Slack Audit¶
About¶
Slack is a proprietary business communication platform developed by American software company Slack Technologies. Slack offers many IRC-style features, including persistent chat rooms organized by topic, private groups, and direct messaging.
Product Details¶
Vendor URL: Slack is where the future works
Product Type: Messaging
Product Tier: Tier II
Integration Method: API
Integration URL: n/a
Log Guide: Slack Audit Logs
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 75%
Data Label: SLACK_AUDIT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field | UDM Event Type |
|---|---|---|
| observer | observer.hostname | Observer |
| observer | observer.ip | Observer |
| user_email | principal.user.userid | Principal |
| usergroup | principal.user.groupid | Principal |
| user | principal.user.user_display_name | Principal |
| vendor | metadata.vendor_name | Metatdata |
| product | metadata.product_name | Metadata |
| version | metadata.product_version | Metadata |
| product_event | metadata.product_event_type | Metadata |
| GENERIC_EVENT/FILE_UNCATEGORIZED/USER_STATS/GROUP_UNCATEGORIZED | metadata.event_type | Metadata |
| filepath | target.file.full_path | Target |
| suser/filename | metadata.description | Metadata |
| src | principal.hostname | Principal |
| src | principal.ip | Principal |
| domain | principal.administrative_domain | Prinicpal |
| service | target.administrative_domain | Target |
| cs4 | network.http.user_agent | Network |
Product Event Types¶
| Description | metadata.event_type |
|---|---|
| file_downloaded | FILE_MOVE |
| file_shared | FILE_MOVE |
| file_uploaded | FILE_MOVE |
| user_channel_join | USER_UNCATEGORIZED |
| user_channel_leave | USER_UNCATEGORIZED |
| public_channel_created | USER_RESOURCE_CREATION |
| public_channel_archive | USER_RESOURCE_DELETION |
| private_channel_created | USER_RESOURCE_CREATION |
| private_channel_archive | USER_RESOURCE_DELETION |
| user_deactivated | USER_DELETION |
| emoji_created | GENERIC_EVENT |
Log Sample¶
<14>2021-06-21T19:52:42.234+00:00 sysloghost SLACKAPI[0]: 2021-06-21T19:52:42.234Z SERVERNAME CEF:0|Slack|SlackAuditAPI|1.0|channel|private_channel_archive|Unknown|flexDate1=cs5 cs5=cs5 cs5Label=Event Time (Epoch UTC) externalId=extid categoryObject=user categoryDeviceGroup=SLACKGROUP categorySignificance=Slackbot categoryTechnique= sproc=channel suid=suid suser=username flexString1=private flexString1Label=Channel Privacy Type categoryBehavior=false categoryOutcome=false destinationServiceName=workspace cs1=HOSTNAME cs1Label=Location ID cs2=DOMAIN US cs2Label=Location Name cs3=LOCALDOMAIN cs3Label=Location Domain cs4= cs4Label=User Agent src=127.0.0.1
Sample Parsing¶
metadata.event_timestamp = "2021-08-27T11:37:12Z"
metadata.event_type = "FILE_MOVE"
metadata.vendor_name = "Slack"
metadata.product_name = "SlackAuditAPI"
metadata.product_event_type = "file_downloaded"
metadata.ingested_timestamp = "2021-08-27T12:00:12.588656Z"
principal.hostname = "HOSTNAME"
principal.user.userid = "username"
principal.user.groupid = "ADMIN_GROUP"
principal.user.user_display_name = "John Doe"
principal.ip = "10.10.10.101"
principal.administrative_domain = "DOMAIN"
principal.namespace = "COMPANYNAME"
src.file.full_path = "filename"
src.file.mime_type = "jpg"
src.email = johndoe@domain.com
src.namespace = "domain.com"
target.file.full_path = "filename"
target.file.mime_type = "jpg"
target.resource.parent = "admin-channel"
target.resource.resource_subtype = "enterprise"
target.namespace = "admin-channel"
network.http.user_agent = "Mozilla/5.0 (Windows NT 10.0.18363; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.18.0 Chrome/91.0.4472.124 Electron/13.1.6 Safari/537.36 OS_Product/Workstation Sonic Slack_SSB/4.18.0"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming soon