detection-rules icon indicating copy to clipboard operation
detection-rules copied to clipboard

Published 20 hours ago verified publisher icon elastic

[New Rule][BBR] A user previewed a Slack channel without joining

Open brokensound77 opened this issue 1 year ago • 1 comments

Description

Detects when a user previews a Slack channel and does not join within a minute, which could be indicative of performing recon or attempting to locate sensitive information.

Target Ruleset

other

Target Rule Type

Event Correlation (EQL)

Tested ECS Version

No response

Query

Must first set the event_category_override to slack.audit.entity.entity_type

sequence by user.email, slack.audit.entity.name with maxspan=60s
  [channel where event.action == "public_channel_preview"]
  ![channel where event.action == "user_channel_join"]

New fields required in ECS/data sources for this rule?

slack.*

Related issues or PRs

No response

References

https://api.slack.com/admins/audit-logs-call

Redacted Example Data

No response

brokensound77 avatar Oct 03 '24 15:10 brokensound77

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Dec 02 '24 16:12 botelastic[bot]