1. Slack Help Centre
  2. Workspace administration
  3. Configure access & security
    4. Configure audit log anomaly event responses in Slack

Configure audit log anomaly event responses in Slack

On the Enterprise Grid subscription, you can use the Slack audit logs to monitor usage in your organisation. Audit logs include anomaly events, which serve as indicators of potentially unusual or suspicious user and app activity. You can configure an anomaly event response if you’d like Slack to automatically end a user’s sessions across all devices for the following:

  • Accessing Slack from a Tor exit node
  • Data scraping
  • Excessive downloads
  • Stale or unexpected session cookies
  • Unexpected API call volume
  • Unexpected user agents


Configure anomaly event responses

In general, you should consider investigating anomaly events in your audit logs to understand the circumstances of the activity before taking action. However, you can choose to automatically end a user’s sessions when an anomaly event is detected to halt the potentially suspicious activity. If a user’s sessions end in response to an anomaly event, they can immediately sign back in to Slack using their usual sign-in credentials.

  1. From your desktop, click your organisation name in the sidebar.
  2. Hover over Tools & settings, then click Organisation settings.
  3. From the left-hand sidebar, select  Security, then click Security settings.
  4. Under Anomaly event response settings, click Enable or Edit.
  5. Tick or untick the box next to Automatically end user sessions in response to anomaly events, then select the anomaly events.
  6. Click Enable or Save.

Note: Anomaly event responses that you configure won’t apply to external people in Slack Connect conversations.


Manage anomaly event response notifications

When a user’s active sessions end in response to an anomaly event, they’ll receive an email notification from Slack. You can decide whether the org primary owner and security admins should also be notified, and whether they receive an email or a notification in Slack. 

  1. From your desktop, click your organisation name in the sidebar.
  2. Hover over Tools & settings, then click Organisation settings.
  3. From the left-hand sidebar, select  Security, then click Security settings.
  4. Under Anomaly event response settings, click Enable or Edit.
  5. Tick the box next to Automatically end user sessions in response to anomaly events, then select which anomaly events should automatically end user sessions.
  6. Under Send notifications to, select who should be notified, and tick the box next to the type of notification they’ll receive.
  7. Click Enable or Save.
Who can use this feature?
  • Org owners, org admins and members with the security admin system role
  • Available on the Enterprise Grid subscription

Nice one!

Thanks a lot for your feedback!

If you’d like a member of our support team to respond to you, please send a message to feedback@slack.com.

Was this article helpful?Yes, thanks!Not really
Sorry about that. What did you find most unhelpful?
0/600
Submit article feedback

If you’d like a member of our support team to respond to you, please send a message to feedback@slack.com.

Whoops! We’re having some problems. Please try again later.