[New Rule][BBR] A user logged into Slack from a new country #4138

Open
@brokensound77

Description

Detects when a user logs into a newly seen country over the last 30d, which could potentially indicate account compromise.

Ref internal: 540bc789-be24-4dbc-970c-a16489661290

Target Ruleset

other

Target Rule Type

New Terms

Tested ECS Version

No response

Query

  • index: logs-slack.audit
  • query: event.action:user_login and source.ip:* and user.email:* and source.geo.country_iso_code:*
  • new terms: user.email, source.geo.country_iso_code
  • timing: 30m lookback, 15m interval, 30d history window

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

No response

References

https://api.slack.com/admins/audit-logs-call

Redacted Example Data

No response
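As an added illustration (not code from the issue or the detection-rules project), the following models the proposed rule over a few constructed Slack audit events: it applies the query's field filters, then flags a (user.email, source.geo.country_iso_code) pair that has not been seen within the 30d history window. The `baseline_until` cutoff and all sample values are assumptions; note that an event without GeoIP enrichment never matches the query and so can never alert.

```python
from datetime import datetime, timedelta

# Fields the issue's query requires to exist (source.ip:*, user.email:*, ...)
REQUIRED = ("source.ip", "user.email", "source.geo.country_iso_code")
HISTORY_WINDOW = timedelta(days=30)  # the issue's 30d history window


def parse_ts(s: str) -> datetime:
    # ECS @timestamp is ISO 8601 with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def matches_query(ev: dict) -> bool:
    # event.action:user_login and source.ip:* and user.email:* and source.geo.country_iso_code:*
    # An event missing any field (e.g. no GeoIP enrichment) silently never matches.
    return ev.get("event.action") == "user_login" and all(ev.get(f) for f in REQUIRED)


def find_new_country_logins(events, baseline_until=None, history_window=HISTORY_WINDOW):
    """Return (timestamp, email, country) for logins whose (user.email, country) pair
    was not seen within history_window. Events before baseline_until (assumed cutoff)
    only seed state, standing in for history the rule already has when it first runs."""
    cutoff = parse_ts(baseline_until) if baseline_until else None
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        ts = parse_ts(ev["@timestamp"])
        key = (ev["user.email"], ev["source.geo.country_iso_code"])
        prev = last_seen.get(key)
        # A pair absent from the whole history window counts as new again,
        # so a gap longer than the window re-alerts on an otherwise known country.
        is_new = prev is None or ts - prev > history_window
        last_seen[key] = ts
        if is_new and (cutoff is None or ts >= cutoff):
            alerts.append((ev["@timestamp"], key[0], key[1]))
    return alerts


def ev(ts, email, ip=None, cc=None, action="user_login"):
    e = {"@timestamp": ts, "event.action": action, "user.email": email}
    if ip:
        e["source.ip"] = ip
    if cc:
        e["source.geo.country_iso_code"] = cc
    return e


# Constructed sample events (not real Slack audit data)
SAMPLE_EVENTS = [
    ev("2024-01-01T08:00:00Z", "alice@example.com", "203.0.113.10", "US"),
    ev("2024-01-20T08:00:00Z", "bob@example.com", "198.51.100.7", "DE"),
    ev("2024-02-10T09:00:00Z", "alice@example.com", "203.0.113.10", "US"),  # US last seen 40d ago
    ev("2024-02-10T09:05:00Z", "alice@example.com", "203.0.113.10", "US"),  # seen 5 minutes ago
    ev("2024-02-11T03:00:00Z", "alice@example.com", "192.0.2.44", "BR"),     # never seen
    ev("2024-02-12T10:00:00Z", "bob@example.com", "198.51.100.7", "DE"),     # DE seen 23d ago
    ev("2024-02-12T11:00:00Z", "carol@example.com", "192.0.2.9"),            # no geo enrichment
    ev("2024-02-13T12:00:00Z", "bob@example.com", "192.0.2.5", "FR", "user_logout"),
]

if __name__ == "__main__":
    for alert in find_new_country_logins(SAMPLE_EVENTS, baseline_until="2024-02-01T00:00:00Z"):
        print(alert)
```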
