Slack

Required fields are in bold.

Slack.AccessLogs

Access logs for users on a Slack workspace. Reference: https://api.slack.com/methods/team.accessLogs

Column

Type

Description

user_id

string

The id of the user accessing Slack.

username

string

The username of the user accessing Slack.

date_first

timestamp

Unix timestamp of the first access log entry for this user, IP address, and user agent combination.

date_last

timestamp

Unix timestamp of the most recent access log entry for this user, IP address, and user agent combination.

count

bigint

The total number of access log entries for that combination.

ip

string

The IP address of the device used to access Slack.

user_agent

string

The reported user agent string from the browser or client application.

isp

string

Best guess at the internet service provider owning the IP address.

country

string

Best guesses on where the access originated, based on the IP address.

region

string

Best guesses on where the access originated, based on the IP address.

p_event_time

timestamp

Panther added standardized event time (UTC)

p_parse_time

timestamp

Panther added standardized log parse time (UTC)

p_log_type

string

Panther added field with type of log

p_row_id

string

Panther added field with unique id (within table)

p_source_id

string

Panther added field with the source id

p_source_label

string

Panther added field with the source label

p_any_ip_addresses

[string]

Panther added field with collection of ip addresses associated with the row

p_any_usernames

[string]

Panther added field with collection of usernames associated with the row

Slack.AuditLogs

Slack audit logs provide a view of the actions users perform in an Enterprise Grid organization. Reference: https://api.slack.com/enterprise/audit-logs

Column

Type

Description

id

string

The event id

date_create

timestamp

Creation timestamp for the event

action

string

The action performed. See https://api.slack.com/enterprise/audit-logs#audit_logs_actions

actor

{ "type":string, "user":{ "id":string, "name":string, "email":string, "team":string } }

An actor will always be a user on a workspace and will be identified by their user ID, such as W123AB456.

entity

{ "type":string, "user":{ "id":string, "name":string, "email":string, "team":string }, "channel":{ "id":string, "name":string, "privacy":string, "is_shared":boolean, "is_org_shared":boolean, "teams_shared_with":[string] }, "file":{ "id":string, "name":string, "title":string, "filetype":string }, "app":{ "id":string, "name":string, "is_distributed":boolean, "is_directory_approved":boolean, "scopes":[string] }, "workspace":{ "id":string, "name":string, "domain":string }, "enterprise":{ "id":string, "name":string, "domain":string }, "workflow":{ "id":string, "name":string }, "message":{ "team":string, "channel":string, "timestamp":string } }

An entity is the thing that the actor has taken the action upon and it will be the Slack ID of the thing.

context

{ "ua":string, "ip_address":string, "location":{ "type":string, "id":string, "domain":string, "name":string } }

Context is the location that the actor took the action on the entity. It will always be either a Workspace or an Enterprise, with the appropriate ID.

details

string

Additional details about the audit log event

p_event_time

timestamp

Panther added standardized event time (UTC)

p_parse_time

timestamp

Panther added standardized log parse time (UTC)

p_log_type

string

Panther added field with type of log

p_row_id

string

Panther added field with unique id (within table)

p_source_id

string

Panther added field with the source id

p_source_label

string

Panther added field with the source label

p_any_ip_addresses

[string]

Panther added field with collection of ip addresses associated with the row

p_any_emails

[string]

Panther added field with collection of email addresses associated with the row

p_any_usernames

[string]

Panther added field with collection of usernames associated with the row