DLP Incidents related to SLACK CANVAS are reported under the SLACK BOT
search cancel

DLP Incidents related to SLACK CANVAS are reported under the SLACK BOT

book

Article ID: 387084

calendar_today

Updated On:

Products

CASB Securlet SAAS

Issue/Introduction

In Slack, Canvas objects are treated similar to "File" objects, though there are a few differences, Especially when it comes to the object ownership.

"file":{
      "id":"F01234AB0CD",
      "created":1700009999,
      "name":"Untitled",
      "title":"Untitled",
      "user":"USLACKBOT"  <<<<

 

In many cases, when a Canvas object is created , Slack marks the owner as "SLACKBOT" , not the actual user who created it. this behavior is reflected on the DLP incidents when they get raised against a Slack Canvas object.

Here is an example:

 

In this example, the original event (Canvas Editing) has been populated against the actual user (FirstN LastN) but the incident itself was raised against the bot user ([email protected])

Resolution

This is the expected behavior since Slack Securlet reports the incidents against the data owner, and since this is the native behavior of Slack.