
Slack App Removed

Panther Rules

Summary
The 'Slack App Removed' detection rule monitors Slack audit logs and alerts when an application is removed from a Slack workspace. App removal is recorded under several audit actions, namely 'app_restricted', 'app_uninstalled', and 'org_app_workspace_removed'; the rule matches on these actions. The rule has a medium severity level and a de-duplication period of 60 minutes, so multiple matching events within that window produce a single alert. Matching is driven by the action field of each audit-log entry, with the acting user and the affected application taken from the same entry for context. Events unrelated to app removal, such as a user logging out, do not generate an alert. The rule helps organizations keep oversight of their Slack applications and detect unauthorized removal of integrations, which may indicate a security concern or cause operational disruption. It also maps to MITRE ATT&CK techniques under impact and defense evasion, giving a framework for understanding the risks associated with the removal of applications.
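The following is an added example, not the rule's own source code from the Panther project, showing what a detection of this shape looks like in Panther's Python rule format and how it behaves when run over a few constructed Slack audit-log events. It assumes Panther's module-level rule()/title()/dedup() contract with a dict-like event, and assumes a Slack audit-log field layout of action, actor.user.name, entity.app.name and context.location.name; the _deep_get helper stands in for Panther's own nested-lookup helper.

```python
"""Added example (not the Panther project's own rule code): a Panther-style
'Slack App Removed' detection run over constructed Slack audit-log events.

Assumed, not taken from the page: Panther's rule()/title()/dedup() contract
with a dict-like event, and the Slack audit-log field layout
action / actor.user.name / entity.app.name / context.location.name.
"""

# The three Slack audit-log actions the rule summary lists for app removal.
APP_REMOVED_ACTIONS = {"app_restricted", "app_uninstalled", "org_app_workspace_removed"}


def _deep_get(event, *keys, default=None):
    """Walk nested dicts; return default if any key along the path is missing."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event):
    """Fire only when the audit action is one of the app-removal actions."""
    return event.get("action") in APP_REMOVED_ACTIONS


def title(event):
    """Alert title naming the acting user, the app and the workspace."""
    actor = _deep_get(event, "actor", "user", "name", default="<unknown user>")
    app = _deep_get(event, "entity", "app", "name", default="<unknown app>")
    workspace = _deep_get(event, "context", "location", "name", default="<unknown workspace>")
    return f"Slack App [{app}] removed by [{actor}] in workspace [{workspace}]"


def dedup(event):
    """Group alerts per acting user so repeated removals inside the
    60 minute de-duplication window collapse into one alert."""
    return _deep_get(event, "actor", "user", "name", default="<unknown user>")


def evaluate(events):
    """Apply the rule to a batch of events; return (title, dedup key) per hit."""
    return [(title(e), dedup(e)) for e in events if rule(e)]


# Constructed sample events (not real Slack data): two removals by the same
# user and one unrelated logout that must not alert.
SAMPLE_EVENTS = [
    {"action": "app_uninstalled",
     "actor": {"user": {"name": "alice"}},
     "entity": {"app": {"name": "Ticket Bot"}},
     "context": {"location": {"name": "engineering"}}},
    {"action": "user_logout",
     "actor": {"user": {"name": "bob"}}},
    {"action": "org_app_workspace_removed",
     "actor": {"user": {"name": "alice"}},
     "entity": {"app": {"name": "Deploy Notifier"}},
     "context": {"location": {"name": "engineering"}}},
]

if __name__ == "__main__":
    for alert_title, key in evaluate(SAMPLE_EVENTS):
        print(f"{key}: {alert_title}")
```

Both removal events produce an alert and share the dedup key "alice", so within the 60 minute window they would be folded into one alert; the logout event is ignored, as the summary describes.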
Categories
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1489
  • T1070.009
  • T0177
  • T0123
Created: 2022-09-02