Slack Token
Service Name: Slack
Service Description: Slack is a business communication platform offering many IRC-style features, including persistent chat rooms (channels) organized by topic, private groups, and direct messaging, as well as voice and video calls.
Service Address: https://slack.com/
Validation Type: API Auth
IP Allow list: IP restrictions are available at the workspace level through Enterprise Grid plans.
Secret Access Scope: Grants programmatic access to Slack workspaces, allowing operations like sending messages, accessing channels, and interacting with users based on the token's scopes.
Secret Revokement URL: https://slack.com/help/articles/215770388-Manage-API-tokens
Secret Example: xoxp-1234567890-1234567890-1234567890-abcdef1234567890abcdef1234567890
Suspicious Activity Investigation Instructions:
- Review Slack audit logs for unusual activity (Admin dashboard > Tools > Audit logs).
- Check for unauthorized messages or file uploads from the token.
- Verify if the token has been used from unusual IP addresses or locations.
- Review the apps and integrations connected to your Slack workspace.
- Check for any data exports or unusual API calls made with the token.
Mitigation Instructions:
- Immediately revoke the compromised token by going to your Slack App's management page.
- For user tokens: Have the user visit api.slack.com/apps and revoke the token.
- For bot tokens: Go to the app management page, select the app, and regenerate the token.
- Review and adjust the scopes assigned to the application to follow the Principle of Least Privilege.
- Enable IP restrictions for your Slack workspace if available on your plan.
- Implement token rotation practices for your Slack applications.
- Consider implementing Slack Enterprise Key Management for additional security.