# Slack

This guide walks through how to set up Slack as a log source in Scanner Collect, using direct API integration with the [Slack Audit Logs API](https://api.slack.com/admins/audit-logs). Scanner will authenticate using [OAuth 2.0](https://docs.slack.dev/authentication/installing-with-oauth) to pull audit logs from Slack.

Slack audit logs capture security-relevant events across your Slack Enterprise organization, such as user logins, file downloads, channel creation, app installations, and changes to workspace settings. For a general overview of what audit logs are and how they can be used, see [Audit logs in Slack](https://slack.com/help/articles/360000394286-Audit-logs-in-Slack).

We'll assume that you want Scanner to both store the logs in S3 and index them for search and detection.

## Prerequisites

Before you begin, make sure you have:

* **A Slack Enterprise Grid organization.** Audit logs are only available on the Enterprise Grid plan.
* **Organization Owner permissions** in your Slack Enterprise Grid organization. Only organization owners can approve and install apps that access the Audit Logs API.
* **Permissions in Scanner** to create Collect Rules and Index Rules.

### Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

* From the Overview page, click the '+' icon in the upper right corner.
* Select create new **Collect Rule**.
* Choose **Slack**.
* Select the **Log Type**:
  * **Slack: Audit Logs** - captures security and compliance events from the Slack Audit Logs API.

Click Continue.

### Step 2: Configure the Collect Rule Source

* Set a **Display Name**, such as `my-org-slack-audit-logs-source`.

Click Next.

### Step 3: Authenticate with Slack

* If you've previously created a Slack connection for audit logs, select it from the list.
* Otherwise, select **New Slack Connection** to authenticate with Slack, allowing the Scanner Slack app to access your Slack organization. The Slack user completing this step must be an Organization Owner (see Prerequisites), since only organization owners can approve and install apps that access the Audit Logs API.

Click Next.

### Step 4: Configure the Collect Rule Destination

* Choose the S3 Bucket where the raw Slack audit logs should be stored.
* (Optional) Enter a Bucket Prefix to organize the data path in your bucket.

Click Next.

### Step 5: Index Logs to Scanner

* Click **Index Logs to Scanner** to set up an index rule for the logs collected in your S3 Bucket.
* Set a name for the index rule, such as `index-rule-for-my-org-slack-audit-logs-source`.

Click Next.

### Step 6: Configure the Index Rule Origin

* Select the S3 Bucket you configured in Step 4.
* Provide the same Bucket Prefix you used in Step 4.
* Use the default Log Format of JsonObjects / Gzip.

Click Next.

### Step 7: Configure the Index Rule Destination

* Choose the Scanner Index where logs will be made searchable, creating a new index if desired.
* Leave the Source Label as the default: `slack`

Click Next.

### Step 8: Transform and Enrich

* Keep the default transformation steps: **Normalize to ECS - Slack** and **Parse JSON Columns**
  * The first step maps log fields to the Elastic Common Schema (ECS), making it easier to write cross-source queries and detection rules.
* (Optional) Add additional transformation or enrichment steps if needed.

Click Next.

### Step 9: Timestamp Extraction

Leave the default timestamp extraction settings. Scanner will automatically extract timestamps from the Slack audit log events.

Click Next.

### Step 10: Review and Create

Review your configuration settings before creating the index rule.

Click **Create Index Rule**.

## What Happens Next

Once created:

* Scanner will poll the Slack Audit Logs API every **5 minutes**.
* New events will be written to your S3 bucket, under the specified key prefix.
* Logs will then be indexed for search and detections using the Scanner index you selected in Step 7.
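The following is an added example, not Scanner's or Slack's own code, showing what the collected data looks like end to end: it writes constructed Slack audit-log entries in the layout Step 6 selects (newline-delimited JSON objects, gzipped), reads them back, derives `@timestamp` from Slack's `date_create` field (Unix epoch seconds, which is what the timestamp extraction in Step 9 has to handle), flattens each entry into ECS-style field names in the spirit of the **Normalize to ECS - Slack** step, and runs three small detections over the result. Assumptions: the one-entry-per-line file layout, the ECS field mapping, the trusted network range, the detection thresholds and all sample entries are constructed here; the entry shape (`id`, `date_create`, `action`, `actor`, `entity`, `context`) follows the Slack Audit Logs API documentation, and Scanner's real ECS mapping may differ.

```python
import gzip
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone


def _entry(eid, ts, action, user, ip, entity=None):
    """Build one constructed entry in the Slack Audit Logs API shape (sample data, not real logs)."""
    uid = f"W{user.upper()}"
    return {
        "id": f"00000000-0000-4000-8000-{eid:012d}",
        "date_create": ts,  # Slack emits Unix epoch seconds, UTC
        "action": action,
        "actor": {"type": "user", "user": {"id": uid, "name": user, "email": f"{user}@example.com"}},
        "entity": entity or {"type": "user", "user": {"id": uid, "name": user}},
        "context": {
            "location": {"type": "enterprise", "id": "E0123ABCD", "name": "Example Org", "domain": "example"},
            "ua": "Mozilla/5.0 (constructed)",
            "ip_address": ip,
        },
    }


# Constructed sample events covering the event types the guide mentions.
SAMPLE_ENTRIES = [
    _entry(1, 1699999000, "user_login", "bob", "198.51.100.7"),
    _entry(2, 1700000000, "user_login", "alice", "203.0.113.10"),
    _entry(3, 1700000060, "file_downloaded", "alice", "203.0.113.10", {"type": "file", "file": {"id": "F0001", "name": "board-deck.pdf"}}),
    _entry(4, 1700000120, "file_downloaded", "alice", "203.0.113.10", {"type": "file", "file": {"id": "F0002", "name": "customers.csv"}}),
    _entry(5, 1700000180, "file_downloaded", "alice", "203.0.113.10", {"type": "file", "file": {"id": "F0003", "name": "salaries.xlsx"}}),
    _entry(6, 1700000300, "app_installed", "bob", "198.51.100.7", {"type": "app", "app": {"id": "A0001", "name": "Exporter"}}),
    _entry(7, 1700000400, "public_channel_created", "carol", "203.0.113.22", {"type": "channel", "channel": {"id": "C0001", "name": "incident-42"}}),
]

TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate egress range
BULK_DOWNLOAD_THRESHOLD = 3      # downloads by one user ...
BULK_DOWNLOAD_WINDOW_S = 300     # ... within this many seconds


def write_jsonobjects_gzip(entries):
    """Gzip newline-delimited JSON objects (assumed layout behind the JsonObjects / Gzip log format)."""
    body = "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in entries)
    return gzip.compress(body.encode("utf-8"))


def read_jsonobjects_gzip(blob):
    """Inverse of write_jsonobjects_gzip; blank lines are skipped."""
    lines = gzip.decompress(blob).decode("utf-8").splitlines()
    return [json.loads(ln) for ln in lines if ln.strip()]


def to_ecs(entry):
    """Flatten a Slack entry into ECS-style dotted fields (illustrative mapping, not Scanner's)."""
    actor = entry.get("actor", {}).get("user", {})
    ctx = entry.get("context", {})
    return {
        "@timestamp": datetime.fromtimestamp(entry["date_create"], tz=timezone.utc).isoformat(),
        "event.id": entry["id"],
        "event.action": entry["action"],
        "user.id": actor.get("id"),
        "user.name": actor.get("name"),
        "user.email": actor.get("email"),
        "source.ip": ctx.get("ip_address"),
        "user_agent.original": ctx.get("ua"),
        "organization.name": ctx.get("location", {}).get("name"),
        "slack.date_create": entry["date_create"],
        "slack.entity": entry.get("entity", {}),
    }


def detect(ecs_events):
    """Three detections over ECS-shaped events: untrusted login, bulk download, app install."""
    alerts = []
    downloads = defaultdict(list)  # user.name -> epoch seconds of recent file_downloaded events
    for ev in sorted(ecs_events, key=lambda e: e["slack.date_create"]):
        action, user, ts = ev["event.action"], ev["user.name"], ev["slack.date_create"]
        if action == "user_login":
            ip = ipaddress.ip_address(ev["source.ip"])
            if not any(ip in net for net in TRUSTED_NETWORKS):
                alerts.append({"rule": "login_from_untrusted_network", "user": user, "@timestamp": ev["@timestamp"], "source.ip": ev["source.ip"]})
        elif action == "app_installed":  # app installs warrant review in an Enterprise Grid org
            alerts.append({"rule": "app_installed", "user": user, "@timestamp": ev["@timestamp"], "app": ev["slack.entity"].get("app", {}).get("name")})
        elif action == "file_downloaded":
            recent = [t for t in downloads[user] if ts - t <= BULK_DOWNLOAD_WINDOW_S] + [ts]
            if len(recent) >= BULK_DOWNLOAD_THRESHOLD:
                alerts.append({"rule": "bulk_file_download", "user": user, "@timestamp": ev["@timestamp"], "count": len(recent)})
                recent = []  # one alert per burst
            downloads[user] = recent
    return alerts


def run_pipeline(entries=SAMPLE_ENTRIES):
    """Round-trip through the gzipped file layout, normalise, and detect."""
    stored = read_jsonobjects_gzip(write_jsonobjects_gzip(entries))
    return detect([to_ecs(e) for e in stored])


if __name__ == "__main__":
    for alert in run_pipeline():
        print(json.dumps(alert))
```

Running the block prints three alerts: bob's login from outside the trusted range, alice's third download inside a five-minute window, and bob's app install. Keep the `slack.entity` subtree on the normalised event, as above: the ECS core fields carry who and when, but the entity (which file, which app, which channel) is what an analyst needs to triage.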
