Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SlackAudit - Public link created for file which can contain sensitive information

SlackAudit - Public link created for file which can contain sensitive information

Back
Id279316e8-8965-47d2-9788-b94dc352c853
RulenameSlackAudit - Public link created for file which can contain sensitive information.
DescriptionDetects public links for files which potentialy may contain sensitive data such as passwords, authentication tokens, secret keys.
SeverityMedium
TacticsExfiltration
TechniquesT1048
Required data connectorsSlackAuditAPI
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditSensitiveFile.yaml
Version1.0.0
Arm template279316e8-8965-47d2-9788-b94dc352c853.json
Deploy To Azure
SlackAudit
| where Action =~ 'file_public_link_created'
| where EntityFileName == 'id_rsa' or EntityFileName contains 'password' or EntityFileName contains 'key' or EntityFileName contains '_key' or EntityFileName contains '.ssh' or EntityFileName endswith '.npmrc' or EntityFileName endswith '.muttrc' or EntityFileName contains 'config.json' or EntityFileName contains '.gitconfig' or EntityFileName endswith '.netrc' or EntityFileName endswith 'package.json' or EntityFileName endswith 'Gemfile' or EntityFileName endswith 'bower.json' or EntityFileName endswith 'config.gypi' or EntityFileName endswith 'travis.yml'
| extend AccountCustomEntity = SrcUserName
| extend IPCustomEntity = SrcIpAddr

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditSensitiveFile.yaml
name: SlackAudit - Public link created for file which can contain sensitive information.
requiredDataConnectors:
- connectorId: SlackAuditAPI
  dataTypes:
  - SlackAudit_CL
severity: Medium
query: |
  SlackAudit
  | where Action =~ 'file_public_link_created'
  | where EntityFileName == 'id_rsa' or EntityFileName contains 'password' or EntityFileName contains 'key' or EntityFileName contains '_key' or EntityFileName contains '.ssh' or EntityFileName endswith '.npmrc' or EntityFileName endswith '.muttrc' or EntityFileName contains 'config.json' or EntityFileName contains '.gitconfig' or EntityFileName endswith '.netrc' or EntityFileName endswith 'package.json' or EntityFileName endswith 'Gemfile' or EntityFileName endswith 'bower.json' or EntityFileName endswith 'config.gypi' or EntityFileName endswith 'travis.yml'
  | extend AccountCustomEntity = SrcUserName
  | extend IPCustomEntity = SrcIpAddr  
kind: Scheduled
queryFrequency: 1h
tactics:
- Exfiltration
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
status: Available
relevantTechniques:
- T1048
triggerThreshold: 0
triggerOperator: gt
description: |
    'Detects public links for files which potentialy may contain sensitive data such as passwords, authentication tokens, secret keys.'
id: 279316e8-8965-47d2-9788-b94dc352c853
queryPeriod: 1h
version: 1.0.0