Collect Slack audit logs

This document explains how to ingest Slack Audit Logs to Google Security Operations using Google Cloud Run functions. The parser handles two formats of Slack audit logs. It first normalizes boolean values and clears predefined fields. Then, it parses the "message" field as JSON, handling non-JSON messages by dropping them. Depending on the presence of specific fields ( date_create and user_id ), the parser applies different logic to map raw log fields to the UDM, including metadata, principal, network, target, and about information, and constructs a security result.

Before you begin

Make sure you have the following prerequisites:

• A Google SecOps instance
• Privileged access to Slack Enterprise Gridtenant and Admin Console
• Privileged access to GCPCloud Run functions and Cloud Scheduler

Collect Slack Audit Logs prerequisites (App ID, OAuth Token, Organization ID)

1. Sign in to the Slack Admin Consolefor your Enterprise Grid organization.
2. Go to https://api.slack.com/appsand click Create New App > From scratch.
3. Enter the App Nameand select your Development Slack Workspace.
4. Click Create App.
5. Navigate to OAuth & Permissionsin the left sidebar.
6. Go to the Scopessection and add the following User Token Scope:
   • auditlogs:read
7. Click Install to Workspace > Allow.
8. Once installed, navigate to Org Level Apps > Install to Organization.
9. Authorize the app with an Organization Owner/Adminaccount.
10. Copy and securely save the User OAuth Tokenthat starts with xoxp- (this is your SLACK_ADMIN_TOKEN).
11. Copy your Organization IDwhich can be found in the Slack Admin Console under Settings & Permissions > Organization settings.

Setting up the directory

1. Create a new directory on your local machine for the Cloud Run function deployment.
2. Download the following files from the Chronicle ingestion-scripts GitHub repository :
   • From the slackfolder, download:
     • .env.yml
     • main.py
     • requirements.txt
   • From the rootof the repository, download the entire commondirectory with all its files:
     • common/__init__.py
     • common/auth.py
     • common/env_constants.py
     • common/ingest.py
     • common/status.py
     • common/utils.py
3. Place all downloaded files into your deployment directory.

Your directory structure should look like this:

 deployment_directory/
  ├─common/
  │ ├─__init__.py
  │ ├─auth.py
  │ ├─env_constants.py
  │ ├─ingest.py
  │ ├─status.py
  │ └─utils.py
  ├─.env.yml
  ├─main.py
  └─requirements.txt 

Create secrets in Google Secret Manager

1. In the Google Cloud console, go to Security > Secret Manager.
2. Click Create Secret.
3. Provide the following configuration details for the Chronicle service account:
   • Name: Enter chronicle-service-account .
   • Secret value: Paste the contents of your Google SecOps ingestion authentication JSON file.
4. Click Create secret.

5. Copy the secret resource namein the following format:

    projects/<PROJECT_ID>/secrets/chronicle-service-account/versions/latest 
   

6. Click Create Secretagain to create a second secret.

7. Provide the following configuration details for the Slack token:

   • Name: Enter slack-admin-token .
   • Secret value: Paste your Slack User OAuth Token (starting with xoxp- ).

8. Click Create secret.

9. Copy the secret resource namein the following format:

    projects/<PROJECT_ID>/secrets/slack-admin-token/versions/latest 
   

Setting the required runtime environment variables

1. Open the .env.yml file in your deployment directory.

2. Configure the environment variables with your values:

     CHRONICLE_CUSTOMER_ID 
    : 
     
    "<your-chronicle-customer-id>" 
    CHRONICLE_REGION 
    : 
     
    us 
    CHRONICLE_SERVICE_ACCOUNT 
    : 
     
    "projects/<PROJECT_ID>/secrets/chronicle-service-account/versions/latest" 
    CHRONICLE_NAMESPACE 
    : 
     
    "" 
    POLL_INTERVAL 
    : 
     
    "5" 
    SLACK_ADMIN_TOKEN 
    : 
     
    "projects/<PROJECT_ID>/secrets/slack-admin-token/versions/latest" 
    
   

   • Replace the following:
     • <your-chronicle-customer-id> : Your Google SecOps customer ID.
     • <PROJECT_ID> : Your Google Cloud project ID.
     • CHRONICLE_REGION: Set to your Google SecOps region. Valid values: us , asia-northeast1 , asia-south1 , asia-southeast1 , australia-southeast1 , europe , europe-west2 , europe-west3 , europe-west6 , europe-west9 , europe-west12 , me-central1 , me-central2 , me-west1 , northamerica-northeast2 , southamerica-east1 .
     • POLL_INTERVAL: Frequency interval (in minutes) at which the function executes. This duration must be the same as the Cloud Scheduler job interval.

3. Save the .env.yml file.

Deploying the Cloud Run function

1. Open a terminal or Cloud Shellin the Google Cloud console.

2. Navigate to your deployment directory:

     cd 
     
   /path/to/deployment_directory 
   

3. Execute the following command to deploy the Cloud Run function:

    gcloud  
   functions  
   deploy  
   slack-audit-to-chronicle  
    \ 
     
   --entry-point  
   main  
    \ 
     
   --trigger-http  
    \ 
     
   --runtime  
   python39  
    \ 
     
   --env-vars-file  
   .env.yml  
    \ 
     
   --timeout  
   300s  
    \ 
     
   --memory  
   512MB  
    \ 
     
   --service-account  
   <SERVICE_ACCOUNT_EMAIL> 
   

   • Replace <SERVICE_ACCOUNT_EMAIL> with the email address of the service account you want your Cloud Run function to use.

4. Wait for the deployment to complete.

5. Once deployed, note the function URLfrom the output.

Set up Cloud Scheduler

1. In the Google Cloud console, go to Cloud Scheduler > Create job.
2. Provide the following configuration details:
   • Name: Enter slack-audit-scheduler .
   • Region: Select the same region where you deployed the Cloud Run function.
   • Frequency: Enter */5 * * * * (runs every 5 minutes, matching the POLL_INTERVAL value).
   • Timezone: Select UTC.
   • Target type: Select HTTP.
   • URL: Enter the Cloud Run function URL from the deployment output.
   • HTTP method: Select POST.
   • Auth header: Select Add OIDC token.
   • Service account: Select the same service account used for the Cloud Run function.
3. Click Create.

UDM Mapping Table

Need more help? Get answers from Community members and Google SecOps professionals.