SlackAudit - Suspicious file downloaded

Back


Id	132b98a5-07e9-401a-9b6f-453e52a53979
Rulename	SlackAudit - Suspicious file downloaded.
Description	Detects potentialy suspicious downloads.
Severity	Medium
Tactics	InitialAccess
Techniques	T1189
Required data connectors	SlackAuditAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditSuspiciousFileDownloaded.yaml
Version	1.0.0
Arm template	132b98a5-07e9-401a-9b6f-453e52a53979.json

KQL

SlackAudit
| where DvcAction =~ 'file_downloaded'
| extend fe = split(EntityFileName, '.')
| where array_length(fe) > 2
| where fe[1] matches regex @"\D+"
| where strlen(fe[1]) < 5
| project EntityFileName, SrcUserName
| extend AccountCustomEntity = SrcUserName
| extend FileCustomEntity = EntityFileName

YAML

name: SlackAudit - Suspicious file downloaded.
query: |
  SlackAudit
  | where DvcAction =~ 'file_downloaded'
  | extend fe = split(EntityFileName, '.')
  | where array_length(fe) > 2
  | where fe[1] matches regex @"\D+"
  | where strlen(fe[1]) < 5
  | project EntityFileName, SrcUserName
  | extend AccountCustomEntity = SrcUserName
  | extend FileCustomEntity = EntityFileName  
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
- entityType: File
  fieldMappings:
  - columnName: FileCustomEntity
    identifier: Name
queryPeriod: 1h
version: 1.0.0
tactics:
- InitialAccess
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditSuspiciousFileDownloaded.yaml
relevantTechniques:
- T1189
id: 132b98a5-07e9-401a-9b6f-453e52a53979
severity: Medium
requiredDataConnectors:
- connectorId: SlackAuditAPI
  dataTypes:
  - SlackAudit_CL
status: Available
description: |
    'Detects potentialy suspicious downloads.'
queryFrequency: 1h

ARM