Configure Slack Enterprise for the Next Generation API Data Protection
Configure Slack Enterprise for the Next Generation API Data Protection
To configure Slack Enterprise for Next Generation API Data Protection, you need to authorize Netskope as a web application client to access your Slack Enterprise instance. Follow the instructions below.
Prerequisite
-
A Slack account with Enterprise Grid plan.
-
An organization (or primary) owner role.
Configure Netskope to Access Slack Enterprise Account
To authorize Netskope to access your Slack Enterprise account, follow the steps below:
-
Log in to your Slack enterprise grid account as an organization (or primary) owner.
-
Identify the workspace name and note it down. This workspace name will be required during the Slack Enterprise instance setup in the following steps.
This workspace will also be used to install the Netskope Bot for legal hold, quarantine, and policy alert notification. -
Log in to the Netskope tenant UI and go to Settings > Configure App Access > Next Gen > CASB API.
-
Under Apps, select Slack Enterprise and click Setup CASB API Instance.
The Setup Instance window opens.
-
Enter the Slack Org Owner Email address.
-
Enter the Workspace Name noted in step 2. The workspace name is case-sensitive.
This workspace will be used to install the Netskope Bot for legal hold, quarantine, and policy alert notification. -
Under Instance Name, enter a name of the SaaS app instance. This step is optional and if left blank, Netskope will determine the name of the app instance post grant.
-
Ensure that you are logged in to your Slack enterprise grid account as an organization (or primary) owner in one of the tabs of your browser.
An organization (or primary) owner has to be logged in to the enterprise account and use the same browser session to grant access in the Netskope UI. -
Click Grant Access.
A new pop-up window opens asking you to authorize Netskope to access and manage all your organization’s messages and files.
-
Click Allow.
When the configuration results page opens, click Close.
Refresh your browser and you will see a green check icon next to the instance name.
Install the Netskope for Slack Enterprise App
Once you have granted access your Slack Enterprise account to Netskope, next, you should install the the Netskope for Slack Enterprise App on your Slack workspace. This app works like a chat bot. The purpose of the Netskope chat bot is:
-
to send direct messages to users or an organization (or primary) owner in the event of a policy match. You can configure this under the + Notification option of the Next Generation API Data Protection policy wizard page.
-
to store a copy of the violated content as part of the legal hold and quarantine actions in netskope_legalhold and netskope_quarantine private channels respectively. These groups are accessible only by the instance administrator.
The members in the netskope_legalhold & netskope_quarantine private channels include the Netskope bot and Slack an organization (or primary) owner only.
Follow the steps below:
-
Log in to your Slack enterprise grid account as an organization (or primary) owner.
-
On the top-right, click Manage Organizations.
-
On the left navigation pane, click Integrations > Installed Apps.
-
Identify the Netskope for Slack Enterprise app from the list.
-
Click the three-dot icon beside the Netskope for Slack Enterprise app, then click Add to more workspace.
-
Identify the workspace name you entered in step 6 during the instance setup. Select it and click Next.
-
Review the requested permissions and click Next.
-
Select the I’m ready to add this app checkbox and click Add App.
You have successfully installed the Netskope chat bot.
The legal hold, quarantine, and policy alert notification features may take up to an hour to become fully functional after the Netskope chat bot is installed in the workspace.
Next, you can view the Next Generation API Data Protection Inventory page to get deep insights on various entities on your Slack Enterprise account. For more information on the Inventory page, see Next Generation API Data Protection Inventory.
You can receive audit events and standard user behavior analytic alerts in Skope IT. To know more: Next Generation API Data Protection Skope IT Events.
Next, you should configure a Next Generation API Data Protection policy. To do so, see Next Generation API Data Protection Policy Wizard.
Important Points to Note
A few important notes on Next Generation API Data Protection for Slack Enterprise.
Additional Permissions for Organization Owner
In Next-Generation API Data Protection for Slack Enterprise, Netskope leverages the admin.conversations.search
API to locate specific channels like netskope_quarantine
and netskope_legalhold
. For these channels to be accessible, the organization owner must have the channel manegement roles in their Slack account. By default, this role is not assigned to the organization owner. To enable the legal hold and quarantine features, you must manually assign this role in Slack.
-
Log in to your Slack enterprise grid account as a organization primary owner.
-
Go to Manage Organization.
-
On the left navigation, go to People > Manage Permissions, then click Account Types.
-
Make sure Manage private channels at the org level and Manage public channels for a team permissions are checked for Org Owner.
Slack Enterprise Channel Promotion and Conversation Policies
When a channel is shared with multiple workspaces or includes external users, Slack promotes it to the organization level. In Next Generation API Data Protection, the existing channel will be deleted, and a new one will be created for the promoted channel.
In Next Generation API Data Protection, you can bind specific policies to individual channels. If a channel is deleted during promotion, the policies previously set on that channel becomes invalid and will not transfer to the newly promoted channel automatically.
This applies only when you configure channel-specific policies.
Slack Canvas
Slack has introduced a new feature “Canvas”. Next Generation API Data Protection for Slack Enterprise can perform a DLP scan on direct messages, 1:n messages, channels, threads, and replies within a Slack Canvas. However, Next Generation API Data Protection cannot scan attachments in Slack Canvas. This is due to a lack of underlying Slack API support.
Snippet Edit
Editing an existing snippet without changing any associated messages may not be detected by Next Generation API Data Protection, as Slack currently lacks an appropriate API to identify such events.