Slack Audit Logs
Location
Slack Admin > Audit Logs, or the Slack Audit Logs API
Description
Administrative audit events for Slack covering workspace and organization changes, app installations, channel governance actions, user and guest management, retention changes, and selected security-relevant administrative activity.
Forensic Value
Slack Audit Logs are essential for tracing tenant-level changes, privileged administrative actions, and app installation events that may expand data exposure or weaken controls. They also provide high-value context in insider threat and collaboration-platform compromise cases.
Tools Required
Collection Commands
Slack Audit Logs API
GET /audit/v1/logs?oldest=1709251200&latest=1709856000 (Unix timestamps bounding the window), authenticated with a Slack audit token; follow the response cursor until no further pages remain and preserve every paginated JSON response as returned.
Slack Admin Console
Security > Audit Logs > Filter by actor, action, and date range > Export the resulting evidence set.
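The API collection step above is the one most often done by hand and then lost (pages fetched but not preserved, or a cursor dropped halfway). The following is an added example, not Slack's code or part of this catalogue: a small collector that walks the cursor-paginated endpoint for a time window, stores every raw page with a SHA-256 digest so the evidence set can be verified later, and flags entries whose timestamps fall outside the requested window. The endpoint URL, the `oldest`/`latest`/`limit`/`cursor` parameters and the `response_metadata.next_cursor` field follow Slack's published API; the sample pages and the `sample_fetch` function are constructed so the script runs offline, and `http_fetch` is the assumed live equivalent.

```python
"""Collect and preserve Slack Audit Logs API pages (added example, not Slack's own code)."""
import hashlib
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

AUDIT_URL = "https://api.slack.com/audit/v1/logs"   # documented endpoint

# Constructed sample responses: two pages chained by next_cursor. The empty
# string key is the first request (no cursor); the second key is the cursor
# the first page hands back. Timestamps are within the window used below
# except e3, which is deliberately one second past `latest`.
SAMPLE_PAGES = {
    "": {
        "entries": [
            {"id": "e1", "date_create": 1709260000, "action": "app_installed",
             "actor": {"user": {"email": "admin@example.com"}},
             "entity": {"app": {"name": "example-app"}}},
            {"id": "e2", "date_create": 1709270000, "action": "user_login",
             "actor": {"user": {"email": "alice@example.com"}}},
        ],
        "response_metadata": {"next_cursor": "cursor_page2"},
    },
    "cursor_page2": {
        "entries": [
            {"id": "e3", "date_create": 1709856001, "action": "app_installed",
             "actor": {"user": {"email": "admin@example.com"}}},
        ],
        "response_metadata": {"next_cursor": ""},
    },
}


def sample_fetch(params: Dict) -> Dict:
    """Offline stand-in for the API: returns the constructed page for a cursor."""
    return SAMPLE_PAGES[params.get("cursor", "")]


def http_fetch(token: str) -> Callable[[Dict], Dict]:
    """Live fetcher (assumed usage): bearer-token GET against the real endpoint."""
    def fetch(params: Dict) -> Dict:
        url = AUDIT_URL + "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def collect_audit_logs(fetch: Callable[[Dict], Dict], oldest: int, latest: int,
                       limit: int = 200) -> List[Dict]:
    """Walk the cursor chain for [oldest, latest]; keep each raw page plus its digest."""
    pages: List[Dict] = []
    cursor = ""
    while True:
        params = {"oldest": oldest, "latest": latest, "limit": limit}
        if cursor:
            params["cursor"] = cursor
        page = fetch(params)
        # Canonical serialisation so the digest is reproducible on re-collection.
        raw = json.dumps(page, sort_keys=True, separators=(",", ":")).encode()
        pages.append({
            "page": len(pages) + 1,
            "params": params,
            "sha256": hashlib.sha256(raw).hexdigest(),
            "raw": raw,
            "entry_count": len(page.get("entries", [])),
        })
        cursor = page.get("response_metadata", {}).get("next_cursor") or ""
        if not cursor:                      # empty cursor ends the chain
            return pages


def flatten_entries(pages: List[Dict]) -> List[Dict]:
    """Re-parse the preserved raw pages into one entry list (no mutation of evidence)."""
    entries: List[Dict] = []
    for p in pages:
        entries.extend(json.loads(p["raw"]).get("entries", []))
    return entries


def outside_window(entries: List[Dict], oldest: int, latest: int) -> List[str]:
    """IDs of entries whose date_create falls outside the requested window."""
    return [e["id"] for e in entries
            if not (oldest <= e.get("date_create", -1) <= latest)]


def count_actions(entries: List[Dict]) -> Dict[str, int]:
    """Per-action tally, useful for a first triage of what an admin changed."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e["action"]] = counts.get(e["action"], 0) + 1
    return counts


if __name__ == "__main__":
    pages = collect_audit_logs(sample_fetch, 1709251200, 1709856000)
    for p in pages:
        print(f"page {p['page']}: {p['entry_count']} entries sha256={p['sha256'][:16]}...")
    ents = flatten_entries(pages)
    print("actions:", count_actions(ents))
    print("outside window:", outside_window(ents, 1709251200, 1709856000))
```

Write each `raw` page to disk alongside a manifest of the digests and the exact request parameters; the manifest is what lets a reviewer re-run the same query later and confirm nothing was dropped between the API and the case file. Entries reported outside the window are not discarded, only flagged, since discarding evidence during collection is exactly what the manifest is meant to rule out.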
Collection Constraints
- Slack audit logging availability depends on the Slack plan and organization features; not every workspace has the same audit surface.
- Audit logs record administrative activity and governance actions, not the full content of messages or files by themselves.
MITRE ATT&CK Techniques
References
Used in Procedures
Related Blockers
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.