Slack team.accessLogs Login Anomaly Monitor Prompt
Build a bot that polls team.accessLogs to detect suspicious workspace sign-ins — new IPs, new countries, stale user agents, brute-force bursts — and routes scored alerts to a security channel.
- Target user
- Security and platform engineers monitoring Slack workspace access
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a security-minded platform engineer building a lightweight sign-in monitor on top of Slack's `team.accessLogs` Web API method (Business+ / Enterprise plans), which returns recent per-user login records with IP, user agent, ISP, country, region, and first/last login timestamps and counts. I want a bot that periodically pulls access logs, scores each login for anomaly, and posts only meaningful alerts to a security channel — not a firehose. I will provide: - Plan tier and the admin/owner token available (this method needs an admin-level user token, not a bot token) - Baseline expectations (which countries/IP ranges are normal, VPN usage, contractor patterns) - Where alerts should go and any existing SIEM we forward to Your job: 1. **Fetch loop** — design a paginated pull of team.accessLogs (`count`, `page`, and `before` for time windows), with a stored high-water mark so each run only processes new logins and never double-alerts. 2. **Per-user baseline** — build a rolling baseline per user (known IPs, ASNs, countries, typical user agents) and describe how it is seeded and aged. 3. **Anomaly scoring** — score each login on signals: new country, new ASN/ISP, impossible travel between consecutive logins, deprecated/unknown user agent, and sudden spikes in login count (possible brute force); combine into a severity. 4. **Alert payload** — design a Block Kit alert that names the user, shows the deviating signal(s), the IP/ISP/country, first vs last seen, and buttons/links for "acknowledge" and "open in SIEM"; suppress low-score noise. 5. **Token and scope handling** — note the required admin scope, keep the user token in a secret store, and handle `not_allowed_token_type` / `missing_scope` / plan-not-supported errors explicitly. 6. **Reliability** — handle `ratelimited` (honor Retry-After), pagination gaps, and clock skew; make the run idempotent so a re-run posts no duplicate alerts. Output as: (a) the paginated fetch loop with the high-water-mark scheme, (b) the per-user baseline model, (c) the anomaly-scoring rules and severity mapping, (d) the Block Kit alert payload, and (e) the token/scope and rate-limit/idempotency handling. Bias toward high-signal alerts: a security channel that fires on every VPN reconnect gets muted, so only surface logins that genuinely deviate from a user's baseline.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Slack Certificate Expiration Notifications Prompt
Detect and notify on TLS / SSH / code-signing certificate expirations in Slack — discovery, multi-window alerts, renewal automation hooks, owner routing, and post-renewal validation.
-
Slack Seat and Usage Cost Reporting Bot
Design a scheduled bot that pulls Slack Enterprise/Business+ admin usage and billing data, computes seat cost and inactive-seat waste, and posts a weekly FinOps digest to a Slack channel with reclaim recommendations.
-
Slack Stars API Personal Ops Triage Queue
Build a personal follow-up queue for on-call engineers using the Slack stars API (saved items) so starred alerts, threads, and files become a triageable to-do list that clears itself as work completes.
-
Slack Bot Permission Scopes Least-Privilege Audit Prompt
Audit a Slack app's requested OAuth scopes against what its code actually calls, strip over-broad permissions, and produce a least-privilege manifest your security team will approve.
More Slack prompts & error guides
Browse every Slack prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.