HomeDocumentation and Guides
Home
Documentation and Guides

Slack

👍

Slack for Teams

As of February 24, 2021, Cisco Cloudlock for Slack will only support Slack Enterprise plans. This is due to the deprecation of various APIs by Slack, which is required for Cloudlock to provide CASB functionalities for Slack Free, Slack Standard, and Slack Plus plans.  As per Slack official guidance, we continue to support DLP offerings to Enterprise plans only. 

If you have any questions, contact [email protected].

Cisco Cloudlock offers packages for Slack Enterprise and Slack for Teams. For prerequisites and installation steps, see Slack (Teams) Quick Start Setup Guide and Slack (Enterprise) Quick Start Setup Guide.

Table of Contents

Slack for TeamsSlack Enterprise Grid
Spaces Monitored 1Multiple
Teams Monitored 1Multiple
UEBA Support Logins OnlyNot Available
Authorization User Workspace AdminOrg Admin
Response Actions Available None (platform specific)Quarantine and Slack User or Admin notification
Monitored All Public Channels. Private Channels & Direct Messages are limited to those that the Authorization user is a member ofAll Workspaces, Public Channels, Private Channels and Direct Messages
Scope Public Channels can be specifiedNone
View Object YesNot Available
Incident DetailsChannelChannel
Workspace

Policies

Cisco Cloudlock monitors Slack Enterprise and Slack for Teams in the following policies:

Data Loss Prevention (DLP)

Exposure

Slack for Teams

  • File hosted by external service—File is stored in a 3rd party cloud service such as Google Drive or Dropbox.
  • Public—Public channel is accessible by anyone.
  • Public with link—Accessible by anyone on the internet who has access to the link or can search for it.
  • Specific shares (Users and Groups; Domains and top-level domains)—Any internal or external users, groups or domains specifically listed.

Slack (Enterprise)

  • Public with link— Accessible by anyone on the internet who has access to the link or can search for it.
  • Public— Public channel is accessible by anyone.
  • File hosted by external service— File is stored in a 3rd party cloud service such as Google Drive or Dropbox.
  • Public Slack Connect Channels Only— Collaborate openly with external organizations in a public Slack channel. Anyone within connected organizations can join, making it ideal for broad communication and sharing.
  • Private Slack Connect Channels Only — Collaborate securely with external partners in a private Slack channel. Only invited members can join, ensuring confidentiality for sensitive discussions.

🚧

Attachments and Files

  • Files that are shared via a link (to OneDrive or Google Drive for example) will not be monitored as they are seen as links and not files.

  • In Slack for Teams, files or attachments shared in a direct message or private channel that the authorizing admin is not a part of are not monitored.

User Events and Behavior Analytics (UEBA)

  • Build Your Own: Event Analysis

🚧

UEBA

UEBA only covers Slack for Teams and only logins are monitored. No other events are available.

Response Actions

🚧

Slack Response Actions

Slack platform-specific Response Actions are available for Slack Enterprise Grid only.

Direct Message Admin

Sends a customizable message in Slack to the specified admin regarding the incident.

Direct Message User

Sends a message in Slack to the user who triggers the policy. The message is customizable.

797

Quarantine Content

The message that caused the violation is replaced with a message created in the Response Actions settings.

521

Incident Examples

In this incident, a user violated a custom regex policy (Social Security Number) when they posted an attached file with social security numbers to a public channel. Because this incident occurred in Slack Enterprise, both the workspace and channel information are provided.

This incident was triggered by a custom regex policy (Social Security Number) when the user posted a message in a public channel with social security numbers. Because this incident occurred in Slack Enterprise, both the workspace and channel information are provided.

2615

This incident triggered for a context only policy when the user shared a document to a public channel. Both the workspace and channel information are provided in the incident details for Slack Enterprise.

This incident triggered for a context only policy when the user posted a message with an attachment to a public channel. Both the workspace and channel information are provided in the incident details for Slack Enterprise.

2006

This incident is an example of the only UEBA monitoring for Slack. The incident was triggered when a user logged into their Slack instance. This type of incident is only available in Slack for Teams.

View an Object

For a DLP incident, you can click View Object in the uppermost right corner to view the file that violated the policy. You are redirected to sign into your Slack tenant to view the message in the channel.

322