Description
An excessive number of apps were installed in Slack over a short duration by a single user, which could indicate attempts at reconnaissance, discovery, collection, or lateral movement.
Target Ruleset
other
Target Rule Type
Threshold
Tested ECS Version
No response
Query
index pattern: logs-slack.audit*
query: event.action:app_installed and slack.audit.entity.name:* and user.full_name:*
threshold: more than 5 unique installs of slack.audit.entity.name and user.full_name over a 30m lookback, with an interval of 35m
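The threshold logic above, as an added Python reference implementation (not part of this issue and not Elastic's rule engine), run over constructed sample events: it applies the query filter, keeps only events inside the 30m lookback ending at execution time, counts distinct slack.audit.entity.name values per user.full_name, and flags users with more than 5. The per-user grouping with app-name cardinality, the flattened field layout and the sample data are assumptions chosen to illustrate the rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(minutes=30)   # rule lookback window
THRESHOLD = 5                      # "more than 5 unique installs"


def _ts(minute):
    # Constructed timestamps, all on one day so the window arithmetic is easy to follow.
    return datetime(2024, 1, 1, 12, minute, tzinfo=timezone.utc)


def _event(minute, action, user, app):
    # Flattened ECS-style document using the field names from the rule query
    # (assumed layout; constructed sample data, not real Slack audit output).
    ev = {"@timestamp": _ts(minute), "event.action": action}
    if user is not None:
        ev["user.full_name"] = user
    if app is not None:
        ev["slack.audit.entity.name"] = app
    return ev


NOW = _ts(40)  # rule execution time; the window is NOW-30m .. NOW

SAMPLE_EVENTS = [
    # Alice: six distinct apps inside the window plus one repeat install -> 6 unique
    _event(12, "app_installed", "Alice Example", "app-a"),
    _event(15, "app_installed", "Alice Example", "app-b"),
    _event(18, "app_installed", "Alice Example", "app-c"),
    _event(20, "app_installed", "Alice Example", "app-d"),
    _event(22, "app_installed", "Alice Example", "app-e"),
    _event(25, "app_installed", "Alice Example", "app-f"),
    _event(28, "app_installed", "Alice Example", "app-a"),    # repeat, not unique
    _event(29, "app_uninstalled", "Alice Example", "app-b"),  # filtered out by event.action
    # Bob: three installs -> below threshold
    _event(14, "app_installed", "Bob Example", "app-a"),
    _event(16, "app_installed", "Bob Example", "app-g"),
    _event(19, "app_installed", "Bob Example", "app-h"),
    # Carol: seven installs in total, but four predate the window -> 3 unique in window
    _event(0, "app_installed", "Carol Example", "app-a"),
    _event(3, "app_installed", "Carol Example", "app-b"),
    _event(5, "app_installed", "Carol Example", "app-c"),
    _event(8, "app_installed", "Carol Example", "app-d"),
    _event(30, "app_installed", "Carol Example", "app-e"),
    _event(33, "app_installed", "Carol Example", "app-f"),
    _event(36, "app_installed", "Carol Example", "app-g"),
    # Record with no user.full_name: dropped by the `user.full_name:*` clause
    _event(35, "app_installed", None, "app-z"),
]


def matches_query(ev):
    """Mirror of the KQL: event.action:app_installed and both grouping fields present."""
    return (ev.get("event.action") == "app_installed"
            and bool(ev.get("slack.audit.entity.name"))
            and bool(ev.get("user.full_name")))


def unique_installs(events, now=NOW, lookback=LOOKBACK):
    """Map user.full_name -> set of distinct app names installed inside the lookback."""
    window_start = now - lookback
    installs = defaultdict(set)
    for ev in events:
        if not matches_query(ev):
            continue
        if not (window_start <= ev["@timestamp"] <= now):
            continue
        installs[ev["user.full_name"]].add(ev["slack.audit.entity.name"])
    return installs


def unique_install_counts(events, now=NOW, lookback=LOOKBACK):
    """Cardinality of app names per user, i.e. the value the threshold is compared against."""
    return {user: len(apps) for user, apps in unique_installs(events, now, lookback).items()}


def evaluate_threshold(events, now=NOW, lookback=LOOKBACK, threshold=THRESHOLD):
    """Return {user: sorted app names} for every user exceeding the threshold."""
    return {user: sorted(apps)
            for user, apps in unique_installs(events, now, lookback).items()
            if len(apps) > threshold}


if __name__ == "__main__":
    for user, apps in evaluate_threshold(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {len(apps)} unique app installs in {LOOKBACK}: {apps}")
```

The repeat install and the uninstall event for Alice show why the rule counts unique app names rather than raw hits, and Carol's older installs show that a burst spread across two windows stays below the threshold; tuning the lookback against the interval decides how much such a split can hide.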
New fields required in ECS/data sources for this rule?
slack.*
Related issues or PRs
No response
References
https://api.slack.com/admins/audit-logs-call#app
Redacted Example Data
No response