Microsoft Sentinel Analytic Rules

SlackAudit - User login after deactivated

Id: e6e99dcb-4dff-48d2-8012-206ca166b36b
Rulename: SlackAudit - User login after deactivated.
Description: Detects when a Slack user account was deactivated and the same user identity later authenticated again within the detection window, which may indicate account reactivation, unauthorized access, or use of a deactivated account. Analyst triage should review the deactivation time, subsequent login time, EntityUserEmail, and EntityUserId to determine whether the login was expected. This rule uses the SlackAuditAPI connector and SlackAudit_CL data type.
Severity: Medium
Tactics: InitialAccess, Persistence, PrivilegeEscalation
Techniques: T1078, T1078.004
Required data connectors: SlackAuditAPI
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml
Version: 1.0.1
Arm template: e6e99dcb-4dff-48d2-8012-206ca166b36b.json
let lbperiod_max_d = 14d;
let lbperiod_min_d = 1d;
let lb_time_max_h = 24h;
SlackAudit
| where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))
| where Action =~ 'user_deactivated'
| summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId
| project deactivation_time, EntityUserEmail, EntityUserId
| join (SlackAudit
      | where TimeGenerated > ago(lb_time_max_h)
      | where Action =~ 'user_login'
      | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity
      | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId
| where EntityUserEmail == SrcUserEmail
| where deactivation_time < new_login_time
| extend AccountCustomEntity = SrcUserEmail
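The correlation the query performs (deactivations from the lookback window, logins from the last 24 hours, joined on the Slack user id, then filtered for matching e-mail and login-after-deactivation) is easy to misread, so the following Python re-implements it over a constructed set of SlackAudit-style rows. This is an added illustration, not code from the Sentinel solution or from this site; the sample events, the "now" timestamp and the field values are all made up, and the time windows are implemented as the query's variable names suggest (deactivations between 14 days and 1 day ago, logins in the last 24 hours). One caveat worth checking in a test workspace before relying on the deployed query: in KQL, when the upper bound of `between` is a timespan rather than a datetime (as in `ago(lbperiod_max_d) .. (lbperiod_min_d)`), it denotes a range of that length starting at the lower bound, not a range ending that long ago. The example also mirrors two details of the query: `=~` is a case-insensitive match on `Action`, while the e-mail comparison with `==` is case-sensitive, so a login whose e-mail differs from the deactivation record (even only in case) does not fire.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference "now" so the constructed sample is deterministic.
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)

# Constructed SlackAudit-style rows (not real data). Deactivation rows carry the
# target user in EntityUserEmail/EntityUserId; login rows carry the actor in
# SrcUserEmail/SrcUserIdentity, exactly as the rule's query reads them.
SAMPLE_EVENTS = [
    # A: deactivated 3 days ago, logged in 2 hours ago -> expected alert
    {"TimeGenerated": NOW - timedelta(days=3), "Action": "user_deactivated",
     "EntityUserEmail": "alice@example.com", "EntityUserId": "U001"},
    {"TimeGenerated": NOW - timedelta(hours=2), "Action": "user_login",
     "SrcUserEmail": "alice@example.com", "SrcUserIdentity": "U001"},
    # B: deactivated 5 days ago, last login 6 days ago -> login outside the 24h window
    {"TimeGenerated": NOW - timedelta(days=5), "Action": "user_deactivated",
     "EntityUserEmail": "bob@example.com", "EntityUserId": "U002"},
    {"TimeGenerated": NOW - timedelta(days=6), "Action": "user_login",
     "SrcUserEmail": "bob@example.com", "SrcUserIdentity": "U002"},
    # C: same user id but a different e-mail on the login -> fails the e-mail check
    {"TimeGenerated": NOW - timedelta(days=4), "Action": "user_deactivated",
     "EntityUserEmail": "carol@example.com", "EntityUserId": "U003"},
    {"TimeGenerated": NOW - timedelta(hours=1), "Action": "user_login",
     "SrcUserEmail": "carol.alias@example.com", "SrcUserIdentity": "U003"},
    # D: deactivated 30 days ago -> outside the 14-day deactivation window
    {"TimeGenerated": NOW - timedelta(days=30), "Action": "user_deactivated",
     "EntityUserEmail": "dave@example.com", "EntityUserId": "U004"},
    {"TimeGenerated": NOW - timedelta(minutes=30), "Action": "user_login",
     "SrcUserEmail": "dave@example.com", "SrcUserIdentity": "U004"},
    # E: deactivated 2 hours ago (mixed-case Action, matched case-insensitively)
    #    -> newer than the 1-day lower bound, so not correlated
    {"TimeGenerated": NOW - timedelta(hours=2), "Action": "User_Deactivated",
     "EntityUserEmail": "eve@example.com", "EntityUserId": "U005"},
    {"TimeGenerated": NOW - timedelta(hours=1), "Action": "user_login",
     "SrcUserEmail": "eve@example.com", "SrcUserIdentity": "U005"},
]


def detect_login_after_deactivation(events, now, lb_max=timedelta(days=14),
                                    lb_min=timedelta(days=1),
                                    login_window=timedelta(hours=24)):
    """Return one alert dict per (email, user id) whose latest login in the
    login window is later than its latest deactivation in the lookback window."""
    deact_start, deact_end = now - lb_max, now - lb_min

    # summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId
    deactivations = {}
    for e in events:
        if e["Action"].lower() != "user_deactivated":        # =~ is case-insensitive
            continue
        if not (deact_start <= e["TimeGenerated"] <= deact_end):
            continue
        key = (e["EntityUserEmail"], e["EntityUserId"])
        deactivations[key] = max(deactivations.get(key, e["TimeGenerated"]), e["TimeGenerated"])

    # summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity
    logins = {}
    for e in events:
        if e["Action"].lower() != "user_login" or e["TimeGenerated"] <= now - login_window:
            continue
        key = (e["SrcUserEmail"], e["SrcUserIdentity"])
        logins[key] = max(logins.get(key, e["TimeGenerated"]), e["TimeGenerated"])

    # join ... on EntityUserId, then EntityUserEmail == SrcUserEmail (case-sensitive)
    # and deactivation_time < new_login_time
    alerts = []
    for (d_email, uid), d_time in deactivations.items():
        for (l_email, l_uid), l_time in logins.items():
            if l_uid != uid or l_email != d_email:
                continue
            if d_time < l_time:
                alerts.append({"AccountCustomEntity": l_email, "SlackUserId": uid,
                               "DeactivationTime": d_time, "NewLoginTime": l_time})
    return alerts


def run_sample():
    """Run the correlation over the constructed sample; only user A should fire."""
    return detect_login_after_deactivation(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Users B through E are the negative cases a detection engineer would want to confirm: a login outside the 24-hour window, an id match with a mismatched e-mail, a deactivation older than the 14-day window, and a deactivation newer than the 1-day lower bound. Only user A produces a row with the same fields the rule surfaces in `customDetails`.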
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
alertDetailsOverride:
  alertDisplayNameFormat: 'Slack user login after deactivation: {{AccountCustomEntity}}'
  alertDescriptionFormat: User {{AccountCustomEntity}} logged in after deactivation; review deactivation_time {{deactivation_time}} and new_login_time {{new_login_time}}.
id: e6e99dcb-4dff-48d2-8012-206ca166b36b
severity: Medium
status: Available
customDetails:
  SlackUserId: EntityUserId
  NewLoginTime: new_login_time
  DeactivationTime: deactivation_time
  SlackUserEmail: EntityUserEmail
query: |
  let lbperiod_max_d = 14d;
  let lbperiod_min_d = 1d;
  let lb_time_max_h = 24h;
  SlackAudit
  | where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))
  | where Action =~ 'user_deactivated'
  | summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId
  | project deactivation_time, EntityUserEmail, EntityUserId
  | join (SlackAudit
        | where TimeGenerated > ago(lb_time_max_h)
        | where Action =~ 'user_login'
        | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity
        | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId
  | where EntityUserEmail == SrcUserEmail
  | where deactivation_time < new_login_time
  | extend AccountCustomEntity = SrcUserEmail
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml
kind: Scheduled
queryPeriod: 14d
version: 1.0.1
name: SlackAudit - User login after deactivated.
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1078
- T1078.004
description: |
  'Detects when a Slack user account was deactivated and the same user identity later authenticated again within
  the detection window, which may indicate account reactivation, unauthorized access, or use of a deactivated account. Analyst
  triage should review the deactivation time, subsequent login time, EntityUserEmail, and EntityUserId to determine whether
  the login was expected. This rule uses the SlackAuditAPI connector and SlackAudit_CL data type.'
triggerOperator: gt