Slack
Slack for Teams
As of February 24, 2021, Cisco Cloudlock for Slack will only support Slack Enterprise plans. This is due to the deprecation of various APIs by Slack, which is required for Cloudlock to provide CASB functionalities for Slack Free, Slack Standard, and Slack Plus plans. As per Slack official guidance, we continue to support DLP offerings to Enterprise plans only.
If you have any questions, contact [email protected].
Cisco Cloudlock offers packages for Slack Enterprise and Slack for Teams. For prerequisites and installation steps see Slack (Teams) Quick Start Setup Guide and Slack (Enterprise) Quick Start Setup Guide.
Table of Contents
| Slack for Teams | Slack Enterprise Grid | |
|---|---|---|
| Spaces Monitored | 1 | Multiple |
| Teams Monitored | 1 | Multiple |
| UEBA Support | Logins Only | Not Available |
| Authorization User | Workspace Admin | Org Admin |
| Response Actions Available | None (platform specific) | Quarantine and Slack User or Admin notification |
| Monitored | All Public Channels. Private Channels & Direct Messages are limited to those that the Authorization user is a member of | All Workspaces, Public Channels, Private Channels and Direct Messages |
| Scope | Public Channels can be specified | None |
| View Object | Yes | Not Available |
| Incident Details | Channel | Channel Workspace |
Policies
Cisco Cloudlock monitors Slack Enterprise and Slack for Teams in the following policies:
Data Loss Prevention (DLP)
- Predefined
- Build Your Own: Context Only
- Build Your Own: Custom Regex
Exposure
Slack for Teams
- File hosted by external service—File is stored in a 3rd party cloud service such as Google Drive or Dropbox.
- Public—Public channel is accessible by anyone.
- Public with link—Accessible by anyone on the internet who has access to the link or can search for it.
- Specific shares (Users and Groups; Domains and top-level domains)—Any internal or external users, groups or domains specifically listed.
Slack (Enterprise)
- File hosted by external service—File is stored in a 3rd party cloud service such as Google Drive or Dropbox.
- Public—Public channel is accessible by anyone.
- Public with link—Accessible by anyone on the internet who has access to the link or can search for it.
Attachments and Files
Files that are shared via a link (to OneDrive or Google Drive for example) will not be monitored as they are seen as links and not files.
In Slack for Teams, files or attachments shared in a direct message or private channel that the authorizing admin is not a part of are not monitored.
User Events and Behavior Analytics (UEBA)
- Build Your Own: Event Analysis
UEBA
UEBA only covers Slack for Teams and only logins are monitored. No other events are available.
Slack Response Actions
Slack platform-specific Response Actions are available for Slack Enterprise Grid only.
Direct Message Admin
Sends a customizable message in Slack to the specified admin regarding the incident.
Direct Message User
Sends a message in Slack to the user who triggers the policy. The message is customizable.
Quarantine Content
The message that caused the violation is replaced with a message created in the Response Actions settings.
Incident Examples
In this incident, a user violated a custom regex policy (Social Security Number) when they posted an attached file with social security numbers to a public channel. Because this incident occurred in Slack Enterprise, both the Workspace and Channel information are provided.
This incident was triggered by a custom regex policy (Social Security Number) when the user posted a message in a public channel with social security numbers. Because this incident occurred in Slack Enterprise, both the Workspace and Channel information are provided.
This incident triggered for a context only policy when the user shared a document to a public channel. Both the workspace and channel are provided in the incident details for Slack Enterprise.
This incident triggered for a context only policy when the user posted a message with an attachment to a public channel. Both the workspace and channel are provided in the incident details for Slack Enterprise.
This incident is an example of the only UEBA monitoring for Slack. The incident was triggered when a user logged into their Slack instance. This type of incident is only available in Slack for Teams.
View an Object
For a DLP incident, you can click View Object in the uppermost right corner to view the file that violated the policy. You are redirected to sign into your Slack tenant to view the message in the channel.
Updated 8 months ago