Slack
Communication and Collaboration
Slack - Messaging platform designed for team communication.
Provider: Slack Technologies
Detection Rule | MITRE Tactic | MITRE Technique | Criticality
---|---|---|---
Suspicious Login from Unusual Location | Initial Access | T1078: Valid Accounts | High
Excessive Failed Logins | Credential Access | T1110: Brute Force | High
Creation of Public Channels | Persistence | T1546: Event Triggered Execution | Medium
Unauthorized Third-Party App Integrations | Persistence | T1136: Create Account | High
File Upload with Sensitive Content | Exfiltration | T1567: Exfiltration Over Web Service | High
Keyword Monitoring for Sensitive Terms | Collection | T1119: Automated Collection | Medium
Frequent Message Deletions | Defense Evasion | T1070: Indicator Removal | Medium
Suspicious App Permissions Change | Persistence | T1098: Account Manipulation | High
Account Takeover Attempts | Credential Access | T1556: Modify Authentication Process | Critical
Privileged User Activity Monitoring | Privilege Escalation | T1078: Valid Accounts | High

ATT&CK has no Slack-specific techniques, so the channel-creation and app-integration rules are mapped to the nearest generic technique; treat the tactic column as the primary signal when prioritising alerts.
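The two login rules above (unusual location, excessive failures) reduce to simple checks once the login data is in hand. The example below is added here and is not code from the original page or from Slack: it makes no API calls, and both inputs are constructed samples shaped like the `logins` array of Slack's `team.accessLogs` method and like entries from the Enterprise Grid Audit Logs API. `BASELINE_CUTOFF`, the sliding-window size and the failure threshold are assumed tuning values.

```python
"""Login anomaly checks over Slack-shaped login data.

Added example, not code from the original page or from Slack. No API call
is made: SAMPLE_ACCESS_LOGS is constructed to mimic the "logins" array of
team.accessLogs, and SAMPLE_AUDIT_EVENTS to mimic Audit Logs API entries.
BASELINE_CUTOFF, the window and the threshold are assumed values.
"""
from collections import defaultdict

# Constructed sample modelled on team.accessLogs. The method aggregates one
# entry per (user, ip, user_agent) with first/last-seen timestamps and a
# count, and records successful logins only.
SAMPLE_ACCESS_LOGS = {
    "ok": True,
    "logins": [
        {"user_id": "U001", "username": "alice", "ip": "203.0.113.10",
         "user_agent": "Mozilla/5.0", "country": "US", "region": "CA",
         "date_first": 1700000000, "date_last": 1700590000, "count": 42},
        {"user_id": "U001", "username": "alice", "ip": "198.51.100.7",
         "user_agent": "Mozilla/5.0", "country": "RO", "region": "B",
         "date_first": 1700650000, "date_last": 1700650000, "count": 1},
        {"user_id": "U002", "username": "bob", "ip": "192.0.2.5",
         "user_agent": "Slack/4.3", "country": "US", "region": "NY",
         "date_first": 1700000000, "date_last": 1700700000, "count": 9},
        # carol is a new account with no history before the cutoff
        {"user_id": "U003", "username": "carol", "ip": "192.0.2.77",
         "user_agent": "Slack/4.3", "country": "DE", "region": "BE",
         "date_first": 1700660000, "date_last": 1700660000, "count": 1},
    ],
}

# Constructed sample modelled on Audit Logs API entries (action, actor,
# context): bob fails six times within 90 s, alice twice an hour apart.
SAMPLE_AUDIT_EVENTS = [
    {"action": "user_login_failed", "date_create": 1700650000 + offset,
     "actor": {"type": "user", "user": {"id": "U002", "name": "bob"}},
     "context": {"ip_address": "198.51.100.9"}}
    for offset in (0, 15, 30, 45, 60, 90)
] + [
    {"action": "user_login_failed", "date_create": ts,
     "actor": {"type": "user", "user": {"id": "U001", "name": "alice"}},
     "context": {"ip_address": "203.0.113.10"}}
    for ts in (1700000000, 1700003600)
] + [
    # an unrelated action the detector must ignore
    {"action": "user_login", "date_create": 1700650100,
     "actor": {"type": "user", "user": {"id": "U002", "name": "bob"}},
     "context": {"ip_address": "192.0.2.5"}},
]

BASELINE_CUTOFF = 1700600000  # assumed: history before this defines "known" countries


def unusual_location_logins(access_logs, baseline_cutoff=BASELINE_CUTOFF):
    """Return (username, ip, country) for logins first seen after the cutoff
    from a country the user never logged in from before it."""
    known = defaultdict(set)
    for entry in access_logs["logins"]:
        if entry["date_first"] < baseline_cutoff:
            known[entry["user_id"]].add(entry["country"])

    flagged = []
    for entry in access_logs["logins"]:
        baseline = known.get(entry["user_id"])
        if not baseline:
            # No pre-cutoff history: a new account, not an anomaly for this
            # rule. New-account logins from unexpected countries need a
            # separate rule keyed on the user's profile or HR country.
            continue
        if entry["date_first"] >= baseline_cutoff and entry["country"] not in baseline:
            flagged.append((entry["username"], entry["ip"], entry["country"]))
    return flagged


def excessive_failed_logins(audit_events, window=300, threshold=5):
    """Return {user_id: max failures in any `window`-second span} for users
    whose worst span reaches `threshold`. A sliding window keeps a slow
    trickle of failures spread over hours from counting as brute force."""
    by_user = defaultdict(list)
    for event in audit_events:
        if event.get("action") != "user_login_failed":
            continue
        by_user[event["actor"]["user"]["id"]].append(event["date_create"])

    flagged = {}
    for user_id, times in by_user.items():
        times.sort()
        start, worst = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flagged[user_id] = worst
    return flagged


if __name__ == "__main__":
    print("unusual locations:", unusual_location_logins(SAMPLE_ACCESS_LOGS))
    print("excessive failures:", excessive_failed_logins(SAMPLE_AUDIT_EVENTS))
```

Two properties of the data drive the design: `team.accessLogs` never records failed attempts, so the brute-force rule has to be fed from audit-log events rather than from the same source as the location rule; and the access log is aggregated per user/IP/user-agent, so the "new" signal is the `date_first` of an entry, not a raw event timestamp.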
APIs and Their Scopes
The scopes listed are the OAuth scopes the named Slack Web API methods actually require. Two caveats apply throughout: `search.messages` only works with a user token (bot tokens cannot search), and failed logins, app installs and admin role changes are only exposed through the Enterprise Grid Audit Logs API (`auditlogs:read`), not through workspace-level methods.

Detection Name | API Required | Scope Required | Usage
---|---|---|---
Suspicious Login from Unusual Location | team.accessLogs | admin | Returns the workspace login history: one entry per user, IP and user agent with first/last-seen timestamps, a count, and the ISP, country and region. Only successful logins are recorded, and only on paid plans.
 | users.info | users:read | Fetches details for the user involved, including the `is_admin` and `is_owner` flags, to prioritise triage.
Excessive Failed Logins | Audit Logs API (`user_login_failed` action) | auditlogs:read | Failed sign-ins are not exposed by team.accessLogs; on Enterprise Grid they appear as audit log entries carrying the actor, IP address and timestamp needed to count repeated failures per user.
 | users.list | users:read | Retrieves all workspace members so failures can be matched to real accounts and to account status (deleted, restricted, admin).
Creation of Public Channels | conversations.list | channels:read (plus groups:read for private channels) | Lists the workspace's channels with their `created` timestamp and `creator`, so newly created public channels can be picked out.
 | conversations.info | channels:read (plus groups:read) | Returns metadata for one channel: whether it is public or private, who created it, and when.
Unauthorized Third-Party App Integrations | admin.apps.approved.list | admin.apps:read | Lists the apps approved for the workspace together with the scopes each was granted; compare against the allowlist to find unsanctioned installs.
 | admin.apps.requests.list | admin.apps:read | Lists pending install requests, which is where an unauthorised integration first appears when app approval is enforced.
File Upload with Sensitive Content | files.list | files:read | Lists files uploaded by workspace users, filterable by user, channel, type and time range (e.g. .csv, .xls, .docx), for follow-up inspection.
 | files.info | files:read | Returns details for one file, including the channels it has been shared into, for auditing files posted to public or externally shared channels.
Keyword Monitoring for Sensitive Terms | search.messages | search:read (user token) | Searches messages in the channels and DMs the token's user can see for given keywords (e.g. "password", "breach").
 | users.conversations | channels:read, groups:read, im:read, mpim:read | Lists the conversations a given user belongs to, to scope keyword searches and to spot sensitive discussions in unexpected channels.
Frequent Message Deletions | Events API `message` event, `message_deleted` subtype | channels:history, groups:history | Deleted messages are not returned by search or history calls; subscribe to `message` events and count `message_deleted` subtypes per user to detect bursts of deletion.
 | conversations.history | channels:history, groups:history | Retrieves a channel's remaining message history to reconstruct the context around deletions; it does not include the deleted content itself.
Suspicious App Permissions Change | admin.apps.approved.list | admin.apps:read | Returns the scopes currently granted to each approved app; diff successive snapshots to detect scope expansion.
Account Takeover Attempts | team.accessLogs | admin | Returns login history so new IPs, user agents and countries for a given account can be correlated with other signals such as password or email changes.
 | users.list | users:read | Returns every member with `is_admin` and `is_owner` flags, so changes to high-privilege accounts can be cross-checked.
Privileged User Activity Monitoring | users.list | users:read | Identifies admins and owners via `is_admin`, `is_owner` and `is_primary_owner`, the set whose activity warrants closer monitoring.
 | search.messages | search:read (user token) | Searches messages sent by those users (`from:@user` modifier) for suspicious or unauthorised activity.
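The two app rules (unauthorised integrations, suspicious permission changes) both work from the approved-app list and its granted scopes. The example below is added here and is not code from the original page or from Slack: no API call is made, the two snapshots are constructed to mimic the `approved_apps` array returned by `admin.apps.approved.list` (an `app` object plus the `scopes` granted to it), and `ALLOWLIST` and `SENSITIVE_SCOPES` are assumed policy values. Slack's own `is_sensitive` flag on a scope is honoured when present.

```python
"""App-integration checks over admin.apps.approved.list-shaped data.

Added example, not code from the original page or from Slack. No API call
is made: the snapshots are constructed to mimic the "approved_apps" array of
admin.apps.approved.list. ALLOWLIST and SENSITIVE_SCOPES are assumed policy.
"""

# Assumed policy: app IDs the security team has reviewed and approved.
ALLOWLIST = {"A0001", "A0002"}

# Assumed policy: scopes that read bulk message or file content, or grant
# administrative control, and therefore make an app high risk.
SENSITIVE_SCOPES = {
    "admin", "files:read", "search:read", "channels:history", "groups:history",
    "im:history", "mpim:history", "users:read.email",
}


def _scope_names(app_record):
    return {s["name"] for s in app_record.get("scopes", [])}


def risk_level(app_record):
    """Rate an app by its granted scopes: high if any scope is in the assumed
    sensitive set or is flagged is_sensitive by Slack, medium if it can write
    (post messages, upload files), low otherwise."""
    scopes = app_record.get("scopes", [])
    names = _scope_names(app_record)
    if names & SENSITIVE_SCOPES or any(s.get("is_sensitive") for s in scopes):
        return "high"
    if any(n.endswith(":write") for n in names):
        return "medium"
    return "low"


def review_installed_apps(approved_apps, allowlist=ALLOWLIST):
    """Return one finding per app: id, name, risk level and whether it is on
    the allowlist. Unlisted high-risk apps are the ones to escalate."""
    findings = []
    for rec in approved_apps:
        app = rec["app"]
        findings.append({
            "app_id": app["id"],
            "name": app["name"],
            "risk": risk_level(rec),
            "authorized": app["id"] in allowlist,
        })
    return findings


def scope_changes(previous_snapshot, current_snapshot):
    """Diff two snapshots and return, per app whose scopes changed, the
    scopes added and removed. A newly installed app shows all its scopes
    as added; an uninstalled app shows them all as removed."""
    before = {rec["app"]["id"]: _scope_names(rec) for rec in previous_snapshot}
    after = {rec["app"]["id"]: _scope_names(rec) for rec in current_snapshot}
    changes = {}
    for app_id in before.keys() | after.keys():
        added = sorted(after.get(app_id, set()) - before.get(app_id, set()))
        removed = sorted(before.get(app_id, set()) - after.get(app_id, set()))
        if added or removed:
            changes[app_id] = {"added": added, "removed": removed}
    return changes


# Constructed snapshots modelled on admin.apps.approved.list output.
def _app(app_id, name, scope_names, sensitive=()):
    return {
        "app": {"id": app_id, "name": name, "is_app_directory_approved": True},
        "scopes": [{"name": n, "token_type": "bot", "is_sensitive": n in sensitive}
                   for n in scope_names],
        "date_updated": 1700000000,
    }


SNAPSHOT_YESTERDAY = [
    _app("A0001", "Standup Bot", ["chat:write", "channels:read"]),
    _app("A0002", "Ticketing", ["chat:write", "commands"]),
]

SNAPSHOT_TODAY = [
    _app("A0001", "Standup Bot", ["chat:write", "channels:read"]),
    # Ticketing gained channels:history since yesterday: scope expansion
    _app("A0002", "Ticketing", ["chat:write", "commands", "channels:history"]),
    # a new, unreviewed app that can read every file and every email address
    _app("A0099", "Export Helper", ["files:read", "users:read.email"],
         sensitive=["users:read.email"]),
]

if __name__ == "__main__":
    for finding in review_installed_apps(SNAPSHOT_TODAY):
        print(finding)
    print(scope_changes(SNAPSHOT_YESTERDAY, SNAPSHOT_TODAY))
```

Snapshot diffing is what turns a static inventory into the "permissions change" detection: a previously approved app that silently acquires `channels:history` is as much a finding as a new install, and it does not show up in an allowlist check alone.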
Reports and Widgets for CISO
Report Name | Widgets | Description
---|---|---
Login Anomaly Report | Suspicious Logins by Location | Number of logins by location, with unusual locations flagged
 | Failed vs. Successful Logins Over Time | Login attempts (failed vs. successful) over time
 | Top Users with Failed Logins | Users with the most failed login attempts
Sensitive Data Sharing Report | Files Shared in Public Channels | File name, channel, file type, sharing date, user
 | Sensitive Files by Keyword Detection | Sensitive files detected by DLP or keyword rules
 | File Upload Trends Over Time | Number of files uploaded per day/week/month
Channel Creation & Access Report | New Channels Created by Type (Public/Private) | Number of new public/private channels
 | Top Channel Creators | Username, number of channels created
 | Active Channels with Sensitive Discussions | Channels flagged for sensitive content or keywords
App Integration Risk Report | Recently Installed Third-Party Apps | App name, install date, permissions, risk level
 | Apps by Risk Level | Number of apps per risk level (high, medium, low)
 | Unauthorized App Installation | Instances of unauthorized app installations
Privileged User Monitoring Report | Privileged User Logins (Success/Failure) | Username, login success/failure, time, location
 | Admin Permission Changes | Changes in admin permissions or privilege escalations
 | Privileged User Activity in Sensitive Channels | Activity level of privileged users in flagged channels
Incident Investigation Summary | Ongoing Investigations | Incident type, status, priority
 | Incident Response Timeline | Incident detection to resolution time
Keyword Detection & Monitoring | Sensitive Keyword Usage by Channel | Frequency of keyword usage in monitored channels
 | Top Users Mentioning Sensitive Keywords | Username, keyword, timestamp, channel
File Sharing Insights | Top File Types Shared (Sensitive/Non-Sensitive) | File type distribution (e.g., .pdf, .csv, .docx)
 | Public Channels with Sensitive Files Shared | Channels and users sharing sensitive files publicly