A team member was logged out due to a compromised device
Description
AlphaSOC detected the `user_logout_compromised` action, indicating a user was logged out of Slack due to a compromised device.
Impact
When a device is flagged as compromised, this may indicate that threat actors have gained initial access to your organization's environment. This could lead to further compromise, including data breaches, malicious changes to workspace or user permissions, or potential violations of compliance requirements.
Severity
Severity | Condition |
---|---|
Medium | A team member was logged out due to a compromised device |
Investigation and Remediation
Review Slack logs for any unusual activity associated with the potentially compromised account. Verify whether the compromise took place and, if so, reset the user's Slack credentials. Conduct a broader security assessment of the organization's network to ensure the compromise hasn't spread beyond the initial device.
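
One way to do the log review described above, as an added example that is not AlphaSOC's or Slack's own code: for each `user_logout_compromised` event it lists the same user's actions and source IPs in the surrounding window, split into before and after the forced logout. The field names (`date_create`, `action`, `actor.user.id`, `context.ip_address`) are assumed from the Slack Audit Logs API layout, the other action names and the 24-hour window are illustrative, and every sample entry is constructed.

```python
from collections import defaultdict

WINDOW = 24 * 3600  # assumed review window (seconds) either side of the forced logout
T0 = 1_700_000_000  # constructed timestamp of the forced logout


def _entry(ts, action, uid, ip):
    # Minimal subset of an audit log entry; field names assumed from the Slack Audit Logs API.
    return {"date_create": ts, "action": action,
            "actor": {"user": {"id": uid}}, "context": {"ip_address": ip}}


# Constructed sample data, not real logs.
SAMPLE = [
    _entry(T0 - 200_000, "user_login", "U100", "198.51.100.7"),    # outside the window
    _entry(T0 - 7_200, "user_login", "U100", "198.51.100.7"),
    _entry(T0 - 3_600, "file_downloaded", "U100", "203.0.113.50"),
    _entry(T0 - 100, "user_login", "U200", "192.0.2.10"),          # different user
    _entry(T0, "user_logout_compromised", "U100", "203.0.113.50"),
    _entry(T0 + 600, "user_login", "U100", "198.51.100.7"),        # activity after the logout
]


def _uid(entry):
    return entry.get("actor", {}).get("user", {}).get("id")


def triage(entries, window=WINDOW):
    """Collect each affected user's activity around a user_logout_compromised event."""
    by_user = defaultdict(list)
    for e in sorted(entries, key=lambda x: x["date_create"]):
        by_user[_uid(e)].append(e)
    reports = []
    for uid, events in by_user.items():
        for logout in (e for e in events if e["action"] == "user_logout_compromised"):
            t = logout["date_create"]
            near = [e for e in events
                    if e is not logout and abs(e["date_create"] - t) <= window]
            reports.append({
                "user": uid,
                "before": [e["action"] for e in near if e["date_create"] < t],
                "after": [e["action"] for e in near if e["date_create"] >= t],
                "source_ips": sorted({e["context"]["ip_address"] for e in near}),
            })
    return reports


if __name__ == "__main__":
    for report in triage(SAMPLE):
        print(report)
```

Entries in the `after` list deserve attention first, since they show the account being used again once the session was terminated.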