Description
Slack has built-in anomaly detection for various suspicious events occurring around user accounts or the application. This detects the occurrence of the most concerning anomalous events.
Target Ruleset
other
Target Rule Type
ES|QL
Tested ECS Version
No response
Query
from logs-slack.audit*
| where event.action == "anomaly" and not slack.audit.details.reason == "ip_address"
| eval rule_name = concat("Slack Anomaly Detected: ", slack.audit.details.reason)
The rule's name override would then need to be set to the rule_name field. This is immensely helpful when managing and triaging this alert, because each anomaly reason surfaces under its own alert name.
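As an added example (not part of this issue or the Slack integration), the rule's filter and rule_name construction applied in Python to constructed audit events in the ECS shape the query reads; the reason value session_fingerprint is a constructed sample, and the walker also shows that an anomaly event with no reason field is dropped by the where clause, since the comparison evaluates to null.

```python
# Constructed Slack audit documents in the ECS field layout the rule queries (not real data).
SAMPLE_EVENTS = [
    {"event": {"action": "anomaly"},
     "slack": {"audit": {"details": {"reason": "ip_address"}}}},           # excluded by the rule
    {"event": {"action": "anomaly"},
     "slack": {"audit": {"details": {"reason": "session_fingerprint"}}}},  # constructed reason value
    {"event": {"action": "user_login"},
     "slack": {"audit": {"details": {"reason": "ip_address"}}}},           # not an anomaly event
    {"event": {"action": "anomaly"},
     "slack": {"audit": {"details": {}}}},                                # anomaly with no reason
]


def get_field(doc, path):
    """Walk a dotted ECS field path; return None when any segment is absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def slack_anomaly_alerts(events):
    """Mirror the ES|QL rule: keep anomaly events whose reason is not ip_address,
    then build rule_name the way `eval rule_name = concat(...)` does."""
    alerts = []
    for doc in events:
        if get_field(doc, "event.action") != "anomaly":
            continue
        reason = get_field(doc, "slack.audit.details.reason")
        if reason is None:
            # In ES|QL `not null == "ip_address"` is null, and `where` only keeps
            # rows whose condition is true, so reason-less anomalies never alert.
            continue
        if reason == "ip_address":
            continue
        alerts.append({"reason": reason,
                       "rule_name": "Slack Anomaly Detected: " + reason})
    return alerts


if __name__ == "__main__":
    for alert in slack_anomaly_alerts(SAMPLE_EVENTS):
        print(alert["rule_name"])
```

Of the four constructed documents only the session_fingerprint anomaly alerts; the reason-less anomaly is silently dropped, which is worth knowing if Slack ever emits anomaly events without a reason.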
New fields required in ECS/data sources for this rule?
slack.*
Related issues or PRs
No response
References
Redacted Example Data
No response