
Summary
This rule detects any instance where a Slack workspace is found to be no longer enrolled in, or managed by, the Enterprise Key Management (EKM) system. Such an event can be critical: it may indicate a defense evasion technique used by malicious actors seeking to weaken encryption controls. The rule looks for Slack audit log entries whose action denotes a workspace leaving EKM management ('ekm_unenrolled'). It operates on data from Slack's audit logs and raises an alert whenever it observes that critical-threshold event, which is defined as the presence of the 'ekm_unenrolled' action. Additionally, the rule takes user logout events into account to ensure that an un-enrollment is not simply coinciding with an unauthorized user session ending, which adds robustness to its monitoring. Certain keywords help identify occurrences relevant to Slack, encryption management, and evasive actions. The rule's importance is reflected in its critical severity level and its reference to the MITRE ATT&CK framework (TA0005:T1600). Furthermore, the rule has a deduplication period of 60 minutes, keeping alerting efficient by avoiding duplicate notifications within a short window of time.
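As an added illustration, not the rule's own code, the following Python sketch applies the logic described above to constructed Slack audit log entries: it matches on the 'ekm_unenrolled' action, deduplicates alerts per workspace over a 60-minute window, and records whether the acting user logged out shortly afterwards. The event shape (action, actor, entity, date_create) and all names and timestamps are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Iterable

DEDUP_WINDOW = timedelta(minutes=60)  # the rule's 60-minute deduplication period

# Constructed sample entries (hypothetical), shaped like Slack audit log records:
# an action, the acting user, the affected workspace and an epoch timestamp.
SAMPLE_EVENTS = [
    {"action": "user_login", "actor": {"user": {"name": "alice"}},
     "entity": {"workspace": {"name": "acme"}}, "date_create": 1662100000},
    {"action": "ekm_unenrolled", "actor": {"user": {"name": "alice"}},
     "entity": {"workspace": {"name": "acme"}}, "date_create": 1662100600},
    {"action": "user_logout", "actor": {"user": {"name": "alice"}},
     "entity": {"workspace": {"name": "acme"}}, "date_create": 1662100700},
    {"action": "ekm_unenrolled", "actor": {"user": {"name": "alice"}},  # ~23 min later
     "entity": {"workspace": {"name": "acme"}}, "date_create": 1662102000},  # deduplicated
    {"action": "ekm_unenrolled", "actor": {"user": {"name": "bob"}},  # 65 min later
     "entity": {"workspace": {"name": "acme"}}, "date_create": 1662104500},  # new alert
]


def rule(event: dict) -> bool:
    """Core match: the audit entry says the workspace left EKM management."""
    return event.get("action") == "ekm_unenrolled"


def detect(events: Iterable[dict], window: timedelta = DEDUP_WINDOW) -> list[dict]:
    """Run the rule over an event stream and return alerts, deduplicated per workspace."""
    events = sorted(events, key=lambda e: e["date_create"])
    last_alert: dict[str, datetime] = {}
    alerts: list[dict] = []
    for ev in events:
        if not rule(ev):
            continue
        workspace = ev["entity"]["workspace"]["name"]
        ts = datetime.fromtimestamp(ev["date_create"], tz=timezone.utc)
        if workspace in last_alert and ts - last_alert[workspace] < window:
            continue  # same workspace already alerted inside the dedup window
        last_alert[workspace] = ts
        actor = ev["actor"]["user"]["name"]
        # Context: did the same user log out within the window after un-enrolling?
        logged_out_after = any(
            e["action"] == "user_logout"
            and e["actor"]["user"]["name"] == actor
            and 0 <= e["date_create"] - ev["date_create"] <= window.total_seconds()
            for e in events
        )
        alerts.append({"severity": "CRITICAL", "workspace": workspace, "actor": actor,
                       "mitre": "TA0005:T1600", "time": ts.isoformat(),
                       "actor_logged_out_after": logged_out_after})
    return alerts
```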
Categories
- Cloud
- Application
- Identity Management
Data Sources
- Logon Session
- Application Log
- User Account
ATT&CK Techniques
- T1600
- T0123
Created: 2022-09-02