Slack Logs

Panther supports pulling logs directly from Slack

Last updated 7 months ago

Overview

Panther can pull the following Slack logs:

  • Audit logs, by querying the Audit Logs API.

    • The Audit Logs API is only available to Slack customers with an Enterprise Grid plan.

  • Access logs, by querying the team.accessLogs API.

    • This API is available in all Slack paid plans.

    • Note: Due to Slack's rate limits, Panther pulls only the events where the user, the access location, or the access device is new.

  • Integration logs, by querying the team.integrationLogs API.

    • This API is available in all Slack paid plans.

Access and integration logs can be ingested through the same Slack log source in Panther, while audit logs must be ingested through a separate Slack log source. However, it is unlikely that you need to ingest all three types of logs, as audit logs are likely to contain all actions represented by access and integration logs.

Panther queries the API every minute. In order for Panther to access the Slack API, you need to create a new Slack source in Panther, create a Slack App, and provide the app credentials to Panther.

Video Walkthrough

[Video: Walkthrough video showing how to onboard Slack logs to Panther]

How to onboard Slack logs to Panther

Create a new Slack Source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Slack," then click its tile.

  4. On the slide-out panel, click Start Setup.

  5. On the Configuration screen, enter values for the following fields:

    • Name: Enter a descriptive name for the source, e.g., My Slack logs.

    • Select your Slack Plan: Choose from the following options:

      • Enterprise Grid: This option enables the source to receive Slack.AuditLogs.

      • Standard/Plus: This option enables the source to receive Slack.AccessLogs and/or Slack.IntegrationLogs.

  6. Click Setup.

  7. On the Set Credentials page, copy the Redirect URL and save it somewhere secure. You will need it in the next steps.

  8. Keep this browser window open while you work through the next steps.

Create a new Slack App

Create a Slack app with permissions to pull logs from Slack. For security and availability reasons, we recommend creating a new Slack App that will be used only with Panther.

You can create an app for:

  • Audit logs

  • Access or Integration logs

How to create a Slack App to pull Audit Logs

Follow the instructions below to create a Slack app that pulls Audit Logs into your Panther account. The Audit Logs API is available to customers with a Slack Enterprise plan only.

If you want to pull in Access or Integration logs, please see the next section: How to create a Slack App to pull Access or Integration Logs.

  1. Sign in to the Slack workspace belonging to the Enterprise you want to monitor.

    • You must sign in as an owner of the organization.

  2. On the screen displaying all the workspaces in your Enterprise, click Launch in Slack on the workspace you want to monitor.

  3. Go to Slack apps and click Create New App, then click From scratch.

    • Enter an App Name, e.g., Panther monitoring.

    • Select the workspace where you previously signed in.

  4. Click Create App.

    • The App will be created in the selected workspace; later you will be able to monitor the entire Enterprise organization.

  5. In the left sidebar menu, click OAuth & Permissions.

  6. Scroll down to the Redirect URLs section.

    • Click Add and enter the Redirect URL that you copied from the Panther Console in the previous section of this documentation.

  7. Click Save URLs.

  8. Scroll down to the User Token Scopes section. Add the auditlogs:read scope.

  9. In the left sidebar, go to Settings > Manage Distribution.

  10. Under the section titled "Share Your App with Other Workspaces," enable the following options:

    • Enable Features & Functionality

    • Add OAuth Redirect URLs

    • Remove Hard Coded Information

    • Use HTTPS For Your Features

  11. Click Activate Public Distribution.

    • Note: This does not make your Slack App accessible to other organizations. Slack requires this setting to pull audit logs.

  12. In the left sidebar, go to Settings > Basic Information.

  13. In the App Credentials section, copy the Client ID and Client Secret.

    [Screenshot: In the Slack admin console, the App Credentials page is open, with fields for App ID, Date of App Creation, Client ID, Client Secret, and Signing Secret. The Client ID and Client Secret fields are circled in red.]

Follow the steps under Finalize Slack onboarding in Panther to complete this process.

How to create a Slack App to pull Access or Integration Logs

The Access Logs and Integration Logs APIs are available in all Slack paid plans.

If you want to pull in Audit logs, please see the previous section: How to create a Slack App to pull Audit Logs.

  1. Sign in to the Slack workspace you want to monitor.

    • You must sign in as an owner of the organization.

  2. On the screen displaying your workspaces, click Launch in Slack on the workspace you want to monitor.

  3. Go to Slack apps and click Create New App, then click From scratch.

    • Enter an App Name, e.g., Panther monitoring.

    • Select the workspace where you previously signed in.

  4. Click Create App.

    • The App will be created in the selected workspace.

  5. In the left sidebar menu, click OAuth & Permissions.

  6. Scroll down to the Redirect URLs section.

    • Click Add and enter the Redirect URL that you copied from the Panther Console in the previous section of this documentation.

  7. Click Save URLs.

  8. Scroll down to the section titled Scopes > User Token Scopes. Add the admin scope.

  9. In the left sidebar, go to Settings > Basic Information.

  10. In the App Credentials section, copy the Client ID and Client Secret.

Follow the steps under Finalize Slack onboarding in Panther to complete this process.

Finalize Slack onboarding in Panther

  1. Navigate back to the Panther Console.

  2. On the "Set Credentials" page, paste the Client ID from Slack into the Client ID field and the Client Secret from Slack into the Client Secret field.

  3. Click Setup.

  4. Click Save Source.

  5. On the Verify Setup screen, click Grant Access.

    • You will be redirected to a Slack page to install your app.

    • For Audit Logs, make sure you install it to the Enterprise Organization and not to a specific workspace!

  6. Click Allow.

  7. In the Panther Console, click Setup. You will be directed to a success screen:

    [Screenshot: The success screen reads, "Everything looks good! Panther will now automatically pull & process logs from your account".]

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

    [Screenshot: The "Trigger an alert when no events are processed" toggle is set to YES. The "How long should Panther wait before it sends you an alert that no events have been processed" setting is set to 1 Day.]

Note: The integration will be disrupted if:

  • the account of the user that installed the app to the organization is deactivated

  • the app was deleted, the access token was revoked, or the app credentials are rotated

Panther-built detections

You can optionally enable one or more Detection Packs.

See Panther's built-in rules for Slack in panther-analysis on GitHub.

Supported log types

Slack.AccessLogs

Access logs for users on a Slack workspace. Note: Due to Slack's rate limits, Panther pulls only the events where the user, the access location, or the access device is new. Panther will not update the date_last and count fields of an event.

Reference: Slack Documentation on Access Logs.

schema: Slack.AccessLogs
parser:
    native:
        name: Slack.AccessLogs
description: 'Access logs for users on a Slack workspace. Note: Due to Slack's rate limits, Panther pulls only the events where the user or the access location or the access device is new. Panther will not update the `date_last`, `count` fields of an event.'
referenceURL: https://api.slack.com/methods/team.accessLogs
fields:
    - name: user_id
      required: true
      description: The id of the user accessing Slack.
      type: string
    - name: username
      description: The username of the user accessing Slack.
      type: string
      indicators:
        - username
    - name: date_first
      required: true
      description: Unix timestamp of the first access log entry for this user, IP address, and user agent combination.
      type: timestamp
      timeFormat: unix
    - name: date_last
      required: true
      description: 'Unix timestamp of the most recent access log entry for this user, IP address, and user agent combination. Note: Panther will not update this field even if it is updated in the Slack API.'
      type: timestamp
      timeFormat: unix
      isEventTime: true
    - name: count
      required: true
      description: 'The total number of access log entries for that combination. Note: Panther will not update this field even if it is updated in the Slack API.'
      type: bigint
    - name: ip
      required: true
      description: The IP address of the device used to access Slack.
      type: string
      indicators:
        - ip
    - name: user_agent
      description: The reported user agent string from the browser or client application.
      type: string
    - name: isp
      description: Best guess at the internet service provider owning the IP address.
      type: string
    - name: country
      description: Best guess at where the access originated, based on the IP address.
      type: string
    - name: region
      description: Best guess at where the access originated, based on the IP address.
      type: string
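
The schema above has a subtlety for detection authors: because Panther pulls an access-log entry only the first time a user, IP, and user-agent combination appears, and never refreshes date_last or count afterwards, every Slack.AccessLogs event is effectively a "first access from a new device or location" signal. The following is an added example, not Panther's own code or a rule from panther-analysis: a detection written in the shape of a Panther Python rule (rule, title, severity, dedup) and run stand-alone over constructed sample events. The country allowlist and the sample events are assumptions made for this example.

```python
"""Added example (not Panther's code): a Panther-style Python rule over
constructed Slack.AccessLogs events.

Each event is a first-seen user / IP / user-agent combination, so the rule
alerts when that first access comes from a country outside an allowlist and
escalates when Slack could not geolocate the address at all.
"""
from datetime import datetime, timezone

# Assumed for this example: countries from which access is expected.
ALLOWED_COUNTRIES = {"US", "GB"}

# Constructed sample events, shaped like the Slack.AccessLogs schema.
SAMPLE_EVENTS = [
    {   # first access by this user/IP/UA from an allowed country
        "user_id": "U0123ABC", "username": "alice",
        "date_first": 1700000000, "date_last": 1700000000, "count": 1,
        "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 Slack/4.35",
        "isp": "Example ISP", "country": "US", "region": "CA",
    },
    {   # first access from a country outside the allowlist
        "user_id": "U0123ABC", "username": "alice",
        "date_first": 1700003600, "date_last": 1700003600, "count": 1,
        "ip": "198.51.100.7", "user_agent": "Mozilla/5.0 Firefox/120.0",
        "isp": "Other ISP", "country": "BR", "region": "SP",
    },
    {   # geolocation fields absent: Slack could not resolve the IP
        "user_id": "U0456DEF", "username": "bob",
        "date_first": 1700007200, "date_last": 1700007200, "count": 1,
        "ip": "192.0.2.44", "user_agent": "curl/8.4.0",
    },
]


def rule(event):
    """Fire on a new user/IP/UA combination outside the allowed countries.

    A missing country also fires: an unresolvable source is not evidence
    of an allowed one.
    """
    return event.get("country") not in ALLOWED_COUNTRIES


def severity(event):
    """Escalate when the location is unknown rather than merely unexpected."""
    return "HIGH" if event.get("country") is None else "MEDIUM"


def title(event):
    # date_first is the only trustworthy time here: date_last and count are
    # not refreshed by Panther after the first pull.
    seen = datetime.fromtimestamp(event["date_first"], tz=timezone.utc)
    return (
        f"Slack access by {event.get('username', event['user_id'])} from "
        f"{event['ip']} ({event.get('country', 'unknown country')}) "
        f"first seen {seen:%Y-%m-%d %H:%M:%S} UTC"
    )


def dedup(event):
    """One alert per user per source IP; user-agent variants collapse."""
    return f"{event['user_id']}:{event['ip']}"


def evaluate(events):
    """Return (title, severity) for each event that matches the rule."""
    return [(title(e), severity(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for alert_title, alert_severity in evaluate(SAMPLE_EVENTS):
        print(alert_severity, alert_title)
```

In Panther the event passed to rule() exposes get() like a dict, so the same functions work unchanged there; the module-level sample events and evaluate() exist only so the example runs offline.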

Slack.AuditLogs

Slack audit logs provide a view of the actions users perform in an Enterprise organization.

Reference: Slack Documentation on Audit Logs.

schema: Slack.AuditLogs
parser:
    native:
        name: Slack.AuditLogs
description: Slack audit logs provide a view of the actions users perform in an Enterprise organization.
referenceURL: https://api.slack.com/enterprise/audit-logs
fields:
    - name: id
      required: true
      description: The event id
      type: string
    - name: date_create
      required: true
      description: Creation timestamp for the event
      type: timestamp
      timeFormat: unix
      isEventTime: true
    - name: action
      required: true
      description: The action performed. See https://api.slack.com/enterprise/audit-logs#audit_logs_actions
      type: string
    - name: actor
      required: true
      description: An actor will always be a user on a workspace and will be identified by their user ID, such as W123AB456.
      type: object
      fields:
        - name: type
          required: true
          description: The type of actor (always user)
          type: string
        - name: user
          description: Information about the user
          type: object
          fields:
            - name: id
              required: true
              description: The id of the user ('USLACKUSER' if no user performed the action)
              type: string
            - name: name
              description: The user's display name
              type: string
              indicators:
                - username
            - name: email
              description: The user's email
              type: string
              indicators:
                - email
            - name: team
              description: The user's team
              type: string
    - name: entity
      required: true
      description: An entity is the thing that the actor has taken the action upon and it will be the Slack ID of the thing.
      type: object
      fields:
        - name: type
          required: true
          description: The type of item that was affected by the action (user,channel,file,app,workspace,enterprise,message,workflow)
          type: string
        - name: user
          description: Information about the affected user
          type: object
          fields:
            - name: id
              required: true
              description: The id of the user ('USLACKUSER' if no user performed the action)
              type: string
            - name: name
              description: The user's display name
              type: string
              indicators:
                - username
            - name: email
              description: The user's email
              type: string
              indicators:
                - email
            - name: team
              description: The user's team
              type: string
        - name: channel
          description: Information about the affected channel
          type: object
          fields:
            - name: id
              required: true
              description: The id of the channel
              type: string
            - name: name
              description: The name of the channel
              type: string
            - name: privacy
              description: The privacy mode of the channel
              type: string
            - name: is_shared
              description: Whether the channel is shared
              type: boolean
            - name: is_org_shared
              description: Whether the channel is shared in the organisation
              type: boolean
            - name: teams_shared_with
              description: The teams the channel is shared with
              type: array
              element:
                type: string
        - name: file
          description: Information about the affected file
          type: object
          fields:
            - name: id
              required: true
              description: The id of the file
              type: string
            - name: name
              description: The filename
              type: string
            - name: title
              description: The file title
              type: string
            - name: filetype
              description: The filetype
              type: string
        - name: app
          description: Information about the affected app
          type: object
          fields:
            - name: id
              required: true
              description: The id of the app
              type: string
            - name: name
              description: The name of the app
              type: string
            - name: is_distributed
              description: Whether the app is distributed
              type: boolean
            - name: is_directory_approved
              description: Whether the app is in the approved apps directory
              type: boolean
            - name: scopes
              description: The OAuth2 scopes the app requires
              type: array
              element:
                type: string
        - name: workspace
          description: Information about the affected workspace
          type: object
          fields:
            - name: id
              required: true
              description: The id of the workspace
              type: string
            - name: name
              description: The name of the workspace
              type: string
            - name: domain
              description: The workspace domain
              type: string
        - name: enterprise
          description: Information about the affected enterprise
          type: object
          fields:
            - name: id
              required: true
              description: The id of the enterprise
              type: string
            - name: name
              description: The name of the enterprise
              type: string
            - name: domain
              description: The enterprise domain
              type: string
        - name: workflow
          description: Information about the affected workflow
          type: object
          fields:
            - name: id
              required: true
              description: The id of the workflow
              type: string
            - name: name
              description: The name of the workflow
              type: string
        - name: message
          description: Information about the affected message
          type: object
          fields:
            - name: team
              description: The team the message was posted in
              type: string
            - name: channel
              description: The channel the message was posted on
              type: string
            - name: timestamp
              description: The timestamp of the message
              type: string
    - name: context
      required: true
      description: Context is the location that the actor took the action on the entity. It will always be either a Workspace or an Enterprise, with the appropriate ID.
      type: object
      fields:
        - name: ua
          description: The user agent used for the action
          type: string
        - name: ip_address
          description: The ip address the action was performed from
          type: string
          indicators:
            - ip
        - name: location
          description: The location that the actor took the action on the entity.
          type: object
          fields:
            - name: type
              required: true
              description: The location type. It will always be either a Workspace or an Enterprise
              type: string
            - name: id
              required: true
              description: The location id
              type: string
            - name: domain
              description: The location domain
              type: string
            - name: name
              description: The location name
              type: string
    - name: details
      description: Additional details about the audit log event
      type: json
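
The nested actor / entity / context structure above is what a detection actually has to walk. The following is an added example, not Panther's own code or a rule from panther-analysis: a Panther-style Python rule over constructed Slack.AuditLogs events that flags an app being installed or granted additional scopes when the affected app's scopes include ones the example treats as sensitive. The action names app_installed and app_scopes_expanded are taken from Slack's audit actions list that the schema links to; the sensitive-scope set, the sample events and the local deep_get helper (Panther's own event object and its global helpers provide deep_get, the local copy only keeps the example stand-alone) are assumptions made for this example.

```python
"""Added example (not Panther's code): a Panther-style Python rule over
constructed Slack.AuditLogs events that watches app installs and scope
expansions for sensitive OAuth scopes.
"""

# Assumed for this example: scopes whose grant deserves review.
SENSITIVE_SCOPES = {"admin", "auditlogs:read", "files:read", "users:read.email"}
WATCHED_ACTIONS = {"app_installed", "app_scopes_expanded"}


def deep_get(obj, *keys, default=None):
    """Walk nested dicts; return default as soon as a key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


# Constructed sample events, shaped like the Slack.AuditLogs schema.
SAMPLE_EVENTS = [
    {   # a new app installed with a sensitive scope, outside the app directory
        "id": "evt-1", "date_create": 1700000000, "action": "app_installed",
        "actor": {"type": "user", "user": {"id": "W123AB456", "name": "alice",
                                            "email": "alice@example.com", "team": "T01"}},
        "entity": {"type": "app", "app": {"id": "A0AAA", "name": "Exporter",
                                           "is_distributed": True,
                                           "is_directory_approved": False,
                                           "scopes": ["channels:read", "files:read"]}},
        "context": {"ua": "Mozilla/5.0", "ip_address": "203.0.113.5",
                    "location": {"type": "workspace", "id": "T01",
                                 "domain": "example", "name": "Example"}},
        "details": {},
    },
    {   # same action, harmless scopes only
        "id": "evt-2", "date_create": 1700000100, "action": "app_installed",
        "actor": {"type": "user", "user": {"id": "W123AB456", "name": "alice"}},
        "entity": {"type": "app", "app": {"id": "A0BBB", "name": "Standup Bot",
                                           "scopes": ["chat:write", "channels:read"]}},
        "context": {"location": {"type": "workspace", "id": "T01"}},
    },
    {   # an action the rule does not watch
        "id": "evt-3", "date_create": 1700000200, "action": "user_login",
        "actor": {"type": "user", "user": {"id": "W123AB456"}},
        "entity": {"type": "user", "user": {"id": "W123AB456"}},
        "context": {"location": {"type": "workspace", "id": "T01"}},
    },
]


def sensitive_scopes(event):
    """Scopes on the affected app that intersect the sensitive set."""
    scopes = deep_get(event, "entity", "app", "scopes", default=[]) or []
    return sorted(SENSITIVE_SCOPES.intersection(scopes))


def rule(event):
    if event.get("action") not in WATCHED_ACTIONS:
        return False
    return bool(sensitive_scopes(event))


def title(event):
    actor = deep_get(event, "actor", "user", "name") or deep_get(event, "actor", "user", "id")
    app = deep_get(event, "entity", "app", "name", default="unknown app")
    return (f"Slack app {app} granted sensitive scopes "
            f"{', '.join(sensitive_scopes(event))} by {actor}")


def severity(event):
    # Apps outside the approved directory warrant a closer look.
    approved = deep_get(event, "entity", "app", "is_directory_approved", default=False)
    return "MEDIUM" if approved else "HIGH"


def alert_context(event):
    """Fields an analyst wants on the alert without opening the raw event."""
    return {
        "app_id": deep_get(event, "entity", "app", "id"),
        "scopes": deep_get(event, "entity", "app", "scopes", default=[]),
        "actor_email": deep_get(event, "actor", "user", "email"),
        "source_ip": deep_get(event, "context", "ip_address"),
        "location": deep_get(event, "context", "location", "id"),
    }


def evaluate(events):
    """Return (id, severity, title) for each matching event."""
    return [(e["id"], severity(e), title(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        print(*row)
```

The rule keys on entity.app.scopes rather than on the action alone, so a routine install of a chat-only bot stays quiet while an install that carries file or audit read access produces an alert with the source IP and location already attached.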

Slack.IntegrationLogs

Integration activity logs for a team, including when integrations are added, modified, and removed.

Reference: Slack Documentation on Integration Logs.

schema: Slack.IntegrationLogs
parser:
    native:
        name: Slack.IntegrationLogs
description: Integration activity logs for a team, including when integrations are added, modified and removed.
referenceURL: https://api.slack.com/methods/team.integrationLogs
fields:
    - name: user_id
      required: true
      description: The id of the user performing the action.
      type: string
    - name: user_name
      description: The username of the user performing the action.
      type: string
      indicators:
        - username
    - name: service_id
      description: The service id for which this log is about.
      type: string
    - name: service_type
      description: The service type for which this log is about.
      type: string
    - name: app_id
      description: The app id for which this log is about.
      type: string
    - name: app_type
      description: The app type for which this log is about.
      type: string
    - name: date
      required: true
      description: The date when the action happened.
      type: timestamp
      timeFormat: unix
      isEventTime: true
    - name: change_type
      required: true
      description: The type of this action (added, removed, enabled, disabled, updated).
      type: string
    - name: scope
      description: The scope used for this action.
      type: string
    - name: channel
      description: The related channel.
      type: string
    - name: reason
      description: The reason of the disable action, populated if this event refers to such an action.
      type: string
    - name: rss_feed
      description: True if this log entry is an RSS feed. If true, more RSS feed related fields will be present.
      type: boolean
    - name: rss_feed_change_type
      description: The change type for the RSS feed.
      type: string
    - name: rss_feed_title
      description: The title of the RSS feed.
      type: string
    - name: rss_feed_url
      description: The url of the RSS feed.
      type: string
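
Integration logs are where the removal or disabling of a feed into Slack shows up, which matters when Slack is part of the alerting path. The following is an added example, not Panther's own code or a rule from panther-analysis: a Panther-style Python rule over constructed Slack.IntegrationLogs events that alerts when an integration identified as security tooling is removed or disabled, and skips rss_feed entries, which carry their own change type. The naming markers used to recognise such integrations and the sample events are assumptions made for this example.

```python
"""Added example (not Panther's code): a Panther-style Python rule over
constructed Slack.IntegrationLogs events that flags loss of a
security-relevant integration.
"""

# Assumed for this example: name fragments identifying integrations that
# security operations depends on.
PROTECTED_NAME_MARKERS = ("panther", "pagerduty", "siem")
LOSS_CHANGE_TYPES = {"removed", "disabled"}

# Constructed sample events, shaped like the Slack.IntegrationLogs schema.
SAMPLE_EVENTS = [
    {"user_id": "U01", "user_name": "alice", "service_id": "S01",
     "service_type": "Panther Alerts", "date": 1700000000,
     "change_type": "disabled", "reason": "user", "channel": "C0SECOPS"},
    {"user_id": "U02", "user_name": "bob", "app_id": "A02",
     "app_type": "Standup Bot", "date": 1700000100, "change_type": "removed",
     "channel": "C0GENERAL"},
    {"user_id": "U03", "user_name": "carol", "service_id": "S03",
     "service_type": "RSS", "date": 1700000200, "change_type": "updated",
     "rss_feed": True, "rss_feed_change_type": "removed",
     "rss_feed_title": "Vendor blog", "rss_feed_url": "https://example.com/feed"},
    {"user_id": "U01", "user_name": "alice", "app_id": "A04",
     "app_type": "PagerDuty", "date": 1700000300, "change_type": "added",
     "channel": "C0SECOPS"},
]


def integration_name(event):
    """An entry describes either a service or an app; use whichever is present."""
    return event.get("service_type") or event.get("app_type") or ""


def rule(event):
    # RSS feed entries describe feed changes, not the integration itself.
    if event.get("rss_feed"):
        return False
    if event.get("change_type") not in LOSS_CHANGE_TYPES:
        return False
    name = integration_name(event).lower()
    return any(marker in name for marker in PROTECTED_NAME_MARKERS)


def title(event):
    reason = event.get("reason")
    suffix = f" (reason: {reason})" if reason else ""
    return (f"Slack integration {integration_name(event)} {event['change_type']} "
            f"by {event.get('user_name', event['user_id'])}{suffix}")


def dedup(event):
    # One alert per integration per change, however many channels it touched.
    return f"{event.get('service_id') or event.get('app_id')}:{event['change_type']}"


def evaluate(events):
    """Return the alert title for each matching event."""
    return [title(e) for e in events if rule(e)]


if __name__ == "__main__":
    for alert_title in evaluate(SAMPLE_EVENTS):
        print(alert_title)
```

The reason field is carried into the title only when present, since the schema populates it solely for disable actions; additions and updates of the same integrations are deliberately left to the Slack.AuditLogs example above.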
