let threshold = 10;
SlackAudit
| where DvcAction =~ 'file_uploaded'
| extend FE = tolower(tostring(split(EntityFileName, '.')[-1]))
| where FE in~ ('tar', 'bz2', 'gz', 'tgz', 'z', 'tbz2', 'zst', 'zip', 'zipx', '7z', 'rar', 'sfx')
| summarize UploadCount = count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SrcUserName, bucket = bin(TimeGenerated, 15m)
| where UploadCount > threshold
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
tactics:
- Exfiltration
requiredDataConnectors:
- dataTypes:
- SlackAudit_CL
connectorId: SlackAuditAPI
id: 3db0cb83-5fa4-4310-a8a0-d8d66183f0bd
severity: Low
status: Available
query: |
let threshold = 10;
SlackAudit
| where DvcAction =~ 'file_uploaded'
| extend FE = tolower(tostring(split(EntityFileName, '.')[-1]))
| where FE in~ ('tar', 'bz2', 'gz', 'tgz', 'z', 'tbz2', 'zst', 'zip', 'zipx', '7z', 'rar', 'sfx')
| summarize UploadCount = count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SrcUserName, bucket = bin(TimeGenerated, 15m)
| where UploadCount > threshold
| extend AccountCustomEntity = SrcUserName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditMultipleArchivedFilesUploadedInShortTimePeriod.yaml
kind: Scheduled
queryPeriod: 1d
version: 1.0.1
name: SlackAudit - Multiple archived files uploaded in short period of time
queryFrequency: 1d
triggerThreshold: 0
relevantTechniques:
- T1567
description: |
'This query helps to detect when a user uploads multiple archived files in short period of time.'
triggerOperator: gt
