Access and integration logs can be ingested through the same Slack log source in Panther, while audit logs must be ingested through a separate Slack log source. However, it is unlikely that you need to ingest all three types of logs, as audit logs are likely to contain all actions represented by access and integrations logs.
Panther will query the API every one minute. In order for Panther to access the Slack API, you need to create a new Slack source on Panther, create a Slack App, and provide the app credentials to Panther.
Video Walkthrough
Walkthrough video showing how to onboard Slack logs to Panther
How to onboard Slack logs to Panther
Create a new Slack Source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Slack," then click its tile.
On the slide-out panel, click Start Setup.
On the Configuration screen, enter values for the following fields:
Name: Enter a descriptive name for the source e.g., My Slack logs.
Select your Slack Plan: Choose from the following options:
Enterprise Grid: This option enables the source to receive Slack.AuditLogs.
On the Set Credentials page, Copy the Redirect URL and save it somewhere secure. You will need it in the next steps.
Keep this browser window open while you work through the next steps.
Create a new Slack App
Create a Slack app with permissions to pull logs from Slack. For security and availability reasons, we recommend creating a new Slack App that will be used only with Panther.
Follow the instructions below to create a Slack app that pulls Audit Logs into your Panther account. The Audit Logs API is available to customers with a Slack Enterprise plan only.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Note: The integration will incur limitations if:
the account of the user that installed the app to the organization is deactivated
the app was deleted, the access token was revoked, or the app credentials are rotated
Access logs for users on a Slack workspace. Note: Due to Slack's rate limits, Panther pulls only the events where the user or the access location or the access device is new. Panther will not update the date_last, count fields of an event.'
schema: Slack.AccessLogs
parser:
native:
name: Slack.AccessLogs
description: 'Access logs for users on a Slack workspace. Note: Due to Slack's rate limits, Panther pulls only the events where the user or the access location or the access device is new. Panther will not update the `date_last`, `count` fields of an event.'
referenceURL: https://api.slack.com/methods/team.accessLogs
fields:
- name: user_id
required: true
description: The id of the user accessing Slack.
type: string
- name: username
description: The username of the user accessing Slack.
type: string
indicators:
- username
- name: date_first
required: true
description: Unix timestamp of the first access log entry for this user, IP address, and user agent combination.
type: timestamp
timeFormat: unix
- name: date_last
required: true
description: 'Unix timestamp of the most recent access log entry for this user, IP address, and user agent combination. Note: Panther will not update this field even if it is updated in the Slack API.'
type: timestamp
timeFormat: unix
isEventTime: true
- name: count
required: true
description: 'The total number of access log entries for that combination. Note: Panther will not update this field even if it is updated in the Slack API.'
type: bigint
- name: ip
required: true
description: The IP address of the device used to access Slack.
type: string
indicators:
- ip
- name: user_agent
description: The reported user agent string from the browser or client application.
type: string
- name: isp
description: Best guess at the internet service provider owning the IP address.
type: string
- name: country
description: Best guesses on where the access originated, based on the IP address.
type: string
- name: region
description: Best guesses on where the access originated, based on the IP address.
type: string
Slack.AuditLogs
Slack audit logs provide a view of the actions users perform in an Enterprise organization.
schema: Slack.AuditLogs
parser:
native:
name: Slack.AuditLogs
description: Slack audit logs provide a view of the actions users perform in an Enterprise organization.
referenceURL: https://api.slack.com/enterprise/audit-logs
fields:
- name: id
required: true
description: The event id
type: string
- name: date_create
required: true
description: Creation timestamp for the event
type: timestamp
timeFormat: unix
isEventTime: true
- name: action
required: true
description: The action performed. See https://api.slack.com/enterprise/audit-logs#audit_logs_actions
type: string
- name: actor
required: true
description: An actor will always be a user on a workspace and will be identified by their user ID, such as W123AB456.
type: object
fields:
- name: type
required: true
description: The type of actor (always user)
type: string
- name: user
description: Information about the user
type: object
fields:
- name: id
required: true
description: The id of the user ('USLACKUSER' if no user performed the action)
type: string
- name: name
description: The user's display name
type: string
indicators:
- username
- name: email
description: The user's email
type: string
indicators:
- email
- name: team
description: The user's team
type: string
- name: entity
required: true
description: An entity is the thing that the actor has taken the action upon and it will be the Slack ID of the thing.
type: object
fields:
- name: type
required: true
description: The type of item that was affected by the action (user,channel,file,app,workspace,enterprise,message,workflow)
type: string
- name: user
description: Information about the affected user
type: object
fields:
- name: id
required: true
description: The id of the user ('USLACKUSER' if no user performed the action)
type: string
- name: name
description: The user's display name
type: string
indicators:
- username
- name: email
description: The user's email
type: string
indicators:
- email
- name: team
description: The user's team
type: string
- name: channel
description: Information about the affected channel
type: object
fields:
- name: id
required: true
description: The id of the channel
type: string
- name: name
description: The name of the channel
type: string
- name: privacy
description: The privacy mode of the channel
type: string
- name: is_shared
description: Whether the channel is shared
type: boolean
- name: is_org_shared
description: Whether the channel is shared in the organisation
type: boolean
- name: teams_shared_with
description: The teams the channel is shared with
type: array
element:
type: string
- name: file
description: Information about the affected file
type: object
fields:
- name: id
required: true
description: The id of the file
type: string
- name: name
description: The filename
type: string
- name: title
description: The file title
type: string
- name: filetype
description: The filetype
type: string
- name: app
description: Information about the affected app
type: object
fields:
- name: id
required: true
description: The id of the app
type: string
- name: name
description: The name of the app
type: string
- name: is_distributed
description: Whether the app is distributed
type: boolean
- name: is_directory_approved
description: Whether the app is in the approved apps directory
type: boolean
- name: scopes
description: The OAuth2 scopes the app requires
type: array
element:
type: string
- name: workspace
description: Information about the affected workspace
type: object
fields:
- name: id
required: true
description: The id of the workspace
type: string
- name: name
description: The name of the workspace
type: string
- name: domain
description: The workspace domain
type: string
- name: enterprise
description: Information about the affected enterprise
type: object
fields:
- name: id
required: true
description: The id of the enterprise
type: string
- name: name
description: The name of the enterprise
type: string
- name: domain
description: The enterprise domain
type: string
- name: workflow
description: Information about the affected workflow
type: object
fields:
- name: id
required: true
description: The id of the workflow
type: string
- name: name
description: The name of the workflow
type: string
- name: message
description: Information about the affected message
type: object
fields:
- name: team
description: The team the message was posted in
type: string
- name: channel
description: The channel the message was posted on
type: string
- name: timestamp
description: The timestamp of the message
type: string
- name: context
required: true
description: Context is the location that the actor took the action on the entity. It will always be either a Workspace or an Enterprise, with the appropriate ID.
type: object
fields:
- name: ua
description: The user agent used for the action
type: string
- name: ip_address
description: The ip address the action was performed from
type: string
indicators:
- ip
- name: location
description: The location that the actor took the action on the entity.
type: object
fields:
- name: type
required: true
description: The location type. It will always be either a Workspace or an Enterprise
type: string
- name: id
required: true
description: The location id
type: string
- name: domain
description: The location domain
type: string
- name: name
description: The location name
type: string
- name: details
description: Additional details about the audit log event
type: json
Slack.IntegrationLogs
Integration activity logs for a team, including when integrations are added, modified, and removed.
schema: Slack.IntegrationLogs
parser:
native:
name: Slack.IntegrationLogs
description: Integration activity logs for a team, including when integrations are added, modified and removed.
referenceURL: https://api.slack.com/methods/team.integrationLogs
fields:
- name: user_id
required: true
description: The id of the user performing the action.
type: string
- name: user_name
description: The username of the user performing the action.
type: string
indicators:
- username
- name: service_id
description: The service id for which this log is about.
type: string
- name: service_type
description: The service type for which this log is about.
type: string
- name: app_id
description: The app id for which this log is about.
type: string
- name: app_type
description: The app type for which this log is about.
type: string
- name: date
required: true
description: The date when the action happened.
type: timestamp
timeFormat: unix
isEventTime: true
- name: change_type
required: true
description: The type of this action (added, removed, enabled, disabled, updated).
type: string
- name: scope
description: The scope used for this action.
type: string
- name: channel
description: The related channel.
type: string
- name: reason
description: The reason of the disable action, populated if this event refers to such an action.
type: string
- name: rss_feed
description: True if this log entry is an RSS feed. If true, more RSS feed related fields will be present.
type: boolean
- name: rss_feed_change_type
description: The change type for the RSS feed.
type: string
- name: rss_feed_title
description: The title of the RSS feed.
type: string
- name: rss_feed_url
description: The url of the RSS feed.
type: string
