---
title: Slack user role elevated to administrative privileges
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Slack user role elevated to
  administrative privileges
---

# Slack user role elevated to administrative privileges
Classification:attackTactic:[TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004)Technique:[T1098-account-manipulation](https://attack.mitre.org/techniques/T1098) 
## Goal{% #goal %}

Detect when a Slack [users role](https://slack.com/intl/en-gb/help/articles/360018112273-Types-of-roles-in-Slack) has been changed to an administrator or owner.

## Strategy{% #strategy %}

This rule monitors Slack audit logs for when a Slack user's role has been changed to an administrator or owner. Roles determine what people can see and do in Slack. There are administrative roles that are designed for people who are responsible for managing accounts and settings in Slack.

## Triage and response{% #triage-and-response %}

1. Determine if the change taken by `{{@usr.email}}` is authorized.
1. If the change was not authorized or was unexpected, begin your organization's incident response process and investigate.

## Changelog{% #changelog %}

- 8 May 2024 - update detection rule severity from Low to Medium.