[New Rule] Excessive apps installed in Slack over short duration

Description

An excessive amount of apps were installed in Slack over short duration by a single user, which could indicate attempts to perform recon, discover, collect, or laterally move.

Target Ruleset

other

Target Rule Type

Threshold

Tested ECS Version

No response

Query

index pattern: * logs-slack.audit*

query

event.action:app_installed and slack.audit.entity.name:* and user.full_name:*

threshold: more than 5 unique installs of slack.audit.entity.name and user.full_name over 30m lookback, with an interval of 35m

New fields required in ECS/data sources for this rule?

slack.*

Related issues or PRs

No response

References

https://api.slack.com/admins/audit-logs-call#app

Redacted Example Data

No response

elastic / detection-rules

[New Rule] Excessive apps installed in Slack over short duration #4134

Description

Target Ruleset

Target Rule Type

Tested ECS Version

Query

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

Redacted Example Data