Slack Access Logs
Visualizations built on Slack Access Logs are a quick way to spot unusual or suspicious sign-in activity, such as sign-ins from an unexpected IP address or user agent.

ChaosSearch users can get insights into their Slack Access Logs as soon as the logs are indexed. Once indexed, the Access Logs give you a time, IP address, and user agent for every sign-in, which is the raw material for spotting anomalous access to an account.
What can you see using Access Logs?
- The time and date of each new sign-in
- The IP address of each device that has accessed each account
- A list of devices that have accessed each account
After the ChaosSearch object group is created for the Access Logs, you can start tracking when members connect to and actively use Slack, when a user signs in to their account, and when a user signs in from an IP address or user agent not previously seen for that account. Keep in mind that a new IP address or user agent by itself is not proof of compromise (mobile users, VPNs, and NAT change IPs routinely); treat it as a lead to confirm with the user rather than a verdict.
To help, ChaosSearch provides the pre-built visualizations below that you can import into your account to start tracking these metrics. Note that, as shipped, every terms aggregation is ordered by count descending ("order": "desc", "orderBy": "1") and limited to the top 5 values ("size": 5), so these panels surface the most common IP addresses and user agents. Rare or first-seen values, which are usually the more interesting signal when hunting for suspicious sign-ins, will only appear if you switch the order to ascending, raise the size, or add a filter that excludes your known-good addresses and clients.
References Field
When importing these visualizations and the dashboard, you must replace the "id" string in each references array with a value from your own account. For the three visualizations, the reference named "kibanaSavedObjectMeta.searchSourceJSON.index" must carry the ID of your index pattern, which is generated once the system has completed its linking; the ID shown in the examples below belongs to another account and will not resolve. For the dashboard, the "panel_0", "panel_1", and "panel_2" references must carry the IDs assigned to the three visualizations after you import them. Contact support for any questions.
Slack – Top IP by User Agent
{
"query": {
"query": "",
"language": "kuery"
},
"filter": [],
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index"
}
[
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "64c9e776-71b4-4102-8c4c-2dd4221ab670"
}
]
{
"vis": {
"params": {
"sort": {
"columnIndex": null,
"direction": null
}
}
}
}
{
"title": "Slack - Top IP by User Agent",
"type": "table",
"params": {
"perPage": 10,
"showPartialRows": false,
"showMetricsAtAllLevels": false,
"sort": {
"columnIndex": null,
"direction": null
},
"showTotal": false,
"totalFunc": "sum",
"dimensions": {
"metrics": [
{
"accessor": 0,
"format": {
"id": "number"
},
"params": {},
"aggType": "count"
}
],
"buckets": []
}
},
"aggs": [
{
"id": "1",
"enabled": true,
"type": "count",
"schema": "metric",
"params": {}
},
{
"id": "2",
"enabled": true,
"type": "terms",
"schema": "bucket",
"params": {
"field": "IP Address",
"order": "desc",
"size": 5,
"orderBy": "1",
"otherBucket": false,
"otherBucketLabel": "Other",
"missingBucket": false,
"missingBucketLabel": "Missing"
}
},
{
"id": "3",
"enabled": true,
"type": "terms",
"schema": "bucket",
"params": {
"field": "User Agent - Simple",
"order": "desc",
"size": 5,
"orderBy": "1",
"otherBucket": false,
"otherBucketLabel": "Other",
"missingBucket": false,
"missingBucketLabel": "Missing"
}
}
]
}

Slack – Access by User Agent
{
"query": {
"query": "",
"language": "kuery"
},
"filter": [],
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index"
}
[
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "64c9e776-71b4-4102-8c4c-2dd4221ab670"
}
]
{
"title": "Slack - Access by User Agent",
"type": "pie",
"params": {
"type": "pie",
"addTooltip": true,
"addLegend": true,
"legendPosition": "right",
"isDonut": true,
"labels": {
"show": false,
"values": true,
"last_level": true,
"truncate": 100
},
"dimensions": {
"metric": {
"accessor": 1,
"format": {
"id": "number"
},
"params": {},
"aggType": "count"
},
"buckets": [
{
"accessor": 0,
"format": {
"id": "terms",
"params": {
"id": "string",
"otherBucketLabel": "Other",
"missingBucketLabel": "Missing"
}
},
"params": {},
"aggType": "terms"
}
]
}
},
"aggs": [
{
"id": "1",
"enabled": true,
"type": "count",
"schema": "metric",
"params": {}
},
{
"id": "2",
"enabled": true,
"type": "terms",
"schema": "segment",
"params": {
"field": "User Agent - Full",
"order": "desc",
"size": 5,
"orderBy": "1",
"otherBucket": false,
"otherBucketLabel": "Other",
"missingBucket": false,
"missingBucketLabel": "Missing"
}
}
]
}

Slack – User Agent Access
{
"query": {
"query": "",
"language": "kuery"
},
"filter": [],
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index"
}
[
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "64c9e776-71b4-4102-8c4c-2dd4221ab670"
}
]
{
"title": "Slack Logs - User Agent Access",
"type": "pie",
"params": {
"type": "pie",
"addTooltip": true,
"addLegend": true,
"legendPosition": "top",
"isDonut": true,
"labels": {
"show": false,
"values": true,
"last_level": true,
"truncate": 100
},
"dimensions": {
"metric": {
"accessor": 1,
"format": {
"id": "number"
},
"params": {},
"aggType": "count"
},
"buckets": [
{
"accessor": 0,
"format": {
"id": "terms",
"params": {
"id": "string",
"otherBucketLabel": "Other",
"missingBucketLabel": "Missing"
}
},
"params": {},
"aggType": "terms"
}
]
}
},
"aggs": [
{
"id": "1",
"enabled": true,
"type": "count",
"schema": "metric",
"params": {}
},
{
"id": "2",
"enabled": true,
"type": "terms",
"schema": "segment",
"params": {
"field": "User Agent - Simple",
"order": "desc",
"size": 5,
"orderBy": "1",
"otherBucket": false,
"otherBucketLabel": "Other",
"missingBucket": false,
"missingBucketLabel": "Missing"
}
}
]
}

Slack Dashboard
{
"query": {
"query": "",
"language": "kuery"
},
"filter": []
}
{
"useMargins": false,
"hidePanelTitles": false
}
[
{
"gridData": {
"x": 0,
"y": 0,
"w": 15,
"h": 15,
"i": "1"
},
"version": "7.2.0",
"panelIndex": "1",
"embeddableConfig": {},
"panelRefName": "panel_0"
},
{
"gridData": {
"x": 31,
"y": 0,
"w": 17,
"h": 25,
"i": "2"
},
"version": "7.2.0",
"panelIndex": "2",
"embeddableConfig": {},
"panelRefName": "panel_1"
},
{
"gridData": {
"x": 16,
"y": 0,
"w": 14,
"h": 15,
"i": "3"
},
"version": "7.2.0",
"panelIndex": "3",
"embeddableConfig": {},
"panelRefName": "panel_2"
}
]
[
{
"name": "panel_0",
"type": "visualization",
"id": "83fef540-e9fe-11e9-83b6-3739304cf91e"
},
{
"name": "panel_1",
"type": "visualization",
"id": "a3610400-e9fe-11e9-83b6-3739304cf91e"
},
{
"name": "panel_2",
"type": "visualization",
"id": "6a351720-e9fe-11e9-83b6-3739304cf91e"
}
]
