Slack app removed
Description
AlphaSOC detected the use of app_restricted, app_uninstalled, or org_app_workspace_removed actions, which indicate that a Slack app has been removed from a workspace or organization.
Impact
Unexpected removal of Slack applications may indicate unauthorized activity within the environment. This could lead to the disruption of critical workflows, loss of access to essential tools, or the removal of security applications that help protect the Slack environment. It may also indicate an attempt to cover tracks after a compromise or to prevent detection of malicious activities.
Severity
Severity | Condition |
---|---|
Low | Slack app removed |
Investigation and Remediation
Investigate the circumstances surrounding the app removal by reviewing Slack audit logs and identifying the user who performed the action. Verify whether the removal was authorized. If unauthorized, re-install the application and review the environment for other signs of potential compromise.
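The audit log review described above can be scripted as a triage step. The following is an added example, not AlphaSOC's or Slack's own code: it filters exported audit log entries for the three actions named in the description and reports who removed which app, from where, and when. The entry field layout is assumed to follow Slack's Audit Logs API, the sample entries are constructed, and `expected_actor_ids` is a hypothetical allow-list of administrators approved to remove apps.

```python
import json
from datetime import datetime, timezone

# Action names from the detection description on this page.
REMOVAL_ACTIONS = {"app_restricted", "app_uninstalled", "org_app_workspace_removed"}

# Constructed sample entries (not real data); layout assumed to match Slack's Audit Logs API.
SAMPLE_ENTRIES = json.loads("""[
 {"id": "ex-1", "date_create": 1700003600, "action": "org_app_workspace_removed",
  "actor": {"type": "user", "user": {"id": "W0EXAMPLE2", "email": "dev@example.com"}},
  "entity": {"type": "app", "app": {"id": "A0EXAMPLE1", "name": "Example DLP Scanner"}},
  "context": {"ip_address": "198.51.100.7", "location": {"type": "workspace", "name": "example-eng"}}},
 {"id": "ex-2", "date_create": 1700000000, "action": "app_uninstalled",
  "actor": {"type": "user", "user": {"id": "W0EXAMPLE1", "email": "admin@example.com"}},
  "entity": {"type": "app", "app": {"id": "A0EXAMPLE2", "name": "Example Poll Bot"}},
  "context": {"ip_address": "203.0.113.10", "location": {"type": "workspace", "name": "example-eng"}}},
 {"id": "ex-3", "date_create": 1700001000, "action": "user_login",
  "actor": {"type": "user", "user": {"id": "W0EXAMPLE2", "email": "dev@example.com"}},
  "entity": {"type": "user", "user": {"id": "W0EXAMPLE2"}},
  "context": {"ip_address": "198.51.100.7", "location": {"type": "workspace", "name": "example-eng"}}}
]""")


def app_removals(entries, expected_actor_ids=frozenset()):
    """Summarise app-removal events, oldest first, flagging actors not on the expected list."""
    rows = []
    for e in sorted(entries, key=lambda x: x.get("date_create", 0)):
        if e.get("action") not in REMOVAL_ACTIONS:
            continue
        actor = (e.get("actor") or {}).get("user") or {}
        app = (e.get("entity") or {}).get("app") or {}
        ctx = e.get("context") or {}
        rows.append({
            "time": datetime.fromtimestamp(e.get("date_create", 0), tz=timezone.utc).isoformat(),
            "action": e["action"],
            "actor_id": actor.get("id", "unknown"),
            "actor_email": actor.get("email", "unknown"),
            "app": app.get("name", "unknown"),
            "ip": ctx.get("ip_address", "unknown"),
            "workspace": (ctx.get("location") or {}).get("name", "unknown"),
            # No actor id, or one outside the approved set, means the removal needs verification.
            "needs_review": actor.get("id") not in expected_actor_ids,
        })
    return rows


if __name__ == "__main__":
    for row in app_removals(SAMPLE_ENTRIES, expected_actor_ids={"W0EXAMPLE1"}):
        print(row)
```

Rows with `needs_review` set are the ones to confirm with the named user or a workspace owner before deciding whether to re-install the app.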