Monitoring the Slack Audit Logs API for Security and Compliance
Slack is a juicy target and a compliance scope you probably ignore. Here's how to stream the Audit Logs API into your SIEM and alert on the events that actually matter.
- #slack
- #audit-logs
- #security
- #compliance
- #siem
- #devops
Slack is where your team discusses incidents, pastes the occasional credential they shouldn’t, and where a compromised account can quietly read months of operational context. For most organizations it’s a high-value target that nobody monitors, sitting outside the SIEM, generating no alerts. That’s a gap — and Slack’s Audit Logs API is how you close it.
The Audit Logs API (available on Enterprise Grid) streams a structured record of administrative and security-relevant actions across your workspaces: logins, app installs, channel creation, permission changes, file downloads, and more. Treated right, it’s a feed you pipe into your existing detection pipeline. Treated wrong, it’s an unused capability you’ll wish you’d turned on after an incident. Here’s how to do the former.
What the Audit Logs API gives you
The API exposes an actions endpoint returning a stream of audit events, each with an actor (who), an action (what), an entity (the target), and a context (IP, location, user agent). Actions are namespaced and granular — user_login, user_login_failed, app_installed, app_scopes_expanded, file_downloaded, public_channel_created, guest_created, role_change_to_owner, and many more.
You authenticate with an org-level token carrying the auditlogs:read scope and paginate through events since a given timestamp:
```bash
curl "https://api.slack.com/audit/v1/logs?oldest=1718150400&limit=200" \
  -H "Authorization: Bearer $SLACK_AUDIT_TOKEN"
```
The response cursor lets you page forward, and you poll on an interval (or consume the streaming option) to keep your copy current. The key design choice: persist the events somewhere queryable — your SIEM, a log warehouse, an object store — rather than reading them ad hoc. Audit value comes from history and correlation, neither of which you get by curling the endpoint when you’re already worried.
The events worth alerting on
Streaming everything is necessary; alerting on everything is noise. These are the events I wire to actual alerts:
- app_installed and app_scopes_expanded — a new app or a scope expansion is how a malicious or careless integration gets a foothold. Alert and review every one.
- role_change_to_owner / role_change_to_admin — privilege escalation. Should be rare and always expected. If it’s not expected, it’s an incident.
- user_login_failed spikes — repeated failures from one actor or IP are credential stuffing. Threshold-alert it.
- Logins from anomalous geographies or new ASNs — the context field carries IP and location; flag logins that don’t fit the user’s pattern.
- guest_created and external sharing changes — every external participant is expanded attack surface.
- file_downloaded at volume — a single account pulling many files is a data-exfil signature.
Everything else streams to storage for forensics but doesn’t page anyone. The discipline is the same as alert tuning anywhere: alert on the few things that mean “act now,” archive the rest.
A simple collector
You don’t need a vendor connector to start. A small scheduled job that pages new events and ships them to your SIEM does the job:
```python
import json
import requests

AUDIT_URL = "https://api.slack.com/audit/v1/logs"


def ship_to_siem(entry):
    # Placeholder forwarder: emits one JSON line per event; swap in your SIEM's shipper
    print(json.dumps(entry))


def fetch_audit(token, oldest, cursor=None):
    """Fetch one page of audit events newer than `oldest`, forward each one,
    and return the cursor for the next page (None/empty when done)."""
    params = {"oldest": oldest, "limit": 200}
    if cursor:
        params["cursor"] = cursor
    r = requests.get(
        AUDIT_URL,
        headers={"Authorization": f"Bearer {token}"},
        params=params, timeout=15,
    )
    r.raise_for_status()
    data = r.json()
    for entry in data.get("entries", []):
        ship_to_siem(entry)  # forward to your pipeline
    return data.get("response_metadata", {}).get("next_cursor")
```
Track the last-seen timestamp so you don’t re-ingest, honor the rate limits (the audit endpoint is rate-limited like any other — back off on 429), and run it under a supervisor so a crash self-heals. Forward each entry in your SIEM’s expected format and let your existing detection rules do the correlation.
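The cursor paging from the earlier section plus the checkpointing and 429 back-off described here, as an added example that is not the post's own code. It assumes entries carry `id` and `date_create` fields, and it injects `get` (same call shape as `requests.get`) and `sleep` so the loop runs offline against a constructed two-page feed that rate-limits once.

```python
import time
from types import SimpleNamespace

AUDIT_URL = "https://api.slack.com/audit/v1/logs"

def collect_since(get, token, checkpoint, sleep=time.sleep, max_backoff=60.0):
    # Follow the cursor from checkpoint["oldest"], back off on 429, skip ids already
    # ingested at the boundary second, and return (entries, new_checkpoint) to persist.
    seen = set(checkpoint.get("seen", []))
    newest, entries, cursor = checkpoint.get("oldest", 0), [], None
    while True:
        params = {"oldest": checkpoint.get("oldest", 0), "limit": 200}
        if cursor:
            params["cursor"] = cursor
        resp = get(AUDIT_URL, headers={"Authorization": f"Bearer {token}"}, params=params)
        if resp.status_code == 429:  # rate limited: honor Retry-After (capped), retry same page
            sleep(min(float(resp.headers.get("Retry-After", "1")), max_backoff))
            continue
        resp.raise_for_status()
        data = resp.json()
        for e in data.get("entries", []):
            if e["id"] not in seen:  # the boundary second is re-fetched, so dedupe on id
                seen.add(e["id"])
                entries.append(e)
                newest = max(newest, e["date_create"])
        cursor = data.get("response_metadata", {}).get("next_cursor")
        if not cursor:
            break
    boundary = [e["id"] for e in entries if e["date_create"] == newest]
    if newest == checkpoint.get("oldest", 0):  # nothing newer: keep the old boundary ids
        boundary += checkpoint.get("seen", [])
    return entries, {"oldest": newest, "seen": boundary}

def _resp(status, body=None, headers=None):  # constructed stand-in for requests.Response
    return SimpleNamespace(status_code=status, headers=headers or {}, json=lambda: body or {},
                           raise_for_status=lambda: None)

def fake_get():
    """Constructed feed (not real Slack output): page 1, then one 429, then page 2."""
    pages = {None: {"entries": [{"id": "a", "date_create": 100, "action": "user_login"},
                                {"id": "b", "date_create": 105, "action": "app_installed"}],
                    "response_metadata": {"next_cursor": "p2"}},
             "p2": {"entries": [{"id": "c", "date_create": 105, "action": "file_downloaded"}],
                    "response_metadata": {"next_cursor": ""}}}
    calls = []
    def get(url, headers, params):
        calls.append(params.get("cursor"))
        if len(calls) == 2:
            return _resp(429, headers={"Retry-After": "2"})
        return _resp(200, pages[params.get("cursor")])
    return get
```

Persist the returned checkpoint after every successful drain; on restart, pass it back in and the loop resumes without re-ingesting the boundary second's events.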
Detections that earn their keep
Once events are in your SIEM, the high-value detections are correlations across actions:
- App install followed quickly by bulk file downloads — a classic malicious-integration pattern.
- Admin role grant from an IP that’s never logged in before — escalation from an unfamiliar source.
- Login success immediately after a burst of failures from the same actor — a brute force that finally landed.
- Off-hours owner-level changes — privileged change outside business hours deserves a human glance.
These are exactly the patterns your SIEM is good at and that no human watching a raw feed would catch. The Audit Logs API is the data source; your detection engine is the brain.
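Two of the correlations above run over a constructed audit feed, as an added example that is not the post's own code: the brute force that finally landed, and an app install followed by bulk downloads by the same actor. The entry shape follows the actor/action/entity/context layout the post describes; the exact field names (`date_create`, `actor.user.id`, `context.ip_address`) and the thresholds are assumptions.

```python
from collections import defaultdict

def ev(ts, action, user, ip):
    # Constructed entry in the actor/action/entity/context shape of the feed;
    # the exact field names (date_create, actor.user.id, context.ip_address) are assumed
    return {"date_create": ts, "action": action,
            "actor": {"type": "user", "user": {"id": user}},
            "context": {"ip_address": ip}}

# Constructed sample feed, not real Slack output: U1 is brute-forced until a login
# lands, U2 just mistypes twice, U3 installs an app and pulls 25 files, U4 pulls one.
EVENTS = (
    [ev(1000 + i * 10, "user_login_failed", "U1", "203.0.113.7") for i in range(6)]
    + [ev(1070, "user_login", "U1", "203.0.113.7")]
    + [ev(1500 + i * 10, "user_login_failed", "U2", "198.51.100.4") for i in range(2)]
    + [ev(1520, "user_login", "U2", "198.51.100.4")]
    + [ev(2000, "app_installed", "U3", "192.0.2.9")]
    + [ev(2010 + i * 10, "file_downloaded", "U3", "192.0.2.9") for i in range(25)]
    + [ev(3000, "app_installed", "U4", "192.0.2.10"), ev(3010, "file_downloaded", "U4", "192.0.2.10")]
)

def actor_id(e):
    return e["actor"]["user"]["id"]

def brute_force_landed(events, threshold=5, window=600):
    """user_login preceded by >= threshold user_login_failed from the same actor within window seconds."""
    failures, alerts = defaultdict(list), []
    for e in sorted(events, key=lambda x: x["date_create"]):
        who, ts = actor_id(e), e["date_create"]
        if e["action"] == "user_login_failed":
            failures[who].append(ts)
        elif e["action"] == "user_login":
            recent = [t for t in failures[who] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append((who, len(recent), e["context"]["ip_address"]))
            failures[who].clear()  # a success resets the window for that actor
    return alerts

def install_then_bulk_download(events, window=3600, min_files=20):
    """app_installed followed by >= min_files file_downloaded by the same actor within window seconds."""
    installed_at, downloads = {}, defaultdict(int)
    for e in sorted(events, key=lambda x: x["date_create"]):
        who, ts = actor_id(e), e["date_create"]
        if e["action"] == "app_installed":
            installed_at[who], downloads[who] = ts, 0
        elif (e["action"] == "file_downloaded" and who in installed_at
              and ts - installed_at[who] <= window):
            downloads[who] += 1
    return [(who, n) for who, n in downloads.items() if n >= min_files]
```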
Where AI helps (and where it doesn’t)
The audit feed is verbose and bursty, which makes it a reasonable target for AI summarization — a daily digest that reads the day’s notable events and produces “three things worth your attention” beats a human scanning thousands of lines. But keep the model on the read-and-summarize side of the line: it should surface and explain, not decide what’s malicious and auto-revoke. Real enforcement stays deterministic and human-reviewed. A saved digest prompt in your prompt library makes the daily summary a one-liner.
Don’t forget the basics around it
The API is the detection layer, but it sits on top of hygiene you should already have: enforce SSO and 2FA, review installed apps quarterly, restrict who can install apps and create external connections, and scope your own audit token to read-only. The Audit Logs API tells you when something went wrong; the configuration is what makes “went wrong” rare.
Turn it on this quarter
If you’re on Enterprise Grid and not ingesting audit logs, that’s the gap to close. Stand up a collector, ship events to your SIEM, and wire alerts for app installs, role escalations, and failed-login spikes. You’ll have visibility into a high-value target you’re currently flying blind on — and you’ll be very glad to have the history the next time someone asks “what did that compromised account touch?”
For more on hardening and operating Slack as serious infrastructure, see our other AI for Slack guides.