Slack data export download
Set up the Slack integration.
Goal
Detect when a Slack export, such as a channel export, manual export, or manual user export, is downloaded.
Strategy
This rule monitors Slack events for when a channel export, manual export, or manual user export is downloaded. These export actions involve downloading a significant amount of Slack data, including conversations, files, and user information. Unauthorized exports could indicate a potential data breach, insider threat, or misuse of administrative privileges.
Potential risks associated with these export actions include:
- Unauthorized access to and exfiltration of sensitive company data.
- Insider threats downloading and sharing confidential information.
- Exposure of private conversations, files, and user details to unauthorized parties.
Triage and response
Determine if the export download is expected by:
- Contacting the user or admin {{@usr.email}} who initiated the export to verify the legitimacy of the request.
- Reviewing the context and scope of the export, including:
  - The type of data exported (e.g., specific channels or user data).
  - The time and date of the export and the business justification for the action.
- Checking Slack logs for other unusual or suspicious activity by the user, such as mass downloads, file sharing, or privilege escalation.
If the export is unauthorized or unexpected:
- Begin your organization’s incident response process and investigate further.
- Analyze the exported data for sensitive information, and determine the scope of exposure.
- Monitor for any further attempts to export data or download sensitive information across the workspace.
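The detection and the first triage pass described above can be reproduced offline against exported Slack audit log entries. This is an added example, not Datadog's rule or code from this page; the action names, the one-hour window, and the sample entries are assumptions (the names follow Slack's Audit Logs API naming and should be confirmed against your own logs).

```python
import json
from collections import defaultdict

# Assumed action names for the three export types this rule covers;
# confirm them against your own Slack audit log data.
EXPORT_DOWNLOAD_ACTIONS = {
    "channels_export_downloaded",
    "manual_export_downloaded",
    "manual_user_export_downloaded",
}
WINDOW_SECONDS = 3600  # hypothetical triage window around each download

# Constructed sample entries in the Slack audit log shape (not real data).
SAMPLE_LOG = """
{"date_create": 1699992800, "action": "user_login", "actor": {"user": {"email": "alice@example.com"}}, "context": {"ip_address": "203.0.113.7"}}
{"date_create": 1699999400, "action": "file_downloaded", "actor": {"user": {"email": "alice@example.com"}}, "context": {"ip_address": "203.0.113.7"}}
{"date_create": 1699999700, "action": "file_downloaded", "actor": {"user": {"email": "alice@example.com"}}, "context": {"ip_address": "203.0.113.7"}}
{"date_create": 1700000000, "action": "manual_export_downloaded", "actor": {"user": {"email": "alice@example.com"}}, "context": {"ip_address": "203.0.113.7"}}
{"date_create": 1700000100, "action": "user_login", "actor": {"user": {"email": "carol@example.com"}}, "context": {"ip_address": "198.51.100.4"}}
not-json
{"date_create": 1700005000, "action": "channels_export_downloaded", "actor": {"user": {"email": "bob@example.com"}}, "context": {"ip_address": "198.51.100.9"}}
"""

def parse_events(text):
    """Parse one JSON entry per line; skip blank, malformed, or non-user entries."""
    events = []
    for line in text.splitlines():
        try:
            e = json.loads(line)
            events.append({"ts": int(e["date_create"]), "action": e["action"],
                           "email": e["actor"]["user"]["email"],
                           "ip": e.get("context", {}).get("ip_address")})
        except (ValueError, KeyError, TypeError):
            continue
    return sorted(events, key=lambda ev: ev["ts"])

def triage(events, window=WINDOW_SECONDS):
    """Flag export downloads and attach the same user's other actions within the window."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["email"]].append(ev)
    findings = []
    for ev in events:
        if ev["action"] in EXPORT_DOWNLOAD_ACTIONS:
            nearby = [o["action"] for o in by_user[ev["email"]]
                      if o is not ev and abs(o["ts"] - ev["ts"]) <= window]
            findings.append({**ev, "nearby_actions": nearby})
    return findings
```

Each finding carries the initiating user's email, the export type, the timestamp, and the source IP, which are the fields needed for the verification steps listed under Triage and response.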