Slack Logs

Panther supports pulling logs directly from Slack

Overview

Panther can pull the following Slack logs:

Audit logs, by querying the Audit Logs API.
- The Audit Logs API is only available to Slack customers with an Enterprise Grid plan.
Access logs, by querying the team.accessLogs API.
- This API is available in all Slack paid plans.
- Note: Due to Slack's rate limits, Panther pulls only the events where the user or the access location or the access device is new.
Integration logs, by querying the team.integrationLogs API.
- This API is available in all Slack paid plans.

Access and integration logs can be ingested through the same Slack log source in Panther, while audit logs must be ingested through a separate Slack log source. However, it is unlikely that you need to ingest all three types of logs, as audit logs are likely to contain all actions represented by access and integrations logs.

Panther will query the API every one minute. In order for Panther to access the Slack API, you need to create a new Slack source on Panther, create a Slack App, and provide the app credentials to Panther.

Video Walkthrough

How to onboard Slack logs to Panther

Create a new Slack Source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Slack," then click its tile.
On the slide-out panel, click Start Setup.
On the Configuration screen, enter values for the following fields:
- Name: Enter a descriptive name for the source e.g., My Slack logs.
- Select your Slack Plan: Choose from the following options:
  - Enterprise Grid: This option enables the source to receive Slack.AuditLogs.
  - Standard/Plus: This option enables the source to receive Slack.AccessLogs and/or Slack.IntegrationLogs.
Click Setup.
On the Set Credentials page, Copy the Redirect URL and save it somewhere secure. You will need it in the next steps.
Keep this browser window open while you work through the next steps.

Create a new Slack App

Create a Slack app with permissions to pull logs from Slack. For security and availability reasons, we recommend creating a new Slack App that will be used only with Panther.

You can create an app for:

How to create a Slack App to pull Audit Logs

Follow the instructions below to create a Slack app that pulls Audit Logs into your Panther account. The Audit Logs API is available to customers with a Slack Enterprise plan only.

If you want to pull in Access or Integration logs, please see the next section: How to create a Slack App to pull Access or Integration logs.

Sign in to the Slack workspace belonging to the Enterprise you want to monitor.
- You must sign in as an owner of the organization.
On the screen displaying all the workspaces in your Enterprise, click Launch in Slack on the workspace you want to monitor.
- Enter an App Name e.g. Panther monitoring.
- Select the workspace where you previously signed in.
Click Create App.
- The App will be created in the selected workspace and later you will be able to monitor the entire Enterprise organization.
In the left sidebar menu, click OAuth & Permissions.
Scroll down to the Redirect URLs section.
Click Save URLs.
In the left sidebar, go to Settings > Manage Distribution.
Under the section titled "Share Your App with Other Workspaces," enable the following options:
- Enable Features & Functionality
- Add OAuth Redirect URLs
- Remove Hard Coded Information
- Use HTTPS For Your Features
Click Activate Public Distribution.
In the left sidebar, go to Settings > Basic Information.
In the App Credentials section, Copy the Client ID and Client Secret.
Follow the steps under Finalize Slack Onboarding in Panther to complete this process.

How to create a Slack App to pull Access or Integration Logs

The Access Logs and Integration Logs API is available in all Slack paid plans.

If you want to pull in Audit logs, please see the previous section: How to create a Slack App to pull Audit Logs.

Sign in to the Slack workspace you want to monitor.
- You must sign in as an owner of the organization.
On the screen displaying your workspaces, click Launch in Slack on the workspace you want to monitor.
- Enter an App Name e.g. Panther monitoring.
- Select the workspace where you previously signed in.
Click Create App.
- The App will be created in the selected workspace.
In the left sidebar menu, click OAuth & Permissions.
Scroll down to the Redirect URLs section.
Click Save URLs.
Scroll down to the section titled Scopes > User Token Scopes. Add the admin scope.
In the left sidebar, go to Settings > Basic Information.
Follow the steps under Finalize Slack Onboarding in Panther to complete this process.

Finalize Slack onboarding in Panther

Navigate back to the Panther Console.
On the "Set Credentials" page, paste the Client ID from Slack into the Client ID field and the Client Secret from Slack into the Client Secret field.
Click Setup.
Click Save Source.
On the Verify Setup screen, click Grant Access.
- You will be redirected to a Slack page to install your app.
- For Audit Logs, make sure you install it to the Enterprise Organization and not to a specific workspace!
Click Allow.
In the Panther Console, click Setup. You will be directed to a success screen:
- You can optionally enable one or more Detection Packs.
- The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Note: The integration will incur limitations if:

the account of the user that installed the app to the organization is deactivated
the app was deleted, the access token was revoked, or the app credentials are rotated

Panther-built detections

See Panther's built in rules for Slack in panther-analysis in Github.

Supported log types

Slack.AccessLogs

Access logs for users on a Slack workspace. Note: Due to Slack's rate limits, Panther pulls only the events where the user or the access location or the access device is new. Panther will not update the date_last, count fields of an event.'

Reference: Slack Documentation on Access Logs.

schema: Slack.AccessLogs
parser:
    native:
        name: Slack.AccessLogs
description: 'Access logs for users on a Slack workspace. Note: Due to Slack's rate limits, Panther pulls only the events where the user or the access location or the access device is new. Panther will not update the `date_last`, `count` fields of an event.'
referenceURL: https://api.slack.com/methods/team.accessLogs
fields:
    - name: user_id
      required: true
      description: The id of the user accessing Slack.
      type: string
    - name: username
      description: The username of the user accessing Slack.
      type: string
      indicators:
        - username
    - name: date_first
      required: true
      description: Unix timestamp of the first access log entry for this user, IP address, and user agent combination.
      type: timestamp
      timeFormat: unix
    - name: date_last
      required: true
      description: 'Unix timestamp of the most recent access log entry for this user, IP address, and user agent combination. Note: Panther will not update this field even if it is updated in the Slack API.'
      type: timestamp
      timeFormat: unix
      isEventTime: true
    - name: count
      required: true
      description: 'The total number of access log entries for that combination. Note: Panther will not update this field even if it is updated in the Slack API.'
      type: bigint
    - name: ip
      required: true
      description: The IP address of the device used to access Slack.
      type: string
      indicators:
        - ip
    - name: user_agent
      description: The reported user agent string from the browser or client application.
      type: string
    - name: isp
      description: Best guess at the internet service provider owning the IP address.
      type: string
    - name: country
      description: Best guesses on where the access originated, based on the IP address.
      type: string
    - name: region
      description: Best guesses on where the access originated, based on the IP address.
      type: string

Slack.AuditLogs

Slack audit logs provide a view of the actions users perform in an Enterprise organization.

Reference: Slack Documentation on Audit Logs.

schema: Slack.AuditLogs
parser:
    native:
        name: Slack.AuditLogs
description: Slack audit logs provide a view of the actions users perform in an Enterprise organization.
referenceURL: https://api.slack.com/enterprise/audit-logs
fields:
    - name: id
      required: true
      description: The event id
      type: string
    - name: date_create
      required: true
      description: Creation timestamp for the event
      type: timestamp
      timeFormat: unix
      isEventTime: true
    - name: action
      required: true
      description: The action performed. See https://api.slack.com/enterprise/audit-logs#audit_logs_actions
      type: string
    - name: actor
      required: true
      description: An actor will always be a user on a workspace and will be identified by their user ID, such as W123AB456.
      type: object
      fields:
        - name: type
          required: true
          description: The type of actor (always user)
          type: string
        - name: user
          description: Information about the user
          type: object
          fields:
            - name: id
              required: true
              description: The id of the user ('USLACKUSER' if no user performed the action)
              type: string
            - name: name
              description: The user's display name
              type: string
              indicators:
                - username
            - name: email
              description: The user's email
              type: string
              indicators:
                - email
            - name: team
              description: The user's team
              type: string
    - name: entity
      required: true
      description: An entity is the thing that the actor has taken the action upon and it will be the Slack ID of the thing.
      type: object
      fields:
        - name: type
          required: true
          description: The type of item that was affected by the action (user,channel,file,app,workspace,enterprise,message,workflow)
          type: string
        - name: user
          description: Information about the affected user
          type: object
          fields:
            - name: id
              required: true
              description: The id of the user ('USLACKUSER' if no user performed the action)
              type: string
            - name: name
              description: The user's display name
              type: string
              indicators:
                - username
            - name: email
              description: The user's email
              type: string
              indicators:
                - email
            - name: team
              description: The user's team
              type: string
        - name: channel
          description: Information about the affected channel
          type: object
          fields:
            - name: id
              required: true
              description: The id of the channel
              type: string
            - name: name
              description: The name of the channel
              type: string
            - name: privacy
              description: The privacy mode of the channel
              type: string
            - name: is_shared
              description: Whether the channel is shared
              type: boolean
            - name: is_org_shared
              description: Whether the channel is shared in the organisation
              type: boolean
            - name: teams_shared_with
              description: The teams the channel is shared with
              type: array
              element:
                type: string
        - name: file
          description: Information about the affected file
          type: object
          fields:
            - name: id
              required: true
              description: The id of the file
              type: string
            - name: name
              description: The filename
              type: string
            - name: title
              description: The file title
              type: string
            - name: filetype
              description: The filetype
              type: string
        - name: app
          description: Information about the affected app
          type: object
          fields:
            - name: id
              required: true
              description: The id of the app
              type: string
            - name: name
              description: The name of the app
              type: string
            - name: is_distributed
              description: Whether the app is distributed
              type: boolean
            - name: is_directory_approved
              description: Whether the app is in the approved apps directory
              type: boolean
            - name: scopes
              description: The OAuth2 scopes the app requires
              type: array
              element:
                type: string
        - name: workspace
          description: Information about the affected workspace
          type: object
          fields:
            - name: id
              required: true
              description: The id of the workspace
              type: string
            - name: name
              description: The name of the workspace
              type: string
            - name: domain
              description: The workspace domain
              type: string
        - name: enterprise
          description: Information about the affected enterprise
          type: object
          fields:
            - name: id
              required: true
              description: The id of the enterprise
              type: string
            - name: name
              description: The name of the enterprise
              type: string
            - name: domain
              description: The enterprise domain
              type: string
        - name: workflow
          description: Information about the affected workflow
          type: object
          fields:
            - name: id
              required: true
              description: The id of the workflow
              type: string
            - name: name
              description: The name of the workflow
              type: string
        - name: message
          description: Information about the affected message
          type: object
          fields:
            - name: team
              description: The team the message was posted in
              type: string
            - name: channel
              description: The channel the message was posted on
              type: string
            - name: timestamp
              description: The timestamp of the message
              type: string
    - name: context
      required: true
      description: Context is the location that the actor took the action on the entity. It will always be either a Workspace or an Enterprise, with the appropriate ID.
      type: object
      fields:
        - name: ua
          description: The user agent used for the action
          type: string
        - name: ip_address
          description: The ip address the action was performed from
          type: string
          indicators:
            - ip
        - name: location
          description: The location that the actor took the action on the entity.
          type: object
          fields:
            - name: type
              required: true
              description: The location type. It will always be either a Workspace or an Enterprise
              type: string
            - name: id
              required: true
              description: The location id
              type: string
            - name: domain
              description: The location domain
              type: string
            - name: name
              description: The location name
              type: string
    - name: details
      description: Additional details about the audit log event
      type: json

Slack.IntegrationLogs

Integration activity logs for a team, including when integrations are added, modified, and removed.

Reference: Slack Documentation on Integration Logs.

schema: Slack.IntegrationLogs
parser:
    native:
        name: Slack.IntegrationLogs
description: Integration activity logs for a team, including when integrations are added, modified and removed.
referenceURL: https://api.slack.com/methods/team.integrationLogs
fields:
    - name: user_id
      required: true
      description: The id of the user performing the action.
      type: string
    - name: user_name
      description: The username of the user performing the action.
      type: string
      indicators:
        - username
    - name: service_id
      description: The service id for which this log is about.
      type: string
    - name: service_type
      description: The service type for which this log is about.
      type: string
    - name: app_id
      description: The app id for which this log is about.
      type: string
    - name: app_type
      description: The app type for which this log is about.
      type: string
    - name: date
      required: true
      description: The date when the action happened.
      type: timestamp
      timeFormat: unix
      isEventTime: true
    - name: change_type
      required: true
      description: The type of this action (added, removed, enabled, disabled, updated).
      type: string
    - name: scope
      description: The scope used for this action.
      type: string
    - name: channel
      description: The related channel.
      type: string
    - name: reason
      description: The reason of the disable action, populated if this event refers to such an action.
      type: string
    - name: rss_feed
      description: True if this log entry is an RSS feed. If true, more RSS feed related fields will be present.
      type: boolean
    - name: rss_feed_change_type
      description: The change type for the RSS feed.
      type: string
    - name: rss_feed_title
      description: The title of the RSS feed.
      type: string
    - name: rss_feed_url
      description: The url of the RSS feed.
      type: string

PreviousSentinelOne Logs NextSnyk Logs

Last updated 6 months ago

Was this helpful?