Slack Owner Role Granted To User
Detects events in Slack audit logs in which a user is granted the owner role (event_name role_change_to_owner). The Slack Audit Logs API that produces these events is available to Enterprise Grid organizations.
Query
Keep only logs whose event_name field is role_change_to_owner, then extract the nested entity.user.name value (the user who received the owner role) into the target_user field.
| search event_name == "role_change_to_owner"
| eval target_user = valueof(valueof(entity, "user"), "name")
Message
- Slack owner permission granted: Domain $context_domain ($user_name ➜ $target_user)
Output Field Order
- _log_time, src_ip, context_type, context_name, user, user_name, user_email, event_name, entity, user_agent
Threat Analysis
- Slack owner permissions are the highest level of access below the primary owner: owners can change workspace-wide settings, manage members and roles, and configure security policies.
- If an attacker uses a compromised administrator account, or an insider abuses their own account, to grant the owner role, the attacker gains persistent control of the workspace and can extend the impact by assigning further privileges, weakening security settings, or changing retention settings to limit what defenders can later recover.
- Because Slack is central to business communication and file sharing, an unauthorized owner role assignment can expose data and erode trust in the organization, so every occurrence requires immediate verification.
False Positive
- This detection also triggers when workspace administrators legitimately transfer owner permissions or add a new owner.
- Owner role changes can also follow organizational restructuring or operational policy updates, but because they are rare, review every occurrence rather than tuning the rule down.
Response Actions
- Immediately verify whether the owner role assignment was authorized.
- Review the initiating account (user_name in the alert): its source IP address (src_ip), user agent, login history, and MFA status.
- If the change was unauthorized, revoke the owner permission immediately and disable the account or invalidate its sessions and tokens.
- Investigate the initiating account's other events around the same time, such as member invitations, role changes, app installations, or changes to retention, export, or other security settings.
- Review Slack security settings (SSO enforcement, mandatory MFA, least-privilege admin assignment) and strengthen the governance procedure for granting owner permissions.
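The following Python script is an added example, not the rule engine's own code: it runs the detection logic from the Query section over constructed audit-log entries and then implements the "related events around the same time" response step by pulling the initiator's other actions within a time window. The entries follow the shape of Slack's Audit Logs API (date_create epoch seconds, action, actor.user, entity.user, context.location and context.ip_address); the sample data and the related action names other than role_change_to_owner and role_change_to_admin are assumptions for illustration. The valueof helper mirrors the query's valueof(), returning None when a nested container is missing, so an entry whose entity has no user field still produces an alert rather than an error.

```python
# Added example for this page, not the vendor's rule engine.
import json
from datetime import datetime, timezone

# Constructed sample entries in the shape of Slack's Audit Logs API, one JSON
# object per line. Action names other than role_change_to_owner and
# role_change_to_admin are assumed for illustration.
SAMPLE_LOG = """
{"id": "e1", "date_create": 1700000000, "action": "user_login", "actor": {"type": "user", "user": {"id": "U01", "name": "alice", "email": "alice@acme.example"}}, "entity": {"type": "user", "user": {"id": "U01", "name": "alice"}}, "context": {"location": {"type": "workspace", "id": "T01", "name": "ACME", "domain": "acme"}, "ua": "Mozilla/5.0", "ip_address": "203.0.113.5"}}
{"id": "e2", "date_create": 1700000300, "action": "role_change_to_owner", "actor": {"type": "user", "user": {"id": "U01", "name": "alice", "email": "alice@acme.example"}}, "entity": {"type": "user", "user": {"id": "U02", "name": "bob", "email": "bob@acme.example"}}, "context": {"location": {"type": "workspace", "id": "T01", "name": "ACME", "domain": "acme"}, "ua": "Mozilla/5.0", "ip_address": "203.0.113.5"}}
{"id": "e3", "date_create": 1700000600, "action": "app_installed", "actor": {"type": "user", "user": {"id": "U01", "name": "alice", "email": "alice@acme.example"}}, "entity": {"type": "app", "app": {"id": "A01", "name": "Exporter"}}, "context": {"location": {"type": "workspace", "id": "T01", "name": "ACME", "domain": "acme"}, "ua": "Mozilla/5.0", "ip_address": "203.0.113.5"}}
{"id": "e4", "date_create": 1700003000, "action": "role_change_to_admin", "actor": {"type": "user", "user": {"id": "U01", "name": "alice", "email": "alice@acme.example"}}, "entity": {"type": "user", "user": {"id": "U03", "name": "carol"}}, "context": {"location": {"type": "workspace", "id": "T01", "name": "ACME", "domain": "acme"}, "ua": "Mozilla/5.0", "ip_address": "203.0.113.5"}}
{"id": "e5", "date_create": 1700010000, "action": "app_installed", "actor": {"type": "user", "user": {"id": "U01", "name": "alice", "email": "alice@acme.example"}}, "entity": {"type": "app", "app": {"id": "A02", "name": "Calendar"}}, "context": {"location": {"type": "workspace", "id": "T01", "name": "ACME", "domain": "acme"}, "ua": "Mozilla/5.0", "ip_address": "203.0.113.5"}}
{"id": "e6", "date_create": 1700020000, "action": "role_change_to_owner", "actor": {"type": "user", "user": {"id": "U09", "name": "mallory", "email": "mallory@acme.example"}}, "entity": {"type": "user"}, "context": {"location": {"type": "workspace", "id": "T01", "name": "ACME", "domain": "acme"}, "ua": "curl/8.0", "ip_address": "198.51.100.7"}}
"""

# Actions worth pulling around an owner grant for triage (assumed names).
RELATED_ACTIONS = {"user_login", "app_installed", "user_invited",
                   "role_change_to_admin", "role_change_to_owner"}


def parse_entries(text):
    """Parse newline-delimited JSON audit entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def valueof(obj, key):
    """Mirror of the query's valueof(): None when the container is missing."""
    return obj.get(key) if isinstance(obj, dict) else None


def detect_owner_grants(entries):
    """Rule logic: keep role_change_to_owner entries, derive the alert fields."""
    alerts = []
    for entry in entries:
        if entry.get("action") != "role_change_to_owner":
            continue
        target_user = valueof(valueof(entry.get("entity"), "user"), "name")
        actor = valueof(entry.get("actor"), "user") or {}
        context = entry.get("context") or {}
        location = context.get("location") or {}
        alert = {
            "event_id": entry.get("id"),
            "ts": entry["date_create"],
            "_log_time": datetime.fromtimestamp(entry["date_create"], tz=timezone.utc).isoformat(),
            "src_ip": context.get("ip_address"),
            "context_type": location.get("type"),
            "context_name": location.get("name"),
            "context_domain": location.get("domain"),
            "user_id": actor.get("id"),
            "user_name": actor.get("name"),
            "user_email": actor.get("email"),
            "event_name": entry["action"],
            "target_user": target_user,
            "user_agent": context.get("ua"),
        }
        alert["message"] = ("Slack owner permission granted: Domain {context_domain} "
                            "({user_name} ➜ {target_user})").format(**alert)
        alerts.append(alert)
    return alerts


def related_activity(entries, alert, window_seconds=3600):
    """Response step: other actions by the same initiator within +/- window_seconds."""
    hits = []
    for entry in entries:
        if entry.get("id") == alert["event_id"]:
            continue  # the grant itself
        actor_id = valueof(valueof(entry.get("actor"), "user"), "id")
        if actor_id != alert["user_id"] or entry.get("action") not in RELATED_ACTIONS:
            continue
        if abs(entry["date_create"] - alert["ts"]) > window_seconds:
            continue
        hits.append((entry["date_create"], entry["action"]))
    return sorted(hits)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for alert in detect_owner_grants(entries):
        print(alert["_log_time"], alert["message"], "from", alert["src_ip"], alert["user_agent"])
        for ts, action in related_activity(entries, alert):
            print("  related:", datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(), action)
```

Running the script yields two alerts: alice granting bob the owner role, with a login, an app installation and an admin-role grant by alice inside the one-hour window (the later app installation falls outside it), and a second grant by mallory whose entity carries no user block, which surfaces with target_user None and a curl user agent, exactly the kind of record the response actions say to verify first.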
MITRE ATT&CK
- Tactic
- Persistence, Privilege Escalation
- Technique
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/