Knowledge BaseRelease NotesRequest Demo

Slack Logs

Panther supports pulling logs directly from Slack

Overview

Panther can pull the following Slack logs:

  • Audit logs, by querying the Audit Logs API.

    • The Audit Logs API is available to Slack customers with an Enterprise plan only.

  • Access logs, by querying the team.accessLogs API.

    • This API is available in all Slack paid plans.

    • Note: Due to Slack's rate limits, Panther pulls only the events where the user or the access location or the access device is new.

  • Integration logs, by querying the team.integrationLogs API.

    • This API is available in all Slack paid plans.

Panther will query the API every 1 minute. In order for Panther to access the Slack API, you need to create a new Slack source on Panther, create a Slack App, and provide the app credentials to Panther.

Video Walkthrough

Walkthrough video showing how to onboard Slack logs to Panther

How to onboard Slack logs to Panther

Create a new Slack Source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Select Slack from the list of available log sources. Click Start Setup.

  4. On the next screen, enter a descriptive name for the source e.g., My Slack logs.

  5. Enter a name for the source (e.g. My Slack logs) and then select your Slack plan.

    • The available log types depend on which plan you are subscribed to. To find your Slack plan, click the name of your Slack workspace at the top left of the Slack app.

  6. Click Setup.

  7. On the Set Credentials page, Copy the Redirect URL and save it somewhere secure. You will need it in the next steps.

  8. Keep this browser window open while you work through the next steps.

Create a new Slack App

Create a Slack app with permissions to pull logs from Slack. For security and availability reasons, we recommend creating a new Slack App that will be used only with Panther.

You can create an app for:

How to create a Slack App to pull Audit Logs

Follow the instructions below to create a Slack app that pulls Audit Logs into your Panther account. The Audit Logs API is available to customers with a Slack Enterprise plan only.

If you want to pull in Access or Integration logs, please see the next section: How to create a Slack App to pull Access or Integration logs.

  1. Sign in to the Slack workspace belonging to the Enterprise you want to monitor.

    • You must sign in as an owner of the organization.

  2. On the screen displaying all the workspaces in your Enterprise, click Launch in Slack on the workspace you want to monitor.

  3. Go to Slack apps and click Create New App, then click from scratch. In the Slack admin portal, the "Create an App" popup dialog is displayed. There are two options: From scratch, and From an app manifest (beta).

    • Enter an App Name e.g. Panther monitoring.

    • Select the workspace where you previously signed in.

    The "Create a Slack App" form shows a field for App Name, which has "Panther monitoring" written in it. There is a dropdown menu labeled "Development Slack Workspace". At the bottom of the page, there is a grey "Create App" button.

  4. Click Create App.

    • The App will be created in the selected workspace and later you will be able to monitor the entire Enterprise organization.

  5. In the left sidebar menu, click OAuth & Permissions.

  6. Scroll down to the Redirect URLs section.

  7. Click Add and enter the Redirect URL that you copied from the Panther Console in the previous section of this documentation. In Slack, the "Oauth and Permissions" tab on the left sidebar is highlighted. There is a red arrow pointing to a header in the middle of the page labeled "Redirect URLs." There is a red circle around a Redirect URL field.

  8. Click Save URLs.

  9. Scroll down to the User Token Scopes section. Add the auditlogs:read scope. In the Slack admin console, there is a header called "User Token Scopes." In the image, there is a red circle around a field labeled "Add permission by Scope or API Method...". The option "auditlogsread" is selected.

  10. In the left sidebar, go to Settings > Manage Distribution.

  11. Under the section titled "Share Your App with Other Workspaces," enable the following options:

    • Enable Features & Functionality

    • Add OAuth Redirect URLs

    • Remove Hard Coded Information

    • Use HTTPS For Your Features

  12. Click Activate Public Distribution.

    • Note: This does not make your Slack App accessible to other organizations. Slack requires this setting to pull audit logs. In the Slack admin portal, there is a section labeled "Share your App with Other Workspaces." It displays a list of steps, which all have green checkmarks next to them. At the bottom, there is a green button labeled "Activate Public Distribution."

  13. In the left sidebar, go to Settings > Basic Information.

  14. In the App Credentials section, Copy the Client ID and Client Secret.

  15. Follow the steps under Finalize Slack Onboarding in Panther to complete this process.

In the Slack admin console, the App Credentials page is open. There are fields for App ID, Date of App Creation, Client ID, Client Secret, and Signing Secret. There is a red circle around the Client ID and Client Secret fields.

How to create a Slack App to pull Access or Integration Logs

The Access Logs and Integration Logs API is available in all Slack paid plans.

If you want to pull in Audit logs, please see the previous section: How to create a Slack App to pull Audit Logs.

  1. Sign in to the Slack workspace you want to monitor.

    • You must sign in as an owner of the organization.

  2. On the screen displaying your workspaces, click Launch in Slack on the workspace you want to monitor.

  3. Go to Slack apps and click Create New App, then click from scratch. In the Slack admin portal, the "Create an App" popup dialog is displayed. There are two options: From scratch, and From an app manifest (beta).

    • Enter an App Name e.g. Panther monitoring.

    • Select the workspace where you previously signed in.

    The "Create a Slack App" form shows a field for App Name, which has "Panther monitoring" written in it. There is a dropdown menu labeled "Development Slack Workspace". At the bottom of the page, there is a grey "Create App" button.

  4. Click Create App.

    • The App will be created in the selected workspace.

  5. In the left sidebar menu, click OAuth & Permissions.

  6. Scroll down to the Redirect URLs section.

  7. Click Add and enter the Redirect URL that you copied from the Panther Console in the previous section of this documentation. In Slack, the "Oauth and Permissions" tab on the left sidebar is highlighted. There is a red arrow pointing to a header in the middle of the page labeled "Redirect URLs." There is a red circle around a Redirect URL field.

  8. Click Save URLs.

  9. Scroll down to the section titled Scopes > User Token Scopes. Add the admin scope.

  10. In the left sidebar, go to Settings > Basic Information.

  11. In the App Credentials section, Copy the Client ID and Client Secret. In the Slack admin console, the App Credentials page is open. There are fields for App ID, Date of App Creation, Client ID, Client Secret, and Signing Secret. There is a red circle around the Client ID and Client Secret fields.

  12. Follow the steps under Finalize Slack Onboarding in Panther to complete this process.

Finalize Slack onboarding in Panther

  1. Navigate back to the Panther Console.

  2. On the "Set Credentials" page, paste the Client ID from Slack into the Client ID field and the Client Secret from Slack into the Client Secret field.

  3. Click Setup.

  4. Click Save Source.

  5. On the Verify Setup screen, click Grant Access.

    • You will be redirected to a Slack page to install your app.

    • For Audit Logs, make sure you install it to the Enterprise Organization and not to a specific workspace!

  6. Click Allow.

  7. In the Panther Console, click Setup. You will be directed to a success screen:

    The success screen reads, "Everything looks good! Panther will now automatically pull & process logs from your account"

    • You can optionally enable one or more Detection Packs.

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

      The "Trigger an alert when no events are processed" toggle is set to YES. The "How long should Panther wait before it sends you an alert that no events have been processed" setting is set to 1 Day

Note: The integration will incur limitations if:

  • the account of the user that installed the app to the organization is deactivated

  • the app was deleted, the access token was revoked, or the app credentials are rotated

Panther-built detections

See Panther's built in rules for Slack in panther-analysis in Github.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

Slack.AccessLogs

Access logs for users on a Slack workspace. Note: Due to Slack's rate limits, Panther pulls only the events where the user or the access location or the access device is new. Panther will not update the date_last, count fields of an event.'

Reference: Slack Documentation on Access Logs.

Slack.AuditLogs

Slack audit logs provide a view of the actions users perform in an Enterprise organization.

Reference: Slack Documentation on Audit Logs.

Slack.IntegrationLogs

Integration activity logs for a team, including when integrations are added, modified, and removed.

Reference: Slack Documentation on Integration Logs.

PreviousSentinelOne LogsNextSnyk Logs

Last updated

Was this helpful?