Slack Watchman – Version 2.0.0

The past housebound weeks have given me time to continue working on Slack Watchman, and I've now reached the stage of releasing version 2.0.0.

The release is available on GitHub: https://github.com/PaperMtn/slack-watchman/releases/tag/2.0.0

The latest version is always available on PyPI as well:

pip install slack-watchman

The new release contains the following:

New searches

Since the first release, the following searches have been added:

  • Twitter API keys
    • Access token
    • oauth_token
    • oauth_token_secret
  • Facebook API Keys
    • Access token
    • Secret keys
  • Slack webhooks
  • Google API keys
  • GitHub API tokens
  • PayPal Braintree tokens
  • Dates of birth
  • Passport numbers

Custom searches

This new feature lets you find posts containing custom terms you supply to Slack Watchman in a .txt file at runtime. Use it to look for sensitive data people shouldn't be posting in your workspaces, such as confidential project names: secret projects you don't want mentioned in public channels, or information you could not afford to see in the public domain if a user's account were compromised.

So, for example, Westeros Inc has a secret project underway: Project RedWedding. Those involved in Project RedWedding don't want it discussed in public… because of reasons. Luckily, they run Slack Watchman to monitor their Slack workspace and have added the phrase RedWedding to the custom searches, so they were alerted when the phrase was used in a public channel. They can then quickly contact the person who made the post, or remove it themselves.

In real life this is also useful for catching password reuse. If you know that (despite your advice) some of your system admins keep using the same passwords across accounts, you can look for those known passwords being posted in public channels. Bear in mind that the search file is then a list of live passwords, so store and handle it accordingly.

Custom searches are added with the --custom argument, supplying the path to a .txt file containing one search term per line.

All posts matching the search terms you specify are returned; they are not filtered by regex, so generic terms may return a lot of results over a long timeframe.
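To make the behaviour concrete, here is an added example (not Slack Watchman's own code) that loads a custom-terms file in the one-term-per-line format described above and matches posts against it as plain case-insensitive substring tests, the same way the text says matches are not regex-filtered. The file contents, the posts, and the field names on them are constructed for the example; the redaction helper is an addition of mine, so that a known password used as a search term is not echoed verbatim into a findings report.

```python
"""Added example, not Slack Watchman's own code: load a custom-terms .txt
file (one term per line) and match posts against it as case-insensitive
substring matches rather than regexes. File contents and posts below are
constructed for the example."""
from __future__ import annotations

# Constructed custom-terms file. The blank line and surrounding whitespace
# are there to show they are ignored (assumption: one term per line).
CUSTOM_TERMS_FILE = """
RedWedding

  Winter1s_Coming!
"""

# Constructed posts carrying only the Slack message fields used here.
SAMPLE_POSTS = [
    {"ts": "1587081600.000100", "user": "U01ARYA", "channel": "C01GENERAL",
     "text": "Has anyone got the redwedding slide deck?"},
    {"ts": "1587085200.000200", "user": "U01TYRION", "channel": "C01OPS",
     "text": "db password is still Winter1s_Coming! until we rotate it"},
    {"ts": "1587088800.000300", "user": "U01SAM", "channel": "C01RANDOM",
     "text": "lunch at the citadel?"},
]


def load_custom_terms(contents: str) -> list[str]:
    """Parse the .txt contents: one term per line, blank lines dropped, edges stripped."""
    return [line.strip() for line in contents.splitlines() if line.strip()]


def redact(term: str) -> str:
    """Keep just enough of a matched term to identify it in a report.

    Added precaution: when the term is a known password, the report must not
    become another copy of it.
    """
    return term[:2] + "*" * (len(term) - 2) if len(term) > 2 else "*" * len(term)


def find_matches(posts: list[dict], terms: list[str]) -> list[dict]:
    """Return one finding per (post, term) whose text contains the term.

    Matching is a plain substring test with case folded on both sides, not a
    regex, so a term like "the" hits almost everything: that is why generic
    terms are noisy over a long timeframe.
    """
    findings = []
    for post in posts:
        text = post.get("text", "").casefold()
        for term in terms:
            if term.casefold() in text:
                findings.append({
                    "term": redact(term),
                    "channel": post["channel"],
                    "user": post["user"],
                    "ts": post["ts"],
                })
    return findings


if __name__ == "__main__":
    for finding in find_matches(SAMPLE_POSTS, load_custom_terms(CUSTOM_TERMS_FILE)):
        print(finding)
```

Running it reports the RedWedding mention in C01GENERAL and the password in C01OPS, with the terms masked; searching the same posts for a generic word such as "the" already hits two of the three, which is the noise the paragraph above warns about.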

Command line arguments updated

With more searches being added, the list of command line arguments was getting unmanageable. The new format splits searches into 4 categories:

  • Tokens
  • Files
  • Personal data
  • Financial

You can still search for everything with the --all argument, or search one or more individual categories if that is what you are interested in.

API searching optimised

Querying the Slack API now makes use of Slack's built-in advanced search modifiers to restrict a search to a timeframe. Before, even when querying for the past 24 hours, the API query returned all results and those before your desired timeframe were then discarded (inefficient). Now Slack Watchman only asks the Slack API for results after the timeframe you specify (efficient).

This makes searching much quicker for shorter timeframes, and means you get rate limited far less often.
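The following is an added example of the optimisation described in this section; it is my code, not Slack Watchman's. It pushes the time window into the Slack search string with the `after:YYYY-MM-DD` modifier, asks for results newest first, and stops paging at the first message older than the window, which is the paging the old fetch-everything-then-discard approach kept doing. The timeframe letters (d/w/m/a), the fixed "now", and the sample result pages are assumptions constructed for the example; `after:` works at day granularity, so a ts check still trims the remainder of the boundary day.

```python
"""Added example, not Slack Watchman's own code: build a search.messages
query carrying Slack's after: modifier and page newest-first, stopping once
a page falls outside the requested window. Timeframe letters, the fixed
clock and the result pages are constructed assumptions."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Assumed timeframe letters: d = last 24 hours, w = 7 days, m = 30 days, a = all.
TIMEFRAME_DAYS = {"d": 1, "w": 7, "m": 30}

# Fixed clock so the example is reproducible: 2020-04-17 12:00 UTC.
NOW = datetime(2020, 4, 17, 12, 0, tzinfo=timezone.utc)

# Constructed stand-ins for successive search.messages response pages,
# newest first, with only the ts field used here.
SAMPLE_PAGES = [
    [{"ts": "1587114000.000100"},   # 2020-04-17 09:00 UTC
     {"ts": "1587060000.000200"}],  # 2020-04-16 18:00 UTC
    [{"ts": "1586952000.000300"},   # 2020-04-15 12:00 UTC
     {"ts": "1586800000.000400"}],  # 2020-04-13 17:46 UTC
    [{"ts": "1586400000.000500"}],  # 2020-04-09 02:40 UTC
]


def window_start(timeframe: str, now: datetime) -> datetime | None:
    """Earliest timestamp wanted, or None for 'all'."""
    if timeframe == "a":
        return None
    return now - timedelta(days=TIMEFRAME_DAYS[timeframe])


def build_query(term: str, timeframe: str, now: datetime) -> str:
    """Quote the term (multi-word terms search as a phrase) and add after:YYYY-MM-DD.

    after: is day-granular and assumed here to exclude the day it names, so
    name the day before the window start; the ts check in collect_in_window
    trims what is left of that boundary day. Slack does the bulk of the work.
    """
    query = f'"{term}"'
    start = window_start(timeframe, now)
    if start is not None:
        query += " after:" + (start - timedelta(days=1)).strftime("%Y-%m-%d")
    return query


def search_params(term: str, timeframe: str, now: datetime, page: int = 1) -> dict:
    """Parameters for search.messages: newest first so paging can stop early."""
    return {"query": build_query(term, timeframe, now), "count": 100,
            "page": page, "sort": "timestamp", "sort_dir": "desc"}


def collect_in_window(pages, timeframe: str, now: datetime):
    """Walk newest-first result pages, keeping messages inside the window.

    Returns (kept_messages, pages_read). The walk stops at the first message
    older than the window, so later pages are never requested.
    """
    start = window_start(timeframe, now)
    kept, pages_read = [], 0
    for page in pages:
        pages_read += 1
        for message in page:
            sent = datetime.fromtimestamp(float(message["ts"]), tz=timezone.utc)
            if start is not None and sent < start:
                return kept, pages_read
            kept.append(message)
    return kept, pages_read


if __name__ == "__main__":
    for tf in ("d", "w", "a"):
        print(search_params("RedWedding", tf, NOW)["query"])
        kept, pages = collect_in_window(SAMPLE_PAGES, tf, NOW)
        print(f"  timeframe {tf}: {len(kept)} messages from {pages} page(s)")
```

With the constructed pages, a 24-hour search keeps two messages and reads only two of the three pages, a 7-day search keeps four from three pages, and "all" keeps everything; the query string sent for the 24-hour case is `"RedWedding" after:2020-04-15`.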

Under the hood improvements

As more searches were added, the code was getting messy. A lot of refactoring has made it beautiful again, and much easier to add searches to in the future.

Future plans

I plan to add more features to Slack Watchman, including more searches.

If you feel there is a feature that could be added, or have an idea of a search to add (especially if you have a working regex to filter for it) feel free to make a pull request, or shoot me a message: https://twitter.com/_PaperMtn

PaperMtn

Cybersecurity professional based in the UK. Fan of dogs, chequered shirts and lists of three.