Slack Messages
Slack is a popular enterprise collaboration and communication tool - as well as a common exposure point for secrets and NHIs. SailPoint Entro identifies such exposures, as shown in the example below:

The following steps should be taken to react effectively when SailPoint Entro detects secrets or tokens exposed over Slack in order to limit the scope of impact.
Step 1: Locate the Exposed Token with SailPoint Entro Platform

Note that SailPoint Entro supplies the URL to navigate directly to the Slack channel, message, or file where the token was exposed.
Step 2: Revoke Rotate and remove the Exposed Token
To remediate the issue, use the RIGOR workflow:
-
Redact Sensitive Information: Edit or delete the Slack channel, comments, or attached files that contain the exposed sensitive Token to ensure Slack hygiene is met.
-
Inform the owner about the token exposure so that the practice is not repeated.
-
Generate a new token if required, and ensure secure storage.
-
Organize and take notes throughout this process as they will be necessary for a future root cause analysis, response plans, etc...
-
Revoke any exposed tokens immediately through the issuing service based on the token type provided by SailPoint Entro. Refer to Key Rotation Best Practices.
Step 3 (optional): Use best practices in Slack
Ensure that Slack apps or bots utilize secure storage for access tokens and sensitive data. Avoid hard-coding tokens or storing them directly in Slack. Instead, leverage secure APIs from storage solutions that offer access control, logging, and auditing features.
Step 3b (optional): Security Training
It is imperative that all team members, including developers and system administrators, receive comprehensive education on the risks of improper handling of tokens and other sensitive data. This training should encompass secure coding practices, data privacy, and the significance of utilizing secure storage solutions.
Step 4: Audit Access
Examine Timeline and Access: Utilize Slack’s audit logs to identify the exact time the secret was exposed and track who accessed it, focusing on the sequence of events. Check the logs to determine if guest users accessed the exposed information, as they are easier for bad actors to masquerade as.