OpenSec Atlas

slack-watchman: An Open Source Tool for Identity & Access Management (IAM) | OpenSec Atlas

Identity & Access Management (IAM)

Tool

slack-watchman

Slack Watchman is a tool that uses the Slack API to detect exposed secrets and enumerate sensitive workspace information for security teams.

View on GitHub

About This Tool

Slack enumeration and exposed secrets detection tool

Primary Use Case

Slack Watchman is primarily used by red, blue, and purple teams to monitor Slack workspaces for exposed secrets such as API keys, tokens, and sensitive personal or financial data. It helps security professionals identify and remediate potential leaks and misconfigurations in Slack environments by providing detailed enumeration and time-based searching capabilities.

Key Features

Detection of exposed API keys, tokens, and service accounts across multiple platforms (AWS, Azure, GCP, Slack, GitHub, etc.)
Identification of sensitive files including certificates, executables, and config files for popular services
Detection of personal data leaks such as passwords, passport numbers, and social security numbers
Financial data detection including Paypal tokens, bank card details, and IBAN numbers
Time-based searching with configurable lookback periods (24 hours, 7 days, 30 days, all time)
Enumeration of users, admins, conversations (including externally shared and Slack Canvas), and workspace authentication options
Unauthenticated probe mode to gather workspace metadata and authentication configurations without a token
Automatic updating of detection signatures from a central repository

Insights & Recommendations

Slack Watchman requires Slack API tokens for authenticated scans to detect secrets and enumerate detailed workspace data. Use the --probe flag for limited unauthenticated enumeration. Regularly update signatures to maintain detection accuracy. Be mindful of privacy and compliance when scanning workspaces.

Installation

Ensure Python 2.7 or 3.x is installed
Install Slack Watchman via pip: pip install slack-watchman
Optionally configure watchman.conf for tokens, URLs, and disabled signatures

Usage

slack-watchman --probe https://domain.slack.com

Run Slack Watchman in unauthenticated probe mode to enumerate workspace metadata and authentication options without requiring a token.

Smart Usage Notes

Integrate Slack Watchman into continuous monitoring pipelines for proactive detection of leaked secrets.
Use unauthenticated probe mode to map workspace security posture before engagement or defense.
Combine findings with SIEM tools to automate alerting on exposed sensitive data in Slack.
Leverage time-based searching to track secret exposure trends and effectiveness of remediation efforts.
Incorporate Slack Watchman scans into purple team exercises to validate detection and response capabilities.