Skip to content

Slack Audit

Slack Audit

About

Slack is a proprietary business communication platform developed by American software company Slack Technologies. Slack offers many IRC-style features, including persistent chat rooms organized by topic, private groups, and direct messaging.

Product Details

Vendor URL: Slack is where the future works

Product Type: Messaging

Product Tier: Tier II

Integration Method: API

Integration URL: n/a

Log Guide: Slack Audit Logs

Parser Details

Log Format: Syslog

Expected Normalization Rate: 75%

Data Label: SLACK_AUDIT

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field UDM Event Type
observer observer.hostname Observer
observer observer.ip Observer
user_email principal.user.userid Principal
usergroup principal.user.groupid Principal
user principal.user.user_display_name Principal
vendor metadata.vendor_name Metatdata
product metadata.product_name Metadata
version metadata.product_version Metadata
product_event metadata.product_event_type Metadata
GENERIC_EVENT/FILE_UNCATEGORIZED/USER_STATS/GROUP_UNCATEGORIZED metadata.event_type Metadata
filepath target.file.full_path Target
suser/filename metadata.description Metadata
src principal.hostname Principal
src principal.ip Principal
domain principal.administrative_domain Prinicpal
service target.administrative_domain Target
cs4 network.http.user_agent Network

Product Event Types

Description metadata.event_type
file_downloaded FILE_MOVE
file_shared FILE_MOVE
file_uploaded FILE_MOVE
user_channel_join USER_UNCATEGORIZED
user_channel_leave USER_UNCATEGORIZED
public_channel_created USER_RESOURCE_CREATION
public_channel_archive USER_RESOURCE_DELETION
private_channel_created USER_RESOURCE_CREATION
private_channel_archive USER_RESOURCE_DELETION
user_deactivated USER_DELETION
emoji_created GENERIC_EVENT

Log Sample

<14>2021-06-21T19:52:42.234+00:00 sysloghost SLACKAPI[0]: 2021-06-21T19:52:42.234Z SERVERNAME CEF:0|Slack|SlackAuditAPI|1.0|channel|private_channel_archive|Unknown|flexDate1=cs5 cs5=cs5 cs5Label=Event Time (Epoch UTC) externalId=extid categoryObject=user categoryDeviceGroup=SLACKGROUP categorySignificance=Slackbot categoryTechnique= sproc=channel suid=suid suser=username flexString1=private flexString1Label=Channel Privacy Type  categoryBehavior=false categoryOutcome=false  destinationServiceName=workspace cs1=HOSTNAME cs1Label=Location ID cs2=DOMAIN US cs2Label=Location Name cs3=LOCALDOMAIN cs3Label=Location Domain cs4= cs4Label=User Agent src=127.0.0.1 

Sample Parsing

metadata.event_timestamp = "2021-08-27T11:37:12Z"
metadata.event_type = "FILE_MOVE"
metadata.vendor_name = "Slack"
metadata.product_name = "SlackAuditAPI"
metadata.product_event_type = "file_downloaded"
metadata.ingested_timestamp = "2021-08-27T12:00:12.588656Z"
principal.hostname = "HOSTNAME"
principal.user.userid = "username"
principal.user.groupid = "ADMIN_GROUP"
principal.user.user_display_name = "John Doe"
principal.ip = "10.10.10.101"
principal.administrative_domain = "DOMAIN"
principal.namespace = "COMPANYNAME"
src.file.full_path = "filename"
src.file.mime_type = "jpg"
src.email = johndoe@domain.com
src.namespace = "domain.com"
target.file.full_path = "filename"
target.file.mime_type = "jpg"
target.resource.parent = "admin-channel"
target.resource.resource_subtype = "enterprise"
target.namespace = "admin-channel"
network.http.user_agent = "Mozilla/5.0 (Windows NT 10.0.18363; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.18.0 Chrome/91.0.4472.124 Electron/13.1.6 Safari/537.36 OS_Product/Workstation Sonic Slack_SSB/4.18.0"

Parser Alerting

This product currently does not have any Parser-based Alerting