Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Slack Difficulty: Advanced ClaudeChatGPTCursor

Slack team.accessLogs Login Anomaly Monitor Prompt

Build a bot that polls team.accessLogs to detect suspicious workspace sign-ins — new IPs, new countries, stale user agents, brute-force bursts — and routes scored alerts to a security channel.

Target user
Security and platform engineers monitoring Slack workspace access
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a security-minded platform engineer building a lightweight sign-in monitor on top of Slack's `team.accessLogs` Web API method (Business+ / Enterprise plans), which returns recent per-user login records with IP, user agent, ISP, country, region, and first/last login timestamps and counts.

I want a bot that periodically pulls access logs, scores each login for anomaly, and posts only meaningful alerts to a security channel — not a firehose.

I will provide:
- Plan tier and the admin/owner token available (this method needs an admin-level user token, not a bot token)
- Baseline expectations (which countries/IP ranges are normal, VPN usage, contractor patterns)
- Where alerts should go and any existing SIEM we forward to

Your job:

1. **Fetch loop** — design a paginated pull of team.accessLogs (`count`, `page`, and `before` for time windows), with a stored high-water mark so each run only processes new logins and never double-alerts.
2. **Per-user baseline** — build a rolling baseline per user (known IPs, ASNs, countries, typical user agents) and describe how it is seeded and aged.
3. **Anomaly scoring** — score each login on signals: new country, new ASN/ISP, impossible travel between consecutive logins, deprecated/unknown user agent, and sudden spikes in login count (possible brute force); combine into a severity.
4. **Alert payload** — design a Block Kit alert that names the user, shows the deviating signal(s), the IP/ISP/country, first vs last seen, and buttons/links for "acknowledge" and "open in SIEM"; suppress low-score noise.
5. **Token and scope handling** — note the required admin scope, keep the user token in a secret store, and handle `not_allowed_token_type` / `missing_scope` / plan-not-supported errors explicitly.
6. **Reliability** — handle `ratelimited` (honor Retry-After), pagination gaps, and clock skew; make the run idempotent so a re-run posts no duplicate alerts.

Output as: (a) the paginated fetch loop with the high-water-mark scheme, (b) the per-user baseline model, (c) the anomaly-scoring rules and severity mapping, (d) the Block Kit alert payload, and (e) the token/scope and rate-limit/idempotency handling.

Bias toward high-signal alerts: a security channel that fires on every VPN reconnect gets muted, so only surface logins that genuinely deviate from a user's baseline.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More Slack prompts & error guides

Browse every Slack prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.