Slack private channel converted to public

This rule is part of a beta feature. To learn more, contact Support.

Set up the slack integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a Slack channel is changed from private to public.

Strategy

This rule monitors Slack events for when a channel’s privacy setting is modified from private to public. Changing a private channel to public can expose sensitive conversations, files, and information that were previously restricted. This action may be deliberate, accidental, or malicious, making it essential to track and verify the intent behind the change.

Potential risks associated with this change include:

  • Exposure of sensitive or confidential information to a wider audience.
  • Unintended sharing of critical discussions with external collaborators or users.
  • Increased risk of data leaks or breaches if the channel contains sensitive information.

Triage and response

  1. Determine if the channel change is expected by:

    • Contacting the channel owner or administrators to confirm if they authorized the change.
    • Reviewing Slack logs related to the user {{@usr.email}} who performed the change, focusing on:
      • The time of the change and surrounding activities.
      • Unusual behavior or other changes, such as role modifications or new members added to the channel.
    • Checking the content of the channel to assess whether it contains sensitive information that should not be public.
  2. If the activity is deemed unauthorized or malicious:

    • Begin your organization’s incident response process to investigate further.
    • Immediately revert the channel back to private if it contains sensitive data.
    • Review access permissions and ensure only trusted users can modify channel privacy settings.
    • Investigate if any unauthorized users accessed the channel while it was public and evaluate potential exposure.
PREVIEWING: esther/docs-9478-fix-split-after-example