SlackAudit
| where TimeGenerated between (ago(14d) .. (1d))
| summarize max(TimeGenerated) by SrcUserName, SrcUserEmail
| join (SlackAudit
| where Action =~ 'user_login'
| project SrcIpAddr, SrcUserName, NewUserEmail = SrcUserEmail) on SrcUserName
| where NewUserEmail != SrcUserEmail
| extend AccountCustomEntity = SrcUserName
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
tactics:
- InitialAccess
requiredDataConnectors:
- dataTypes:
- SlackAudit_CL
connectorId: SlackAuditAPI
alertDetailsOverride:
alertDisplayNameFormat: Slack user email changed for {{SrcUserName}}
alertDescriptionFormat: Slack audit detected a user email change for {{SrcUserName}} from {{SrcUserEmail}} to {{NewUserEmail}}.
id: 9d85feb3-7f54-4181-b143-68abb1a86823
severity: Medium
status: Available
customDetails:
OriginalUserEmail: SrcUserEmail
SourceUserName: SrcUserName
NewUserEmail: NewUserEmail
SourceIpAddress: SrcIpAddr
query: |
SlackAudit
| where TimeGenerated between (ago(14d) .. (1d))
| summarize max(TimeGenerated) by SrcUserName, SrcUserEmail
| join (SlackAudit
| where Action =~ 'user_login'
| project SrcIpAddr, SrcUserName, NewUserEmail = SrcUserEmail) on SrcUserName
| where NewUserEmail != SrcUserEmail
| extend AccountCustomEntity = SrcUserName
| extend IPCustomEntity = SrcIpAddr
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserEmailChanged.yaml
kind: Scheduled
queryPeriod: 14d
version: 1.0.1
name: SlackAudit - User email linked to account changed.
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1078
description: |
'Detects when user email linked to account changes.'
triggerOperator: gt
