Slack CLI login from suspicious IP address
Set up the slack integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when a Slack CLI login occurs from a suspicious IP address.
Strategy
This rule monitors Slack events for CLI logins that originate from suspicious or unusual IP addresses. A CLI login from a risky IP could indicate unauthorized access, especially if it originates from a Tor exit node or an IP previously associated with malicious activity.
Potential risks associated with suspicious CLI logins include:
- Unauthorized access to Slack data, configurations, or admin-level actions.
- Compromised user credentials allowing attackers to interact with the workspace through API calls.
- Further infiltration into the organization’ systems or data exfiltration.
Triage and response
Determine if the login is expected by:
- Contacting the user
{{@usr.email}}
to confirm if they performed the CLI login from the identified IP address. - Checking Slack logs for unusual activities after the login, such as privilege escalations, data downloads, or unauthorized API interactions.
If the login is deemed suspicious or unauthorized:
- Begin your organization’s incident response process and investigate further.
- Terminate the session immediately to prevent continued access to the Slack environment.
- Reset the affected user’s credentials and enforce multi-factor authentication (MFA) to secure the account.
- Review recent activity associated with the account to identify any other compromised sessions or suspicious behavior.