
Summary
The "Slack App Access Expanded" detection rule monitors Slack audit logs for changes that widen a Slack application's permission scopes, a change that can indicate privilege escalation or unauthorized access within a workspace. It targets the audit actions related to app scope changes, namely 'app_scopes_expanded', 'app_resources_added', 'app_resources_granted', and 'bot_token_upgraded', and examines the email of the user who made the change, that user's IP address, and the previous and new scopes assigned to the app. When these actions occur within a short timeframe of each other, the rule helps identify and respond to malicious activity that can follow from unchecked app permissions or unauthorized resource modifications. The rule focuses on actions by valid actors and explicitly excludes user logout events, which should not raise alerts, thereby improving detection accuracy. A threshold of 1 is set, so an alert is triggered whenever any of the specified actions occurs.
Categories
- Cloud
- Web
- Application
- Identity Management
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1098
- T0123
Created: 2022-09-02