1. Slack Help Center
  2. Workspace administration
  3. Configure access & security
    4. Configure audit log anomaly event responses in Slack

Configure audit log anomaly event responses in Slack

In an Enterprise organization, you can use Slack audit logs to monitor usage in your organization. Audit logs include anomaly events, which serve as indicators of potentially unusual or suspicious user and app activity. You can configure an anomaly event response if you'd like Slack to automatically end a user's sessions across all devices for the following:

  • Accessing Slack from a Tor exit node*
  • Data scraping*
  • Excessive downloads
  • Stale or unexpected session cookies
  • Spoofed user agents
  • Unexpected API call volume
  • Unexpected user agents

*Enabled by default


Configure anomaly event responses

In general, you should consider investigating anomaly events in your audit logs to understand the circumstances of the activity before taking action. However, you can choose to automatically end a user's sessions when an anomaly event is detected to halt the potentially suspicious activity. If a user's sessions end in response to an anomaly event, they can immediately sign back into Slack using their usual login credentials.

  1. From your desktop, click your organization name in the sidebar.
  2. Hover over Tools & settings, then click Organization settings.
  3. From the left sidebar, select  Security, then click Security settings.
  4. Under Anomaly Event Response Settings, click Enable or Edit next to End user sessions automatically
  5. Click the toggle next to an anomaly event to select it. Check the box next to Exclude specific people or groups to prevent certain users' sessions from being ended when the event is detected.
  6. Click Enable or Save.

Note: Anomaly event responses you configure won't apply to external people in Slack Connect conversations.


Manage anomaly event response notifications

When a user's active sessions end in response to an anomaly event, they'll receive an email notification from Slack. You can decide whether the Org Primary Owner and Security Admins should also be notified, either by email or a notification in Slack. 

  1. From your desktop, click your organization name in the sidebar.
  2. Hover over Tools & settings, then click Organization settings.
  3. From the left sidebar, select  Security, then click Security settings.
  4. Under Anomaly Event Response Settings, click Enable or Edit next to Manage notifications.
  5. Click the toggle next to a notification type, then check or uncheck the box to decide who should receive notifications. 
  6. Click Enable or Save.
Who can use this feature?
  • Org Owners, Org Admins, and members with the Security Admin system role
  • Available on Enterprise plans

Awesome!

Thanks so much for your feedback!

If you’d like a member of our support team to respond to you, please send a note to feedback@slack.com.

Was this article helpful?Yes, thanks!Not really
Sorry about that! What did you find most unhelpful?
0/600
Submit article feedback

If you’d like a member of our support team to respond to you, please send a note to feedback@slack.com.

Oops! We're having trouble. Please try again later!