Slack enterprise workspace created or deleted

slack

Classification:

attack

Tactic:

TA0040-impact

Technique:

T1531-account-access-removal

Set up the slack integration.

Goal

Detects Slack workspace creation or deletion events.

Strategy

This rule monitors Slack audit logs for @evt.name:workspace_created and @evt.name:workspace_deleted events from the audit-logs-service.

Triage & Response

  • Verify if {{@usr.email}} has authorization to create or delete workspaces.
  • Check if the workspace action aligns with business requirements.
  • Review the user’s permissions and role assignments.
  • Assess the impact on data access and organizational structure.