Slack treats both message objects and file objects as files. In some environments, the policies and requirements for each of them are different. This article suggests a way to separate the policies for each object type in DLP Enforce.
Slack generates a lot of message objects. To balance functionality with performance, the Slack Securlet scans them in batches. This method tweaks the policy engine so that it scans each message object separately.
Environment
CloudSOC tenant, with:
Activated Slack Securlet
CDS Connector (active, connected and healthy)
DLP Enforce
Resolution
General:
Messages are sent across as files named "Unkown.txt". The idea is to add a condition on the file name so that the policy enforcement engine treats them individually.
Steps:
1. Create a policy group (if not created already).
2. Create an application detector/filter for the Slack Securlet and associate it with the policy group created in step one (or the existing group chosen).
3. Create a policy for Slack messages:
   - Two conditions (file name unkown.txt, and keyword)
   - One response action (Delete DAR)
   - Use the policy group defined in step one
4. Create another policy for Slack files:
   - Two conditions (any file name except unkown.txt, and keyword)