Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Learn how you can select the Gmail integration in a Nightfall policy.
In this stage, you select the Integration for which the policy is created. In this case, the Gmail integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Sensitive Data.
Select the Gmail integration.
Learn about the Gmail policies in Nightfall DLP for Gmail.
DLP policies are a set of rules that include specific conditions, actions, and exceptions that monitor and filter data. DLP policies also enable you to remediate any leakage of sensitive information from within your organization.
You can set up policies to scan data that is sent through some or all applications within your organization.
You can configure policies and choose to not apply them all the time.
Before you define a policy or a set of policies, we recommend that you define the objectives of each policy, which can then be fulfilled when you configure the policy.
Here are a few important questions to ask before configuring your policies:
What data do you plan to monitor?
Where within the organization do you want to monitor?
What should be the scope of each policy?
What conditions must apply for the policy to match?
What exceptions/exclusions can be allowed?
What remediation actions should the policy take?
You can now configure policies on the Gmail integration to determine which repositories are monitored, and which ones are excluded from monitoring. You can also automate the remediation actions that you want Nightfall to perform on a policy violation.
The process of creating policies in Nightfall consists of six stages enlisted as follows.
Learn how to configure the Scope section for Gmail.
The Gmail Scope configuration page allows you to set filters to perform the following tasks.
Monitor or Exclude Monitoring of Emails sent by Specific Users and Groups: You can set up the Gmail scope to monitor only the required emails that were sent by either specific users or from a user group ID. Similarly, you can also choose to exclude certain user and group mail IDs from being monitored.
Monitor or Exclude Monitoring of Emails sent to Specific Recipients and Domains: You can choose specific email IDs that you wish to monitor or skip monitoring.
The Scope section is divided into the following two sub-sections.
Senders: Select this option if you wish to monitor or exclude monitoring of outgoing mails from specific users or user groups.
Recipients: Select this option to monitor or exclude monitoring of emails sent to specific recipients. The recipients can be a user or a user group. Additionally, you can also choose to exclude an entire domain. All the emails sent to the mail IDs of the excluded domain(s) are not monitored by Nightfall.
Exclusions are evaluated before inclusions
Recipient filters are validated before the sender filters
User-level filters take priority over group-level filters
Domain-level filters, for recipients, have the highest priority
If no filters match, the default action is to scan the email
Important
The following list represents both the order and priority in which filters are evaluated when multiple filters are configured in a policy. Filters higher on the list take precedence over those lower down.
Recipient Domain Exclusions
Recipient Domain Inclusions
Recipient User Exclusions
Sender User Exclusions
Sender Group Exclusions
Recipient User Inclusions
Sender User Inclusions
Sender Group Inclusions
Default to scan all emails, if no other filters apply
Now, let's take a look at an example scenario to describe the behavior.
Example Scenario:
A marketing team member (sender@company.com) sends an email to:
Let's examine how different filter configurations would affect this email:
Recipient Domain Exclusions:
If configured: external-partner.com is excluded
Result: Email will still be scanned because not all recipients are in the excluded domain.
Recipient Domain Inclusions:
If configured: external-partner.com is included
Result: Email will be scanned given one of the domain is included.
Recipient User Exclusions:
If configured: ceo@company.com is excluded
Result: Email will still be scanned because not all recipients are excluded.
Sender User Exclusions:
If configured: sender@company.com is excluded
Result: Email won't be scanned, regardless of recipients.
Sender Group Exclusions:
If configured: Marketing group is excluded
Result: Email won't be scanned if sender is in the Marketing group.
Recipient User Inclusions:
If configured: team@company.com is included
Result: Email will be scanned because at least one recipient is included.
Sender User Inclusions:
If configured: sender@company.com is included
Result: Email will be scanned due to sender inclusion.
Sender Group Inclusions:
If configured: Marketing group is included
Result: Email will be scanned if sender is in the Marketing group.
Default to scan all emails:
If no other filters apply, the email will be scanned.
Notes:
The first matching filter as per the priority listed above determines if the email is scanned.
For recipient-based filters, ALL recipients must match for exclusions, but ANY match triggers inclusions such that the email is scanned.
This priority order ensures that the most specific and restrictive rules are applied first, allowing for precise control over email scanning while maintaining a clear hierarchy for conflict resolution when multiple filters are in place.
The Senders section is used to configure specific email IDs that must be monitored or excluded from monitoring. The mail IDs of individual users and user group mail IDs can be configured.
To configure the Sender section, you must select the Sender option by clicking the Add Filter drop-down menu.
Once you select the Sender option, you can configure Users and User groups.
Monitor all: Select this option to monitor all the emails sent by users whose data was synced from an IdP through the Directory Sync feature.
Monitor specific: Select this filter to monitor all the emails being sent by specific user(s). Once you select this option, you must also select specific user(s) from the search bar. Nightfall populates the name and email IDs of all the users whose data was synced from an IdP through the Directory Sync feature. You must select the required users' mail IDs. All the emails sent by selected users are monitored by Nightfall for sensitive data.
Monitor all, except: Select this filter to exclude user(s). Emails sent by the excluded users are not monitored by the policy. Once you select this option, you must also select specific user(s) from the search bar. Nightfall populates the name and email IDs of all the users whose data was synced from an IdP through the Directory Sync feature. You must select the required user groups. The emails sent by selected users are not monitored by Nightfall.
Monitor all: Select this option to monitor all the emails sent by users whose data was synced from an IdP through the Directory Sync feature.
Monitor Specific: Select this option to monitor all the emails being sent from specific user group mail IDs. Nightfall populates the name and email IDs of all the user groups whose data was synced from an IdP through the Directory Sync feature. You must select the required user group mail IDs. All the emails sent from the selected user group mail IDs are monitored by Nightfall for sensitive data.
Monitor all, except: Select this option to exclude user group(s). Emails sent from the excluded user group mail IDs are not monitored by the policy. Once you select this option, you must also select specific user group(s) from the search bar. Nightfall populates the name and email IDs of all the user groups whose data was synced from an IdP through the Directory Sync feature. You must select the required user groups. The emails sent from the selected user group mail IDs are not monitored by Nightfall.
The Recipients and Domains section allows you to monitor or exclude monitoring of emails sent to specific recipients. Additionally, you can also exclude monitoring of an entire domain.
You can perform the following operations on the recipients section:
Monitor emails sent to specific recipients. Recipients can be internal/external or users/user groups.
Exclude monitoring of emails sent to specific recipients. Recipients can be internal/external or users/user groups.
Include or exclude monitoring of all the mails sent to the email IDs of a specific domain.
To configure the Recipient section, you must select the Recipients option by clicking the Add Filter drop-down menu.
Once you select the Recipient option, you must configure the internal and external Recipients, and the Domains sections.
Only Include: Select this option to monitor emails sent to specific recipient email IDs which are generally part of your organization. The email IDs can belong to a user or a user group. Once you select this option, you must also select specific users or group(s) from the search bar. Nightfall populates the name and email IDs of all the users and user groups whose data was synced from an IdP through the Directory Sync feature. You must select the required user(s) and user group(s). All the emails sent to the selected user or user group email IDs are monitored by Nightfall for sensitive data.
Exclude: Select this option to exclude the monitoring of emails sent to specific recipient email IDs. The email IDs can belong to a user or a user group. Once you select this option, you must also select specific users or group(s) from the search bar. Nightfall populates the name and email IDs of all the users and user groups whose data was synced from an IdP through the Directory Sync feature. You must select the required user(s) and user group(s). All the emails sent to the selected user or user group email IDs are not monitored by Nightfall for sensitive data.
Only Include: Select this option to monitor emails sent to specific external recipient email IDs. The email IDs can belong to a user or a user group. Once you select this option, you must also enter the email ID of users or group(s) and hit the enter key. All the emails sent to the external user or user group email IDs are monitored by Nightfall for sensitive data.
Exclude: Select this option to exclude the monitoring of emails sent to specific external recipient email IDs. The email IDs can belong to a user or a user group. Once you select this option, you must also enter the email ID of users or group(s) and hit the enter key. All the emails sent to the external user or user group email IDs are not monitored by Nightfall for sensitive data.
The Domains section allows you to include or exclude an entire domain from being monitored. All the mails sent to the email IDs of the excluded domain are not monitored by Nightfall. Similarly, all the emails sent to the email ID of the included domain are monitored by Nightfall.
Only Include: Select this option to monitor emails sent to specific domain(s). All the email IDs which belong to the included domain(s) are monitored by Nightfall. Once you select this option, you must also enter the domain name (example contoso.com) and hit the enter key. All the emails sent to email ID(s) that belong to the selected domain(s) are monitored by Nightfall for sensitive data.
Exclude: Select this option to exclude the monitoring of emails sent to specific domain(s). All the email IDs which belong to the excluded domain(s) are not monitored by Nightfall. Once you select this option, you must also enter the domain name (example contoso.com) and hit the enter key. All the emails sent to email ID(s) that belong to the excluded domain(s) are not monitored by Nightfall for sensitive data.
Learn how to configure risk score and name a Nightfall policy created for Gmail.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Choose the Policy risk score. By default the risk score is set to Nightfall Risk Score. You can set it to Custom Risk score, and select one of the risk levels, if required. To learn more about Risk scoring, refer to the document.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click back or click on any specific stage to modify any of the policy configurations.
Click Submit.
Learn how to handle Nightfall Events that were created as a result of sensitive data leak in the Gmail DLP.
When an end user violates a policy in Gmail by sending out an Email with sensitive data, an Event is generated based on the notification settings configured by you in the policy configurations.
This document explains where you can find Events on Gmail policy violations and what actions can be taken.
To view Events in the Nightfall Console:
Click Detection and Response from the left pane.
(Optional) Modify the days filter to view Events prior to last 7 days. By default the Events recorded in the Last 7 Days are displayed.
Apply filters to view only the Gmail Events.
(Optional) To view historic alerts, set the date filter appropriately.
Click on any of the Events to view details of an Event. You may click anywhere in the row of an Event that you wish to inspect. Details will be present via a side panel.
The second section displays details that are source / integration specific and so the details vary from one integration to the other.
In JIRA, you can take actions either from the Event list view page or the Event detail view page. On the Event list view page, you can click the ellipsis menu to view the available list of actions.
On the Event detail view, you can view the applicable actions from the actions section at the bottom.
The list of actions supported for Slack are as follows. Some of these actions are common to other integrations as well.
Copy Event Link: The action copies the link to the Event. You can save or send this link to directly open the Event. This action is available only on the Event detail view.
Ignore: The ignore action flags Nightfall to ignore all the findings in the Event and may be taken if you find the findings false positive. This action marks the Event as resolved and moves it to the Resolved section. You can undo this action.
Acknowledge: You can take this action to notify other users that you have looked into this Event and will take suitable action in future.
Notify Email: This action notifies the end user who added the sensitive data file to the OneDrive about the event, through email.
Notify Slack: This action notifies the end user who added the sensitive data file to the OneDrive about the event, through Slack.
Send to JIRA: This action creates a JIRA ticket for the Event. You can pick a project and Issue type while creating the JIRA ticket and can assign the JIRA ticket to the end-user.
Resolve: This action must be taken when the sensitive data is removed completely. This action resolves the Event.
Learn how to configure the advanced settings section in Nightfall policies created for the Gmail DLP.
This stage allows you to select notification channels if a policy violation occurs. The notification alerts are sent at two levels.
The alert configurations configured in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the Gmail policies, you must configure alerts at the integration level. To learn more about how to configure integration-level policies for the Gmail integration, read .
The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to for steps.
Automated actions allow you to configure automated remediation actions when sensitive data is found in an Email. Nightfall supports two automated actions for Gmail DLP.
Block: The Block action blocks the Email and prevents it from being sent to the recipient. The sender receives a notification email that states that their Email was not sent to the recipient.
Quarantine Email: The quarantine action guarantees the email which has sensitive data. A Nightfall admin can review the quarantined Email to check if data is sensitive and then take a call as to whether the Email must be sent to the recipient or blocked permanently.
Encrypt Email: The encrypt action securely encrypts the contents of the email. When the encryption action is applied a new Event is created in the Nightfall Encryption Events page.
If you enable the encryption action, additionally you can also configure the expiration time for the email. The recipient cannot view the email after the expiration of the time.
If you do not enable any of the automated actions, the Email with sensitive data is sent to the recipient. Nightfall recommends that you enable at least one of the automated actions.
The three automated actions have a priority order which is followed when a conflict arises. The priority order is as follows.
Encryption
Block
Quarantine
If you create three policies and enable the encrypt action in first policy, Block in second policy, and Quarantine in the third policy, and if all of the 3 policies are violated, in this case, the encrypt action is enabled on the violation (and not Block or Quarantine).
Also, if you delete the first policy in which the encrypt action is enabled, and then if both the remaining policies are violated, the Block action is enabled (and not Quarantine).
If you enable all the three actions in a single policy, and if the policy is violated, the encryption action is applied.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
The automation settings allow you to send notifications to end users. You can select one or both the notification methods. You must first turn on the toggle switch to use the automation option. The automation notification channels are as follows
Email: This option sends an Email to the user who sent the email with sensitive data.
Slack: This option sends a Slack message to the Gmail user who sent the email with sensitive data.
End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take, when a violation is detected on their Gmail Emails. You must turn on the toggle switch to use this option. End-users receive the remediation actions in an Email as an action item. The available actions in that Email depend upon the actions that you select in this section. The various available remediation actions for end-users are as follows.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
Report as False Positive: This option allows end users to report false positive alerts.
When end-users report alerts as false positive, you can choose the resolution method to be either Automatic or manual.
If end-users do not take any remediation action, you can set the frequency at which they must receive the notifications to take action.
Once you filter the Events to view only the Slack Events, you can refer to the section to learn more about the available options.
The side panel (or the Event detail view) is divided into three separate sections. The first section has information about the occurrence of individual findings with a preview. The third section is an activity log for the Event. Both these sections reveal information that is common across all sources/integrations. You can refer to these common sections in the section.
Nightfall allows you to take various action on Events. When you take an action on an Event, the status of the Event changes accordingly. To learn more about Event status, refer to the document.
To view the complete list of actions, applicable to all the integrations, you can refer to the document.
The actions like Encrypt email, Block Email, and Quarantine Email can be configured in the policy settings. To learn more about these actions, click .
If you have configured Email Notification in , Nightfall admins receive the Email notification. This Email allows admins to take actions from within the Email.
If you have configured Email Notification in the Automation section of settings, end users receive an email from Nightfall. This notification allows end users to take remedial actions from within the Email. The available remedial actions depend on the settings configured in the section.
To learn more about how automated actions impact the end-user and Nightfall admin, see .
Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink with the text Nightfall website, you must write < | Nightfall website>.
Learn how to configure the detection rules section in Nightfall policies created for Gmail.
In this section, you can select the Detection rules for the policy and If not already created, you can create detection rules. To learn more about how to configure detection rules, see Configuring Detection Rules.
You can use the search bar to search for a detection rule by its name.
Once the required detection rules are displayed, you can select the required detection rules by ticking the respective check box.
These three options are related to the display of detection rules.
All Detection Rules: This option displays all the available detection rules, irrespective of the detection rule(s) selected.
Selected Detection Rules: This option displays only those detection rules that you have selected.
Unselected Detection Rules: This option displays only those detection rules that you have not selected.
Select the check box(es) of all the detection rules you wish to include in the policy. The policy evaluates only those detection rules that you have selected here. Once you select all the required detection rules, click Next to move to the next stage.
