Building Slack’s Anomaly Event Response
2025-09-04
10 min read
by Nathan Lehotsky
Endigest AI Core Summary
This post introduces Slack's Anomaly Event Response (AER), a proactive security system that automatically terminates user sessions upon detecting suspicious behavior.
- AER monitors billions of daily Slack events using rule-based heuristics and dynamic thresholds calibrated per organization to detect threats like Tor exit node access, excessive downloads, data scraping, and session fingerprint mismatches
- A three-tier architecture handles detection, decision-making, and response orchestration asynchronously to minimize detection-to-response time from hours/days to minutes
- The decision framework analyzes audit payloads and session history to avoid termination loops while ensuring persistent malicious behavior is caught
- Upon triggering, AER generates a user_sessions_reset_by_anomaly_event_response audit log and routes notifications to the acting user, Org Primary Owner, and Security Admins with deduplication logic
- Available to all Enterprise Grid customers out-of-the-box, AER is c
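The bullets above describe a three-tier pipeline (detect, decide, respond) without showing how the pieces fit. The following is an added, self-contained Python sketch written for this summary; it is not Slack's code, and the names (`AER`, `Event`, `Org`), the constructed sample events, the per-organization threshold rule (mean plus three standard deviations of a historical baseline) and the loop guard keyed on session id are all assumptions made here to illustrate the described behaviour: per-org dynamic thresholds, a Tor/excessive-download/fingerprint-mismatch rule set, a decision step that does not re-terminate an already-reset session but does catch a user who persists in a new session, and a response step that writes the `user_sessions_reset_by_anomaly_event_response` audit record and deduplicates notification recipients.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean, pstdev

# Constants assumed for illustration (not Slack's real values).
WINDOW_SECONDS = 600
AUDIT_ACTION = "user_sessions_reset_by_anomaly_event_response"  # audit action named in the post


@dataclass
class Event:
    ts: int
    org: str
    user: str
    session: str
    kind: str            # "download" or "request"
    tor_exit: bool = False
    fingerprint: str = ""


@dataclass
class Org:
    primary_owner: str
    security_admins: set
    baseline_downloads: list   # constructed history of per-session downloads per window

    def download_threshold(self) -> float:
        # Dynamic per-org threshold (assumed heuristic): mean + 3 sigma of the baseline.
        return mean(self.baseline_downloads) + 3 * pstdev(self.baseline_downloads)


class AER:
    def __init__(self, orgs: dict):
        self.orgs = orgs
        self.downloads = defaultdict(deque)   # session -> download timestamps in window
        self.session_fp = {}                  # session -> first-seen fingerprint
        self.reset_sessions = set()           # sessions already terminated (loop guard)
        self.audit_log = []
        self.notifications = []

    # Tier 1: rule-based detection over the event stream.
    def detect(self, ev: Event) -> list:
        reasons = []
        if ev.tor_exit:
            reasons.append("tor_exit_node")
        first_fp = self.session_fp.setdefault(ev.session, ev.fingerprint)
        if ev.fingerprint and ev.fingerprint != first_fp:
            reasons.append("session_fingerprint_mismatch")
        if ev.kind == "download":
            q = self.downloads[ev.session]
            q.append(ev.ts)
            while q and ev.ts - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) > self.orgs[ev.org].download_threshold():
                reasons.append("excessive_downloads")
        return reasons

    # Tier 2: decide using session history; skip sessions already reset so in-flight
    # stragglers from a dead session cannot trigger a termination loop. A new session
    # for the same user is judged afresh, so persistent behaviour is still caught.
    def decide(self, ev: Event, reasons: list) -> bool:
        return bool(reasons) and ev.session not in self.reset_sessions

    # Tier 3: terminate, write the audit record, notify with deduplicated recipients.
    def respond(self, ev: Event, reasons: list) -> None:
        self.reset_sessions.add(ev.session)
        self.audit_log.append({"action": AUDIT_ACTION, "org": ev.org, "user": ev.user,
                               "session": ev.session, "reasons": list(reasons)})
        org = self.orgs[ev.org]
        recipients = {ev.user, org.primary_owner} | org.security_admins  # set dedups
        self.notifications.append({"user": ev.user, "recipients": sorted(recipients)})

    def process(self, ev: Event) -> bool:
        reasons = self.detect(ev)
        if self.decide(ev, reasons):
            self.respond(ev, reasons)
            return True
        return False


def run_demo() -> AER:
    # Constructed org: carol is both a user and a security admin (exercises dedup).
    orgs = {"acme": Org("alice", {"bob", "carol"}, [2, 3, 2, 4, 3, 2])}
    aer = AER(orgs)
    events = [Event(t, "acme", "carol", "s1", "download") for t in (0, 10, 20, 30, 40)]
    events += [
        Event(50, "acme", "carol", "s1", "download"),          # straggler after reset
        Event(60, "acme", "carol", "s2", "request", tor_exit=True),  # persists in new session
        Event(70, "acme", "dave", "s3", "request", fingerprint="fp-A"),
        Event(80, "acme", "dave", "s3", "request", fingerprint="fp-B"),  # mismatch
        Event(90, "acme", "erin", "s4", "download"),
        Event(95, "acme", "erin", "s4", "download"),           # within threshold
    ]
    for ev in events:
        aer.process(ev)
    return aer
```

Running `run_demo()` yields three audit records (carol's s1 for excessive downloads, carol's s2 for Tor, dave's s3 for the fingerprint mismatch); the sixth download on s1 is detected but not acted on because s1 is already reset, and carol receives a single notification per incident even though she is both the acting user and an admin.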
Tags:
#Uncategorized
#incident-response
#security
