Slack application access expanded with admin scopes
Description
AlphaSOC detected the use of the `app_scopes_expanded`, `app_resources_added`, `app_resources_granted`, or `bot_token_upgraded` actions. These API calls are used to increase the permissions and access levels of Slack applications.
Impact
Unexpected expansion of Slack application access could indicate an ongoing compromise, where threat actors attempt to escalate privileges. This could further lead to unauthorized access to sensitive information, data breaches, malicious changes to workspace or user permissions, or potential violations of compliance requirements.
Severity
| Severity | Condition |
|---|---|
| Low | Slack application access expanded |
| Medium | Slack application access expanded with admin scopes |
Investigation and Remediation
Review the Slack audit logs to identify the specific applications affected and the extent of the permission changes. Verify whether these changes were authorized. If they were not, revoke the expanded permissions.
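As an added example (not AlphaSOC's own detection code), the triage below scans newline-delimited Slack audit-log entries for the four actions named in the Description and assigns the Low/Medium severity from the table above. It assumes that admin-level scopes are recognised by the `admin.` prefix and that granted scopes appear under `details.new_scopes`; the sample entries are constructed.

```python
import json
from typing import Optional

# The four audit-log actions the detection keys on (from the page).
ACCESS_EXPANSION_ACTIONS = {
    "app_scopes_expanded", "app_resources_added",
    "app_resources_granted", "bot_token_upgraded",
}

def is_admin_scope(scope: str) -> bool:
    # Assumption: admin-level Slack scopes are recognised by the "admin." prefix.
    return scope.startswith("admin.")

def classify(event: dict) -> Optional[str]:
    """Map one audit-log entry to 'Medium', 'Low' or None (not a hit)."""
    if event.get("action") not in ACCESS_EXPANSION_ACTIONS:
        return None
    # Assumption: newly granted scopes are listed under details.new_scopes.
    scopes = event.get("details", {}).get("new_scopes", [])
    return "Medium" if any(is_admin_scope(s) for s in scopes) else "Low"

def scan(lines):
    """Run the detection over newline-delimited JSON audit entries."""
    findings = []
    for line in lines:
        event = json.loads(line)
        severity = classify(event)
        if severity is None:
            continue
        findings.append({
            "severity": severity,
            "action": event["action"],
            # Assumption: app and actor names follow Slack's entity/actor nesting.
            "app": event.get("entity", {}).get("app", {}).get("name", "?"),
            "actor": event.get("actor", {}).get("user", {}).get("name", "?"),
            "scopes": event.get("details", {}).get("new_scopes", []),
        })
    return findings

# Constructed sample entries (not real audit data): one admin-scope expansion,
# one ordinary expansion, one unrelated action that must not fire.
SAMPLE_LOG = [
    '{"action": "app_scopes_expanded", "actor": {"user": {"name": "jdoe"}}, '
    '"entity": {"app": {"name": "Exporter"}}, '
    '"details": {"new_scopes": ["admin.users:write", "users:read"]}}',
    '{"action": "app_resources_added", "actor": {"user": {"name": "asmith"}}, '
    '"entity": {"app": {"name": "Standup Bot"}}, "details": {"new_scopes": ["channels:read"]}}',
    '{"action": "user_login", "actor": {"user": {"name": "jdoe"}}}',
]
```

Each finding carries the actor, application and granted scopes, which is what the review step above asks you to verify before revoking anything.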