Slack Audit Solution

Solution: SlackAudit



| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.5 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2021-03-24 |
| Last Updated | 2025-12-17 |
| Solution Folder | SlackAudit |
| Marketplace | Azure Marketplace · Popularity: ⚪ Very Low (0%) |

The Slack Audit solution provides the capability to ingest Slack Audit Records events into Microsoft Sentinel through the REST API. Refer to the API documentation for more information.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies; some of these dependencies may be in Preview state or may result in additional ingestion or operational costs:

Microsoft Sentinel Codeless Connector Framework

Contents

Data Connectors

This solution provides 1 data connector(s) (plus 2 discovered⚠️):

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 3 table(s):

| Table | Used By Connectors | Used By Content |
|---|---|---|
| SlackAuditNativePoller_CL 🔶 | Slack, [DEPRECATED] Slack Audit | Analytics, Hunting, Workbooks |
| SlackAuditV2_CL | SlackAudit (via Codeless Connector Framework), [DEPRECATED] Slack Audit | Analytics, Hunting, Workbooks |
| SlackAudit_CL 🔶 | [DEPRECATED] Slack Audit | Analytics, Hunting, Workbooks |

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 21 content item(s):

| Content Type | Count |
|---|---|
| Hunting Queries | 10 |
| Analytic Rules | 9 |
| Workbooks | 1 |
| Parsers | 1 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| SlackAudit - Empty User Agent | Low | InitialAccess | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - Multiple archived files uploaded in short period of time | Low | Exfiltration | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - Multiple failed logins for user | Medium | CredentialAccess | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - Public link created for file which can contain sensitive information. | Medium | Exfiltration | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - Suspicious file downloaded. | Medium | InitialAccess | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - Unknown User Agent | Low | CommandAndControl | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - User email linked to account changed. | Medium | InitialAccess | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - User login after deactivated. | Medium | InitialAccess, Persistence, PrivilegeEscalation | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - User role changed to admin or owner | Low | Persistence, PrivilegeEscalation | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |

Hunting Queries

| Name | Tactics | Tables Used |
|---|---|---|
| SlackAudit - Applications installed | InitialAccess | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - Deactivated users | Impact | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - Downloaded files stats | InitialAccess | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - Failed logins with unknown username | CredentialAccess | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - New User created | Persistence | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - Suspicious files downloaded | InitialAccess | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - Uploaded files stats | Exfiltration | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - User Permission Changed | PrivilegeEscalation | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - User logins by IP | InitialAccess, Persistence | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |
| SlackAudit - Users joined channels without invites | InitialAccess, Persistence | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |

Workbooks

| Name | Tables Used |
|---|---|
| SlackAudit | SlackAuditNativePoller_CL, SlackAuditV2_CL, SlackAudit_CL |

Parsers

| Name | Description | Tables Used |
|---|---|---|
| SlackAudit | - | SlackAuditNativePoller_CL (read), SlackAuditV2_CL (read), SlackAudit_CL (read) |

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.5 | 12-12-2025 | Updated the Parser yaml file. |
| 3.0.4 | 28-07-2025 | Removed Deprecated Data Connector. |
| 3.0.3 | 30-06-2025 | Moving CCF Data Connector to GA. |
| 3.0.2 | 30-05-2025 | Preview tag added to CCF Data Connector. |
| 3.0.1 | 24-04-2025 | Migrated the Function app Connector to CCP Data Connector and Updated the Parser. |
| 3.0.0 | 23-08-2023 | Manual deployment instructions updated for Data Connector & Convert Parser from text to yaml. |
