Slack

Download 125
Last updated Dec 25, 2025

Slack Owner Transferred

Detect Slack workspace owner transfer events in Slack audit logs.

Query

Extract logs where the value of the event_name field matches owner_transferred, and extract entity.user.name into the target_user field.

| search event_name == "owner_transferred"
| eval target_user = valueof(valueof(entity, "user"), "name")
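The following Python is an added example that is not part of the original rule or of any vendor's code: it reimplements the two-line query over constructed JSON audit records (the sample data, field names beyond the rule's own, and the `valueof`, `detect_owner_transfers` and `format_alert` helpers are assumptions made for the example) and shows the one edge case a practitioner should test, an `owner_transferred` record whose `entity.user` is missing, where the nested `valueof` must yield `None` instead of breaking the search.

```python
import json
from typing import Any, Iterable, Optional

# Constructed sample records in the shape of Slack audit log entries as the
# rule's output fields name them (not real Slack data). Slack nests the
# affected account under entity.user.
SAMPLE_LOGS = [
    json.dumps({
        "_log_time": "2025-12-20T09:15:02Z", "src_ip": "203.0.113.10",
        "context_type": "workspace", "context_name": "acme", "context_domain": "acme",
        "user_name": "alice", "user_email": "alice@example.com",
        "event_name": "user_login", "entity": {"workspace": {"name": "acme"}},
    }),
    json.dumps({
        "_log_time": "2025-12-20T09:20:41Z", "src_ip": "203.0.113.10",
        "context_type": "workspace", "context_name": "acme", "context_domain": "acme",
        "user_name": "alice", "user_email": "alice@example.com",
        "event_name": "owner_transferred",
        "entity": {"user": {"id": "U0000001", "name": "mallory"}},
    }),
    # Edge case (constructed): owner_transferred with no entity.user, so
    # target_user must degrade to None rather than raising.
    json.dumps({
        "_log_time": "2025-12-20T09:21:00Z", "src_ip": "198.51.100.7",
        "context_type": "workspace", "context_name": "acme", "context_domain": "acme",
        "user_name": "bob", "user_email": "bob@example.com",
        "event_name": "owner_transferred", "entity": {},
    }),
]


def valueof(obj: Any, key: str) -> Optional[Any]:
    """Null-safe nested lookup mirroring the query's valueof(): a missing
    key or a non-dict parent yields None instead of an exception."""
    if isinstance(obj, dict):
        return obj.get(key)
    return None


def detect_owner_transfers(lines: Iterable[str]) -> list[dict]:
    """Equivalent of the two-line query: keep only owner_transferred events
    and add target_user = entity.user.name to each hit."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unparseable lines rather than aborting the search
        if rec.get("event_name") != "owner_transferred":
            continue
        rec = dict(rec)
        rec["target_user"] = valueof(valueof(rec.get("entity"), "user"), "name")
        hits.append(rec)
    return hits


def format_alert(rec: dict) -> str:
    """Render the rule's message template from the record's fields."""
    return "Slack owner transfer: domain {} ({} \u279c {})".format(
        rec.get("context_domain", "unknown"),
        rec.get("user_name", "unknown"),
        rec.get("target_user") or "unknown",
    )


if __name__ == "__main__":
    for hit in detect_owner_transfers(SAMPLE_LOGS):
        print(format_alert(hit))
```

The third record still produces an alert with an "unknown" target: an owner transfer whose target cannot be resolved is worth a look, not a silent drop.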

Message

  • Slack owner transfer: domain $context_domain ($user_name ➜ $target_user)

Output field order

  • _log_time, src_ip, context_type, context_name, user, user_name, user_email, event_name, entity, user_agent

Threat Analysis

  • The Slack workspace Owner role has the highest level of administrative privileges, and an owner transfer (owner_transferred) indicates a full transfer of control over the workspace.
  • If an attacker uses a compromised admin/owner account to transfer ownership to themselves or an accomplice account, they can achieve both persistence and privilege escalation.
  • Once the attacker gains owner privileges, they can change security settings (SSO/MFA policies), access audit logs, install/approve apps, manage users/permissions, and expand data access, which greatly increases the risk of subsequent defense evasion and data exfiltration.
  • Although this event can occur during legitimate administrative activity, it is typically rare and has very high impact, so it should be treated as a high-severity event.

False Positives

  • Legitimate owner rotation due to organizational restructuring (team merges/splits, change of responsibility, etc.).
  • Administrative handover procedures due to the previous owner leaving the company or changing roles.
  • Owner transfer performed when an MSP/outsourced operator takes over workspace administration.
  • Owner transfer to an operations administrator during the initial setup of a newly created workspace.
  • Occurrences in test/pilot workspaces for validating administrative procedures.

Response Actions

  • Immediate verification

    • Confirm whether the initiator (user_name) and the target (target_user) are approved workspace administrators in the organization.
    • Verify the reason for the change (ticket/approval/request records) and validate that it followed the proper process.
  • Urgent actions if suspicious

    • If the transfer is unauthorized, immediately revert ownership and revoke any additional administrative privileges that may have been granted.
    • For the involved accounts (initiator and target), force session termination, require password reset, re-enroll MFA, and review SSO/IdP logs.
  • Additional hunting

    • Correlate related events for the same user/IP, including recent login failures (user_login_failed), anomalous logins, MFA/SSO setting changes, role/permission changes (permissions_assigned, role_change_to_owner), app installations/scope expansions (app_installed, app_scopes_expanded), and audit log searches (audit_logs_records_searched).
  • Prevention

    • Require multi-party approval (two-person approval) or ticket-based authorization for any owner changes.
    • Apply strong controls to owner accounts such as enforced MFA, SSO integration, minimizing the number of admin accounts, and privileged account separation (PAM).
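As an added example (not from the original rule or any vendor's tooling), the Python below turns the "Immediate verification" and "Additional hunting" steps into a small triage routine: it checks the initiator and target against an assumed approved-administrator list and gathers the related event types the hunting bullet names, for the same actor or source IP, within a time window around the transfer. The event records, the `APPROVED_ADMINS` set, and the `related_events` and `triage` helpers are all constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real Slack data): failed logins before an
# owner transfer, an app install by the new owner afterwards, unrelated
# noise, and one related event that falls outside the 24h window.
EVENTS = [
    {"ts": "2025-12-20T08:50:00Z", "event_name": "user_login_failed", "user_name": "alice", "src_ip": "203.0.113.10"},
    {"ts": "2025-12-20T08:51:00Z", "event_name": "user_login_failed", "user_name": "alice", "src_ip": "203.0.113.10"},
    {"ts": "2025-12-20T09:20:41Z", "event_name": "owner_transferred", "user_name": "alice", "src_ip": "203.0.113.10", "target_user": "mallory"},
    {"ts": "2025-12-20T09:30:00Z", "event_name": "app_installed", "user_name": "mallory", "src_ip": "203.0.113.10"},
    {"ts": "2025-12-20T15:00:00Z", "event_name": "user_login", "user_name": "carol", "src_ip": "192.0.2.5"},
    {"ts": "2025-12-22T09:00:00Z", "event_name": "app_scopes_expanded", "user_name": "alice", "src_ip": "203.0.113.10"},
]

# Event names the "Additional hunting" step lists as worth correlating.
RELATED_EVENTS = {
    "user_login_failed", "permissions_assigned", "role_change_to_owner",
    "app_installed", "app_scopes_expanded", "audit_logs_records_searched",
}

# Assumed list of approved workspace administrators for this example.
APPROVED_ADMINS = {"alice", "bob"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def owner_transfer_alerts(events: list[dict]) -> list[dict]:
    """The alerts this rule would have raised over the event list."""
    return [ev for ev in events if ev["event_name"] == "owner_transferred"]


def related_events(alert: dict, events: list[dict], window_hours: int = 24) -> list[dict]:
    """Events of interest within +/- window_hours of the transfer that share
    an actor (initiator or target) or the source IP with the alert."""
    t0 = parse_ts(alert["ts"])
    lo, hi = t0 - timedelta(hours=window_hours), t0 + timedelta(hours=window_hours)
    actors = {alert["user_name"], alert.get("target_user")}
    out = []
    for ev in events:
        if ev is alert or ev["event_name"] not in RELATED_EVENTS:
            continue
        if not (lo <= parse_ts(ev["ts"]) <= hi):
            continue
        if ev["user_name"] in actors or ev["src_ip"] == alert["src_ip"]:
            out.append(ev)
    return out


def triage(alert: dict, events: list[dict], approved_admins: set[str],
           window_hours: int = 24) -> list[str]:
    """Human-readable findings for an analyst: approval checks first, then
    a count of each correlated event type."""
    findings = []
    if alert["user_name"] not in approved_admins:
        findings.append("initiator not an approved administrator")
    if alert.get("target_user") not in approved_admins:
        findings.append("target not an approved administrator")
    counts = Counter(ev["event_name"] for ev in related_events(alert, events, window_hours))
    for name, n in sorted(counts.items()):
        findings.append(f"{n}x {name} within {window_hours}h for same actor/IP")
    return findings


if __name__ == "__main__":
    for alert in owner_transfer_alerts(EVENTS):
        print(alert["user_name"], "->", alert.get("target_user"))
        for line in triage(alert, EVENTS, APPROVED_ADMINS):
            print("  -", line)
```

An empty findings list is the expected result for a transfer between two approved administrators with no surrounding activity; anything else is a reason to pull the ticket or approval record before closing the alert.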

MITRE ATT&CK