Slack
This guide walks through how to set up Slack as a log source in Scanner Collect, using direct API integration with the Slack Audit Logs API. Scanner will authenticate using OAuth 2.0 to pull audit logs from Slack.
Slack audit logs capture security-relevant events across your Slack Enterprise organization, such as user logins, file downloads, channel creation, app installations, and changes to workspace settings. For a general overview of what audit logs are and how they can be used, see Audit logs in Slack.
We'll assume that you want Scanner to both store the logs in S3 and index them for search and detection.
Prerequisites
Before you begin, make sure you have:
A Slack Enterprise Grid organization. Audit logs are only available on the Enterprise Grid plan.
Organization Owner permissions in your Slack Enterprise Grid organization. Only organization owners can approve and install apps that access the Audit Logs API.
Permissions in Scanner to create the integration.
Step 1: Create a New Source
In the Scanner UI, go to the Collect tab.
From the Overview page, click the '+' icon in the upper right corner.
Select create new Collect Rule.
Choose Slack.
Select the Log Type:
Slack: Audit Logs - captures security and compliance events from the Slack Audit Logs API
Click Continue.
Step 2: Configure the Collect Rule Source
Set a Display Name, such as my-org-slack-audit-logs-source.
Click Next.
Step 3: Authenticate with Slack
If you've previously created a Slack connection for audit logs, select it from the list.
Otherwise, select New Slack Connection to authenticate with Slack, allowing the Scanner Slack app to access your Slack organization.
Click Next.
Step 4: Configure the Collect Rule Destination
Choose the S3 Bucket where the raw Slack audit logs should be stored.
(Optional) Enter a Bucket Prefix to organize the data path in your bucket.
Click Next.
Step 5: Index Logs to Scanner
Click "Index Logs to Scanner" to set up an index rule for the logs collected in your S3 Bucket.
Set a name for the index rule, such as index-rule-for-my-org-slack-audit-logs-source.
Click Next.
Step 6: Configure the Index Rule Origin
Select the S3 Bucket you configured in Step 4.
Provide the same Bucket Prefix you used in Step 4.
Use the default Log Format of JsonObjects / Gzip.
Click Next.
Step 7: Configure the Index Rule Destination
Choose the Scanner Index where logs will be made searchable, creating a new index if desired.
Leave the Source Label as the default: slack
Click Next.
Step 8: Transform and Enrich
Keep the default transformation steps: Normalize to ECS - Slack and Parse JSON Columns.
The first step maps log fields to the Elastic Common Schema (ECS), making it easier to write cross-source queries and detection rules.
(Optional) Add additional transformation or enrichment steps if needed.
Click Next.
Step 9: Timestamp Extraction
Leave the default timestamp extraction settings. Scanner will automatically extract timestamps from the Slack audit log events.
Click Next.
Step 10: Review and Create
Review your configuration settings before creating the index rule.
Click Create Index Rule.
What Happens Next
Once created:
Scanner will poll the Slack Audit Logs API every 5 minutes.
New events will be written to your S3 bucket, under the specified key prefix.
Logs will then be indexed for search and detections using the Scanner index you selected in Step 7.
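As an added example (not Scanner's or Slack's own code), the script below shows what the data landing in the bucket looks like to a consumer and what a simple detection over it can do: it decodes a gzipped JSON-objects blob, reads the event timestamp from the Slack date_create field (the value Step 9 extracts), and flags an actor that logs in successfully right after a burst of failed logins from the same IP. It assumes one JSON object per line and the Slack Audit Logs API entry shape (action, date_create in epoch seconds, actor.user.id, context.ip_address); the sample events are constructed.

```python
import gzip
import json
from collections import defaultdict
from datetime import datetime, timezone

FAILED_LOGIN_THRESHOLD = 3   # failed logins per actor+IP before we alert
WINDOW_SECONDS = 10 * 60     # look-back window for the failed-login burst

def parse_gzipped_entries(blob: bytes) -> list[dict]:
    """Decode a gzipped, newline-delimited JSON object stream (assumed layout)."""
    text = gzip.decompress(blob).decode("utf-8")
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def event_time(entry: dict) -> datetime:
    """Slack audit entries carry date_create as Unix epoch seconds."""
    return datetime.fromtimestamp(entry["date_create"], tz=timezone.utc)

def detect_login_bursts(entries: list[dict]) -> list[dict]:
    """Alert when an actor+IP pair reaches FAILED_LOGIN_THRESHOLD failed logins
    inside WINDOW_SECONDS and then produces a successful user_login."""
    failures = defaultdict(list)  # (user_id, ip) -> epoch seconds of failures
    alerts = []
    for e in sorted(entries, key=lambda x: x["date_create"]):
        key = (e["actor"]["user"]["id"], e.get("context", {}).get("ip_address"))
        t = e["date_create"]
        if e["action"] == "user_login_failed":
            failures[key].append(t)
        elif e["action"] == "user_login":
            recent = [f for f in failures[key] if t - f <= WINDOW_SECONDS]
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                alerts.append({"user": key[0], "ip": key[1],
                               "failed_attempts": len(recent),
                               "login_at": event_time(e).isoformat()})
            failures[key].clear()
    return alerts

def _entry(action, user_id, ip, ts):
    # Constructed sample event in the assumed Slack audit entry shape.
    return {"action": action, "date_create": ts,
            "actor": {"type": "user", "user": {"id": user_id}},
            "context": {"ip_address": ip}}

SAMPLE_BLOB = gzip.compress("\n".join(json.dumps(x) for x in [
    _entry("user_login_failed", "W012", "203.0.113.7", 1700000000),
    _entry("user_login_failed", "W012", "203.0.113.7", 1700000060),
    _entry("user_login_failed", "W012", "203.0.113.7", 1700000120),
    _entry("user_login", "W012", "203.0.113.7", 1700000180),
    _entry("user_login", "W034", "198.51.100.9", 1700000200),
]).encode())

if __name__ == "__main__":
    print(detect_login_bursts(parse_gzipped_entries(SAMPLE_BLOB)))
```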