icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Slack Add-on for Splunk
SHA256 checksum (slack-add-on-for-splunk_109.tgz) 584454ec2f178bf5d2a1c9ff873a44acd855811b355bc0d86505962d58abd60b
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Slack Add-on for Splunk

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
Overview
Details
This add-on is designed to provide comprehensive data collection and field extraction for Slack Enterprise Grid Organization Audit Logs.

Slack Add-on for Splunk

The Slack Add-on for Splunk uses the Slack Audit Logs API to fetch Slack Enterprise Grid Audit Logs into Splunk.

Getting Started

The Audit Logs API is for monitoring the audit events happening in an Enterprise Grid organization to ensure continued compliance, to safeguard against any inappropriate system access, and to allow you to audit suspicious behavior within your enterprise.

The idea is to give Enterprise Grid organization owners the ability to query user actions in a workspace. With this API, you could:

  • Automatically feed Slack access data into an SIEM or other auditing tool
  • Proactively monitor for potential security issues or malicious access attempts
  • Write custom apps to gain insight into how your organization uses Slack

Learn more about Monitoring with the Audit Logs API

Installation and Configuration Steps

This application can be installed an On-Prem or Cloud deployments of Splunk.

Installation Steps for on-prem

Install the TA on one of the Heavy Forwarder(s). Ensure to copy over eventtypes.conf, props.conf and tags.conf over to your search head to make sure field aliases, event types and tags for data model mapping comes through.

Installation Steps for cloud

Create a support ticket with APP-CERT reference to get the app installed on a Cloud instance OR follow the cloud-ops recommended set of actions to install non-published applications.

Configuration steps

The configuration steps are common for on-prem and cloud. Please follow the following steps in order:
1. Open the Web UI for the Heavy Forwarder (or IDM).
2. Navigate to the Splunk Add on for Slack from the Manage Apps Section. Be sure not to configure the inputs from the Data Inputs section of Splunk, as this could lead to some unexpected failures.
3. Navigate to the Configuration page of the Add-on and click on the Add button.
4. Enter a name in the Slack Account name textbox.
5. Click on the Add to Slack button to generate your Access Token, beginning with xoxp (with scope auditlogs:read). Follow the instructions below to generate this. If you brought your own, paste the Access Token here.
6. Click on Add to save this configuration.
7. Navigate to the Inputs tab.
8. Click on Create New Input button on the top right corner.
9. Enter the following details:
- Name (required): Provide a unique name for the input.
- Interval (required): Provide a number in seconds for the query interval.
- Index (required): Select the index from the dropdown list. Set the default index to be slack_audit, if using in conjuction with the Slack Audit App for Splunk.
- Start Time (required): Enter the time from which to begin querying, in the format yyyy-mm-dd hh:mm:ss. The default has been set to 2018-01-01 00:00:00.
- Enterprise Slack Account (required): Select the Account configured on Step 6.
10. Click on Add to save the input.
11. To check for any logs or errors, navigate to the Search tab and enter the below search index=_internal source="*ta_slack_add_on_for_splunk_*.log".

Access Token Generation - Authentication Step

  1. Click on the Add to Slack button to initiate the Authentication flow.
  2. Sign into your organization's Enterprise Grid Slack account from the Sign in page. Please note : Audit logs can only be retrieved by the org owner in a Slack Enterprise account.
  3. You will be presented with a screen to authorize the Slack Audit API App to collect the audit log information from your Enterprise Grid account. Click on Content and info about you and the Administer Slack for your organization options to see what the app can view. Should you see this screen, skip step 4 and proceed onto 5.
  4. If you are not presented with the content in Step 3, close the dialog box and re-initiate the authentication process from Step 1.
  5. Click on Allow to generate your access token.
  6. The access token should now be generated. On the Access Token Generated page, click on the Copy Access Token button to copy the token to your clipboard and close the pop up window.
  7. Manually paste the Access token into the Access Token text box of your Input configuration page.
  8. The Access token should be about 79-80 characters long. If the character length of the pasted token isn't roughly the same size, re-initiate the authentication process to generate the token from Step 1.

Pre-requisites, FAQ and Troubleshooting

  1. Initially, the sheer volume of audit logs could be large.
  2. The checkpoints used in the add-on reside in the KV store. Ensure sufficient permissions and access to the KV Store.
  3. If a run of the add-on stopped for any reason, a checkpoint for each input will be stored, with the name ending with _last_accessed_url. This is an indication of an error that must have occurred in the previous run. The input can be restarted (Disable the input first and then enable it) after the cause of failure has been fixed, so it picks up the run from the recorded last successful run.
  4. If using in conjuction with the Slack Audit App for Splunk, ensure the target index is configured as slack_audit, so that the dashboards on the app populate automatically.
  5. Ensure not to configure the inputs from the Data Inputs section of Splunk, as this could lead to some unexpected failures.
  6. If you observe that the field extraction of _time does not match the field date_create, ensure to add an additional line in props.conf under the slack:audit stanza like shown below and deploy it to all indexers.
    [slack:audit]
    TIME_PREFIX = \"date_create\"\:

Release Notes

Version 1.0.9
Sept. 12, 2020

Fixed timestamp recognition to point to date_create field

329
Installs
365
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2020 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.