source_ip_count_distinct >= 2 and Esql.source_geo_city_name_count_distinct >= 2, "multiple_ip_and_city",
    Esql.source_ip_count_distinct >= 2 and Esql.source_network_org_name_count_distinct >= 2, "multiple_ip_and_network",
    Esql.source_ip_count_distinct >= 2 and Esql.user_agent_original_count_distinct >= 2, "multiple_ip_and_user_agent",
    "normal_activity"
  ),
  Esql.activity_fidelity_score = case(
    Esql.activity_type == "multiple_ip_network_city_user_agent", "high",
    Esql.activity_type == "multiple_ip_network_city", "high",
    Esql.activity_type == "multiple_ip_and_city", "medium",
    Esql.activity_type == "multiple_ip_and_network", "medium",
    Esql.activity_type == "multiple_ip_and_user_agent", "low"
  )
Decoded case() logic (same expressions as above; the first matching branch wins):

Esql.activity_fidelity_score =
  if   Esql.activity_type == "multiple_ip_network_city_user_agent"  -> "high"
  elif Esql.activity_type == "multiple_ip_network_city"             -> "high"
  elif Esql.activity_type == "multiple_ip_and_city"                 -> "medium"
  elif Esql.activity_type == "multiple_ip_and_network"              -> "medium"
  else                                                              -> "low"

Esql.activity_type =
  if   Esql.source_ip_count_distinct >= 2 and Esql.source_network_org_name_count_distinct >= 2 and Esql.source_geo_city_name_count_distinct >= 2 and Esql.user_agent_original_count_distinct >= 2  -> "multiple_ip_network_city_user_agent"
  elif Esql.source_ip_count_distinct >= 2 and Esql.source_network_org_name_count_distinct >= 2 and Esql.source_geo_city_name_count_distinct >= 2  -> "multiple_ip_network_city"
  elif Esql.source_ip_count_distinct >= 2 and Esql.source_geo_city_name_count_distinct >= 2  -> "multiple_ip_and_city"
  elif Esql.source_ip_count_distinct >= 2 and Esql.source_network_org_name_count_distinct >= 2  -> "multiple_ip_and_network"
  elif Esql.source_ip_count_distinct >= 2 and Esql.user_agent_original_count_distinct >= 2  -> "multiple_ip_and_user_agent"
  else  -> "normal_activity"

Stage 6: keep

| keep
  Esql.time_window_date_trunc,
  Esql.activity_type,
  Esql.activity_fidelity_score,
  Esql.event_count,
  Esql.timestamp_first_seen,
  Esql.timestamp_last_seen,
  Esql.aws_cloudtrail_user_identity_arn_values,
  Esql.aws_cloudtrail_user_identity_access_key_id_values,
  Esql.event_provider_count_distinct,
  Esql.event_action_values,
  Esql.event_provider_values,
  Esql.source_ip_values,
  Esql.user_agent_original_values,
  Esql.source_ip_user_agent_pair_values,
  Esql.source_geo_city_name_values,
  Esql.source_ip_city_pair_values,
  Esql.source_network_org_name_values,
  Esql.source_ip_network_pair_values,
  Esql.source_ip_count_distinct,
  Esql.user_agent_original_count_distinct,
  Esql.source_geo_city_name_count_distinct,
  Esql.source_network_org_name_count_distinct,
  Esql.data_stream_namespace_values

Stage 7: where

| where Esql.activity_fidelity_score == "high" and Esql.event_provider_count_distinct > 1
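To make the stage walkthrough concrete, the following is an added Python re-implementation of the rule's filter, grouping and scoring logic; it is not Elastic's code and not part of the rule. It runs over constructed CloudTrail-style records (made up for this example, keyed by the same ECS field names the query reads) and shows why a dual-stack client stays "normal_activity", why console and Terraform traffic never reaches the scoring stage, and how the commented-out broader final condition changes what alerts. The `make_event`, `classify`, `aggregate` and `alerts` names are this example's own; treating missing fields as simply "not matching" is an assumption noted in the code, since ES|QL's null comparisons can instead drop a row.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed reference time for the sample records (not real data).
T0 = datetime(2025, 4, 11, 10, 0, tzinfo=timezone.utc)

# Service providers the rule's `event.provider not in (...)` clause suppresses.
EXCLUDED_PROVIDERS = {
    "health.amazonaws.com", "monitoring.amazonaws.com", "notifications.amazonaws.com",
    "ce.amazonaws.com", "cost-optimization-hub.amazonaws.com",
    "servicecatalog-appregistry.amazonaws.com", "securityhub.amazonaws.com",
    "account.amazonaws.com", "budgets.amazonaws.com", "freetier.amazonaws.com",
    "support.amazonaws.com", "support-console.amazonaws.com",
}
# The rule's `user_agent.original like "*X*"` globs, as substring checks.
IAC_USER_AGENTS = ("Terraform", "Ansible", "Pulumi")


def make_event(minutes, key, ip, ua, city, org, provider, console="false", category="Management"):
    """Build one constructed CloudTrail-style record with the ECS fields the rule reads."""
    return {
        "@timestamp": T0 + timedelta(minutes=minutes),
        "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/example-user",
        "aws.cloudtrail.user_identity.type": "IAMUser",
        "aws.cloudtrail.user_identity.access_key_id": key,
        "aws.cloudtrail.session_credential_from_console": console,
        "aws.cloudtrail.event_category": category,
        "source.ip": ip, "user_agent.original": ua, "source.geo.city_name": city,
        "source.as.organization.name": org, "event.provider": provider,
    }


# Constructed sample events; key IDs are placeholders, not real credentials.
SAMPLE_EVENTS = [
    # Dual-stack client: two IPs but one city, network and user agent -> normal_activity.
    make_event(1, "ASIA0000000000EXAMPLE", "203.0.113.10", "aws-cli/2.15.0", "Dublin", "EXAMPLE-ISP", "s3.amazonaws.com"),
    make_event(3, "ASIA0000000000EXAMPLE", "2001:db8::10", "aws-cli/2.15.0", "Dublin", "EXAMPLE-ISP", "iam.amazonaws.com"),
    # Same token from two cities, networks, user agents and services -> high fidelity.
    make_event(5, "ASIA1111111111EXAMPLE", "203.0.113.20", "aws-cli/2.15.0", "Dublin", "EXAMPLE-ISP", "s3.amazonaws.com"),
    make_event(9, "ASIA1111111111EXAMPLE", "198.51.100.7", "Boto3/1.34.0", "Lagos", "EXAMPLE-VPN", "sts.amazonaws.com"),
    # Console session: excluded by the filter stage regardless of spread.
    make_event(6, "ASIA2222222222EXAMPLE", "203.0.113.30", "Mozilla/5.0", "Paris", "EXAMPLE-ISP", "s3.amazonaws.com", console="true"),
    make_event(7, "ASIA2222222222EXAMPLE", "198.51.100.9", "Mozilla/5.0", "Berlin", "EXAMPLE-VPN", "iam.amazonaws.com", console="true"),
    # Terraform runner: excluded by user agent.
    make_event(8, "AKIA3333333333EXAMPLE", "203.0.113.40", "Terraform/1.7.0", "Dublin", "EXAMPLE-ISP", "ec2.amazonaws.com"),
    make_event(8, "AKIA3333333333EXAMPLE", "198.51.100.8", "Terraform/1.7.0", "Lagos", "EXAMPLE-VPN", "iam.amazonaws.com"),
    # Two IPs and two user agents, same city and network -> low fidelity (only alerts if broadened).
    make_event(2, "ASIA4444444444EXAMPLE", "203.0.113.50", "aws-cli/2.15.0", "Dublin", "EXAMPLE-ISP", "s3.amazonaws.com"),
    make_event(4, "ASIA4444444444EXAMPLE", "198.51.100.3", "Boto3/1.34.0", "Dublin", "EXAMPLE-ISP", "iam.amazonaws.com"),
]


def passes_filter(e):
    """Stage 2 (where). Assumption of this example: a missing field simply does not match;
    in ES|QL a null comparison can evaluate to null and drop the row instead."""
    if e.get("aws.cloudtrail.user_identity.arn") is None or e.get("source.ip") is None:
        return False
    if e.get("aws.cloudtrail.user_identity.type") != "IAMUser":
        return False
    if e.get("aws.cloudtrail.user_identity.access_key_id") is None:
        return False
    if e.get("aws.cloudtrail.session_credential_from_console") == "true":
        return False
    if any(tool in (e.get("user_agent.original") or "") for tool in IAC_USER_AGENTS):
        return False
    org = e.get("source.as.organization.name")
    if org == "AMAZON-AES" or (org == "AMAZON-02" and e.get("aws.cloudtrail.event_category") == "Data"):
        return False
    return e.get("event.provider") not in EXCLUDED_PROVIDERS


def bucket_30m(ts):
    """date_trunc(30 minutes, @timestamp): the grouping window."""
    return ts.replace(minute=ts.minute - ts.minute % 30, second=0, microsecond=0)


def classify(ip_n, network_n, city_n, ua_n):
    """Stage 5 (eval): branches in the same order as the ES|QL case(), first match wins.
    Fidelity is None for normal_activity, mirroring a case() with no default branch."""
    multi_ip = ip_n >= 2
    if multi_ip and network_n >= 2 and city_n >= 2 and ua_n >= 2:
        return "multiple_ip_network_city_user_agent", "high"
    if multi_ip and network_n >= 2 and city_n >= 2:
        return "multiple_ip_network_city", "high"
    if multi_ip and city_n >= 2:
        return "multiple_ip_and_city", "medium"
    if multi_ip and network_n >= 2:
        return "multiple_ip_and_network", "medium"
    if multi_ip and ua_n >= 2:
        return "multiple_ip_and_user_agent", "low"
    return "normal_activity", None


def aggregate(events):
    """Stages 3-5: group filtered events by (30-minute window, access key) and score each group."""
    groups = defaultdict(list)
    for e in events:
        if passes_filter(e):
            groups[(bucket_30m(e["@timestamp"]), e["aws.cloudtrail.user_identity.access_key_id"])].append(e)
    rows = {}
    for (window, key), evs in groups.items():
        def distinct(field):  # count_distinct() ignores null values
            return {e.get(field) for e in evs} - {None}
        counts = [len(distinct(f)) for f in ("source.ip", "source.as.organization.name",
                                             "source.geo.city_name", "user_agent.original")]
        activity_type, fidelity = classify(*counts)
        rows[(window, key)] = {
            "window": window, "access_key_id": key, "event_count": len(evs),
            "event_provider_count_distinct": len(distinct("event.provider")),
            "source_ip_count_distinct": counts[0], "activity_type": activity_type,
            "activity_fidelity_score": fidelity,
            "first_seen": min(e["@timestamp"] for e in evs), "last_seen": max(e["@timestamp"] for e in evs),
        }
    return rows


def alerts(events, broaden=False):
    """Stage 7 (where): shipped condition is high fidelity across more than one service;
    broaden=True applies the alternative condition given in the query's trailing comment."""
    out = []
    for row in aggregate(events).values():
        if row["event_provider_count_distinct"] <= 1:
            continue
        hit = row["activity_type"] != "normal_activity" if broaden else row["activity_fidelity_score"] == "high"
        if hit:
            out.append(row)
    return out


if __name__ == "__main__":
    for row in alerts(SAMPLE_EVENTS):
        print(row["access_key_id"], row["activity_type"], row["activity_fidelity_score"], row["event_count"])
```

The `classify` branch order matters: a group with two networks and two cities but a single user agent still lands on "multiple_ip_network_city" (high), while two IPs from one city and one network never rise above "low" no matter how many user agents are seen, which is what keeps the dual-stack case out of the alert feed.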

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field                                           Kind   Excluded values
aws.cloudtrail.event_category                   eq     Data
source.as.organization.name                     eq     AMAZON-02
user_agent.original                             match  Ansible
user_agent.original                             match  Pulumi
user_agent.original                             match  Terraform
aws.cloudtrail.session_credential_from_console  eq     true
event.provider                                  in     account.amazonaws.com, budgets.amazonaws.com, ce.amazonaws.com, cost-optimization-hub.amazonaws.com, freetier.amazonaws.com, health.amazonaws.com, monitoring.amazonaws.com, notifications.amazonaws.com, securityhub.amazonaws.com, servicecatalog-appregistry.amazonaws.com, support-console.amazonaws.com, support.amazonaws.com

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                                       Kind         Values
Esql.activity_fidelity_score                eq           high
Esql.event_provider_count_distinct          gt           1
aws.cloudtrail.user_identity.access_key_id  is_not_null  (no value, null check)
aws.cloudtrail.user_identity.arn            is_not_null  (no value, null check)
aws.cloudtrail.user_identity.type           eq           IAMUser
data_stream.dataset                         eq           aws.cloudtrail
source.as.organization.name                 ne           AMAZON-AES
source.ip                                   is_not_null  (no value, null check)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field                                                   Source
Esql.time_window_date_trunc                             KEEP Esql.time_window_date_trunc
Esql.activity_type                                      KEEP Esql.activity_type
Esql.activity_fidelity_score                            KEEP Esql.activity_fidelity_score
Esql.event_count                                        KEEP Esql.event_count
Esql.timestamp_first_seen                               KEEP Esql.timestamp_first_seen
Esql.timestamp_last_seen                                KEEP Esql.timestamp_last_seen
Esql.aws_cloudtrail_user_identity_arn_values            KEEP Esql.aws_cloudtrail_user_identity_arn_values
Esql.aws_cloudtrail_user_identity_access_key_id_values  KEEP Esql.aws_cloudtrail_user_identity_access_key_id_values
Esql.event_provider_count_distinct                      KEEP Esql.event_provider_count_distinct
Esql.event_action_values                                KEEP Esql.event_action_values
Esql.event_provider_values                              KEEP Esql.event_provider_values
Esql.source_ip_values                                   KEEP Esql.source_ip_values
Esql.user_agent_original_values                         KEEP Esql.user_agent_original_values
Esql.source_ip_user_agent_pair_values                   KEEP Esql.source_ip_user_agent_pair_values
Esql.source_geo_city_name_values                        KEEP Esql.source_geo_city_name_values
Esql.source_ip_city_pair_values                         KEEP Esql.source_ip_city_pair_values
Esql.source_network_org_name_values                     KEEP Esql.source_network_org_name_values
Esql.source_ip_network_pair_values                      KEEP Esql.source_ip_network_pair_values
Esql.source_ip_count_distinct                           KEEP Esql.source_ip_count_distinct
Esql.user_agent_original_count_distinct                 KEEP Esql.user_agent_original_count_distinct
Esql.source_geo_city_name_count_distinct                KEEP Esql.source_geo_city_name_count_distinct
Esql.source_network_org_name_count_distinct             KEEP Esql.source_network_org_name_count_distinct
Esql.data_stream_namespace_values                       KEEP Esql.data_stream_namespace_values