Slack CLI login from suspicious IP address

This rule is part of a beta feature. To learn more, contact Support.

Set up the slack integration.

Goal

Detect when a Slack CLI login occurs from a suspicious IP address.

Strategy

This rule monitors Slack events for CLI logins that originate from suspicious or unusual IP addresses. A CLI login from a risky IP could indicate unauthorized access, especially if it originates from a Tor exit node or an IP previously associated with malicious activity.

Potential risks associated with suspicious CLI logins include:

  • Unauthorized access to Slack data, configurations, or admin-level actions.
  • Compromised user credentials allowing attackers to interact with the workspace through API calls.
  • Further infiltration into the organization’ systems or data exfiltration.

Triage and response

  1. Determine if the login is expected by:

    • Contacting the user {{@usr.email}} to confirm if they performed the CLI login from the identified IP address.
    • Checking Slack logs for unusual activities after the login, such as privilege escalations, data downloads, or unauthorized API interactions.
  2. If the login is deemed suspicious or unauthorized:

    • Begin your organization’s incident response process and investigate further.
    • Terminate the session immediately to prevent continued access to the Slack environment.
    • Reset the affected user’s credentials and enforce multi-factor authentication (MFA) to secure the account.
    • Review recent activity associated with the account to identify any other compromised sessions or suspicious behavior.
PREVIEWING: esther/docs-9518-update-example-control-sensitive-log-data