Slack

Last updated Dec 25, 2025

Slack App Installed

Detect Slack app installation events in Slack audit logs.

Query

Select records whose event_name field equals app_installed, and extract entity.app.name into the app field.

| search event_name == "app_installed"
| eval app = valueof(valueof(entity, "app"), "name")

Message

  • Slack app installed: domain $context_domain, user $user_name, app $app

Output field order

  • _log_time, src_ip, context_type, context_name, user, user_name, user_email, event_name, app, entity, user_agent

Threat Analysis

  • An attacker can install a malicious or suspicious app (OAuth app, bot, workflow app, etc.) in a Slack workspace using a legitimate user account (including a compromised account), thereby establishing a persistence mechanism.
  • The installed app can access messages, files, channels, and user information within the granted OAuth scope, and can later be abused for collection and exfiltration.
  • In particular, attackers may expand the permission scope after installation (app_scopes_expanded) or preserve tokens (app_token_preserved) to maintain long-term access.
  • If the organization’s app installation policy (allowlist/approval) is weak, attackers can masquerade as normal app installation activity, which may delay detection and response.

False Positive Scenarios

  • A user installs a collaboration tool required for business purposes (e.g., Jira, Google Drive, Zoom).
  • A Slack administrator or IT staff deploys a pre-approved app or installs it in a test environment.
  • The event occurs when reinstalling a previously used app or during app update/reconnection processes.
  • A user installs an official Slack Marketplace app (verified apps).

Response Actions

  • Immediate verification
    • Identify the installed app name (app), vendor/publisher, and the installer (user), and confirm the installation purpose with the user.
    • Review the OAuth scopes requested and the actual permissions granted (especially sensitive scopes such as channels:history, files:read, users:read, chat:write, admin.*).
  • Block/containment
    • If the app is not approved or its purpose is unclear, immediately uninstall the app (app_uninstalled) and invalidate its tokens.
    • If possible, force the user session to log out and require password reset / MFA re-enrollment.
  • Additional hunting
    • Check whether there were preceding login failures (user_login_failed) or anomalous logins (user_login anomaly) from the same user/IP.
    • Correlate related events after installation such as scope expansion (app_scopes_expanded), token preservation (app_token_preserved), file downloads (file_downloaded), and external sharing (file_shared).
  • Prevention
    • Restrict app installations using an allowlist plus admin approval, and enable admin notifications/approval workflows for new app installations.
    • Regularly review installed apps in the workspace and remove unused apps.
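The following is an added example, not part of this rule or its product. It reproduces the rule's search/eval logic from the Query section in Python over constructed, normalized Slack audit records, and adds the correlation the "Additional hunting" step describes (app_scopes_expanded and app_token_preserved for the same app shortly after installation) plus an allowlist check from the Prevention step. The field names follow the rule's output schema; the sample records, the "acme" domain, the app names and the allowlist are all constructed for illustration.

```python
from datetime import datetime, timedelta

def record(t, event, user, app_id, app):
    """Build a constructed, normalized Slack audit record (sample data, not real)."""
    return {"_log_time": t, "event_name": event, "user_name": user,
            "context_domain": "acme", "src_ip": "198.51.100.9",
            "entity": {"type": "app", "app": {"id": app_id, "name": app}}}

# Constructed sample: an approved install, then an unknown app followed by
# the two post-install events the hunting section lists.
LOGS = [
    record("2025-12-25T09:05:00", "app_installed", "alice", "A0001", "Jira Cloud"),
    record("2025-12-25T09:10:00", "app_installed", "bob", "A0002", "Msg Exporter"),
    record("2025-12-25T09:12:00", "app_scopes_expanded", "bob", "A0002", "Msg Exporter"),
    record("2025-12-25T09:20:00", "app_token_preserved", "bob", "A0002", "Msg Exporter"),
]

# Constructed allowlist standing in for the workspace's approved-app policy.
APPROVED_APPS = {"Jira Cloud", "Google Drive", "Zoom"}
FOLLOW_ON = {"app_scopes_expanded", "app_token_preserved"}

def app_name(rec):
    """Same extraction as: eval app = valueof(valueof(entity, "app"), "name")."""
    return ((rec.get("entity") or {}).get("app") or {}).get("name")

def detect_app_installed(logs, window=timedelta(hours=1)):
    """Apply the rule's filter (event_name == "app_installed"), format its
    message, flag non-allowlisted apps and attach follow-on events for the
    same app within `window` after installation."""
    alerts = []
    for rec in logs:
        if rec.get("event_name") != "app_installed":
            continue
        app = app_name(rec)
        t0 = datetime.fromisoformat(rec["_log_time"])
        follow = sorted(e["event_name"] for e in logs
                        if e.get("event_name") in FOLLOW_ON and app_name(e) == app
                        and t0 < datetime.fromisoformat(e["_log_time"]) <= t0 + window)
        alerts.append({
            "message": f"Slack app installed: domain {rec['context_domain']}, "
                       f"user {rec['user_name']}, app {app}",
            "app": app, "user": rec["user_name"], "src_ip": rec["src_ip"],
            "approved": app in APPROVED_APPS, "follow_on": follow})
    return alerts

if __name__ == "__main__":
    for alert in detect_app_installed(LOGS):
        print(alert)
```

An alert with `approved` false and a non-empty `follow_on` list is the combination the Threat Analysis section describes and is the one to triage first.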

MITRE ATT&CK