---
title: Slack brute force attack failed logins then successful login
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Slack brute force attack failed logins
  then successful login
---

# Slack brute force attack failed logins then successful login
Classification:attackTactic:[TA0006-credential-access](https://attack.mitre.org/tactics/TA0006)Technique:[T1110-brute-force](https://attack.mitre.org/techniques/T1110) 
## Goal{% #goal %}

Detects a Slack user account that records more than five failed logins followed by a successful login within the sequence windows.

## Strategy{% #strategy %}

This rule monitors Slack audit logs (`source:slack`, `service:audit-logs-service`) using sequence detection grouped by `{{@usr.email}}`. It first evaluates `@evt.name:user_login_failed` counts over one hour, then requires `@evt.name:user_login` within the configured follow-on window so only the failed-then-success pattern raises a signal.

## Triage and response{% #triage-and-response %}

- Review Slack audit entries for `{{@usr.email}}` around the signal time to confirm whether failed attempts and the successful login share the same client, IP, and user agent.
- Check whether the account recently enrolled or reset a password, which can produce clustered failed attempts before a legitimate success.
- Verify whether multi-factor authentication completed for the successful login event and whether any MFA fatigue or push-deny patterns appear in nearby logs.
- If the activity is unexpected, treat the account as potentially compromised: reset credentials, revoke active sessions per your runbook, and scope for lateral movement or workspace policy changes tied to the same user.

## Changelog{% #changelog %}

- 11 June 2026: Rule created.
