Slack Access Logs

Cloud & SaaS, Authentication & Access, Slack, Cloud Control Plane

Location

Slack workspace or org administration > Access Logs

Description

User access records showing sign-ins and session activity against Slack workspaces, including client, IP, time, and authentication-relevant context available through the admin surface.

Forensic Value

Access logs are the main Slack evidence source for account-takeover investigations. They help determine which users authenticated from unfamiliar infrastructure, when suspicious sessions began, and whether activity lines up with the broader compromise timeline from identity-provider or endpoint evidence.
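An added example (not part of the original entry) of the triage described above: it reads exported access records, lists sessions from IPs a user never used before an assumed incident start, and groups flagged IPs shared by several accounts. The CSV column names (`username`, `ip`, `user_agent`, `date_first`) and all sample rows are constructed assumptions; map them to the fields in your own export.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample export. Column names are assumptions for this example,
# not a documented Slack schema; addresses are documentation ranges.
SAMPLE_CSV = """username,ip,user_agent,date_first
alice,198.51.100.10,SlackDesktop,2024-03-01T08:00:00+00:00
alice,198.51.100.10,SlackDesktop,2024-03-04T08:05:00+00:00
bob,203.0.113.7,SlackMobile,2024-03-02T09:00:00+00:00
alice,192.0.2.55,Mozilla/5.0,2024-03-10T02:14:00+00:00
bob,203.0.113.7,SlackMobile,2024-03-11T09:30:00+00:00
carol,192.0.2.55,Mozilla/5.0,2024-03-10T02:40:00+00:00
"""

def load_records(text):
    """Parse the export and return rows sorted by first-seen time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["date_first"] = datetime.fromisoformat(row["date_first"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["date_first"])

def unfamiliar_sessions(records, incident_start):
    """Return records at or after incident_start whose IP the user never
    used before it. Users with no baseline at all are flagged too, since
    there is no history to call the address familiar."""
    baseline = {}
    for r in records:
        if r["date_first"] < incident_start:
            baseline.setdefault(r["username"], set()).add(r["ip"])
    return [r for r in records
            if r["date_first"] >= incident_start
            and r["ip"] not in baseline.get(r["username"], set())]

def shared_ips(flagged):
    """Map each flagged IP used by more than one account to those accounts."""
    by_ip = {}
    for r in flagged:
        by_ip.setdefault(r["ip"], set()).add(r["username"])
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) > 1}

if __name__ == "__main__":
    start = datetime(2024, 3, 8, tzinfo=timezone.utc)  # assumed incident start
    hits = unfamiliar_sessions(load_records(SAMPLE_CSV), start)
    for r in hits:
        print(r["date_first"].isoformat(), r["username"], r["ip"], r["user_agent"])
    print(shared_ips(hits))
```

The first flagged row per user gives a candidate start time to compare against identity-provider and endpoint evidence.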

Tools Required

  • Slack Admin Console
  • Slack Enterprise administration

Collection Commands

Slack Admin Console

Workspace or org settings > Access Logs > Filter by user and date range, then export or preserve the resulting sign-in evidence

Collection Constraints

  • Access-log availability varies by Slack plan and administrative scope, and it does not preserve full message or file activity.
  • Long-term history may require prompt export or an external archival workflow before records age out.

MITRE ATT&CK Techniques

T1078.004, T1556