Slack user logout due to suspicious activity

This rule is part of a beta feature. To learn more, contact Support.

Set up the slack integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Alert when a Slack user is logged out due to a detected compromised account.

Strategy

This rule monitors Slack events for when a user is logged out as a result of a detected compromise. Slack may log out users if they detect suspicious behavior indicative of account takeover. This could involve actions like unusual login patterns or unauthorized access attempts.

Triage and response

  1. Determine if the behavior is expected by:

    • Contacting the user to confirm if they initiated any recent unusual actions.
    • Checking Slack logs and other relevant logs for the user {{@usr.email}}, focusing on: Geolocation, IP address, and ASN.
    • Determine if other actions were taken before being logged out such as file downloads and channel messages.
  2. If the activity is deemed malicious:

    • Begin your organization’s incident response process and investigate.
    • Force a password reset for the user.
    • Review and revoke any suspicious OAuth integrations tied to the user’s account.
    • Enable or enforce multi-factor authentication (MFA) if not already implemented for the user.