Slack

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Slack Audit Logs |  |  |  |  | slack_audit_logs | NDJSON | API |
| Slack Users |  |  |  |  | slack_users | NDJSON | API |
| Slack Files |  |  |  |  | slack_files | NDJSON | API |

Overview

Slack is a SaaS instant messaging program for professional and organizational communications, as well as a community platform.

Integrating Slack into Hunters allows the collection and ingestion of key data types into the data lake. Furthermore, the data is mapped to the Hunters detection engine, which allows investigation and correlation with other related signals.

Supported data types

📘Note

For Slack Enterprise Organizations that have more than one workspace, Hunters currently supports only Slack Audit Logs.

Slack Audit Logs

Table name: slack_audit_logs

Slack Audit Logs are a crucial feature for administrators looking to monitor and audit actions within their Slack workspace. These logs provide a comprehensive record of operations performed by users and the system, including changes to workspace settings, user management activities, app installations, and access permissions modifications.

Learn more here.

Slack Users

Table name: slack_users

Slack User Logs are detailed records of individual user activities within the Slack platform. These logs capture a wide array of actions, including messages sent, channels joined or left, files uploaded, and interactions with integrated apps. The purpose of maintaining such logs is multifold: they offer insights into user behavior, facilitate the monitoring of compliance with organizational policies, and assist in security audits by tracking potential unauthorized or suspicious activities.

Learn more here.

Slack Files

Table name: slack_files

Slack File Logs provide detailed information about file activities within the Slack environment. These logs track when users upload, download, share, or delete files, offering insights into how information is shared and managed across the platform. By maintaining a comprehensive record of file transactions, Slack File Logs are essential for data management, security, and compliance purposes.

Learn more here.

Send data to Hunters

Hunters supports the collection of logs from Slack using the Slack API.

To connect Slack logs:

  1. Retrieve the API key by following these steps:

    1. Log into your Slack Workspace with Admin access.

    2. Create a new Slack Application named "Hunters API Integration". Click here to learn more.

    3. In the app settings, select OAuth & Permissions from the left navigation.

    4. Scroll down to Scopes > User Token Scopes and then click Add an OAuth Scope.

    5. Choose the relevant scopes with respect to the available plan and required data types (see breakdown below).

    6. Install the application.

      After installation, a user API token will be automatically generated, in the following format: xoxp-123456789123-987654321098-135791357913-a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6. The token will also appear under the OAuth & Permissions section.

  2. Complete the process on the Hunters platform, following this guide.


⚠️ Attention

  • In case additional scopes are added to the same application in the future, a re-installation of the app is required, which results in a new token being generated. The old token needs to be replaced with the new one on the Hunters platform.

  • In the table below you can find the required scopes per data type. Data types that require an additional license are turned off by default in the Hunters UI.

    | Data Type | Required Scope | Additional License Required |
    |---|---|---|
    | Slack Audit Logs | auditlogs:read | Enterprise Grid |
    | Slack Users | users:read |  |
    | Slack Files | files:read |  |

Expected format

Logs are expected in JSON format, one record per line (NDJSON), as in the samples below.

Slack Audit Logs Sample

{"id": "12341", "date_create": 1678949258, "action": "file_downloaded", "actor": {"type": "user", "user": {"id": "12343", "name": "Name A", "email": "user1@test.com", "team": "12345"}}, "entity": {"type": "file", "file": {"id": "12347", "name": "image.png", "filetype": "image/png", "title": "image.png"}}, "context": {"location": {"type": "workspace", "id": "123410", "name": "test.com", "domain": "test.com"}, "ua": "com.tinyspeck.chatlyio/23.03.30 (iPhone; iOS 12.1.1; Scale/1.00)", "ip_address": "12.123.12.123", "session_id": 123413}, "details": {"url_private": "https://files.slack.com/files-pri/12345/image.png"}}
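As an added example that is not part of the Hunters documentation or the Slack API, the following Python flattens slack_audit_logs records shaped like the sample above into the fields an analyst pivots on (actor e-mail, action, entity name, source IP, user agent), skipping malformed lines, and then surfaces any actor with repeated file_downloaded events inside a time window. The NDJSON lines are constructed for this example (one is deliberately truncated), and the flattened field names and the default threshold are assumptions, not Hunters schema.

```python
import json
from collections import defaultdict

# Constructed NDJSON input shaped like the page's slack_audit_logs sample; the IDs,
# e-mails and IPs are made up, and the last line is deliberately malformed.
SAMPLE_NDJSON = """\
{"id": "1", "date_create": 1678949258, "action": "file_downloaded", "actor": {"type": "user", "user": {"id": "U1", "name": "Name A", "email": "user1@test.com", "team": "T1"}}, "entity": {"type": "file", "file": {"id": "F1", "name": "image.png", "filetype": "image/png", "title": "image.png"}}, "context": {"location": {"type": "workspace", "id": "W1", "name": "test.com", "domain": "test.com"}, "ua": "com.tinyspeck.chatlyio/23.03.30 (iPhone; iOS 12.1.1; Scale/1.00)", "ip_address": "12.123.12.123", "session_id": 1}, "details": {"url_private": "https://files.slack.com/files-pri/1/image.png"}}
{"id": "2", "date_create": 1678949300, "action": "file_downloaded", "actor": {"type": "user", "user": {"id": "U1", "name": "Name A", "email": "user1@test.com", "team": "T1"}}, "entity": {"type": "file", "file": {"id": "F2", "name": "budget.xlsx", "filetype": "application/vnd.ms-excel", "title": "budget.xlsx"}}, "context": {"location": {"type": "workspace", "id": "W1", "name": "test.com", "domain": "test.com"}, "ua": "Mozilla/5.0", "ip_address": "12.123.12.123", "session_id": 1}, "details": {}}
{"id": "3", "date_create": 1678949400, "action": "user_login", "actor": {"type": "user", "user": {"id": "U2", "name": "Name B", "email": "user2@test.com", "team": "T1"}}, "entity": {"type": "user", "user": {"id": "U2", "name": "Name B"}}, "context": {"location": {"type": "workspace", "id": "W1", "name": "test.com", "domain": "test.com"}, "ua": "Mozilla/5.0", "ip_address": "10.0.0.5", "session_id": 2}, "details": {}}
{"id": "4", "date_create": 1678949500, "action": "truncated_record"
"""

def parse_audit_events(ndjson_text):
    """Flatten each record into the fields an analyst pivots on (assumed names)."""
    events = []
    for line in ndjson_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a blank or malformed line must not abort the whole batch
        actor = rec.get("actor", {}).get("user", {})
        entity = rec.get("entity", {})
        etype = entity.get("type", "")  # "file", "user", ... selects the sub-object
        ctx = rec.get("context", {})
        events.append({
            "ts": rec.get("date_create"),  # epoch seconds
            "action": rec.get("action"),
            "actor_email": actor.get("email"),
            "entity_type": etype,
            "entity_name": entity.get(etype, {}).get("name"),
            "ip": ctx.get("ip_address"),
            "ua": ctx.get("ua"),
        })
    return events

def flag_bulk_downloads(events, threshold=2, window_seconds=3600):
    """Actors with >= threshold file_downloaded events inside one window (assumed defaults)."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] == "file_downloaded" and ev["ts"] is not None:
            by_actor[ev["actor_email"]].append(ev["ts"])
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window_seconds:
                flagged[actor] = len(times)  # report the actor's total download count
                break
    return flagged
```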

Slack Files Sample

{"id": "12341", "created": 1679238067, "timestamp": 1679238067, "name": "image.png", "title": "image", "mimetype": "image/png", "filetype": "png", "pretty_type": "PNG", "user": "12343", "user_team": "12345", "editable": false, "size": 39243, "mode": "hosted", "is_external": false, "external_type": "", "is_public": true, "public_url_shared": false, "display_as_bot": false, "username": "", "url_private": "https://files.slack.com/files-pri/1234-1234/image.png", "url_private_download": "https://files.slack.com/files-pri/1234-12347/download/image.png", "media_display_type": "unknown", "thumb_64": "https://files.slack.com/files-tmb/1234-1239-12341/image_64.png", "thumb_80": "https://files.slack.com/files-tmb/TDV50RZM0-F04U7MERKRD-12344/image_80.png", "thumb_360": "https://files.slack.com/files-tmb/TDV50RZM0-F04U7MERKRD-12342/image_360.png", "thumb_360_w": 360, "thumb_360_h": 266, "thumb_480": "https://files.slack.com/files-tmb/TDV50RZM0-F04U7MERKRD-12343/image_480.png", "thumb_480_w": 480, "thumb_480_h": 355, "thumb_160": "https://files.slack.com/files-tmb/TDV50RZM0-F04U7MERKRD-12344/image_160.png", "original_w": 570, "original_h": 421, "thumb_tiny": "AwAjADDSzz/9ajP1/KkP3qSgB2R7/lRn6/lTaKAHZ/zijP8AnFNpR/12347/12349/Z", "permalink": "https://org.slack.com/files/U042F1VFN7P/12343/image.png", "permalink_public": "https://slack-files.com/TDV50RZM0-F04U7MERKRD-1233", "channels": ["123414"], "groups": [], "ims": [], "comments_count": 0}

Slack Users Sample

{"id": "A00B111CDEF", "team_id": "TEAMID123", "name": "name1", "deleted": false, "color": "9f69e7", "real_name": "name1", "tz": "Asia/Kolkata", "tz_label": "India Standard Time", "tz_offset": 19800, "profile": {"title": "", "phone": "", "skype": "", "real_name": "name1", "real_name_normalized": "name1", "display_name": "", "display_name_normalized": "", "fields": null, "status_text": "", "status_emoji": "", "status_emoji_display_info": [], "status_expiration": 0, "avatar_hash": "g123a4d5a6a7", "first_name": "name1", "last_name": "", "image_24": "https://test.example.com/avatar/122a3d4a5a6666ac7c8eedcf99b0d11e.jpg", "image_32": "https://test.example.com/avatar/122a3d4a5a6666ac7c8eedcf99b0d11e2.jpg", "image_48": "https://test.example.com/avatar/122a3d4a5a6666ac7c8eedcf99b0d11e3.jpg", "image_72": "https://test.example.com/avatar/122a3d4a5a6666ac7c8eedcf99b0d11e4.jpg", "status_text_canonical": "", "team": "TEAMID123"}, "is_admin": true, "is_owner": true, "is_primary_owner": true, "is_restricted": false, "is_ultra_restricted": false, "is_bot": false, "is_app_user": false, "updated": 1667874680, "is_email_confirmed": true, "has_2fa": false, "who_can_share_contact_card": "EVERYONE"}