Slack user logout due to suspicious activity

This rule is part of a beta feature. To learn more, contact Support.
slack

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

Set up the slack integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Alert when a Slack user is logged out due to a detected compromised account.

Strategy

This rule monitors Slack events for when a user is logged out as a result of a detected compromise. Slack may log out users if they detect suspicious behavior indicative of account takeover. This could involve actions like unusual login patterns or unauthorized access attempts.

Triage and response

  1. Determine if the behavior is expected by:

    • Contacting the user to confirm if they initiated any recent unusual actions.
    • Checking Slack logs and other relevant logs for the user {{@usr.email}}, focusing on: Geolocation, IP address, and ASN.
    • Determine if other actions were taken before being logged out such as file downloads and channel messages.

  2. If the activity is deemed malicious:

    • Begin your organization’s incident response process and investigate.
    • Force a password reset for the user.
    • Review and revoke any suspicious OAuth integrations tied to the user’s account.
    • Enable or enforce multi-factor authentication (MFA) if not already implemented for the user.