Microsoft Sentinel Analytic Rules
cloudbrothers.info Azure Sentinel Repo

SlackAudit - User role changed to admin or owner

Id: be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e
Rulename: SlackAudit - User role changed to admin or owner
Description: This query detects Slack audit events where a user role is changed to admin or owner, indicating potential privilege escalation or persistence activity. It monitors role change actions in Slack audit logs and maps the affected user as the primary account entity for investigation.
Severity: Low
Tactics: Persistence, PrivilegeEscalation
Techniques: T1098, T1078
Required data connectors: SlackAuditAPI
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml
Version: 1.0.1
Arm template: be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e.json
SlackAudit
| where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
tactics:
- Persistence
- PrivilegeEscalation
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
alertDetailsOverride:
  alertDisplayNameFormat: Slack user role changed to {{AccountCustomEntity}}
  alertDescriptionFormat: Slack role change action {{DvcAction}} affected user {{AccountCustomEntity}}
id: be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e
severity: Low
status: Available
customDetails:
  AffectedUser: AccountCustomEntity
  Action: DvcAction
query: |
  SlackAudit
  | where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')
  | extend AccountCustomEntity = SrcUserName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.1
name: SlackAudit - User role changed to admin or owner
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1098
- T1078
description: |
  'This query detects Slack audit events where a user role is changed to admin or owner, indicating potential privilege
  escalation or persistence activity. It monitors role change actions in Slack audit logs and maps the affected user as the
  primary account entity for investigation.'  
triggerOperator: gt
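The rule's two-line KQL query plus its alertDetailsOverride and customDetails, emulated in Python over a handful of constructed Slack audit records so the matching can be checked offline. This is an added example, not code from the Azure Sentinel SlackAudit solution or from this site. Assumptions not stated on the page: the SlackAudit parser exposes the Slack audit `action` as `DvcAction` and the changed user (`entity.user.name`) as `SrcUserName`; the sample records, their names and timestamps are made up; the `Actor` and `SelfGrant` fields are an enrichment beyond what the rule itself emits. The uppercase action in record 3 exists only to show what `in~` (case-insensitive `in`) accepts; real Slack action names are lowercase.

```python
import json

# Constructed sample (not real data): JSON-lines records shaped like Slack Audit
# Logs API entries, one record per line. Only record 1 and 3 are role escalations;
# record 2 is a demotion to "user" and record 4 is an unrelated login.
SAMPLE_AUDIT_LOG = """
{"id": "1", "date_create": 1700000000, "action": "role_change_to_admin", "actor": {"type": "user", "user": {"id": "W1", "name": "alice"}}, "entity": {"type": "user", "user": {"id": "W2", "name": "bob"}}}
{"id": "2", "date_create": 1700000060, "action": "role_change_to_user", "actor": {"type": "user", "user": {"id": "W1", "name": "alice"}}, "entity": {"type": "user", "user": {"id": "W3", "name": "carol"}}}
{"id": "3", "date_create": 1700000120, "action": "ROLE_CHANGE_TO_OWNER", "actor": {"type": "user", "user": {"id": "W4", "name": "mallory"}}, "entity": {"type": "user", "user": {"id": "W4", "name": "mallory"}}}
{"id": "4", "date_create": 1700000180, "action": "user_login", "actor": {"type": "user", "user": {"id": "W2", "name": "bob"}}, "entity": {"type": "user", "user": {"id": "W2", "name": "bob"}}}
"""

# The action list from the rule's "where DvcAction in~ (...)" clause.
WATCHED_ACTIONS = ("role_change_to_admin", "role_change_to_owner")


def normalize(entry):
    """Map one raw Slack audit record onto the column names the rule queries.

    Assumption (not on the page): the SlackAudit parser puts the Slack 'action'
    in DvcAction and the user whose role changed (entity.user.name) in
    SrcUserName. The actor is carried along separately for triage.
    """
    return {
        "TimeGenerated": entry["date_create"],
        "DvcAction": entry["action"],
        "SrcUserName": entry["entity"]["user"]["name"],
        "ActorUserName": entry["actor"]["user"]["name"],
    }


def kql_in_ci(value, candidates):
    """Emulate KQL 'in~': case-insensitive membership test."""
    return value.casefold() in {c.casefold() for c in candidates}


def run_rule(raw_log):
    """Apply the rule's filter, entity mapping and alert formatting.

    With triggerThreshold 0 and operator gt, Sentinel raises an alert whenever
    the query returns any rows; here each matching row becomes one alert dict.
    """
    alerts = []
    for line in raw_log.strip().splitlines():
        row = normalize(json.loads(line))
        if not kql_in_ci(row["DvcAction"], WATCHED_ACTIONS):
            continue
        # "| extend AccountCustomEntity = SrcUserName"
        row["AccountCustomEntity"] = row["SrcUserName"]
        alerts.append({
            # alertDetailsOverride templates from the YAML
            "AlertDisplayName": f"Slack user role changed to {row['AccountCustomEntity']}",
            "AlertDescription": (
                f"Slack role change action {row['DvcAction']} "
                f"affected user {row['AccountCustomEntity']}"
            ),
            # customDetails from the YAML
            "AffectedUser": row["AccountCustomEntity"],
            "Action": row["DvcAction"],
            # Enrichment beyond the rule: who made the change, and whether the
            # target promoted themselves (a pattern worth a higher severity).
            "Actor": row["ActorUserName"],
            "SelfGrant": row["ActorUserName"] == row["SrcUserName"],
        })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_AUDIT_LOG):
        print(json.dumps(alert))
```

Running it yields two alerts (for bob and mallory); the demotion and the login are dropped, and the uppercase `ROLE_CHANGE_TO_OWNER` still matches because `in~` ignores case. The `SelfGrant` flag on the mallory record is not something the shipped rule computes; it is the kind of enrichment a practitioner would consider adding, since a user granting owner to their own account is a stronger signal than a routine admin-initiated promotion.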