Slack Securlet Policy only look for matches within a single message



Article ID: 380948



Products

CASB Securlet SAAS CASB Security Advanced CASB Security Premium CASB Security Standard

Issue/Introduction

You notice that some Slack Securlet policies with a single rule can only look for matches within one Slack message, whereas some compound policies can match across multiple messages. For instance, if you have a data identifier (DI) policy with a keyword validator, both the keyword and the DI have to be found within a single message to trigger the DLP incident. However, if you create a policy with a keyword rule AND a separate data identifier rule, it can trigger when the keyword and the DI are found in multiple consecutive messages.

Cause

This is because each Slack message is considered an independent attachment/component. Multiple Slack messages can be batched together as a single DLP request for content inspection, but when the policy is set to look for matches within the same component, it will only look for matches within each message/component. Please see the techdoc Configuring compound rules for more detail. However, if you have a policy that has multiple rules (compound rules), the policy can match across different components (see cross-component matching for more detail). For data identifiers with a validator, such as keywords, it is implied that the keywords must exist in the same component as the DI to match the policy.


Resolution

If you want your policy to trigger when the keyword and the DI are found in multiple messages sent within a short timeframe, then instead of using a keyword validator, you should consider breaking the rule into a keyword rule and a DI rule and setting the component to ANY. Messages that are not sent to DLP in one request, for example because they are sent some time apart from each other, will not be scanned by DLP as a batch, so even an ANY-component policy cannot match across them.
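The following is an added illustration of the matching semantics described above, not code from the Securlet or DLP product: a batch of constructed Slack messages is evaluated first as a single DI rule with a keyword validator (same component) and then as a compound keyword rule AND DI rule with component set to ANY. The card-number pattern and the keyword are hypothetical placeholders for a real data identifier and validator, and the batch boundaries are given as input rather than derived from a timing window.

```python
import re
from typing import Callable, Iterable, List

# Hypothetical data identifier: a 16-digit card-number pattern (illustration only).
CARD_DI = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
# Hypothetical keyword validator attached to the DI.
KEYWORD = "credit card"

# Constructed sample: keyword and DI arrive in two consecutive messages.
SPLIT_ACROSS_MESSAGES = [
    "Here is the credit card for the booking, sending it now:",
    "4111 1111 1111 1111",
    "Let me know if you need anything else.",
]

# Constructed sample: keyword and DI in the same message.
SINGLE_MESSAGE = ["Credit card for the booking: 4111 1111 1111 1111"]


def di_with_keyword_validator(component: str) -> bool:
    """Single rule: the DI and its keyword validator must both hit in one component."""
    return bool(CARD_DI.search(component)) and KEYWORD in component.lower()


def policy_same_component(batch: Iterable[str]) -> bool:
    """Single-rule policy: each message (component) is checked on its own."""
    return any(di_with_keyword_validator(m) for m in batch)


def policy_any_component(batch: Iterable[str]) -> bool:
    """Compound policy: keyword rule AND DI rule, each scoped to component ANY.
    Each rule may be satisfied by a different message within the same batch."""
    messages = list(batch)
    keyword_hit = any(KEYWORD in m.lower() for m in messages)
    di_hit = any(CARD_DI.search(m) for m in messages)
    return keyword_hit and di_hit


def scan_batches(batches: List[List[str]], policy: Callable[[Iterable[str]], bool]) -> List[int]:
    """Each batch is one DLP request; cross-component matching never spans batches.
    Returns the indices of batches that raised an incident."""
    return [i for i, batch in enumerate(batches) if policy(batch)]
```

Messages sent far enough apart to land in separate batches are passed as separate inner lists, which is why `scan_batches` finds nothing for them even under the ANY-component policy.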