DLP incidents continued to be created for exposed files from the Slack Securlet even though the user was terminated months before. 

This scan of these files is working as designed.

Files are part of channels and their exposures are based on those channels. Whenever a user joins or leaves a channel, CloudSOC rescans all of the files within the channel as exposures might've changed, which could now make a file trigger a policy set against those said exposures.

Since files are not deleted from Slack if the uploader is removed, the CI logs are showing up for such files. Files are always associated to the user that uploaded them which is why they are seeing the names of the terminated users. 

Any change in the metadata will trigger a rescan, and the data is always reported by the data owner regardless of the user (data owner) current status (exists or not, activated or not).

To stop scanning the file in the future, you remove the file from Slack. 

Slack Securlet incidents filed against a deactivated user