This query detects Slack audit events where a user role is changed to admin or owner, indicating potential privilege escalation or persistence activity. It monitors role change actions in Slack audit logs and maps the affected user as the primary account entity for investigation.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | SlackAudit |
| ID | be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e |
| Severity | Low |
| Status | Available |
| Kind | Scheduled |
| Tactics | Persistence, PrivilegeEscalation |
| Techniques | T1098, T1078 |
| Required Connectors | SlackAuditAPI |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| SlackAuditNativePoller_CL 🔶 | ? | ✓ | ? |
| SlackAuditV2_CL | ✓ | ✓ | ✓ |
| SlackAudit_CL 🔶 | ? | ✓ | ? |