Overview
The Slack integration polls the Slack Audit Logs API to ingest workspace and Enterprise Grid events:
- User logins, password resets, and MFA changes
- Channel creation, archiving, and membership changes
- App installations, scope grants, and bot activity
- Workspace and Enterprise admin policy changes
- File uploads and shared channel events
Available on Slack Enterprise Grid plans.
Prerequisites
- A Slack Enterprise Grid org with Org Owner or Org Admin privileges.
- Ability to create and install a Slack app at the org level.
Step 1: Create a Slack app
- Go to https://api.slack.com/apps and click Create New App → From scratch.
- Name it Atatus SIEM, choose your Enterprise Grid org as the workspace, and click Create.
- In OAuth & Permissions, scroll to User Token Scopes and add: auditlogs:read
- Under OAuth Tokens, click Install to Organization.
- Approve the install request as the Org Owner.
- Copy the resulting OAuth Access Token (starts with xoxp-).
Step 2: Connect Slack in Atatus
- In Atatus, go to Security → Cloud SIEM → Integrations.
- Locate the Slack card and click Connect.
- Fill in the form:
| Field | Description | Example |
|---|---|---|
| OAuth Token | The token created in Step 1. | xoxp-xxxxxxxxxxxx-... |
| Poll Interval (minutes) | How often to fetch new events. | 5 |
| Enabled | Turn collection on. | true |
- Click Connect.
Verification
- The Slack card shows Configured.
- Audit events appear in Security → Cloud SIEM → Audit Logs → Events with source slack.
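The polling described in the Overview, as an added example (not Atatus's own code): one poll cycle against Slack's Audit Logs API that follows pagination cursors and carries a timestamp checkpoint between polls. The function names, the checkpoint strategy, and the sample pages are assumptions made for illustration; the sample data is constructed.

```python
import json
import urllib.parse
import urllib.request

AUDIT_URL = "https://api.slack.com/audit/v1/logs"  # Slack Audit Logs API

def http_fetch(token, params):
    """Fetch one page, sending the xoxp- user token as a Bearer token."""
    url = AUDIT_URL + "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def poll_once(fetch, oldest, seen_ids):
    """Return (new_entries, next_oldest) for entries created at or after `oldest`.

    `oldest` is inclusive, so the boundary second is fetched again on the next
    poll; `seen_ids` drops those repeats by audit entry id.
    """
    params = {"oldest": oldest, "limit": 200}
    new, newest = [], oldest
    while True:
        page = fetch(params)
        for entry in page.get("entries", []):
            newest = max(newest, entry["date_create"])
            if entry["id"] not in seen_ids:
                seen_ids.add(entry["id"])
                new.append(entry)
        cursor = page.get("response_metadata", {}).get("next_cursor")
        if not cursor:  # an empty cursor marks the last page
            break
        params = {"oldest": oldest, "limit": 200, "cursor": cursor}
    return sorted(new, key=lambda e: e["date_create"]), newest

# Constructed sample pages (not real Slack data), newest entries first.
SAMPLE_PAGES = {
    None: {"entries": [{"id": "c3", "date_create": 1700000300, "action": "app_installed"},
                       {"id": "c2", "date_create": 1700000200, "action": "user_login"}],
           "response_metadata": {"next_cursor": "page2"}},
    "page2": {"entries": [{"id": "c1", "date_create": 1700000100, "action": "user_login"}],
              "response_metadata": {"next_cursor": ""}},
}

def sample_fetch(params):
    """Stand-in for http_fetch that serves SAMPLE_PAGES by cursor."""
    return SAMPLE_PAGES[params.get("cursor")]
```

To run it against a live org, pass `lambda p: http_fetch(token, p)` as `fetch`, reading the token from a secret store rather than hard-coding it.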