[New Rule] A user previewed multiple Slack rooms without joining in a short period

Description

A user previewed multiple Slack rooms without joining in a short period, which could be indicative of performing recon or attempting to locate sensitive information.

Similar to internal: 2243f3ae-62e0-4c36-acc4-7d25cfb07b66

Target Ruleset

other

Target Rule Type

Threshold

Tested ECS Version

No response

Query

This is dependent on the rule_id generated from #4135

index: .alerts-security.*
query:

user.email:* and kibana.alert.rule.rule_id:"rule-id-of-4135-bbr-rule"

threshold: user.email, source.ip, cardinality: slack.audit.entity.name,
timing: 3 occurrences over a 10 min lookback, with an interval of 5m

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

dependent on #4135

References

https://api.slack.com/admins/audit-logs-call

Redacted Example Data

No response

elastic / detection-rules

[New Rule] A user previewed multiple Slack rooms without joining in a short period #4136

Description

Target Ruleset

Target Rule Type

Tested ECS Version

Query

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

Redacted Example Data