Collect Slack audit logs

This document explains how to ingest Slack Audit Logs to Google Security Operations using Google Cloud Run functions. The parser handles two formats of Slack audit logs. It first normalizes boolean values and clears predefined fields. Then, it parses the "message" field as JSON, handling non-JSON messages by dropping them. Depending on the presence of specific fields (date_create and user_id), the parser applies different logic to map raw log fields to the UDM, including metadata, principal, network, target, and about information, and constructs a security result.

Before you begin

Make sure you have the following prerequisites:

• A Google SecOps instance
• Privileged access to Slack Enterprise Grid tenant and Admin Console
• Privileged access to GCP Cloud Run functions and Cloud Scheduler

Collect Slack Audit Logs prerequisites (App ID, OAuth Token, Organization ID)

1. Sign in to the Slack Admin Console for your Enterprise Grid organization.
2. Go to https://api.slack.com/apps and click Create New App > From scratch.
3. Enter the App Name and select your Development Slack Workspace.
4. Click Create App.
5. Navigate to OAuth & Permissions in the left sidebar.
6. Go to the Scopes section and add the following User Token Scope:
   • auditlogs:read
7. Click Install to Workspace > Allow.
8. Once installed, navigate to Org Level Apps > Install to Organization.
9. Authorize the app with an Organization Owner/Admin account.
10. Copy and securely save the User OAuth Token that starts with xoxp- (this is your SLACK_ADMIN_TOKEN).
11. Copy your Organization ID which can be found in the Slack Admin Console under Settings & Permissions > Organization settings.

Setting up the directory

1. Create a new directory on your local machine for the Cloud Run function deployment.
2. Download the following files from the Chronicle ingestion-scripts GitHub repository:
   • From the slack folder, download:
     • .env.yml
     • main.py
     • requirements.txt
   • From the root of the repository, download the entire common directory with all its files:
     • common/__init__.py
     • common/auth.py
     • common/env_constants.py
     • common/ingest.py
     • common/status.py
     • common/utils.py
3. Place all downloaded files into your deployment directory.

Your directory structure should look like this:

  deployment_directory/
  ├─common/
  │ ├─__init__.py
  │ ├─auth.py
  │ ├─env_constants.py
  │ ├─ingest.py
  │ ├─status.py
  │ └─utils.py
  ├─.env.yml
  ├─main.py
  └─requirements.txt

Create secrets in Google Secret Manager

1. In the Google Cloud console, go to Security > Secret Manager.
2. Click Create Secret.
3. Provide the following configuration details for the Chronicle service account:
   • Name: Enter chronicle-service-account.
   • Secret value: Paste the contents of your Google SecOps ingestion authentication JSON file.
4. Click Create secret.

5. Copy the secret resource name in the following format:

   projects/<PROJECT_ID>/secrets/chronicle-service-account/versions/latest
   

6. Click Create Secret again to create a second secret.

7. Provide the following configuration details for the Slack token:

   • Name: Enter slack-admin-token.
   • Secret value: Paste your Slack User OAuth Token (starting with xoxp-).

8. Click Create secret.

9. Copy the secret resource name in the following format:

     projects/<PROJECT_ID>/secrets/slack-admin-token/versions/latest
   

Setting the required runtime environment variables

1. Open the .env.yml file in your deployment directory.

2. Configure the environment variables with your values:

   CHRONICLE_CUSTOMER_ID: "<your-chronicle-customer-id>"
   CHRONICLE_REGION: us
   CHRONICLE_SERVICE_ACCOUNT: "projects/<PROJECT_ID>/secrets/chronicle-service-account/versions/latest"
   CHRONICLE_NAMESPACE: ""
   POLL_INTERVAL: "5"
   SLACK_ADMIN_TOKEN: "projects/<PROJECT_ID>/secrets/slack-admin-token/versions/latest"
   

   • Replace the following:
     • <your-chronicle-customer-id>: Your Google SecOps customer ID.
     • <PROJECT_ID>: Your Google Cloud project ID.
     • CHRONICLE_REGION: Set to your Google SecOps region. Valid values: us, asia-northeast1, asia-south1, asia-southeast1, australia-southeast1, europe, europe-west2, europe-west3, europe-west6, europe-west9, europe-west12, me-central1, me-central2, me-west1, northamerica-northeast2, southamerica-east1.
     • POLL_INTERVAL: Frequency interval (in minutes) at which the function executes. This duration must be the same as the Cloud Scheduler job interval.

3. Save the .env.yml file.

Deploying the Cloud Run function

1. Open a terminal or Cloud Shell in the Google Cloud console.

2. Navigate to your deployment directory:

   cd /path/to/deployment_directory
   

3. Execute the following command to deploy the Cloud Run function:

   gcloud functions deploy slack-audit-to-chronicle \
     --entry-point main \
     --trigger-http \
     --runtime python39 \
     --env-vars-file .env.yml \
     --timeout 300s \
     --memory 512MB \
     --service-account <SERVICE_ACCOUNT_EMAIL>
   

   • Replace <SERVICE_ACCOUNT_EMAIL> with the email address of the service account you want your Cloud Run function to use.

4. Wait for the deployment to complete.

5. Once deployed, note the function URL from the output.

Set up Cloud Scheduler

1. In the Google Cloud console, go to Cloud Scheduler > Create job.
2. Provide the following configuration details:
   • Name: Enter slack-audit-scheduler.
   • Region: Select the same region where you deployed the Cloud Run function.
   • Frequency: Enter */5 * * * * (runs every 5 minutes, matching the POLL_INTERVAL value).
   • Timezone: Select UTC.
   • Target type: Select HTTP.
   • URL: Enter the Cloud Run function URL from the deployment output.
   • HTTP method: Select POST.
   • Auth header: Select Add OIDC token.
   • Service account: Select the same service account used for the Cloud Run function.
3. Click Create.

UDM Mapping Table

Need more help? Get answers from Community members and Google SecOps professionals.