Slack user logout due to suspicious activity

This rule is part of a beta feature. To learn more, contact Support.

Set up the slack integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Alert when a Slack user is logged out due to a detected compromised account.

Strategy

This rule monitors Slack events for when a user is logged out as a result of a detected compromise. Slack may log out users if they detect suspicious behavior indicative of account takeover. This could involve actions like unusual login patterns or unauthorized access attempts.

Triage and response

  1. Determine if the behavior is expected by:

    • Contacting the user to confirm if they initiated any recent unusual actions.
    • Checking Slack logs and other relevant logs for the user {{@usr.email}}, focusing on: Geolocation, IP address, and ASN.
    • Determine if other actions were taken before being logged out such as file downloads and channel messages.
  2. If the activity is deemed malicious:

    • Begin your organization’s incident response process and investigate.
    • Force a password reset for the user.
    • Review and revoke any suspicious OAuth integrations tied to the user’s account.
    • Enable or enforce multi-factor authentication (MFA) if not already implemented for the user.