Slack Access Logs

Access Logs are an easy way to check for any unusual or suspicious sign-in activity.

CHAOSSEARCH users can immediately get insights into their Slack Access Logs. Once indexed, the access logs are an easy way to check for any unusual or suspicious sign-in activity.

What can you see using Access Logs?

  • The time and date of each new sign-in
  • The IP address of each device that has accessed each account
  • A list of devices that have accessed each account

Once the Object Group is created, you can start tracking when members are connected to and actively using Slack, when a user signs in to their account, and when a user signs in from a unique IP address.

To help, CHAOSSEARCH provides pre-built visualizations to import into your account to start tracking these metrics.

References Field

When creating these visualizations and the dashboard, you must change the "id" string in the references section. This "id" is the index id that is generated once the system has completed its linking; the id shown in the examples below belongs to the example environment, so the imported visualizations will not resolve to your data until it is replaced with your own. Contact support for any questions.

Slack - Top IP by User Agent

{
  "query": {
    "query": "",
    "language": "kuery"
  },
  "filter": [],
  "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index"
}
[
  {
    "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
    "type": "index-pattern",
    "id": "64c9e776-71b4-4102-8c4c-2dd4221ab670"
  }
]
{
  "vis": {
    "params": {
      "sort": {
        "columnIndex": null,
        "direction": null
      }
    }
  }
}
{
  "title": "Slack - Top IP by User Agent",
  "type": "table",
  "params": {
    "perPage": 10,
    "showPartialRows": false,
    "showMetricsAtAllLevels": false,
    "sort": {
      "columnIndex": null,
      "direction": null
    },
    "showTotal": false,
    "totalFunc": "sum",
    "dimensions": {
      "metrics": [
        {
          "accessor": 0,
          "format": {
            "id": "number"
          },
          "params": {},
          "aggType": "count"
        }
      ],
      "buckets": []
    }
  },
  "aggs": [
    {
      "id": "1",
      "enabled": true,
      "type": "count",
      "schema": "metric",
      "params": {}
    },
    {
      "id": "2",
      "enabled": true,
      "type": "terms",
      "schema": "bucket",
      "params": {
        "field": "IP Address",
        "order": "desc",
        "size": 5,
        "orderBy": "1",
        "otherBucket": false,
        "otherBucketLabel": "Other",
        "missingBucket": false,
        "missingBucketLabel": "Missing"
      }
    },
    {
      "id": "3",
      "enabled": true,
      "type": "terms",
      "schema": "bucket",
      "params": {
        "field": "User Agent - Simple",
        "order": "desc",
        "size": 5,
        "orderBy": "1",
        "otherBucket": false,
        "otherBucketLabel": "Other",
        "missingBucket": false,
        "missingBucketLabel": "Missing"
      }
    }
  ]
}

Slack - Access by User Agent

{
  "query": {
    "query": "",
    "language": "kuery"
  },
  "filter": [],
  "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index"
}
[
  {
    "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
    "type": "index-pattern",
    "id": "64c9e776-71b4-4102-8c4c-2dd4221ab670"
  }
]
{
  "title": "Slack - Access by User Agent",
  "type": "pie",
  "params": {
    "type": "pie",
    "addTooltip": true,
    "addLegend": true,
    "legendPosition": "right",
    "isDonut": true,
    "labels": {
      "show": false,
      "values": true,
      "last_level": true,
      "truncate": 100
    },
    "dimensions": {
      "metric": {
        "accessor": 1,
        "format": {
          "id": "number"
        },
        "params": {},
        "aggType": "count"
      },
      "buckets": [
        {
          "accessor": 0,
          "format": {
            "id": "terms",
            "params": {
              "id": "string",
              "otherBucketLabel": "Other",
              "missingBucketLabel": "Missing"
            }
          },
          "params": {},
          "aggType": "terms"
        }
      ]
    }
  },
  "aggs": [
    {
      "id": "1",
      "enabled": true,
      "type": "count",
      "schema": "metric",
      "params": {}
    },
    {
      "id": "2",
      "enabled": true,
      "type": "terms",
      "schema": "segment",
      "params": {
        "field": "User Agent - Full",
        "order": "desc",
        "size": 5,
        "orderBy": "1",
        "otherBucket": false,
        "otherBucketLabel": "Other",
        "missingBucket": false,
        "missingBucketLabel": "Missing"
      }
    }
  ]
}

Slack - User Agent Access

{
  "query": {
    "query": "",
    "language": "kuery"
  },
  "filter": [],
  "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index"
}
[
  {
    "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
    "type": "index-pattern",
    "id": "64c9e776-71b4-4102-8c4c-2dd4221ab670"
  }
]
{
  "title": "Slack Logs - User Agent Access",
  "type": "pie",
  "params": {
    "type": "pie",
    "addTooltip": true,
    "addLegend": true,
    "legendPosition": "top",
    "isDonut": true,
    "labels": {
      "show": false,
      "values": true,
      "last_level": true,
      "truncate": 100
    },
    "dimensions": {
      "metric": {
        "accessor": 1,
        "format": {
          "id": "number"
        },
        "params": {},
        "aggType": "count"
      },
      "buckets": [
        {
          "accessor": 0,
          "format": {
            "id": "terms",
            "params": {
              "id": "string",
              "otherBucketLabel": "Other",
              "missingBucketLabel": "Missing"
            }
          },
          "params": {},
          "aggType": "terms"
        }
      ]
    }
  },
  "aggs": [
    {
      "id": "1",
      "enabled": true,
      "type": "count",
      "schema": "metric",
      "params": {}
    },
    {
      "id": "2",
      "enabled": true,
      "type": "terms",
      "schema": "segment",
      "params": {
        "field": "User Agent - Simple",
        "order": "desc",
        "size": 5,
        "orderBy": "1",
        "otherBucket": false,
        "otherBucketLabel": "Other",
        "missingBucket": false,
        "missingBucketLabel": "Missing"
      }
    }
  ]
}

Slack Dashboard

{
  "query": {
    "query": "",
    "language": "kuery"
  },
  "filter": []
}
{
  "useMargins": false,
  "hidePanelTitles": false
}
[
  {
    "gridData": {
      "x": 0,
      "y": 0,
      "w": 15,
      "h": 15,
      "i": "1"
    },
    "version": "7.2.0",
    "panelIndex": "1",
    "embeddableConfig": {},
    "panelRefName": "panel_0"
  },
  {
    "gridData": {
      "x": 31,
      "y": 0,
      "w": 17,
      "h": 25,
      "i": "2"
    },
    "version": "7.2.0",
    "panelIndex": "2",
    "embeddableConfig": {},
    "panelRefName": "panel_1"
  },
  {
    "gridData": {
      "x": 16,
      "y": 0,
      "w": 14,
      "h": 15,
      "i": "3"
    },
    "version": "7.2.0",
    "panelIndex": "3",
    "embeddableConfig": {},
    "panelRefName": "panel_2"
  }
]
[
  {
    "name": "panel_0",
    "type": "visualization",
    "id": "83fef540-e9fe-11e9-83b6-3739304cf91e"
  },
  {
    "name": "panel_1",
    "type": "visualization",
    "id": "a3610400-e9fe-11e9-83b6-3739304cf91e"
  },
  {
    "name": "panel_2",
    "type": "visualization",
    "id": "6a351720-e9fe-11e9-83b6-3739304cf91e"
  }
]
