Classification:

attack

Tactic:

TA0009-collection

Technique:

T1213-data-from-information-repositories

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the slack integration.

Goal

Detect when a Slack channel is changed from private to public.

Strategy

This rule monitors Slack events for when a channel’s privacy setting is modified from private to public. Changing a private channel to public can expose sensitive conversations, files, and information that were previously restricted. This action may be deliberate, accidental, or malicious, making it essential to track and verify the intent behind the change.

Potential risks associated with this change include:

• Exposure of sensitive or confidential information to a wider audience.
• Unintended sharing of critical discussions with external collaborators or users.
• Increased risk of data leaks or breaches if the channel contains sensitive information.

Triage and response

1. Determine if the channel change is expected by:

   • Contacting the channel owner or administrators to confirm if they authorized the change.
   • Reviewing Slack logs related to the user {{@usr.email}} who performed the change, focusing on:
     • The time of the change and surrounding activities.
     • Unusual behavior or other changes, such as role modifications or new members added to the channel.
   • Checking the content of the channel to assess whether it contains sensitive information that should not be public.

2. If the activity is deemed unauthorized or malicious:

   • Begin your organization’s incident response process to investigate further.
   • Immediately revert the channel back to private if it contains sensitive data.
   • Review access permissions and ensure only trusted users can modify channel privacy settings.
   • Investigate if any unauthorized users accessed the channel while it was public and evaluate potential exposure.