Slack anomaly event

slack

Classification:

attack

Set up the slack integration.


Goal

Detect when a Slack audit anomaly event is raised.

Strategy

This rule monitors Slack audit logs for Slack anomaly events. Anomaly events are a dedicated event type in the Slack Audit Logs API that surfaces unexpected user behavior; every anomaly event carries a reason code stating why it was raised. Anomalous events can include:

  • Excessive number of file downloads.
  • A Tor exit node was used.
  • Anomalous behavior from an administrator account.

Triage and response

  1. Determine if the behavior is expected by:
    • Contacting the user for more information.
    • Checking for other signals and logs generated by the impacted user {{@usr.email}}, and looking for deviations in the geolocation, ASN, or device properties.
  2. If the activity is deemed malicious:
    • Begin your organization’s incident response process and investigate.
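The following is an added example, not part of this rule page or of Datadog's or Slack's own code, that shows the detection described under Strategy and the deviation check from the triage steps in working form: it reads Slack audit log entries, keeps only those whose action is `anomaly`, pulls out the user email, the reason codes and whether the source IP or user agent differs from the previous one seen for that user. The entry layout (`action`, `actor.user.email`, `context.ip_address`, `context.ua`, `details.reason`, `details.previous_ip_address`, `details.previous_ua`) and the reason code strings (`tor`, `excessive_downloads`, `unexpected_admin_action`) are assumptions modelled on the Audit Logs API, and the three log lines are constructed sample data.

```python
import json
from typing import Dict, List, Optional

# Constructed sample: three Slack audit log entries, one JSON object per line.
# The field layout and the reason codes are assumptions for this example.
SAMPLE_AUDIT_LOG = """
{"id": "evt-1", "date_create": 1700000000, "action": "user_login", "actor": {"type": "user", "user": {"id": "W111", "email": "alice@example.com"}}, "context": {"ip_address": "203.0.113.10", "ua": "Mozilla/5.0"}, "details": {}}
{"id": "evt-2", "date_create": 1700000100, "action": "anomaly", "actor": {"type": "user", "user": {"id": "W111", "email": "alice@example.com"}}, "context": {"ip_address": "198.51.100.7", "ua": "curl/8.0"}, "details": {"reason": ["tor", "excessive_downloads"], "previous_ip_address": "203.0.113.10", "previous_ua": "Mozilla/5.0"}}
{"id": "evt-3", "date_create": 1700000200, "action": "anomaly", "actor": {"type": "user", "user": {"id": "W222", "email": "bob-admin@example.com"}}, "context": {"ip_address": "203.0.113.20", "ua": "Mozilla/5.0"}, "details": {"reason": ["unexpected_admin_action"], "previous_ip_address": "203.0.113.20", "previous_ua": "Mozilla/5.0"}}
"""

# Assumed reason codes mapped onto the anomaly categories the rule page lists.
REASON_CATEGORIES = {
    "excessive_downloads": "Excessive number of file downloads",
    "tor": "A Tor exit node was used",
    "unexpected_admin_action": "Anomalous behavior from an administrator account",
}


def parse_entries(raw: str) -> List[Dict]:
    """Parse newline-delimited JSON audit entries, skipping blank or malformed lines."""
    entries = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            # One bad line should not discard the whole batch.
            continue
    return entries


def build_signal(entry: Dict) -> Optional[Dict]:
    """Return a triage signal for an anomaly entry, or None for any other action."""
    if entry.get("action") != "anomaly":
        return None
    actor = entry.get("actor", {}).get("user", {})
    context = entry.get("context", {})
    details = entry.get("details", {})

    reasons = details.get("reason") or []
    if isinstance(reasons, str):  # tolerate a single code instead of a list
        reasons = [reasons]

    current_ip = context.get("ip_address")
    previous_ip = details.get("previous_ip_address")
    current_ua = context.get("ua")
    previous_ua = details.get("previous_ua")

    return {
        "event_id": entry.get("id"),
        "usr.email": actor.get("email"),  # the user named in the triage steps
        "reasons": reasons,
        "categories": [REASON_CATEGORIES.get(r, f"Unrecognized reason: {r}") for r in reasons],
        # Deviations worth checking during triage: did the source IP or device change?
        "ip_changed": bool(previous_ip and current_ip and previous_ip != current_ip),
        "ua_changed": bool(previous_ua and current_ua and previous_ua != current_ua),
        "involves_admin": "unexpected_admin_action" in reasons,
    }


def detect_anomalies(raw: str) -> List[Dict]:
    """Run the rule over a batch of audit log lines and collect the anomaly signals."""
    signals = []
    for entry in parse_entries(raw):
        signal = build_signal(entry)
        if signal is not None:
            signals.append(signal)
    return signals


if __name__ == "__main__":
    for s in detect_anomalies(SAMPLE_AUDIT_LOG):
        print(json.dumps(s, indent=2))
```

The `ip_changed` and `ua_changed` flags are a starting point for the second triage bullet: an anomaly whose source address and client match what the user normally uses is more likely to be expected activity than one where both changed at once, and an unrecognized reason code is surfaced rather than silently dropped so that new codes get noticed.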