
Use Discovery and Audit Logs APIs

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe common use cases for the Audit Logs API.
  • Describe the use case for the Legal Holds API and how you can manage legal holds with the Discovery API.

Audit Logs API

Enterprise Grid customers can use the Audit Logs API to ensure compliance, audit suspicious behavior, and safeguard system access. The API records changes and usage to keep orgs secure.

Developers can build apps to poll the Audit Logs API on schedule and push events to SIEM tools like Splunk or Sumo Logic. The Audit Logs API is used for monitoring the audit events that happen on an Enterprise Grid organization. Org owners can use apps that use this API to query user actions in a workspace.

With this API, an org owner can:

  • Automatically feed Slack access data into an SIEM or other auditing tool.
  • Proactively monitor for security issues or malicious access attempts.
  • Write custom apps to gather insight into how their organization uses Slack.

The read-only Audit Logs API tracks 150+ event types across categories (channel, user, app, file, workflow). It provides org-level insights, but it can’t monitor message/file content. An endpoint lists all available actions.

Note:

While the Audit Logs API is helpful for monitoring your Slack Enterprise Grid’s security-related events, it doesn’t let you retrieve any message or file content.

What You Need to Know to Use the Audit Logs API

  • To use the Audit Logs API, an application requesting the auditlogs:read scope must be installed by an org owner on their Enterprise Grid org. The resulting user token (which starts with xoxp-) is an org-level token.
  • The Audit Logs API returns results for all workspaces and users across the whole organization.
  • The Audit Logs API is rate limited at Tier 3: up to 50 requests per minute, with some allowance for sporadic bursts.
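The scheduled poller described above (poll on a schedule, stay inside the Tier 3 budget, forward events to a SIEM) as an added example; this is not code from Trailhead or Slack. The endpoint URL, the limit/oldest/cursor query parameters and the entry and response shape are assumed from Slack's public Audit Logs API reference, not stated on this page, and the sample pages are constructed so the module runs offline. The HTTP call is injected so a real deployment only has to supply a function that performs the GET with the org-level xoxp- token.

```python
"""Audit Logs poller: cursor pagination, Tier 3 rate budget, a checkpoint of what
was already forwarded, and flat NDJSON output for a SIEM collector.
Endpoint, parameters and entry schema are ASSUMED from Slack's public reference."""
import json
import time
from typing import Callable, Dict, Iterator, List, Optional, Tuple

AUDIT_LOGS_URL = "https://api.slack.com/audit/v1/logs"  # assumed from Slack's docs
TIER3_REQUESTS_PER_MINUTE = 50  # from the page: Tier 3 allows 50 requests per minute


class RateLimiter:
    """Token bucket sized to the per-minute budget: a short burst is allowed up to
    the bucket size, after which calls are spaced at the refill rate."""

    def __init__(self, per_minute=TIER3_REQUESTS_PER_MINUTE, clock=time.monotonic, sleep=time.sleep):
        self.capacity, self.tokens = per_minute, float(per_minute)
        self.refill_per_sec = per_minute / 60.0
        self.clock, self.sleep, self.last = clock, sleep, clock()

    def acquire(self) -> float:
        """Take one token, sleeping while the bucket is empty; returns seconds waited."""
        waited = 0.0
        while True:
            now = self.clock()
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
            self.last = now
            if self.tokens + 1e-9 >= 1.0:
                self.tokens -= 1.0
                return waited
            need = (1.0 - self.tokens) / self.refill_per_sec
            self.sleep(need)
            waited += need


def normalize_entry(entry: Dict) -> Dict:
    """Flatten one entry (actor/entity/context sub-objects, assumed schema) into the
    flat key/value record that SIEM field extractors handle best."""
    actor, entity, ctx = entry.get("actor", {}), entry.get("entity", {}), entry.get("context", {})
    a_type, e_type = actor.get("type"), entity.get("type")
    return {"source": "slack_audit_logs", "event_id": entry.get("id"),
            "timestamp": entry.get("date_create"), "action": entry.get("action"),
            "actor_type": a_type, "actor_id": actor.get(a_type, {}).get("id"),
            "actor_email": actor.get(a_type, {}).get("email"),
            "entity_type": e_type, "entity_id": entity.get(e_type, {}).get("id"),
            "source_ip": ctx.get("ip_address"), "user_agent": ctx.get("ua")}


def fetch_all(fetch_page: Callable[[Dict], Dict], params: Dict, limiter: RateLimiter) -> Iterator[Dict]:
    """Yield entries across pages by following response_metadata.next_cursor.
    fetch_page(query) performs the GET (with the xoxp- token) and returns the JSON body."""
    cursor: Optional[str] = None
    while True:
        limiter.acquire()
        page = fetch_page(dict(params, **({"cursor": cursor} if cursor else {})))
        yield from page.get("entries", [])
        cursor = page.get("response_metadata", {}).get("next_cursor") or None
        if cursor is None:
            return


def poll_once(fetch_page: Callable[[Dict], Dict], state: Dict,
              limiter: Optional[RateLimiter] = None, limit: int = 1000) -> Tuple[List[Dict], Dict]:
    """One scheduled run. state = {"oldest": unix_ts, "seen_ids": [...]} records the newest
    second already forwarded and the ids seen in it, so the next run (which asks for
    oldest=<that second>) never re-emits them. Returns (records, new_state)."""
    limiter = limiter or RateLimiter()
    old_ts, old_seen = int(state.get("oldest", 0)), set(state.get("seen_ids", []))
    params = {"limit": limit, **({"oldest": old_ts} if old_ts else {})}
    fresh = [e for e in fetch_all(fetch_page, params, limiter)
             if int(e.get("date_create", 0)) > old_ts
             or (int(e.get("date_create", 0)) == old_ts and e.get("id") not in old_seen)]
    if not fresh:
        return [], state
    newest = max(int(e["date_create"]) for e in fresh)
    ids_at_newest = {e["id"] for e in fresh if int(e["date_create"]) == newest}
    if newest == old_ts:
        ids_at_newest |= old_seen  # same second as last run: keep the earlier ids too
    return [normalize_entry(e) for e in fresh], {"oldest": newest, "seen_ids": sorted(ids_at_newest)}


def to_ndjson(records: List[Dict]) -> str:
    """Newline-delimited JSON, the form most SIEM HTTP collectors accept."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


# Constructed sample pages (not real API output) so the module runs offline.
SAMPLE_PAGES = {
    None: {"entries": [
        {"id": "evt-a", "date_create": 1700000100, "action": "user_login",
         "actor": {"type": "user", "user": {"id": "W012A3CDE", "email": "ana@example.com"}},
         "entity": {"type": "workspace", "workspace": {"id": "T0123"}},
         "context": {"ip_address": "203.0.113.10", "ua": "Mozilla/5.0"}},
        {"id": "evt-b", "date_create": 1700000050, "action": "app_installed",
         "actor": {"type": "user", "user": {"id": "W012A3CDE", "email": "ana@example.com"}},
         "entity": {"type": "app", "app": {"id": "A0ABC"}}, "context": {}}],
        "response_metadata": {"next_cursor": "cursor-page-2"}},
    "cursor-page-2": {"entries": [
        {"id": "evt-c", "date_create": 1700000100, "action": "public_channel_created",
         "actor": {"type": "user", "user": {"id": "W034F5GHI", "email": "bo@example.com"}},
         "entity": {"type": "channel", "channel": {"id": "C0XYZ"}},
         "context": {"ip_address": "198.51.100.7"}}],
        "response_metadata": {"next_cursor": ""}},
}


def fake_fetch_page(query: Dict) -> Dict:
    """Stand-in for the HTTP GET against AUDIT_LOGS_URL; keyed on the cursor only."""
    return SAMPLE_PAGES[query.get("cursor")]


if __name__ == "__main__":
    records, state = poll_once(fake_fetch_page, {})
    print(to_ndjson(records))
    print("checkpoint:", state)
```

The checkpoint keeps both the newest timestamp and the ids seen in that second, because a timestamp alone either re-sends events that share the last second or silently drops them; persist the returned state between scheduled runs.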

Discovery API

While conversations.history reads channel history one workspace at a time (limited to what the app can access), Enterprise+ customers use the Discovery API suite for org-wide message and channel monitoring and export to eDiscovery or DLP apps. Org owners must ask Slack to enable the Discovery API and add the discovery.* scopes to their apps. Once enabled, they can install org-level apps to export or act on messages and files.

There are two types of third-party partner apps that use the Discovery API.

  • eDiscovery: Export Slack messages and files to third-party warehouses for search, archiving, and retrieval.
  • Data loss prevention (DLP): Scan and redact confidential information (such as credit cards, SSNs) in messages and files that violate predefined policies.

A Quick Guide to Using Slack's Discovery API Solutions

1. Evaluate Your Needs

Choose eDiscovery or DLP based on organizational needs. Here are some scenarios to help you select the right Discovery API solution.

  • eDiscovery: Use for legal cases or to meet compliance for record retention.
    Features include:
    • Read-only access to messages and files
    • Can't quarantine, remove, or tag within Slack
    • Manage Legal Hold policies via Discovery and Legal Holds APIs
    • Data is archived in an external warehouse (doesn’t affect workspace interaction)
  • Data loss prevention (DLP): Secure data by detecting and removing threats with the DLP tools.
    Features include:
    • Read/write access to Slack org
    • Block sharing of confidential info (SSNs, and so on)
    • Authorized personnel enforce policies on messages and files
    • Review and remove quarantined content
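The eDiscovery versus DLP distinction above, as an added example that is not code from Trailhead, Slack or any partner: a scanner over Discovery API conversation JSON that detects SSNs and payment card numbers, validates each hit to cut false positives, and then applies the mode's policy, report only for a read-only eDiscovery integration, redacted text for a DLP integration. The message fields (channel, ts, user, text) are assumed to mirror the JSON the Discovery API returns and the messages are constructed samples; writing redacted text back would go through Slack's write-capable discovery.* methods, which this page does not name, so the module stops at producing findings and redacted text.

```python
"""DLP-style scan of Discovery API message JSON (assumed field names), with
validation of each pattern hit and a report-only or redact policy per mode."""
import re
from typing import Callable, Dict, List, Tuple

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional space/hyphen separators


def ssn_plausible(raw: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    area, group, serial = (int(p) for p in raw.split("-"))
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def luhn_ok(raw: str) -> bool:
    """Luhn checksum over the digits; rejects most order and ticket numbers."""
    digits = re.sub(r"[ -]", "", raw)
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


DETECTORS: List[Tuple[str, "re.Pattern", Callable[[str], bool]]] = [
    ("CARD", CARD_RE, luhn_ok),
    ("SSN", SSN_RE, ssn_plausible),
]


def scan_message(msg: Dict, mode: str) -> Dict:
    """Findings for one message plus the action the mode allows:
    mode="ediscovery" reports only (read-only access);
    mode="dlp" also returns the redacted text for the DLP app to write back."""
    if mode not in ("ediscovery", "dlp"):
        raise ValueError("mode must be 'ediscovery' or 'dlp'")
    text, redacted, findings = msg["text"], msg["text"], []
    for kind, pattern, validate in DETECTORS:
        for match in pattern.finditer(text):
            raw = match.group(0)
            if not validate(raw):
                continue  # pattern hit but failed validation: not reported
            findings.append({"type": kind, "channel": msg["channel"], "ts": msg["ts"],
                             "user": msg["user"], "last4": re.sub(r"\D", "", raw)[-4:]})
            redacted = redacted.replace(raw, "[REDACTED %s]" % kind)
    result = {"channel": msg["channel"], "ts": msg["ts"], "findings": findings, "action": "none"}
    if findings:
        result["action"] = "report" if mode == "ediscovery" else "redact"
        if mode == "dlp":
            result["redacted_text"] = redacted
    return result


def scan_history(messages: List[Dict], mode: str) -> List[Dict]:
    """Scan one page of conversation history; keep only messages with findings."""
    return [r for r in (scan_message(m, mode) for m in messages) if r["findings"]]


# Constructed sample messages: a standard test card number, a made-up SSN,
# and two lookalikes (a ticket id that fails Luhn, an SSN with area 000).
SAMPLE_MESSAGES = [
    {"channel": "C0FIN", "ts": "1700000100.000100", "user": "W012A3CDE",
     "text": "card on file is 4111 1111 1111 1111, exp 12/29"},
    {"channel": "C0HR", "ts": "1700000101.000200", "user": "W034F5GHI",
     "text": "new hire SSN 123-45-6789, please add to payroll"},
    {"channel": "C0OPS", "ts": "1700000102.000300", "user": "W034F5GHI",
     "text": "ticket 1234 5678 9012 3456 and placeholder 000-12-3456 are fine"},
]

if __name__ == "__main__":
    for r in scan_history(SAMPLE_MESSAGES, "dlp"):
        print(r)
```

Findings carry only the last four digits, so the scanner's own output does not become a second copy of the secret it was built to contain.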

2. Choose a Partner

Many enterprises want to connect all of their cloud solutions with Slack. Slack works with many third-party eDiscovery and DLP partners to enable this. Here's a list of our current third-party partners to choose from.

eDiscovery Partners

  • Archive360
  • Arctera Insight Capture/Merge 1
  • Aware
  • Behavox
  • Bloomberg Vault
  • Casepoint
  • Disco Hold (formerly Congruity)
  • DMS
  • Everlaw
  • Exterro
  • Global Relay
  • Hadrius
  • Hanzo
  • Logikcull
  • MirrorWeb
  • Nuix
  • Onna
  • OpenText Axcelerate
  • Pagefreezer
  • Proofpoint
  • Red Deer
  • Relativity
  • Smarsh
  • SteelEye
  • Theta Lake
  • Transcend
  • ZL Technologies
  • 17a-4 DataParser

DLP Partners

  • Astrix Security
  • Avanan
  • Aware
  • BigID
  • Bitglass
  • CloudLock
  • DoControl
  • Entro Security
  • FireEye
  • Fortra (formerly Digital Guardian)
  • Gamma
  • Lookout
  • Metomic
  • McAfee VISION Cloud (Skyhigh for Slack)
  • Netskope
  • Nightfall (formerly Watchtower)
  • Obsidian Security
  • Palo Alto Networks
  • Polymer
  • Proofpoint
  • Reco.ai
  • Symantec
  • Theta Lake
  • Zscaler

3. Data Access and Format

The Discovery API retrieves messages and files from any Enterprise+ workspace, from the creation date to the present. Edits and deletions are tracked only after a retention policy is enabled. Data is returned in JSON format; connect a third-party eDiscovery or DLP app if you need other formats.

Recap

In this unit, you learned how to use the Audit Logs API for security monitoring and the Discovery API for eDiscovery and DLP use cases—and how the Legal Holds API fits into the picture. Overall, you explored how the Admin API automates core Slack admin tasks, such as managing app approvals and user roles.

Resources
