Open brokensound77 opened 5 days ago
Detects when a user logs into a newly seen country over the last 30d, which could potentially indicate account compromise.
Ref internal: 540bc789-be24-4dbc-970c-a16489661290
540bc789-be24-4dbc-970c-a16489661290
other
New Terms
No response
logs-slack.audit
event.action:user_login and source.ip:* and user.email:* and source.geo.country_iso_code:*
user.email
source.geo.country_iso_code
https://api.slack.com/admins/audit-logs-call
Description
Detects when a user logs into a newly seen country over the last 30d, which could potentially indicate account compromise.
Ref internal:
540bc789-be24-4dbc-970c-a16489661290Target Ruleset
other
Target Rule Type
New Terms
Tested ECS Version
No response
Query
logs-slack.audituser.email,source.geo.country_iso_codeNew fields required in ECS/data sources for this rule?
No response
Related issues or PRs
No response
References
https://api.slack.com/admins/audit-logs-call
Redacted Example Data
No response