September 12, 2019
Slack is a popular cloud-based set of software tools and online services that provides for secure collaboration across teams, departments, offices, and countries. We are happy to announce support for monitoring Slack workspaces with the new Sumo Logic app for Slack.
In this post, we’ll provide an overview of how Sumo Logic’s integration with Slack works and how to leverage it to:
In this section, we first cover how to collect Slack logs and then how to make the best use of that data through the app dashboards.
Slack exposes several Web API methods for fetching the different kinds of logs for a workspace. All of them require a Slack authentication token, and which log types are available depends on the Slack plan:
Log type | Free plan | Standard plan | Plus plan | Enterprise plan |
--- | --- | --- | --- | --- |
User logs | ✓ | ✓ | ✓ | ✓ |
Public Channel logs | ✓ | ✓ | ✓ | ✓ |
Public Message logs | ✓ | ✓ | ✓ | ✓ |
Access logs | ✓ | ✓ | ✓ | |
Audit logs | | | | ✓ |
Sumo Logic provides a collector for gathering these logs in near real time. The collector lets you choose which log types to collect and can be deployed either as an AWS Lambda function or as a script running on a Linux machine. Once configured, it polls the Slack APIs periodically and forwards the data to Sumo Logic via an HTTP Source, as shown below:
After collection is configured, install the Slack app from the Sumo Logic app catalog. For additional details, see the help page on how to collect data and the instructions on how to install the application.
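To make the collection step concrete, here is an added example (not the Sumo Logic collector's own code) of the two things such a collector has to get right: walking Slack's two paging styles to completion, and shaping the records into the newline-delimited body an HTTP Source ingests. `team.accessLogs` pages with `page`/`pages`, `users.list` with `response_metadata.next_cursor`, and Slack reports failures as `"ok": false` inside an HTTP 200 body. The transport is injected as a callable (`SlackCall`, a name chosen here) so the example runs offline against constructed responses; a real deployment would back it with an HTTP GET to `https://slack.com/api/<method>` carrying the token in an `Authorization: Bearer` header and honour `Retry-After` on 429.

```python
import json
from typing import Callable, Dict, Iterator, List

# Injectable transport (hypothetical name): given a Web API method and its query
# parameters, return the decoded JSON response.
SlackCall = Callable[[str, Dict[str, str]], dict]


class SlackApiError(RuntimeError):
    pass


def _check(resp: dict, method: str) -> dict:
    # Slack signals failure inside the JSON body ("ok": false) even on HTTP 200,
    # so a collector that only checks the status code silently ships nothing.
    if not resp.get("ok"):
        raise SlackApiError(f"{method}: {resp.get('error', 'unknown_error')}")
    return resp


def iter_access_logs(call: SlackCall) -> Iterator[dict]:
    """Walk every page of team.accessLogs, which uses page/pages paging."""
    page = 1
    while True:
        resp = _check(call("team.accessLogs", {"page": str(page), "count": "100"}),
                      "team.accessLogs")
        yield from resp.get("logins", [])
        if page >= int(resp.get("paging", {}).get("pages", 1)):
            return
        page += 1


def iter_users(call: SlackCall) -> Iterator[dict]:
    """Walk users.list, which uses cursor paging via response_metadata.next_cursor."""
    params = {"limit": "200"}
    while True:
        resp = _check(call("users.list", dict(params)), "users.list")
        yield from resp.get("members", [])
        cursor = resp.get("response_metadata", {}).get("next_cursor", "")
        if not cursor:
            return
        params["cursor"] = cursor


def collect(call: SlackCall, workspace: str) -> List[dict]:
    """Pull both log types and tag each record so dashboards can filter by workspace and type."""
    events = []
    for log_type, records in (("access_log", iter_access_logs(call)),
                              ("user", iter_users(call))):
        for rec in records:
            events.append({"workspace": workspace, "log_type": log_type, **rec})
    return events


def http_source_body(events: List[dict]) -> bytes:
    """One JSON object per line: an HTTP Source treats each line as a separate message."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events).encode("utf-8")


# --- Constructed responses standing in for the Slack API (not real data) ---
_PAGES = {
    "1": {"ok": True, "paging": {"page": 1, "pages": 2},
          "logins": [{"user_id": "U0001", "username": "alice", "ip": "198.51.100.7",
                      "user_agent": "Mozilla/5.0", "count": 3,
                      "date_first": 1568246400, "date_last": 1568250000}]},
    "2": {"ok": True, "paging": {"page": 2, "pages": 2},
          "logins": [{"user_id": "U0002", "username": "bob", "ip": "203.0.113.9",
                      "user_agent": "curl/7.64", "count": 1,
                      "date_first": 1568260000, "date_last": 1568260000}]},
}
_USERS = {
    "": {"ok": True, "members": [{"id": "U0001", "name": "alice", "is_admin": True}],
         "response_metadata": {"next_cursor": "dXNlcjpVMDAwMg=="}},
    "dXNlcjpVMDAwMg==": {"ok": True,
                         "members": [{"id": "U0002", "name": "bob", "is_restricted": True}],
                         "response_metadata": {"next_cursor": ""}},
}


def fake_call(method: str, params: Dict[str, str]) -> dict:
    """Offline stand-in for the Slack Web API, serving the constructed pages above."""
    if method == "team.accessLogs":
        return _PAGES[params["page"]]
    if method == "users.list":
        return _USERS[params.get("cursor", "")]
    return {"ok": False, "error": "unknown_method"}


if __name__ == "__main__":
    evs = collect(fake_call, "acme")
    print(len(evs), "events;", len(http_source_body(evs)), "bytes to POST to the HTTP Source")
```

The `workspace` tag is what lets the dashboards described later split counts per workspace; without it, logs from several workspaces sent to one HTTP Source are indistinguishable.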
Now let’s take a look at some examples of how to make use of the dashboards in the application.
The Slack - Members dashboard shows trends for total members, active members, and messages by workspace as shown below:
By default, the panels show data for all members and guests. To track guest activity only, use the Restricted - Multi channel guests or the UltraRestricted - Single channel guests filter.
You can then use the Top Members Activity panel to see how each guest is using your workspace: the number of channels they belong to, messages sent, and files and attachments uploaded. This kind of activity is especially useful when investigating the root cause of a security incident, for example when a malicious file was brought into the organization through a guest account.
To further investigate guest activity related to files downloaded, uploaded, app installs, and app modifications, use the Guest File Activity and Guest App Activity panels in the Slack - File and App Audit dashboard as shown below:
If your organization has policies about which kinds of access may be granted to people outside the organization, use the Guest Activity panel in the Slack - User Audit dashboard to review all administrative actions involving guest users.
It is a well-established security practice to require two-factor authentication for all users. To see how many users have two-factor authentication enabled or disabled, use the 2FA by Workspace panel in the Slack - Members dashboard.
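The guest and 2FA panels above are both derived from the user logs. The following added example (not code from the Sumo Logic app) shows the classification the dashboards rely on, applied to the fields `users.list` returns: `is_restricted` (multi-channel guest), `is_ultra_restricted` (single-channel guest), `is_admin`, `is_owner`, `is_bot`, `deleted` and `has_2fa`. It goes slightly beyond the post in two ways a practitioner will want: it treats a missing `has_2fa` field as unknown rather than disabled, since the field is not present in every response, and it lists privileged accounts without 2FA separately, since those are the accounts an attacker most wants. The member records are constructed.

```python
from collections import Counter, defaultdict
from typing import Dict, Iterable, List


def classify(member: dict) -> str:
    """Map one users.list record to the role buckets the dashboards filter on."""
    if member.get("deleted"):
        return "deactivated"
    if member.get("is_bot") or member.get("id") == "USLACKBOT":
        return "bot"
    # A single-channel guest may carry is_restricted as well, so test the narrower flag first.
    if member.get("is_ultra_restricted"):
        return "single_channel_guest"   # "UltraRestricted" in the dashboard filter
    if member.get("is_restricted"):
        return "multi_channel_guest"    # "Restricted" in the dashboard filter
    if member.get("is_owner"):
        return "owner"
    if member.get("is_admin"):
        return "admin"
    return "member"


def twofa_by_workspace(members: Iterable[dict]) -> Dict[str, Dict[str, int]]:
    """Count 2FA enabled / disabled / unknown per workspace for human accounts only.
    A missing has_2fa is reported as 'unknown', never silently counted as disabled."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for m in members:
        if classify(m) in ("bot", "deactivated"):
            continue
        flag = m.get("has_2fa")
        state = "unknown" if flag is None else ("enabled" if flag else "disabled")
        out[m["workspace"]][state] += 1
    return {ws: dict(c) for ws, c in out.items()}


def privileged_without_2fa(members: Iterable[dict]) -> List[str]:
    """Owners and admins confirmed to have 2FA off: the first accounts to chase."""
    return sorted(m["name"] for m in members
                  if classify(m) in ("owner", "admin") and m.get("has_2fa") is False)


def guests_by_workspace(members: Iterable[dict]) -> Dict[str, List[str]]:
    """Every guest account per workspace, for review against your external-access policy."""
    out: Dict[str, List[str]] = defaultdict(list)
    for m in members:
        if classify(m).endswith("guest"):
            out[m["workspace"]].append(m["name"])
    return dict(out)


# Constructed user records in the shape of users.list output (not real accounts).
# The "workspace" tag is added at collection time, as in the collector example.
MEMBERS = [
    {"workspace": "acme", "id": "U0001", "name": "alice", "is_owner": True, "has_2fa": True},
    {"workspace": "acme", "id": "U0002", "name": "bob", "is_admin": True, "has_2fa": False},
    {"workspace": "acme", "id": "U0003", "name": "carol", "has_2fa": True},
    {"workspace": "acme", "id": "U0004", "name": "vendor-dan", "is_restricted": True, "has_2fa": False},
    {"workspace": "acme", "id": "U0005", "name": "contractor-eve", "is_ultra_restricted": True},
    {"workspace": "acme", "id": "B0001", "name": "github", "is_bot": True},
    {"workspace": "acme", "id": "U0006", "name": "ex-employee", "deleted": True, "has_2fa": False},
    {"workspace": "labs", "id": "U0101", "name": "frank", "is_admin": True, "has_2fa": True},
    {"workspace": "labs", "id": "U0102", "name": "grace", "has_2fa": False},
]

if __name__ == "__main__":
    print("2FA:", twofa_by_workspace(MEMBERS))
    print("privileged without 2FA:", privileged_without_2fa(MEMBERS))
    print("guests:", guests_by_workspace(MEMBERS))
```

Note that the bot and the deactivated account are excluded from the 2FA totals; counting them would make coverage look worse (or better) than it is for the accounts that can actually log in.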
Now let’s look at how the Slack app can be used to monitor administrative actions. If you are on the Slack Enterprise plan with multiple workspaces and administrators, you will want to monitor every change to authentication settings and confirm that each one was expected.
To do so, use the Workspace - SSO and 2FA Setting Changes panel in the Slack - Workspace Audit dashboard to see who made each change and when, as shown below.
To monitor users whose role is changed to owner, admin, user, or guest, use the Role Changed panel in the Slack - User Audit dashboard, as shown below.
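Both panels above are built on the Enterprise audit logs. As an added example (not the app's own query logic), here is the detection a practitioner would run over those entries: every role change and every SSO/2FA setting change becomes a finding, role changes to owner or admin are rated high, and any such change made by someone outside an expected-administrator allowlist is rated high regardless of what it was. The action names are the ones the Slack Audit Logs API uses for these events as understood here; the entry layout (`actor`, `entity`, `context.location`) is modelled on that API, and the allowlist and the entries themselves are constructed for the example.

```python
from typing import Dict, Iterable, List, Set

# Audit log action -> resulting role, for the role-change events the Role Changed panel shows.
ROLE_ACTIONS = {
    "role_change_to_owner": "owner",
    "role_change_to_admin": "admin",
    "role_change_to_user": "user",
    "role_change_to_guest": "guest",
}
# Workspace-level authentication settings the SSO and 2FA Setting Changes panel shows.
AUTH_SETTING_ACTIONS = {"pref.two_factor_auth_changed", "pref.sso_setting_changed"}
PRIVILEGED_ROLES = {"owner", "admin"}


def review_audit_entries(entries: Iterable[dict], approved_admins: Set[str]) -> List[dict]:
    """One finding per role or auth-setting change, rated by how much access it widens
    and by whether the actor is on the expected-administrator allowlist (an assumption)."""
    findings = []
    for e in entries:
        action = e["action"]
        actor = e["actor"]["user"]["email"]
        workspace = e["context"]["location"]["name"]
        if action in ROLE_ACTIONS:
            new_role = ROLE_ACTIONS[action]
            severity = "high" if new_role in PRIVILEGED_ROLES else "low"
            detail = f"{e['entity']['user']['email']} -> {new_role}"
        elif action in AUTH_SETTING_ACTIONS:
            severity = "medium"   # expected occasionally, but always worth a second pair of eyes
            detail = action
        else:
            continue              # logins, file events and so on are handled elsewhere
        if actor not in approved_admins:
            severity = "high"     # an admin-only change by an unexpected actor is the real signal
        findings.append({"workspace": workspace, "when": e["date_create"], "actor": actor,
                         "action": action, "detail": detail, "severity": severity})
    return findings


def unexpected_actors(findings: Iterable[dict], approved_admins: Set[str]) -> List[str]:
    """Distinct accounts that made admin-only changes without being on the allowlist."""
    return sorted({f["actor"] for f in findings if f["actor"] not in approved_admins})


def _entry(when: int, action: str, actor: str, target: str, workspace: str = "acme") -> dict:
    # Builds a constructed entry in the Audit Logs layout assumed above.
    return {"date_create": when, "action": action,
            "actor": {"type": "user", "user": {"id": "U-" + actor, "email": actor}},
            "entity": {"type": "user", "user": {"id": "U-" + target, "email": target}},
            "context": {"location": {"type": "workspace", "id": "T001", "name": workspace},
                        "ip_address": "198.51.100.7"}}


APPROVED_ADMINS = {"admin@example.com"}
ENTRIES = [
    _entry(1568246400, "role_change_to_admin", "admin@example.com", "newhire@example.com"),
    _entry(1568246500, "role_change_to_guest", "admin@example.com", "contractor@example.com"),
    _entry(1568246600, "pref.two_factor_auth_changed", "admin@example.com", "acme"),
    _entry(1568246700, "user_login", "grace@example.com", "grace@example.com"),
    _entry(1568246800, "pref.sso_setting_changed", "intern@example.com", "acme"),
]

if __name__ == "__main__":
    for f in review_audit_entries(ENTRIES, APPROVED_ADMINS):
        print(f["severity"].upper(), f["workspace"], f["actor"], f["action"], f["detail"])
    print("unexpected actors:", unexpected_actors(review_audit_entries(ENTRIES, APPROVED_ADMINS), APPROVED_ADMINS))
```

The allowlist is the piece the dashboards cannot supply for you: the panels show who changed what, but only you know which accounts were supposed to be able to.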
Slack integrates with many outside technologies such as GitHub, JIRA, and Google Drive, and a single workspace can have several of these applications installed. Keeping track of every installed app becomes tedious when you have multiple workspaces or many applications.
Use the Slack - Bots dashboard to get an overview of all the apps installed across multiple workspaces.
Using the Bot Summary panels, you can identify how many channels an app is a part of, and the number of messages, files, and attachments the app is associated with.
You can also use the Slack - Public Messages dashboard to find all messages, files, and attachments posted by a specific bot.
In this blog post, we show you examples of how to use the Sumo Logic Slack app to monitor Slack workspaces to:
If you don’t have a Sumo Logic account yet, you can sign up for a free trial today.