# Slack

Required fields are in bold.

## Slack.AuditLogs

Slack audit logs provide a view of the actions users perform in an Enterprise Grid organization. Reference: https://api.slack.com/enterprise/audit-logs

| Column | Type | Description |
| --- | --- | --- |
| id | string | The event id |
| date_create | timestamp | Creation timestamp for the event |
| action | string | The action performed. See https://api.slack.com/enterprise/audit-logs#audit_logs_actions |
| actor | `{ "type":string, "user":{ "id":string, "name":string, "email":string, "team":string } }` | An actor will always be a user on a workspace and will be identified by their user ID, such as W123AB456. |
| entity | `{ "type":string, "user":{ "id":string, "name":string, "email":string, "team":string }, "channel":{ "id":string, "name":string, "privacy":string, "is_shared":boolean, "is_org_shared":boolean, "teams_shared_with":[string] }, "file":{ "id":string, "name":string, "title":string, "filetype":string }, "app":{ "id":string, "name":string, "is_distributed":boolean, "is_directory_approved":boolean, "scopes":[string] }, "workspace":{ "id":string, "name":string, "domain":string }, "enterprise":{ "id":string, "name":string, "domain":string }, "workflow":{ "id":string, "name":string }, "message":{ "team":string, "channel":string, "timestamp":string } }` | An entity is the thing the actor has taken the action upon, identified by its Slack ID. Only the sub-object matching `type` is populated. |
| context | `{ "ua":string, "ip_address":string, "location":{ "type":string, "id":string, "domain":string, "name":string } }` | Context is the location in which the actor took the action on the entity. It will always be either a Workspace or an Enterprise, with the appropriate ID. |
| details | string | Additional details about the audit log event |
| p_log_type | string | Panther-added field with the type of log |
| p_row_id | string | Panther-added field with a unique id (within the table) |
| p_event_time | timestamp | Panther-added standardized event time (UTC) |
| p_parse_time | timestamp | Panther-added standardized log parse time (UTC) |
| p_source_id | string | Panther-added field with the source id |
| p_source_label | string | Panther-added field with the source label |
| p_any_ip_addresses | [string] | Panther-added field with the collection of IP addresses associated with the row |
| p_any_domain_names | [string] | Panther-added field with the collection of domain names associated with the row |
| p_any_sha1_hashes | [string] | Panther-added field with the collection of SHA1 hashes associated with the row |
| p_any_md5_hashes | [string] | Panther-added field with the collection of MD5 hashes associated with the row |
| p_any_sha256_hashes | [string] | Panther-added field with the collection of SHA256 hashes associated with the row |
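The following is an added example, not Panther's code and not part of the original schema page. It shows how a detection would walk the nested `actor`, `entity` and `context` objects described in the table: a constructed `app_installed` event for an app whose `is_directory_approved` flag is false is flagged, a constructed `user_login` event is not, and the IP address and workspace domain are gathered into collections resembling the `p_any_*` indicator columns (the grouping here is illustrative, not Panther's own enrichment). The action names `app_installed` and `user_login` are taken from Slack's audit log action list; the `rule`/`title` function shape mirrors a Panther Python detection but the event data, IDs, email and IP are all made up for this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample events shaped like the Slack.AuditLogs schema above (not real Slack data).
_SAMPLE_USER = {"id": "W123AB456", "name": "Sample User",
                "email": "sample.user@example.com", "team": "T1234ABCD"}
_SAMPLE_CONTEXT = {
    "ua": "Mozilla/5.0 (constructed sample)",
    "ip_address": "203.0.113.10",
    "location": {"type": "workspace", "id": "T1234ABCD",
                 "domain": "example-workspace", "name": "Example Workspace"},
}

SAMPLE_APP_INSTALL = json.dumps({
    "id": "0123a45b-6c7d-8e9f-0123-456789abcdef",
    "date_create": 1521214343,            # Slack emits epoch seconds; Panther maps it to a timestamp
    "action": "app_installed",
    "actor": {"type": "user", "user": _SAMPLE_USER},
    "entity": {"type": "app", "app": {
        "id": "A0000000001", "name": "Sample Integration",
        "is_distributed": False, "is_directory_approved": False,
        "scopes": ["channels:history", "files:read"],
    }},
    "context": _SAMPLE_CONTEXT,
    "details": "",
})

SAMPLE_LOGIN = json.dumps({
    "id": "fedcba98-7654-3210-fedc-ba9876543210",
    "date_create": 1521214400,
    "action": "user_login",
    "actor": {"type": "user", "user": _SAMPLE_USER},
    "entity": {"type": "user", "user": _SAMPLE_USER},
    "context": _SAMPLE_CONTEXT,
    "details": "",
})


def parse_event(raw: str) -> dict:
    """Parse one raw JSON audit event; date_create becomes an aware UTC datetime."""
    event = json.loads(raw)
    event["date_create"] = datetime.fromtimestamp(event["date_create"], tz=timezone.utc)
    return event


def rule(event: dict) -> bool:
    """Fire on app_installed events whose app entity is not directory-approved.

    Only the entity sub-object named by entity.type is populated, so guard the lookup
    instead of assuming entity.app exists on every row.
    """
    if event.get("action") != "app_installed":
        return False
    app = event.get("entity", {}).get("app") or {}
    return app.get("is_directory_approved") is False


def title(event: dict) -> str:
    """Human-readable alert title built from actor, entity and context fields."""
    actor = event["actor"]["user"]
    app = event["entity"]["app"]
    loc = event["context"]["location"]
    return (f"{actor['email']} ({actor['id']}) installed unapproved app "
            f"{app['name']} with scopes [{', '.join(app['scopes'])}] "
            f"in {loc['type']} {loc['name']}")


def indicators(event: dict) -> dict:
    """Gather row-level indicators (illustrative stand-in for p_any_ip_addresses / p_any_domain_names)."""
    ctx = event.get("context", {})
    ips = [ctx.get("ip_address")]
    domains = [ctx.get("location", {}).get("domain")]
    return {"ip_addresses": [i for i in ips if i], "domain_names": [d for d in domains if d]}


if __name__ == "__main__":
    for raw in (SAMPLE_APP_INSTALL, SAMPLE_LOGIN):
        ev = parse_event(raw)
        print(ev["action"], ev["date_create"].isoformat(), "alert" if rule(ev) else "no alert")
        if rule(ev):
            print(" ", title(ev), indicators(ev))
```

The `is False` comparison in `rule` is deliberate: a missing `is_directory_approved` key (for example on a row where the entity is a channel or file) evaluates to `None` and does not fire, so the detection only alerts on an explicit negative.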