Slack is a team communication and collaboration tool. Onna integrates with Slack's Audits API to extract all related data and metadata from Slack user accounts including specific channels they've joined and/or private/multiparty chats. This feature allows Onna users to perform user-based Slack Enterprise collections for legal hold purposes and data preservation.
Type of Account Needed
To enable this type of collection, you'll need a Slack Enterprise Owner account.
Onna's Slack Audit Logs integration can perform user-based collections. This type of collection can only be completed with a Slack Enterprise account. The person adding the integration must be an Organization Owner within their Slack environment.
All files available through the Audits API are synced, including, but not limited to:
All available workspaces where your specified user(s) are members. An organization on Slack Enterprise Grid can have multiple workspaces that can be accessed through this API
All channels your specified user(s) have joined, both private and public
User messages posted in channels, direct messages (dms) and multiperson instant messages (mpim)
Edited and deleted messages (only available if 'Keep Everything' is selected as a setting in Slack Enterprise)
Files posted on channels, dms and mpims
Posts created in the files section, channels, dms and mpims
Snippets created in the files section, channels, dms and mpims
Files created in the files section, channels, dms and mpims
All Slack Emoji reactions (On initial sync), dms and mpims
Onna's sync modes
We currently support two syncing modes - one-time sync and auto-sync & archive.
One-time sync is a sync that collects files in a source during a certain time range or up until the date the source was added. One-time sync shuts off the connection to the API once the sync is completed.
Auto-sync & archive means that Onna will perform a full sync first and will continuously add any new files generated at the data source. This sync type does not delete files that are deleted from the data source.
With the Audit Logs integration, Onna can be used to collect specific user accounts within an organization's workspace.
Sync time depends on a number of factors including, but not limited to, the length of time the individual(s) has been active in Slack, the number of channels synced, how active the channels are, and the number of files shared in channels and direct message chains.
Data and metadata from the Slack Enterprise Grid account can be exported in eDiscovery ready format. Load files are available in a dat, CSV, or custom text file.
For this integration, you'll need to be an admin in Onna to have Slack Enterprise enabled.
Note: Only Enterprise Grid owners will be able to use the Audit API integration. This integration will only collect channels joined from the beginning of the Audit API records in March 2018 and onwards. Head to Slack for more details on Slack Roles & Permissions.
Once you're an admin on Onna and have Slack Enterprise enabled, you'll see it available as a source in the user dashboard.
Once you click on Slack Enterprise, it will open the following modal.
The first section covers the Source name. This is the name of your source in Onna. We've pre-filled it with the name of the source you're adding; however, this is entirely customizable.
The next section allows you to specify your Synchronization mode for the source and beneath that, you can set an optional start date for Auto-sync and archive mode or an optional start and end date for one-time syncs. Once you make your choices you can click Connect.
Next, you will need to Allow Onna to access your Slack workspace. Please enter your admin credentials if needed.
Next is your Configuration window. For user-based collections, make sure the Custodian Collections option is on.
Beneath the Custodian collection you can choose the types of messages to sync: Direct messages and Multiparty messages. You can also choose whether to select Public channels, Private channels, or both. Click next and that will take you to our next window where you can add accounts.
To add user accounts you can manually enter your desired accounts in our search bar or you can click Load user list in the upper right-hand corner.
Here you have the option to load your list of Enterprise user accounts or you can also upload a CSV file with email addresses of the users you would like to collect.
Note: The CSV file should not include column headers. The CSV file should only have one column that includes the email addresses of the users as seen below.
If you upload an identity that does not exist, it will appear with a red x and you will need to clear it before the create button is enabled. Once you select your desired users you can click next.
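A pre-upload check for the custodian CSV described above, as an added example that is not part of Onna's documentation or tooling: it flags a header row, extra columns, malformed addresses and duplicates before the file is uploaded. The function name, the simplified email pattern and the sample data are assumptions; whether an address exists in Slack is still decided by Onna at upload time.

```python
import csv
import io
import re

# Simplified shape check (assumption): one "@", no spaces, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def check_custodian_csv(text):
    """Return (emails, problems) for a single-column, header-less CSV.

    emails   -- unique addresses in file order, lower-cased
    problems -- list of (line_number, message) for rows that need fixing
    """
    emails, problems, seen = [], [], set()
    first_row = True
    # A UTF-8 BOM from a spreadsheet export would otherwise stick to row 1.
    reader = csv.reader(io.StringIO(text.lstrip("\ufeff")))
    for row in reader:
        lineno = reader.line_num
        cells = [c.strip() for c in row]
        if not any(cells):
            continue  # blank line
        was_first, first_row = first_row, False
        if len(cells) > 1:
            problems.append((lineno, "more than one column"))
        elif not EMAIL_RE.match(cells[0]):
            msg = "looks like a column header" if was_first else "not an email address"
            problems.append((lineno, msg))
        elif cells[0].lower() in seen:
            problems.append((lineno, "duplicate address"))
        else:
            seen.add(cells[0].lower())
            emails.append(cells[0].lower())
    return emails, problems


# Constructed sample input, not taken from any real export.
SAMPLE = (
    "Email\nalice@example.com\nbob@example.com,Bob\n\n"
    "ALICE@example.com\ncarol(at)example.com\ndave@example.com\n"
)

if __name__ == "__main__":
    ok, bad = check_custodian_csv(SAMPLE)
    print("ready to upload:", ok)
    for lineno, msg in bad:
        print(f"line {lineno}: {msg}")
```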
Next will be your Workspaces window.
Here you can select your desired Workspaces to sync as well as the option to Sync Shared channels and the ability to Sync any workspace created in the future. Once satisfied click Next.
Now you have the Channels section. Here, you can select which Channels to include in your collection. Only specific channels that the selected user or users are a part of will be available for collection.
Once you are satisfied with your selection click done and your source will begin to sync. The Slack Enterprise account will be listed in your Sources.
Searching across the account
Files will be visible on the user dashboard. Results will begin populating as soon as the connection is made.
Channels and conversations are html files. A file is created for every 24 hours and is saved in UTC. The standard title for chat files will be:
Type of chat [e.g. channel, personal message], name of channel or person [e.g. general, random], participant(s) and date [YYYYMMDD]
Attachments that are sent through chats are extracted and processed separately.
Slack Files in Onna
On the left hand side you have the html file. You can see the naming convention mentioned before: Type of chat [e.g. channel, personal message], name of channel or person [e.g. general, random], participant(s) and date [YYYYMMDD]
Each message contains the user name and the time and date stamp (UTC) the message was sent. The most recent messages appear at the bottom.
The third message demonstrates the example of an attachment that has been shared through Slack. Onna offers a link to view the attachment separately and also lists the document in the document details tab on the right. The attachment will open in its native format, in this case PNG.
Edited & Deleted Messages
If you have 'Keep Everything' as a setting across public channels, private channels and direct messages in your workspace (only available for Slack Enterprise Grid), you will be able to see edited and deleted messages in Onna. Below is an example of how they are displayed:
We demonstrate edited messages in green and deleted messages in red. Starting from April 2019, Onna also started adding "Has Deletions" or "Has Edits" on conversations that have had deletes or edits. You can easily search for conversations that have been modified by searching "has deletions" or "has edits" through the search bar.
Slack Emoji Reactions
Slack Emoji reactions are also available for searching and exporting inside of Onna.
To assist with your Emoji searches we have added the new keyword “has:reaction” to locate all of your Slack messages with Emoji content.
To export those reactions, make sure to select Message List and “List of Messages,” under Source specific metadata in your Configuration window.
Back in the results screen, you are able to filter results by date range, categories, and/or extensions using the menu on the left.
From that same screen, you can also sort by different columns and choose other metadata fields to sort by using the toggle on the right hand side.
Clicking on the information icon on the top right will take you to the source details where you can see how many files it has and its size.
At the bottom of your Source details panel is your origin details which can give more information regarding the settings chosen for your Slack sync. You can review your selected Sync-mode, whether future channels and users will be added, as well as the threads synced in Synced threads. The source's time range and when the source was last synced are also available.
For admin creators of the Slack Enterprise source, you will also be able to see a list of users that have been synced from that account by clicking the info icon and expanding Synced account in origin.
Click on Audits to see logs from collection and processing.
You can learn how to see the source's collection audit logs in this article.
What are “active” participants in a Slack conversation?
Active participation is either being a sender of a message (or reply) or reacting to a message on that day.
Who is notified within Slack Enterprise when Onna is added as an application?
This depends on your settings! By default, the person who added the application is the one that receives the email through Slack.
Does Onna collect edited and deleted messages across everything?
Yes, if the account in question has "Store Everything" enabled across channels, private channels, and messages. There are some accounts that opt-out of storing everything which means that we cannot collect previously edited or deleted messages.
How can I identify the custodian to my files in my Slack Enterprise export?
For custodian-based collections, the export CSV will populate custodian values into the Origin_List of users collected field.