SlackAudit - Suspicious file downloaded

Back


Id	132b98a5-07e9-401a-9b6f-453e52a53979
Rulename	SlackAudit - Suspicious file downloaded.
Description	Detects potentialy suspicious downloads.
Severity	Medium
Tactics	InitialAccess
Techniques	T1189
Required data connectors	SlackAuditAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditSuspiciousFileDownloaded.yaml
Version	1.0.0
Arm template	132b98a5-07e9-401a-9b6f-453e52a53979.json

KQL

SlackAudit
| where DvcAction =~ 'file_downloaded'
| extend fe = split(EntityFileName, '.')
| where array_length(fe) > 2
| where fe[1] matches regex @"\D+"
| where strlen(fe[1]) < 5
| project EntityFileName, SrcUserName
| extend AccountCustomEntity = SrcUserName
| extend FileCustomEntity = EntityFileName

YAML

status: Available
queryFrequency: 1h
id: 132b98a5-07e9-401a-9b6f-453e52a53979
tactics:
- InitialAccess
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: FileCustomEntity
    identifier: Name
  entityType: File
requiredDataConnectors:
- connectorId: SlackAuditAPI
  dataTypes:
  - SlackAudit_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditSuspiciousFileDownloaded.yaml
version: 1.0.0
query: |
  SlackAudit
  | where DvcAction =~ 'file_downloaded'
  | extend fe = split(EntityFileName, '.')
  | where array_length(fe) > 2
  | where fe[1] matches regex @"\D+"
  | where strlen(fe[1]) < 5
  | project EntityFileName, SrcUserName
  | extend AccountCustomEntity = SrcUserName
  | extend FileCustomEntity = EntityFileName  
description: |
    'Detects potentialy suspicious downloads.'
relevantTechniques:
- T1189
triggerThreshold: 0
queryPeriod: 1h
triggerOperator: gt
name: SlackAudit - Suspicious file downloaded.
severity: Medium
kind: Scheduled

ARM