detection-rules
detection-rules copied to clipboard
Published
20 hours ago •
elastic
elastic
[New Rule] An anomaly was detected with a Slack user
Description
Slack has built-in anomaly detection for various suspicious events occurring around user accounts or the application. This detects the occurrence of the most concerning anomalous events.
Target Ruleset
other
Target Rule Type
ES|QL
Tested ECS Version
No response
Query
from logs-slack.audit*
| where event.action == "anomaly" and not slack.audit.details.reason == "ip_address"
| eval rule_name = concat("Slack Anomaly Detected: ", slack.audit.details.reason)
The rule name override would then need to be set for rule_name. This is immensely helpful in managing and triaging this alert.
New fields required in ECS/data sources for this rule?
slack.*
Related issues or PRs
No response
References
- https://api.slack.com/admins/audit-logs-call#app
- https://api.slack.com/admins/audit-logs-anomaly
Redacted Example Data
No response
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
![botelastic[bot] avatar](https://avatars.githubusercontent.com/u/6764390?v=4 "Published by a pub.dev verified publisher"){kind=small}