Slack

Last updated Dec 25, 2025

Slack Login From New Location

Detect Slack login events from IP addresses with no history over the past 6 months in Slack audit logs.

Query

From logs where the value of the event_name field matches user_login, extract logs that are not included in the Slack Login Locations behavior profile, which is based on login IP address statistics over the past 6 months. Additionally, convert the IP address to country and ASN information for use in message generation.

| search event_name == "user_login"
| matchbehavior guid="d2935dc2-377b-47a2-b6b6-faa00ad4e3ff" invert=t verify=f
| lookup geoip src_ip output country as src_country, asn as src_asn
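The same logic in plain Python, as an added illustration that is not part of this rule or its query engine: a per-user set of login IPs from the trailing 180 days stands in for the Slack Login Locations behavior profile, the records are constructed and use the rule's normalized field names, and a constructed dictionary stands in for the geoip lookup.

```python
from datetime import datetime, timedelta, timezone

# Constructed, normalized audit-log records using the rule's field names (not real Slack data).
BASELINE_EVENTS = [  # history used to build the 6-month profile
    {"_time": "2025-07-02T09:12:00Z", "event_name": "user_login", "user_name": "alice", "src_ip": "203.0.113.10"},
    {"_time": "2025-11-20T08:05:00Z", "event_name": "user_login", "user_name": "alice", "src_ip": "203.0.113.10"},
    {"_time": "2025-12-01T18:40:00Z", "event_name": "user_login", "user_name": "bob", "src_ip": "198.51.100.7"},
    {"_time": "2025-03-15T10:00:00Z", "event_name": "user_login", "user_name": "alice", "src_ip": "192.0.2.77"},  # older than window
    {"_time": "2025-12-10T11:00:00Z", "event_name": "user_login_failed", "user_name": "bob", "src_ip": "192.0.2.5"},  # not a login
]
NEW_EVENTS = [  # the events the rule evaluates
    {"_time": "2025-12-26T03:14:00Z", "event_name": "user_login", "user_name": "alice", "src_ip": "203.0.113.10"},
    {"_time": "2025-12-26T03:20:00Z", "event_name": "user_login", "user_name": "alice", "src_ip": "192.0.2.77"},
    {"_time": "2025-12-26T04:00:00Z", "event_name": "user_login", "user_name": "bob", "src_ip": "198.51.100.7"},
    {"_time": "2025-12-26T04:30:00Z", "event_name": "user_login", "user_name": "carol", "src_ip": "198.51.100.7"},
]
# Constructed stand-in for the geoip lookup: ip -> (country, asn).
GEOIP = {"203.0.113.10": ("US", "AS64496"), "198.51.100.7": ("DE", "AS64497"), "192.0.2.77": ("NL", "AS64500")}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_profile(events, now, window_days=180):
    """Per-user set of login source IPs seen in the trailing window (the behavior profile)."""
    cutoff = now - timedelta(days=window_days)
    profile = {}
    for e in events:
        if e["event_name"] != "user_login" or not (cutoff <= _ts(e["_time"]) < now):
            continue  # only user_login events inside the 6-month baseline window count
        profile.setdefault(e["user_name"], set()).add(e["src_ip"])
    return profile

def detect_new_location_logins(events, profile, geoip):
    """Logins whose src_ip is absent from the user's profile (invert=t), enriched with country and ASN."""
    alerts = []
    for e in events:
        if e["event_name"] != "user_login" or e["src_ip"] in profile.get(e["user_name"], set()):
            continue  # not a login, or an IP already seen for this user
        country, asn = geoip.get(e["src_ip"], ("unknown", "unknown"))
        alerts.append({**e, "src_country": country, "src_asn": asn,
                       "message": f"Slack login IP address change: user {e['user_name']}, ASN {asn}"})
    return alerts

if __name__ == "__main__":
    now = _ts("2025-12-26T00:00:00Z")
    for a in detect_new_location_logins(NEW_EVENTS, build_profile(BASELINE_EVENTS, now), GEOIP):
        print(a["message"], a["src_ip"], a["src_country"])
```

Two records alert: alice from an IP last seen before the window, and carol, who has no baseline at all (the new-employee case listed under False Positives).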

Message

  • Slack login IP address change: user $user_name, ASN $src_asn

Output field order

  • _time, context_id, context_domain, user, user_name, user_email, src_ip, src_country, src_asn, user_agent

Threat Analysis

  • An attacker may log in to the workspace using a compromised Slack account (or SSO account), and a login attempt from an IP address with no prior history can be an indicator of initial access via account takeover, credential stuffing, phishing, or session hijacking.
  • Legitimate users typically connect from relatively consistent networks (corporate, home, or mobile ranges), so a login from an IP address unseen in the last 6 months is a high-value behavior-based anomaly.
  • After a successful login, the attacker may leverage the account to perform privilege escalation, establish persistence (e.g., app installation or token preservation), and evade defenses (e.g., changing MFA/SSO settings).
  • Risk increases significantly when the ASN corresponds to cloud/hosting/anonymous infrastructure (VPN, proxy, Tor exit), or when the country differs from the user’s usual login locations.

False Positives

  • The user logs in from a new region/country due to remote work, business travel, or overseas work.
  • A new IP address is assigned due to ISP changes (mobile data, dynamic home ISP IPs, VPN usage).
  • The public IP address changes because corporate VPN/proxy/security gateways were changed or newly introduced.
  • Login traffic is routed through different IP ranges due to SSO integration changes or IdP policies.
  • The behavior profile lacks sufficient baseline data due to a new employee or a new device.
  • The event occurs on a test account during security assessments or exercises (red team / penetration testing).

Response Actions

  • Immediate verification

    • Confirm with the user (user_name) whether the login attempt was legitimate, and verify the location/device/network context (travel, VPN usage, etc.).
    • Check whether src_country and src_asn align with the user’s usual patterns, and specifically determine whether the ASN is cloud/hosting infrastructure.
  • Actions if suspicious

    • If the login is deemed suspicious, immediately force session termination, require a password reset, re-enroll MFA, or trigger forced re-authentication on the SSO/IdP side.
    • Correlate related events for the same account, such as recent login failures (user_login_failed), password reset requests (user_password_reset_requested), MFA/SSO setting changes, role/permission changes, and app installations/scope expansions.
  • Additional hunting

    • Check whether the same src_ip or the same ASN has been used for login attempts against other user accounts to assess credential stuffing or mass account attacks.
    • Track high-risk activities occurring shortly after the login, such as file downloads/external sharing, Slack Connect setting changes, and audit log searches.

MITRE ATT&CK