Apply a DLP policy to a specific Slack Account in Cloudsoc Securlet
Article ID: 272835
Updated On:
Products
Issue/Introduction
Slack Securlet can be activated on multiple Slack accounts (Tenants/Workspaces). Each account can be managed with a different set of policies. This article goes over a suggestion on how to configure a DLP Enforce policy to a certain Slack Account.
Environment
- Slack Securlet is activated with multiple accounts
- Cloudsoc Tenant is integrated with CDS/DLP Enforce
Resolution
Generally, the Application Detection filter can be used to enable the content inspection on a certain Gatelet or Securlet. Though the filter does not distinguish between the accounts. To achieve that, a Contextual attribute name "common.doc.instance" can be leveraged.
Here are the steps:
1- Log in to the DLP Enforce portal, and navigate to the Policy Screen
2- Create a new Policy and associate it with the desired policy group (which is also associated with the Application Detector for Slack Securlet)
3- Add a new Rule in the policy create in the previous step, Select Contextual Attribute, then Custom, String, Use "common.doc.instance" as the attribute name, and use the slack account instance id as the value
4- Combine the contextual attribute rule with any set of rules based on the requirement (in this example we used a keyword rule for demonstration purposes only)
5- Save the policy.
Additional Information
Sometimes it is challenging to find the instance id, one way of finding it is to trigger a policy to generate a DLP Incident (Data At Rest), In the incident details and under the "Custom" section, the Instance ID is reported there as shown in the screenshot bellow.
Feedback
