Slack identity provider config modified
Description
AlphaSOC detected modifications to Slack identity provider (IDP) configuration settings. Threat actors can modify IDP configurations to manipulate access controls, enabling unauthorized workspace and channel access.
Impact
Changes to IDP configuration may allow adversaries to bypass authentication controls and gain unauthorized access to workspaces and channels. The adversary can then extract sensitive communications and files, and the modified settings give them a persistent foothold that survives routine credential changes. Threat actors can impersonate legitimate users and move laterally through the organization's Slack infrastructure.
Severity
| Severity | Condition |
|---|---|
| Low | Slack identity provider config modified |
Investigation and Remediation
Review Slack audit logs (the Audit Logs API is available on Enterprise Grid) to identify the configuration change, the actor who made it, and the source IP address and user agent of the session. Verify the change against the approved change management process and confirm the actor is an expected administrator. If compromise is confirmed, restore the previous IDP configuration, revoke the credentials and active sessions of affected users, and examine workspace and channel membership for unauthorized members. Implement monitoring controls to alert on future IDP configuration changes.
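The triage described above, as an added example that is not AlphaSOC's detection code: it parses Slack Audit Logs API entries (newline-delimited JSON), keeps only the IDP configuration actions, and marks each one as covered or not covered by an approved change record. The entry shape (action, actor, entity, context, date_create) follows the Audit Logs API; the action names idp_configuration_added/changed/deleted are assumed, and the log entries and change records are constructed for illustration.

```python
"""Triage Slack audit log entries for identity provider (IDP) configuration changes.

Added example, not AlphaSOC's detection code. Assumes the Slack Audit Logs API
entry shape and the action names below; sample data is constructed.
"""
import json
from datetime import datetime, timezone

# Audit log actions that indicate an IDP configuration change (assumed names).
IDP_ACTIONS = {
    "idp_configuration_added",
    "idp_configuration_changed",
    "idp_configuration_deleted",
}

# Constructed sample: three audit entries, one line per JSON object.
SAMPLE_LOG = """
{"id":"e1","date_create":1700000000,"action":"user_login","actor":{"type":"user","user":{"id":"W01","name":"alice","email":"alice@example.com"}},"entity":{"type":"workspace","workspace":{"id":"T01","name":"corp"}},"context":{"ua":"Mozilla/5.0","ip_address":"203.0.113.10"}}
{"id":"e2","date_create":1700003600,"action":"idp_configuration_changed","actor":{"type":"user","user":{"id":"W02","name":"bob","email":"bob@example.com"}},"entity":{"type":"workspace","workspace":{"id":"T01","name":"corp"}},"context":{"ua":"Mozilla/5.0","ip_address":"203.0.113.10"}}
{"id":"e3","date_create":1700090000,"action":"idp_configuration_added","actor":{"type":"user","user":{"id":"W03","name":"mallory","email":"mallory@example.com"}},"entity":{"type":"workspace","workspace":{"id":"T01","name":"corp"}},"context":{"ua":"curl/8.0","ip_address":"198.51.100.7"}}
"""

# Constructed change-management record: who may change IDP settings, and when.
APPROVED_CHANGES = [
    {"ticket": "CHG-1234", "actor_email": "bob@example.com",
     "start": 1700000000, "end": 1700007200},
]


def parse_entries(raw):
    """Parse newline-delimited JSON audit entries, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def is_approved(entry, approved):
    """True if the actor and time of `entry` fall inside an approved change window."""
    email = entry["actor"].get("user", {}).get("email")
    ts = entry["date_create"]
    return any(a["actor_email"] == email and a["start"] <= ts <= a["end"]
               for a in approved)


def triage_idp_changes(raw_log, approved):
    """Return one finding per IDP configuration change, in log order.

    Each finding carries what an analyst needs first: who, when, from where,
    which workspace, and whether change management covers the change.
    """
    findings = []
    for e in parse_entries(raw_log):
        if e.get("action") not in IDP_ACTIONS:
            continue
        when = datetime.fromtimestamp(e["date_create"], tz=timezone.utc)
        ws = e.get("entity", {}).get("workspace", {})
        ctx = e.get("context", {})
        findings.append({
            "id": e["id"],
            "action": e["action"],
            "time": when.isoformat(),
            "actor": e["actor"].get("user", {}).get("email"),
            "ip": ctx.get("ip_address"),
            "user_agent": ctx.get("ua"),
            "workspace": ws.get("name"),
            "approved": is_approved(e, approved),
        })
    return findings


if __name__ == "__main__":
    for f in triage_idp_changes(SAMPLE_LOG, APPROVED_CHANGES):
        flag = "OK   " if f["approved"] else "ALERT"
        print(f"{flag} {f['time']} {f['action']} by {f['actor']} "
              f"from {f['ip']} ({f['user_agent']}) in {f['workspace']}")
```

Run against a real export, the same loop is the monitoring control the section asks for: any finding with `approved` false (here the out-of-window change from a scripted client at an unexpected address) is the one to alert on and investigate first.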