Slack

Slack for Teams

As of February 24, 2021, Cisco Cloudlock for Slack supports Slack Enterprise plans only. This is due to Slack's deprecation of various APIs that Cloudlock requires to provide CASB functionality for the Slack Free, Slack Standard, and Slack Plus plans. In line with Slack's official guidance, we continue to support DLP offerings for Enterprise plans only.

If you have any questions, contact [email protected]

Cisco Cloudlock offers packages for Slack Enterprise and Slack for Teams. For prerequisites and installation steps, see the Slack (Teams) Quick Start Setup Guide and the Slack (Enterprise) Quick Start Setup Guide.

| | Slack for Teams | Slack Enterprise Grid |
|---|---|---|
| Spaces Monitored | 1 | Multiple |
| Teams Monitored | 1 | Multiple |
| UEBA Support | Logins Only | Not Available |
| Authorization User | Workspace Admin | Org Admin |
| Response Actions Available | None (platform specific) | Quarantine and Slack User or Admin notification |
| Monitored | All Public Channels. Private Channels & Direct Messages are limited to those that the Authorization user is a member of | All Workspaces, Public Channels, Private Channels and Direct Messages |
| Scope | Public Channels can be specified | None |
| View Object | Yes | Not Available |
| Incident Details | Channel | Channel, Workspace |

Policies

Cisco Cloudlock monitors Slack Enterprise and Slack for Teams in the following policies:

Data Loss Prevention (DLP)

Exposure

Slack for Teams

  • File hosted by external service—File is stored in a 3rd party cloud service such as Google Drive or Dropbox.
  • Public—Public channel is accessible by anyone.
  • Public with link—Accessible by anyone on the internet who has access to the link or can search for it.
  • Specific shares (Users and Groups; Domains and top-level domains)—Any internal or external users, groups or domains specifically listed.

Slack (Enterprise)

  • File hosted by external service—File is stored in a 3rd party cloud service such as Google Drive or Dropbox.
  • Public—Public channel is accessible by anyone.
  • Public with link—Accessible by anyone on the internet who has access to the link or can search for it.

Attachments and Files

  • Files shared via a link (to OneDrive or Google Drive, for example) are not monitored, because they are seen as links and not files.

  • In Slack for Teams, files or attachments shared in a direct message or private channel that the authorizing admin is not a part of are not monitored.

User Events and Behavior Analytics (UEBA)

  • Build Your Own: Event Analysis

UEBA

UEBA only covers Slack for Teams and only logins are monitored. No other events are available.

Response Actions

Slack Response Actions

Slack platform-specific Response Actions are available for Slack Enterprise Grid only.

Direct Message Admin

Sends a customizable message in Slack to the specified admin regarding the incident.

Direct Message User

Sends a message in Slack to the user who triggers the policy. The message is customizable.

Quarantine Content

The message that caused the violation is replaced with a message created in the Response Actions settings.

Incident Examples

In this incident, a user violated a custom regex policy (Social Security Number) when they posted an attached file with social security numbers to a public channel. Because this incident occurred in Slack Enterprise, both the Workspace and Channel information are provided.

This incident was triggered by a custom regex policy (Social Security Number) when the user posted a message in a public channel with social security numbers. Because this incident occurred in Slack Enterprise, both the Workspace and Channel information are provided.

This incident was triggered by a context-only policy when the user shared a document to a public channel. Both the workspace and channel are provided in the incident details for Slack Enterprise.

This incident was triggered by a context-only policy when the user posted a message with an attachment to a public channel. Both the workspace and channel are provided in the incident details for Slack Enterprise.

This incident is an example of the only UEBA monitoring available for Slack. The incident was triggered when a user logged in to their Slack instance. This type of incident is only available in Slack for Teams.

View an Object

For a DLP incident, you can click View Object in the upper-right corner to view the file that violated the policy. You are redirected to sign in to your Slack tenant to view the message in the channel.

Updated 2 years ago
