SlackAudit - Empty User Agent

Back


Id	04528635-a5f1-438b-ab74-21ca7bc3aa32
Rulename	SlackAudit - Empty User Agent
Description	This query shows connections to the Slack Workspace with empty User Agent.
Severity	Low
Tactics	InitialAccess
Techniques	T1133
Required data connectors	SlackAuditAPI
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditEmptyUA.yaml
Version	1.0.0
Arm template	04528635-a5f1-438b-ab74-21ca7bc3aa32.json

KQL

SlackAudit
| where isempty(UserAgentOriginal)
| extend AccountCustomEntity = SrcUserName

YAML

status: Available
id: 04528635-a5f1-438b-ab74-21ca7bc3aa32
query: |
  SlackAudit
  | where isempty(UserAgentOriginal)
  | extend AccountCustomEntity = SrcUserName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditEmptyUA.yaml
description: |
    'This query shows connections to the Slack Workspace with empty User Agent.'
name: SlackAudit - Empty User Agent
relevantTechniques:
- T1133
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
triggerThreshold: 0
severity: Low
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
queryFrequency: 1d
queryPeriod: 1d
version: 1.0.0
kind: Scheduled
tactics:
- InitialAccess
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/04528635-a5f1-438b-ab74-21ca7bc3aa32')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/04528635-a5f1-438b-ab74-21ca7bc3aa32')]",
      "properties": {
        "alertRuleTemplateName": "04528635-a5f1-438b-ab74-21ca7bc3aa32",
        "customDetails": null,
        "description": "'This query shows connections to the Slack Workspace with empty User Agent.'\n",
        "displayName": "SlackAudit - Empty User Agent",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditEmptyUA.yaml",
        "query": "SlackAudit\n| where isempty(UserAgentOriginal)\n| extend AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}