Slack
Slack for Teams
As of February 24, 2021, Cisco Cloudlock for Slack supports Slack Enterprise plans only. This is due to Slack's deprecation of various APIs that Cloudlock requires to provide CASB functionality for Slack Free, Slack Standard, and Slack Plus plans. Per Slack's official guidance, we continue to support DLP offerings for Enterprise plans only.
If you have any questions, contact [email protected].
Cisco Cloudlock offers packages for Slack Enterprise and Slack for Teams. For prerequisites and installation steps, see Slack (Teams) Quick Start Setup Guide and Slack (Enterprise) Quick Start Setup Guide.
| | Slack for Teams | Slack Enterprise Grid |
|---|---|---|
| Spaces Monitored | 1 | Multiple |
| Teams Monitored | 1 | Multiple |
| UEBA Support | Logins Only | Not Available |
| Authorization User | Workspace Admin | Org Admin |
| Response Actions Available | None (platform specific) | Quarantine and Slack User or Admin notification |
| Monitored | All Public Channels. Private Channels & Direct Messages are limited to those that the Authorization user is a member of | All Workspaces, Public Channels, Private Channels and Direct Messages |
| Scope | Public Channels can be specified | None |
| View Object | Yes | Not Available |
| Incident Details | Channel | Channel, Workspace |
Policies
Cisco Cloudlock monitors Slack Enterprise and Slack for Teams in the following policies:
Data Loss Prevention (DLP)
- Predefined
- Build Your Own: Context Only
- Build Your Own: Custom Regex
Exposure
Slack for Teams
- File hosted by external service: File is stored in a 3rd party cloud service such as Google Drive or Dropbox.
- Public: Public channel is accessible by anyone.
- Public with link: Accessible by anyone on the internet who has access to the link or can search for it.
- Specific shares (Users and Groups; Domains and top-level domains): Any internal or external users, groups or domains specifically listed.
Slack (Enterprise)
- Public with link: Accessible by anyone on the internet who has access to the link or can search for it.
- Public: Public channel is accessible by anyone.
- File hosted by external service: File is stored in a 3rd party cloud service such as Google Drive or Dropbox.
- Public Slack Connect Channels Only: Collaborate openly with external organizations in a public Slack channel. Anyone within connected organizations can join, making it ideal for broad communication and sharing.
- Private Slack Connect Channels Only: Collaborate securely with external partners in a private Slack channel. Only invited members can join, ensuring confidentiality for sensitive discussions.
- Shared with any external user: An incident is triggered if one or more of the channel participants is an external user (outside the domain) that you have specified.
- Specific shares: An incident is triggered if one or more of the channel participants is among the users, groups, or domains that you have specified. Example: ALL_USERS

Exceptions: Add the channels that you do not want to monitor. These channels will not raise an incident.

Examples:
- Create Policy:
  Configure specific shares for "Slack".
  Select "ALL_USERS" from the users and groups dropdown menu. The channels listed as exceptions are excluded and are not monitored. In our example, we are not monitoring "public-channel-01".
- Visibility of "ALL_USERS":
  The "ALL_USERS" option is available only for "Slack Enterprise".
- Precedence of "ALL_USERS":
  If "ALL_USERS" is chosen along with other options, "ALL_USERS" will take precedence over the other options.
Attachments and Files
Files that are shared via a link (to OneDrive or Google Drive for example) will not be monitored as they are seen as links and not files.
In Slack for Teams, files or attachments shared in a direct message or private channel that the authorizing admin is not a part of are not monitored.
User Events and Behavior Analytics (UEBA)
- Build Your Own: Event Analysis
UEBA
UEBA only covers Slack for Teams and only logins are monitored. No other events are available.
Response Actions
Slack Response Actions
Slack platform-specific Response Actions are available for Slack Enterprise Grid only.
Direct Message Admin
Sends a customizable message in Slack to the specified admin regarding the incident.
Direct Message User
Sends a message in Slack to the user who triggers the policy. The message is customizable.
Quarantine Content
The message that caused the violation is replaced with a message created in the Response Actions settings.
Incident Examples
In this incident, a user violated a custom regex policy (Social Security Number) when they posted an attached file with social security numbers to a public channel. Because this incident occurred in Slack Enterprise, both the workspace and channel information are provided.
This incident was triggered by a custom regex policy (Social Security Number) when the user posted a message in a public channel with social security numbers. Because this incident occurred in Slack Enterprise, both the workspace and channel information are provided.
This incident was triggered by a context-only policy when the user shared a document to a public channel. Both the workspace and channel information are provided in the incident details for Slack Enterprise.
This incident was triggered by a context-only policy when the user posted a message with an attachment to a public channel. Both the workspace and channel information are provided in the incident details for Slack Enterprise.
This incident is an example of the only UEBA monitoring available for Slack. The incident was triggered when a user logged into their Slack instance. This type of incident is only available in Slack for Teams.
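The Social Security Number incidents above come from a Build Your Own: Custom Regex policy. The following added example (not Cloudlock's own pattern or code) shows one way to trial a candidate pattern offline against constructed messages before saving it in a policy. It assumes the regex engine accepts lookarounds and backreferences as Python's `re` does; the names `NAIVE`, `STRICT`, `mask` and `scan` are hypothetical.

```python
import re

# Naive pattern: any 3-2-4 digit group, the kind that floods a DLP queue.
NAIVE = re.compile(r"\d{3}-\d{2}-\d{4}")

# Tighter candidate (an assumption, not a Cloudlock-supplied pattern):
#  - not embedded in a longer digit/dash run (lookbehind / lookahead)
#  - area is not 000, 666 or 900-999; group is not 00; serial is not 0000
#  - separator is '-' or ' ' and must be the same in both positions
STRICT = re.compile(
    r"(?<![\d-])(?!000|666|9\d\d)\d{3}([- ])(?!00)\d{2}\1(?!0000)\d{4}(?![\d-])"
)

# Constructed sample messages: (channel, text). None are real data.
SAMPLES = [
    ("public-channel-01", "Payroll fix: SSN is 123-45-6789, please update"),
    ("public-channel-01", "Ticket ref 000-12-3456 closed"),
    ("general", "Call me at 555-867-5309"),
    ("general", "Order 9123-45-67890 shipped"),
    ("hr-help", "ID 987-65-4321 on file"),
    ("hr-help", "SSN 219 09 9999 is in the attached sheet"),
]

def mask(value):
    """Keep only the last four digits so test output never stores the number."""
    return "***-**-" + value[-4:]

def scan(pattern, samples=SAMPLES):
    """Return (channel, masked match) for every hit of pattern in samples."""
    hits = []
    for channel, text in samples:
        for m in pattern.finditer(text):
            hits.append((channel, mask(m.group(0))))
    return hits

if __name__ == "__main__":
    for name, pattern in (("naive", NAIVE), ("strict", STRICT)):
        print(name, scan(pattern))
```

The naive pattern flags four of the six messages, including an order number and never-issued ranges, and misses the space-separated value; the stricter candidate flags only the two plausible numbers.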
View an Object
For a DLP incident, you can click View Object in the upper-right corner to view the file that violated the policy. You are redirected to sign in to your Slack tenant to view the message in the channel.