Learn how to handle Nightfall Events created as a result of a sensitive data leak in Microsoft Teams.
When Nightfall detects a violation of one or more MS Teams policies, it reports the violation as an Event. This document describes the workflows and options for MS Teams Events. We recommend reading the Nightfall Events Sensitive Data Protection Events document before proceeding.
To view the Events in the Nightfall console:
Click Detection and Response from the left pane.
Filter the data to view only the MS Teams Events.
(Optional) To view Events prior to the Last 7 days, click the date filter and choose the appropriate date range, up to a maximum of 180 days.
Once you filter the Events to view only the MS Teams Events, you can refer to the #event-list-view section to learn more about the available options.
Click any of the Events to view its details. You may click anywhere in the row of the Event that you wish to inspect. The details are presented in a side panel. Click the ellipsis menu in the right corner or on the violation to view the list of actions that you can take on the violation.
The side panel (or the Event detail view) is divided into three separate sections. The first section has information about the occurrence of individual findings, with a preview. The third section is an activity log for the Event. Both of these sections show information that is common across all sources and integrations. You can refer to these common sections in the #event-detail-view section.
The second section displays details that are specific to the source or integration, so the details vary from one integration to another.
Nightfall allows you to take various actions on Events. When you take an action on an Event, the status of the Event changes accordingly. To learn more about Event status, refer to the Event Status document.
In MS Teams, you can take actions either from the Event list view page or the Event detail view page. On the Event list view page, you can click the ellipsis menu to view the available list of actions.
On the Event detail view, you can view the applicable actions from the actions section at the bottom.
The actions supported for MS Teams are as follows. Some of these actions are common to other integrations as well.
Copy Event Link: The action copies the link to the Event. You can save or send this link to directly open the Event. This action is available only on the Event detail view.
View in MS Teams: This action redirects you to the relevant document with sensitive data in the source MS Teams. This action is available only on the Event detail view. Note that you must have the relevant access to the document in the source message in MS Teams.
Ignore: The ignore action flags Nightfall to ignore all the findings in the Event. You may take it if you determine that the findings are false positives. This action marks the Event as resolved and moves it to the Resolved section. You can undo this action.
Acknowledge: You can take this action to notify other users that you have looked into this Event and will take suitable action in the future.
Notify Email: This action notifies the end user who sent the message with sensitive data in MS Teams about the event, through email.
Notify Slack: This action notifies the end user who sent the message with sensitive data in MS Teams about the event, through Slack.
Notify Teams: This action notifies the end user who sent the message with sensitive data in MS Teams about the event, through MS Teams.
Send to JIRA: This action creates a JIRA ticket for the Event. You can pick a project and issue type while creating the JIRA ticket, and you can assign the JIRA ticket to the end user.
Resolve: This action must be taken when the sensitive data is removed completely from the source file. This action resolves the Event.
If you have configured Email Notification in Admin Alerting, Nightfall admins receive the email notification. This email allows admins to take actions from within the email.
If you have configured Email Notification in the Automation section of End user notification settings, end users receive an email from Nightfall. This email allows end users to take actions from within the email.
When a violation occurs, the end user who triggered the violation receives an email at their registered Microsoft account. The Email looks as follows.
If you have enabled end-user remediation in policy settings, end users can view two options, based on the options selected in end-user remediation. They can choose either to Remediate in Teams or to Report as False Positive. These options are displayed in the email only if you have configured them in the end-user remediation section of the policy.