Panther can fetch Slack audit logs by querying the Audit Logs API. Panther queries the API every 1 minute.
In order for Panther to access the Slack API, you need to create a new Slack App and provide the app credentials to Panther.
Log in to your Panther account
Go to Log analysis > Sources from the sidebar menu
Click Add Source
Select Slack from the list of available types
Enter a name for the source (e.g. My Slack logs), then click Next
The next page asks you to enter the App Client ID and the Client Secret of a Slack App with access to your Slack Audit logs. Click on Copy Redirect URL and save it somewhere temporarily, as you will need it later.
In the following steps, you will be creating a Slack app with permissions to pull Audit logs from your Enterprise Grid workspaces. For security and availability reasons, we recommend creating a new Slack App that will be used only by Panther.
Go to Slack workspace sign-in
Sign in to a workspace belonging to the Enterprise Grid you want to monitor. You must sign in as an owner of the organization!
You will be presented with a screen displaying all the workspaces in your Enterprise Grid. Click Launch in Slack on a workspace you want to monitor. You will be signed in to that workspace.
Go to Slack apps and click Create New App
Enter an App Name e.g.
Select the workspace you signed in to earlier. Click on Create App.
The App will be created in the selected workspace, but later you will be able to use it to monitor the entire Enterprise Grid organization
Click OAuth & Permissions in the left navigation panel
Scroll down to the Redirect URLs section and add the Redirect URL that you copied from the Panther wizard.
Click Add and then Save URLs
Scroll down to the section titled Scopes -> User Token Scopes. Add the
In the app's settings, select Manage Distribution from the left navigation. Under the section titled Share Your App with Other Workspaces, select all four options
Click the green Activate Public Distribution button
Go to Settings -> Basic Information in the left navigation panel
Go to the App Credentials section. Copy the Client ID and Client Secret
Go back to the Slack onboarding wizard in the Panther UI
Paste the Client ID and Client Secret credentials of the Slack App you just created
Click Next. The credentials will be stored, encrypted, in the Panther backend
Click Save Source
Click Authorize. You will be redirected to a Slack page to install your app. Make sure you install it to the Enterprise Organization and not to a specific workspace!
Your new Slack Source should be healthy and ready to fetch audit logs from Slack!