[New Rule] A user previewed multiple Slack rooms without joining in a short period
Description
A user previewed multiple Slack rooms without joining in a short period, which could be indicative of performing recon or attempting to locate sensitive information.
Similar to internal: 2243f3ae-62e0-4c36-acc4-7d25cfb07b66
Target Ruleset
other
Target Rule Type
Threshold
Tested ECS Version
No response
Query
This is dependent on the rule_id generated from #4135
- index: .alerts-security.*
- query: user.email:* and kibana.alert.rule.rule_id:"rule-id-of-4135-bbr-rule"
- threshold: user.email, source.ip, cardinality: slack.audit.entity.name
- timing: 3 occurrences over a 10 min lookback, with an interval of 5m
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
dependent on #4135
References
https://api.slack.com/admins/audit-logs-call
Redacted Example Data
No response
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.