SlackAudit - Suspicious file downloaded

Back


Id	132b98a5-07e9-401a-9b6f-453e52a53979
Rulename	SlackAudit - Suspicious file downloaded.
Description	Detects potentialy suspicious downloads.
Severity	Medium
Tactics	InitialAccess
Techniques	T1189
Required data connectors	SlackAuditAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditSuspiciousFileDownloaded.yaml
Version	1.0.0
Arm template	132b98a5-07e9-401a-9b6f-453e52a53979.json

KQL

SlackAudit
| where DvcAction =~ 'file_downloaded'
| extend fe = split(EntityFileName, '.')
| where array_length(fe) > 2
| where fe[1] matches regex @"\D+"
| where strlen(fe[1]) < 5
| project EntityFileName, SrcUserName
| extend AccountCustomEntity = SrcUserName
| extend FileCustomEntity = EntityFileName

YAML

query: |
  SlackAudit
  | where DvcAction =~ 'file_downloaded'
  | extend fe = split(EntityFileName, '.')
  | where array_length(fe) > 2
  | where fe[1] matches regex @"\D+"
  | where strlen(fe[1]) < 5
  | project EntityFileName, SrcUserName
  | extend AccountCustomEntity = SrcUserName
  | extend FileCustomEntity = EntityFileName  
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Name
    columnName: FileCustomEntity
  entityType: File
triggerOperator: gt
description: |
    'Detects potentialy suspicious downloads.'
tactics:
- InitialAccess
severity: Medium
queryFrequency: 1h
kind: Scheduled
name: SlackAudit - Suspicious file downloaded.
triggerThreshold: 0
status: Available
id: 132b98a5-07e9-401a-9b6f-453e52a53979
requiredDataConnectors:
- connectorId: SlackAuditAPI
  dataTypes:
  - SlackAudit_CL
relevantTechniques:
- T1189
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditSuspiciousFileDownloaded.yaml
queryPeriod: 1h

ARM