Unexpected Slack API calls indicating credential testing activity
Description
AlphaSOC detected the unexpected_credential_testing event that indicates potential credential testing activity. This behavior suggests that a threat actor may be attempting to validate stolen or guessed credentials.
Impact
Credential testing can lead to unauthorized access to Slack workspaces, potentially exposing sensitive company communications, files, and data.
Severity
| Severity | Condition |
|---|---|
| Low | Unexpected Slack API calls indicating credential testing activity |
Investigation and Remediation
Review Slack audit logs to identify the source of these API calls and verify whether they were made by authorized personnel. If unauthorized activity is confirmed, investigate for any successful logins or suspicious actions following these attempts. For any accounts where unauthorized access is suspected, reset passwords.
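
One way to carry out this review, as an added example that is not AlphaSOC's or Slack's own code: the script groups flagged calls by source IP and lists activity from the same source shortly afterwards. The record layout follows Slack audit log entries; how the flag is carried (`details.reason`), the one-hour window, the helper names, and all sample data are assumptions.

```python
from collections import defaultdict

FLAG = "unexpected_credential_testing"  # event name taken from this page
WINDOW_S = 3600  # assumed look-ahead window after the last flagged call

def is_flagged(entry):
    # Assumption: the flag is either the action or listed under details.reason.
    reasons = entry.get("details", {}).get("reason", [])
    return entry.get("action") == FLAG or FLAG in reasons

def triage(entries, window_s=WINDOW_S):
    """Per source IP: flagged calls, accounts involved, and later activity."""
    report = defaultdict(lambda: {"flagged": 0, "actors": set(), "follow_up": []})
    last_flag = {}  # source IP -> timestamp of its most recent flagged call
    for e in sorted(entries, key=lambda e: e["date_create"]):
        ip = e.get("context", {}).get("ip_address")
        who = e.get("actor", {}).get("user", {}).get("email", "unknown")
        ts = e["date_create"]
        if is_flagged(e):
            report[ip]["flagged"] += 1
            report[ip]["actors"].add(who)
            last_flag[ip] = ts
        elif ip in last_flag and ts - last_flag[ip] <= window_s:
            # Activity from a flagged source soon after the flagged calls.
            report[ip]["follow_up"].append((ts, e["action"], who))
    return dict(report)

def reset_candidates(report):
    """Accounts that acted from a flagged source after the flagged calls."""
    return {who for r in report.values() for _, _, who in r["follow_up"]}

def make_entry(ts, action, email, ip, reason=None):
    # Builds a constructed record shaped like a Slack audit log entry.
    e = {"date_create": ts, "action": action,
         "actor": {"type": "user", "user": {"email": email}},
         "context": {"ip_address": ip}}
    if reason:
        e["details"] = {"reason": [reason]}
    return e

SAMPLE = [  # constructed data, not real logs
    make_entry(1700000000, "anomaly", "alice@example.com", "203.0.113.7", FLAG),
    make_entry(1700000060, "anomaly", "bob@example.com", "203.0.113.7", FLAG),
    make_entry(1700000300, "user_login", "bob@example.com", "203.0.113.7"),
    make_entry(1700000400, "file_downloaded", "bob@example.com", "203.0.113.7"),
    make_entry(1700000500, "user_login", "carol@example.com", "198.51.100.20"),
    make_entry(1700009000, "user_login", "alice@example.com", "203.0.113.7"),
]
```

Calling `reset_candidates(triage(SAMPLE))` yields the accounts to review first for a password reset; a source with flagged calls but an empty `follow_up` list had no recorded activity inside the window.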