Slack Token
Service Name: Slack
Service Description: Slack is a messaging app for business that connects people to the information they need. It transforms how organizations communicate by bringing people together to work as one unified team.
Service Address: https://slack.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the workspace level for Enterprise Grid customers.
Secret Access Scope: Grants programmatic access to Slack workspaces, allowing interaction with channels, messages, users, and other Slack resources based on the token's scopes.
Secret Revokement URL: https://slack.com/help/articles/215770388-Manage-API-tokens
Secret Example: xoxb-1234567890123-1234567890123-abcdefghijklmnopqrstuvwx
Suspicious Activity Investigation Instructions:
- Review Slack audit logs for unusual API calls or access patterns.
- Check for unauthorized app installations or integrations in your workspace.
- Monitor for unusual message posting, channel creation, or user management activities.
- Verify if the token was used from unusual geographic locations or IP addresses.
- Review the scopes associated with the token to understand its potential access level.
Mitigation Instructions:
- Navigate to the Slack API dashboard at https://api.slack.com/apps.
- Select the app associated with the compromised token.
- Go to the "OAuth & Permissions" section.
- Click "Regenerate" next to the compromised token to invalidate it.
- Alternatively, you can delete the entire app if it's no longer needed.
- For bot tokens, you can also remove the app from your workspace through workspace settings.
- Review and adjust the permissions scopes for any new tokens to follow the Principle of Least Privilege.
- Consider implementing IP restrictions for API access if you're on an Enterprise Grid plan.