Description
The Slack integration currently collects audit logs via the audit data stream, capturing
point-in-time security events. It does not provide an entity inventory.
This issue tracks the addition of a new users data stream to the Slack integration. The goal
is to collect Slack Enterprise Grid user records as entity assets, enabling ECS
user.entity.* field population for use in Elastic Security's entity analytics workflows.
Scope
The new data stream targets Slack Enterprise Grid organisations. It is intentionally scoped
to user entities only.
Endpoint selection
Two Slack API endpoints are candidates for user inventory collection:
| Capability |
users.list |
admin.users.list |
| Plan requirement |
Any (Free, Business+, Enterprise) |
Enterprise Grid only |
| Token type |
Bot or User token |
User token (xoxp-) only |
| Required scope |
users:read, users:read.email |
admin.users:read |
| Rate limit |
Tier 2 (20 req/min) |
Tier 4 (100 req/min) |
date_created |
No |
Yes (Unix timestamp) |
deactivated_ts |
No (boolean deleted only) |
Yes (Unix timestamp) |
workspaces[] |
Indirect, requires org token |
Yes, explicit array |
has_sso |
No |
Yes |
has_2fa |
Yes, plus two_factor_type |
Yes |
| Full profile (title, phone, timezone) |
Yes |
No |
| Pagination cursor location |
response_metadata.next_cursor |
next_cursor (top-level) |
Decision: admin.users.list The Slack integration already requires Enterprise Grid
for the audit stream, so no new plan requirement is introduced. The Tier 4 rate limit
(5× faster than users.list) is meaningful for large orgs. It also provides date_created,
deactivated_ts, workspaces[], and has_sso, which are directly relevant to entity
lifecycle and relationship mapping. Profile fields available via users.list (title, phone,
timezone) are not required for the ECS entity fields in scope.
Endpoints
The new data stream hits the following Slack API endpoints:
GET https://slack.com/api/admin.users.list as primary source; cursor-paginated user
roster. Returns next_cursor at the top level of the response (not inside
response_metadata).
GET https://slack.com/api/usergroups.list?include_users=true; it fetched once per
collection cycle to resolve group membership. Returns all usergroups with flat member ID
arrays; no pagination.
Authentication
An org-level user token (xoxp-) is required, with the following scopes:
admin.users:read — access to admin.users.list
usergroups:read — access to usergroups.list
The same token type is already required by the audit data stream (auditlogs:read scope).
Both scope sets can be granted on a single Slack app token, or configured separately per
data stream — this is an open decision (see below).
Collection behaviour
- Interval: Default
24h (full org snapshot once daily, configurable)
- Page size: Up to 1000 users per request (Slack maximum)
- Group membership:
usergroups.list is called once at the start of each collection
cycle. The CEL program holds the group-to-members mapping in state and enriches each user
record with their group names before emitting events.
Description
The Slack integration currently collects audit logs via the
auditdata stream, capturingpoint-in-time security events. It does not provide an entity inventory.
This issue tracks the addition of a new
usersdata stream to the Slack integration. The goalis to collect Slack Enterprise Grid user records as entity assets, enabling ECS
user.entity.*field population for use in Elastic Security's entity analytics workflows.Scope
The new data stream targets Slack Enterprise Grid organisations. It is intentionally scoped
to user entities only.
Endpoint selection
Two Slack API endpoints are candidates for user inventory collection:
users.listadmin.users.listxoxp-) onlyusers:read,users:read.emailadmin.users:readdate_createddeactivated_tsdeletedonly)workspaces[]has_ssohas_2fatwo_factor_typeresponse_metadata.next_cursornext_cursor(top-level)Decision:
admin.users.listThe Slack integration already requires Enterprise Gridfor the
auditstream, so no new plan requirement is introduced. The Tier 4 rate limit(5× faster than
users.list) is meaningful for large orgs. It also providesdate_created,deactivated_ts,workspaces[], andhas_sso, which are directly relevant to entitylifecycle and relationship mapping. Profile fields available via
users.list(title, phone,timezone) are not required for the ECS entity fields in scope.
Endpoints
The new data stream hits the following Slack API endpoints:
GET https://slack.com/api/admin.users.listas primary source; cursor-paginated userroster. Returns
next_cursorat the top level of the response (not insideresponse_metadata).GET https://slack.com/api/usergroups.list?include_users=true; it fetched once percollection cycle to resolve group membership. Returns all usergroups with flat member ID
arrays; no pagination.
Authentication
An org-level user token (
xoxp-) is required, with the following scopes:admin.users:read— access toadmin.users.listusergroups:read— access tousergroups.listThe same token type is already required by the
auditdata stream (auditlogs:readscope).Both scope sets can be granted on a single Slack app token, or configured separately per
data stream — this is an open decision (see below).
Collection behaviour
24h(full org snapshot once daily, configurable)usergroups.listis called once at the start of each collectioncycle. The CEL program holds the group-to-members mapping in state and enriches each user
record with their group names before emitting events.