Description
A user has downloaded an excessive number of files in Slack over a short period, which could indicate reconnaissance, discovery, or exfiltration attempts.
This could potentially be considered a BBR (building block rule) as well.
Similar to internal: ba20c1de-1728-4a59-9afa-b7e502d359a4
Target Ruleset
other
Target Rule Type
Threshold
Tested ECS Version
No response
Query
index: logs-slack.audit*
query:
event.action:file_downloaded and
not slack.audit.entity.filetype:(image/* or video/* or application/vnd* or audio/* or "application/x-iwork-keynote-sffkey" or application/x-iwork-numbers-sffnumbers or application/msword or "application/pdf")
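The query above only selects the candidate events; the threshold part of the rule (how many downloads per user within what window) is not spelled out in this request. The following Python script is an added illustration, not part of this issue or of the detection-rules repository, of how the filter and a per-user sliding-window count could be evaluated against Slack audit events. The sample events, the `user.name` field used as the aggregation key, and the threshold and window values are all assumptions chosen for the demonstration.

```python
"""Offline evaluation of the Slack file-download threshold logic on constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Filetype exclusions taken from the rule's KQL, expressed as glob patterns so that
# fnmatch can apply the same trailing wildcards (image/*, application/vnd*, ...).
EXCLUDED_FILETYPES = [
    "image/*",
    "video/*",
    "application/vnd*",
    "audio/*",
    "application/x-iwork-keynote-sffkey",
    "application/x-iwork-numbers-sffnumbers",
    "application/msword",
    "application/pdf",
]

# Assumed threshold parameters: the issue does not state values, these are placeholders.
THRESHOLD_COUNT = 20
WINDOW = timedelta(minutes=5)


def matches_query(event):
    """Mirror the KQL: event.action:file_downloaded and not filetype in the excluded set.

    As in KQL, an event with no filetype field is not excluded and therefore matches.
    """
    if event.get("event.action") != "file_downloaded":
        return False
    filetype = event.get("slack.audit.entity.filetype", "")
    return not any(fnmatch(filetype, pattern) for pattern in EXCLUDED_FILETYPES)


def find_excessive_downloaders(events, threshold=THRESHOLD_COUNT, window=WINDOW):
    """Return {user: peak download count} for users whose matching downloads reach
    `threshold` within any sliding window of length `window`.

    The aggregation key `user.name` is an assumption; the real ECS field depends on
    how the Slack audit integration maps the actor.
    """
    per_user = defaultdict(list)
    for event in events:
        if matches_query(event):
            per_user[event["user.name"]].append(datetime.fromisoformat(event["@timestamp"]))

    hits = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window: advance `start` until the window fits.
        for end, current in enumerate(times):
            while current - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[user] = peak
    return hits


def _event(timestamp, user, action, filetype):
    """Build a minimal constructed event in the flattened field layout used above."""
    return {
        "@timestamp": timestamp,
        "user.name": user,
        "event.action": action,
        "slack.audit.entity.filetype": filetype,
    }


# Constructed sample data: alice pulls several non-media files within three minutes
# (plus two excluded types and one non-download action); bob downloads slowly.
SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00", "alice", "file_downloaded", "text/plain"),
    _event("2024-05-01T10:00:20", "alice", "file_downloaded", "text/csv"),
    _event("2024-05-01T10:00:40", "alice", "file_downloaded", "image/png"),  # excluded
    _event("2024-05-01T10:01:00", "alice", "file_downloaded", "application/zip"),
    _event("2024-05-01T10:01:30", "alice", "file_downloaded", "application/json"),
    _event("2024-05-01T10:02:00", "alice", "file_downloaded", "text/plain"),
    _event("2024-05-01T10:02:30", "alice", "file_downloaded", "application/vnd.ms-excel"),  # excluded
    _event("2024-05-01T10:03:00", "alice", "file_downloaded", "application/octet-stream"),
    _event("2024-05-01T10:03:10", "alice", "file_shared", "text/plain"),  # wrong action
    _event("2024-05-01T09:00:00", "bob", "file_downloaded", "text/plain"),
    _event("2024-05-01T12:00:00", "bob", "file_downloaded", "text/plain"),
    _event("2024-05-01T15:00:00", "bob", "file_downloaded", "application/zip"),
]

if __name__ == "__main__":
    # A low threshold is used here only so the constructed sample trips the rule.
    print(find_excessive_downloaders(SAMPLE_EVENTS, threshold=5))
```

With the sample data, only `alice` is reported (six matching downloads inside one five-minute window); `bob`'s three downloads are hours apart and never exceed one per window. Tuning note for the real rule: the excluded media and office types are common benign downloads, so the threshold should be set from a baseline of the remaining filetypes per user in the environment.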
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
No response
References
https://api.slack.com/admins/audit-logs-call
Redacted Example Data
No response