SlackAudit - Public link created for file which can contain sensitive information

SlackAudit
| where Action =~ 'file_public_link_created'
| where EntityFileName == 'id_rsa' or EntityFileName contains 'password' or EntityFileName contains 'key' or EntityFileName contains '_key' or EntityFileName contains '.ssh' or EntityFileName endswith '.npmrc' or EntityFileName endswith '.muttrc' or EntityFileName contains 'config.json' or EntityFileName contains '.gitconfig' or EntityFileName endswith '.netrc' or EntityFileName endswith 'package.json' or EntityFileName endswith 'Gemfile' or EntityFileName endswith 'bower.json' or EntityFileName endswith 'config.gypi' or EntityFileName endswith 'travis.yml'
| extend AccountCustomEntity = SrcUserName
| extend IPCustomEntity = SrcIpAddr

id: 279316e8-8965-47d2-9788-b94dc352c853
tactics:
- Exfiltration
queryPeriod: 1h
triggerThreshold: 0
name: SlackAudit - Public link created for file which can contain sensitive information.
query: |
  SlackAudit
  | where Action =~ 'file_public_link_created'
  | where EntityFileName == 'id_rsa' or EntityFileName contains 'password' or EntityFileName contains 'key' or EntityFileName contains '_key' or EntityFileName contains '.ssh' or EntityFileName endswith '.npmrc' or EntityFileName endswith '.muttrc' or EntityFileName contains 'config.json' or EntityFileName contains '.gitconfig' or EntityFileName endswith '.netrc' or EntityFileName endswith 'package.json' or EntityFileName endswith 'Gemfile' or EntityFileName endswith 'bower.json' or EntityFileName endswith 'config.gypi' or EntityFileName endswith 'travis.yml'
  | extend AccountCustomEntity = SrcUserName
  | extend IPCustomEntity = SrcIpAddr  
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1048
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditSensitiveFile.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: SlackAuditAPI
  dataTypes:
  - SlackAudit_CL
description: |
    'Detects public links for files which potentialy may contain sensitive data such as passwords, authentication tokens, secret keys.'
status: Available
version: 1.0.0
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/279316e8-8965-47d2-9788-b94dc352c853')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/279316e8-8965-47d2-9788-b94dc352c853')]",
      "properties": {
        "alertRuleTemplateName": "279316e8-8965-47d2-9788-b94dc352c853",
        "customDetails": null,
        "description": "'Detects public links for files which potentialy may contain sensitive data such as passwords, authentication tokens, secret keys.'\n",
        "displayName": "SlackAudit - Public link created for file which can contain sensitive information.",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditSensitiveFile.yaml",
        "query": "SlackAudit\n| where Action =~ 'file_public_link_created'\n| where EntityFileName == 'id_rsa' or EntityFileName contains 'password' or EntityFileName contains 'key' or EntityFileName contains '_key' or EntityFileName contains '.ssh' or EntityFileName endswith '.npmrc' or EntityFileName endswith '.muttrc' or EntityFileName contains 'config.json' or EntityFileName contains '.gitconfig' or EntityFileName endswith '.netrc' or EntityFileName endswith 'package.json' or EntityFileName endswith 'Gemfile' or EntityFileName endswith 'bower.json' or EntityFileName endswith 'config.gypi' or EntityFileName endswith 'travis.yml'\n| extend AccountCustomEntity = SrcUserName\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1048"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}