
[New Rule] A user has downloaded an excessive amount of files in Slack over a short period #4137

Open

@brokensound77

Description

A user has downloaded an excessive number of files in Slack over a short period, which could indicate attempts to perform recon, discovery, or exfil.

This could potentially be considered a BBR as well.

Similar to internal: ba20c1de-1728-4a59-9afa-b7e502d359a4

Target Ruleset

other

Target Rule Type

Threshold

Tested ECS Version

No response

Query

  • index: logs-slack.audit*
  • query:

```kql
event.action:file_downloaded and
  not slack.audit.entity.filetype:(image/* or video/* or application/vnd* or audio/* or "application/x-iwork-keynote-sffkey" or "application/x-iwork-numbers-sffnumbers" or "application/msword" or "application/pdf")
```

  • threshold:

```yaml
threshold:
  cardinality:
    - field: slack.audit.entity.name
      value: 4
  field:
    - user.email
    - source.ip
  value: 1
```

  • timing: lookback 30m, interval 15m

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

No response

References

https://api.slack.com/admins/audit-logs-call

Redacted Example Data

No response
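To make the proposed logic concrete, here is an offline model of the rule above: the KQL filetype exclusion plus the threshold grouping (user.email, source.ip), the cardinality requirement on slack.audit.entity.name and the 30m lookback, run over a handful of constructed logs-slack.audit* style events. This is an added example, not code from the issue or from the detection-rules repository, and the sample events, the `_ev` helper and the `evaluate`/`matches_query` names are assumptions made for illustration.

```python
"""Offline model of the proposed Slack bulk-download threshold rule.

Added example, not the project's own code. It emulates how the KQL filter
and the threshold/cardinality settings combine, over constructed events.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Filetype exclusions copied from the issue's KQL; KQL wildcards map onto glob '*'.
EXCLUDED_FILETYPES = (
    "image/*", "video/*", "application/vnd*", "audio/*",
    "application/x-iwork-keynote-sffkey", "application/x-iwork-numbers-sffnumbers",
    "application/msword", "application/pdf",
)
GROUP_FIELDS = ("user.email", "source.ip")      # threshold.field
CARDINALITY_FIELD = "slack.audit.entity.name"   # threshold.cardinality[0].field
CARDINALITY_MIN = 4                             # threshold.cardinality[0].value
HITS_MIN = 1                                    # threshold.value
LOOKBACK = timedelta(minutes=30)                # lookback 30m


def matches_query(event):
    """Emulate `event.action:file_downloaded and not slack.audit.entity.filetype:(...)`."""
    if event.get("event.action") != "file_downloaded":
        return False
    filetype = event.get("slack.audit.entity.filetype")
    # `not field:(...)` in KQL is a must_not clause, so a document that has no
    # filetype at all still passes the filter. Mirror that so the gap is visible.
    if filetype is None:
        return True
    return not any(fnmatchcase(filetype, pattern) for pattern in EXCLUDED_FILETYPES)


def evaluate(events, now):
    """Return [(email, ip, distinct_files)] for every bucket that crosses both thresholds."""
    start = now - LOOKBACK
    buckets = defaultdict(list)
    for ev in events:
        if not (start <= ev["@timestamp"] <= now):
            continue                      # outside the lookback window
        if not matches_query(ev):
            continue                      # filtered out by the KQL query
        buckets[tuple(ev.get(f) for f in GROUP_FIELDS)].append(ev)
    alerts = []
    for (email, ip), hits in sorted(buckets.items(), key=lambda kv: str(kv[0])):
        distinct = {h.get(CARDINALITY_FIELD) for h in hits}
        # threshold.value applies to hit count, cardinality.value to distinct names
        if len(hits) >= HITS_MIN and len(distinct) >= CARDINALITY_MIN:
            alerts.append((email, ip, len(distinct)))
    return alerts


# Constructed sample data (hypothetical, not real Slack audit logs).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def _ev(minutes_ago, email, ip, name, filetype):
    ev = {"@timestamp": NOW - timedelta(minutes=minutes_ago),
          "event.action": "file_downloaded",
          "user.email": email, "source.ip": ip,
          "slack.audit.entity.name": name}
    if filetype is not None:
        ev["slack.audit.entity.filetype"] = filetype
    return ev


SAMPLE_EVENTS = [
    # alice: five distinct non-excluded files in ten minutes -> fires
    _ev(10, "alice@example.com", "203.0.113.10", "q1-customers.csv", "text/csv"),
    _ev(9, "alice@example.com", "203.0.113.10", "deploy.sh", "application/x-sh"),
    _ev(8, "alice@example.com", "203.0.113.10", "backup.zip", "application/zip"),
    _ev(5, "alice@example.com", "203.0.113.10", "secrets.env", "text/plain"),
    _ev(2, "alice@example.com", "203.0.113.10", "dump.bin", "application/octet-stream"),
    # bob: the same file six times -> cardinality 1, does not fire
    *[_ev(m, "bob@example.com", "203.0.113.20", "notes.txt", "text/plain") for m in range(1, 7)],
    # carol: five PDFs -> every hit removed by the filetype exclusion
    *[_ev(m, "carol@example.com", "203.0.113.30", f"report{m}.pdf", "application/pdf") for m in range(1, 6)],
    # dave: four distinct files, but one is older than the 30m lookback -> 3 in window
    _ev(45, "dave@example.com", "203.0.113.40", "a.txt", "text/plain"),
    _ev(20, "dave@example.com", "203.0.113.40", "b.txt", "text/plain"),
    _ev(15, "dave@example.com", "203.0.113.40", "c.txt", "text/plain"),
    _ev(3, "dave@example.com", "203.0.113.40", "d.txt", "text/plain"),
    # erin: no filetype field at all -> still matches the query (one hit, no alert)
    _ev(4, "erin@example.com", "203.0.113.50", "unknown", None),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, NOW):
        print(alert)
```

Two things the model makes visible: the cardinality clause means repeated downloads of one file never trigger, however many there are, and the `not filetype:(...)` clause lets events without a filetype through, so a source that omits the field would be counted rather than excluded. The model evaluates a single window; with a 30m lookback on a 15m interval, consecutive runs overlap and the same bucket can be evaluated twice.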
