let lbperiod = 14d;
let known_UAs = SlackAudit
| where TimeGenerated > ago(lbperiod)
| where isnotempty(UserAgentOriginal)
| summarize makeset(UserAgentOriginal);
SlackAudit
| where UserAgentOriginal !in (known_UAs)
| extend AccountCustomEntity = SrcUserName
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
entityType: Account
triggerOperator: gt
tactics:
- CommandAndControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUnknownUA.yaml
version: 1.0.1
query: |
let lbperiod = 14d;
let known_UAs = SlackAudit
| where TimeGenerated > ago(lbperiod)
| where isnotempty(UserAgentOriginal)
| summarize makeset(UserAgentOriginal);
SlackAudit
| where UserAgentOriginal !in (known_UAs)
| extend AccountCustomEntity = SrcUserName
triggerThreshold: 0
relevantTechniques:
- T1071
queryPeriod: 14d
status: Available
severity: Low
kind: Scheduled
name: SlackAudit - Unknown User Agent
queryFrequency: 24h
id: 3b11f06e-4afd-4ae6-8477-c61136619ac8
description: |
'This query helps to detect who trying to connect to the Slack Workspace with unknown User Agent.'
requiredDataConnectors:
- dataTypes:
- SlackAudit_CL
connectorId: SlackAuditAPI
