[Slack] Add slack integration

[legoguy1000]

What does this PR do?

Create an initial Slack integration to view audit logs

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Closes Slack #1152

Screenshots

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-08-09T00:20:44.956+0000

• Duration: 15 min 19 sec

Test stats 🧪

Test	Results
Failed	0
Passed	5
Skipped	0
Total	5

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[andrewkroh]

/test

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[jamiehynds]

@legoguy1000 Thanks for the PR. Do you know how the outh2 authentication works for this Slack integration? @P1llus and I had some discussions with Slack in the past and it seemed each Slack user would have to approve it, rather than an admin approving for the entire organization. I think this was the case for the Events API, but looks like you're hitting the Alerts API with this integration so hopefully it just requires admin approval.

[legoguy1000]

So there are different kinds of apps that can be made with different oauth scopes. For things like Google drive/mail/calendar... Each user can enable the app to connect their account to their slack account. But for something like this, the scopes are org/enterprise wide. Slack got rid of the legacy method to create API keys to manage the workspace, so an "app" is the only way to create a key with scopes like that. I think the misleading thing is it's not really an "app" in the traditional way when thinking of slack integrations.

[legoguy1000]

While I'm limited in my ability to test the audit logs because of the enterprise plan requirement, I did test the concept on the access logs API and a few others and was able to pull the data without issue.

[andrewkroh]

/test

[legoguy1000]

fixed errors, ready to retest

[legoguy1000]

@andrewkroh can we rerun the tests?

[andrewkroh]

/test

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (1/1)	💚
Files	100.0% (1/1)	💚 2.863
Classes	100.0% (1/1)	💚 2.863
Methods	100.0% (14/14)	💚 10.738
Lines	98.588% (349/354)	👍 7.951
Conditionals	100.0% (0/0)	💚

[andrewkroh]

LGTM with the exception of the rate limit behavior; I think that needs a manual verification that it's working.

[andrewkroh]

/test

[andrewkroh]

/test

[legoguy1000]

@andrewkroh I was able to mock the API and the Rate Limiting works as expected. When a 429 is returned the agent waits the set amount of seconds.

[efd6]

/test

[andrewkroh]

LGTM. Once elastic/elastic-package#821 is implemented we should revisit the testing to make the assertion automated.