[Hunt Tuning] Fixing Sort Logic in Aviatrix Hunting Query (#4432)

* fixing sort logic error * Update hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit f1dee06)
elastic · Feb 4, 2025 · b8b209b · b8b209b
1 parent 05b43dc
commit b8b209b
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/hunting/aws/docs/iam_unusual_default_aviatrix_role_activity.md b/hunting/aws/docs/iam_unusual_default_aviatrix_role_activity.md
@@ -22,7 +22,7 @@ from logs-aws.cloudtrail-*
     and aws.cloudtrail.user_identity.arn like "*aviatrix-role*"
 | stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn
 | where activity_counts < 10
-| sort by activity_counts asc
+| sort activity_counts asc
 ```
 
 ## Notes

diff --git a/hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml b/hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml
@@ -25,5 +25,5 @@ from logs-aws.cloudtrail-*
     and aws.cloudtrail.user_identity.arn like "*aviatrix-role*"
 | stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn
 | where activity_counts < 10
-| sort by activity_counts asc
-''']
+| sort activity_counts asc
+''']