1. Slack Help Centre
  2. Workspace administration
  3. Configure access & security
    4. Configure audit log anomaly event responses in Slack

Configure audit log anomaly event responses in Slack

In an Enterprise organisation, you can use Slack audit logs to monitor usage in your organisation. Audit logs include anomaly events, which serve as indicators of potentially unusual or suspicious user and app activity. You can configure an anomaly event response if you’d like Slack to automatically end a user’s sessions across all devices for the following:

  • Accessing Slack from a Tor exit node*
  • Data scraping*
  • Excessive downloads
  • Stale or unexpected session cookies
  • Spoofed user agents
  • Unexpected API call volume
  • Unexpected user agents

*Enabled by default


Configure anomaly event responses

In general, you should consider investigating anomaly events in your audit logs to understand the circumstances of the activity before taking action. However, you can choose to automatically end a user’s sessions when an anomaly event is detected to halt the potentially suspicious activity. If a user’s sessions end in response to an anomaly event, they can immediately sign back in to Slack using their usual login credentials.

  1. From your desktop, click your organisation name in the sidebar.
  2. Hover over Tools & settings, then click Organisation settings.
  3. From the left-hand sidebar, select  Security, then click Security settings.
  4. Under Anomaly event response settings, click Enable or Edit next to End user sessions automatically
  5. Click the toggle next to an anomaly event to select it. Tick the box next to Exclude specific people or groups to prevent certain users’ sessions from being ended when the event is detected.
  6. Click Enable or Save.

Note: Anomaly event responses that you configure won’t apply to external people in Slack Connect conversations.


Manage anomaly event response notifications

When a user’s active sessions end in response to an anomaly event, they’ll receive an email notification from Slack. You can decide whether the org primary owner and security admins should also be notified, either via email or a notification in Slack. 

  1. From your desktop, click your organisation name in the sidebar.
  2. Hover over Tools & settings, then click Organisation settings.
  3. From the left-hand sidebar, select  Security, then click Security settings.
  4. Under Anomaly event response settings, click Enable or Edit next to Manage notifications.
  5. Click the toggle next to a notification type, then tick or untick the box to decide who should receive notifications. 
  6. Click Enable or Save.
Who can use this feature?
  • Org owners, org admins and members with the security admin system role
  • Available on Enterprise subscriptions

Nice one!

Thanks a lot for your feedback!

If you’d like a member of our support team to respond to you, please send a message to feedback@slack.com.

Was this article helpful?Yes, thanks!Not really
Sorry about that. What did you find most unhelpful?
0/600
Submit article feedback

If you’d like a member of our support team to respond to you, please send a message to feedback@slack.com.

Whoops! We’re having some problems. Please try again later.