[New Rule] A user previewed multiple Slack rooms without joining in a short period

### Description

A user previewed multiple Slack rooms without joining in a short period, which could be indicative of performing recon or attempting to locate sensitive information.


Similar to internal: `2243f3ae-62e0-4c36-acc4-7d25cfb07b66`

### Target Ruleset

other

### Target Rule Type

Threshold

### Tested ECS Version

_No response_

### Query

This is dependent on the `rule_id` generated from #4135

* index: `.alerts-security.*`
* query:

```sql
user.email:* and kibana.alert.rule.rule_id:"rule-id-of-4135-bbr-rule" 
```

* threshold: `user.email`, `source.ip`, cardinality: `slack.audit.entity.name`,
* timing: 3 occurrences over a 10 min lookback, with an interval of 5m


### New fields required in ECS/data sources for this rule?

_No response_

### Related issues or PRs

dependent on #4135 

### References

https://api.slack.com/admins/audit-logs-call

### Redacted Example Data

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[New Rule] A user previewed multiple Slack rooms without joining in a short period #4136

Description

Target Ruleset

Target Rule Type

Tested ECS Version

Query

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

Redacted Example Data

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[New Rule] A user previewed multiple Slack rooms without joining in a short period #4136

Description

Description

Target Ruleset

Target Rule Type

Tested ECS Version

Query

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

Redacted Example Data

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions