
Summary
This detection rule monitors Slack audit logs to identify privilege escalation within a Slack workspace. Privilege escalation here means a user being granted additional roles, such as 'Admin' or 'Owner', that widen their access and capabilities in the Slack environment. The rule triggers alerts on specific actions recorded in the Slack audit log:
1. **Owner Transferred**: When ownership of a Slack workspace is transferred between users.
2. **Permissions Assigned**: When various permissions are assigned to a user that elevate their access.
3. **Role Changes**: Specifically highlighting changes when a user is promoted to 'Admin' or 'Owner'.
The rule uses a deduplication period of 60 minutes so that repeated occurrences of the same incident do not generate multiple alerts. Its threshold is 1, so a single occurrence of any monitored action is enough to raise an alert.

The rule is assigned high severity because role and ownership changes of this kind can indicate a security breach or an incorrect configuration. It uses the actor's user email and user ID to uniquely identify who performed the action, and adds contextual fields such as IP address and user agent so that an analyst can reconstruct the circumstances of the event.

This rule supports ongoing monitoring of user privileges within Slack, helping to prevent unauthorized access and protect sensitive information.
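The following Python is an added illustration of the matching and deduplication behaviour described above; it is not the rule's own code. It assumes Slack audit log entries shaped like the Audit Logs API output (an `action` string, `actor.user.email` / `actor.user.id`, `context.ip_address` / `context.ua`, and an epoch `date_create`), that the monitored actions are logged as `owner_transferred`, `permissions_assigned`, `role_change_to_admin` and `role_change_to_owner`, and that deduplication is keyed on actor ID plus action. The sample events are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed Slack audit log action names for the three monitored cases.
PRIVILEGE_ESCALATION_ACTIONS = {
    "owner_transferred",      # workspace ownership moved between users
    "permissions_assigned",   # elevated permissions granted to a user
    "role_change_to_admin",   # user promoted to Admin
    "role_change_to_owner",   # user promoted to Owner
}

DEDUP_WINDOW = timedelta(minutes=60)  # dedup period from the rule summary
THRESHOLD = 1                          # a single matching event alerts
SEVERITY = "High"


def rule(event: dict) -> bool:
    """Return True when the audit event is one of the monitored actions."""
    return event.get("action") in PRIVILEGE_ESCALATION_ACTIONS


def actor_field(event: dict, name: str) -> str:
    return event.get("actor", {}).get("user", {}).get(name, "<unknown>")


def dedup_key(event: dict) -> str:
    # Assumption: one alert per actor and action within the dedup window.
    return f"{actor_field(event, 'id')}:{event.get('action')}"


def title(event: dict) -> str:
    target = event.get("entity", {}).get("user", {}).get("email", "<unknown>")
    return (f"Slack privilege escalation: {actor_field(event, 'email')} "
            f"performed {event.get('action')} on {target}")


def alert_context(event: dict) -> dict:
    """Fields an analyst needs to reconstruct the event."""
    ctx = event.get("context", {})
    return {
        "actor_email": actor_field(event, "email"),
        "actor_id": actor_field(event, "id"),
        "ip_address": ctx.get("ip_address", "<unknown>"),
        "user_agent": ctx.get("ua", "<unknown>"),
    }


class PrivilegeEscalationDetector:
    """Applies rule() to events in time order and suppresses repeats."""

    def __init__(self, window: timedelta = DEDUP_WINDOW):
        self._window = window
        self._last_alert: Dict[str, datetime] = {}
        self._counts: Dict[str, int] = {}

    def process(self, event: dict) -> Optional[dict]:
        if not rule(event):
            return None
        ts = datetime.fromtimestamp(event["date_create"], tz=timezone.utc)
        key = dedup_key(event)
        last = self._last_alert.get(key)
        if last is not None and ts - last < self._window:
            return None  # same actor/action seen within 60 minutes: suppressed
        self._counts[key] = self._counts.get(key, 0) + 1
        if self._counts[key] < THRESHOLD:
            return None
        self._last_alert[key] = ts
        self._counts[key] = 0
        return {"title": title(event), "severity": SEVERITY,
                "dedup_key": key, "context": alert_context(event)}


def _event(ts: int, action: str, target_email: str = "bob@example.test") -> dict:
    # Constructed sample event; IP and user agent are placeholder values.
    return {
        "date_create": ts,
        "action": action,
        "actor": {"user": {"id": "U0ALICE", "email": "alice@example.test"}},
        "entity": {"user": {"id": "U0BOB", "email": target_email}},
        "context": {"ip_address": "203.0.113.10", "ua": "Mozilla/5.0 (constructed)"},
    }


T0 = 1_700_000_000
SAMPLE_EVENTS: List[dict] = [
    _event(T0, "role_change_to_admin"),           # alert
    _event(T0 + 600, "role_change_to_admin"),     # suppressed (10 min later)
    _event(T0 + 900, "user_login"),               # not a monitored action
    _event(T0 + 3700, "role_change_to_admin"),    # alert again (window elapsed)
    _event(T0 + 4000, "owner_transferred"),       # alert (different action)
]


def run(events: List[dict] = SAMPLE_EVENTS) -> List[dict]:
    detector = PrivilegeEscalationDetector()
    return [a for a in (detector.process(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run():
        print(alert["severity"], alert["title"], alert["context"])
```

Running the sample produces three alerts: the second `role_change_to_admin` is suppressed because it falls inside the 60-minute window for the same actor and action, while the later one and the `owner_transferred` event each alert on their own.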
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1098.003
- T0123
Created: 2022-09-02