Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Learn the process of selecting the Slack Enterprise integration while creating a Nightfall policy.
In this stage, you select the Integration for which the policy is created. In this case, the Slack integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Sensitive Data.
Select the Slack integration.
Learn the process of selecting detection rules while creating a Nightfall policy for the Slack Enterprise edition.
In this section, you can select the Detection rules for the policy and If not already created, you can create detection rules. To learn more about how to configure detection rules, see Configuring Detection Rules.
To select detection rules, select the detection rules from the list of rules that display.
You can also sort the rules that you want to view.
All Detection Rules: View all detection rules created
Selected Detection Rules: View detection rules that are selected and mapped to this policy
Unselected Detection Rules: View detection rules that are neither selected nor mapped to this policy.
Click Next.
Learn how to handle Nightfall Events that were created as a result of sensitive data leak in the Slack Enterprise.
When an end user violates a policy in Slack, an Event is generated based on the notification settings configured by you in the policy configurations. To learn more about Events, see Sensitive Data Protection Events.
This document explains where you can find notifications on Slack policy Events and what actions can be taken.
To view the Events on the Nightfall Console:
Click Detection and Response from the left pane.
(Optional) Modify the days filter to view Events prior to last 7 days. By default the Events recorded in the Last 7 Days are displayed.
Apply filters to view only the Slack Events.
Once you filter the Events to view only the Slack Events, you can refer to the #event-list-view section to learn more about the available options.
Click on any of the Events to view details of an Event. You may click anywhere in the row of an Event that you wish to inspect. Details will be present via a side panel.
The side panel (or the Event detail view) is divided into three separate sections. The first section has information about the occurrence of individual findings with a preview. The third section is an activity log for the Event. Both these sections reveal information that is common across all sources/integrations. You can refer to these common sections in the #event-detail-view section.
The second section displays details that are source / integration specific and so the details vary from one integration to the other.
Nightfall allows you to take various action on Events. When you take an action on an Event, the status of the Event changes accordingly. To learn more about Event status, refer to the Event Status document.
In Slack, you can take actions either from the Event list view page or the Event detail view page. On the Event list view page, you can click the ellipsis menu to view the available list of actions.
On the Event detail view, you can view the applicable actions from the actions section at the bottom.
To view the complete list of actions, applicable to all the integrations, you can refer to the Applying Actions on Events document.
The list of actions supported for Slack are as follows. Some of these actions are common to other integrations as well.
Copy Event Link: The action copies the link to the Event. You can save or send this link to directly open the Event. This action is available only on the Event detail view.
View in Slack: This action redirects to the sensitive data in the source Slack account. While this action is available only on the Event detail view, please note that relevant access to the source of sensitive data in Slack should be present.
Ignore: The ignore action flags Nightfall to ignore all the findings in the Event and may be taken if you find the findings false positive. This action marks the Event as resolved and moves it to the Resolved section. You can undo this action.
Acknowledge: You can take this action to notify other users that you have looked into this Event and will take suitable action in future.
Notify Email: This action notifies the end user who added the sensitive data file to the OneDrive about the event, through email.
Notify Slack: This action notifies the end user who added the sensitive data file to the OneDrive about the event, through Slack.
Send to JIRA: This action creates a JIRA ticket for the Event. You can pick a project and Issue type while creating the JIRA ticket and can assign the JIRA ticket to the end-user.
Quarantine: This action quarantines the message with sensitive data. Click here to learn more about the action.
Redact: This action redacts the sensitive data present in the Slack message. Click here to learn more about the action.
Delete: This action deletes the sensitive data present in Slack messages or attachments.
Resolve: This action must be taken when the sensitive data is removed completely. This action resolves the Event.
When a data leak occurs, Slack sends an Email to end users, if they have configured Email as a Notification method in their Slack account.
Additionally, if you have configured Email Notification in Admin Alerting, Nightfall admins receive the Email notification. The emails admin. receive looks as follows.
If you have configured Email Notification in the Automation section of End User Notificationsettings, end users receive an email from Nightfall. This Email allows end users to take actions from within the Email. The actions are present at the end of the email. The available actions depend on the settings configured by you admin in the End User Notification section.
If you have configured Slack as a Notification in the Automation section of End User Notification, end users can view the violation notification from within Slack.
Learn the process of configuring automated actions while creating a Nightfall policy for the Slack Enterprise edition.
This section describes the various actions that Nightfall takes automatically when a violation is detected. You must turn on the toggle switch to enable an action. You can also set the timeline as to when an action must be taken (immediately after detecting a violation or after some time).
Currently, Nightfall supports the Delete, Quarantine, and Redact automated actions for the Slack enterprise edition. The three actions are mutually exclusive. You can only configure one of the three actions in a policy.
You must first turn on the toggle switch to enable any of the automated actions.
Once you enable the toggle switch, you can configure when the action must be applied.
If you select immediately, the action is implemented automatically after the sensitive data is detected.
If you select After, you must also set the time frame as to when exactly the action must be applied, after detecting the sensitive data.
The available actions are described as follows.
The delete action automatically deletes the message or attachment that has sensitive data. This is a permanent action and cannot be reverted.
The Redact action replaces the sensitive data with an asterisk, except for the first two characters. This is a permanent action and cannot be reverted.
When a message is quarantined, there is a new message in the quarantine alert channel (nightfall-quarantine-slack
by default). This channel notifies that a new quarantine message is generated. The actual message or attachment is deleted from the original channel and added to the quarantine content channel (nightfall-content-slack
by default). When a Slack message is Quarantined, Slack Workspace administrator must review the Quarantined messages and take one of the following actions:
Accept: If the message is accepted in the notification quarantine channel (nightfall-quarantine-slack
by default), it is deleted from the content channel (nightfall-content-slack
by default) and sent to the original recipient channel.
Reject: If the message is rejected from the notification quarantine channel (nightfall-quarantine-slack
by default), it is deleted forever from the content channel (nightfall-content-slack
by default).
Learn the process of creating of Nightfall policies for the Slack Enterprise edition.
DLP policies are a set of rules that include specific conditions, actions, and exceptions that monitor and filter data. DLP policies help you to monitor and remediate the flow of sensitive data within your organization. Depending on your Nightfall policy configuration, you can set up policies to monitor data that is sent through some or all applications within your organization. You can configure policies and choose to not apply them all the time.
Before you define a policy, or a set of policies, you must define the objectives of each policy, which can then be fulfilled when you configure the policy. Here are a few important questions to ask before configuring your policies:
• What data do you plan to monitor?
• Where within the organization do you want to monitor?
• What should be the scope of each policy?
• What conditions must apply for the policy to match?
• What exceptions/exclusions can be allowed?
• What remediation actions should the policy take?
You can now set up policies to determine which Slack channels are monitored (and which are excluded) for violations and what actions Nightfall must take. Policies determine the content that will be scanned by Nightfall, and workflows that are followed to manage violations.
Policies for Slack integration allow you to define configurations specific to Slack, such as how to handle messages for particular channels or use automated actions such as Quarantine.
Creating a Nightfall policy involves the following tasks:
Create Policies
Define the policy scope and exclusions
Configure Detection Rule
Configure Automated Actions
Note: Instructions to configure policies differ for Slack Pro and Slack Enterprise options. Refer to the Slack tier that you are using.
Learn the process of configuring the Risk Score and naming the policy while creating a Nightfall policy for the Slack enterprise edition.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Choose the Policy risk score. By default the risk score is set to Nightfall Risk Score. You can set it to Custom Risk score, and select one of the risk levels, if required. To learn more about Risk scoring, refer to the #risk-scoring document.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click back to modify any of the policy configurations.
Click Submit.
Learn the process of configuring the Scope section while creating a Nightfall policy for the Slack Enterprise edition.
This document explains how to set up the Policy Scope for the Slack Enterprise edition. If you are using a Slack Slack Pro or Slack Business+ editions, you must refer to this document.
The Scope stage allows you to select Slack Channels, Connections, and Direct Messages (DMs) which must be scanned by the policy.
You must add the Nightfall Pro Slack application to all the channels that you wish to scan with Nightfall.
The Scope page allows you to set the Scope for one of the following entities.
Workspaces: Select the Workspaces radio button to configure the scope at the Workspace level. If you select the Workspace option, you can configure the Workspaces to be included in the scope. Within the Workspaces, you can choose to monitor specific types of Channels and Connections. Finally, you can also add filters to zero down on specific users, groups, channels, and apps.
Specific Channel(s): Select the Specific Channel(s) radio button to monitor only specific Slack channels. Once you select the required Slack channels, you can add filters on the selected channels to monitor only specific users, groups, or apps.
In the Workspaces section, you must first select the Slack Workspaces to be monitored by the policy.
You can choose to monitor the following. You must select the check box for the channel type to be monitored.
Public Channel: Select this option to monitor all the messages sent by users in all the public Slack channels of the selected workspace(s).
Private Channel: Select this option to monitor all the messages sent by users in all the private Slack channels of the selected workspace(s).
Direct Messages: Select this option to monitor all the direct messages exchanged between users in the selected workspace(s).
Public Connect Channel: Select this option to monitor all the messages sent by users in all the public Slack connect channels of the selected workspace(s).
Private Connect Channel: Select this option to monitor all the messages sent by users in all the private Slack connect channels of the selected workspace(s).
Direct Messages: Select this option to monitor all the direct messages exchanged between users in the selected workspace(s).
The Filters section provides you an added level of granularity in setting the Scope. You can use specific filters to filter data based on Users, Groups, or Apps.
Slack policies support filtering based on users, user groups, channels, and apps. These options provide flexible, granular control on whom to apply the monitoring. The Only Include option is very useful to pick specific required users, groups, channels or apps for monitoring. particularly useful for creating broad policies with specific exceptions. Combining user and group options allows for complex, layered access control. The exclude option allows you to exclude the monitoring of unwanted users, user groups, channels, and apps, thus reducing the unwanted noise from secure entities.
Only Include: Only messages sent by selected users are scanned for sensitive data.
Exclude: Messages sent by excluded users are not scanned.
Only Include: Only messages sent by users in included Slack groups are scanned for sensitive data.
Exclude: Messages sent by users in excluded Slack groups are not scanned.
Exclude: Messages sent by users in excluded Slack Channels are not scanned. Enter the channel ID of the channel to be excluded.
Only Include: Only messages sent by included Slack apps are scanned for sensitive data.
Exclude: Messages sent by excluded Slack apps are not scanned.
Nightfall uses prioritization to decide which messages to scan when multiple filters are configured in a policy. The order of priority is:
User Exclusion
User Inclusion
Group Exclusion
Group Inclusion
How it works:
1. Initially, Nightfall checks if the file owner is on the User Exclusion list. If they are, their messages are not scanned, no matter how other filters are configured in a policy.
2. If the user isn't excluded, Nightfall then checks if they're on the User Inclusion list. If they are, all their messages are scanned for that policy.
3. If the user isn't on either the exclusion or inclusion lists, Nightfall looks at group memberships. It checks if the user belongs to any excluded groups. If they do, their messages are not scanned for that policy.
4. Finally, if none of the above apply, Nightfall checks if the user is in any included groups. If they are, their messages are scanned for that policy. If not, the messages are not scanned.
To select specific channels to be scanned, you must first click the Specific channel(s) radio button. You must then enter the Slack channel ID of the channels that you wish to be scanned. To learn more about how to find the Channel ID of a Slack channel, see #view-channel-id.
To view and copy the Channel ID of a Slack channel:
Click the required Slack Channel.
Click the Get channel details button.
Navigate to the bottom and click the Copy channel id button.
The Filters section provides you an added level of granularity in setting the Scope. You can use specific filters to filter data based on Users, Groups, Channels, or Apps.
Slack policies support filtering based on users, user groups, and apps. These options provide flexible, granular control on whom to apply the monitoring. The Only Include option is very useful to pick specific required users, groups or apps for monitoring. particularly useful for creating broad policies with specific exceptions. Combining user and group options allows for complex, layered access control. The exclude option allows you to exclude the monitoring of unwanted users, user groups and apps, thus reducing the unwanted noise from secure entities.
Only Include: Only messages sent by selected users are scanned for sensitive data.
Exclude: Messages sent by excluded users are not scanned.
Only Include: Only messages sent by users in included Slack groups are scanned for sensitive data.
Exclude: Messages sent by users in excluded Slack groups are not scanned.
Only Include: Only messages sent by included Slack apps are scanned for sensitive data.
Exclude: Messages sent by excluded Slack apps are not scanned.
Nightfall uses prioritization to decide which messages to scan when multiple filters are configured in a policy. The order of priority is:
User Exclusion
User Inclusion
Group Exclusion
Group Inclusion
How it works:
1. Initially, Nightfall checks if the file owner is on the User Exclusion list. If they are, their messages are not scanned, no matter how other filters are configured in a policy.
2. If the user isn't excluded, Nightfall then checks if they're on the User Inclusion list. If they are, all their messages are scanned for that policy.
3. If the user isn't on either the exclusion or inclusion lists, Nightfall looks at group memberships. It checks if the user belongs to any excluded groups. If they do, their messages are not scanned for that policy.
4. Finally, if none of the above apply, Nightfall checks if the user is in any included groups. If they are, their messages are scanned for that policy. If not, the messages are not scanned.
Learn the process of configuring advanced settings while creating a Nightfall policy for the Slack Enterprise edition.
This stage allows you to select notification channels if a policy violation occurs. The notification alerts are sent at two levels.
The alert configurations configured in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the Slack policies, you must configure alerts at the integration level. To learn more about how to configure integration-level policies for Slack integration, read .
The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to for steps.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink with the text Nightfall website, you must write < | Nightfall website>.
You can select one of the following methods. You must turn the toggle switch to use this option.
Via Email: This option sends an Email to the End user.
Via Slack: This option sends a Slack notification to the end-user in a pre-configured channel.
End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take, when a violation is detected on their GitHub operations. You must turn on the toggle switch to use this option. The various available options are as follows.
Delete: This option allows the end-user to delete the message that caused the violation.
Redact: This action replaces the sensitive data with an asterisk, except for the first two characters.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
Report as False Positive: This option allows end users to report false positive alerts.
When a Violation is Reported as False Positive: You can use this option to set actions to be taken when a violation is reported as false positive by the end-user. You can either set the remediation to be automatic or manual.
Remind Every (until Violation expires): You can use this option to set a reminder for the end-user to take action on the violation. You can choose to remind the end user every 24, 48, or 72 hours.