Slack API calls from an unexpected client
Description
AlphaSOC detected an unexpected_client event in Slack, indicating API calls from a client that is not typically associated with this user. This event suggests that Slack API calls are being made from an unusual or unrecognized application or device.
Impact
The use of an unexpected client to access the Slack API can indicate a potential compromise of user credentials. This can lead to unauthorized access to sensitive data, data exfiltration, or other malicious activities.
Severity
| Severity | Condition |
|---|---|
| Low | Slack API calls from an unexpected client |
Investigation and Remediation
Review Slack audit logs to find the user associated with the unexpected client, investigate their activity, and verify whether it was authorized. If unauthorized, reset affected user credentials and conduct a thorough security assessment for other signs of potential compromise.
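The audit log review described above can be scripted. The following is an added example, not AlphaSOC or Slack code: it assumes entries exported in the Slack Audit Logs API layout (an `anomaly` action whose `details.reason` lists `unexpected_client`), and the `triage` function, its `window` parameter and the sample entries are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample entries. Field names assume the Slack Audit Logs API entry
# layout (action, actor.user, context, details.reason); adjust to your export.
SAMPLE = json.loads("""[
 {"date_create": 1700000000, "action": "user_login",
  "actor": {"user": {"id": "W111", "email": "alice@example.com"}},
  "context": {"ip_address": "198.51.100.7", "ua": "Mozilla/5.0 (Macintosh)"}},
 {"date_create": 1700003600, "action": "anomaly",
  "actor": {"user": {"id": "W111", "email": "alice@example.com"}},
  "context": {"ip_address": "203.0.113.50", "ua": "python-requests/2.31"},
  "details": {"reason": ["unexpected_client"]}},
 {"date_create": 1700003660, "action": "file_downloaded",
  "actor": {"user": {"id": "W111", "email": "alice@example.com"}},
  "context": {"ip_address": "203.0.113.50", "ua": "python-requests/2.31"}},
 {"date_create": 1700003700, "action": "file_downloaded",
  "actor": {"user": {"id": "W222", "email": "bob@example.com"}},
  "context": {"ip_address": "198.51.100.9", "ua": "Mozilla/5.0 (X11)"}}
]""")

def triage(entries, window=3600):
    """Per flagged user: the unexpected client(s) and what they did nearby in time."""
    by_user = defaultdict(list)
    for e in entries:
        by_user[e["actor"]["user"]["email"]].append(e)
    reports = {}
    for email, events in by_user.items():
        flagged = [e for e in events if e["action"] == "anomaly"
                   and "unexpected_client" in e.get("details", {}).get("reason", [])]
        if not flagged:
            continue
        # A client is identified here by the (IP, user agent) pair on the anomaly.
        clients = {(e["context"]["ip_address"], e["context"]["ua"]) for e in flagged}
        related = sorted(
            (e for e in events
             if e["action"] != "anomaly"
             and (e["context"]["ip_address"], e["context"]["ua"]) in clients
             and any(abs(e["date_create"] - f["date_create"]) <= window for f in flagged)),
            key=lambda e: e["date_create"])
        # IPs the same user was seen on from other clients, for comparison.
        usual = {e["context"]["ip_address"] for e in events
                 if (e["context"]["ip_address"], e["context"]["ua"]) not in clients}
        reports[email] = {"clients": sorted(clients),
                          "actions": [e["action"] for e in related],
                          "usual_ips": sorted(usual)}
    return reports

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Each report lists the flagged client, the actions it performed within the time window, and the addresses the user normally appears from, which is the material needed to confirm with the user whether the activity was authorized.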