Slack event alert types

Chronicle provides over 25 different event types that can be configured within the "Events" page in the Chronicle dashboard. Here's some more information on the different events available and why customers find them useful:

Apps

App Added / Updated / Granted Rights
Triggered when an app is added to your workspace, updated, or granted permissions by a user, typically triggered by adding an app to Slack.
Who uses this? Security-conscious teams of all sizes that have several users with permission to add an app to Slack. 
Why set up this alert? Knowing when a new app is added or given unexpected permissions is key to mitigating the risk that Slack apps can expose to your workspace and company.

App Removed / Disabled
Triggered when an app is removed or disabled in your workspace.
Who uses this? Security-conscious teams of all sizes that have several users with permission to remove an app from Slack.
Why set up this alert? For security purposes, maintain an exact log of when apps are removed or disabled or be alerted when a highly used app is unexpectedly disabled or removed.
 

Channels

Channel Archived / Unarchived
Triggered when a channel is archived or unarchived by a user.
Who uses this? Teams who rarely create new channels or archive existing ones.
Why set up this alert? Having a log of channel archives/unarchives in one place can help alert admins to unusual behavior, and bring attention when an old channel is unarchived and put back into use.

Channel Created
Triggered when a channel is created.
Who uses this? Teams who create channels in special circumstances such as for customer inquiries, or escalating internal issues.
Why set up this alert? Maintain a log of exactly when and who created a channel to understand where discussions are happening.

Channel Deleted
Triggered when a channel is deleted.
Who uses this? Teams that want to ensure channels are only archived and never deleted to prevent messages from being lost.
Why set up this alert? Have admins alerted when a channel is deleted, and understand when and how frequently channels are deleted.

Channel Renamed
Triggered when a channel is renamed.
Who uses this? Teams who maintain specific channel naming rules.
Why set up this alert? Keep an eye on channel names so admins can quickly be alerted to any changes and ensure they follow naming requirements.
 

Emojis

Emoji Deleted / Uploaded
Triggered when a user adds a new emoji or removes an existing one.
Who uses this? Teams who want to monitor emojis for content appropriate for a workplace setting.
Why set up this alert? Have admins monitor new emojis as they are added to ensure they are appropriate.
 

Files

File Public Link Created / Restricted
Triggered when a user shares a file publicly or removes a file's public link.
Who uses this? Teams who make use of public links to share files from Slack publicly.
Why set up this alert? Keep an eye on users sharing files that should not be shared publicly, or restricting access to a file that must be shared publicly.

File Shared / Unshared
Triggered when a user shares a file in a channel, or deletes the message which shares the file in a channel.
Who uses this? Teams who treat files in Slack as very sensitive.
Why set up this alert? It allows admins to monitor when users share files in other channels, helping them prevent the sharing of sensitive files with users who should not have access to them.

File Created
Triggered when a file is created in your Slack workspace.
Who uses this? Teams that upload files to Slack only in specific circumstances or want a log of file creation.
Why set up this alert? Have a single place to clearly understand when files are being created, and by who.
 

File Deleted
It is triggered when a file is deleted from Slack by a user.
Who uses this? Teams who discourage deleting files from Slack to preserve data.
Why set up this alert? Alert admins when a user deletes files from Slack that cannot be recovered. 
 

Guests

Guest Enabled / Joined
It is triggered when a guest is re-enabled or joins a workspace for the first time.
Who uses this? Teams who invite many guests, such as contractors, to collaborate in specific channels.
Why set up this alert? Monitor guests as they are added to verify they have only the necessary privileges and are not unexpectedly enabled.

Guest Disabled
It is triggered when a guest is disabled.
Who uses this? Teams who invite many guests, such as contractors, to collaborate in specific channels.
Why set up this alert? Ensure guests are properly disabled when they are intended to no longer have access to your workspace.
 

Users

User Enabled / Joined
Triggered when a user is re-enabled or joins your workspace.
Who uses this? Teams of all sizes who want to know when a user gets access to their entire Slack workspace.
Why set up this alert? There have been exploits with Slack in the past where users could invite themselves to a workspace, thus getting alerts when users join a workspace is vital to prevent unauthorized access.

User Deleted
It is triggered when a user is deleted from your workspace.
Who uses this? Teams who offboard users often and want a record of a Slack user account being removed.
Why set up this alert? Know exactly when a user has been removed from Slack and has no further access.

Username Changed
Triggered when a user changes the username they use with Slack.
Who uses this? Teams who treat usernames specially and discourage users from changing their own.
Why set up this alert? Know exactly when and who has changed their username to remediate any effects that could be caused by changing their username.
 

Admins

Admin Added / Owner Added
Triggered when a new admin or owner is promoted in a Slack workspace.
Who uses this? Teams of all sizes who carefully control who manages their Slack workspace.
Why set up this alert? Knowing when a new user gains the highest privilege of access to your Slack workspace is crucial to ensuring only users who need those privileges have them.

Admin Removed / Owner Removed
Triggered when an admin or owner is demoted in a Slack workspace.
Who uses this? Teams of all sizes who carefully control who manages their Slack workspace.
Why set up this alert? Ensuring users who should have privileged access to Slack don't lose it can help prevent access control issues to Slack before they begin.