
Summary
The rule 'Slack EKM Slackbot Unenrolled' detects when a Slack workspace is no longer enrolled in the Enterprise Key Management (EKM) service, which organizations rely on for enhanced security over data management and compliance. It analyzes Slack audit logs for the specific action that signals the unenrollment of the EKM Slackbot: when that notification is sent, the rule raises a high-severity alert, because disabling an important security service is a significant event. The rule therefore helps an organization that uses Slack to promptly identify unauthorized changes to its EKM status. Its primary data sources are User Account and Slack Audit Logs. Each detection carries context about the actor who initiated the unenrollment, the associated IP address and the user-agent string, which help correlate the event with potential security incidents.
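A minimal version of this detection, added here as an example rather than the rule's own code: it runs over constructed Slack audit-log JSON lines, assumes the Slack audit action name `ekm_slackbot_unenroll_notification_sent` for the unenroll notification, and surfaces the actor, IP address and user-agent context the summary describes.

```python
"""Minimal detection for the audit event behind 'Slack EKM Slackbot Unenrolled'."""
import json

# Assumed Slack Audit Logs action name for the EKM Slackbot unenroll notification.
EKM_UNENROLL_ACTION = "ekm_slackbot_unenroll_notification_sent"


def rule(event: dict) -> bool:
    """Return True when the audit entry records the EKM Slackbot unenroll notification."""
    return event.get("action") == EKM_UNENROLL_ACTION


def alert_context(event: dict) -> dict:
    """Pull the fields an analyst needs to triage: who acted, from where, with what client."""
    actor = event.get("actor", {}).get("user", {})
    ctx = event.get("context", {})
    return {
        "actor_id": actor.get("id"),
        "actor_email": actor.get("email"),
        "ip_address": ctx.get("ip_address"),
        "user_agent": ctx.get("ua"),
        "workspace": event.get("entity", {}).get("workspace", {}).get("name"),
    }


def scan(lines):
    """Run the rule over newline-delimited JSON audit entries; return contexts of matches."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line: skip it rather than crash the detection
        if rule(event):
            hits.append(alert_context(event))
    return hits


# Constructed sample entries (not real Slack data); shape follows the Slack Audit Logs API.
SAMPLE_LOG = """
{"id": "1", "date_create": 1662076800, "action": "user_login", "actor": {"type": "user", "user": {"id": "W0001", "email": "alice@example.com"}}, "entity": {"type": "workspace", "workspace": {"id": "T0001", "name": "example"}}, "context": {"ua": "Mozilla/5.0", "ip_address": "203.0.113.10"}}
{"id": "2", "date_create": 1662076900, "action": "ekm_slackbot_unenroll_notification_sent", "actor": {"type": "user", "user": {"id": "W0002", "email": "admin@example.com"}}, "entity": {"type": "workspace", "workspace": {"id": "T0001", "name": "example"}}, "context": {"ua": "Slackbot 1.0", "ip_address": "198.51.100.7"}}
not-json
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```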
Categories
- Cloud
- Identity Management
- Web
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1489
- T0123
Created: 2022-09-02