Detection rules › Panther
Slack Denial of Service via Session Invalidation
Detects potential DoS attacks via excessive session invalidation when administrators reset user sessions 60+ times within 24 hours. Repeated session termination prevents users from maintaining Slack access, disrupting communication and productivity. Legitimate session resets for incident response or troubleshooting typically occur 1-3 times, so reaching the 60-event threshold indicates malicious intent.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1499.003 Endpoint Denial of Service: Application Exhaustion Flood |
Rule body

```yaml
AnalysisType: rule
Filename: slack_application_dos.py
RuleID: "Slack.AuditLogs.ApplicationDoS"
DisplayName: "Slack Denial of Service via Session Invalidation"
Enabled: true
LogTypes:
  - Slack.AuditLogs
Tags:
  - Slack
  - Impact
  - Endpoint Denial of Service
  - Application Exhaustion Flood
Reports:
  MITRE ATT&CK:
    - TA0040:T1499.003
Severity: Critical
Description: >
  Detects potential DoS attacks via excessive session invalidation when administrators reset user sessions 60+ times within 24 hours. Repeated session termination prevents users from maintaining Slack access, disrupting communication and productivity. Legitimate session resets for incident response or troubleshooting typically occur 1-3 times, so reaching the 60-event threshold indicates malicious intent.
Reference: https://slack.com/intl/en-gb/help/articles/115005223763-Manage-session-duration-#pro-and-business+-subscriptions-2
Runbook: |
  1. Query Slack audit logs for all actions by actor.user.email in the 7 days around this event to identify other malicious activities such as unauthorized user removals, workspace settings changes, data exports, or app installations indicating a compromised admin account
  2. Review the total number of session reset events targeting entity.user.name and the time span to calculate the frequency and determine if this represents a sustained denial of service attack
  3. Search Slack audit logs for session reset patterns targeting other users to determine if this is an isolated incident or part of a broader campaign affecting multiple users
DedupPeriodMinutes: 1440
Threshold: 60
SummaryAttributes:
  - action
  - p_any_ip_addresses
  - p_any_emails
Tests:
  - Name: User Session Reset By Admin
    ExpectedResult: true
    Log:
      action: user_session_reset_by_admin
      actor:
        type: user
        user:
          email: admin@example.com
          id: W012J3FEWAU
          name: primary-owner
          team: T01234N56GB
      entity:
        type: user
        user:
          email: target@example.com
          id: U987654321
          name: target-user
          team: T01234N56GB
      context:
        ip_address: 1.2.3.4
        location:
          domain: test-workspace-1
          id: T01234N56GB
          name: test-workspace-1
          type: workspace
        ua: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
  - Name: Bulk Session Reset By Admin
    ExpectedResult: true
    Log:
      action: bulk_session_reset_by_admin
      actor:
        type: user
        user:
          email: admin@example.com
          id: W012J3FEWAU
          name: workspace-admin
          team: T01234N56GB
      entity:
        type: user
        user:
          email: target@example.com
          id: U987654321
          name: target-user
          team: T01234N56GB
      context:
        ip_address: 5.6.7.8
        location:
          domain: test-workspace-1
          id: T01234N56GB
          name: test-workspace-1
          type: workspace
        ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
  - Name: User Session Invalidated
    ExpectedResult: true
    Log:
      action: user_session_invalidated
      actor:
        type: user
        user:
          email: admin@example.com
          id: W012J3FEWAU
          name: security-admin
          team: T01234N56GB
      entity:
        type: user
        user:
          email: victim@example.com
          id: U555666777
          name: victim-user
          team: T01234N56GB
      context:
        ip_address: 10.0.0.1
        location:
          domain: test-workspace-1
          id: T01234N56GB
          name: test-workspace-1
          type: workspace
        ua: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
  - Name: Other Action
    ExpectedResult: false
    Log:
      action: organization_created
      actor:
        type: user
        user:
          email: user@example.com
          id: A012B3CDEFG
          name: username
          team: T01234N56GB
      context:
        ip_address: 1.2.3.4
        location:
          domain: test-workspace
          id: T01234N56GB
          name: test-workspace
          type: workspace
        ua: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
```
Detection logic

Condition

```
action in ["bulk_session_reset_by_admin", "user_session_invalidated", "user_session_reset_by_admin"]
```
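As an added example that is not part of the Panther rule on this page (the rule's own slack_application_dos.py is not shown), the Condition and the Threshold / DedupPeriodMinutes pairing expressed in Python: rule() is the per-event match, ThresholdTracker is an assumed approximation of how 60 matches inside a 1440-minute window become one alert, dedup() assumes grouping by the acting admin's email, and make_event() builds constructed Slack.AuditLogs-shaped events.

```python
# The three actions the rule's Condition matches.
SESSION_RESET_ACTIONS = {
    "bulk_session_reset_by_admin",
    "user_session_invalidated",
    "user_session_reset_by_admin",
}
THRESHOLD = 60                    # Threshold: 60
DEDUP_WINDOW_SECONDS = 1440 * 60  # DedupPeriodMinutes: 1440


def rule(event):
    """Per-event match, the way a Panther rule() function would express the Condition."""
    return event.get("action") in SESSION_RESET_ACTIONS


def dedup(event):
    # Assumed grouping key: the acting admin, so the threshold counts one actor's resets.
    return event.get("actor", {}).get("user", {}).get("email", "<unknown>")


def alert_context(event):
    """The output fields this page lists, taken from one matching event."""
    actor = event.get("actor", {}).get("user", {})
    ctx = event.get("context", {})
    return {"actor-name": actor.get("name"), "actor-email": actor.get("email"),
            "actor-ip": ctx.get("ip_address"), "user-agent": ctx.get("ua"),
            "action": event.get("action"),
            "name": event.get("entity", {}).get("user", {}).get("name")}


class ThresholdTracker:
    """Approximates Threshold + DedupPeriodMinutes: matching events that share a dedup
    key are counted in a window opened by the group's first event (epoch seconds)."""
    def __init__(self):
        self._groups = {}  # dedup key -> (window start, count)

    def ingest(self, event, ts):
        """Return True when this event brings its group to THRESHOLD inside the window."""
        if not rule(event):
            return False
        start, count = self._groups.get(dedup(event), (ts, 0))
        if ts - start > DEDUP_WINDOW_SECONDS:  # window expired: open a fresh group
            start, count = ts, 0
        self._groups[dedup(event)] = (start, count + 1)
        return count + 1 >= THRESHOLD


def make_event(action, actor_email, target_email, ip):
    # Constructed Slack.AuditLogs-shaped event, for demonstration only.
    def user(email):
        return {"type": "user", "user": {"email": email, "name": email.split("@")[0]}}
    return {"action": action, "actor": user(actor_email), "entity": user(target_email),
            "context": {"ip_address": ip, "ua": "constructed-ua/1.0"}}
```

Feeding 60 resets from one admin within a few minutes trips the tracker on the 60th event, while the same 60 resets spread at one per hour never reach the threshold inside any single 24-hour window.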
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| action | in | bulk_session_reset_by_admin, user_session_invalidated, user_session_reset_by_admin |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| actor-name | actor.user.name |
| actor-email | actor.user.email |
| actor-ip | context.ip_address |
| user-agent | context.ua |
| action | |
| name | entity.user.name |