Microsoft Sentinel Analytic Rules

SlackAudit - Unknown User Agent

Id3b11f06e-4afd-4ae6-8477-c61136619ac8
RulenameSlackAudit - Unknown User Agent
DescriptionThis query helps to detect who is trying to connect to the Slack workspace with an unknown user agent.
SeverityLow
TacticsCommandAndControl
TechniquesT1071
Required data connectorsSlackAuditAPI
KindScheduled
Query frequency24h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUnknownUA.yaml
Version1.0.1
Arm template3b11f06e-4afd-4ae6-8477-c61136619ac8.json
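// Detects Slack audit events whose user agent was not seen during the baseline
// part of the lookback period.
// The baseline ends where the detection window begins. If both covered the same
// time range, every non-empty user agent would already be in known_UAs and could
// never match.
let lbperiod = 14d;            // total lookback; equals the rule's query period
let detection_window = 1d;     // equals the rule's 24h query frequency
let known_UAs = SlackAudit
| where TimeGenerated between (ago(lbperiod) .. ago(detection_window))
| where isnotempty(UserAgentOriginal)
| summarize make_set(UserAgentOriginal);
SlackAudit
| where TimeGenerated > ago(detection_window)
// Rows with an empty UserAgentOriginal are never in the baseline and therefore
// always match; add an isnotempty() filter here if those events are not of interest.
| where UserAgentOriginal !in (known_UAs)
// Expose the acting user under the column used by the Account entity mapping.
| extend AccountCustomEntity = SrcUserName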
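# Scheduled analytic rule: flags Slack audit events whose user agent was not
# seen in the baseline part of the lookback period.
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
name: SlackAudit - Unknown User Agent
# The rule runs once a day; the query's detection window is sized to match.
queryFrequency: 24h
# NOTE(review): T1071 covers command-and-control over application-layer
# protocols. An unfamiliar client connecting to the workspace may map better to
# an access-related technique - confirm the mapping.
tactics:
- CommandAndControl
relevantTechniques:
- T1071
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUnknownUA.yaml
id: 3b11f06e-4afd-4ae6-8477-c61136619ac8
# Must cover the whole lookback (lbperiod) used inside the query.
queryPeriod: 14d
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
kind: Scheduled
query: |
  // The baseline ends where the detection window begins. If both covered the
  // same time range, every non-empty user agent would already be in known_UAs
  // and could never match.
  let lbperiod = 14d;
  let detection_window = 1d;
  let known_UAs = SlackAudit
  | where TimeGenerated between (ago(lbperiod) .. ago(detection_window))
  | where isnotempty(UserAgentOriginal)
  | summarize make_set(UserAgentOriginal);
  SlackAudit
  | where TimeGenerated > ago(detection_window)
  // Rows with an empty UserAgentOriginal are never in the baseline and
  // therefore always match; add an isnotempty() filter here if those events
  // are not of interest.
  | where UserAgentOriginal !in (known_UAs)
  | extend AccountCustomEntity = SrcUserName
# Any returned row raises an alert (more than 0 results).
triggerOperator: gt
severity: Low
description: |
    'This query helps to detect who trying to connect to the Slack Workspace with unknown User Agent.'
triggerThreshold: 0
# Left at the published value; increment it when the query change is released.
version: 1.0.1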
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3b11f06e-4afd-4ae6-8477-c61136619ac8')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3b11f06e-4afd-4ae6-8477-c61136619ac8')]",
      "properties": {
        "alertRuleTemplateName": "3b11f06e-4afd-4ae6-8477-c61136619ac8",
        "customDetails": null,
        "description": "'This query helps to detect who trying to connect to the Slack Workspace with unknown User Agent.'\n",
        "displayName": "SlackAudit - Unknown User Agent",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUnknownUA.yaml",
        "query": "let lbperiod = 14d;\nlet known_UAs = SlackAudit\n| where TimeGenerated > ago(lbperiod)\n| where isnotempty(UserAgentOriginal)\n| summarize makeset(UserAgentOriginal);\nSlackAudit\n| where UserAgentOriginal !in (known_UAs)\n| extend AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT24H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}