Detects when a user previews a Slack channel and does not join within a minute, which could be indicative of performing recon or attempting to locate sensitive information.
Target Ruleset
other
Target Rule Type
Event Correlation (EQL)
Tested ECS Version
No response
Query
Must first set the event_category_override to slack.audit.entity.entity_type
sequence by user.email, slack.audit.entity.name with maxspan=60s
[channel where event.action == "public_channel_preview"]
![channel where event.action == "user_channel_join"]
New fields required in ECS/data sources for this rule?
Description
Detects when a user previews a Slack channel and does not join within a minute, which could be indicative of performing recon or attempting to locate sensitive information.
Target Ruleset
other
Target Rule Type
Event Correlation (EQL)
Tested ECS Version
No response
Query
Must first set the
event_category_override
toslack.audit.entity.entity_type
New fields required in ECS/data sources for this rule?
slack.*
Related issues or PRs
No response
References
https://api.slack.com/admins/audit-logs-call
Redacted Example Data
No response