Slack

Panther has the ability to fetch Slack audit logs by querying the Audit Logs API. Panther will query the api every 1 minute.

  • Please note the Audit Logs API is only available to Slack workspaces on Slack Enterprise Grid.

    The Audit Logs API is not available in the Free, Standard, or Plus plans.

  • Only an owner of the Slack organization can perform the steps below!

In order for Panther to access the Slack API you need to create a new 'Slack App' and provide the app credentials to Panther.

Create a new Slack Source in Panther

  1. Login to your Panther account

  2. Go to Log analysis > Sources from the sidebar menu

  3. Click Add Source

  4. Select Slack from the list of available types

  5. Enter a name for the source (e.g. My Slack logs), then click Next

  6. The next page asks you to enter the App Client ID and the Client Secret of a Slack App with access to your Slack Audit logs. Click on Copy Redirect URL and save it somewhere temporarily, as you will need it later.

Create a new Slack App

In the following steps, you will be creating a Slack app with permissions to pull Audit logs from your Enterprise Grid workspaces. For security and availability reasons, we recommend creating a new Slack App that will be used only by Panther.

  1. Sign in to a workspace belonging to the Enterprise grid you want to monitor. You must sign-in as an owner of the organization!

  2. You will be presented with a screen displaying all the workspaces in your Enterprise Grid. Click Launch in Slack on a workspace you are interested to monitor. You will be signed-in to that workspace.

  3. Go to Slack apps and click Create New App

  4. Enter an App Name e.g. Panther monitoring

  5. Select the workspace you signed in earlier. Click on Create App.

    The App will be created in the selected workspace but later you will be able to use to monitor the entire Enterprise Grid organization

  6. Click OAuth & Permissions in the left navigation panel

  7. Scroll down to the Redirect URLs section and add the redirect url that you copied from the Panther wizard.

    Click Add and then Save URLs

  8. Scroll down to the section titled Scopes -> User Token Scopes. Add the auditlogs:read scope

  9. In the app's settings, select Manage Distribution from the left navigation. Under the section titled

    Share Your App with Other Workspaces, select all four options

  10. Click the green Activate Public Distribution button

  11. Go to the Settings -> Basic Information in the left navigation panel

  12. Go to App Credentials section. Copy Client ID and Client Secret

Finalize Slack onboarding in Panther

  1. Go back to the Slack onboarding wizard in the Panther UI

  2. Paste Client ID and Client Secret credentials of the Slack App you just created

  3. Click Next. The credentials will be stored, encrypted, in the Panther backend

  4. Click Save Source

  5. Click Authorize. You will be redirected to a Slack page to install your app. Make sure you install it to the Enterprise Organization and not to a specific workspace!

  6. Click Allow

  7. Your new Slack Source should be healthy and ready to fetch audit logs from Slack!

Note: The integration will stop working if:

  • the account of the user that installed the app to the organization is deactivated

  • the app was deleted, the access token was revoked, or the app credentials are rotated