SlackAudit - Unknown User Agent

Back


Id	3b11f06e-4afd-4ae6-8477-c61136619ac8
Rulename	SlackAudit - Unknown User Agent
Description	This query helps to detect who trying to connect to the Slack Workspace with unknown User Agent.
Severity	Low
Tactics	CommandAndControl
Techniques	T1071
Required data connectors	SlackAuditAPI
Kind	Scheduled
Query frequency	24h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUnknownUA.yaml
Version	1.0.1
Arm template	3b11f06e-4afd-4ae6-8477-c61136619ac8.json

KQL

let lbperiod = 14d;
let known_UAs = SlackAudit
| where TimeGenerated > ago(lbperiod)
| where isnotempty(UserAgentOriginal)
| summarize makeset(UserAgentOriginal);
SlackAudit
| where UserAgentOriginal !in (known_UAs)
| extend AccountCustomEntity = SrcUserName

YAML

relevantTechniques:
- T1071
name: SlackAudit - Unknown User Agent
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
triggerThreshold: 0
id: 3b11f06e-4afd-4ae6-8477-c61136619ac8
tactics:
- CommandAndControl
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUnknownUA.yaml
queryPeriod: 14d
kind: Scheduled
queryFrequency: 24h
severity: Low
status: Available
description: |
    'This query helps to detect who trying to connect to the Slack Workspace with unknown User Agent.'
query: |
  let lbperiod = 14d;
  let known_UAs = SlackAudit
  | where TimeGenerated > ago(lbperiod)
  | where isnotempty(UserAgentOriginal)
  | summarize makeset(UserAgentOriginal);
  SlackAudit
  | where UserAgentOriginal !in (known_UAs)
  | extend AccountCustomEntity = SrcUserName  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3b11f06e-4afd-4ae6-8477-c61136619ac8')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3b11f06e-4afd-4ae6-8477-c61136619ac8')]",
      "properties": {
        "alertRuleTemplateName": "3b11f06e-4afd-4ae6-8477-c61136619ac8",
        "customDetails": null,
        "description": "'This query helps to detect who trying to connect to the Slack Workspace with unknown User Agent.'\n",
        "displayName": "SlackAudit - Unknown User Agent",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUnknownUA.yaml",
        "query": "let lbperiod = 14d;\nlet known_UAs = SlackAudit\n| where TimeGenerated > ago(lbperiod)\n| where isnotempty(UserAgentOriginal)\n| summarize makeset(UserAgentOriginal);\nSlackAudit\n| where UserAgentOriginal !in (known_UAs)\n| extend AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT24H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}