
[New Rule] Excessive apps installed in Slack over short duration #4134

Open
@brokensound77

Description

An excessive number of apps was installed in Slack over a short duration by a single user, which could indicate attempts at reconnaissance, discovery, collection, or lateral movement.

Target Ruleset

other

Target Rule Type

Threshold

Tested ECS Version

No response

Query

  • index pattern: logs-slack.audit*
  • query: event.action:app_installed and slack.audit.entity.name:* and user.full_name:*
  • threshold: more than 5 unique installs of slack.audit.entity.name and user.full_name over a 30m lookback, with an interval of 35m
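As an added example (not part of this issue or the detection-rules repository), the following Python models one execution of the proposed threshold rule over constructed audit events. It assumes the threshold is read as: group by user.full_name, count distinct slack.audit.entity.name values inside the 30m lookback, and alert when that count exceeds 5.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def make_event(ts, action, app, user):
    # Minimal record carrying only the ECS-style fields the proposed query touches.
    return {"@timestamp": ts, "event.action": action,
            "slack.audit.entity.name": app, "user.full_name": user}

# Constructed sample events (not real Slack audit data), all on 2024-01-10.
SAMPLE_EVENTS = (
    # alice: six distinct apps within 20 minutes -> exceeds the threshold
    [make_event(f"2024-01-10T09:{m:02d}:00Z", "app_installed", f"app-{i}", "alice")
     for i, m in enumerate(range(0, 24, 4))]
    # bob: six installs but only four distinct apps -> below the threshold
    + [make_event(f"2024-01-10T09:{m:02d}:00Z", "app_installed", f"app-{i % 4}", "bob")
       for i, m in enumerate(range(0, 24, 4))]
    # carol: a sixth distinct install, but it falls outside the 30m lookback
    + [make_event("2024-01-10T08:20:00Z", "app_installed", "app-old", "carol")]
    + [make_event(f"2024-01-10T09:{m:02d}:00Z", "app_installed", f"app-{i}", "carol")
       for i, m in enumerate(range(0, 20, 4))]
    # an uninstall and a record with no entity name are dropped by the query filter
    + [make_event("2024-01-10T09:10:00Z", "app_uninstalled", "app-x", "alice"),
       make_event("2024-01-10T09:11:00Z", "app_installed", None, "alice")]
)

def matches_query(ev):
    # Same predicate as the KQL:
    # event.action:app_installed and slack.audit.entity.name:* and user.full_name:*
    return (ev.get("event.action") == "app_installed"
            and bool(ev.get("slack.audit.entity.name"))
            and bool(ev.get("user.full_name")))

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate(events, now, lookback=timedelta(minutes=30), threshold=5):
    """One rule execution at `now`: per user.full_name, count distinct
    slack.audit.entity.name values in [now - lookback, now] and return
    {user: sorted apps} for every user whose count exceeds the threshold."""
    start = now - lookback
    apps_by_user = defaultdict(set)
    for ev in events:
        if matches_query(ev) and start <= parse_ts(ev["@timestamp"]) <= now:
            apps_by_user[ev["user.full_name"]].add(ev["slack.audit.entity.name"])
    return {u: sorted(a) for u, a in apps_by_user.items() if len(a) > threshold}

if __name__ == "__main__":
    for user, apps in evaluate(SAMPLE_EVENTS, parse_ts("2024-01-10T09:25:00Z")).items():
        print(f"ALERT {user}: {len(apps)} distinct apps installed within 30m: {apps}")
```

Only alice trips the rule on this data; bob's repeated installs of the same app and carol's install that aged out of the lookback show why distinct-count and window boundaries matter when tuning the threshold.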

New fields required in ECS/data sources for this rule?

slack.*

Related issues or PRs

No response

References

https://api.slack.com/admins/audit-logs-call#app

Redacted Example Data

No response
