Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SlackAudit - Public link created for file which can contain sensitive information

SlackAudit - Public link created for file which can contain sensitive information

Back
Id279316e8-8965-47d2-9788-b94dc352c853
RulenameSlackAudit - Public link created for file which can contain sensitive information.
DescriptionDetects public links for files which potentialy may contain sensitive data such as passwords, authentication tokens, secret keys.
SeverityMedium
TacticsExfiltration
TechniquesT1048
Required data connectorsSlackAuditAPI
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditSensitiveFile.yaml
Version1.0.0
Arm template279316e8-8965-47d2-9788-b94dc352c853.json
Deploy To Azure
SlackAudit
| where Action =~ 'file_public_link_created'
| where EntityFileName == 'id_rsa' or EntityFileName contains 'password' or EntityFileName contains 'key' or EntityFileName contains '_key' or EntityFileName contains '.ssh' or EntityFileName endswith '.npmrc' or EntityFileName endswith '.muttrc' or EntityFileName contains 'config.json' or EntityFileName contains '.gitconfig' or EntityFileName endswith '.netrc' or EntityFileName endswith 'package.json' or EntityFileName endswith 'Gemfile' or EntityFileName endswith 'bower.json' or EntityFileName endswith 'config.gypi' or EntityFileName endswith 'travis.yml'
| extend AccountCustomEntity = SrcUserName
| extend IPCustomEntity = SrcIpAddr

description: |
    'Detects public links for files which potentialy may contain sensitive data such as passwords, authentication tokens, secret keys.'
version: 1.0.0
relevantTechniques:
- T1048
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
status: Available
severity: Medium
name: SlackAudit - Public link created for file which can contain sensitive information.
triggerOperator: gt
query: |
  SlackAudit
  | where Action =~ 'file_public_link_created'
  | where EntityFileName == 'id_rsa' or EntityFileName contains 'password' or EntityFileName contains 'key' or EntityFileName contains '_key' or EntityFileName contains '.ssh' or EntityFileName endswith '.npmrc' or EntityFileName endswith '.muttrc' or EntityFileName contains 'config.json' or EntityFileName contains '.gitconfig' or EntityFileName endswith '.netrc' or EntityFileName endswith 'package.json' or EntityFileName endswith 'Gemfile' or EntityFileName endswith 'bower.json' or EntityFileName endswith 'config.gypi' or EntityFileName endswith 'travis.yml'
  | extend AccountCustomEntity = SrcUserName
  | extend IPCustomEntity = SrcIpAddr  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditSensitiveFile.yaml
triggerThreshold: 0
queryFrequency: 1h
queryPeriod: 1h
tactics:
- Exfiltration
id: 279316e8-8965-47d2-9788-b94dc352c853
kind: Scheduled