Slack is a team communication and collaboration tool. Onna integrates with Slack's Audits API to extract all related data and metadata from Slack user accounts including specific channels they've joined and/or private/multiparty chats. This feature allows Onna users to perform user-based Slack Enterprise collections for legal hold purposes and data preservation.

Integration Features

Type of Account Needed

  • To enable this type of collection, you'll need a Slack Enterprise Owner account

Files Collected

Onna's Slack Audit Logs integration can perform user-based collections. This type of collection can only be completed with a Slack Enterprise account. The person adding the integration must be an Organization Owner within their Slack environment.

All files available through the Audits API are synced, including, but not limited to:

  • All available workspaces where your specified user(s) are members. An organization on Slack Enterprise Grid can have multiple workspaces that can be accessed through this API

  • All channels your specified user(s) have joined both private and public

  • User(s) Messages posted on channels, direct messages (dms) and multiperson instant messages (mpim)

  • Edited and deleted messages (only available if 'Keep Everything' is selected as a setting in Slack Enterprise)

  • Files posted on channels, dms and mpims

  • Recorded Slack audio and video clips

  • Posts created in the files section, channels, dms and mpims

  • Snippets created in the files section, channels, dms and mpims

  • Files created in the files section, channels, dms and mpims

  • All Slack Emoji reactions (On initial sync), dms and mpims

Onna's sync modes

We currently support two syncing modes - one-time sync and auto-sync & archive.

  • One-time sync is sync that collects files in a source during a certain time range or up until the date the source was added. One-time sync shuts off the connection to the API once the sync is completed

  • Auto-sync & archive means that Onna will perform a full sync first and will continuously add any new files generated at the data source. The sync type does not delete files deleted from the data source

With the Audit Logs integration, Onna can be used to collect specific user accounts within an organization's workspace

Sync Time

Sync time depends on a number of factors including, but not limited to, the length of time the individual(s) has been active in Slack, the number of channels synced, how active the channels are, and the number of files shared in channels and direct message chains.

Data Exports

Data and metadata from the Slack Enterprise Grid account can be exported in eDiscovery ready format. Load files are available in a dat, CSV, or custom text file.

How-To Guide

For this integration, you'll need to be an admin in Onna to have Slack Enterprise enabled.

Note: Only Enterprise Grid owners will be able to use the Audit API integration. This integration will only collect channels joined from the beginning of the Audit API records in March 2018 and onwards. Head to Slack for more details on Slack Roles & Permissions.

Once you're an admin on Onna and have Slack Enterprise enabled, you'll see it available as a source in the user dashboard.

Once you click on Slack Enterprise, it will open the following modal.

The first section covers the Source name. This is the name of your source in Onna. We've pre-filled it with the name of the source you're adding however this is entirely customizable.

The next section allows you to specify your Synchronization mode for the source and beneath that, you can set an optional start date for Auto-sync and archive mode or an optional start and end date for one-time syncs. Once you make your choices you can click Connect.

Next, you will need to Allow Onna to access your Slack workspace. Please enter your admin credentials if needed.

Next is your Configuration window, for user-based collections you want to make sure the Custodian Collections option is on.

Beneath the Custodian collection you can choose the types of messages to sync; Direct messages and Multiparty messages. You can also choose whether to select Public channels, Private channels, or both. Click next and that will take you to our next window where you can add accounts.

To add user accounts you can manually enter your desired accounts in our search bar or you can click Load user list in the upper right-hand corner.

Here you have the option to load your list of Enterprise user accounts or you can also upload a CSV file with email addresses of the users you would like to collect.

Note: The CSV file should not include column headers. The CSV file should only have one column that include the email addresses of the users as seen below.

If you upload an identity that does not exist, it will appear with a red x and require you to clear it before enabled the create button. Once you select your desired users you can click next.

Next will be your Workspaces window.

You will see the list of workspaces that you can expand and select/deselect.

Loading large numbers of Organization-wide and Multi-workspace channels can take a significant amount of time across large enterprise accounts. For Organization-wide and Multi-workspace channels you have the option to not load, load all, or load only those channels for selected workspaces:

1) Do Not Load - This option will not load any organization or multi-workspace channels;

2) Load All - This will load all organization and multi-workspace channels independent of the workspaces selected

3) Load only those for selected workspaces - This option will load all organization-wide channels, but filter the multi-workspace channels to include only those from the selected workspaces. In order to filter these channels, a number of requests need to be made, which causes this option to take the longest.

Beneath that you can choose to sync multi-workspace channels and externally shared channels for the selected workspace. On this page, you can also choose whether to sync workspaces created in the future if your source is in auto-sync and archive.

Next, you have the Channels section. Here, you can select which Channels to include in your collection. Only specific channels that the selected user or users are a part of will be available for collection.

Once you are satisfied with your selection click done and your source will begin to sync. The Slack Enterprise account will be listed in your Sources.

Searching across the account
Files will be visible on the user dashboard. Results will begin populating as soon as the connection is made.

Channels and conversations are html files. A file is created for every 24hrs and is saved in UTC. The standard title for chat files will be:

Type of chat [e.g. channel, personal message], name of channel or person [e.g. general, random], participant(s) and date [YYYYMMDD]

Attachments that are sent through chats are extracted and processed separately.

Slack Files in Onna

On the left hand side you have the html file. You can see the naming convention mentioned before : Type of chat [e.g. channel, personal message] name of channel or person [e.g. general, random], participant(s) and date [YYYYMMDD]

Each message contains the user name and the time and date stamp (UTC) the message was sent. The most recent messages appear at the bottom.

The third message demonstrates the example of an attachment that has been shared through Slack. Onna offers a link to view the attachment separately and also lists the document in the document details tab on the right. The attachment will open in its native format, in this case PNG.

Edited & Deleted Messages
If you have 'Keep Everything' as a setting across public channels, private channels and direct messages in your workspace (only available for Slack Enterprise Grid), you will be able to see edited and deleted messages in Onna. Below is an example of how they are displayed:

We demonstrate edited messages in green and deleted messages in red. Starting from April 2019, Onna also started adding "Has Deletions" or "Has Edits" on conversations that have had deletes or edits. You can easily search for conversations that have been modified by searching "has deletions" or "has edits" through the search bar.

Slack Emoji reactions are also available for searching and exporting inside of Onna. To assist with your Emoji searches we have added the new keyword “has:reaction” to locate all of your Slack messages with Emoji content. To export those reactions, make sure to select Message List and “List of Messages,” under Source specific metadata in your Configuration window.

Slack Emoji Reactions

Slack Emoji reactions are also available for searching and exporting inside of Onna.

To assist with your Emoji searches we have added the new keyword “has:reaction” to locate all of your Slack messages with Emoji content.

To export those reactions, make sure to select Message List and “List of Messages,” under Source specific metadata in your Configuration window.

Back in the results screen, you are able to filter results by date range, categories, and/or extensions using the menu on the left.

From that same screen, you can also sort by different columns and choose other metadata fields to sort by using the toggle on the right hand side.

Clicking on the information icon on the top right will take you to the source details where you can see how many files it has and it's size.

At the bottom of your Source details panel is your origin details which can give more information regarding the settings chosen for your Slack sync. You can review your selected Sync-mode, whether future channels and users will be added as well as the threads synced in Synced threads. The source's time range, and when the source was last synced are also available as well.

For admin creators of the Slack Enterprise source, you will also be able to see a list of users that have been synced from that account by clicking the info icon and expanding Synced account in origin.

Click on Audits to see logs from collection and processing

You can learn how to see the source's collection audit logs in this article.


What are “active” participants in a Slack conversation?

Active participation is either being a sender of a message (or reply) or reacting to a message on that day.

Who is notified within Slack Enterprise when Onna is added as an application?
This depends on your settings! By default, the person who added the application is the one that receives the email through Slack.

Does Onna collect edited and deleted messages across everything?
Yes, if the account in question has "Store Everything" enabled across channels, private channels, and messages. There are some accounts that opt-out of storing everything which means that we cannot collect previously edited or deleted messages.

How can I identify the custodian to my files in my Slack Enterprise export?

For custodian-based collections, the export CSV will populate custodian values into Origin_List of users collected for the field.

Can Onna tell us who responded with an emoji reaction?

Yes, you can export with the message list option in your metadata export configuration settings and view which users sent which emoji reactions in your MessageList_List of messages field.

Can Onna collect Slack calls and Huddles?

For Slack calls & Huddles we are able to collect the user who initiated the call, timestamp when the call took place, and the URL of the call. Information such as the in meeting chat & transcript of the call is not available. Please note that Slack does not support the ability to record or transcribe Slack calls/Huddles. Additional information can be found in Slack's help center.

Can Onna capture and replay Slack audio/video recordings?

Yes, Onna will capture & process the new Slack audio/video recording feature that can be sent within channels, DM's, and MPIM. Once the Slack conversations has successfully synced into Onna the recordings will be available to play & view within Onna.

Have a question that we haven't answered here? Interested in collecting from Slack Enterprise?

Did this answer your question?