Slack application with admin scopes added

ID: slack_admin_app_added
Data type: Slack
Severity: Low - Medium
MITRE ATT&CK: TA0003:T1505

Description

AlphaSOC detected the use of app_approved, app_installed, or org_app_workspace_added actions. These API calls are associated with installing or approving new applications in the Slack workspace.

Impact

This activity may indicate threat actors attempting to install unauthorized or malicious applications within the Slack environment to establish persistence. This could further lead to unauthorized access to sensitive information, data breaches, malicious changes to workspace or user permissions, or potential violations of compliance requirements.

Severity

| Severity | Condition |
| --- | --- |
| Low | Slack application installed |
| Medium | Slack application with admin scopes added |

Investigation and Remediation

Review the Slack audit logs to identify the specific application installed and the user who initiated the installation. Verify whether the application installation was authorized. If unauthorized, remove the application and investigate the environment for other potential signs of compromise.
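
The audit log review described above, as an added example that is not AlphaSOC's own detection code: it filters constructed sample records for the three actions, reports the application and the installing user, and grades each event by the severity table. The record layout (actor.user, entity.app.scopes) and the rule that an admin scope is `admin` or starts with `admin.` are assumptions.

```python
import json

# Actions named in the detection description.
APP_ACTIONS = {"app_approved", "app_installed", "org_app_workspace_added"}

# Constructed sample records, one JSON object per line (assumed audit log layout).
SAMPLE_LOG = """
{"id": "evt-1", "action": "app_installed", "actor": {"type": "user", "user": {"id": "U001", "email": "alice@example.com"}}, "entity": {"type": "app", "app": {"id": "A001", "name": "Poll Helper", "scopes": ["chat:write", "commands"]}}}
{"id": "evt-2", "action": "app_approved", "actor": {"type": "user", "user": {"id": "U002", "email": "bob@example.com"}}, "entity": {"type": "app", "app": {"id": "A002", "name": "Directory Sync", "scopes": ["users:read", "admin.users:write"]}}}
{"id": "evt-3", "action": "user_login", "actor": {"type": "user", "user": {"id": "U001", "email": "alice@example.com"}}}
{"id": "evt-4", "action": "org_app_workspace_added", "actor": {"type": "user", "user": {"id": "U003"}}, "entity": {"type": "app", "app": {"id": "A003"}}}
this line is not valid JSON
"""

def is_admin_scope(scope):
    # Assumption: an "admin scope" is the `admin` scope or any `admin.*` scope.
    return scope == "admin" or scope.startswith("admin.")

def triage(entry):
    """Return a finding for app install/approval events, or None for anything else."""
    if not isinstance(entry, dict) or entry.get("action") not in APP_ACTIONS:
        return None
    app = (entry.get("entity") or {}).get("app") or {}
    user = (entry.get("actor") or {}).get("user") or {}
    admin_scopes = sorted(s for s in app.get("scopes") or [] if is_admin_scope(s))
    return {
        "event_id": entry.get("id"),
        "action": entry["action"],
        "app": app.get("name") or app.get("id") or "unknown",
        "installed_by": user.get("email") or user.get("id") or "unknown",
        "admin_scopes": admin_scopes,
        "severity": "medium" if admin_scopes else "low",
    }

def scan(text):
    findings = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            finding = triage(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the review
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```
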