Monitor Slack Audit Logs
Learning Objectives
After completing this unit, you’ll be able to:
- Understand the benefits of Slack audit logs.
- Access Slack audit logs.
- Identify the key components and features of the Slack Audit Log dashboard.
- Interpret log entries to monitor workspace activities.
Why Are Slack Audit Logs Helpful?
Slack audit logs help you ensure security and compliance in your Slack workspace. For example, if you suspect an employee has downloaded unauthorized data before leaving the company, or there’s unusual activity on a user’s Slack account, you can use audit logs to investigate and view detailed information about each event in your workspace.
They provide a detailed record of activities within your Slack workspace and are crucial for:
- Monitoring user activities.
- Detecting unusual or unauthorized actions.
- Ensuring compliance with organizational policies.
It’s easy to access audit logs right from Slack.
Access the Slack Audit Log Dashboard
To access Slack audit logs:
- Ensure you have the necessary admin permissions to view audit logs. Audit logs are an Enterprise Grid feature, so you need an org-level admin role (Org Owner or Org Admin) rather than workspace-level admin rights.
- Navigate to Tools & settings | Administration | Manage Audit Logs.
Discover Audit Log Features
Now that you know how to access Slack audit logs, let’s take a look at some important features.
- Filter (1): Narrows the log entries by criteria such as date range, acting user, or action type.
- Audit Logs tab (2): Displays detailed information about each recorded event, including the timestamp, the user involved (the acting user), the affected entity (for example, another user or your workspace), and the action taken.
- Security Detections tab (3): Highlights anomalous events that Slack has detected and flagged as suspicious. Each entry shows the action taken by the acting user, along with that user's IP address and geolocation at the time. Treat these as signals to corroborate rather than verdicts: a new IP address can be a legitimate network change as easily as a compromise.
- Data Exports (4): Exports audit logs in bulk, either as a CSV file with the overview columns shown in the dashboard table or as a JSON file containing every entry's raw log details.
Interpret Audit Log Entries
Each log entry provides valuable information to help you monitor and secure your workspace. Look for these key details when you review an audit log entry to help you interpret the events.
- Timestamp (1): When the event occurred.
- User (2): The individual who performed the action.
- Action (3): The specific activity that was recorded (user login, message deletion, and so forth).
- IP Address (4): The IP address from which the action was performed.
View an overview of this data in the Audit Logs dashboard table. Or, access the log entry’s raw JSON details by selecting View Full Log Details from the dropdown button.
Audit Logs in Action
Let’s take a look at two scenarios where audit logs help Slack admins identify and investigate activity that seems suspicious or problematic.
Identifying Suspicious Activity
Sarah, a Slack administrator for a midsize company, receives an alert about unusual activity on the Slack account of her colleague Johann. She decides to investigate.
First, Sarah navigates to her workspace’s Audit Logs dashboard and selects the Security Detections tab. She filters the results to display audit logs pertaining to Johann’s user account only, and notices that Johann’s account has triggered several ip_address security detections. She toggles back to the main Audit Logs tab, keeping her filters set to display logs for Johann only. While scanning all of Johann’s logs, she notices:
- Multiple logs containing unfamiliar IP addresses
- Several file downloads
Sarah cross-references these IP addresses with her company’s VPN logs and confirms they don’t originate from an approved location or ASN.
Based on this information, Sarah immediately deactivates Johann's account to cut off its access to the workspace and to give herself time to work out how and why the account is showing signs of compromise. Deactivating rather than deleting also preserves the account's history for the rest of the investigation.
Using both the Audit Logs and Security Detections tabs gives Sarah full visibility into the chronological record of actions Johann's account took in Slack from unknown IP addresses. Because audit log data and security detections are recorded in real time, she can identify and mitigate the concern quickly, and the dashboard filters let her narrow her focus to that one account.
Since she was familiar with Slack audit logs, Sarah was able to quickly identify suspicious activity, gather evidence, and take immediate action to protect company data.
Investigating Unauthorized Data Access
Eric’s company has reported concerns about potential unauthorized data access and exfiltration from their Slack Grid organization. They suspect that a recently terminated employee may have downloaded a large amount of sensitive data before leaving the company. Eric, part of his company’s security department, is tasked with investigating these concerns.
Eric navigates to his organization's Audit Logs dashboard and selects the Security Detections tab. He filters the results to display log entries with the former employee as the acting user, and confirms that the former employee's account generated an excessive_downloads security detection.
To get more details about this event, he clicks ••• → View Full Log Details.
- In the resulting window, he reads the context section of the log's raw details.
- He notes the user-agent and IP address recorded for the user when the excessive download occurred; together these tell him which device and network the company's data was first downloaded to.
- He also notes when the detection fired, from the action_timestamp field in the details section.
In this scenario, Eric substantiates the claim that a terminated employee exfiltrated data from the company's Slack workspace and assembles the metadata associated with that event. Data points such as the former employee's IP address and user-agent support further investigation and help determine next steps.
Eric can also view a chronological timeline of the former employee's Slack activity before and after the security detection by switching to the Audit Logs tab while still filtering for that user and for the day of the detection. This shows what the former employee was able to do with their Slack account before their access was revoked, which is crucial for understanding the extent of any potential data breach and deciding which mitigating actions should follow.
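Both scenarios above come down to the same handful of checks on exported audit log entries: filter to one acting user, compare each entry's IP address with the ranges you consider approved, count the downloads, and pull the reason, IP address, user-agent and action_timestamp out of each security detection. The following script is an added example, not Slack's code or part of the original page. It assumes the JSON export has the shape of the Slack Audit Logs API entries (actor, entity, context with ip_address and ua, details), that anomaly entries carry their detection reasons in details.reason with action_timestamp in microseconds, and that 10.20.0.0/16 is the corporate VPN egress range; the sample export, user IDs, IP addresses and user-agents are constructed for the example.

```python
import ipaddress
import json
from collections import Counter
from datetime import datetime, timezone


def _entry(eid, ts, action, user_id, ip, details=None):
    """Build one entry in the exported JSON shape (constructed sample data)."""
    return {
        "id": eid, "date_create": ts, "action": action,
        "actor": {"type": "user", "user": {"id": user_id, "name": user_id.lower()}},
        "entity": {"type": "workspace", "workspace": {"id": "T01", "name": "example"}},
        "context": {"ua": "Mozilla/5.0 (sample)", "ip_address": ip},
        "details": details or {},
    }


# Constructed export: U01 logs in from the VPN, then downloads files from an
# outside address, triggering an ip_address detection and later an
# excessive_downloads detection. U02 is a second user that filtering must drop.
SAMPLE_EXPORT = json.dumps({"entries": [
    _entry("e1", 1700000000, "user_login", "U01", "10.20.30.40"),
    _entry("e2", 1700003600, "file_downloaded", "U01", "203.0.113.7"),
    _entry("e3", 1700003660, "anomaly", "U01", "203.0.113.7",
           {"action_timestamp": 1700003660000000, "reason": ["ip_address"],
            "previous_ip_address": "10.20.30.40"}),
    _entry("e4", 1700003700, "file_downloaded", "U01", "203.0.113.7"),
    _entry("e5", 1700007200, "anomaly", "U01", "203.0.113.7",
           {"action_timestamp": 1700007200000000, "reason": ["excessive_downloads"]}),
    _entry("e6", 1700007300, "file_downloaded", "U02", "10.20.30.41"),
]})

# Assumed corporate egress ranges; replace with your own VPN/office prefixes.
APPROVED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def to_utc(ts):
    """Epoch timestamp to ISO-8601 UTC. date_create is seconds; the
    action_timestamp in anomaly details is assumed to be microseconds."""
    if ts > 10**12:
        ts = ts / 1_000_000
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def is_approved_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_NETWORKS)


def entries_for_actor(raw_export, user_id):
    """The dashboard's user filter: one acting user, oldest entry first."""
    entries = json.loads(raw_export)["entries"]
    mine = [e for e in entries if e["actor"].get("user", {}).get("id") == user_id]
    return sorted(mine, key=lambda e: e["date_create"])


def detections(entries):
    """The fields read from View Full Log Details for each anomaly entry."""
    out = []
    for e in entries:
        if e["action"] != "anomaly":
            continue
        d = e["details"]
        out.append({
            "reasons": list(d.get("reason", [])),
            "ip_address": e["context"].get("ip_address"),
            "ua": e["context"].get("ua"),
            "detected_at": to_utc(d.get("action_timestamp", e["date_create"])),
        })
    return out


def timeline(entries):
    """Chronological one-line-per-event view, flagging unapproved IPs."""
    rows = []
    for e in entries:
        ip = e["context"].get("ip_address", "")
        flag = "" if is_approved_ip(ip) else " [UNAPPROVED IP]"
        rows.append(f"{to_utc(e['date_create'])} {e['action']} from {ip}{flag}")
    return rows


def triage(raw_export, user_id):
    """Summarise unfamiliar IPs, off-network downloads and detections for one user."""
    entries = entries_for_actor(raw_export, user_id)
    unapproved = sorted({e["context"]["ip_address"] for e in entries
                         if not is_approved_ip(e["context"]["ip_address"])})
    offnet_downloads = sum(1 for e in entries if e["action"] == "file_downloaded"
                           and not is_approved_ip(e["context"]["ip_address"]))
    return {
        "user_id": user_id,
        "action_counts": dict(Counter(e["action"] for e in entries)),
        "unapproved_ips": unapproved,
        "downloads_from_unapproved_ips": offnet_downloads,
        "detections": detections(entries),
        "timeline": timeline(entries),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EXPORT, "U01"), indent=2))
```

Run it as-is and the summary for U01 lists 203.0.113.7 as the only unapproved address, two downloads from it, and the two detections with their timestamps; point it at a real JSON export by replacing SAMPLE_EXPORT with the file contents and APPROVED_NETWORKS with the ranges your VPN logs actually cover.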
Now you know a few ways to use audit logs. Follow these best practices for auditing to ensure ongoing Slack security and compliance at your company.
- Security monitoring: Regularly review audit logs and flagged security detections; identify and respond to suspicious activities.
- Compliance audits: Ensure that all workspace activities comply with organizational policies and regulations. Data can be exported if needed for further review or submission to external compliance systems.
- Incident investigation: Use audit logs to investigate and resolve security incidents or policy violations.