CloudOps
Category
AI for Slack

Slack Compliance Metrics Export for SOC2 / ISO 27001 Evidence Prompt

Build automated metrics + evidence export from Slack — audit log queries, access reviews, channel inventory, retention policy coverage — for SOC2 / ISO 27001 / HIPAA auditors.

Target user
Compliance + IT engineers preparing for or sustaining audit programs
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior compliance engineer who has built Slack evidence collection for SOC2 / ISO 27001 audits that auditors actually approve without follow-up requests.

I will provide:
- Compliance regime(s) (SOC2 Type II / ISO 27001 / HIPAA / FedRAMP)
- Slack plan (Enterprise Grid needed for some APIs)
- Existing evidence collection (manual screenshots? Some automation?)
- Auditor pain points (missing logs, manual screenshots, dated evidence)

Your job:

1. **Map controls to Slack signals** — for SOC2 / ISO 27001:
   - **CC6.1 (logical access)** — who has access to what channels; admin role review
   - **CC6.2 (authorization)** — channel sensitivity labels + member ACLs
   - **CC6.3 (provisioning / deprovisioning)** — user creation / deletion timeliness
   - **CC7.2 (monitoring)** — audit log coverage + retention
   - **CC7.4 (incident response)** — incident channel evidence + retention
   - **CC8.1 (change management)** — bot/app approval workflow
   - **CC9.1 (risk assessment)** — DLP incident history

2. **API endpoints to leverage**:
   - **Audit Logs API** (Enterprise Grid) — `audit/v1/logs?action=...` for fine-grained events
   - **SCIM API** — user provisioning + deprovisioning timestamps
   - **`team.accessLogs`** — login history per user
   - **`team.integrationLogs`** — third-party app actions
   - **`conversations.list` + `conversations.members`** — channel + member inventory
   - **`admin.users.list`** — user state (active / disabled / deleted)

3. **Evidence collection automation** — scheduled jobs that produce:
   - **Daily**: audit log delta export to SIEM / S3 (immutable)
   - **Weekly**: channel sensitivity classification inventory
   - **Monthly**: user access review export — who has what role + last login + manager
   - **Quarterly**: app permission inventory + recent installs / removes
   - **Per-audit-cycle**: customized evidence packs

4. **Audit log retention**:
   - Slack default Audit Logs API retains 6 months
   - For longer retention required by SOC2 Type II / 7-year regs: stream daily to S3 with object lock + chronologically organized partitions
   - Immutable storage (no overwrite for retention window)

5. **Channel sensitivity classification report**:
   - List every channel with: type (public/private/Connect), classification label, sponsor, retention policy applied, member count, guest count
   - Highlight gaps: no classification, no sponsor, public channel with confidential data

6. **Access review automation**:
   - Quarterly export: every user with their channel memberships, role, last activity
   - Manager review workflow: bot DMs managers the list, requires confirm/revoke per direct report
   - Evidence: timestamped manager approval

7. **Bot / app inventory**:
   - All installed apps with: install date, scopes granted, owner, last used
   - Recent additions / removals
   - High-permission apps flagged for security review

8. **Incident response evidence**:
   - List of incident channels in audit window with: severity, duration, IC, postmortem URL
   - Evidence of timely communication (status page updates, internal comms)
   - Action items tracked to closure

9. **DLP incident log**:
   - Detections by category over window
   - Response actions taken
   - Trend analysis

10. **Evidence pack delivery** — for auditor review:
   - Cover page with audit period + control mapping
   - Per-control evidence summary + raw data links
   - Generated date + author + reviewer
   - All linked artifacts (CSVs / JSONs) in a single archive

11. **Anti-patterns to avoid**:
   - Manual screenshots (not reproducible)
   - Audit log retention shorter than the required window (discovered by the auditor during the audit rather than by you before it)
   - Missing immutability on retained logs
   - Sampling evidence (auditor wants comprehensive)
   - Stale evidence (must be from the audit window, not "last quarter")
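Steps 3 and 4 above describe the daily audit-log delta export into immutable, chronologically partitioned storage. The Python below is an added example, not part of the prompt, the site, or any Slack-provided code: the two API pages are constructed to follow the documented response shape of the Audit Logs API (`entries` plus `response_metadata.next_cursor`), `fake_audit_logs_page` stands in for the HTTP call, and `ImmutableStore` is an in-memory stand-in for an S3 bucket with Object Lock. It shows cursor pagination, a high-water mark for the delta, `year=/month=/day=` partition keys, a SHA-256 manifest for the evidence pack, and the edge case a scheduled job hits in practice: a re-run (or a same-second re-delivery) must be skipped, not rejected by the lock.

```python
"""Daily Slack audit-log delta export into write-once, date-partitioned storage."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Callable

# CONSTRUCTED sample pages shaped like GET audit/v1/logs responses, oldest first.
SAMPLE_PAGES = {
    "": {  # first page (no cursor)
        "entries": [
            {"id": "e1", "date_create": 1715731200, "action": "user_login",
             "actor": {"type": "user", "user": {"id": "U1", "email": "a@example.com"}},
             "entity": {"type": "workspace", "workspace": {"id": "T1"}}},
            {"id": "e2", "date_create": 1715734800, "action": "app_installed",
             "actor": {"type": "user", "user": {"id": "U2", "email": "b@example.com"}},
             "entity": {"type": "app", "app": {"id": "A1", "name": "constructed-app"}}},
        ],
        "response_metadata": {"next_cursor": "page2"},
    },
    "page2": {
        "entries": [
            {"id": "e3", "date_create": 1715817600, "action": "user_channel_join",
             "actor": {"type": "user", "user": {"id": "U1", "email": "a@example.com"}},
             "entity": {"type": "channel", "channel": {"id": "C1", "name": "incident-2024-05"}}},
        ],
        "response_metadata": {"next_cursor": ""},
    },
}


def fake_audit_logs_page(cursor: str) -> dict:
    """Stand-in for the HTTP call; production code would GET audit/v1/logs
    with oldest/latest bounds and pass the cursor back until it is empty."""
    return SAMPLE_PAGES[cursor]


def fetch_all_entries(fetch_page: Callable[[str], dict]) -> list:
    """Drain every page by following response_metadata.next_cursor."""
    entries, cursor = [], ""
    while True:
        page = fetch_page(cursor)
        entries.extend(page["entries"])
        cursor = page.get("response_metadata", {}).get("next_cursor", "")
        if not cursor:
            return entries


def partition_key(entry: dict, prefix: str = "slack-audit") -> str:
    """Chronological key: one object per entry under year=/month=/day= partitions."""
    ts = datetime.fromtimestamp(entry["date_create"], tz=timezone.utc)
    return f"{prefix}/year={ts:%Y}/month={ts:%m}/day={ts:%d}/{entry['id']}.json"


class ImmutableStore:
    """In-memory stand-in for an S3 bucket with Object Lock in compliance mode:
    a key is written once and can be neither overwritten nor deleted."""

    def __init__(self) -> None:
        self._objects: dict[str, bytes] = {}

    def exists(self, key: str) -> bool:
        return key in self._objects

    def put(self, key: str, body: bytes) -> str:
        if key in self._objects:
            raise PermissionError(f"object lock: {key} already exists")
        self._objects[key] = body
        return hashlib.sha256(body).hexdigest()

    def keys(self) -> list:
        return sorted(self._objects)

    def manifest(self) -> dict:
        """key -> SHA-256, the integrity list handed to the auditor with the pack."""
        return {k: hashlib.sha256(v).hexdigest() for k, v in self._objects.items()}


def export_delta(store: ImmutableStore, entries: list, high_water_mark: int = 0) -> tuple:
    """Write entries at or after the last exported timestamp; return (written, new_mark).

    The mark is compared with >= so entries sharing the last exported second are
    not lost; objects that already exist (same entry id) are skipped, which makes
    a re-run of the job idempotent instead of tripping the lock."""
    written, mark = 0, high_water_mark
    for e in sorted(entries, key=lambda e: (e["date_create"], e["id"])):
        if e["date_create"] < high_water_mark:
            continue
        key = partition_key(e)
        if store.exists(key):
            continue
        store.put(key, json.dumps(e, sort_keys=True).encode())
        written += 1
        mark = max(mark, e["date_create"])
    return written, mark


if __name__ == "__main__":
    store = ImmutableStore()
    n, mark = export_delta(store, fetch_all_entries(fake_audit_logs_page))
    print(n, "entries written; high-water mark", mark)
    print(json.dumps(store.manifest(), indent=2))
```

Persist the returned high-water mark alongside the job (not in the bucket it writes to) and have the next day's run pass it back in; the manifest is what lets an auditor verify months later that nothing in the partition was altered.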

Output as: (a) control → Slack signal mapping table, (b) API endpoints + payload examples, (c) evidence collection schedule, (d) retention strategy, (e) sample reports per control, (f) access review workflow, (g) evidence pack structure, (h) anti-pattern checklist.

Bias toward: automated > manual, immutable > overwritable, comprehensive > sampled, evidence dated within audit window.