Microsoft Sentinel Analytic Rules

SlackAudit - Public link created for file which can contain sensitive information

Id: 279316e8-8965-47d2-9788-b94dc352c853
Rulename: SlackAudit - Public link created for file which can contain sensitive information.
Description: Detects public links created for files that may contain sensitive data such as passwords, authentication tokens, secret keys, or private configuration files. Tune exclusions using the SlackAuditSensitiveFile_Allowlist_File and SlackAuditSensitiveFile_Allowlist_Account watchlists when known benign files or accounts generate expected public-link activity.
Severity: Medium
Tactics: Exfiltration
Techniques: T1048, T1567.002
Required data connectors: SlackAuditAPI
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditSensitiveFile.yaml
Version: 1.0.1
Arm template: 279316e8-8965-47d2-9788-b94dc352c853.json

let AllowedFiles = toscalar(_GetWatchlist('SlackAuditSensitiveFile_Allowlist_File') | summarize make_set(tostring(SearchKey)));
let AllowedUsers = toscalar(_GetWatchlist('SlackAuditSensitiveFile_Allowlist_Account') | summarize make_set(tostring(SearchKey)));
SlackAudit
| where Action =~ 'file_public_link_created'
| extend FileNameLower = tolower(EntityFileName), UserLower = tolower(SrcUserName)
| where EntityFileName in~ ('id_rsa')
    or FileNameLower has_any ('password', 'secret', 'token', 'credential', 'private key', 'api key')
    or FileNameLower has_any ('.ssh', '.npmrc', '.muttrc', '.gitconfig', '.netrc', 'package.json', 'Gemfile', 'bower.json', 'config.gypi', 'travis.yml', 'config.json')
| where isempty(AllowedFiles) or EntityFileName !in~ (AllowedFiles)
| where isempty(AllowedUsers) or UserLower !in~ (AllowedUsers)
| extend AccountCustomEntity = SrcUserName
| extend IPCustomEntity = SrcIpAddr
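The three `where` predicates of the query above, emulated offline in Python over SlackAudit-shaped records. This is an added example, not code from the Azure-Sentinel solution or from this site: the events, watchlist entries, user names and IP addresses are constructed, and the tokeniser only approximates how KQL `has_any` splits a string into whole terms (punctuation treated as a separator is an assumption). It shows two things the rule text leaves implicit: `has_any` matches whole terms, so a name like `team-passwords.xlsx` does not trip the `'password'` keyword, and each watchlist filter is applied only when that watchlist has entries.

```python
"""Offline emulation of the SlackAuditSensitiveFile detection logic.

Added example: this is not code from the Azure-Sentinel solution. The
term-based matching approximates KQL `has_any` (whole-term, case-insensitive,
punctuation as separator) and is an assumption; all sample events, watchlist
entries, user names and IP addresses are constructed.
"""
import re

# Match lists copied verbatim from the rule's three predicates.
EXACT_NAMES = ("id_rsa",)                                  # EntityFileName in~ (...)
KEYWORD_TERMS = ("password", "secret", "token", "credential",
                 "private key", "api key")                  # FileNameLower has_any (...)
CONFIG_TERMS = (".ssh", ".npmrc", ".muttrc", ".gitconfig", ".netrc",
                "package.json", "Gemfile", "bower.json", "config.gypi",
                "travis.yml", "config.json")                # FileNameLower has_any (...)


def _terms(text):
    """Split text into lowercase alphanumeric terms (approximates Kusto's term
    tokenisation; '.', '-', ' ' and other punctuation separate terms)."""
    return re.findall(r"[a-z0-9]+", text.lower())


def has_term(haystack, needle):
    """Approximate KQL `has`: every term of `needle` must occur in `haystack`
    as a whole term, adjacent and in order. 'passwords' does not satisfy
    has 'password'; 'db-password.txt' does."""
    h, n = _terms(haystack), _terms(needle)
    if not n:
        return False
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def is_sensitive_name(file_name):
    """The rule's file-name predicate: exact id_rsa, or any keyword/config term."""
    lower = file_name.lower()
    if lower in EXACT_NAMES:
        return True
    return any(has_term(lower, t) for t in KEYWORD_TERMS + CONFIG_TERMS)


def run_rule(events, allowed_files=(), allowed_users=()):
    """Apply the rule to SlackAudit-shaped records and return the rows that
    would become alerts. Empty allowlists are ignored, mirroring
    `isempty(AllowedFiles) or EntityFileName !in~ (AllowedFiles)`."""
    files_l = {f.lower() for f in allowed_files}
    users_l = {u.lower() for u in allowed_users}
    hits = []
    for ev in events:
        if ev["Action"].lower() != "file_public_link_created":
            continue
        if not is_sensitive_name(ev["EntityFileName"]):
            continue
        if files_l and ev["EntityFileName"].lower() in files_l:
            continue
        if users_l and ev["SrcUserName"].lower() in users_l:
            continue
        hits.append({
            "FileName": ev["EntityFileName"],
            "AccountCustomEntity": ev["SrcUserName"],   # Account entity mapping
            "IPCustomEntity": ev["SrcIpAddr"],          # IP entity mapping
        })
    return hits


# Constructed SlackAudit-style events (not real audit data).
SAMPLE_EVENTS = [
    {"Action": "file_public_link_created", "EntityFileName": "prod-db-password.txt",
     "SrcUserName": "alice@example.com", "SrcIpAddr": "203.0.113.10"},
    {"Action": "file_public_link_created", "EntityFileName": "package.json",
     "SrcUserName": "bob@example.com", "SrcIpAddr": "203.0.113.11"},
    {"Action": "file_public_link_created", "EntityFileName": "id_rsa",
     "SrcUserName": "ci-bot@example.com", "SrcIpAddr": "198.51.100.7"},
    {"Action": "file_public_link_created", "EntityFileName": "API Key rotation.docx",
     "SrcUserName": "carol@example.com", "SrcIpAddr": "203.0.113.12"},
    # Whole-term matching: 'passwords' is not the term 'password', so no alert.
    {"Action": "file_public_link_created", "EntityFileName": "team-passwords.xlsx",
     "SrcUserName": "dave@example.com", "SrcIpAddr": "203.0.113.13"},
    # Right name, wrong action: the rule only looks at public-link creation.
    {"Action": "file_shared", "EntityFileName": "id_rsa",
     "SrcUserName": "eve@example.com", "SrcIpAddr": "203.0.113.14"},
    {"Action": "file_public_link_created", "EntityFileName": "Q3-roadmap.pdf",
     "SrcUserName": "alice@example.com", "SrcIpAddr": "203.0.113.10"},
]

if __name__ == "__main__":
    for tag, hits in (("untuned", run_rule(SAMPLE_EVENTS)),
                      ("tuned", run_rule(SAMPLE_EVENTS,
                                         allowed_files=("package.json",),
                                         allowed_users=("ci-bot@example.com",)))):
        print(tag, [h["FileName"] for h in hits])
```

With no allowlists, `run_rule` returns four of the seven constructed events; adding `package.json` to the file allowlist and the CI account to the account allowlist drops two of them, which is the tuning path the rule's description points at. The `team-passwords.xlsx` event never alerts because `has_any` is a whole-term match; switching that predicate to `contains` (case-insensitive substring in KQL) would catch it but also widens the rule considerably, so test any such change against your own SlackAudit data before deploying it.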
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
tactics:
- Exfiltration
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
alertDetailsOverride:
  alertDisplayNameFormat: Slack public link created for sensitive file {{EntityFileName}} by {{SrcUserName}}
  alertDescriptionFormat: Public link created for {{EntityFileName}} by {{SrcUserName}} from {{SrcIpAddr}}
id: 279316e8-8965-47d2-9788-b94dc352c853
severity: Medium
status: Available
customDetails:
  Action: Action
  SourceIP: SrcIpAddr
  FileName: EntityFileName
  SourceUser: SrcUserName
  ActorEntity: AccountCustomEntity
  IpEntity: IPCustomEntity
query: |
  let AllowedFiles = toscalar(_GetWatchlist('SlackAuditSensitiveFile_Allowlist_File') | summarize make_set(tostring(SearchKey)));
  let AllowedUsers = toscalar(_GetWatchlist('SlackAuditSensitiveFile_Allowlist_Account') | summarize make_set(tostring(SearchKey)));
  SlackAudit
  | where Action =~ 'file_public_link_created'
  | extend FileNameLower = tolower(EntityFileName), UserLower = tolower(SrcUserName)
  | where EntityFileName in~ ('id_rsa')
      or FileNameLower has_any ('password', 'secret', 'token', 'credential', 'private key', 'api key')
      or FileNameLower has_any ('.ssh', '.npmrc', '.muttrc', '.gitconfig', '.netrc', 'package.json', 'Gemfile', 'bower.json', 'config.gypi', 'travis.yml', 'config.json')
  | where isempty(AllowedFiles) or EntityFileName !in~ (AllowedFiles)
  | where isempty(AllowedUsers) or UserLower !in~ (AllowedUsers)
  | extend AccountCustomEntity = SrcUserName
  | extend IPCustomEntity = SrcIpAddr  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditSensitiveFile.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.1
name: SlackAudit - Public link created for file which can contain sensitive information.
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1048
- T1567.002
description: |
  'Detects public links created for files that may contain sensitive data such as passwords, authentication tokens,
  secret keys, or private configuration files. Tune exclusions using the SlackAuditSensitiveFile_Allowlist_File and SlackAuditSensitiveFile_Allowlist_Account
  watchlists when known benign files or accounts generate expected public-link activity.'  
triggerOperator: gt