ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Slack Securlet Rescanned files of a terminated user

book

Article ID: 226206

calendar_today

Updated On:

Products

CASB Security Standard

Issue/Introduction

DLP incidents continued to be created for exposed files from the Slack Securlet even though the user was terminated months before. 

Resolution

This scan of these files is working as designed.

Files are part of channels and their exposures are based on those channels. Whenever a user joins or leaves a channel, CloudSOC rescans all of the files within the channel as exposures might've changed, which could now make a file trigger a policy set against those said exposures.

Since files are not deleted from Slack if the uploader is removed, the CI logs are showing up for such files. Files are always associated to the user that uploaded them which is why they are seeing the names of the terminated users. 

To stop scanning the file in the future, you remove the file from Slack.