Detection rules › Panther
Slack Microsoft Intune Mobile Device Management Disabled
Detects when Microsoft Intune MDM integration is disabled for Slack, removing mobile security controls and enabling data exfiltration via unmanaged devices. Intune enforces policies preventing copy/paste to unmanaged apps, requires device encryption, blocks jailbroken devices, and enables remote wipe. Disabling these controls allows unrestricted Slack access from personal or compromised devices without security restrictions.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562.001 Impair Defenses: Disable or Modify Tools |
| Exfiltration | T1567 Exfiltration Over Web Service |
Rule body

```yaml
AnalysisType: rule
Filename: slack_intune_mdm_disabled.py
RuleID: "Slack.AuditLogs.IntuneMDMDisabled"
DisplayName: "Slack Microsoft Intune Mobile Device Management Disabled"
Enabled: true
LogTypes:
  - Slack.AuditLogs
Tags:
  - Slack
  - Defense Evasion
  - Impair Defenses
  - Disable or Modify Tools
  - Mobile Security
  - Data Loss Prevention
Reports:
  MITRE ATT&CK:
    - TA0005:T1562.001
    - TA0010:T1567
Severity: Critical
Description: >
  Detects when Microsoft Intune MDM integration is disabled for Slack, removing mobile security controls and enabling data exfiltration via unmanaged devices. Intune enforces policies preventing copy/paste to unmanaged apps, requires device encryption, blocks jailbroken devices, and enables remote wipe. Disabling these controls allows unrestricted Slack access from personal or compromised devices without security restrictions.
Reference: https://slack.com/intl/en-gb/help/articles/6495319642387-Set-up-Slack-for-Intune-mobile-apps
Runbook: |
  1. Query Slack audit logs for all security control modifications by actor.user.email in the 30 days around this event including EKM changes, data retention policy modifications, export permission changes, and session management settings to identify a pattern of defense evasion
  2. Search Slack audit logs for mobile app login events, file downloads, and data exports during the period when Intune MDM was disabled to detect potential data exfiltration via unmanaged mobile devices
  3. Review Microsoft Intune admin logs and Azure AD audit logs for correlated suspicious activity by the same actor such as removing devices from management or disabling other mobile security policies
DedupPeriodMinutes: 60
Threshold: 1
SummaryAttributes:
  - p_any_ip_addresses
  - p_any_emails
Tests:
  - Name: Intune Disabled
    ExpectedResult: true
    Log:
      {
        "action": "intune_disabled",
        "actor": {
          "type": "user",
          "user": {
            "email": "user@example.com",
            "id": "A012B3CDEFG",
            "name": "username",
            "team": "T01234N56GB",
          },
        },
        "context": {
          "ip_address": "1.2.3.4",
          "location": {
            "domain": "test-workspace",
            "id": "T01234N56GB",
            "name": "test-workspace",
            "type": "workspace",
          },
          "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
        },
      }
  - Name: User Logout
    ExpectedResult: false
    Log:
      {
        "action": "user_logout",
        "actor": {
          "type": "user",
          "user": {
            "email": "user@example.com",
            "id": "W012J3FEWAU",
            "name": "primary-owner",
            "team": "T01234N56GB",
          },
        },
        "context": {
          "ip_address": "1.2.3.4",
          "location": {
            "domain": "test-workspace-1",
            "id": "T01234N56GB",
            "name": "test-workspace-1",
            "type": "workspace",
          },
          "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
        },
        "date_create": "2022-07-28 15:22:32",
        "entity": {
          "type": "user",
          "user": {
            "email": "user@example.com",
            "id": "W012J3FEWAU",
            "name": "primary-owner",
            "team": "T01234N56GB",
          },
        },
        "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789",
      }
```
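The rule body above names a Python file, `slack_intune_mdm_disabled.py`, but the page does not show its contents. The block below is an added example, not the catalog's or Panther's own rule file: it reimplements the single condition (`action eq "intune_disabled"`), the alert title, the output fields listed under "Output fields", and runbook step 1 (other security-control changes by the same actor within 30 days) over plain Python dicts, then evaluates it against the two test events from the rule body. Assumptions: events are dicts rather than Panther's event object (the `deep_get` helper is local to this example); the first test event has no `date_create` on the page, so a timestamp is constructed for it; and the control-action names in `CONTROL_ACTIONS` other than `intune_disabled` are hypothetical placeholders, not Slack's real audit action strings.

```python
from datetime import datetime, timedelta
from typing import Any, Dict, Iterable, List, Optional

# The one value the rule's condition matches on (from the rule body).
INTUNE_DISABLED_ACTION = "intune_disabled"
SLACK_TS = "%Y-%m-%d %H:%M:%S"  # date_create format used by the page's test events


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts; a Slack audit event may omit nested keys."""
    cur = obj
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return default if cur is None else cur


def rule(event: Dict[str, Any]) -> bool:
    """Detection logic: alert when the audit log records Intune MDM being disabled."""
    return event.get("action") == INTUNE_DISABLED_ACTION


def title(event: Dict[str, Any]) -> str:
    """Alert title built from the actor and workspace the output fields reference."""
    actor = deep_get(event, "actor", "user", "email", default="<unknown actor>")
    domain = deep_get(event, "context", "location", "domain", default="<unknown workspace>")
    return f"Slack Microsoft Intune MDM disabled by {actor} in {domain}"


def alert_context(event: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """The output fields the page lists, mapped from their source paths."""
    return {
        "actor-name": deep_get(event, "actor", "user", "name"),
        "actor-email": deep_get(event, "actor", "user", "email"),
        "actor-ip": deep_get(event, "context", "ip_address"),
        "user-agent": deep_get(event, "context", "ua"),
        "domain": deep_get(event, "context", "location", "domain"),
    }


# Hypothetical control-action names (only intune_disabled is from the page).
CONTROL_ACTIONS = {INTUNE_DISABLED_ACTION, "ekm_unenrolled", "retention_policy_changed", "export_permission_changed"}


def related_control_changes(events: Iterable[Dict[str, Any]], anchor: Dict[str, Any],
                            control_actions: set, window_days: int = 30) -> List[Dict[str, Any]]:
    """Runbook step 1: other control changes by the anchor's actor within +/- window_days."""
    actor = deep_get(anchor, "actor", "user", "email")
    center = datetime.strptime(anchor["date_create"], SLACK_TS)
    window = timedelta(days=window_days)
    hits = []
    for ev in events:
        if ev is anchor or ev.get("action") not in control_actions:
            continue
        if deep_get(ev, "actor", "user", "email") != actor:
            continue
        if abs(datetime.strptime(ev["date_create"], SLACK_TS) - center) <= window:
            hits.append(ev)
    return sorted(hits, key=lambda e: e["date_create"])


UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"

# Test event 1 from the rule body; date_create is constructed (absent on the page).
INTUNE_DISABLED_EVENT = {
    "action": "intune_disabled",
    "actor": {"type": "user", "user": {"email": "user@example.com", "id": "A012B3CDEFG", "name": "username", "team": "T01234N56GB"}},
    "context": {"ip_address": "1.2.3.4", "location": {"domain": "test-workspace", "id": "T01234N56GB", "name": "test-workspace", "type": "workspace"}, "ua": UA},
    "date_create": "2022-07-28 15:22:32",
}
# Test event 2 from the rule body (fields the rule reads).
USER_LOGOUT_EVENT = {
    "action": "user_logout",
    "actor": {"type": "user", "user": {"email": "user@example.com", "id": "W012J3FEWAU", "name": "primary-owner", "team": "T01234N56GB"}},
    "context": {"ip_address": "1.2.3.4", "location": {"domain": "test-workspace-1", "id": "T01234N56GB", "name": "test-workspace-1", "type": "workspace"}, "ua": UA},
    "date_create": "2022-07-28 15:22:32",
    "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789",
}


def _audit_event(action: str, email: str, date_create: str) -> Dict[str, Any]:
    """Constructed minimal audit event for the runbook sample below."""
    return {"action": action, "actor": {"type": "user", "user": {"email": email}}, "date_create": date_create}


# Constructed sample audit log around the anchor event (2022-07-28).
SAMPLE_AUDIT_LOG = [
    INTUNE_DISABLED_EVENT,
    _audit_event("ekm_unenrolled", "user@example.com", "2022-07-20 09:00:00"),           # 8 days before: in window
    _audit_event("retention_policy_changed", "user@example.com", "2022-08-10 11:30:00"), # 13 days after: in window
    _audit_event("export_permission_changed", "user@example.com", "2022-05-01 08:00:00"),# 88 days before: outside
    _audit_event("ekm_unenrolled", "other@example.com", "2022-07-27 10:00:00"),          # different actor
    USER_LOGOUT_EVENT,                                                                    # not a control change
]


def run_tests() -> Dict[str, bool]:
    """Evaluate rule() against the two test events; mirrors ExpectedResult in the YAML."""
    return {"Intune Disabled": rule(INTUNE_DISABLED_EVENT), "User Logout": rule(USER_LOGOUT_EVENT)}


if __name__ == "__main__":
    print(run_tests())
    print(title(INTUNE_DISABLED_EVENT))
    print(alert_context(INTUNE_DISABLED_EVENT))
    for ev in related_control_changes(SAMPLE_AUDIT_LOG, INTUNE_DISABLED_EVENT, CONTROL_ACTIONS):
        print(ev["date_create"], ev["action"])
```

`run_tests()` reproduces the YAML's two `ExpectedResult` values, and `related_control_changes()` keeps only the same-actor events inside the 30-day window, which is the pivot the runbook asks for before looking at Intune and Azure AD logs.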
Detection logic
Condition
action eq "intune_disabled"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| action | eq | intune_disabled |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| actor-name | actor.user.name |
| actor-email | actor.user.email |
| actor-ip | context.ip_address |
| user-agent | context.ua |
| domain | context.location.domain |