
Slack Audit Logs

Slack audit logs provide comprehensive visibility into user activities and administrative actions within your Slack workspace. These logs capture events such as user logins, message deletions, channel modifications, app installations, and permission changes. They help administrators monitor workspace activity, ensure compliance, and investigate security incidents.

[Screenshot: Slack source in RunReveal]

RunReveal will backfill your audit logs since March 2018 (the earliest available from Slack). Once the processor has caught up, RunReveal imports new audit logs roughly every 60 seconds.

Slack audit logs require a Pro plan subscription in RunReveal and any Enterprise-level plan in Slack (e.g. Enterprise Select, Enterprise Grid). Make sure your Slack workspace meets these requirements before proceeding with setup.

Prerequisites

Before setting up Slack audit logs, ensure you have:

  • A RunReveal Pro plan subscription
  • A Slack Enterprise workspace subscription (any Enterprise plan, e.g. Enterprise Select or Enterprise Grid)
  • Administrative access to your Slack workspace, including the ability to install apps at the organization level
  • Permission to create and configure Slack apps

Access

RunReveal authenticates using a Slack user token obtained through OAuth. Configure your Slack app with the following scopes:

Scope            Type              Purpose
auditlogs:read   User Token Scope  Read audit events from your Enterprise organization
users:read       Bot Token Scope   (Enterprise Grid only) Required when the app is installed as an org-level app

The auditlogs:read token must be granted by an Owner of the Enterprise organization. Audit logs are org-wide rather than per-workspace, so the OAuth flow must install the app on the organization, not just a single workspace.

Infrastructure

RunReveal connects to Slack using the domain that matches your organization. For commercial Slack, leave Use GovSlack unchecked. For GovSlack, enable the Use GovSlack checkbox on the source page so RunReveal uses the slack-gov.com endpoints for OAuth and audit log polling.

Environment           Slack domain    OAuth authorize                            Audit logs API
Commercial (default)  slack.com       https://slack.com/oauth/v2/authorize       https://api.slack.com/audit/v1/logs
GovSlack              slack-gov.com   https://slack-gov.com/oauth/v2/authorize   https://api.slack-gov.com/audit/v1/logs

GovSlack runs on a separate, isolated domain from commercial Slack. Create your Slack app on api.slack-gov.com/apps for GovSlack tenants — apps and credentials from commercial Slack cannot be used across environments.

Setup

Step 1: Create a Slack App

  1. Navigate to the Slack apps dashboard for your environment (api.slack.com/apps for commercial Slack, or api.slack-gov.com/apps for GovSlack).
  2. Sign in with your Slack workspace credentials.
  3. Click "Create New App" and select "From scratch".
  4. Give your app a descriptive name (e.g., "RunReveal Audit Logs") and select the workspace you wish to use for audit log collection.
  5. Click "Create App" to proceed.

Step 2: Configure OAuth Scopes

  1. In your newly created Slack app, navigate to "OAuth & Permissions" in the left sidebar.
  2. Scroll down to the "Scopes" section and expand "User Token Scopes".
  3. Click "Add an OAuth Scope" and select "auditlogs:read" from the list.
  4. Click "Save Changes" to apply the configuration.

Step 3: Get App Credentials

  1. Navigate to "Basic Information" in the left sidebar of your Slack app.
  2. Copy the "Client ID" and "Client Secret" values; you'll need these for the RunReveal configuration.

Keep your Client Secret secure and never share it publicly. This credential provides access to your Slack audit logs.

Step 4: Start RunReveal Source Creation

  1. Navigate to the RunReveal UI and go to the source creation page.
  2. Select "Slack" as your source type.
  3. Provide a descriptive name for your Slack source.
  4. Enter the Client ID and Client Secret from your Slack app.
  5. If your organization uses GovSlack, check Use GovSlack so RunReveal connects to slack-gov.com instead of slack.com.
  6. RunReveal will provide you with a redirect URL — copy this URL.

[Screenshot: Connect Slack source in RunReveal]

Step 5: Configure OAuth Redirect URL

  1. Return to your Slack app's "OAuth & Permissions" page.
  2. Under "Redirect URLs", click "Add New Redirect URL" and paste the redirect URL provided by RunReveal.
  3. Click "Save Changes".

Step 6: Complete OAuth Flow

  1. Return to the RunReveal source creation page and continue with the setup.
  2. Click "Connect Source" to finish the setup.
  3. You are redirected to Slack to approve the permissions requested by the integration. Click "Allow"; Slack then redirects you back to RunReveal.

Enterprise Grid: Org-Level App Steps

If you're using Slack Enterprise Grid (or another Enterprise plan with org-level apps), complete these additional steps so the app can read audit logs across your organization:

Add Bot Scope

  1. In your Slack app, navigate to "OAuth & Permissions" in the left sidebar.
  2. Scroll down to the "Scopes" section and expand "Bot Token Scopes".
  3. Click "Add an OAuth Scope" and select "users:read" from the list.
  4. Click "Save Changes" to apply the configuration.

Make the App an Org-Level App

  1. In your Slack app, navigate to "Org Level Apps" in the left sidebar under the "Features" section.
  2. Click the "Enable Org-Readiness" button.
  3. This makes your app an organization-level app, allowing it to function properly across your Enterprise Grid organization.

[Screenshot: Slack Org Level Apps configuration]

Verify It's Working

Once added, the source logs should begin flowing within a minute.

You can validate that RunReveal is receiving your logs by running the following SQL query:

    SELECT * FROM runreveal.slack_logs LIMIT 1

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: slack_logs (59 columns)

Column               Type
workspaceID          String
sourceID             String
sourceType           String
sourceTTL            UInt32
receivedAt           DateTime
id                   String
eventTime            DateTime
eventName            String
eventID              String
srcIP                String
srcASCountryCode     String
srcASNumber          UInt32
srcASOrganization    String
srcCity              String
srcConnectionType    String
srcISP               String
srcLatitude          Float64
srcLongitude         Float64
srcUserType          String
dstIP                String
dstASCountryCode     String
dstASNumber          UInt32
dstASOrganization    String
dstCity              String
dstConnectionType    String
dstISP               String
dstLatitude          Float64
dstLongitude         Float64
dstUserType          String
actor                Map(String, String)
tags                 Map(String, String)
resources            Array(String)
serviceName          String
enrichments          Array(Tuple(data Map(String, String), name String, provider String, type String, value String))
readOnly             Bool
rawLog               String
slackId              String
dateCreate           DateTime
action               String
actorType            String
actorUserId          String
actorUserName        String
actorUserEmail       String
entityType           String
entityUserId         String
entityUserName       String
entityUserEmail      String
entityFileId         String
entityFileName       String
entityFileTitle      String
entityFileType       String
locationType         String
locationId           String
locationName         String
locationDomain       String
userAgent            String
ipAddress            String
sessionId            String
details              String
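The following Python script is an added example, not RunReveal's own processor or any code from Slack. It shows how the raw audit entries that the Audit Logs API endpoints in the Infrastructure table return (nested actor, entity and context objects) map onto the slack_logs column names in the schema table above, and then runs one small detection over the flattened rows: actors whose user_login events arrived from more than one source IP. The raw entry shape (id, date_create, action, actor, entity, context, details) is the Slack Audit Logs API format as this example understands it and is an assumption; all IDs, names and addresses are constructed sample data, and the flattening is illustrative rather than a description of RunReveal's normalization.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Audit log polling endpoints from the Infrastructure table on this page.
AUDIT_LOGS_API = {
    False: "https://api.slack.com/audit/v1/logs",      # commercial Slack
    True: "https://api.slack-gov.com/audit/v1/logs",   # GovSlack
}


def audit_logs_url(use_gov_slack: bool) -> str:
    """Endpoint to poll for the chosen environment (mirrors the Use GovSlack checkbox)."""
    return AUDIT_LOGS_API[bool(use_gov_slack)]


def flatten(entry: dict) -> dict:
    """Map one raw Slack audit entry onto the slack_logs column names listed above.

    The nested entry layout is assumed to follow the Slack Audit Logs API format;
    this is an illustration, not RunReveal's own normalization logic.
    """
    actor = entry.get("actor", {})
    actor_user = actor.get("user", {})
    entity = entry.get("entity", {})
    entity_type = entity.get("type", "")
    # Slack nests the entity object under a key named after its type, e.g. entity["file"].
    entity_obj = entity.get(entity_type, {})
    is_user = entity_type == "user"
    is_file = entity_type == "file"
    ctx = entry.get("context", {})
    loc = ctx.get("location", {})
    return {
        "slackId": entry.get("id", ""),
        "dateCreate": datetime.fromtimestamp(entry["date_create"], tz=timezone.utc),
        "action": entry.get("action", ""),
        "actorType": actor.get("type", ""),
        "actorUserId": actor_user.get("id", ""),
        "actorUserName": actor_user.get("name", ""),
        "actorUserEmail": actor_user.get("email", ""),
        "entityType": entity_type,
        "entityUserId": entity_obj.get("id", "") if is_user else "",
        "entityUserName": entity_obj.get("name", "") if is_user else "",
        "entityUserEmail": entity_obj.get("email", "") if is_user else "",
        "entityFileId": entity_obj.get("id", "") if is_file else "",
        "entityFileName": entity_obj.get("name", "") if is_file else "",
        "entityFileTitle": entity_obj.get("title", "") if is_file else "",
        "entityFileType": entity_obj.get("filetype", "") if is_file else "",
        "locationType": loc.get("type", ""),
        "locationId": loc.get("id", ""),
        "locationName": loc.get("name", ""),
        "locationDomain": loc.get("domain", ""),
        "userAgent": ctx.get("ua", ""),
        "ipAddress": ctx.get("ip_address", ""),
        "sessionId": ctx.get("session_id", ""),
        "details": json.dumps(entry.get("details", {}), sort_keys=True),
        "rawLog": json.dumps(entry, sort_keys=True),
    }


def actors_with_multiple_login_ips(rows) -> dict:
    """Detection: actors whose user_login events came from more than one source IP.

    Returns {actorUserId: sorted list of IPs} for each actor that matches.
    """
    ips = defaultdict(set)
    for row in rows:
        if row["action"] == "user_login" and row["ipAddress"]:
            ips[row["actorUserId"]].add(row["ipAddress"])
    return {uid: sorted(v) for uid, v in ips.items() if len(v) > 1}


def _entry(eid, ts, action, actor, entity, ip, session):
    """Build a constructed sample entry in the assumed raw Slack audit format (test data only)."""
    return {
        "id": eid,
        "date_create": ts,
        "action": action,
        "actor": {"type": "user", "user": actor},
        "entity": entity,
        "context": {
            "location": {"type": "enterprise", "id": "E0EXAMPLE1",
                         "name": "Example Corp", "domain": "example-corp"},
            "ua": "Mozilla/5.0 (constructed)",
            "ip_address": ip,
            "session_id": session,
        },
        "details": {},
    }


# Constructed sample identities and entries; none of these values are real.
ALICE = {"id": "W0EXAMPLE1", "name": "alice", "email": "alice@example.com"}
BOB = {"id": "W0EXAMPLE2", "name": "bob", "email": "bob@example.com"}
REPORT = {"id": "F0EXAMPLE1", "name": "q1-report.pdf", "title": "Q1 report", "filetype": "pdf"}

SAMPLE_ENTRIES = [
    _entry("evt-1", 1521214343, "user_login", ALICE, {"type": "user", "user": ALICE}, "203.0.113.10", "s1"),
    _entry("evt-2", 1521214400, "user_login", BOB, {"type": "user", "user": BOB}, "203.0.113.22", "s2"),
    _entry("evt-3", 1521218000, "user_login", ALICE, {"type": "user", "user": ALICE}, "198.51.100.7", "s3"),
    _entry("evt-4", 1521218100, "file_downloaded", ALICE, {"type": "file", "file": REPORT}, "198.51.100.7", "s3"),
]

if __name__ == "__main__":
    rows = [flatten(e) for e in SAMPLE_ENTRIES]
    for r in rows:
        print(r["dateCreate"].isoformat(), r["action"], r["actorUserName"], r["ipAddress"], r["entityType"])
    print("multiple login IPs:", actors_with_multiple_login_ips(rows))
```

Once the rows are in the slack_logs table, the same detection is a GROUP BY on actorUserId over user_login rows counting distinct ipAddress values; the Python version is here so the mapping from nested entry to flat columns can be read alongside the schema.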

Troubleshooting

If you encounter issues with the setup:

  • Ensure your Slack workspace has an Enterprise plan (e.g. Enterprise Select or Enterprise Grid)
  • Verify the OAuth redirect URL is correctly configured in both Slack and RunReveal
  • Check that the auditlogs:read scope is properly added to your Slack app
  • Confirm the token was granted by an Owner of the Enterprise organization (org-wide install, not a single workspace)
  • For GovSlack, confirm Use GovSlack is checked and your app was created on api.slack-gov.com/apps — commercial Slack apps and credentials do not work with GovSlack
  • Confirm your RunReveal account has a Pro plan subscription

For additional help, contact RunReveal support.