Detection rules › Panther
Slack Private Channel Made Public
Detects when a channel that was previously private is made public
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1098 Account Manipulation |
| Defense Impairment | T1222 File and Directory Permissions Modification |
| Exfiltration | T1567 Exfiltration Over Web Service |
Rule body yaml
AnalysisType: rule
Filename: slack_private_channel_made_public.py
RuleID: "Slack.AuditLogs.PrivateChannelMadePublic"
DisplayName: "Slack Private Channel Made Public"
Enabled: true
LogTypes:
- Slack.AuditLogs
Tags:
- Slack
- Defense Evasion
- File and Directory Permissions Modification
- Persistence
- Account Manipulation
- Exfiltration
- Exfiltration Over Web Service
Reports:
MITRE ATT&CK:
- TA0005:T1222
- TA0003:T1098
- TA0010:T1567
Severity: High
Description: Detects when a channel that was previously private is made public
Reference: https://slack.com/intl/en-gb/help/articles/213185467-Convert-a-channel-to-private-or-public
DedupPeriodMinutes: 60
Threshold: 1
SummaryAttributes:
- p_any_ip_addresses
- p_any_emails
Tests:
- Name: Private Channel Made Public
ExpectedResult: true
Log:
{
"action": "private_channel_converted_to_public",
"actor":
{
"type": "user",
"user":
{
"email": "user@example.com",
"id": "A012B3CDEFG",
"name": "username",
"team": "T01234N56GB",
},
},
"context":
{
"ip_address": "1.2.3.4",
"location":
{
"domain": "test-workspace",
"id": "T01234N56GB",
"name": "test-workspace",
"type": "workspace",
},
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
},
}
- Name: User Logout
ExpectedResult: false
Log:
{
"action": "user_logout",
"actor":
{
"type": "user",
"user":
{
"email": "user@example.com",
"id": "W012J3FEWAU",
"name": "primary-owner",
"team": "T01234N56GB",
},
},
"context":
{
"ip_address": "1.2.3.4",
"location":
{
"domain": "test-workspace-1",
"id": "T01234N56GB",
"name": "test-workspace-1",
"type": "workspace",
},
"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
},
"date_create": "2022-07-28 15:22:32",
"entity":
{
"type": "user",
"user":
{
"email": "user@example.com",
"id": "W012J3FEWAU",
"name": "primary-owner",
"team": "T01234N56GB",
},
},
"id": "72cac009-9eb3-4dde-bac6-ee49a32a1789",
}
Detection logic
Condition
action eq "private_channel_converted_to_public"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
action | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
actor-name | actor.user.name |
actor-email | actor.user.email |
actor-ip | context.ip_address |
user-agent | context.ua |
name | entity.channel.name |