Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

SlackAudit - Unknown User Agent

Back
Id3b11f06e-4afd-4ae6-8477-c61136619ac8
RulenameSlackAudit - Unknown User Agent
DescriptionThis query helps to detect who trying to connect to the Slack Workspace with unknown User Agent.
SeverityLow
TacticsCommandAndControl
TechniquesT1071
Required data connectorsSlackAuditAPI
KindScheduled
Query frequency24h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUnknownUA.yaml
Version1.0.1
Arm template3b11f06e-4afd-4ae6-8477-c61136619ac8.json
Deploy To Azure
let lbperiod = 14d;
let known_UAs = SlackAudit
| where TimeGenerated > ago(lbperiod)
| where isnotempty(UserAgentOriginal)
| summarize makeset(UserAgentOriginal);
SlackAudit
| where UserAgentOriginal !in (known_UAs)
| extend AccountCustomEntity = SrcUserName
kind: Scheduled
query: |
  let lbperiod = 14d;
  let known_UAs = SlackAudit
  | where TimeGenerated > ago(lbperiod)
  | where isnotempty(UserAgentOriginal)
  | summarize makeset(UserAgentOriginal);
  SlackAudit
  | where UserAgentOriginal !in (known_UAs)
  | extend AccountCustomEntity = SrcUserName  
relevantTechniques:
- T1071
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
triggerOperator: gt
triggerThreshold: 0
queryPeriod: 14d
tactics:
- CommandAndControl
id: 3b11f06e-4afd-4ae6-8477-c61136619ac8
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUnknownUA.yaml
description: |
    'This query helps to detect who trying to connect to the Slack Workspace with unknown User Agent.'
queryFrequency: 24h
name: SlackAudit - Unknown User Agent
severity: Low
version: 1.0.1
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3b11f06e-4afd-4ae6-8477-c61136619ac8')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3b11f06e-4afd-4ae6-8477-c61136619ac8')]",
      "properties": {
        "alertRuleTemplateName": "3b11f06e-4afd-4ae6-8477-c61136619ac8",
        "customDetails": null,
        "description": "'This query helps to detect who trying to connect to the Slack Workspace with unknown User Agent.'\n",
        "displayName": "SlackAudit - Unknown User Agent",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUnknownUA.yaml",
        "query": "let lbperiod = 14d;\nlet known_UAs = SlackAudit\n| where TimeGenerated > ago(lbperiod)\n| where isnotempty(UserAgentOriginal)\n| summarize makeset(UserAgentOriginal);\nSlackAudit\n| where UserAgentOriginal !in (known_UAs)\n| extend AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT24H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}