Classification:

attack

Tactic:

TA0040-impact

Technique:

T1531-account-access-removal

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects Slack workspace creation or deletion events.

Strategy

This rule monitors Slack audit logs for @evt.name:workspace_created and @evt.name:workspace_deleted events from the audit-logs-service.

Triage & Response

• Verify if {{@usr.email}} has authorization to create or delete workspaces.
• Check if the workspace action aligns with business requirements.
• Review the user’s permissions and role assignments.
• Assess the impact on data access and organizational structure.