Splitting Slack Securlet policies based on the object type (Messages vs Files)

Article ID: 272574

Updated On:

Products

  • CASB Security Advanced
  • CASB Security Premium
  • CASB Security Standard
  • CASB Securlet SAAS
  • CASB Securlet SAAS With DLP-CDS

Issue/Introduction

  • Slack Securlet treats both Messages and Files objects as files. In some environments, the policies and requirements for each of them are different. This article suggests a way to separate the policies for each object type in DLP Enforce.

 

  • Slack generates a lot of message objects. To balance functionality with performance, Slack Securlet scans them in batches. The method described here tweaks the policy engine so that each message object is scanned separately.

Environment

CloudSOC tenant, with:

  1. Activated Slack Securlet
  2. CDS Connector (active, connected and healthy)
  3. DLP Enforce

 

Resolution

General:

Messages are sent across as files named "Unkown.txt". The idea is to add a condition on the file name so that the policy enforcement engine treats them individually.

 

Steps:

  • Create a Policy Group (if not created already).

 

  • Create an Application Detector/Filter for Slack Securlet and associate it with the policy group created (or chosen) in step one.

  • Create a policy for Slack Messages
      • Two conditions (file name unkown.txt, and keyword)
      • One response action (Delete DAR)
      • Use the policy group defined in step one

  • Create another policy for Slack Files
      • Two conditions (any file name except unkown.txt, and keyword)
      • One response action (Quarantine DAR)
      • Use the policy group defined in step one
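
The routing that the two policies above produce can be checked offline before building them. The following is an added example, not Broadcom or DLP Enforce code: a plain-Python model of the two rules. The keyword, the sample objects and the matching semantics (case-insensitive exact file name, case-insensitive substring keyword) are assumptions made for illustration.

```python
# Added illustration: a plain-Python model of the two policies described above.
# It does not call CloudSOC or DLP Enforce; matching semantics are assumptions.
from dataclasses import dataclass

MESSAGE_FILE_NAME = "unkown.txt"   # spelling exactly as given in the article
KEYWORD = "project-falcon"         # constructed keyword for the example


@dataclass
class SlackObject:
    name: str      # file name reported to the policy engine
    content: str   # extracted text


def name_is_message(obj):
    # Assumption: the file-name condition is an exact, case-insensitive match.
    return obj.name.lower() == MESSAGE_FILE_NAME


def has_keyword(obj):
    # Assumption: the keyword condition is a case-insensitive substring match.
    return KEYWORD in obj.content.lower()


# Each policy: (policy name, file-name condition, response action)
POLICIES = [
    ("Slack Messages", name_is_message, "Delete DAR"),
    ("Slack Files", lambda o: not name_is_message(o), "Quarantine DAR"),
]


def evaluate(obj):
    """Return the (policy, action) pairs whose two conditions both match."""
    return [(p, a) for p, name_cond, a in POLICIES
            if name_cond(obj) and has_keyword(obj)]


# Constructed sample objects, not taken from a real tenant.
SAMPLES = [
    SlackObject("Unkown.txt", "status of Project-Falcon?"),    # message, hit
    SlackObject("Unkown.txt", "lunch at noon"),                # message, clean
    SlackObject("roadmap.docx", "Project-Falcon milestones"),  # file, hit
    SlackObject("unkown.txt", "project-falcon budget"),        # upload sharing the name
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.name!r:16} -> {evaluate(s) or 'no incident'}")
```

Because the two file-name conditions are complements, no object can trigger both policies. The last sample shows that an uploaded file carrying the same name as the message placeholder is handled by the Messages policy (Delete DAR) rather than the Files policy.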