Learn how Nightfall can remediate data exposure risks in Slack
Sensitive data like personal information or credentials can pose a large risk when found in Slack messages. Read our guide to remediating these DLP risks in Slack.
Nightfall’s Slack integration offers the ability to set up automated remediation workflows. In general, we recommend that before setting up automated remediation workflows, you first test detection while leveraging manual workflows. Once you’ve optimized detection and identified key patterns in the types of violations and required remediation action, you can automate the process.
Slack alerts on violations in real time, and remediation actions can be taken from within the Slack interface, via email, or via the Nightfall console. Manual Slack remediation options appear within the violation alert and include:
Notify the end user.
Delete the violation.
Redact message - replaces the message with a set of ** characters, aside from the first few characters. Supported with the Nightfall for Slack Enterprise plan only. Supported only on messages, not on images/files.
Quarantine - places the violation in the Content channel and the Quarantine channel. Supported with the Nightfall for Slack Enterprise plan only.
Deletes a message that violates a policy
Nightfall can delete the entire message that violates a configured policy. This remediation action is very useful for serious policy violations that risk data exposure and non-compliance.
Each time Nightfall detects a policy violation in any message in Slack channels that it is monitoring, the message can be deleted automatically if it is configured as an automated action. If you have selected both Notify and Delete as automated actions, Nightfall will notify the end-user as well as delete the violating message.
A shared Slack channel is a channel that is shared by two different Slack workspaces; shared channels are used to collaborate with users outside of your organization. If an external user posts sensitive data on a shared Slack channel, Nightfall cannot delete this data since it is owned by a user who is not part of your Slack workspace.
Redaction is a remediation action for messages within Slack.
When Nightfall detects a violation and you have configured it to redact the violation:
The original message in the respective DM or channel is edited with an attachment of the redacted message.
All characters in the message, except the first two, are masked with special characters.
You can redact all messages in DMs, as well as in Private and Public channels. Redaction as a remediation action displays all violations in Slack.
As an example, a message like this:
“This is a credit card 1111-11111-1111” will be redacted and displayed as an attachment in the original message with “Your message has been redacted as it potentially contained sensitive information. This is a credit card 11****************.”
Nightfall cannot redact deleted or quarantined messages. User activities are generated every time a message is redacted, as with all other remediation actions.
Note: Files and images scanned in Slack are not supported for redaction.
Isolates violating messages for further review by the sender
When Nightfall detects a violation and you have configured it to quarantine the violation:
The content of the message is sent to the #nightfall-content-slack channel.
The original message is replaced with a tombstone message, indicating that the original message is no longer available.
The channel that receives alert messages for policy violations is #nightfall-alerts-slack.
For messages that are quarantined, alerts are sent to the #nightfall-quarantine-slack channel.
Notifies users whose messages violate a policy
Each time Nightfall discovers a policy violation in a message, you have the option to notify the sender of the message about the violation. Notifying users is available as a manual or automated remediation action.
You can customize notifications sent via Slack by navigating to the Slack settings tab in the console. Edit the customize end-user notifications section to specify your organization's security policy and coach end-users on acceptable use of sensitive data.