Deletes a message that violates a policy
Nightfall can delete the entire message that violates a configured policy. This remediation action is very useful for serious policy violations that risk data exposure and non-compliance.
Each time Nightfall detects a policy violation in any message in Slack channels that it is monitoring, the message can be deleted automatically if it is configured as an automated action. If you have selected both Notify and Delete as automated actions, Nightfall will notify the end-user as well as delete the violating message.
A shared Slack channel is a channel that is shared by two different Slack workspaces (basically shared Slack channels are used to collaborate with users outside of your organization). If an external user posts sensitive data on a shared Slack channel, Nightfall cannot delete this data since it is owned by a user who is not part of your Slack workspace.
Learn how Nightfall can remediate data exposure risks in Slack
Sensitive data like personal information or credentials can pose a large risk when found in Slack messages. Read our guide to remediating these DLP risks in Slack.
Nightfall’s Slack integration offers the ability to set up automated remediation workflows. In general, we recommend that before setting up automated remediation workflows, you first test detection while leveraging manual workflows. Once you’ve optimized detection and identified key patterns in the types of violations and required remediation action, you can automate the process.
Slack alerts on violations in real-time, and remediation actions can be taken from within the Slack interface, via Email or via the Nightfall console. Manual Slack remediation options will appear as options within the violation alert, and include:
Notify the end user.
Delete the violation.
Redact message - will replace the message with a set of ** characters, aside from the first few characters. Supported with Nightfall for Slack Enterprise plan only. Supported only on messages and not on images/files.
Quarantine - the violation places the violation in the Content channel and the Quarantine channel. Supported with Nightfall for Slack Enterprise plan only.
Redaction is a remediation action for messages within Slack.
When Nightfall detects a violation, and you have configured it to redact the violation,
The original message in the respective DM or channel is edited with an attachment of the redacted message.
All characters in the message, except the first two, are masked with special characters.
You can redact all messages in DMs, as well as for Private and Public channels. Redaction as a remediation action displays all violations in Slack.
As an example, a message like this:
This is a credit card 1111-11111-1111” will be redacted and displayed as an attachment in the original message with “Your message has been redacted as it potentially contained sensitive information.
This is a credit card 11****************.
Nightfall cannot redact deleted or quarantined messages. User activities are generated every time a message is redacted similar to all other remediation actions.
Note: Files and images scanned in Slack are not supported for redaction.
Notifies users whose messages violate a policy
Nightfall allows you to customize notifications sent via Slack. You can do so by navigating to the Slack settings tab in the console. Edit the customize end-user notifications section and you can specify your organization's security policy to coach end-users on acceptable use of sensitive data.
If you have enabled Slack as a notification option in the #automation section, end users receive a Slack notification about the violation caused by their messages. Additionally, if you have also enabled#end-user-remediation actions, the end-user who sent a message with sensitive data can take remediation action by themselves. The remediation actions are available at the end of the Slack message. The available remediation actions depend on the settings configured by Nightfall admins in the #end-user-remediation section.
The following image displays the Slack notification message sent to end-user with remediation actions at the end of the message.
If you have enabled Email as a notification option in the #automation section, end users receive an Email notification about the violation caused by their messages. Additionally, if you have also enabled#end-user-remediation actions, the end-user who sent a message with sensitive data can take remediation action by themselves. The remediation actions are available at the end of the Email message. The available remediation actions depend on the settings configured by Nightfall admins in the #end-user-remediation section.
The following image displays the Email notification message sent to end-user with remediation actions at the end of the message.
If you have enabled admin notifications in the #admin-alerting section, the Nightfall admins receive a Slack notification as shown in the following image. Nightfall admins can themselves take actions or notify the end users about the violation. The actions available for a Nightfall admin are totally different from those available to an end-user and do not depend on the settings configured in the #end-user-remediation section.
The following image displays the notification sent in Slack to a Nightfall admin.
Isolates violated messages for further review by the sender
When Nightfall detects a violation, and you have configured it to quarantine the violation,
The content of the message is sent to the #nightfall-content-slack channel.
The original message is replaced with a tombstone message, indicating that the original message is no longer available.
The channel that will receive the alert messages for policy violations from is #nightfall-alerts-slack.
Messages that are quarantined, alerts are sent to the #nightfall-quarantine-slack channel.