Access and integration logs can be ingested through the same Slack log source in Panther, while audit logs must be ingested through a separate Slack log source. However, you are unlikely to need all three log types, because audit logs should already contain every action represented in the access and integration logs.
Panther queries the Slack API once per minute. To allow Panther to access the Slack API, you need to create a new Slack source in Panther, create a Slack App, and provide the app's credentials to Panther.
Video Walkthrough
How to onboard Slack logs to Panther
Create a new Slack Source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Slack," then click its tile.
On the slide-out panel, click Start Setup.
On the Configuration screen, enter values for the following fields:
Name: Enter a descriptive name for the source, e.g., My Slack logs.
Select your Slack Plan: Choose from the following options:
Enterprise Grid: This option enables the source to receive Slack.AuditLogs.
On the Set Credentials page, copy the Redirect URL and save it somewhere secure. You will need it in the next steps.
Keep this browser window open while you work through the next steps.
Create a new Slack App
Create a Slack app with permissions to pull logs from Slack. For security and availability reasons, we recommend creating a new Slack App that will be used only with Panther.
Follow the instructions below to create a Slack app that pulls Audit Logs into your Panther account. The Audit Logs API is available to customers with a Slack Enterprise plan only.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Note: The integration will incur limitations if:
the account of the user that installed the app to the organization is deactivated
the app was deleted, the access token was revoked, or the app credentials are rotated
Slack.AccessLogs
Access logs for users on a Slack workspace. Note: Due to Slack's rate limits, Panther pulls only the events where the user, the access location, or the access device is new. Panther will not update the date_last and count fields of an event.
```yaml
schema: Slack.AccessLogs
parser:
  native:
    name: Slack.AccessLogs
description: "Access logs for users on a Slack workspace. Note: Due to Slack's rate limits, Panther pulls only the events where the user or the access location or the access device is new. Panther will not update the `date_last`, `count` fields of an event."
referenceURL: https://api.slack.com/methods/team.accessLogs
fields:
  - name: user_id
    required: true
    description: The id of the user accessing Slack.
    type: string
  - name: username
    description: The username of the user accessing Slack.
    type: string
    indicators:
      - username
  - name: date_first
    required: true
    description: Unix timestamp of the first access log entry for this user, IP address, and user agent combination.
    type: timestamp
    timeFormat: unix
  - name: date_last
    required: true
    description: "Unix timestamp of the most recent access log entry for this user, IP address, and user agent combination. Note: Panther will not update this field even if it is updated in the Slack API."
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: count
    required: true
    description: "The total number of access log entries for that combination. Note: Panther will not update this field even if it is updated in the Slack API."
    type: bigint
  - name: ip
    required: true
    description: The IP address of the device used to access Slack.
    type: string
    indicators:
      - ip
  - name: user_agent
    description: The reported user agent string from the browser or client application.
    type: string
  - name: isp
    description: Best guess at the internet service provider owning the IP address.
    type: string
  - name: country
    description: Best guesses on where the access originated, based on the IP address.
    type: string
  - name: region
    description: Best guesses on where the access originated, based on the IP address.
    type: string
```
Slack.AuditLogs
Slack audit logs provide a view of the actions users perform in an Enterprise organization.
```yaml
schema: Slack.AuditLogs
parser:
  native:
    name: Slack.AuditLogs
description: Slack audit logs provide a view of the actions users perform in an Enterprise organization.
referenceURL: https://api.slack.com/enterprise/audit-logs
fields:
  - name: id
    required: true
    description: The event id
    type: string
  - name: date_create
    required: true
    description: Creation timestamp for the event
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: action
    required: true
    description: The action performed. See https://api.slack.com/enterprise/audit-logs#audit_logs_actions
    type: string
  - name: actor
    required: true
    description: An actor will always be a user on a workspace and will be identified by their user ID, such as W123AB456.
    type: object
    fields:
      - name: type
        required: true
        description: The type of actor (always user)
        type: string
      - name: user
        description: Information about the user
        type: object
        fields:
          - name: id
            required: true
            description: The id of the user ('USLACKUSER' if no user performed the action)
            type: string
          - name: name
            description: The user's display name
            type: string
            indicators:
              - username
          - name: email
            description: The user's email
            type: string
            indicators:
              - email
          - name: team
            description: The user's team
            type: string
  - name: entity
    required: true
    description: An entity is the thing that the actor has taken the action upon and it will be the Slack ID of the thing.
    type: object
    fields:
      - name: type
        required: true
        description: The type of item that was affected by the action (user,channel,file,app,workspace,enterprise,message,workflow)
        type: string
      - name: user
        description: Information about the affected user
        type: object
        fields:
          - name: id
            required: true
            description: The id of the user ('USLACKUSER' if no user performed the action)
            type: string
          - name: name
            description: The user's display name
            type: string
            indicators:
              - username
          - name: email
            description: The user's email
            type: string
            indicators:
              - email
          - name: team
            description: The user's team
            type: string
      - name: channel
        description: Information about the affected channel
        type: object
        fields:
          - name: id
            required: true
            description: The id of the channel
            type: string
          - name: name
            description: The name of the channel
            type: string
          - name: privacy
            description: The privacy mode of the channel
            type: string
          - name: is_shared
            description: Whether the channel is shared
            type: boolean
          - name: is_org_shared
            description: Whether the channel is shared in the organisation
            type: boolean
          - name: teams_shared_with
            description: The teams the channel is shared with
            type: array
            element:
              type: string
      - name: file
        description: Information about the affected file
        type: object
        fields:
          - name: id
            required: true
            description: The id of the file
            type: string
          - name: name
            description: The filename
            type: string
          - name: title
            description: The file title
            type: string
          - name: filetype
            description: The filetype
            type: string
      - name: app
        description: Information about the affected app
        type: object
        fields:
          - name: id
            required: true
            description: The id of the app
            type: string
          - name: name
            description: The name of the app
            type: string
          - name: is_distributed
            description: Whether the app is distributed
            type: boolean
          - name: is_directory_approved
            description: Whether the app is in the approved apps directory
            type: boolean
          - name: scopes
            description: The OAuth2 scopes the app requires
            type: array
            element:
              type: string
      - name: workspace
        description: Information about the affected workspace
        type: object
        fields:
          - name: id
            required: true
            description: The id of the workspace
            type: string
          - name: name
            description: The name of the workspace
            type: string
          - name: domain
            description: The workspace domain
            type: string
      - name: enterprise
        description: Information about the affected enterprise
        type: object
        fields:
          - name: id
            required: true
            description: The id of the enterprise
            type: string
          - name: name
            description: The name of the enterprise
            type: string
          - name: domain
            description: The enterprise domain
            type: string
      - name: workflow
        description: Information about the affected workflow
        type: object
        fields:
          - name: id
            required: true
            description: The id of the workflow
            type: string
          - name: name
            description: The name of the workflow
            type: string
      - name: message
        description: Information about the affected message
        type: object
        fields:
          - name: team
            description: The team the message was posted in
            type: string
          - name: channel
            description: The channel the message was posted on
            type: string
          - name: timestamp
            description: The timestamp of the message
            type: string
  - name: context
    required: true
    description: Context is the location that the actor took the action on the entity. It will always be either a Workspace or an Enterprise, with the appropriate ID.
    type: object
    fields:
      - name: ua
        description: The user agent used for the action
        type: string
      - name: ip_address
        description: The ip address the action was performed from
        type: string
        indicators:
          - ip
      - name: location
        description: The location that the actor took the action on the entity.
        type: object
        fields:
          - name: type
            required: true
            description: The location type. It will always be either a Workspace or an Enterprise
            type: string
          - name: id
            required: true
            description: The location id
            type: string
          - name: domain
            description: The location domain
            type: string
          - name: name
            description: The location name
            type: string
  - name: details
    description: Additional details about the audit log event
    type: json
```
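As an added example (not Panther's or Slack's own code), here is a Panther-style Python rule written against the Slack.AuditLogs schema above: it flags an app outside the approved apps directory being installed or granted sensitive OAuth scopes, which is the kind of change the entity.app fields exist to surface. The action names app_installed and app_scopes_expanded follow Slack's audit-log action list referenced above and are assumed here; the sensitive-scope set, the sample event and the local deep_get helper (a stand-in for Panther's event.deep_get()) are constructed for illustration.

```python
# Added example: Panther-style detection over the Slack.AuditLogs schema above.
# Fires when an app outside the approved apps directory is installed or granted
# new scopes that include a sensitive one. Assumptions: action names follow Slack's
# audit-log action list; SENSITIVE_SCOPES is illustrative; deep_get() stands in
# for Panther's event.deep_get() helper.
APP_ACTIONS = {"app_installed", "app_scopes_expanded"}
SENSITIVE_SCOPES = {"admin", "channels:history", "files:read", "users:read.email"}


def deep_get(event: dict, *keys: str, default=None):
    """Walk nested dicts; a missing key or non-dict intermediate yields default."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def requested_sensitive_scopes(event: dict) -> list:
    scopes = deep_get(event, "entity", "app", "scopes", default=[]) or []
    return sorted(set(scopes) & SENSITIVE_SCOPES)


def rule(event: dict) -> bool:
    if event.get("action") not in APP_ACTIONS:
        return False
    if deep_get(event, "entity", "type") != "app":
        return False
    # Directory-approved apps were already reviewed by admins; skip them.
    if deep_get(event, "entity", "app", "is_directory_approved", default=False):
        return False
    return bool(requested_sensitive_scopes(event))


def title(event: dict) -> str:
    app = deep_get(event, "entity", "app", "name", default="<unknown app>")
    actor = deep_get(event, "actor", "user", "email", default="<unknown actor>")
    return f"Slack: unapproved app [{app}] {event.get('action')} by {actor}"


# Constructed sample event shaped like the Slack.AuditLogs schema (not real data).
SAMPLE_EVENT = {
    "id": "evt-constructed-0001", "date_create": 1700000000, "action": "app_installed",
    "actor": {"type": "user", "user": {"id": "W123AB456", "email": "alice@example.com"}},
    "entity": {"type": "app", "app": {"id": "A0EXAMPLE", "name": "Example Exporter",
               "is_directory_approved": False, "scopes": ["files:read", "chat:write"]}},
    "context": {"ip_address": "203.0.113.10", "location": {"type": "workspace", "id": "T0EX"}},
}
```

In a real deployment the rule would run against every Slack.AuditLogs event Panther ingests, and the scope set would be tuned to what your organisation treats as sensitive.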
Slack.IntegrationLogs
Integration activity logs for a team, including when integrations are added, modified, and removed.
```yaml
schema: Slack.IntegrationLogs
parser:
  native:
    name: Slack.IntegrationLogs
description: Integration activity logs for a team, including when integrations are added, modified and removed.
referenceURL: https://api.slack.com/methods/team.integrationLogs
fields:
  - name: user_id
    required: true
    description: The id of the user performing the action.
    type: string
  - name: user_name
    description: The username of the user performing the action.
    type: string
    indicators:
      - username
  - name: service_id
    description: The service id for which this log is about.
    type: string
  - name: service_type
    description: The service type for which this log is about.
    type: string
  - name: app_id
    description: The app id for which this log is about.
    type: string
  - name: app_type
    description: The app type for which this log is about.
    type: string
  - name: date
    required: true
    description: The date when the action happened.
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: change_type
    required: true
    description: The type of this action (added, removed, enabled, disabled, updated).
    type: string
  - name: scope
    description: The scope used for this action.
    type: string
  - name: channel
    description: The related channel.
    type: string
  - name: reason
    description: The reason of the disable action, populated if this event refers to such an action.
    type: string
  - name: rss_feed
    description: True if this log entry is an RSS feed. If true, more RSS feed related fields will be present.
    type: boolean
  - name: rss_feed_change_type
    description: The change type for the RSS feed.
    type: string
  - name: rss_feed_title
    description: The title of the RSS feed.
    type: string
  - name: rss_feed_url
    description: The url of the RSS feed.
    type: string
```
Go to Slack apps and click Create New App, then click From scratch.
Click Add and enter the Redirect URL that you copied from the Panther Console in the previous section of this documentation.
Scroll down to the User Token Scopes section. Add the auditlogs:read scope.
Note: This does not make your Slack App accessible to other organizations. Slack requires this setting to pull audit logs.
In the App Credentials section, copy the Client ID and Client Secret.