SlackAudit
| where Action =~ 'file_public_link_created'
| where EntityFileName == 'id_rsa' or EntityFileName contains 'password' or EntityFileName contains 'key' or EntityFileName contains '_key' or EntityFileName contains '.ssh' or EntityFileName endswith '.npmrc' or EntityFileName endswith '.muttrc' or EntityFileName contains 'config.json' or EntityFileName contains '.gitconfig' or EntityFileName endswith '.netrc' or EntityFileName endswith 'package.json' or EntityFileName endswith 'Gemfile' or EntityFileName endswith 'bower.json' or EntityFileName endswith 'config.gypi' or EntityFileName endswith 'travis.yml'
| extend AccountCustomEntity = SrcUserName
| extend IPCustomEntity = SrcIpAddr
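# Microsoft Sentinel scheduled analytic rule (Azure-Sentinel repo, Solutions/SlackAudit).
# The original had all indentation stripped: block-scalar content (description, query)
# and sequence items must be indented relative to their key or the file does not parse
# as intended. Re-indented here; key order follows the original (mapping order is not
# significant to the consumer).
queryPeriod: 1h
# Lookback window and run interval are both 1h, so each run inspects exactly the events
# that arrived since the previous run (no overlap, no gap, assuming no ingestion delay).
description: |
  'Detects public links for files which potentially may contain sensitive data such as passwords, authentication tokens, secret keys.'
kind: Scheduled
# Query notes ('#' inside the block scalar below would be part of the KQL, so they live here):
# - In KQL, 'contains' and 'endswith' are case-insensitive; '==' on 'id_rsa' is case-sensitive.
# - "contains 'key'" matches any file name containing "key" (keyboard, monkey, ...) and already
#   subsumes "contains '_key'"; expect false positives and tune per tenant.
# - Manifest files (package.json, Gemfile, bower.json, travis.yml) rarely hold secrets but are
#   kept by the author as indicators of developer content being shared publicly.
# - AccountCustomEntity / IPCustomEntity are the projected columns referenced by entityMappings.
query: |
  SlackAudit
  | where Action =~ 'file_public_link_created'
  | where EntityFileName == 'id_rsa' or EntityFileName contains 'password' or EntityFileName contains 'key' or EntityFileName contains '_key' or EntityFileName contains '.ssh' or EntityFileName endswith '.npmrc' or EntityFileName endswith '.muttrc' or EntityFileName contains 'config.json' or EntityFileName contains '.gitconfig' or EntityFileName endswith '.netrc' or EntityFileName endswith 'package.json' or EntityFileName endswith 'Gemfile' or EntityFileName endswith 'bower.json' or EntityFileName endswith 'config.gypi' or EntityFileName endswith 'travis.yml'
  | extend AccountCustomEntity = SrcUserName
  | extend IPCustomEntity = SrcIpAddr
tactics:
  - Exfiltration
# gt 0: any single matching event raises an alert.
triggerOperator: gt
# Quoted because the path contains a space.
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditSensitiveFile.yaml'
# Stable rule identifier; keep unchanged across versions so deployed rules update in place.
id: 279316e8-8965-47d2-9788-b94dc352c853
version: 1.0.0
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
triggerThreshold: 0
status: Available
relevantTechniques:
  - T1048
name: SlackAudit - Public link created for file which can contain sensitive information.
severity: Medium
requiredDataConnectors:
  - dataTypes:
      - SlackAudit_CL
    connectorId: SlackAuditAPI
queryFrequency: 1h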