detection-rules icon indicating copy to clipboard operation
detection-rules copied to clipboard

Published 20 hours ago verified publisher icon elastic

[New Rule][BBR] A user logged into Slack from a new country

Open brokensound77 opened this issue 1 year ago • 1 comments

Description

Detects when a user logs into a newly seen country over the last 30d, which could potentially indicate account compromise.

Ref internal: 540bc789-be24-4dbc-970c-a16489661290

Target Ruleset

other

Target Rule Type

New Terms

Tested ECS Version

No response

Query

  • index: logs-slack.audit
  • query:
event.action:user_login and source.ip:* and user.email:* and source.geo.country_iso_code:*
  • new terms: user.email, source.geo.country_iso_code
  • timing: 30m lookback, 15m interval, 30d history window

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

No response

References

https://api.slack.com/admins/audit-logs-call

Redacted Example Data

No response

brokensound77 avatar Oct 03 '24 17:10 brokensound77

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Dec 02 '24 17:12 botelastic[bot]