detection.wiki

Detection rules › Panther

Slack Anomaly Detected

Severity
low
Log types
Slack.AuditLogs
Tags
Slack, Command and Control, Application Layer Protocol
Reference
https://api.slack.com/admins/audit-logs-anomaly
Source
github.com/panther-labs/panther-analysis

Passthrough for anomalies detected by Slack

MITRE ATT&CK coverage

TacticTechniques
Command & ControlT1071 Application Layer Protocol

Rule body yaml

AnalysisType: rule
Filename: slack_passthrough_anomaly.py
RuleID: "Slack.AuditLogs.PassthroughAnomaly"
DisplayName: "Slack Anomaly Detected"
Enabled: true
LogTypes:
  - Slack.AuditLogs
Severity: Low
Reports:
  MITRE ATT&CK:
    - TA0011:T1071
Description: Passthrough for anomalies detected by Slack
DedupPeriodMinutes: 60
Threshold: 1
Reference: 
  https://api.slack.com/admins/audit-logs-anomaly
SummaryAttributes:
  - p_any_ip_addresses
  - p_any_emails
Tags:
  - Slack
  - Command and Control
  - Application Layer Protocol
Tests:
  - Name: Name
    ExpectedResult: true
    Log:
      {
        "action": "anomaly",
        "actor": {
          "type": "user",
          "user": {
            "email": "user@example.com",
            "id": "W012J3FEWAU",
            "name": "primary-owner",
            "team": "T01234N56GB"
          }
        },
        "context": {
          "ip_address": "1.2.3.4",
          "location": {
            "domain": "test-workspace-1",
            "id": "T01234N56GB",
            "name": "test-workspace-1",
            "type": "workspace"
          },
          "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
        }
      }
  - Name: User Logout
    ExpectedResult: false
    Log:
      {
        "action": "user_logout",
        "actor": {
          "type": "user",
          "user": {
            "email": "user@example.com",
            "id": "W012J3FEWAU",
            "name": "primary-owner",
            "team": "T01234N56GB"
          }
        },
        "context": {
          "ip_address": "1.2.3.4",
          "location": {
            "domain": "test-workspace-1",
            "id": "T01234N56GB",
            "name": "test-workspace-1",
            "type": "workspace"
          },
          "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
        },
        "date_create": "2022-07-28 15:22:32",
        "entity": {
          "type": "user",
          "user": {
            "email": "user@example.com",
            "id": "W012J3FEWAU",
            "name": "primary-owner",
            "team": "T01234N56GB"
          }
        },
        "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789"
      }
  - Name: Session Fingerprint
    ExpectedResult: true
    Log:
      {
        "action": "anomaly",
        "actor": {
          "type": "user",
          "user": {
            "email": "user@example.com",
            "id": "W012J3FEWAU",
            "name": "primary-owner",
            "team": "T01234N56GB"
          }
        },
        "context": {
          "ip_address": "1.2.3.4",
          "location": {
            "domain": "test-workspace-1",
            "id": "T01234N56GB",
            "name": "test-workspace-1",
            "type": "workspace"
          },
          "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
        },
        "date_create": "2024-08-19 13:54:53.000000000",
        "details": {
          "action_timestamp": 1724075641026703,
          "location": "London, UK",
          "previous_ip_address": "",
          "previous_ua": "",
          "reason": [
            "session_fingerprint"
          ]
        },
        "entity": {
          "type": "user",
          "user": {
            "email": "user@example.com",
            "id": "W012J3FEWAU",
            "name": "primary-owner",
            "team": "T01234N56GB"
          }
        },
        "id": "95edcb27-132a-4420-9229-783b38a16b5a",
        "p_event_time": "2024-08-19 13:54:53.000000000",
        "p_log_type": "Slack.AuditLogs"
      }

Detection logic

Condition

action eq "anomaly"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
actioneq
  • anomaly

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
actor-nameactor.user.name
actor-emailactor.user.email
actor-ipcontext.ip_address
user-agentcontext.ua