Slack

Communication and Collaboration

Slack - Messaging platform designed for team communication.

Provider: Slack Technologies

| Detection Rule | MITRE Tactic | MITRE Technique | Criticality | Investigation Actions (Slack APIs) | Incident Creation Criteria |
|---|---|---|---|---|---|
| Suspicious Login from Unusual Location | Initial Access | T1078: Valid Accounts | High | auth API to retrieve user login history (IP, device); users.info API to confirm user details and permissions | Failed login attempts from unusual IP or country; logins outside business hours; login attempts exceeding X failures within Y minutes from a new IP or location |
| Excessive Failed Logins | Credential Access | T1110: Brute Force | High | auth API to retrieve login failure logs; users.list API to correlate across user base; check for repeated failures within specific timeframes | X failed login attempts within Y minutes; lockout or deactivation of account due to failed attempts |
| Creation of Public Channels | Persistence | T1546: Event Subscription | Medium | conversations.list API to review channels created; conversations.info API to verify privacy status; track who created the channel | New public channels created by unauthorized users; channels created with suspicious naming conventions (e.g., "finance", "security") |
| Unauthorized Third-Party App Integrations | Persistence | T1136: Create Account | High | apps.list API to check for recently installed apps; apps.permissions API to inspect permissions granted to the app; cross-check with allowed apps list | Apps installed that request sensitive permissions (e.g., message read/write, file access); apps installed by users without admin privileges |
| File Upload with Sensitive Content | Exfiltration | T1071: Application Layer Protocol | High | files.list API to retrieve uploaded files; conversations.files API to inspect file sharing in channels; review file content via DLP tools | File types flagged by DLP inspection (e.g., .csv, .xls, .docx) containing PII or financials; files shared in public channels or external workspaces |
| Keyword Monitoring for Sensitive Terms | Collection | T1119: Automated Collection | Medium | search.messages API to scan messages for keywords; users.conversations API to find channels/DMs with flagged users; identify risky conversations | Keywords like "password", "credentials", "security breach" detected in discussions; sensitive conversations happening outside approved channels or with external users |
| Frequent Message Deletions | Defense Evasion | T1070: Indicator Removal on Host | Medium | search.messages API to find deleted messages; conversations.history API to retrieve deleted message counts; check for bulk deletions by a user | More than X messages deleted within Y minutes by the same user; message deletions after uploading/sharing sensitive information |
| Suspicious App Permissions Change | Persistence | T1543: Create or Modify System Process | High | apps.permissions API to detect permission changes; users.admins.list API to cross-check admin-initiated changes; review critical app permissions | Sensitive permissions (e.g., message access, workspace read/write) modified; permission changes initiated by users without admin roles |
| Account Takeover Attempts | Credential Access | T1556: Modify Authentication Process | Critical | auth API to retrieve login and MFA history; users.admins.list API to check account privilege changes; track suspicious IPs and MFA failures | Multiple failed MFA attempts; successful login from unusual location after failed attempts; high-privilege accounts compromised or accessed from unknown locations |
| Privileged User Activity Monitoring | Privilege Escalation | T1078: Valid Accounts | High | users.admins.list API to identify privileged users; search.messages API to track high-privilege account activity; inspect app permissions | Privileged accounts accessing sensitive data or making unauthorized app integrations; privileged user activities outside of regular working hours |
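
Several of the incident creation criteria above are windowed-threshold rules ("X failed login attempts within Y minutes", "more than X messages deleted within Y minutes by the same user") plus one sequence rule ("successful login from unusual location after failed attempts"). The Python below is an added example of how a rule engine evaluates those criteria; it is not code from this page or from Slack. The Event fields (ts, user, action, ip, country), the country baseline and the sample events are constructed assumptions, not Slack's audit-log or API schema; the IPs come from the documentation ranges and country "ZZ" is a placeholder.

```python
"""Windowed-threshold and success-after-failure checks (added example).

The Event fields (ts, user, action, ip, country) are an assumed, constructed
normalisation of Slack login/message events, not Slack's audit-log schema.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str          # "login_failed", "login_success" or "message_deleted"
    ip: str = ""
    country: str = ""


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    count: int
    window_start: datetime
    window_end: datetime
    detail: str = ""


def windowed_threshold(events, action, x, y_minutes, rule, key=lambda e: e.user):
    """Alert once per key when at least X events of `action` fall inside any
    Y-minute window. General form of "X failed logins within Y minutes" and
    "more than X deletions within Y minutes by the same user"; `key` selects
    the grouping (user by default, or e.g. lambda e: e.ip for per-source IP)."""
    window = timedelta(minutes=y_minutes)
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.action != action:
            continue
        k = key(e)
        q = recent[k]
        q.append(e.ts)
        while q and e.ts - q[0] > window:   # evict timestamps older than Y minutes
            q.popleft()
        if len(q) >= x and k not in alerted:
            alerted.add(k)
            alerts.append(Alert(rule, e.user, len(q), q[0], e.ts, f"key={k}"))
    return alerts


def success_after_failures(events, known_countries, lookback_minutes, rule):
    """Alert on a successful login from a country outside the user's baseline
    when the same user had failed logins inside the lookback window
    ("successful login from unusual location after failed attempts")."""
    lookback = timedelta(minutes=lookback_minutes)
    failures = defaultdict(deque)   # user -> recent failure timestamps
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "login_failed":
            failures[e.user].append(e.ts)
        elif e.action == "login_success":
            q = failures[e.user]
            while q and e.ts - q[0] > lookback:
                q.popleft()
            unusual = e.country not in known_countries.get(e.user, set())
            if q and unusual:
                alerts.append(Alert(rule, e.user, len(q), q[0], e.ts,
                                    f"success from {e.ip} ({e.country}) after {len(q)} failures"))
    return alerts


def build_sample_events():
    """Constructed sample data: documentation IP ranges, placeholder country ZZ."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    ev = []
    # alice: 5 failures in 80 seconds, then a success from the same unfamiliar location
    for i in range(5):
        ev.append(Event(t0 + timedelta(seconds=20 * i), "alice", "login_failed", "203.0.113.7", "ZZ"))
    ev.append(Event(t0 + timedelta(minutes=3), "alice", "login_success", "203.0.113.7", "ZZ"))
    # bob: two failures 30 minutes apart from his usual country, success an hour later (benign)
    for i in range(2):
        ev.append(Event(t0 + timedelta(minutes=30 * i), "bob", "login_failed", "198.51.100.4", "US"))
    ev.append(Event(t0 + timedelta(hours=1), "bob", "login_success", "198.51.100.4", "US"))
    # carol: 12 message deletions in under 3 minutes
    for i in range(12):
        ev.append(Event(t0 + timedelta(seconds=15 * i), "carol", "message_deleted"))
    return ev


def run_detections(events, known_countries):
    """Evaluate three of the table's criteria with concrete X/Y values."""
    return {
        "failed_logins": windowed_threshold(events, "login_failed", x=5, y_minutes=10,
                                            rule="Excessive Failed Logins"),
        "deletions": windowed_threshold(events, "message_deleted", x=10, y_minutes=5,
                                        rule="Frequent Message Deletions"),
        "takeover": success_after_failures(events, known_countries, lookback_minutes=15,
                                           rule="Account Takeover Attempts"),
    }


if __name__ == "__main__":
    results = run_detections(build_sample_events(), {"alice": {"US"}, "bob": {"US"}})
    for found in results.values():
        for a in found:
            print(f"[{a.rule}] user={a.user} count={a.count} "
                  f"{a.window_start:%H:%M:%S}-{a.window_end:%H:%M:%S} {a.detail}")
```

The deque-per-key sliding window is what keeps the check linear in the number of events; alerting once per key avoids a separate incident for every event past the threshold. Keying the brute-force rule by source IP instead of user (pass `key=lambda e: e.ip`) catches spraying across many accounts from one address, which the per-user form misses.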

APIs and Their Scopes

| Detection Name | API Required | Scope Required | Usage |
|---|---|---|---|
| Suspicious Login from Unusual Location | auth.revoke | users:read | Retrieves user authentication history, including login attempts, device info, and IP addresses. |
| Suspicious Login from Unusual Location | users.info | users:read | Fetches detailed information about a user, including their roles and permissions. |
| Excessive Failed Logins | auth.revoke | users:read | Tracks login failures for a user, helps to correlate repeated failures, and checks for anomalies. |
| Excessive Failed Logins | users.list | users:read | Retrieves a list of all users in the workspace for correlation and verification of account statuses. |
| Creation of Public Channels | conversations.list | conversations:read | Lists all channels (public/private) within the workspace, helping to detect newly created channels. |
| Creation of Public Channels | conversations.info | conversations:read | Provides detailed information about a specific channel, including whether it's public or private, who created it, and other metadata. |
| Unauthorized Third-Party App Integrations | apps.list | admin.apps:read or apps:read | Lists all installed apps in the workspace, helping to detect unauthorized app installations. |
| Unauthorized Third-Party App Integrations | apps.permissions.info | admin.apps:read or apps:read | Retrieves the permissions an app has been granted (e.g., file access, message read/write), important for detecting risky app integrations. |
| File Upload with Sensitive Content | files.list | files:read | Lists all files uploaded by users in the workspace, allowing investigation of specific files and file types (e.g., .csv, .xls, .docx). |
| File Upload with Sensitive Content | conversations.files | files:read and conversations:read | Retrieves all files shared in specific channels, useful for auditing files shared in public or external channels. |
| Keyword Monitoring for Sensitive Terms | search.messages | search:read | Searches messages across channels and DMs for specific keywords (e.g., "password", "breach"), aiding in sensitive term detection. |
| Keyword Monitoring for Sensitive Terms | users.conversations | conversations:read | Lists conversations that a specific user is part of, aiding in finding sensitive discussions in unauthorized channels. |
| Frequent Message Deletions | search.messages | search:read | Searches for messages that have been deleted, helping to detect users deleting messages frequently to potentially cover up malicious activity. |
| Frequent Message Deletions | conversations.history | conversations:history | Retrieves the message history of a channel or DM, including deleted messages, providing a full audit trail. |
| Suspicious App Permissions Change | apps.permissions.info | admin.apps:read or apps:read | Retrieves permission information for installed apps, helping to detect unauthorized or risky permission changes. |
| Account Takeover Attempts | auth.revoke | users:read | Retrieves login and MFA history, helping to detect suspicious logins or authentication anomalies (e.g., failed MFA attempts). |
| Account Takeover Attempts | users.admins.list | admin.users:read | Lists all admins in the workspace, useful for cross-checking changes to high-privilege accounts or detecting privilege escalation. |
| Privileged User Activity Monitoring | users.admins.list | admin.users:read | Identifies privileged users, allowing monitoring of their actions, especially in sensitive areas like security discussions or critical app integrations. |
| Privileged User Activity Monitoring | search.messages | search:read | Searches for messages sent by privileged users, detecting suspicious or unauthorized activities. |

Reports and Widgets for CISO

| Report Name | Widget | Description |
|---|---|---|
| Login Anomaly Report | Suspicious Logins by Location | Number of logins by location (flagging unusual ones) |
| Login Anomaly Report | Failed vs. Successful Logins Over Time | Login attempts (failed vs. successful) over time |
| Login Anomaly Report | Top Users with Failed Logins | Users with the most failed login attempts |
| Sensitive Data Sharing Report | Files Shared in Public Channels | File name, channel, file type, sharing date, user |
| Sensitive Data Sharing Report | Sensitive Files by Keyword Detection | Sensitive files detected by DLP or keyword rules |
| Sensitive Data Sharing Report | File Upload Trends Over Time | Number of files uploaded per day/week/month |
| Channel Creation & Access Report | New Channels Created by Type (Public/Private) | Number of new public/private channels |
| Channel Creation & Access Report | Top Channel Creators | Username, number of channels created |
| Channel Creation & Access Report | Active Channels with Sensitive Discussions | Channels flagged for sensitive content or keywords |
| App Integration Risk Report | Recently Installed Third-Party Apps | App name, install date, permissions, risk level |
| App Integration Risk Report | Apps by Risk Level | Number of apps per risk level (high, medium, low) |
| App Integration Risk Report | Unauthorized App Installation | Instances of unauthorized app installations |
| Privileged User Monitoring Report | Privileged User Logins (Success/Failure) | Username, login success/failure, time, location |
| Privileged User Monitoring Report | Admin Permission Changes | Changes in admin permissions or privilege escalations |
| Privileged User Monitoring Report | Privileged User Activity in Sensitive Channels | Activity level of privileged users in flagged channels |
| Incident Investigation Summary | Ongoing Investigations | Incident type, status, priority |
| Incident Investigation Summary | Incident Response Timeline | Incident detection to resolution time |
| Keyword Detection & Monitoring | Sensitive Keyword Usage by Channel | Frequency of keyword usage in monitored channels |
| Keyword Detection & Monitoring | Top Users Mentioning Sensitive Keywords | Username, keyword, timestamp, channel |
| File Sharing Insights | Top File Types Shared (Sensitive/Non-Sensitive) | File type distribution (e.g., .pdf, .csv, .docx) |
| File Sharing Insights | Public Channels with Sensitive Files Shared | Channels and users sharing sensitive files publicly |