For many organizations, Slack is one of the most essential messaging apps used for important and sensitive communications. Panther can collect, normalize, and monitor Slack audit logs to help you identify suspicious activity within your Slack workspace in real time. Your normalized log data is then retained to power future security investigations in a data lake powered by the cloud-native data platform, Snowflake.
Use Cases for Slack Logs
Panther can pull multiple log types directly from Slack via API queries, including Audit, Access, and Integration logs. Some common security use cases for Slack logs include:
- Monitoring changes to EKM, MFA, or SSO settings
- Alerting when a Slack organization is created or deleted
- Detecting when Slack Apps are added, removed, or modified
- Identifying when a potentially malicious file is shared
Onboarding Slack Logs in Panther
Panther is able to pull logs directly from Slack via API. The Slack Audit Log API is available to Slack customers with Enterprise plans, while the Access and Integration log APIs are available to all Slack paid plans. In order for Panther to access the Slack API, you simply need to create a new Slack log source within the Panther console, create a Slack App, and provide the app credentials to Panther.
For more details on onboarding Slack logs or for supported log schema, you can view our Slack documentation here.
Parsing, Normalizing, & Analyzing
As Panther ingests Slack logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows you to write detections, identify anomalies, and conduct investigations in the context of days, weeks, or months of data.
Panther applies normalization fields to log records, which standardizes names for attributes and enables you to correlate data across all of your log sources. Panther’s intuitive search tools - such as Query Builder, Data Explorer, and Indicator Search - allow you to investigate your normalized logs for suspicious activity or vulnerabilities. For more information on searching logs, check out our documentation on Investigations & Search.
Detection as Code
With Panther, you aren’t confined to restrictive detections or proprietary languages as seen in many SIEM solutions. Panther is built around detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering processes. This results in powerful, flexible, and reusable scripting of detections for your security team.
Pre-built detections for Slack are available by default in Panther, offering users immediate value for monitoring common IoCs and threats. You can explore our built-in detection coverage for Slack audit logs here.
Panther generates alerts when your detection rules or policies for Slack are triggered, and integrates with a variety of alert destinations to allow for intuitive management of any alerts. Alerts can also be sent to alert context or SOAR platforms for more remediation options.
Alerts are categorized by five different severity levels: Info, Low, Medium, High, and Critical. Your security team has the ability to dynamically assign severity based on specific log event attributes.
If you have any questions about configuring or monitoring Slack logs in Panther, our customer support team is here to help. All customers have access to support via a dedicated Slack channel, email, or in-app messenger.
You can view our documentation on configuring and monitoring Slack logs here, or customers can sign up for the Panther Community to share best practices or custom detections for Slack logs.
The Ideal SIEM for Slack
With Panther, your team doesn’t have to waste time and resources on operational overhead, pay excessive costs to keep up with the growth of cloud app data or struggle with restrictive detection logic. Panther was founded by a team of security engineers who struggled with other SIEM solutions first-hand, and built an intuitive, cloud-native platform to solve them.
Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts. For a powerful, practical, and scalable SIEM solution for Slack, request a demo today.