Slack CLI login from suspicious IP address

This rule is part of a beta feature. To learn more, contact Support.

Set up the slack integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a Slack CLI login occurs from a suspicious IP address.

Strategy

This rule monitors Slack events for CLI logins that originate from suspicious or unusual IP addresses. A CLI login from a risky IP could indicate unauthorized access, especially if it originates from a Tor exit node or an IP previously associated with malicious activity.

Potential risks associated with suspicious CLI logins include:

  • Unauthorized access to Slack data, configurations, or admin-level actions.
  • Compromised user credentials allowing attackers to interact with the workspace through API calls.
  • Further infiltration into the organization’ systems or data exfiltration.

Triage and response

  1. Determine if the login is expected by:

    • Contacting the user {{@usr.email}} to confirm if they performed the CLI login from the identified IP address.
    • Checking Slack logs for unusual activities after the login, such as privilege escalations, data downloads, or unauthorized API interactions.
  2. If the login is deemed suspicious or unauthorized:

    • Begin your organization’s incident response process and investigate further.
    • Terminate the session immediately to prevent continued access to the Slack environment.
    • Reset the affected user’s credentials and enforce multi-factor authentication (MFA) to secure the account.
    • Review recent activity associated with the account to identify any other compromised sessions or suspicious behavior.
PREVIEWING: Cyril-Bouchiat/add-vm-package-explorer-doc