Configuring the SaaS Security API Connector for Workplace from Meta

This article explains how to configure the Workplace from Meta connector for the SaaS Security API policy for your account and create rules that use this connector in the Data Protection Policy.

Note: Please contact SaaSecAPI@catonetworks.com or your official Cato reseller for more information about using the SaaS Security API policy.

Overview

The Workplace from Meta SaaS Security API connector monitors messages posted by users in Workplace and scans for sensitive data that you define in the DLP Content Profiles. When the connector identifies sensitive data in message content or attachment files, it generates an event with the details. These are the message types scanned by the Workplace connector:

  • Posts

  • Comments

  • Chat messages

Create the connector for your organization's Workplace account. Then define rules in the Data Protection policy that specify which users and group types are scanned and monitored. You can create a single connector for each Workplace account.

Prerequisites

  • Administrator permissions for your organization's Workplace account

Required Permissions for the API Connectors for Workplace

To enable Cato's SaaS Security API to scan Workplace messages, the connector gives Cato the following permissions with the Workplace account:

  • Read all messages

  • Read group membership

  • Read group content

  • Read user email

  • Read user timeline

Working with Workplace Connectors

This section explains how to create API connectors for Workplace to scan messages for sensitive data.

Creating the Workplace Connector

Use the Cato Management Application to create the Workplace connector, and then sign in to your Workplace account.

The Workplace connector lets the Cato SaaS Security API engine scan the content that you define in the Data Protection policy.

To create the connector for Workplace:

  1. From the navigation pane, select Assets > Integrations and select the Installed SaaS Applications tab.

  2. Click New. The New Connector window opens.

  3. In SaaS Application, select Workplace.

  4. Enter the Connector Name.

  5. Create the app in Workplace and configure the permissions for your Cato account to access the Workplace app:

    1. In Workplace, log in as an administrator, and navigate to Admin Panel > Integrations.

    2. Under Custom integrations click Create custom integration.

    3. Enter the app details and click Create. The app is created in Workplace.

    4. Under Custom integrations, click the app you created. The Integration details page opens.

    5. Navigate to Integration details > Permissions.

    6. Select these permissions:

      • Read all messages

      • Read group membership

      • Read group content

      • Read user email

      • Read user timeline

    7. Disable the Automatically remove unused permissions option, so that Workplace does not later revoke permissions that the connector has not yet exercised and break the connection.

  6. Copy app authentication information from Workplace to the Cato Management Application:

    1. In Workplace, navigate to Admin Panel > Integrations.

    2. Under Custom integrations, click the app you created. The Integration details page opens.

    3. Navigate to Integration details > Details.

    4. Copy the App ID and App Secret from Workplace to the New Connector panel in the Cato Management Application.

    5. In Workplace, under Access token, click Reset access token.

    6. Copy the access token from Workplace to the New Connector panel in the Cato Management Application.

      Treat the App Secret and the access token as credentials that grant the permissions listed above: store them only in the Cato Management Application and do not share them in tickets, chat, or documentation.

  7. In the New Connector panel, click Save. The Workplace connector is created and added to the Installed SaaS Applications page.


Understanding the Connector Status

The Status column on the Installed SaaS Applications page shows the status of the connection between the Workplace account and your Cato account. These are the explanations of the statuses:

  • Connected - Your Cato account is connected to the Workplace account and working correctly

  • Connection error - Connectivity or permissions issue with the Workplace connector. Please open a ticket with Support.

Adding Workplace Rules to the Data Protection Policy

This section explains how to use the Data Protection policy to monitor Workplace posts, comments, and chats for sensitive data.

For recommended best practices for Data Protection rules for the Workplace connector, see below.

Understanding the Workplace Rule Settings

This section explains how to define the settings for the Data Protection rules to scan Workplace messages. Each rule can be defined with the following settings:

  • Users - Define the Workplace users to monitor. Select Any or define one or more specific users.

  • Sharing Options - Define the Workplace group types to monitor. Select Any or select specific group types, including:

    • Open Group - Public groups where any user can see members' posts

    • Closed Group - Any user can see who the members are, but only members can see the posts

    • Secret Group - Only members can see who the members are and the posts

    • Cross Company Group - Groups shared with users outside the organization

  • File Attributes - Criteria for attachments that are scanned (default value is all attachments):

    • File Type

    • File Name

    • File Size (maximum file size is 20 MB)

  • Content Profile - DLP Content Profile that defines the DLP content inspection.

    You can create or edit Content Profiles in Security > DLP Configuration > Content Profile.

  • Actions - Select if you want to generate an event or send a notification when the rule is matched.

Configuring Workplace Rules

Use the Data Protection page to add the SaaS application rules in your Data Protection policy.

To create a new Data Protection rule for the Workplace app:

  1. From the navigation pane, select Security > SaaS Security API and select or expand Data Protection.

  2. Click New. The New Rule panel opens.

  3. In Application Connector, select the Workplace app.

  4. In the General section, enter the settings for the rule.

  5. In Users, define the Workplace users that you are monitoring:

    • Any - Monitor messages from all Workplace users (default value)

    • Workplace User - Select the specific Workplace users to monitor

  6. In Sharing Options, define the group types to monitor.

  7. In File Attributes, define the criteria to specify the files that are scanned (the default setting is to scan all files).

    If you define multiple criteria, select if there is an AND (default setting) or OR relationship between them.

  8. In Content Profile, select the DLP Content Profile for this rule.

    For more about DLP Content Profiles, see Creating DLP Content Profiles.

  9. In Actions, select Monitor.

  10. (Optional) Configure tracking options to generate Events and Send Notifications.

    For more information about notifications, see the relevant article for Subscription Groups, Mailing Lists, and Alert Integrations in the Alerts section.

  11. Click Save. The rule is added to the Data Protection policy.

Working with Ordered Data Protection Rules

The SaaS Security API engine inspects the data sequentially, from the top of the rulebase down, and checks whether it matches a rule. Data that matches no rule is not inspected. Rules at the top of the rulebase have a higher priority and are applied before the rules lower down. For a given item of data, only one rule per application or connector is applied.

Best Practice - To maximize the efficiency of your rulebase, we recommend that for each connector type, rules for specific users have a higher priority than rules that apply to Any users.

For example, if the data matches a connector in rule #2, the data is inspected by the SaaS Security API engine. The engine does not continue to apply rules #3 and below for the same connector. However, the data could match a lower priority rule with a different connector.

Known Limitations

Due to access restrictions, the following limitations apply to the Data Protection scans for the Workplace connector:

  • Data Protection rules do not scan attachments in Chat messages; only the message content is scanned. In Post and Comment messages, both attachments and message content are scanned.

  • Attachments are only scanned for messages in Open Groups.

  • Data Protection rules configured with File Attributes have the following limitations:

    • For Post and Comment messages - Only attachments are scanned, message content isn't scanned

    • For Chat messages - Attachments and messages aren't scanned

  • Data Protection rules configured with Sharing Options other than Any Group have the following limitation:

    • For Chat messages - Attachments and message content aren't scanned

Best Practices for Workplace Data Protection Rules

Due to known limitations (see above), we recommend the following best practices for Workplace Data Protection rules:

  • Best practices for using File Attributes:

    • Use File Attributes in a rule only when you need to scan for specific files or file types.

    • If you configure rules that use File Attributes, also configure rules without File Attributes. This ensures that message content, and not only attachments, is scanned.

  • Best practices for using Sharing Options:

    • If you configure a rule with specific Sharing Options, also create a similar rule for Any Group to make sure that Chat messages and attachments are scanned. For example, a first rule that scans Closed Groups for credit card data does not, due to the limitations above, scan attachments or Chat messages; a second rule that scans Any Group for credit card data adds coverage for Chat messages and for attachments in Open Groups.

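The following Python is an added example, not Cato code. It models the first-match-per-connector ordering described under Working with Ordered Data Protection Rules together with the Known Limitations and the best practices above, so a candidate rulebase can be checked offline before it is deployed. The connector name (Workplace-HQ), rule names, users and messages are constructed; the assumption that a message without a qualifying attachment does not match a File Attributes rule and falls through to the next rule is the model's, not a documented engine behaviour.

```python
"""Offline model of Workplace Data Protection rule ordering and scan coverage.

Added example, not Cato code. Encodes the first-match-per-connector ordering
and the Known Limitations from this article. All names and data are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

OPEN, CLOSED, SECRET, CROSS = ("Open Group", "Closed Group",
                               "Secret Group", "Cross Company Group")


@dataclass(frozen=True)
class Rule:
    name: str
    connector: str                         # Application Connector
    users: frozenset = frozenset()         # empty -> Any user
    sharing: frozenset = frozenset()       # empty -> Any group
    file_types: frozenset = frozenset()    # non-empty -> File Attributes set
    content_profile: str = "Credit Cards"  # DLP Content Profile


@dataclass(frozen=True)
class Message:
    connector: str
    user: str
    kind: str                         # "Post", "Comment" or "Chat"
    group: Optional[str]              # group type; None for Chat (not in a group)
    attachment: Optional[str] = None  # attachment file type, if any


def matches(rule: Rule, msg: Message) -> bool:
    """Does this rule apply to the message at all?"""
    if rule.connector != msg.connector:
        return False
    if rule.users and msg.user not in rule.users:
        return False
    if rule.sharing:
        # Limitation: Sharing Options other than Any never apply to Chat.
        if msg.kind == "Chat" or msg.group not in rule.sharing:
            return False
    if rule.file_types:
        # Limitation: File Attributes rules never scan Chat messages.
        # Assumption: File Attributes are matched against the attachment, so a
        # message without a qualifying attachment falls through to later rules.
        if msg.kind == "Chat" or msg.attachment not in rule.file_types:
            return False
    return True


def coverage(rule: Rule, msg: Message) -> dict:
    """What a matched rule actually scans, per the Known Limitations."""
    return {
        "rule": rule.name,
        # File Attributes rules scan attachments only, not message content.
        "content": not rule.file_types,
        # Attachments are scanned only for Posts/Comments in Open Groups.
        "attachments": (msg.attachment is not None
                        and msg.kind != "Chat" and msg.group == OPEN),
    }


def evaluate(rulebase: List[Rule], msg: Message) -> Optional[dict]:
    """Top-down: the first matching rule for the connector wins and lower rules
    for that connector are skipped. No match means the message is not inspected."""
    for rule in rulebase:
        if matches(rule, msg):
            return coverage(rule, msg)
    return None


def shadowed_rules(rulebase: List[Rule]) -> List[str]:
    """Best-practice check: rules that can never fire because a catch-all rule
    (Any user, Any group, no File Attributes) for the same connector sits above."""
    catch_all, shadowed = set(), []
    for rule in rulebase:
        if rule.connector in catch_all:
            shadowed.append(rule.name)
        elif not (rule.users or rule.sharing or rule.file_types):
            catch_all.add(rule.connector)
    return shadowed


# Constructed sample rulebase and messages.
WP = "Workplace-HQ"
finance = Rule("Finance users - strict", WP, users=frozenset({"cfo@example.com"}),
               content_profile="Credit Cards + Financial")
everyone = Rule("All users - credit cards", WP)
closed_only = Rule("Closed groups - credit cards", WP, sharing=frozenset({CLOSED}))
spreadsheets = Rule("Spreadsheet attachments", WP, file_types=frozenset({"xlsx"}))

cfo_post = Message(WP, "cfo@example.com", "Post", CLOSED)
chat = Message(WP, "alice@example.com", "Chat", None, attachment="pdf")
open_post = Message(WP, "alice@example.com", "Post", OPEN, attachment="xlsx")
```

Running `evaluate([everyone, finance], cfo_post)` returns the Any-user rule and `shadowed_rules` reports the finance rule as unreachable; swapping the order lets the specific rule fire, which is the ordering best practice. `evaluate([closed_only], chat)` returns None (the Chat is never inspected), while appending `everyone` below it gives Chat content coverage; `evaluate([spreadsheets, everyone], open_post)` shows the File Attributes rule scanning the attachment only, with content coverage depending on the rule beneath it.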

Analyzing SaaS Security API Events

The Monitoring > Events screen shows all the SaaS Security API events for your account. The search tools let you drill down to the events that contain the data you need.

SaaS Security API events can be identified by the following fields:

  • Event Type - Security

  • Sub-Type - SaaS Security API Data Protection or SaaS Security API Anti Malware

For more about using the Events screen, see the Events article. You can use the SaaS Security API Data Protection preset to filter the events.


Explaining the SaaS Security API Events Fields

These are the fields in a SaaS Security API event for the Workplace connector:

  • Application Activity - Message type (Post, Comment, Chat, Attachment)

  • Connector Name - Name of the connector that is defined for the rule

  • Connector Type - SaaS app that is defined for this connector

  • DLP Profile - DLP Content Profile that generated this event

  • Full Path URL - Link to the relevant Post or Comment

  • Matched Data Types - Data Types in the Content Profile that matched the rule

  • Rule - Name of the rule in the Data Protection policy

  • Sharing Scope - Group type the message was posted in

  • Severity - Severity defined for the rule
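As an added example that is not part of this article or Cato's own tooling, the Python below filters an exported set of events down to Workplace Data Protection events using the identifying fields described above (Event Type, Sub-Type, Connector Type) and orders them for triage by Sharing Scope, Severity and number of Matched Data Types. The sample events are constructed to mirror the field names in the table; representing the export as dicts keyed by those names, and ranking Cross Company and Open Groups as the widest exposure, are assumptions.

```python
"""Triage of SaaS Security API Data Protection events for the Workplace connector.

Added example, not Cato code. Events are constructed dicts keyed by the field
names in this article's event table; the export shape is an assumption.
"""
from collections import Counter
from typing import Dict, List

# Fields that identify SaaS Security API Data Protection events (from this article).
SECURITY_EVENT, DLP_SUBTYPE = "Security", "SaaS Security API Data Protection"

# Triage ranking by Sharing Scope (assumption, derived from the group definitions
# in this article): content visible outside the organisation or to any user first.
EXPOSURE = {"Cross Company Group": 0, "Open Group": 1, "Closed Group": 2, "Secret Group": 3}
SEVERITY = {"High": 0, "Medium": 1, "Low": 2}


def workplace_dlp_events(events: List[Dict]) -> List[Dict]:
    """Keep only Data Protection events raised by the Workplace connector."""
    return [e for e in events
            if e.get("Event Type") == SECURITY_EVENT
            and e.get("Sub-Type") == DLP_SUBTYPE
            and e.get("Connector Type") == "Workplace"]


def triage_order(events: List[Dict]) -> List[Dict]:
    """Order Workplace DLP events: widest Sharing Scope first, then rule Severity,
    then the number of Matched Data Types. Chat events carry no group and are
    ranked like Closed Groups (assumption)."""
    return sorted(workplace_dlp_events(events),
                  key=lambda e: (EXPOSURE.get(e.get("Sharing Scope"), 2),
                                 SEVERITY.get(e.get("Severity"), 3),
                                 -len(e.get("Matched Data Types", []))))


def summarize(events: List[Dict]) -> Counter:
    """Count events per (Application Activity, Sharing Scope) to see where sensitive data appears."""
    return Counter((e["Application Activity"], e.get("Sharing Scope") or "n/a")
                   for e in workplace_dlp_events(events))


# --- constructed sample export; values are illustrative only -----------------
_BASE = {"Event Type": SECURITY_EVENT, "Sub-Type": DLP_SUBTYPE,
         "Connector Type": "Workplace", "Connector Name": "Workplace-HQ",
         "DLP Profile": "Credit Cards", "Rule": "All users - credit cards",
         "Severity": "High", "Full Path URL": ""}


def _event(**fields) -> Dict:
    return {**_BASE, **fields}


SAMPLE_EVENTS = [
    _event(**{"Application Activity": "Post", "Sharing Scope": "Open Group",
              "Matched Data Types": ["Credit Card Number"],
              "Full Path URL": "https://example.workplace.com/groups/1/permalink/10"}),
    _event(**{"Application Activity": "Chat", "Sharing Scope": "", "Severity": "Medium",
              "Matched Data Types": ["Credit Card Number"]}),
    _event(**{"Application Activity": "Attachment", "Sharing Scope": "Cross Company Group",
              "Matched Data Types": ["Credit Card Number", "IBAN"],
              "Full Path URL": "https://example.workplace.com/groups/2/permalink/20"}),
    # An Anti Malware event and an event from another connector: both are filtered out.
    _event(**{"Sub-Type": "SaaS Security API Anti Malware",
              "Application Activity": "Attachment", "Sharing Scope": "Secret Group"}),
    _event(**{"Connector Type": "Other", "Connector Name": "Other-Connector",
              "Application Activity": "Message", "Sharing Scope": "Public Channel",
              "Matched Data Types": ["IBAN"]}),
]
```

`triage_order(SAMPLE_EVENTS)` puts the Cross Company Group attachment first, then the Open Group post, then the Chat, and `summarize` gives a per-activity count of where matches occur. The same filter can be reproduced in the Events screen with the SaaS Security API Data Protection preset plus a Connector Type filter; the script is useful when events are exported for offline review.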