[New Rule][BBR] A user previewed a Slack channel without joining

### Description

Detects when a user previews a Slack channel and does not join within a minute, which could be indicative of performing recon or attempting to locate sensitive information.

### Target Ruleset

other

### Target Rule Type

Event Correlation (EQL)

### Tested ECS Version

_No response_

### Query

Must first set the `event_category_override` to `slack.audit.entity.entity_type`

```sql
sequence by user.email, slack.audit.entity.name with maxspan=60s
  [channel where event.action == "public_channel_preview"]
  ![channel where event.action == "user_channel_join"]
```

### New fields required in ECS/data sources for this rule?

`slack.*`

### Related issues or PRs

_No response_

### References

https://api.slack.com/admins/audit-logs-call

### Redacted Example Data

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[New Rule][BBR] A user previewed a Slack channel without joining #4135

Description

Target Ruleset

Target Rule Type

Tested ECS Version

Query

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

Redacted Example Data

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[New Rule][BBR] A user previewed a Slack channel without joining #4135

Description

Description

Target Ruleset

Target Rule Type

Tested ECS Version

Query

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

Redacted Example Data

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions