Nightfall for OneDrive allows you to monitor your files and folders in the Microsoft OneDrive application. You can use this integration to check if any sensitive data exists in your OneDrive account. If sensitive data is found, you can configure appropriate steps to secure your OneDrive.
As a prerequisite to using the Nightfall for OneDrive integration, you must configure the Directory Sync feature in Nightfall. This configuration fetches the details of users in your Azure Entra account and the default OneDrives associated with each user, which Nightfall can then monitor. To learn more about configuring the Directory Sync feature, you can refer to this document.
Once you set up the Directory Sync feature, you must configure the OneDrive app. The steps are as follows.
Navigate to Microsoft 365 integration under My Integrations.
Click + Add Tenant.
Click Connect to initiate the authentication of your Microsoft Azure Entra account.
Enter your Azure login credentials.
Click Accept.
Ensure that the Teams check box is selected. If you wish to use Microsoft for OneDrive, you can also select the check box for OneDrive.
Click Save Changes.
Click Finish.
You can see that the apps selected in step 6 (Teams, OneDrive) are now connected.
If you have not connected either the OneDrive or the Teams application in step 6, the Connect button is displayed against the app. You can click the Update App Selection button to connect to the app.
Learn how you can select the OneDrive integration while creating a Nightfall policy.
In this stage, you select the Integration for which the policy is created. In this case, the OneDrive integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Sensitive Data.
Select the OneDrive integration.
Learn how to configure the detection rules section in Nightfall policies created for Microsoft OneDrive.
In this section, you can select the detection rules for the policy. If the required detection rules are not already created, you can create them. To learn more about how to configure detection rules, see Configuring Detection Rules.
You can use the search bar to search for a detection rule by its name.
Once the required detection rules are displayed, you can select the required detection rules by ticking the respective check box. When you select any detection rule, you can view three options.
These three options are related to the display of detection rules.
All Detection Rules: This option displays all the available detection rules, irrespective of the detection rule(s) selected.
Selected Detection Rules: This option displays only those detection rules that you have selected.
Unselected Detection Rules: This option displays only those detection rules that you have not selected.
Select the check box(es) of all the detection rules you wish to include in the policy. The policy evaluates only those detection rules that you have selected here. Once you select all the required detection rules, click Next to move to the next stage.
Learn how to configure OneDrive policies
DLP policies are a set of rules that include specific conditions, actions, and exceptions that monitor and filter data. DLP policies also enable you to remediate any leakage of sensitive information from within your organization.
You can set up policies to scan data that is sent through some or all applications within your organization.
You can configure policies and choose to not apply them all the time.
Before you define a policy or a set of policies, we recommend that you define the objectives of each policy, which can then be fulfilled when you configure the policy.
Here are a few important questions to ask before configuring your policies:
What data do you plan to monitor?
Where within the organization do you want to monitor?
What should be the scope of each policy?
What conditions must apply for the policy to match?
What exceptions/exclusions can be allowed?
What remediation actions should the policy take?
You can now configure policies on the OneDrive integration to determine which repositories are monitored, and which ones are excluded from monitoring. You can also automate the remediation actions that you want Nightfall to perform on a policy violation.
The process of creating policies in Nightfall consists of six stages, listed as follows.
Learn how to configure the scope section in Nightfall policies created for Microsoft OneDrive.
In this stage, you must select the tenant and the files of your OneDrive that must be monitored.
To configure Scope, click + Add Tenant and select a tenant.
Once you select the tenant, you must select which drives in the selected tenant must be monitored by Nightfall. You make this selection in the Include in monitoring section.
To monitor all the drives in your OneDrive, you must select the All OneDrives option.
Within your drives, files have different types of permission sets. Nightfall allows you to select files with specific permission types to be monitored. You can select the respective check box to monitor files with specific permission sets. To monitor all the files, irrespective of the permission, select Access for all.
Check this Microsoft document to learn more about file and folder permissions in OneDrive.
In this section, you can select the special folders to be monitored. You can select the check box for the respective special folder to include it in monitoring. To select all the special folders, click Select All.
Check this Microsoft document to learn more about special folders in OneDrive.
To monitor drives specific to a user or group, you must select the Selected OneDrives option.
Select the drives of the users and groups that must be monitored.
The scan-documents-with-permissions and include-special-folders configurations are the same as described for selecting all drives.
When you select the All OneDrives option, all the files and folders in your OneDrive are selected for monitoring. However, you can configure the exclusion section to skip some files and folders from being monitored. The exclusion section is optional and you can skip it if you wish to monitor all the drives. The exclusion section is not applicable if you select the Selected OneDrives option in the Inclusion section.
Nightfall provides four options to configure exclusions.
In this option, you can directly select the individual or group OneDrives to be excluded from being scanned.
In this option, you can select the labels to be excluded from being monitored. Currently, Nightfall supports only the sensitivity labels. Click here to learn more about the sensitivity labels. This option is in Beta because the Microsoft API used in this option is itself in Beta.
In this option, you can enter the folder paths to be excluded. All the files and folders in the folder path are excluded from being scanned. The folder paths must be relative to the base of OneDrive.
The following points must be considered while using this option.
All the input paths must begin with a forward slash (/).
You cannot exclude only the root folder. That is, you cannot enter just a forward slash in the Folder paths field. A valid folder path must follow the forward slash.
You must specify the complete folder path in the Folder paths field and end it with a forward slash. If you enter /doc in the folder path, all the folders beginning with doc, such as /doc, /docs, /documents, /doc1, and so on, are excluded. To exclude only the doc folder, you must enter /doc/ in the Folder paths field.
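The following added example (not Nightfall's code) models the folder-path rules above so that an exclusion list can be reviewed for unintended scan gaps before it is entered. It assumes the exclusion is a plain, case-sensitive prefix match on the path relative to the OneDrive base; the function names and the sample inventory are constructed for illustration.

```python
# Added example: models the documented exclusion semantics as a plain,
# case-sensitive prefix match (an assumption; not Nightfall's implementation).

def check_exclusion_path(path):
    """Return (errors, warnings) for one Folder paths entry."""
    errors, warnings = [], []
    if not path.startswith("/"):
        errors.append("must begin with a forward slash")
    if path.strip("/") == "":
        errors.append("the root folder alone cannot be excluded")
    elif not path.endswith("/"):
        warnings.append(
            "no trailing slash: also excludes sibling folders sharing this prefix"
        )
    return errors, warnings


def is_excluded(file_path, exclusions):
    """True if file_path (relative to the OneDrive base) falls under any exclusion."""
    return any(file_path.startswith(e) for e in exclusions)


def unintended_exclusions(exclusion, file_paths):
    """Files skipped by `exclusion` that its trailing-slash form would still scan."""
    strict = exclusion if exclusion.endswith("/") else exclusion + "/"
    return [
        p for p in file_paths
        if p.startswith(exclusion) and not p.startswith(strict)
    ]


# Constructed sample inventory of file paths relative to the OneDrive base.
SAMPLE_FILES = [
    "/doc/readme.txt",
    "/docs/payroll.xlsx",
    "/documents/contracts/nda.pdf",
    "/doc1/keys.txt",
    "/finance/q3.xlsx",
]

if __name__ == "__main__":
    for entry in ["/doc", "/doc/", "/", "doc/"]:
        errors, warnings = check_exclusion_path(entry)
        print(repr(entry), "errors:", errors, "warnings:", warnings)
    # Files that silently drop out of monitoring when "/doc" is entered
    # instead of "/doc/".
    print(unintended_exclusions("/doc", SAMPLE_FILES))
```
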
In this option, you can select the file extensions. All the files with the selected extension are excluded from being scanned.
Learn how to configure integration level alerts in Nightfall for OneDrive.
The Nightfall for OneDrive integration supports the configuration of alerts at the policy level and the integration level. Alerts can be sent in OneDrive to the following alert destinations.
When you configure alert settings at the integration level, the alert settings apply to all the policies created for the OneDrive integration. However, when you configure alert settings for a specific policy created in the OneDrive integration, the alert settings apply only to that policy.
You can configure alerts at the integration level once you have installed the Nightfall for OneDrive DLP integration.
To configure alerts at the integration level:
Navigate to the Microsoft 365 integration.
Scroll down to the OneDrive Alerting section.
You can configure one or multiple alert channels.
To configure Slack as an alert channel, click + Slack channel.
In the Slack alert channel field, enter the name of the Slack channel in which you wish to receive the alerts.
Click Save.
A confirmation pop-up box is displayed to confirm if the Slack channel (entered in the second step) must be used only for OneDrive DLP integration or all the Nightfall integrations.
Select No, only integration level to use the Slack channel only for OneDrive DLP, or select Yes, please to use the selected Slack channel for all the Nightfall integrations.
Click + Microsoft Teams.
The Team and Channel drop-down menus are displayed.
Select the required team and/or channel to which the notifications must be sent.
Click Save.
Click + Email.
Enter the Email ID of the recipient who should receive the notifications.
Click Save.
A confirmation pop-up box is displayed to confirm if the Email ID (entered in the second step) must be used only for OneDrive DLP integration or all the Nightfall integrations.
Select No, only integration level to use the Email ID only for OneDrive DLP, or select Yes, please to use the selected Email ID for all the Nightfall integrations.
Click + Webhook.
Enter the Webhook URL.
Click Test. If the test result is not successful, check the Webhook URL.
(Optional) Click Add Header to add headers.
Click Save.
When you configure alerts to a Webhook, Nightfall AI sends occasional posts:
To validate that the Webhook is properly configured before the policy is saved.
Periodically thereafter to ensure that the Webhook is still valid.
The response to the test Webhooks is a 200 status code if successful.
An example of Webhook request is as follows.
This is part of alert event consumption and can be ignored.
Click + Jira Ticket.
Select a JIRA project from the Jira Project drop-down menu.
Select an issue type from the Issue Type drop-down menu.
(Optional) Add comments to be added in the JIRA ticket.
Click Save changes.
A confirmation pop-up box is displayed to confirm if the JIRA settings configured for the OneDrive DLP integration must be applied to all the other Nightfall integrations too.
Select No, only integration level to use the configurations only for OneDrive DLP, or select Yes, please to use the selected JIRA configurations for all the Nightfall integrations.
When an Event is triggered, Nightfall sends a notification to the end-user whose actions triggered the Event. While notifying the end-user, Nightfall also sends a text message. You can draft the text message to be sent to the end-user. This message applies to all the policies. Click Save changes once done.
Learn how to configure the advanced setting section in Nightfall policies created for Microsoft OneDrive.
This stage allows you to select notification channels if a policy violation occurs. The notification alerts are sent at two levels.
This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.
The alert configurations configured in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the OneDrive policies, you must configure alerts at the integration level. To learn more about how to configure integration-level policies for the OneDrive integration, read .
The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to for steps.
Automated actions allow you to configure automated remediation actions when sensitive data is found in OneDrive. Nightfall supports the following automated actions for OneDrive DLP.
Restrict to Owner: This action suspends the current file permissions and restricts the access of the file only to its owner.
Delete Document: The action permanently deletes the file from OneDrive.
Move to Recycle Bin: This action deletes the file from OneDrive. Users can recover the file from OneDrive's recycle bin.
To enable the automated actions you must turn on the respective toggle switch.
You can also set the timeframe as to when an automated action must be implemented. You can choose to implement the action immediately after discovering sensitive data or after some time has elapsed.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
The automation settings allow you to send notifications to end users. You can select one or both the notification methods. You can select either Email, Teams, or Slack as an automated notification method to notify the end-users. You must select the respective check box to use the notification method. You must first turn on the toggle switch to use this option.
End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take when a violation is detected on their OneDrive files. You must turn on the toggle switch to use this option. End-users receive the remediation actions as an action item in an email, in the selected Slack channel, or as a Teams message. The available actions in that Email depend upon the actions that you select in this section. The various available remediation actions for end-users are as follows.
Report as False Positive with Business Justification: This action allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
Report as False Positive: This action allows end users to report false positive alerts.
When end-users report alerts as false positive, you can choose the resolution method to be either Automatic or manual.
If end-users do not take any remediation action, you can set the frequency at which they must receive the notifications to take action.
This document explains how to configure alerts at the integration level. To learn about how to configure alerts at the policy level, read .
To use Slack as an alert platform, you must first perform the required Slack configurations. You can refer to to learn more about how to configure Slack as an Alert platform.
To use Webhook as an alert platform, you must first perform the required Webhook configurations. You can refer to to learn more about how to configure Webhook as an Alert platform.
To use JIRA as an alert platform, you must have the DLP for the JIRA app installed from the . You can read more about the DLP for JIRA integration .
To use MS Teams as an alert platform, you must install the MS Teams alert app in your MS Teams application. You can read more about this setup in the document.
Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink with the text Nightfall website, you must write < | Nightfall website>.
Delete File: The action permanently deletes the file from OneDrive. You can use this action here only if it is not enabled in .
Move to Recycle Bin: This action deletes the file from OneDrive. Users can recover the file from OneDrive's recycle bin. You can use this action here only if it is not enabled in .
Restrict to Owner: This action suspends the current file permissions and restricts the access of the file only to its owner. You can use this action here only if it is not enabled in .
Learn how to configure risk score and name a Nightfall policy created for Microsoft OneDrive.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Choose the Policy risk score. By default the risk score is set to Nightfall Risk Score. You can set it to Custom Risk score, and select one of the risk levels, if required. To learn more about Risk scoring, refer to the #risk-scoring document.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click back or click on any specific stage to modify any of the policy configurations.
Click Submit.
Learn how to handle Nightfall Events that were created as a result of sensitive data leak in the Microsoft OneDrive.
When Nightfall detects a violation of one or more OneDrive SDP policies, it reports the violation as an Event. This document describes workflows and options for the OneDrive Events. It is recommended that you read the Nightfall Events Sensitive Data Protection Events document before proceeding further.
To view the Events on the Nightfall console:
Click Detection and Response from the left pane.
Filter the data to view only the OneDrive Events.
(Optional) To view Events prior to the Last 7 days, click on the date filter and choose the appropriate date range or enter a custom date range.
Once you filter the Events to view only the OneDrive events, you can refer to the #event-list-view section to learn more about the available options.
Click on any of the Events to view its details. You may click anywhere in the row of the Event that you wish to inspect. The details are presented in a side panel.
The side panel (or the Event detail view) is divided into three separate sections. The first section has information about the occurrence of individual findings with a preview. The third section is an activity log for the Event. Both these sections reveal information that is common across all sources/integrations. You can refer to these common sections in the #event-detail-view section.
The second section displays details that are source / integration specific and so the details vary from one integration to the other.
Nightfall allows you to take various actions on Events. When you take an action on an Event, the status of the Event changes accordingly. To learn more about Event status, refer to the Event Status document.
In OneDrive, you can take actions either from the Event list view page or the Event detail view page. On the Event list view page, you can click the ellipsis menu to view the available list of actions.
On the Event detail view, you can view the applicable actions from the actions section at the bottom.
To view the complete list of actions, applicable to all the integrations, you can refer to the Applying Actions on Events document.
The list of actions supported for OneDrive are as follows. Some of these actions are common to other integrations as well.
Copy Event Link: The action copies the link to the Event. You can save or send this link to directly open the Event. This action is available only on the Event detail view.
View in OneDrive: This action redirects to the relevant document with sensitive data in the source OneDrive. While this action is available only on the Event detail view, please note that relevant access to the document in source OneDrive should be present.
Download Original Content: This action downloads the original file that contains sensitive data. If the file is deleted or moved to a different location within OneDrive, this action fails. This action is available only on the Event detail view.
Ignore: The ignore action flags Nightfall to ignore all the findings in the Event and may be taken if you find the findings false positive. This action marks the Event as resolved and moves it to the Resolved section. You can undo this action.
Acknowledge: You can take this action to notify other users that you have looked into this Event and will take suitable action in future.
Notify Email: This action notifies the end user who added the sensitive data file to the OneDrive about the event, through email.
Notify Slack: This action notifies the end user who added the sensitive data file to the OneDrive about the event, through Slack.
Notify Teams: This action notifies the end user who added the sensitive data file to the OneDrive about the event, through MS Teams.
Delete File: This action deletes the file containing sensitive data, from OneDrive.
Move to Recycle bin: This action moves the file containing sensitive data, to the OneDrive recycle bin.
Send to JIRA: This action creates a JIRA ticket for the Event. You can pick a project and issue type while creating the JIRA ticket and can assign the JIRA ticket to the end-user.
Restrict to Owner: This action restricts the access of the file containing the sensitive data to only the owner of the file.
Resolve: This action must be taken when the sensitive data is removed completely from the source file. This action resolves the Event.
If you have configured Email Notification in Admin Alerting, Nightfall admins receive the Email notification. This Email allows admins to take actions from within the Email.
If you have configured Email Notification in the Automation section of End user notification settings, end users receive an email from Nightfall. This notification allows end users to take remedial actions from within the Email. The available remedial actions depend on the settings configured in the end user remediation section.