Slack Remediation Guide

Sensitive data like personal information or credentials can pose a large risk when found in Slack messages. Read our guide to remediating these DLP risks in Slack.

Nightfall’s Slack integration offers the ability to set up automated remediation workflows. In general, we recommend that before setting up automated remediation workflows, you first test detection while leveraging manual workflows. Once you’ve optimized detection and identified key patterns in the types of violations and required remediation action, you can automate the process.

Slack alerts on violations in real time, and remediation actions are taken from within the Slack interface.

Manual Slack remediation options appear within the violation alert and include:

  • Delete the violation (Pro and Enterprise)

  • Notify the end user

  • Quarantine the violation (places the violation in the “Content” channel and the “Quarantine” channel; works on the Nightfall for Slack Enterprise plan only)

Automated actions are also available for the Slack Pro and Slack Enterprise integrations, as described below:

Automated Actions for Slack Pro

For Slack Pro, the options for Automated Actions are to Notify the user, or to Delete the message that caused the violation.

Automated Actions for Slack Enterprise

For Slack Enterprise, the options are to Notify the user, Quarantine the message, or to Delete the message that caused the violation.

If you select the Quarantine option, the content of the message will be sent to the ‘#nightfall-content-slack’ channel, and the original message will be replaced with a tombstone message, indicating that the original message is no longer available.

Alert messages for policy violations are sent to the #nightfall-alerts-slack channel. Similarly, for messages that are quarantined, an alert is also sent to the #nightfall-quarantine-slack channel.