Description
A user previewed multiple Slack rooms without joining them in a short period, which may indicate reconnaissance or an attempt to locate sensitive information.
Similar to internal: 2243f3ae-62e0-4c36-acc4-7d25cfb07b66
Target Ruleset
other
Target Rule Type
Threshold
Tested ECS Version
No response
Query
This is dependent on the rule_id generated from #4135.
index: .alerts-security.*
query: user.email:* and kibana.alert.rule.rule_id:"rule-id-of-4135-bbr-rule"
threshold fields: user.email, source.ip
cardinality: slack.audit.entity.name
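To make the threshold logic concrete, here is an added Python simulation of what the proposed rule does over the building-block alerts: keep only alerts that match the query (a populated user.email and the source rule's rule_id), group them by user.email and source.ip inside the lookback window, and fire when a group reaches a minimum document count and a minimum number of distinct slack.audit.entity.name values. This is example code written for this page, not the detection-rules repository's own rule or Kibana's implementation; the rule_id placeholder is the one the page uses, and the lookback, document count and cardinality thresholds, together with the sample alerts, are constructed assumptions because the page does not specify them.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Placeholder taken from the page; the real rule_id of the #4135 building-block rule is not given there.
SOURCE_RULE_ID = "rule-id-of-4135-bbr-rule"

# Constructed "now" so the example is deterministic offline.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def matches_query(alert):
    """Equivalent of the rule's query: user.email:* and kibana.alert.rule.rule_id:"<id>"."""
    return bool(alert.get("user.email")) and alert.get("kibana.alert.rule.rule_id") == SOURCE_RULE_ID


def threshold_hits(alerts, now, lookback, min_docs, min_unique_rooms):
    """Group matching alerts by (user.email, source.ip) within the lookback window.

    A group is reported when it has at least min_docs alerts AND at least
    min_unique_rooms distinct slack.audit.entity.name values (the cardinality field).
    """
    cutoff = now - lookback
    rooms_by_group = defaultdict(set)
    docs_by_group = defaultdict(int)
    for alert in alerts:
        if not matches_query(alert):
            continue
        ts = datetime.fromisoformat(alert["@timestamp"])
        if ts < cutoff or ts > now:
            continue  # outside the rule's lookback window
        key = (alert["user.email"], alert["source.ip"])
        rooms_by_group[key].add(alert["slack.audit.entity.name"])
        docs_by_group[key] += 1

    hits = []
    for key, rooms in rooms_by_group.items():
        if docs_by_group[key] >= min_docs and len(rooms) >= min_unique_rooms:
            hits.append({
                "user.email": key[0],
                "source.ip": key[1],
                "doc_count": docs_by_group[key],
                "unique_rooms": sorted(rooms),
            })
    return sorted(hits, key=lambda h: (h["user.email"], h["source.ip"]))


def _alert(minutes_ago, email, ip, room, rule_id=SOURCE_RULE_ID):
    """Build one constructed building-block alert document."""
    return {
        "@timestamp": (NOW - timedelta(minutes=minutes_ago)).isoformat(),
        "kibana.alert.rule.rule_id": rule_id,
        "user.email": email,
        "source.ip": ip,
        "slack.audit.entity.name": room,
    }


# Constructed sample alerts (not real data).
SAMPLE_ALERTS = (
    # alice previews six distinct rooms from one IP within a few minutes: should fire.
    [_alert(m, "alice@example.com", "10.0.0.5", f"proj-room-{m}") for m in range(6)]
    # bob previews the same room five times: document count is high but cardinality is 1.
    + [_alert(m, "bob@example.com", "10.0.0.7", "general") for m in range(5)]
    # alice from a second IP previews only two rooms: separate group, below threshold.
    + [_alert(2, "alice@example.com", "192.0.2.10", "hr-room"),
       _alert(3, "alice@example.com", "192.0.2.10", "finance-room")]
    # carol's alerts come from a different rule and are excluded by the query.
    + [_alert(m, "carol@example.com", "10.0.0.9", f"other-{m}", rule_id="some-other-rule") for m in range(6)]
    # dave previewed six rooms three hours ago, outside the lookback window.
    + [_alert(180 + m, "dave@example.com", "10.0.0.11", f"old-room-{m}") for m in range(6)]
)


def run_sample():
    """Run the simulated threshold rule over the constructed alerts (assumed tuning values)."""
    return threshold_hits(SAMPLE_ALERTS, NOW, timedelta(minutes=15), min_docs=3, min_unique_rooms=5)


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit['user.email']} from {hit['source.ip']}: "
              f"{hit['doc_count']} previews across {len(hit['unique_rooms'])} rooms")
```

Only alice's activity from 10.0.0.5 is reported. The sample also shows two properties of grouping on both user.email and source.ip: a user who spreads previews over several IPs is split into separate groups, and repeated previews of a single room never satisfy the cardinality condition, so the thresholds need to be tuned against the volume of the building-block alerts actually produced by #4135.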
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
Dependent on #4135.
References
https://api.slack.com/admins/audit-logs-call
Redacted Example Data
No response