Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

SlackAudit - Empty User Agent

Back
Id04528635-a5f1-438b-ab74-21ca7bc3aa32
RulenameSlackAudit - Empty User Agent
DescriptionThis query shows connections to the Slack Workspace with empty User Agent.
SeverityLow
TacticsInitialAccess
TechniquesT1133
Required data connectorsSlackAuditAPI
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditEmptyUA.yaml
Version1.0.0
Arm template04528635-a5f1-438b-ab74-21ca7bc3aa32.json
Deploy To Azure
SlackAudit
| where isempty(UserAgentOriginal)
| extend AccountCustomEntity = SrcUserName
status: Available
id: 04528635-a5f1-438b-ab74-21ca7bc3aa32
query: |
  SlackAudit
  | where isempty(UserAgentOriginal)
  | extend AccountCustomEntity = SrcUserName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditEmptyUA.yaml
description: |
    'This query shows connections to the Slack Workspace with empty User Agent.'
name: SlackAudit - Empty User Agent
relevantTechniques:
- T1133
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
triggerThreshold: 0
severity: Low
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
queryFrequency: 1d
queryPeriod: 1d
version: 1.0.0
kind: Scheduled
tactics:
- InitialAccess
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/04528635-a5f1-438b-ab74-21ca7bc3aa32')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/04528635-a5f1-438b-ab74-21ca7bc3aa32')]",
      "properties": {
        "alertRuleTemplateName": "04528635-a5f1-438b-ab74-21ca7bc3aa32",
        "customDetails": null,
        "description": "'This query shows connections to the Slack Workspace with empty User Agent.'\n",
        "displayName": "SlackAudit - Empty User Agent",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditEmptyUA.yaml",
        "query": "SlackAudit\n| where isempty(UserAgentOriginal)\n| extend AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}