Skip to main content

Query Slack with cnquery

Rely on cnquery to query and inventory your Slack workspaces. Unlock the powerful data available in the Slack API with the ease of MQL.

Configure access to a Slack organization

Access to the Slack API requires an Access Token. We recommend using a bot token.

  1. As a workspace administrator, create an app: Select the Create an App button and then select From Scratch.

  2. Specify an app name (such as Mondoo) and select the appropriate workspace.

  3. Select Create App.

  4. In the left-side navigation, select OAuth & Permissions.

  5. Scroll to Scopes. Under User Token Scopes, add these scopes:

    • admin: (This permission is required to view access logs. For details, read scopes: admin.)
    • channels:read
    • groups:read
    • im:read
    • mpim:read
    • team:read
    • usergroups:read
    • users:read

  6. Scroll to OAuth Tokens for Your Workspace and select Install to Workspace. Once you authorize the app, Slack provides a token. Copy the token; you need it to retrieve data from Slack.

You can now test using the cnquery shell:

$ cnquery shell slack --token <api-token>
cnquery> slack.team
slack.team: {
  domain: "mondoo"
  id: "T030KKBABCDE"
}

You can also use the SLACK_TOKEN environment variable, which makes the --token parameter optional. Note that if both are present, the SLACK_TOKEN environment variable takes precedence.

$ export SLACK_TOKEN=xoxb-3014687468594-456546543219-5ampl3.70ck3n
$ cnquery shell slack
cnquery> slack.team
slack.team: {
  domain: "mondoo"
  id: "T030KKBABCDE"
}

Example queries

Users

Here is an example of all the data available for a single user:

> slack.users[1]{ * }
slack.users.list[1]: {
  profile: {
    displayName: ""
    displayNameNormalized: ""
    email: "suki@lunalectric.io"
    firstName: "Suki"
    lastName: "Mbeze"
    phone: ""
    realName: "Suki Mbeze"
    realNameNormalized: "Suki Mbeze"
    skype: ""
    statusExpiration: "1969-12-31T16:00:00-08:00"
    team: "T030KKBUGHG"
    title: ""
  }
  timeZoneOffset: -28800
  isBot: false
  isInvitedUser: false
  deleted: false
  name: "suki"
  enterpriseUser: null
  isUltraRestricted: false
  id: "U030KL5BMDH"
  presence: ""
  hasFiles: false
  timeZone: "America/Los_Angeles"
  teamId: "T030KKBUGHG"
  isAdmin: true
  has2FA: false
  locale: "en-US"
  realName: "Suki Mbeze"
  isStranger: false
  isAppUser: false
  isOwner: true
  isRestricted: false
  timeZoneLabel: "Pacific Standard Time"
  isPrimaryOwner: true
  color: "9f69e7"
}

You can find which users have 2FA enabled:

slack.users.where{ has2FA == true }

Conversations (channels)

The conversations resource lets you inspect channels and direct message metadata.

This query asks the purpose of each channel:

slack.conversations.where( isChannel == true ) { name purpose }

Learn more