Detection correlates message events in email and collaboration tools (e.g., Outlook, Teams) whose content matches regex patterns for credentials, API keys, or tokens. Anomalous forwarding or bulk copying of chat/email content that contains secrets is flagged. Suspicious behavior includes users pasting secrets into direct messages or attaching configuration files that contain passwords.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | MessageSend, MessageRead, or FileAttached events containing credential-like patterns |

| Field | Description |
|---|---|
| RegexPatterns | Customizable credential-detection regex (e.g., API_KEY=, bearer token formats) depending on the enterprise apps in use |
| AllowedDomains | Exclude known trusted domains or automated system-to-system messages |
| TimeWindow | Adjust the correlation period for bulk credential-sharing events |
Detection monitors SaaS collaboration tools (e.g., Slack, Zoom, Jira) for messages or files containing credential-like patterns, and for suspicious API calls by non-admin users that retrieve bulk chat histories. It identifies adversary behavior chains in which chat logs are queried via APIs or integration bots to systematically extract sensitive material.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | saas:slack | chat.postMessage, files.upload, or discovery API calls involving token/credential regex |
| User Account Authentication (DC0002) | saas:okta | Unusual OAuth app requesting message-read scopes for Slack/Teams/Jira |

| Field | Description |
|---|---|
| IntegrationScope | Tune to ignore known enterprise bots with message-read access (e.g., DLP scanners) |
| RegexPatterns | Customizable regex for detecting secret formats (JWT, OAuth tokens, SSH keys) |
| UserContext | Correlate with user role to filter developers vs. standard users |
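The following is an added example, not part of the detection strategy page or any vendor's analytic, showing how the two analytics above fit together: a per-event regex scan of message and file content (RegexPatterns), exclusion of trusted domains and enterprise bots (AllowedDomains, IntegrationScope), a sliding-window correlation that turns repeated hits into a bulk-sharing alert (TimeWindow), and a role tag carried into the alert for triage (UserContext). The event schema, field names, regexes, thresholds and sample events are all constructed assumptions; real m365:unified and saas:slack records would be normalized into this shape first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables (assumed values mirroring the mutable fields in the tables above).
CREDENTIAL_PATTERNS = {
    "api_key_assignment": re.compile(r"(?i)\b(?:api[_-]?key|secret|password)\s*[:=]\s*\S{8,}"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
}
ALLOWED_DOMAINS = {"dlp.example.com"}        # trusted system-to-system senders (assumed)
TRUSTED_INTEGRATIONS = {"dlp-scanner-bot"}   # enterprise bots with message-read access (assumed)
TIME_WINDOW = timedelta(minutes=10)          # correlation window for bulk sharing
BULK_THRESHOLD = 3                           # findings per actor inside the window

# Operations from the page's channels that carry message or file content.
CONTENT_OPERATIONS = {"MessageSend", "FileAttached", "chat.postMessage", "files.upload"}


def find_credentials(text):
    """Return the names of the credential patterns that match a message or file body."""
    return [name for name, rx in CREDENTIAL_PATTERNS.items() if rx.search(text)]


def is_excluded(event):
    """Suppress known trusted sender domains and enterprise bots (AllowedDomains, IntegrationScope)."""
    actor = event["actor"]
    domain = actor.rsplit("@", 1)[-1] if "@" in actor else ""
    return domain in ALLOWED_DOMAINS or actor in TRUSTED_INTEGRATIONS


def scan_events(events):
    """Per-event analytic: one finding for each content event that matches a credential pattern."""
    findings = []
    for ev in events:
        if ev["operation"] not in CONTENT_OPERATIONS or is_excluded(ev):
            continue
        hits = find_credentials(ev.get("content", ""))
        if hits:
            findings.append({"source": ev["source"], "actor": ev["actor"],
                             "role": ev.get("role", "standard"), "time": ev["time"],
                             "operation": ev["operation"], "patterns": hits})
    return findings


def correlate_bulk(findings, window=TIME_WINDOW, threshold=BULK_THRESHOLD):
    """Sliding-window correlation: alert on actors with >= threshold findings inside `window`.
    The user's role (UserContext) is attached so developers can be triaged differently."""
    by_actor = defaultdict(list)
    for f in findings:
        by_actor[f["actor"]].append(f)
    alerts = []
    for actor, items in by_actor.items():
        items.sort(key=lambda f: f["time"])
        start = 0
        for end in range(len(items)):
            while items[end]["time"] - items[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                role = items[end]["role"]
                alerts.append({"actor": actor, "role": role, "count": count,
                               "severity": "medium" if role == "developer" else "high",
                               "first": items[start]["time"], "last": items[end]["time"]})
                break  # one alert per actor is enough for triage
    return alerts


# Constructed sample events: alice shares three secrets in five minutes across Teams and Slack,
# a DLP bot quotes a JWT (suppressed), and carol posts a single SSH key two hours later.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    {"source": "m365:unified", "operation": "MessageSend", "actor": "alice@corp.example",
     "role": "standard", "time": T0, "content": "here you go: API_KEY=sk_live_0123456789abcdef"},
    {"source": "m365:unified", "operation": "FileAttached", "actor": "alice@corp.example",
     "role": "standard", "time": T0 + timedelta(minutes=2), "content": "db:\n  password: Sup3rS3cretPass!"},
    {"source": "saas:slack", "operation": "chat.postMessage", "actor": "alice@corp.example",
     "role": "standard", "time": T0 + timedelta(minutes=5),
     "content": "Authorization: Bearer abcdefghijklmnopqrstuvwxyz0123456789"},
    {"source": "saas:slack", "operation": "chat.postMessage", "actor": "bob@corp.example",
     "role": "developer", "time": T0 + timedelta(minutes=6), "content": "lunch at noon?"},
    {"source": "saas:slack", "operation": "chat.postMessage", "actor": "dlp-scanner-bot",
     "role": "service", "time": T0 + timedelta(minutes=7),
     "content": "found token eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abcdefghijklmnop"},
    {"source": "m365:unified", "operation": "MessageSend", "actor": "carol@corp.example",
     "role": "developer", "time": T0 + timedelta(hours=2),
     "content": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk..."},
]


def run_sample():
    """Run both analytics over the constructed events; returns (findings, bulk_alerts)."""
    findings = scan_events(SAMPLE_EVENTS)
    return findings, correlate_bulk(findings)


if __name__ == "__main__":
    found, bulk = run_sample()
    for f in found:
        print(f"{f['time']:%H:%M} {f['source']:<13} {f['actor']:<20} {f['operation']:<16} {f['patterns']}")
    for a in bulk:
        print(f"BULK [{a['severity']}] {a['actor']} ({a['role']}): {a['count']} secrets "
              f"between {a['first']:%H:%M} and {a['last']:%H:%M}")
```

Running it yields four per-event findings (three for alice, one for carol) and a single bulk alert for alice; the bot's JWT still matches `find_credentials` but never becomes a finding because IntegrationScope suppresses it, and carol's lone SSH key stays a per-event finding because one hit does not reach the TimeWindow threshold.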