Slack Incident Response: Audit Logs, Session Revocation, and Channel Exposure Scoping
A practitioner Slack IR runbook covering Enterprise Grid audit logs, session revocation, channel exposure mapping, file download forensics, integration app review, and member device review.
By Arjun Raghavan, Security & Systems Lead, BIPI · June 11, 2024 · 7 min read
Slack incidents look harmless until you remember what is in those DMs and channels. Customer lists, deal terms, incident bridges, credentials shared 'just for a minute'. The IR runbook below assumes Enterprise Grid licensing because that is where audit logs are exposed via API.
1. The audit logs API
Enterprise Grid exposes audit logs through the discovery.* and audit-logs.* endpoints. The audit logs API streams actions like user_login, user_login_failed, file_downloaded, file_shared, channel_archive, app_installed, app_token_revoked, and session_revoked.
GET https://api.slack.com/audit/v1/logs?action=file_downloaded&oldest=1716940800&limit=200
Pull a 30-day window for the suspect user filtered to file_downloaded, file_shared_to_unknown, and channel_join. Plot the downloads on a timeline. A burst of file_downloaded events outside the user's working hours, from a new device, is your incident clock.
2. Session revocation
Slack sessions can outlive password resets. Use admin.users.session.reset to terminate all active sessions for the user across all workspaces in the Enterprise Grid. This forces re-authentication on every device.
POST https://slack.com/api/admin.users.session.reset with user_id=U12345 and mobile_only=false and web_only=false
Combine with admin.users.setStatus(deactivate=true) if you need to lock the account fully. For SCIM-provisioned tenants, doing it through the IdP propagates faster.
3. Channel exposure scoping
When an account is compromised, the data exposure scope is every channel that user was a member of. Pull channel membership via conversations.list and filter to channels containing the user. For each, classify by sensitivity.
- Public channels: anyone in the workspace could already have seen the contents; the additional exposure from the incident is small.
- Private channels: contents exposed during the compromise window; treat as breached.
- DM and Group DM: highest sensitivity; assume the attacker read everything.
For each high-sensitivity channel, export the message history for the compromise window via discovery.conversations.history. The export becomes part of your evidence package and your customer notification scoping.
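Added example, not code from the original post: the scoping step as a script. Conversation objects use the conversations.list shape (is_private, is_im, is_mpim, is_group); the MEMBERSHIP table stands in for per-channel member lists, and every ID and name is a constructed assumption. It ranks the user's channels by the three tiers above and emits the list of discovery.conversations.history calls (channel, oldest, latest) to run for everything at private tier or above.

```python
# Added example (not from the original post). Conversation objects follow the
# conversations.list shape; IDs, names and membership are constructed.
from collections import Counter

SENSITIVITY = {"public": 1, "private": 2, "dm": 3}   # runbook tiers, low to high

SAMPLE_CONVERSATIONS = [
    {"id": "C0GENERAL", "name": "general", "is_channel": True, "is_private": False},
    {"id": "C0DEALS", "name": "deals-private", "is_channel": True, "is_private": True},
    {"id": "G0INCIDENT", "name": "incident-bridge", "is_group": True, "is_private": True},
    {"id": "D0CFO", "is_im": True, "user": "U0CFO"},                       # 1:1 DM
    {"id": "G0MPDM", "name": "mpdm-sample", "is_mpim": True, "is_private": True},
    {"id": "C0RANDOM", "name": "random", "is_channel": True, "is_private": False},
]
# channel id -> member IDs, as conversations.members would return them (constructed)
MEMBERSHIP = {
    "C0GENERAL": {"U12345", "U0CFO", "U0ADMIN"},
    "C0DEALS": {"U12345", "U0CFO"},
    "G0INCIDENT": {"U12345", "U0ADMIN"},
    "D0CFO": {"U12345", "U0CFO"},
    "G0MPDM": {"U12345", "U0CFO", "U0ADMIN"},
    "C0RANDOM": {"U0CFO", "U0ADMIN"},             # suspect is not a member: out of scope
}


def classify(conv):
    """Map one conversation object onto the runbook's three tiers."""
    if conv.get("is_im") or conv.get("is_mpim"):
        return "dm"
    if conv.get("is_private") or conv.get("is_group"):
        return "private"
    return "public"


def exposure_scope(conversations, membership, user_id):
    """Channels the user belonged to, each tagged with its tier, highest sensitivity first."""
    rows = []
    for c in conversations:
        if user_id not in membership.get(c["id"], ()):
            continue
        rows.append({"id": c["id"], "name": c.get("name") or f"dm-{c.get('user')}",
                     "tier": classify(c)})
    return sorted(rows, key=lambda r: (-SENSITIVITY[r["tier"]], r["id"]))


def tier_counts(scope):
    """How many channels fall in each tier; handy for the notification-scoping summary."""
    return dict(Counter(r["tier"] for r in scope))


def export_plan(scope, oldest, latest, min_tier="private"):
    """discovery.conversations.history requests to run for every channel at or above min_tier."""
    return [{"channel": r["id"], "oldest": oldest, "latest": latest}
            for r in scope if SENSITIVITY[r["tier"]] >= SENSITIVITY[min_tier]]


if __name__ == "__main__":
    scope = exposure_scope(SAMPLE_CONVERSATIONS, MEMBERSHIP, "U12345")
    for r in scope:
        print(f'{r["tier"]:8} {r["id"]:12} {r["name"]}')
    print(tier_counts(scope))
    for req in export_plan(scope, oldest=1717286400, latest=1717545600):   # 2 to 5 June 2024 UTC
        print("export", req)
```

Public channels stay in the scope report (they tell you which audiences saw the account act) but drop out of the export plan by default; pass min_tier="public" if the incident warrants pulling them too.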
4. File download forensics
Slack files are accessed via signed URLs. The audit log captures file_downloaded with the file ID, channel context, and user agent. Cross-reference with files.info to see the file name, type, and original uploader. A PDF named 'Q2 forecast' downloaded by a junior account that has no reason to read it is the kind of pattern this cross-reference catches.
files.info?file=F0ABC then audit-logs?action=file_downloaded&entity_id=F0ABC for full access history
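Added example, not code from the original post: the cross-reference above run offline. The download entries use the Audit Logs API entry shape and the file records use the files.info shape (name, title, user for the uploader, channels and groups the file was shared into); the "expected audience" rule, uploader plus members of the sharing channels, is an assumption made for this example, and all IDs, names and timestamps are constructed. access_history is the offline equivalent of the entity-filtered audit-logs query above; unexpected_downloads joins it against the file metadata and surfaces readers outside the audience.

```python
# Added example (not from the original post). Audit entries and files.info
# records follow the documented shapes; every value is constructed.
from datetime import datetime, timezone


def epoch_utc(y, mo, d, h, mi):
    """Epoch seconds for a UTC timestamp, the unit date_create is reported in."""
    return int(datetime(y, mo, d, h, mi, tzinfo=timezone.utc).timestamp())


def download_entry(ts, user, file_id, ua):
    """A file_downloaded audit entry in the documented shape (constructed)."""
    return {"id": f"ev-{ts}-{file_id}", "date_create": ts, "action": "file_downloaded",
            "actor": {"type": "user", "user": {"id": user}},
            "entity": {"type": "file", "file": {"id": file_id}},
            "context": {"ua": ua, "ip_address": "203.0.113.10"}}


KNOWN_UA = "Mozilla/5.0 (Macintosh) Slack/4.38"
NEW_UA = "Mozilla/5.0 (Windows NT 10.0) Slack/4.38"

# files.info-shaped records keyed by file ID (constructed)
FILES_INFO = {
    "F0ABC": {"id": "F0ABC", "name": "Q2_forecast.pdf", "title": "Q2 forecast",
              "filetype": "pdf", "user": "U0CFO", "channels": [], "groups": ["G0FIN"]},
    "F0PUB": {"id": "F0PUB", "name": "onboarding.pdf", "title": "Onboarding",
              "filetype": "pdf", "user": "U0ADMIN", "channels": ["C0GENERAL"], "groups": []},
}
# channel id -> member IDs (constructed); the audience a shared file is expected to reach
MEMBERSHIP = {
    "G0FIN": {"U0CFO", "U0CONTROLLER"},
    "C0GENERAL": {"U12345", "U0CFO", "U0ADMIN", "U0CONTROLLER"},
}
SAMPLE_DOWNLOADS = [
    download_entry(epoch_utc(2024, 5, 15, 9, 0), "U0CFO", "F0ABC", KNOWN_UA),          # uploader
    download_entry(epoch_utc(2024, 5, 30, 11, 0), "U0CONTROLLER", "F0ABC", KNOWN_UA),  # finance member
    download_entry(epoch_utc(2024, 6, 2, 2, 11), "U12345", "F0ABC", NEW_UA),           # outside audience
    download_entry(epoch_utc(2024, 6, 2, 2, 13), "U12345", "F0ABC", NEW_UA),           # outside audience
    download_entry(epoch_utc(2024, 6, 2, 2, 14), "U12345", "F0PUB", NEW_UA),           # in audience
]


def access_history(entries, file_id):
    """Who fetched one file, when, and from which user agent, oldest first."""
    rows = [{"ts": e["date_create"], "user": e["actor"]["user"]["id"], "ua": e["context"]["ua"]}
            for e in entries
            if e["action"] == "file_downloaded" and e["entity"]["file"]["id"] == file_id]
    return sorted(rows, key=lambda r: r["ts"])


def expected_audience(file_meta, membership):
    """Uploader plus everyone in the channels the file was shared into (assumed rule)."""
    audience = {file_meta["user"]}
    for ch in file_meta.get("channels", []) + file_meta.get("groups", []):
        audience |= membership.get(ch, set())
    return audience


def unexpected_downloads(entries, files_info, membership):
    """Downloads by users outside the file's expected audience, with file metadata attached."""
    out = []
    for file_id, meta in files_info.items():
        audience = expected_audience(meta, membership)
        for r in access_history(entries, file_id):
            if r["user"] not in audience:
                out.append({**r, "file": file_id, "title": meta["title"],
                            "uploader": meta["user"]})
    return sorted(out, key=lambda r: r["ts"])


if __name__ == "__main__":
    for r in access_history(SAMPLE_DOWNLOADS, "F0ABC"):
        print(datetime.fromtimestamp(r["ts"], timezone.utc).isoformat(), r["user"], r["ua"])
    for r in unexpected_downloads(SAMPLE_DOWNLOADS, FILES_INFO, MEMBERSHIP):
        print("UNEXPECTED", r["user"], "read", repr(r["title"]), "uploaded by", r["uploader"])
```

The finance file is flagged twice for the suspect account and never for the uploader or the controller; the onboarding PDF, shared to a channel the suspect belongs to, is not flagged at all. Swap the audience rule for whatever your tenant's data classification actually supports.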
5. Integration apps and bot tokens
Bot tokens and incoming webhooks are persistence mechanisms attackers love. Inventory installed apps at the workspace and Enterprise level. For each, check the audit log for app_installed, app_scopes_expanded, and app_token_revoked events in the incident window.
Apps installed by the compromised user are revoked. Apps installed by admins in the window are reviewed for scope creep, particularly anything with channels:history, files:read, or admin scopes.
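Added example, not code from the original post: the app review in section 5 as a script over app_installed and app_scopes_expanded audit entries. The entries use the Audit Logs API shape with an app entity (id, name, scopes); the incident window, the app IDs and names, and the treatment of any scope beginning with "admin" as an admin scope are assumptions made for this example. It splits apps touched in the window into a revoke list (installed by the compromised user) and a review list (installed or expanded by anyone else with channels:history, files:read or admin scopes).

```python
# Added example (not from the original post). Entries follow the Audit Logs
# API shape with an app entity; IDs, names, scopes and the window are constructed.
from datetime import datetime, timezone

SENSITIVE_SCOPES = {"channels:history", "files:read"}     # from the runbook


def is_sensitive(scope):
    """channels:history, files:read, or any admin.* / admin scope (assumed prefix rule)."""
    return scope in SENSITIVE_SCOPES or scope.startswith("admin")


def epoch_utc(y, mo, d, h, mi):
    """Epoch seconds for a UTC timestamp, the unit date_create is reported in."""
    return int(datetime(y, mo, d, h, mi, tzinfo=timezone.utc).timestamp())


def app_entry(ts, action, actor, app_id, name, scopes):
    """An app-related audit entry in the documented shape (constructed)."""
    return {"id": f"ev-{ts}-{app_id}", "date_create": ts, "action": action,
            "actor": {"type": "user", "user": {"id": actor}},
            "entity": {"type": "app", "app": {"id": app_id, "name": name, "scopes": scopes,
                                              "is_distributed": False,
                                              "is_directory_approved": False}},
            "context": {"location": {"type": "enterprise", "id": "E0SAMPLE"}}}


COMPROMISED = "U12345"
WINDOW = (epoch_utc(2024, 6, 1, 0, 0), epoch_utc(2024, 6, 4, 0, 0))    # constructed incident window
SAMPLE_APP_EVENTS = [
    app_entry(epoch_utc(2024, 5, 10, 9, 0), "app_installed", "U0ADMIN", "A0OLD",
              "Calendar", ["chat:write"]),                               # before the window
    app_entry(epoch_utc(2024, 6, 2, 2, 20), "app_installed", COMPROMISED, "A0COMP",
              "Exporter", ["files:read", "channels:history"]),           # by the compromised user
    app_entry(epoch_utc(2024, 6, 2, 9, 0), "app_installed", "U0ADMIN", "A0SCOPE",
              "Digest Bot", ["chat:write", "channels:history"]),         # admin, sensitive scope
    app_entry(epoch_utc(2024, 6, 3, 10, 0), "app_scopes_expanded", "U0ADMIN", "A0ADMIN",
              "Provisioner", ["admin.users:write"]),                     # admin, admin scope
    app_entry(epoch_utc(2024, 6, 3, 11, 0), "app_installed", "U0ADMIN", "A0CHAT",
              "Standup", ["chat:write"]),                                # admin, benign scope
    app_entry(epoch_utc(2024, 6, 3, 12, 0), "app_token_revoked", "U0ADMIN", "A0OLD",
              "Calendar", []),                                           # not an install event
]


def review_apps(entries, compromised_user, window):
    """Split in-window install/expansion events into revoke and review lists."""
    oldest, latest = window
    revoke, review = {}, {}
    for e in entries:
        if not (oldest <= e["date_create"] <= latest):
            continue
        if e["action"] not in ("app_installed", "app_scopes_expanded"):
            continue
        app = e["entity"]["app"]
        actor = e["actor"]["user"]["id"]
        sensitive = sorted(s for s in app.get("scopes", []) if is_sensitive(s))
        if actor == compromised_user:
            revoke[app["id"]] = app["name"]
        elif sensitive:
            review[app["id"]] = {"name": app["name"], "actor": actor,
                                 "action": e["action"], "sensitive_scopes": sensitive}
    return {"revoke": revoke, "review": review}


if __name__ == "__main__":
    result = review_apps(SAMPLE_APP_EVENTS, COMPROMISED, WINDOW)
    for app_id, name in result["revoke"].items():
        print("REVOKE", app_id, name)
    for app_id, info in result["review"].items():
        print("REVIEW", app_id, info["name"], info["action"], "by", info["actor"],
              "scopes:", ", ".join(info["sensitive_scopes"]))
```

Apps installed before the window and apps with only benign scopes produce no action here, which is the point: the list you hand to the workspace owner is short enough to act on the same day. Feed it from the same paginated pull used for the timeline so the window boundaries match.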
6. Member device review and recovery
Slack tracks active devices per user. From the Admin Console, view the user's session list and device list. Any device the user does not recognize is removed. After that, the recovery sequence is straightforward: SSO password reset upstream, fresh MFA enrollment, and a workspace-wide announcement if the compromised channels included broad audiences.
Slack IR is not glamorous and it is rarely the headline incident. It is the place where your real exposure lives because that is where your people communicate. Treat it with the same seriousness as your CRM.