Monitoring your Slack Enterprise Grid for sensitive information
Project description
Slack Watchman for Enterprise Grid
About Slack Watchman for Enterprise Grid
Slack Watchman for Enterprise Grid uses the Slack Enterprise Grid DLP API to look for potentially sensitive data exposed in your Slack Enterprise.
Note: Slack Watchman for Enterprise Grid is designed for Enterprise Grid subscribers of Slack only. If you use Slack without an Enterprise subscription, you can use the standard version of Slack Watchman
Features
Slack Watchman for Enterprise Grid looks for:
- API Keys, Tokens & Service Accounts
- AWS, Azure, GCP, Google API, Slack (keys & webhooks), Twitter, Facebook, GitHub
- Generic Private keys
- Access Tokens, Bearer Tokens, Client Secrets, Private Tokens
- Files
- Certificate files
- Potentially interesting/malicious/sensitive files (.docm, .xlsm, .zip etc.)
- Executable files
- Keychain files
- Config files for popular services (Terraform, Jenkins, OpenVPN and more)
- Personal Data
- Leaked passwords
- Passport numbers, Dates of birth, Social security numbers, National insurance numbers, Drivers licence numbers (UK), Individual Taxpayer Identification Number
- CVs, salary information
- Financial data
- PayPal Braintree tokens, Bank card details, IBAN numbers, CUSIP numbers
- Budget files
It looks for this exposed data across all workspaces in the Enterprise, in the following locations:
- Public channels
- Private channels
- Draft messages
- Slack connect channels
- Direct messages
- Multi-person direct messages
Time based searching
Slack Watchman for Enterprise Grid can search through all messages sent in your Enterprise in the previous 24 hours. Limitations in the API, and data processing bottlenecks, don't allow for any further than 24 hours to be queried.
You can provide time periods to search for using the --hours
and --minutes
options at runtime. This means you can schedule running regularly, and in general little and often is the best approach.
Multiprocessing
Multiprocessing is used to search the potentially huge amount of data retrieved when getting all messages sent in an Enterprise. You can specify how many cores to use at runtime, and the more cores you use, the faster processing is generally done. That being said, you are still constrained by the API.
I have found the most efficient approach is to use between 8-12 cores.
You can specify cores using the optional flag --cores
at runtime. If this flag is not set, Slack Watchman will automatically use all available cores up to a maximum of 8.
Signatures
Slack Watchman uses custom YAML signatures to detect matches in Slack.
They follow this format:
---
filename:
enabled: [true|false]
meta:
name:
author:
date:
description: # what the search should find
severity: # rating out of 100
tombstone: [true|false]
scope:
- [files|messages]
file_types: # optional list for use with file searching*
locations: # what conversations to search in. Any combination of:
- public
- private
- connect
- im
- mpim
test_cases:
match_cases:
- # test case that should match the regex*
fail_cases:
- # test case that should not match the regex*
search_strings:
- # search query(s) to use in Slack
pattern: # Regex pattern to filter out false positives
There are Python tests to ensure signatures are formatted properly and that the Regex patterns work in the tests
dir
More information about signatures, and how you can add your own, is in the file docs/signatures.md
.
Requirements
Slack API token
To run Slack Watchman for Enterprise Grid, you will need a Slack API access token that is authorised to use the Enterprise DLP API.
To do this, you need to create a Slack App and install it at the organisation level.
The app needs to have the following User Token Scopes added:
discovery:read
discovery:write
team:read
users:read
Note: discovery:read
and discovery:write
can only be added to an app by Slack themselves, you will need to contact your Slack CSM. They will also provide you with instructions on how to install the app at organisation level and retrieve the access token.
Providing token
Provide the token in the environment variable SLACK_WATCHMAN_EG_TOKEN
Installation
You can install the latest stable version via pip:
python3 -m pip install slack-watchman-eg
Or build from source yourself, which is useful for if you intend to add your own signatures:
Download the release source files, then from the top level repository run:
python3 -m pip build
python3 -m pip install --force-reinstall dist/*.whl
Scripts for building and installing from source for Mac, Linux and Windows are in the scripts
directory
Usage
usage: slack-watchman-eg [-h] [--hours HOURS] [--minutes MINUTES] [--cores CORES] [--version] [--users] [--workspaces] [--sandbox] [--tombstone] [--tombstone-text-file TOMBSTONE_FILEPATH]
Monitoring your Slack Enterprise Grid for sensitive information
options:
-h, --help show this help message and exit
--hours HOURS How far back to search in whole hours between 1-24. Defaults to 1 if no acceptable value given
--minutes MINUTES How far back to search in whole minutes between 1-60
--cores CORES Number of cores to use between 1-12
--version show program's version number and exit
--users Find all users
--workspaces Find all workspaces
--sandbox Search using only sandbox signatures
--tombstone Tombstone (REMOVE) all matching messages
--tombstone-text-file TOMBSTONE_FILEPATH
Path to file containing custom tombstone notification text (Optional)
Other Watchman apps
You may be interested in the other apps in the Watchman family:
License
The source code for this project is released under the GNU General Public Licence. This project is not associated with Slack.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
Hashes for slack_watchman_eg-1.0.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 7624512f1ddd9c2ce18930237833149b2ea67241e14a6bb0c4be84d270e3e03a |
|
MD5 | 3bf193a318eb8459a91919f1b09c045c |
|
BLAKE2b-256 | 47e5cda4a563522788add31e56e4472425c5c1c6b050de09d02d9df32a0f5e49 |