Slack Socket Mode App Token
Service Name: Slack
Service Description: Slack is a messaging app for business that connects people to the information they need. By bringing people together to work as one unified team, Slack transforms the way organizations communicate.
Service Address: https://slack.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the workspace level by Enterprise Grid customers.
Secret Access Scope: Socket Mode App Tokens (xapp-) allow your app to receive events and interactive payloads over a WebSocket connection instead of HTTP, enabling apps to run behind a firewall without exposing public endpoints.
Secret Revokement URL: https://api.slack.com/apps > Select your app > Settings > Basic Information > App-Level Tokens > Revoke
Secret Example: xapp-1-A03GTNVFAGE-3256147388484- 9a1f3c18ef086a1eb402e24abb8eb98d7aa0abaf89f21659ddcf1b1dd85b2677
Suspicious Activity Investigation Instructions:
- Review the Slack Admin dashboard for unusual app installations or authorizations
- Check the app's event subscriptions and permissions in the Slack API dashboard
- Monitor WebSocket connection logs for unusual connection patterns or locations
- Review audit logs in Slack for actions performed by the app
- Check for unexpected bot messages or interactions in channels
Mitigation Instructions:
- Immediately revoke the compromised Socket Mode App Token through the Slack API dashboard
- Generate a new Socket Mode App Token if the app is still needed
- Review and potentially restrict the app's OAuth scopes and permissions
- Update your application code to use the new token
- Consider implementing IP restrictions if you're on an Enterprise Grid plan
- Review other apps and integrations for potential security issues
- Enable additional security features like two-factor authentication for all workspace admins