In Slack, Canvas objects are treated similar to "File" objects, though there are a few differences, Especially when it comes to the object ownership.
"file":{ "id":"F01234AB0CD", "created":1700009999, "name":"Untitled", "title":"Untitled", "user":"USLACKBOT" <<<<
In many cases, when a Canvas object is created , Slack marks the owner as "SLACKBOT" , not the actual user who created it. this behavior is reflected on the DLP incidents when they get raised against a Slack Canvas object.
Here is an example:
In this example, the original event (Canvas Editing) has been populated against the actual user (FirstN LastN) but the incident itself was raised against the bot user ([email protected])
This is the expected behavior since Slack Securlet reports the incidents against the data owner, and since this is the native behavior of Slack.