# Slack

This guide walks through how to set up Slack as a log source in Scanner Collect, using direct API integration with the [Slack Audit Logs API](https://api.slack.com/admins/audit-logs). Scanner will authenticate using [OAuth 2.0](https://docs.slack.dev/authentication/installing-with-oauth) to pull audit logs from Slack.

Slack audit logs capture security-relevant events across your Slack Enterprise organization, such as user logins, file downloads, channel creation, app installations, and changes to workspace settings. For a general overview of what audit logs are and how they can be used, see [Audit logs in Slack](https://slack.com/help/articles/360000394286-Audit-logs-in-Slack).

We'll assume that you want Scanner to both store the logs in S3 and index them for search and detection.

## Prerequisites

Before you begin, make sure you have:

* **A Slack Enterprise Grid organization.** Audit logs are only available on the Enterprise Grid plan.
* **Organization Owner permissions** in your Slack Enterprise Grid organization. Only organization owners can approve and install apps that access the Audit Logs API.
* Permissions in Scanner to create the integration.

### Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

* From the Overview page, click the '+' icon in the upper right corner.
* Select create new **Collect Rule**.
* Choose **Slack**.
* Select the **Log Type**:
  * **Slack: Audit Logs** - captures security and compliance events from the Slack Audit Logs API.

Click Continue.

### Step 2: Configure the Collect Rule Source

* Set a **Display Name**, such as `my-org-slack-audit-logs-source`.

Click Next.

### Step 3: Authenticate with Slack

* If you've previously created a Slack connection for audit logs, select it from the list.
* Otherwise, select **New Slack Connection** to authenticate with Slack, allowing the Scanner Slack app to access your Slack organization.

Click Next.

### Step 4: Configure the Collect Rule Destination

* Choose the S3 Bucket where the raw Slack audit logs should be stored.
* (Optional) Enter a Bucket Prefix to organize the data path in your bucket.

Click Next.

### Step 5: Index Logs to Scanner

* Click **Index Logs to Scanner** to set up an index rule for the logs collected in your S3 Bucket.
* Set a name for the index rule, such as `index-rule-for-my-org-slack-audit-logs-source`.

Click Next.

### Step 6: Configure the Index Rule Origin

* Select the S3 Bucket you configured in Step 4.
* Provide the same Bucket Prefix you used in Step 4.
* Use the default Log Format of JsonObjects / Gzip.

Click Next.

### Step 7: Configure the Index Rule Destination

* Choose the Scanner Index where logs will be made searchable, creating a new index if desired.
* Leave the Source Label as the default: `slack`.

Click Next.

### Step 8: Transform and Enrich

* Keep the default transformation steps: **Normalize to ECS - Slack** and **Parse JSON Columns**.
  * The first step maps log fields to the Elastic Common Schema (ECS), making it easier to write cross-source queries and detection rules.
* (Optional) Add additional transformation or enrichment steps if needed.

Click Next.

### Step 9: Timestamp Extraction

Leave the default timestamp extraction settings. Scanner will automatically extract timestamps from the Slack audit log events.

Click Next.
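To make Steps 8 and 9 concrete, here is an added Python example (not Scanner's own transformation code and not a description of what its **Normalize to ECS - Slack** step does) that takes one Slack audit entry and produces dotted ECS field names plus an ISO 8601 `@timestamp`. The sample entry is constructed in the entry shape the Audit Logs API documents (`id`, `date_create` in epoch seconds, `action`, `actor`, `entity`, `context`); the ids, names, IP and user agent in it are made up, and the choice of which ECS fields receive which Slack fields is this example's own assumption.

```python
from datetime import datetime, timezone

# Constructed sample entry, modelled on the documented Audit Logs API entry shape.
# Every value below is made up for illustration.
SAMPLE_ENTRY = {
    "id": "0123a45b-6c7d-8900-e12f-3456789gh0i1",
    "date_create": 1700000000,          # Unix epoch seconds, UTC
    "action": "user_login",
    "actor": {"type": "user",
              "user": {"id": "W123AB456", "name": "Charlie Parker", "email": "bird@example.com"}},
    "entity": {"type": "user",
               "user": {"id": "W123AB456", "name": "Charlie Parker", "email": "bird@example.com"}},
    "context": {
        "location": {"type": "enterprise", "id": "E1701NCCA", "name": "Birdland", "domain": "birdland"},
        "ua": "Mozilla/5.0 (constructed user agent)",
        "ip_address": "203.0.113.10",
    },
}


def extract_timestamp(entry):
    """Timestamp extraction: date_create is epoch seconds; render it as ISO 8601 UTC with a Z suffix."""
    ts = datetime.fromtimestamp(int(entry["date_create"]), tz=timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize_to_ecs(entry):
    """Illustrative (assumed) mapping of a Slack audit entry onto ECS field names, returned as dotted keys."""
    actor = entry.get("actor", {})
    entity = entry.get("entity", {})
    ctx = entry.get("context", {})
    ecs = {
        "@timestamp": extract_timestamp(entry),
        "event.id": entry["id"],
        "event.action": entry["action"],
        "event.kind": "event",
        "event.module": "slack",
        "event.dataset": "slack.audit",
    }
    # The actor is who performed the action; ECS keeps that under user.* when it is a user.
    if actor.get("type") == "user":
        user = actor.get("user", {})
        ecs["user.id"] = user.get("id")
        ecs["user.name"] = user.get("name")
        ecs["user.email"] = user.get("email")
    # The entity is what was acted on. Keep its raw type for filtering, and for a user entity
    # use ECS user.target.* so actor and target stay distinguishable in queries.
    ecs["slack.entity.type"] = entity.get("type")
    if entity.get("type") == "user":
        target = entity.get("user", {})
        ecs["user.target.id"] = target.get("id")
        ecs["user.target.email"] = target.get("email")
    # Request context: client address, user agent, and the enterprise the event belongs to.
    if ctx.get("ip_address"):
        ecs["source.ip"] = ctx["ip_address"]
    if ctx.get("ua"):
        ecs["user_agent.original"] = ctx["ua"]
    loc = ctx.get("location", {})
    if loc:
        ecs["organization.id"] = loc.get("id")
        ecs["organization.name"] = loc.get("name")
    return {k: v for k, v in ecs.items() if v is not None}


if __name__ == "__main__":
    for field, value in normalize_to_ecs(SAMPLE_ENTRY).items():
        print(f"{field}: {value}")
```

Keeping the actor in `user.*` and the entity in `user.target.*` is what makes a cross-source rule such as "login from a new IP" or "admin action on another user's account" expressible the same way for Slack as for any other ECS-normalized source.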

### Step 10: Review and Create

Review your configuration settings before creating the index rule.

Click **Create Index Rule**.

## What Happens Next

Once created:

* Scanner will poll the Slack Audit Logs API every **5 minutes**.
* New events will be written to your S3 bucket, under the specified key prefix.
* Logs will then be indexed for search and detections using the Scanner index you selected in Step 7.
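The polling behaviour described above can be seen end to end in the following added Python example, which is not Scanner's code and makes no claim about how Scanner's collector is built. It pulls the real endpoint `https://api.slack.com/audit/v1/logs` with a Bearer user token (the `auditlogs:read` scope the OAuth install grants), follows cursor pagination, and writes each cycle's entries as gzip-compressed newline-delimited JSON under a key prefix. Because the API's `oldest` parameter is inclusive, the checkpoint carries the ids already delivered for its boundary second so that a 5-minute cadence neither duplicates nor drops events that share a timestamp. `make_fake_api`, `SAMPLE_ENTRIES`, the in-memory `store` standing in for S3 `put_object`, and the key layout are constructed for the example; the reading of "JsonObjects / Gzip" as newline-delimited JSON objects is an assumption.

```python
import gzip
import json
import time
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Real endpoint. The token is the user token granted by the OAuth install (scope auditlogs:read).
AUDIT_LOGS_URL = "https://api.slack.com/audit/v1/logs"


def slack_get_json(token, params):
    """Real transport: one GET against the Audit Logs API with a Bearer token."""
    req = urllib.request.Request(
        AUDIT_LOGS_URL + "?" + urllib.parse.urlencode(params),
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_entries(get_json, oldest, limit=100):
    """Follow cursor pagination: request pages until response_metadata.next_cursor is empty."""
    params = {"oldest": int(oldest), "limit": limit}
    while True:
        page = get_json(params)
        yield from page.get("entries", [])
        cursor = page.get("response_metadata", {}).get("next_cursor")
        if not cursor:
            return
        params = {**params, "cursor": cursor}


def poll_once(get_json, checkpoint, store, prefix):
    """One poll cycle. checkpoint = {"oldest": epoch_seconds, "seen_ids": [...]}.
    `oldest` is inclusive on the API side, so ids already delivered for that second are carried
    along and filtered out: no duplicates in S3, and no same-second event is skipped."""
    oldest = checkpoint["oldest"]
    seen = set(checkpoint["seen_ids"])
    new = [e for e in iter_entries(get_json, oldest) if e["id"] not in seen]
    if not new:
        return checkpoint, 0
    new.sort(key=lambda e: (e["date_create"], e["id"]))
    newest = new[-1]["date_create"]
    boundary = {e["id"] for e in new if e["date_create"] == newest}
    if newest == oldest:          # still inside the checkpoint second: keep the earlier ids too
        boundary |= seen
    # Output as newline-delimited JSON objects, gzip-compressed, under the prefix with a date path.
    # `store` is a dict standing in for S3 put_object (constructed for the example).
    day = datetime.fromtimestamp(newest, tz=timezone.utc)
    key = f"{prefix}/{day:%Y/%m/%d}/slack-audit-{newest}-{new[0]['id']}.json.gz"
    body = "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in new)
    store[key] = gzip.compress(body.encode("utf-8"))
    return {"oldest": newest, "seen_ids": sorted(boundary)}, len(new)


def read_objects(store, key):
    """Decode one stored file back into a list of dicts (for inspecting the output)."""
    return [json.loads(line) for line in gzip.decompress(store[key]).decode("utf-8").splitlines()]


# Constructed sample entries in the documented entry shape; ids, times and addresses are made up.
SAMPLE_ENTRIES = [
    {"id": "evt-1", "date_create": 1700000000, "action": "user_login",
     "actor": {"type": "user", "user": {"id": "W111", "email": "a@example.com"}}},
    {"id": "evt-2", "date_create": 1700000000, "action": "file_downloaded",
     "actor": {"type": "user", "user": {"id": "W111", "email": "a@example.com"}}},
    {"id": "evt-3", "date_create": 1700000300, "action": "channel_created",
     "actor": {"type": "user", "user": {"id": "W222", "email": "b@example.com"}}},
]


def make_fake_api(all_entries, page_size=2):
    """Constructed stand-in for the API: applies the inclusive `oldest` filter and pages via a cursor."""
    def get_json(params):
        matching = [e for e in all_entries if e["date_create"] >= int(params["oldest"])]
        start = int(params.get("cursor") or 0)
        page = matching[start:start + page_size]
        next_cursor = str(start + page_size) if start + page_size < len(matching) else ""
        return {"entries": page, "response_metadata": {"next_cursor": next_cursor}}
    return get_json


def demo():
    """Two consecutive poll cycles against the fake API; the second must deliver nothing new."""
    store = {}
    api = make_fake_api(SAMPLE_ENTRIES)
    checkpoint = {"oldest": 1700000000, "seen_ids": []}
    checkpoint, first = poll_once(api, checkpoint, store, "slack/audit")
    checkpoint, second = poll_once(api, checkpoint, store, "slack/audit")
    return checkpoint, first, second, store


def run_forever(token, store, prefix, checkpoint, interval_s=300):
    """Production loop shape: the page's 5-minute cadence with the real transport."""
    while True:
        checkpoint, _ = poll_once(lambda p: slack_get_json(token, p), checkpoint, store, prefix)
        time.sleep(interval_s)


if __name__ == "__main__":
    cp, first, second, store = demo()
    print(first, second, cp, list(store))
```

Persist the checkpoint (both the timestamp and the boundary ids) somewhere durable before the next cycle; losing it means either re-delivering everything since `oldest` or, if you guess a later timestamp, silently skipping events.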
