
Slack legal hold policy modified

ID: slack_legal_hold_policy_modified
Data type: Slack
Severity: Low
MITRE ATT&CK: TA0005:T1562.001

Description

AlphaSOC detected changes to Slack legal hold policies. Legal hold policies preserve messages and files from given members in Slack Enterprise Grid organizations. These policies override standard retention settings and prevent deletion or modification of content under hold.

Impact

Modifying legal hold policies can disrupt evidence preservation, potentially violating legal requirements and compliance obligations. Threat actors may alter these settings to destroy evidence of their activities or to prevent proper forensic investigation.

Severity

Severity    Condition
Low         Slack legal hold policy modified

Investigation and Remediation

Review Slack audit logs to determine the identity of users who modified legal hold policies. Confirm whether these changes were authorized and properly documented through change management processes. Assess the scope of impact by examining affected users and channels. If unauthorized changes occurred, restore the previous legal hold settings immediately. Review Legal Holds Admin role assignments and implement stricter access controls if necessary. Document all findings and notify relevant stakeholders including legal and compliance teams.
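As an added triage example (not AlphaSOC's detection logic or Slack's own code), the following Python filters a constructed audit-log sample, laid out like a Slack Audit Logs API response, for legal hold changes and labels each one as authorized only when the actor holds the Legal Holds Admin role and acted inside an approved change window. The action names, entity type, admin set and change windows are assumptions, not values taken from Slack or from this page.

```python
import json

# Constructed sample shaped like a Slack Audit Logs API response
# (entries[].action, actor.user, entity, date_create, context).
# The legal_hold action names and entity type are ASSUMED placeholders;
# substitute the values your tenant's audit log actually emits.
SAMPLE_AUDIT_LOG = json.dumps({"entries": [
    {"id": "e1", "date_create": 1700000000, "action": "legal_hold_updated",
     "actor": {"type": "user", "user": {"id": "U100", "email": "legal.admin@example.com"}},
     "entity": {"type": "legal_hold", "legal_hold": {"id": "LH1"}},
     "context": {"ip_address": "203.0.113.10"}},
    {"id": "e2", "date_create": 1700003600, "action": "user_login",
     "actor": {"type": "user", "user": {"id": "U200", "email": "dev@example.com"}},
     "entity": {"type": "workspace", "workspace": {"id": "T1"}},
     "context": {"ip_address": "198.51.100.7"}},
    {"id": "e3", "date_create": 1700007200, "action": "legal_hold_deleted",
     "actor": {"type": "user", "user": {"id": "U200", "email": "dev@example.com"}},
     "entity": {"type": "legal_hold", "legal_hold": {"id": "LH1"}},
     "context": {"ip_address": "198.51.100.7"}},
]})

# Assumed action names that create, change or remove a legal hold policy.
LEGAL_HOLD_ACTIONS = {"legal_hold_created", "legal_hold_updated", "legal_hold_deleted"}


def legal_hold_changes(raw_json, actions=LEGAL_HOLD_ACTIONS):
    """Return a flat record for each audit entry whose action touches a legal hold."""
    found = []
    for e in json.loads(raw_json).get("entries", []):
        if e.get("action") not in actions:
            continue
        user = e.get("actor", {}).get("user", {})
        found.append({
            "id": e["id"], "ts": e["date_create"], "action": e["action"],
            "actor_id": user.get("id"), "actor_email": user.get("email"),
            "hold_id": e.get("entity", {}).get("legal_hold", {}).get("id"),
            "ip": e.get("context", {}).get("ip_address"),
        })
    return found


def triage(changes, hold_admins, change_windows):
    """Mark a change 'authorized' only if the actor is a Legal Holds Admin AND the
    change falls inside an approved window (actor_id -> [(start_ts, end_ts), ...]);
    everything else is 'review', with the failed checks listed as reasons."""
    for c in changes:
        in_role = c["actor_id"] in hold_admins
        in_window = any(s <= c["ts"] <= t for s, t in change_windows.get(c["actor_id"], []))
        c["status"] = "authorized" if in_role and in_window else "review"
        c["reasons"] = [why for why, ok in (("actor lacks Legal Holds Admin role", in_role),
                                            ("no approved change window", in_window)) if not ok]
    return changes
```

Records labelled "review" are the ones to escalate: restore the prior hold settings, then check the role assignment and change ticket for the actor.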