
Summary
The 'Slack EKM Config Changed' detection rule monitors changes to the Enterprise Key Management (EKM) configuration of a Slack workspace. It aims to identify unauthorized modifications that could affect the workspace's logging capabilities. The rule triggers an alert when a logging setting is altered, specifically on the Slack audit-log action 'ekm_logging_config_set', which indicates a change to the logging configuration. Every matching action is surfaced for review so that the change can be confirmed as legitimate and performed by an authorized user. The rule relies on Slack's audit logs to preserve the workspace's security posture and support compliance, since a change to the logging configuration can hinder the ability to monitor activity and open a security gap. It is rated high severity because of the critical role logging configuration plays in safeguarding data integrity and privacy. A deduplication period of 60 minutes limits alert fatigue, and a threshold of one detected event is enough to trigger a notification. The expected behaviors outlined in the associated test cases confirm that the rule distinguishes legitimate actions from potentially malicious attempts, mapped to the MITRE ATT&CK tactic of defense evasion.
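The detection logic described above, as an added example run over constructed Slack audit-log records (this is illustrative code, not the rule's own implementation): it matches the 'ekm_logging_config_set' action, groups matches per workspace inside the 60-minute deduplication window, and emits HIGH alerts. The record layout follows the Slack Audit Logs API (action / actor / entity / context); the workspace, user names and IP are made up.

```python
from datetime import datetime, timedelta, timezone

# Slack audit-log action the rule keys on, plus the dedup period and threshold the page states.
EKM_LOGGING_ACTION = "ekm_logging_config_set"
DEDUP_WINDOW = timedelta(minutes=60)
THRESHOLD = 1  # one matching event is enough to alert

def _event(ts, action, user, workspace="T01"):
    # Constructed Slack audit-log record (sample data, not captured from a real workspace).
    return {"date_create": ts, "action": action,
            "actor": {"type": "user", "user": {"id": user.upper(), "name": user}},
            "entity": {"type": "workspace", "workspace": {"id": workspace, "name": "acme"}},
            "context": {"ip_address": "203.0.113.10"}}

SAMPLE_EVENTS = [
    _event(1662076800, "user_login", "alice"),         # unrelated action, ignored
    _event(1662076900, EKM_LOGGING_ACTION, "alice"),   # first change -> opens an alert
    _event(1662078000, EKM_LOGGING_ACTION, "bob"),     # 18 min later, same workspace -> grouped
    _event(1662081000, EKM_LOGGING_ACTION, "alice"),   # 68 min after the first -> new alert
]

def rule(event):
    """Fire on any EKM logging-configuration change; the log itself cannot say whether it was approved."""
    return event.get("action") == EKM_LOGGING_ACTION

def dedup(event):
    """One alert per workspace per window so repeated toggles do not flood the queue."""
    return event.get("entity", {}).get("workspace", {}).get("id", "<UNKNOWN_WORKSPACE>")

def _actor(event):
    return event.get("actor", {}).get("user", {}).get("name", "<UNKNOWN_USER>")

def title(event):
    ws = event.get("entity", {}).get("workspace", {}).get("name", "<UNKNOWN_WORKSPACE>")
    return f"Slack EKM logging configuration changed in workspace [{ws}] by [{_actor(event)}]"

def run(events):
    """Replay events in time order; matches within DEDUP_WINDOW of an open alert join it."""
    open_alerts, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["date_create"]):
        if not rule(ev):
            continue
        key = dedup(ev)
        ts = datetime.fromtimestamp(ev["date_create"], tz=timezone.utc)
        current = open_alerts.get(key)
        if current and ts - current["first_seen"] < DEDUP_WINDOW:
            current["event_count"] += 1          # suppressed: folded into the open alert
            current["actors"].add(_actor(ev))
            continue
        alert = {"title": title(ev), "severity": "HIGH", "dedup_key": key,
                 "first_seen": ts, "event_count": 1, "actors": {_actor(ev)}}
        open_alerts[key] = alert
        if alert["event_count"] >= THRESHOLD:
            alerts.append(alert)
    return alerts
```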
Categories
- Cloud
- Application
Data Sources
- Application Log
- Cloud Service
ATT&CK Techniques
- T1562.008
- T0123
Created: 2022-09-02