Classification:

attack

Tactic:

TA0010-exfiltration

Technique:

T1567-exfiltration-over-web-service

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the slack integration.

Goal

Detect when a Slack export, such as a channel export, manual export, or manual user export, is downloaded.

Strategy

This rule monitors Slack events for when a channel export, manual export, or manual user export is downloaded. These export actions involve downloading a significant amount of Slack data, including conversations, files, and user information. Unauthorized exports could indicate a potential data breach, insider threat, or misuse of administrative privileges.

Potential risks associated with these export actions include:

• Unauthorized access to and exfiltration of sensitive company data.
• Insider threats downloading and sharing confidential information.
• Exposure of private conversations, files, and user details to unauthorized parties.

Triage and response

1. Determine if the export download is expected by:

   • Contacting the user or admin {{@usr.email}} who initiated the export to verify the legitimacy of the request.
   • Reviewing the context and scope of the export, including:
     • The type of data exported (e.g., specific channels or user data).
     • The time and date of the export and the business justification for the action.
   • Checking Slack logs for other unusual or suspicious activity by the user, such as mass downloads, file sharing, or privilege escalation.

2. If the export is unauthorized or unexpected:

   • Begin your organization’s incident response process and investigate further.
   • Analyze the exported data for sensitive information, and determine the scope of exposure.
   • Monitor for any further attempts to export data or download sensitive information across the workspace.