The Slack Add-on for Splunk uses the Slack Audit Logs API to fetch Slack Enterprise Grid Audit Logs into Splunk.
The Audit Logs API is for monitoring the audit events happening in an Enterprise Grid organization to ensure continued compliance, to safeguard against any inappropriate system access, and to allow you to audit suspicious behavior within your enterprise.
The idea is to give Enterprise Grid organization owners the ability to query user actions in a workspace. With this API, you could:
Learn more about Monitoring with the Audit Logs API
The Audit Logs can only be queried by a Slack Enterprise Grid Account.
Note: The Slack Enterprise Grid Account is used to authorize the Slack Add-on for Splunk and generate the OAuth 2.0 access token.
This application can be installed an On-Prem or Cloud deployments of Splunk.
Install the TA on one of the Heavy Forwarder(s).
Create a support ticket with
APP-CERT reference to get the app installed on a Cloud instance OR follow the cloud-ops recommended set of actions to install non-published applications.
The configuration steps are common for on-prem and cloud. Please follow the following steps in order:
1. Open the Web UI for the Heavy Forwarder (or IDM).
2. Navigate to the Splunk Add on for Slack from the Manage Apps Section.
3. Click on Create New Input button on the top right corner.
4. Enter the following details:
- Name (required): Provide a unique name for the input.
- Interval (required): Provide a number in seconds for the query interval.
- Index (required): Select the index from the dropdown list. Set the default index to be
slack_audit, if using in conjunction with the Slack Audit App for Splunk.
- Start Time (required): Enter the time from which to begin querying, in the format
yyyy-mm-dd hh:mm:ss. The default has been set to
- Access Token (required): Use the ‘Add To Slack’ button to generate and access an API token for use with the Splunk Add On. (Alternatively, you can bring your own
xoxp-token with the
auditlogs:read scope. Please contact your Slack account team or firstname.lastname@example.org (Opens in new tab) for up to date instructions on how to generate the token.)
5. Click on
Add to save the input.
6. To check for any logs or errors, navigate to the
Search tab and enter the below search
Please be advised that using this integration is permitted subject to your obligations, including data privacy obligations, under your agreement with Splunk.
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.