Learn how to configure the detection rules section in Nightfall policies created for Notion.
In this section, you can select the detection rules for the policy. If the detection rules are not already created, you can create them. To learn more about how to configure detection rules, see Configuring Detection Rules.
To select detection rules, select a detection rule from the list of rules that are displayed and then select one of the following options.
All Detection Rules: Select this option to include all the detection rules in the policy.
Selected Detection Rules: Select this option to include in the policy only the detection rule that you selected above.
Unselected Detection Rules: Select this option to include in the policy all the other detection rules that you did not select above.
Learn how to configure the advanced settings section in Nightfall policies created for Notion.
This stage allows you to select the notification channels to use if a policy violation occurs. The advanced settings page consists of the following configurations.
Admin Alerting: This section describes the process of setting alerts for Nightfall administrators when a policy violation is detected.
Automated Actions: This section describes the automated actions that can be taken when a policy violation is detected.
End-User Notification: This section describes the process of setting alerts for end users (a person whose action caused a violation) when a policy violation is detected.
The alerts configured in this section are created at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the Slack policies, you must configure alerts at the integration level. To learn more about how to configure integration-level policies for Slack integration, read this document.
The steps to configure alert channels at the policy level are the same as for integration-level alerts. You can refer to this document for the steps.
This section describes the various actions that Nightfall takes automatically when a violation is detected. You must turn on the toggle switch to enable an action. All the automated actions are permanent and cannot be reversed once applied. You can also set the timeline as to when an action must be taken (immediately after detecting a violation or after some time).
The various automated actions are described as follows.
Redact: This action redacts all the sensitive information found in the content of a Notion page. You can turn on the toggle switch to enable this action. You must also select the timeline as to when this action must be taken after a policy violation is detected. You can either choose to take the action immediately after detecting a violation or after a few minutes, hours, or days.
Delete Attachment: This action deletes any attachments in the Notion pages that contain sensitive information. You can turn on the toggle switch to enable this action. You must also select the timeline as to when this action must be taken after a policy violation is detected. You can either choose to take the action immediately after detecting a violation or after a few minutes, hours, or days.
Mark as Private: This action modifies the status of the Notion page that contains sensitive information. You can either choose to unpublish the webpage or remove guest users from your Notion account, so that no one from outside your organization is able to view sensitive information on your Notion page. You must also select the timeline as to when this action must be taken after a policy violation is detected. You can either choose to take the action immediately after detecting a violation or after a few minutes, hours, or days.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
Custom Message: Enter a custom message to be sent to the end user. This message is sent in an email. You can modify the default message provided by Nightfall and draft your own message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text>. For example, to hyperlink https://www.nightfall.ai with the text Nightfall website, you must write <https://www.nightfall.ai | Nightfall website>.
Automation: You can either select Email, Slack, or both as an automated notification method. You must turn on the toggle switch to use this option. Based on the options selected, end users receive the notification on the email account associated with Zendesk, or on the configured Slack account.
End-User remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take when a violation is detected on their Zendesk ticket. You must turn on the toggle switch to use this option. The various available options are as follows.
Redact: This action redacts all the sensitive information found in the Zendesk ticket's comments. To allow end users to implement this action, you must disable it from the Automated Actions section.
Delete Attachment: This action deletes any attachments in the Zendesk ticket's comments that contain sensitive information. To allow end users to implement this action, you must disable it from the Automated Actions section.
Mark as Private: This action modifies the permission of the comment (on which sensitive information is detected) from public to internal note. To allow end users to implement this action, you must disable it from the Automated Actions section.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be a false positive.
Report as False Positive: This option allows end users to report false positive alerts.
When a Violation is Reported as False Positive: You can use this option to set actions to be taken when a violation is reported as a false positive by the end user. You can either set the remediation to be automatic or manual.
Remind Every (until Violation expires): You can use this option to set a reminder for the end-user to take action on the violation. You can choose to remind the end user every 24, 48, or 72 hours.
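A pre-flight check for the Custom Message field described above, as an added example that is not Nightfall's own code: it enforces the 1000-character limit and parses the <link | text> hyperlink syntax. The function name, the tolerance for whitespace around the pipe, the requirement that the link be an absolute http(s) URL, and counting markup characters toward the limit are assumptions; the sample messages are constructed.

```python
import re
from urllib.parse import urlparse

MAX_LEN = 1000  # character limit stated for the Custom Message field

# One <link | text> token. Whitespace around the pipe is tolerated (assumption).
LINK_RE = re.compile(r"<\s*([^<>|]*?)\s*\|\s*([^<>|]*?)\s*>")


def lint_custom_message(message):
    """Return (links, problems) for a draft end-user notification message."""
    problems = []
    # Assumption: markup characters count toward the limit.
    if len(message) > MAX_LEN:
        problems.append(f"message is {len(message)} characters; limit is {MAX_LEN}")

    links = []
    for match in LINK_RE.finditer(message):
        url, text = match.group(1), match.group(2)
        parsed = urlparse(url)
        # Assumption: a usable link is an absolute http(s) URL.
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            problems.append(f"link target is not an absolute http(s) URL: {url!r}")
        if not text:
            problems.append(f"link {url!r} has no display text")
        links.append((url, text))

    # Angle brackets left over after removing well-formed tokens indicate
    # a link that is missing its pipe or its closing bracket.
    leftover = LINK_RE.sub("", message)
    if "<" in leftover or ">" in leftover:
        problems.append("unbalanced or malformed <link | text> markup")
    return links, problems


# Constructed sample messages.
SAMPLE_OK = ("Sensitive data was found on your Notion page. "
             "See <https://www.nightfall.ai | Nightfall website> for guidance.")
SAMPLE_BAD = ("Read <www.nightfall.ai | > and "
              "<https://www.nightfall.ai Nightfall website> " + "x" * 1000)

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        found, issues = lint_custom_message(sample)
        print(found, issues)
```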
Learn how you can select the Notion integration in a Nightfall policy.
In this stage, you select the Integration for which the policy is created. In this case, the Notion integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Sensitive Data.
Select the Notion integration.
Learn how to handle Nightfall Events that were created as a result of a sensitive data leak in Notion.
When an end user violates a policy in Notion, an Event is generated based on the notification settings configured by you in the policy configurations. To learn more about Events, see Sensitive Data Protection Events.
This document explains where you can find notifications on policy violations and what actions can be taken.
To view the Events in the Nightfall console:
Click Detection and Response from the left pane.
(Optional) Modify the days filter to view Events from before the last 7 days. By default, the Events recorded in the Last 7 Days are displayed.
Apply filters to view only Notion Events.
Once you filter the Events to view only the Notion Events, you can refer to the Event List View section to learn more about the available options.
Click on any of the Events to view details of an Event. You may click anywhere in the row of an Event that you wish to inspect. The details are presented in a side panel.
The side panel (or the Event detail view) is divided into three separate sections. The first section has information about the occurrence of individual findings with a preview. The third section is an activity log for the Event. Both these sections reveal information that is common across all sources/integrations. You can refer to these common sections in the Event Detail View section.
The second section displays details that are source / integration specific and so the details vary from one integration to the other.
Nightfall allows you to take various actions on Events. When you take an action on an Event, the status of the Event changes accordingly. To learn more about Event status, refer to the Event Status document.
In Notion, you can take actions either from the Event list view page or the Event detail view page. On the Event list view page, you can click the ellipsis menu to view the available list of actions.
On the Event detail view, you can view the applicable actions from the actions section at the bottom.
To view the complete list of actions, applicable to all the integrations, you can refer to the Applying Actions on Events document.
The list of actions supported for Notion are as follows. Some of these actions are common to other integrations as well.
Copy Event Link: The action copies the link to the Event. You can save or send this link to directly open the Event. This action is available only on the Event detail view.
View in Notion: This action redirects to the sensitive data in the source Notion page. This action is available only on the Event detail view, and you must have the relevant access to the source of the sensitive data in Notion.
Ignore: The ignore action instructs Nightfall to ignore all the findings in the Event and may be taken if you find the findings to be false positives. This action marks the Event as resolved and moves it to the Resolved section. You can undo this action.
Acknowledge: You can take this action to notify other users that you have looked into this Event and will take suitable action in the future.
Notify Email: This action notifies the end user who added the sensitive data file to the OneDrive about the event, through email.
Notify Slack: This action notifies the end user who added the sensitive data file to the OneDrive about the event, through Slack.
Send to JIRA: This action creates a JIRA ticket for the Event. You can pick a project and Issue type while creating the JIRA ticket and can assign the JIRA ticket to the end-user.
Redact: This action redacts the sensitive data present in the Notion page.
Remove Access: This action removes the page from the web and/or removes guest access to the page.
Delete Attachment: This action deletes the sensitive data present in the attachments of a Notion page.
Resolve: This action must be taken when the sensitive data is removed completely. This action resolves the Event.
If you have configured Email Notification in Admin Alerting, Nightfall admins receive the Email notification. This Email allows admins to take actions from within the Email.
If you have configured Email Notification in the Automation section of End user notification settings, end users receive an email from Nightfall. This Email allows end users to take actions from within the Email.
If you have selected Slack as an End-user remediation channel, end-users can perform the above tasks from Slack as well.
Learn how you can create policies for the Nightfall DLP for Notion.
DLP policies are a set of rules that include specific conditions, actions, and exceptions that monitor and filter data. These policies also enable you to remediate any leakage of sensitive information from within your organization.
You can set up policies to scan data that is sent through some or all applications within your organization.
You can configure policies and choose to not apply them all the time.
Before you define a policy, or a set of policies, we recommend that you define the objectives of each policy, which can then be fulfilled when you configure the policy.
Here are a few important questions to ask before configuring your policies:
What data do you plan to monitor?
Where within the organization do you want to monitor?
What should be the scope of each policy?
What conditions must apply for the policy to match?
What exceptions/exclusions can be allowed?
What remediation actions should the policy take?
You can now configure policies on the Notion integration to determine which instances and files must be monitored, and which ones excluded. You can also automate the remediation actions that you want Nightfall to perform on a policy violation.
You can now set up policies on Nightfall that will be applied on the Notion integration, and monitor data on Notion for policy violations.
The following documents help you create Policies specifically for the Notion integration.
Learn how to configure risk score and name a Nightfall policy created for the Notion DLP.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Choose the Policy risk score. By default, the risk score is set to Nightfall Risk Score. You can set it to Custom Risk score, and select one of the risk levels, if required. To learn more about risk scoring, refer to the Risk Scoring document.
Click Next.
Verify that all the policy configurations are set up as per your requirements.
(Optional) Click back or click on any specific stage to modify any of the policy configurations.
Click Submit.