
[New Rule] Excessive apps installed in Slack over short duration

Open brokensound77 opened this issue 1 year ago • 1 comment

Description

An excessive number of apps was installed in Slack over a short duration by a single user, which could indicate attempts to perform reconnaissance, discovery, collection, or lateral movement.

Target Ruleset

other

Target Rule Type

Threshold

Tested ECS Version

No response

Query

  • index pattern: logs-slack.audit*
  • query:

    ```
    event.action:app_installed and slack.audit.entity.name:* and user.full_name:*
    ```

  • threshold: more than 5 unique installs of slack.audit.entity.name and user.full_name over a 30m lookback, with an interval of 35m

New fields required in ECS/data sources for this rule?

slack.*

Related issues or PRs

No response

References

https://api.slack.com/admins/audit-logs-call#app

Redacted Example Data

No response

brokensound77 avatar Oct 03 '24 15:10 brokensound77
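The threshold logic proposed above, run over constructed Slack audit events as an added example (this is not code from the issue author or from the detection-rules project). The events are hand-written and flattened to the field names the query uses; the window, the "more than 5" cutoff and the per-user grouping are taken from the issue text, while the sliding-window evaluation is an assumption about how a practitioner would replay the rule offline rather than Elastic's exact threshold semantics:

```python
"""Replay the proposed threshold rule over sample events:
flag a user who installs more than 5 distinct apps within any 30-minute span."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real Slack audit data), flattened to the
# field names used by the proposed query.
SAMPLE_EVENTS = [
    # Mallory: six distinct apps in 20 minutes -> should alert
    {"@timestamp": "2024-10-03T15:00:00Z", "event.action": "app_installed",
     "slack.audit.entity.name": "Giphy", "user.full_name": "Mallory Example"},
    {"@timestamp": "2024-10-03T15:04:00Z", "event.action": "app_installed",
     "slack.audit.entity.name": "Polly", "user.full_name": "Mallory Example"},
    {"@timestamp": "2024-10-03T15:08:00Z", "event.action": "app_installed",
     "slack.audit.entity.name": "Jira Cloud", "user.full_name": "Mallory Example"},
    {"@timestamp": "2024-10-03T15:12:00Z", "event.action": "app_installed",
     "slack.audit.entity.name": "Trello", "user.full_name": "Mallory Example"},
    {"@timestamp": "2024-10-03T15:16:00Z", "event.action": "app_installed",
     "slack.audit.entity.name": "Zapier", "user.full_name": "Mallory Example"},
    {"@timestamp": "2024-10-03T15:20:00Z", "event.action": "app_installed",
     "slack.audit.entity.name": "Google Drive", "user.full_name": "Mallory Example"},
    # A different action for the same user must not count toward the threshold.
    {"@timestamp": "2024-10-03T15:22:00Z", "event.action": "app_approved",
     "slack.audit.entity.name": "Asana", "user.full_name": "Mallory Example"},
    # Re-installing an app already counted does not add a new unique name.
    {"@timestamp": "2024-10-03T15:25:00Z", "event.action": "app_installed",
     "slack.audit.entity.name": "Giphy", "user.full_name": "Mallory Example"},
    # Alice: the same app installed seven times -> only one unique name, no alert
    *[{"@timestamp": f"2024-10-03T15:0{i}:00Z", "event.action": "app_installed",
       "slack.audit.entity.name": "Gitbot", "user.full_name": "Alice Example"}
      for i in range(7)],
    # Bob: six distinct apps, but 30 minutes apart each -> never >5 in one window
    *[{"@timestamp": f"2024-10-03T{16 + i // 2}:{'00' if i % 2 == 0 else '30'}:00Z",
       "event.action": "app_installed",
       "slack.audit.entity.name": f"App {i}", "user.full_name": "Bob Example"}
      for i in range(6)],
    # Missing user.full_name fails the `user.full_name:*` clause and is dropped.
    {"@timestamp": "2024-10-03T15:10:00Z", "event.action": "app_installed",
     "slack.audit.entity.name": "Mystery App"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_query(event):
    """Equivalent of:
    event.action:app_installed and slack.audit.entity.name:* and user.full_name:*"""
    return (event.get("event.action") == "app_installed"
            and bool(event.get("slack.audit.entity.name"))
            and bool(event.get("user.full_name")))


def excessive_installs(events, threshold=5, window=timedelta(minutes=30)):
    """Return {user.full_name: sorted unique app names} for every user who has
    more than `threshold` distinct slack.audit.entity.name values inside some
    `window`-long span of matching events."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, app) within window
    alerts = {}
    matching = sorted((e for e in events if matches_query(e)),
                      key=lambda e: parse_ts(e["@timestamp"]))
    for event in matching:
        ts = parse_ts(event["@timestamp"])
        user = event["user.full_name"]
        window_events = recent[user]
        window_events.append((ts, event["slack.audit.entity.name"]))
        # Evict events that fell out of the lookback window.
        while window_events and ts - window_events[0][0] > window:
            window_events.popleft()
        unique_apps = {app for _, app in window_events}
        if len(unique_apps) > threshold:
            alerts[user] = sorted(unique_apps)
    return alerts


if __name__ == "__main__":
    for user, apps in excessive_installs(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {len(apps)} unique apps installed: {', '.join(apps)}")
```

The two negative cases are the ones worth keeping in mind when tuning the real rule: repeated installs of one app (Alice) stay under the threshold because the count is of unique entity names, and a slow, spread-out campaign (Bob) never trips a 30-minute window at all, so a longer-window companion rule may be needed if that pattern matters.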

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Dec 02 '24 16:12 botelastic[bot]