Unexpected Slack API actions from admin account
Description
AlphaSOC detected the unexpected_admin_action event in Slack, which indicates anomalous behavior from an administrator account.
Impact
Unauthorized use of administrative Slack API actions can lead to unauthorized access to sensitive information, data breaches, malicious changes to workspace or user permissions, and potential violations of compliance requirements. Such activity may indicate that an admin account has been compromised.
Severity
| Severity | Condition |
|---|---|
| Low | Unexpected Slack API actions from admin account |
Investigation and Remediation
Investigate the specific actions performed. Review Slack audit logs to identify any unauthorized changes or suspicious patterns. Verify whether the actions were performed by a legitimate administrator. If unauthorized access is confirmed or suspected, sign the potentially compromised account out of all sessions, reset its credentials, and review its recent activity to identify and reverse any unauthorized changes.
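As an added illustration of the audit-log review step above (example code, not AlphaSOC's detection logic), the script below flags administrator actions that fall outside a per-admin baseline of previously seen actions and source addresses. The entry layout follows the shape of Slack Audit Logs API entries (action, actor.user.id, context.ip_address); the admin list, the baseline and the sample entries are constructed for this example.

```python
import json

# Constructed: user IDs holding admin rights (assumption; in practice taken
# from the workspace's user directory).
ADMIN_USERS = {"U_ALICE", "U_BOB"}

# Constructed baseline: actions and source IPs each admin has been seen using
# in historical Slack audit logs.
BASELINE_ACTIONS = {"U_ALICE": {"user_created", "channel_archived"},
                    "U_BOB": {"app_installed"}}
BASELINE_IPS = {"U_ALICE": {"203.0.113.10"}, "U_BOB": {"203.0.113.11"}}

# Constructed sample entries, shaped like Slack Audit Logs API entries.
SAMPLE_ENTRIES = json.loads("""[
 {"id": "e1", "action": "user_created",
  "actor": {"type": "user", "user": {"id": "U_ALICE", "name": "alice"}},
  "context": {"ip_address": "203.0.113.10"}},
 {"id": "e2", "action": "role_change_to_admin",
  "actor": {"type": "user", "user": {"id": "U_ALICE", "name": "alice"}},
  "context": {"ip_address": "198.51.100.7"}},
 {"id": "e3", "action": "app_installed",
  "actor": {"type": "user", "user": {"id": "U_BOB", "name": "bob"}},
  "context": {"ip_address": "203.0.113.11"}},
 {"id": "e4", "action": "channel_created",
  "actor": {"type": "user", "user": {"id": "U_CAROL", "name": "carol"}},
  "context": {"ip_address": "198.51.100.7"}}
]""")


def unexpected_admin_actions(entries, admins=ADMIN_USERS,
                             baseline_actions=BASELINE_ACTIONS,
                             baseline_ips=BASELINE_IPS):
    """Return (entry_id, actor_id, action, reasons) for each admin action that
    is novel for that admin or comes from an address not seen for them."""
    findings = []
    for e in entries:
        actor = e.get("actor", {})
        # Only user actors are in scope; non-admin accounts are skipped here.
        uid = actor.get("user", {}).get("id") if actor.get("type") == "user" else None
        if uid not in admins:
            continue
        action = e.get("action")
        ip = e.get("context", {}).get("ip_address")
        reasons = []
        if action not in baseline_actions.get(uid, set()):
            reasons.append(f"action {action} not in this admin's baseline")
        if ip and ip not in baseline_ips.get(uid, set()):
            reasons.append(f"source address {ip} not seen for this admin")
        if reasons:
            findings.append((e["id"], uid, action, reasons))
    return findings
```

Each finding names the audit entry to pull up for the manual review the procedure describes; an action that is both novel and from an unfamiliar address carries two reasons and deserves attention first.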