I am looking to create a Splunk alert that posts to the Slack channel and mentions a particular user group so a badge appears next to the channel for all members of that particular group. For example: If the alert says 'host is down', I want the user group @prodSA to be mentioned in the alert so the. The Slack Add-on for Splunk uses the Slack Audit Logs API to fetch Slack Enterprise Grid Audit Logs into Splunk. Getting Started The Audit Logs API is for monitoring the audit events happening in an Enterprise Grid organization to ensure continued compliance, to safeguard against any inappropriate system access, and to allow you to audit.

The Slack Add-on for Splunk uses the Slack Audit Logs API to fetch Slack Enterprise Grid Audit Logs into Splunk.

Getting Started

The Audit Logs API is for monitoring the audit events happening in an Enterprise Grid organization to ensure continued compliance, to safeguard against any inappropriate system access, and to allow you to audit suspicious behavior within your enterprise.

Splunk slack

The idea is to give Enterprise Grid organization owners the ability to query user actions in a workspace. With this API, you could:

  • Automatically feed Slack access data into an SIEM or other auditing tool
  • Proactively monitor for potential security issues or malicious access attempts
  • Write custom apps to gain insight into how your organization uses Slack
Splunk Slack

Learn more about Monitoring with the Audit Logs API

Installation and Configuration Steps

This application can be installed an On-Prem or Cloud deployments of Splunk.

Installation Steps for on-prem

Splunk Wiki

Install the TA on one of the Heavy Forwarder(s). Ensure to copy over eventtypes.conf, props.conf and tags.conf over to your search head to make sure field aliases, event types and tags for data model mapping comes through.

Splunk wiki
Installation Steps for cloud

Splunk Slack Webhook Alert

Create a support ticket with APP-CERT reference to get the app installed on a Cloud instance OR follow the cloud-ops recommended set of actions to install non-published applications.

Splunk slack integration

Configuration steps

Splunk slack add on

The configuration steps are common for on-prem and cloud. Please follow the following steps in order:
1. Open the Web UI for the Heavy Forwarder (or IDM).
2. Navigate to the Splunk Add on for Slack from the Manage Apps Section. Be sure not to configure the inputs from the Data Inputs section of Splunk, as this could lead to some unexpected failures.
3. Navigate to the Configuration page of the Add-on and click on the Add button.
4. Enter a name in the Slack Account name textbox.
5. Click on the Add to Slack button to generate your Access Token, beginning with xoxp (with scope auditlogs:read). Follow the instructions below to generate this. If you brought your own, paste the Access Token here.
6. Click on Add to save this configuration.
7. Navigate to the Inputs tab.
8. Click on Create New Input button on the top right corner.
9. Enter the following details:
- Name (required): Provide a unique name for the input.
- Interval (required): Provide a number in seconds for the query interval.
- Index (required): Select the index from the dropdown list. Set the default index to be slack_audit, if using in conjuction with the Slack Audit App for Splunk.
- Start Time (required): Enter the time from which to begin querying, in the format yyyy-mm-dd hh:mm:ss. The default has been set to 2018-01-01 00:00:00.
- Enterprise Slack Account (required): Select the Account configured on Step 6.
10. Click on Add to save the input.
11. To check for any logs or errors, navigate to the Search tab and enter the below search index=_internal source='*ta_slack_add_on_for_splunk_*.log'.

Access Token Generation - Authentication Step

  1. Click on the Add to Slack button to initiate the Authentication flow.
  2. Sign into your organization's Enterprise Grid Slack account from the Sign in page. Please note : Audit logs can only be retrieved by the org owner in a Slack Enterprise account.
  3. You will be presented with a screen to authorize the Slack Audit API App to collect the audit log information from your Enterprise Grid account. Click on Content and info about you and the Administer Slack for your organization options to see what the app can view. Should you see this screen, skip step 4 and proceed onto 5.
  4. If you are not presented with the content in Step 3, close the dialog box and re-initiate the authentication process from Step 1.
  5. Click on Allow to generate your access token.
  6. The access token should now be generated. On the Access Token Generated page, click on the Copy Access Token button to copy the token to your clipboard and close the pop up window.
  7. Manually paste the Access token into the Access Token text box of your Input configuration page.
  8. The Access token should be about 79-80 characters long. If the character length of the pasted token isn't roughly the same size, re-initiate the authentication process to generate the token from Step 1.

Splunk Slack Channel

Pre-requisites, FAQ and Troubleshooting

Splunk Slack

  1. Initially, the sheer volume of audit logs could be large.
  2. The checkpoints used in the add-on reside in the KV store. Ensure sufficient permissions and access to the KV Store.
  3. If a run of the add-on stopped for any reason, a checkpoint for each input will be stored, with the name ending with _last_accessed_url. This is an indication of an error that must have occurred in the previous run. The input can be restarted (Disable the input first and then enable it) after the cause of failure has been fixed, so it picks up the run from the recorded last successful run.
  4. If using in conjuction with the Slack Audit App for Splunk, ensure the target index is configured as slack_audit, so that the dashboards on the app populate automatically.
  5. Ensure not to configure the inputs from the Data Inputs section of Splunk, as this could lead to some unexpected failures.
  6. If you observe that the field extraction of _time does not match the field date_create, ensure to add an additional line in props.conf under the slack:audit stanza like shown below and deploy it to all indexers.
    [slack:audit]
    TIME_PREFIX = 'date_create':




⇐ ⇐ Duo Microsoft Rdp
⇒ ⇒ Newgrounds Friday Night Game