slack

Classification:

attack

Set up the Slack integration.


Goal

Detect when a Slack audit anomaly event is raised.

Strategy

This rule monitors Slack audit logs for anomaly events. Anomaly events are a special part of the Audit Logs API that surface unexpected user behavior, and every anomaly event carries a reason code explaining why it was raised. Anomalous events can include:

  • An excessive number of file downloads.
  • A Tor exit node was used.
  • Anomalous behavior from an administrator account.

Triage and response

  1. Determine if the behaviour is expected by:
    • Contacting the user for more information.
    • Checking for other signals and logs generated by the impacted user {{@usr.email}}, and looking for deviations in the geolocation, ASN, or device properties.
  2. If the activity is deemed malicious:
    • Begin your organization’s incident response process and investigate.
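The following is an added example, not part of this rule page or Datadog's own detection code. It shows both halves of the page in working form: the detection from the Strategy section (pick out audit-log entries whose action is an anomaly event and read their reason codes) and the correlation step from the Triage section (compare the anomaly's IP address and user agent against the same user's other activity in the log window to spot deviations). The log entries are constructed sample data; their field layout follows the general shape of Slack Audit Logs API entries, but the reason strings and all values are assumptions rather than verified Slack reason codes.

```python
"""Flag Slack audit-log anomaly events and gather per-user context for triage."""
import json
from collections import Counter

# Constructed sample entries as newline-delimited JSON. Field names mirror the
# general layout of Slack Audit Logs API entries; values and reason codes are
# invented for illustration (assumption, not verified Slack output).
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"id": "e1", "date_create": 1700000000, "action": "user_login",
                "actor": {"type": "user", "user": {"id": "W001", "email": "alice@example.com"}},
                "context": {"ip_address": "203.0.113.10", "ua": "Mozilla/5.0 (Macintosh)"}}),
    "this line is not json and should be skipped",  # constructed malformed line
    json.dumps({"id": "e2", "date_create": 1700000200, "action": "anomaly",
                "actor": {"type": "user", "user": {"id": "W001", "email": "alice@example.com"}},
                "context": {"ip_address": "198.51.100.7", "ua": "curl/8.4.0"},
                "details": {"reason": ["tor", "asn"], "previous_ip_address": "203.0.113.10"}}),
    json.dumps({"id": "e3", "date_create": 1700000300, "action": "user_login",
                "actor": {"type": "user", "user": {"id": "W002", "email": "bob@example.com"}},
                "context": {"ip_address": "192.0.2.5", "ua": "Slack/4.0"}}),
    json.dumps({"id": "e4", "date_create": 1700000400, "action": "file_downloaded",
                "actor": {"type": "user", "user": {"id": "W002", "email": "bob@example.com"}},
                "context": {"ip_address": "192.0.2.5", "ua": "Slack/4.0"}}),
    json.dumps({"id": "e5", "date_create": 1700000410, "action": "file_downloaded",
                "actor": {"type": "user", "user": {"id": "W002", "email": "bob@example.com"}},
                "context": {"ip_address": "192.0.2.5", "ua": "Slack/4.0"}}),
    json.dumps({"id": "e6", "date_create": 1700000500, "action": "anomaly",
                "actor": {"type": "user", "user": {"id": "W002", "email": "bob@example.com"}},
                "context": {"ip_address": "192.0.2.5", "ua": "Slack/4.0"},
                "details": {"reason": ["too_many_downloads"]}}),
])


def parse_entries(ndjson_text):
    """Parse newline-delimited JSON, skipping blank or malformed lines instead of aborting."""
    entries = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def actor_email(entry):
    """Email of the acting user, or None when the entry has no user actor."""
    return entry.get("actor", {}).get("user", {}).get("email")


def anomaly_events(entries):
    """The detection itself: every entry whose action is an anomaly event."""
    return [e for e in entries if e.get("action") == "anomaly"]


def user_baseline(entries, email):
    """Non-anomaly activity seen for the user: source IPs, user agents and action counts."""
    ips, uas, actions = set(), set(), Counter()
    for e in entries:
        if e.get("action") == "anomaly" or actor_email(e) != email:
            continue
        ctx = e.get("context", {})
        if ctx.get("ip_address"):
            ips.add(ctx["ip_address"])
        if ctx.get("ua"):
            uas.add(ctx["ua"])
        actions[e.get("action")] += 1
    return {"ips": ips, "user_agents": uas, "actions": actions}


def triage(entries):
    """One finding per anomaly event, enriched with whether its IP and user agent
    deviate from the same user's other activity in the log window."""
    findings = []
    for e in anomaly_events(entries):
        email = actor_email(e)
        baseline = user_baseline(entries, email)
        ctx = e.get("context", {})
        details = e.get("details", {})
        findings.append({
            "id": e.get("id"),
            "email": email,
            "reasons": list(details.get("reason", [])),
            "ip_address": ctx.get("ip_address"),
            "ip_seen_before": ctx.get("ip_address") in baseline["ips"],
            "ua_seen_before": ctx.get("ua") in baseline["user_agents"],
            "prior_actions": dict(baseline["actions"]),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_entries(SAMPLE_AUDIT_LOG)):
        print(json.dumps(finding, sort_keys=True))
```

In the sample, alice's anomaly arrives from an IP and user agent never seen in her other entries (a deviation worth chasing), while bob's excessive-download anomaly comes from his usual IP and client, so the reason code alone carries the signal; in a real deployment the baseline would be built from a longer history than a single log window.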