Slack CLI login from suspicious IP address
Set up the slack integration.
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detect when a Slack CLI login occurs from a suspicious IP address.
Strategy
This rule monitors Slack events for CLI logins that originate from suspicious or unusual IP addresses. A CLI login from a risky IP could indicate unauthorized access, especially if it originates from a Tor exit node or an IP previously associated with malicious activity.
Potential risks associated with suspicious CLI logins include:
- Unauthorized access to Slack data, configurations, or admin-level actions.
- Compromised user credentials allowing attackers to interact with the workspace through API calls.
- Further infiltration into the organization’ systems or data exfiltration.
Triage and response
Determine if the login is expected by:
- Contacting the user
{{@usr.email}}
to confirm if they performed the CLI login from the identified IP address. - Checking Slack logs for unusual activities after the login, such as privilege escalations, data downloads, or unauthorized API interactions.
If the login is deemed suspicious or unauthorized:
- Begin your organization’s incident response process and investigate further.
- Terminate the session immediately to prevent continued access to the Slack environment.
- Reset the affected user’s credentials and enforce multi-factor authentication (MFA) to secure the account.
- Review recent activity associated with the account to identify any other compromised sessions or suspicious behavior.