[New Rule] A user has downloaded an excessive amount of files in Slack over a short period

Description

A user has downloaded an excessive amount of files in Slack over a short period, which could indicate attempts to perform recon, discovery, or exfil.

This could potentially be considered as a BBR as well

Similar to internal: ba20c1de-1728-4a59-9afa-b7e502d359a4

Target Ruleset

other

Target Rule Type

Threshold

Tested ECS Version

No response

Query

index: logs-slack.audit*
query:

event.action:file_downloaded and 
  not slack.audit.entity.filetype:(image/* or video/* or application/vnd* or  audio/* or "application/x-iwork-keynote-sffkey" or application/x-iwork-numbers-sffnumbers or application/msword or "application/pdf")

threshold:

cardinality:
    - field: slack.audit.entity.name
      value: 4
field:
    - user.email
    - source.ip
value: 1

timing: lookback: 30m, interval 15m

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

No response

References

https://api.slack.com/admins/audit-logs-call

Redacted Example Data

No response

elastic / detection-rules

[New Rule] A user has downloaded an excessive amount of files in Slack over a short period #4137

Description

Target Ruleset

Target Rule Type

Tested ECS Version

Query

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

Redacted Example Data