What Changed

Content Doctor recommendations applied across 9 analytic rules, 10 hunting queries, and the solution workbook. All detection logic received substantial improvements including enhanced KQL queries, custom alert details, and refined entity mappings.

Detection Logic

Primary data source: SlackAudit table

Core improvements across all rules:

  • Added alertDetailsOverride sections with dynamic alert titles and descriptions
  • Introduced customDetails for enriched context (user names, IP addresses, file details, action types)
  • Enhanced entity mappings with cleaner field structures
  • Improved KQL logic with better data type handling and filtering

Key logic enhancements:

  • SlackAuditSensitiveFile: Added watchlist integration for AllowedFiles/AllowedUsers, expanded sensitive file detection patterns
  • SlackAuditMultipleFailedLoginsForUser: Refined failed login thresholds and time bucketing
  • SlackAuditMultipleArchivedFilesUploadedInShortTimePeriod: Improved file extension detection with case-insensitive matching
  • SlackAuditSuspiciousFileDownloaded: Enhanced file extension regex patterns for better accuracy
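As an added illustration (not one of the solution's own rule files), the following Sentinel scheduled-rule YAML shows how the changes listed above fit together: a watchlist-backed allowlist for files and users, case-insensitive extension matching, customDetails, entity mappings and an alertDetailsOverride. The SlackAudit column names (UserName, SrcIpAddr, FileName, ActionName), the action values and the sensitive-file regex are assumptions for the example, not taken from the solution.

```yaml
id: 00000000-0000-0000-0000-000000000000   # placeholder GUID, not a real rule id
name: Sensitive file shared in Slack (illustrative)
description: |
  Flags Slack file events whose name matches a sensitive-file pattern, unless the
  file or the acting user is listed on an analyst-maintained allowlist watchlist.
severity: Medium
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
relevantTechniques:
  - T1567.002
query: |
  // Allowlists come from the AllowedFiles/AllowedUsers watchlists; SearchKey is each watchlist's key column.
  let AllowedFiles = _GetWatchlist('AllowedFiles') | project SearchKey = tolower(SearchKey);
  let AllowedUsers = _GetWatchlist('AllowedUsers') | project SearchKey = tolower(SearchKey);
  SlackAudit
  | where ActionName has_any ("file_shared", "file_public_link_created")   // assumed action names
  | extend FileLower = tolower(FileName)                                   // case-insensitive matching
  | where FileLower matches regex @"(password|secret|\.pem$|\.pfx$|\.key$)" // assumed patterns
  | where FileLower !in (AllowedFiles)                                     // allowlisted file names
  | where tolower(UserName) !in (AllowedUsers)                             // allowlisted users
  | project TimeGenerated, UserName, SrcIpAddr, FileName, ActionName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: FileName
customDetails:
  Action: ActionName
  File: FileName
  SourceIP: SrcIpAddr
alertDetailsOverride:
  alertDisplayNameFormat: "Sensitive file {{FileName}} shared by {{UserName}}"
  alertDescriptionFormat: "{{UserName}} performed {{ActionName}} on {{FileName}} from {{SrcIpAddr}}"
version: 1.0.0
kind: Scheduled
```

Because the allowlists live in watchlists rather than in the query text, analysts can tune false positives without editing or redeploying the rule.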

Hunting queries upgraded: All 10 queries received description improvements, enhanced tactics/techniques mapping, and refined KQL logic for better threat hunting coverage.

MITRE Mapping

Expanded MITRE ATT&CK coverage includes:

  • T1567.002 (Exfiltration to Cloud Storage) added to sensitive file public link detection
  • T1071.001 (Application Layer Protocol: Web Protocols) added to unknown user agent detection
  • T1078.004 (Valid Accounts: Cloud Accounts) added to post-deactivation login detection
  • T1098.003 (Account Manipulation: Additional Cloud Roles) added to multiple hunting queries

All technique mappings were extracted from each rule's YAML relevantTechniques field; together they cover the workspace security scenarios listed above.

Affected Files

Solutions/SlackAudit/Analytic Rules/SlackAuditEmptyUA.yaml
Solutions/SlackAudit/Analytic Rules/SlackAuditMultipleArchivedFilesUploadedInShortTimePeriod.yaml
Solutions/SlackAudit/Analytic Rules/SlackAuditMultipleFailedLoginsForUser.yaml
Solutions/SlackAudit/Analytic Rules/SlackAuditSensitiveFile.yaml
Solutions/SlackAudit/Analytic Rules/SlackAuditSuspiciousFileDownloaded.yaml
Solutions/SlackAudit/Analytic Rules/SlackAuditUnknownUA.yaml
Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml
Solutions/SlackAudit/Analytic Rules/SlackAuditUserEmailChanged.yaml
Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml
Solutions/SlackAudit/Hunting Queries/SlackAuditApplicationsInstalled.yaml
Solutions/SlackAudit/Hunting Queries/SlackAuditDeactivatedUsers.yaml
Solutions/SlackAudit/Hunting Queries/SlackAuditDownloadedFilesByUser.yaml
Solutions/SlackAudit/Hunting Queries/SlackAuditFailedLoginsUnknownUsername.yaml
Solutions/SlackAudit/Hunting Queries/SlackAuditNewUsers.yaml
Solutions/SlackAudit/Hunting Queries/SlackAuditSuspiciousFilesDownloaded.yaml
Solutions/SlackAudit/Hunting Queries/SlackAuditUploadedFilesByUser.yaml
Solutions/SlackAudit/Hunting Queries/SlackAuditUserLoginsByIP.yaml
Solutions/SlackAudit/Hunting Queries/SlackAuditUserPermissionsChanged.yaml
Solutions/SlackAudit/Hunting Queries/SlackAuditUsersJoinedChannelsWithoutInvites.yaml
Solutions/SlackAudit/Workbooks/SlackAudit.json
(packaging artefacts: 3.0.6.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json)