Learn how to configure the advanced setting section in Nightfall policies created for Microsoft Teams.
This stage allows you to select notification channels if a policy violation occurs. The notification alerts are sent at two levels.
This section describes the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the MS Teams policies, you must configure alerts at the integration level. To learn more about how to configure integration-level policies for the OneDrive integration, read this document.
The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to this document for steps.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
Custom Message: Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink https://www.nightfall.ai with the text Nightfall website, you must write <https://www.nightfall.ai | Nightfall website>.
Automation: You can select either Email, Teams, or Slack as an automated notification method to notify the end users. You must select the respective check box to use the notification method. You must first turn on the toggle switch to use this option.
The End-user remediation (also known as Human Firewall) section allows you to configure remediation measures that end users can take when a violation is detected on their MS Teams operations. You must turn on the toggle switch to use this option. The various available options are as follows.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
Report as False Positive: This option allows end users to report false positive alerts.
When a Violation is Reported as False Positive: You can use this option to set actions to be taken when a violation is reported as false positive by the end-user. You can either set the remediation to be automatic or manual.
Remind Every (until Violation expires): You can use this option to set a reminder for the end-user to take action on the violation. You can choose to remind the end user every 24, 48, or 72 hours.
Learn how to handle Nightfall Events that were created as a result of a sensitive data leak in Microsoft Teams.
When Nightfall detects a violation of one or more MS Teams policies, it reports the violation as an Event. This document describes workflows and options for the MS Teams Events. It is recommended that you read the Nightfall Events document before proceeding further.
To view the Events in the Nightfall console:
Click Detection and Response from the left pane.
Filter the data to view only the MS Teams Events.
(Optional) To view Events prior to the Last 7 days, click the date filter and choose the appropriate date range, up to a maximum of 180 days.
Click any of the Events to view its details. You can click anywhere in the row of the Event that you wish to inspect. The details are presented in a side panel. Click the ellipsis menu in the right corner or on the violation to view the list of actions that you can take on the violation.
The second section displays details that are source / integration specific and so the details vary from one integration to the other.
In MS Teams, you can take actions either from the Event list view page or the Event detail view page. On the Event list view page, you can click the ellipsis menu to view the available list of actions.
On the Event detail view, you can view the applicable actions from the actions section at the bottom.
The list of actions supported for MS Teams are as follows. Some of these actions are common to other integrations as well.
Copy Event Link: The action copies the link to the Event. You can save or send this link to directly open the Event. This action is available only on the Event detail view.
View in MS Teams: This action redirects to the relevant document with sensitive data in the source MS Teams. This action is available only on the Event detail view. Note that you must have the relevant access to the source message in MS Teams.
Ignore: The ignore action flags Nightfall to ignore all the findings in the Event and may be taken if you find the findings false positive. This action marks the Event as resolved and moves it to the Resolved section. You can undo this action.
Acknowledge: You can take this action to notify other users that you have looked into this Event and will take suitable action in future.
Notify Email: This action notifies the end user who sent the message with sensitive data in MS Teams about the event, through email.
Notify Slack: This action notifies the end user who sent the message with sensitive data in MS Teams about the event, through Slack.
Notify Teams: This action notifies the end user who sent the message with sensitive data in MS Teams about the event, through MS Teams.
Send to JIRA: This action creates a JIRA ticket for the Event. You can pick a project and issue type while creating the JIRA ticket and can assign the JIRA ticket to the end user.
Resolve: This action must be taken when the sensitive data is removed completely from the source file. This action resolves the Event.
When a violation occurs, the end user who triggered the violation receives an Email to their registered Microsoft account. The Email looks as follows.
Learn how to configure the detection rules section in Nightfall policies created for Microsoft Teams DLP.
In this section, you can select the detection rules for the policy. If the rules are not already created, you can create them. To learn more about how to configure detection rules, see .
To select detection rules, select the detection rules from the list of rules that are displayed.
You can also sort the rules that you want to view.
All Detection Rules: View all detection rules created
Selected Detection Rules: View detection rules that are selected and mapped to this policy
Unselected Detection Rules: View detection rules that are neither selected nor mapped to this policy.
Click Next.
Once you filter the Events to view only the MS Teams events, you can refer to the section to learn more about the available options.
The side panel (or the Event detail view) is divided into three separate sections. The first section has information about the occurrence of individual findings with a preview. The third section is an activity log for the Event. Both these sections reveal information that is common across all sources/integrations. You can refer to these common sections in the section.
Nightfall allows you to take various actions on Events. When you take an action on an Event, the status of the Event changes accordingly. To learn more about Event status, refer to the document.
If you have configured Email Notification in , Nightfall admins receive the Email notification. This Email allows admins to take actions from within the Email.
If you have configured Email Notification in the Automation section of settings, end users receive an email from Nightfall. This Email allows end users to take actions from within the Email.
If you have enabled in policy settings, based on the options selected in end-user remediation, end-users can view two options. They can either choose to Remediate in Teams or Report as False Positive. The options to Remediate in Teams or Report as False Positive are displayed in the Email only if you have configured them in the section of the policy.
Learn how to configure a detection policy for Nightfall for Microsoft Teams.
DLP policies are a set of rules that include specific conditions, actions, and exceptions that monitor and filter data. DLP policies also enable you to remediate any leakage of sensitive information from within your organization.
You can set up policies to scan data that is sent through some or all applications within your organization.
You can configure policies and choose to not apply them all the time.
Before you define a policy, or a set of policies, we recommend that you define the objectives of each policy, which can then be fulfilled when you configure the policy.
Here are a few important questions to ask before configuring your policies:
What data do you plan to monitor?
Where within the organization do you want to monitor?
What should be the scope of each policy?
What conditions must apply for the policy to match?
What exceptions/exclusions can be allowed?
What remediation actions should the policy take?
You can now configure policies on the Microsoft Teams integration to determine which tenants and teams must be monitored, and which ones excluded. You can also automate the remediation actions that you want Nightfall to perform on a policy violation.
The following documents help you set up policies on MS Teams.
Learn how to configure the Scope section for Microsoft Teams.
The Scope stage allows you to select an MS Office tenant in which the policy can be created. In the Scope section, you must also choose to monitor one of the following:
the messages exchanged between two users.
the messages exchanged between groups.
The following documents explain the process of configuring the Scope for messages exchanged between two users and the messages exchanged between groups.
Configure Scope for messages exchanged between users
Groups Scope for messages exchanged in Groups.
Learn how you can select the MS Teams integration in a Nightfall policy.
In this stage, you select the Integration for which the policy is created. In this case, the Microsoft Teams integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Sensitive Data.
Select the Microsoft Teams integration.
Learn how to configure the Scope section for personal chats in Microsoft Teams policy.
To monitor the chat messages between individual users, for sensitive data, you must first configure the Directory Sync feature for your Azure Entra account. This configuration gives Nightfall access to the list of users in your Azure account and thus Nightfall can monitor the messages sent between users.
To monitor Chats, you must perform the following.
Configure the Directory Sync feature. Refer to .
Once you complete the configuration, you must perform the steps mentioned in the section of this document.
To Monitor Chat messages:
Enable the toggle switch, if not enabled.
Click Add Tenant and select the tenant to be monitored.
The Add Tenant button is displayed only if your organization has registered multiple M365 tenants with Nightfall. If your organization has registered a single M365 tenant, the tenant is selected by default and you will not see the Add Tenant button.
In the above image, you can see that the first two tenants are greyed out. This implies that the Directory Sync is not configured for these tenants. In such tenants, you can only monitor messages sent in groups and not messages sent between individual users.
For the selected tenant, you must select the users that must be monitored. You can choose to monitor either all the users in the tenant or specific users or group of users.
When you select the Specific user(s) & group(s) option, two new drop-down menus are displayed. These menus allow you to select specific users or groups of users to be monitored.
When you choose to monitor all the users, you may also choose a specific list of users or groups of users to exclude from monitoring. This is an optional configuration and you can skip it if you wish to monitor all the users.
To exclude specific users and groups, select the users or groups in the exclusion section.
The Exclusion section is not applicable if you select the Specific user(s) & group(s) option in the Inclusion section.
Acme Corp wishes to monitor the messages exchanged between all the users. They configure the Directory Sync for their MS Entra account and select the All users option in the inclusion section. However, they realize that there is an internal group in which users share dummy API keys, passwords, and credit card details for testing. This group is called the Test group. To avoid false positive alerts, Acme Corp excludes the Test group from monitoring.
Learn how to configure the Scope section for personal chats in Microsoft Teams policy.
This document explains the process to configure the Scope section for messages sent in various groups of MS Teams.
To configure the Scope:
Enable the toggle switch for Teams.
Click + Add Tenant and select the tenant.
Once you select the tenant, you must select which Teams and Channels of the selected tenant must be monitored by Nightfall. This selection can be done in the Include in monitoring section.
Click the All teams radio button to monitor all the teams. This option monitors all the existing Teams present under the selected tenant. Additionally, any Team(s) created in the future will also be automatically included for monitoring.
(applicable only if you did not execute step 1) Click the Specific team(s) radio button to select the specific team(s) to be monitored.
Once you select the Specific team(s) option, a new field Teams comes up. This field allows you to select the required teams by selecting the name of the team, as shown in the following image.
Starts With: Use this option to enter a text string which should match the start of a Team's name.
Ends With: Use this option to enter a text string which should match the end of a Team's name.
Contains: Use this option to enter a text string which should match a part of a Team's name.
Example Scenario for Patterns
Let's consider that some of the teams in your MS Teams tenant also have external stakeholders (people who are not part of your organization). Teams with external stakeholders are named ext-dev, ext-cs, ext-qa, and so on. To monitor all the external teams, you can select the Starts With option and enter the substring ext-.
Similarly, if the names of all the teams that have external stakeholders end with the word ext (dev-ext, qa-ext, cs-ext), you can select the Ends With option and enter the substring -ext.
Similarly, if you have used the word ext anywhere in the team name, you can select the Contains option and enter the substring ext.
Once you select the required teams, you must now select the channels of the selected team, to be monitored. Nightfall provides you with the following options to select the channel.
Private Channels: This option monitors all the private channels of the selected team(s).
Public Channels: This option monitors all the public channels of the selected team(s).
Shared Channels: This option monitors all the shared channels of the selected team(s).
The Exclusion section allows you to exclude certain channels from being monitored. You can enter a text string that should be present in the channel name that needs to be excluded.
This section is optional and you can skip it. You must configure this section only if you wish to exclude certain channels from being monitored.
Channel Exclusion: This field allows you to enter a string that should be present in the Channel name for channels to be excluded from being monitored. The various options are as follows.
Starts With: Use this option to enter a string that should be present at the start of the Channel name.
Ends With: Use this option to enter a string that should be present at the end of the Channel name.
Contains: Use this option to enter a string that should be present in the Channel name.
Consider that you wish to monitor all the channels in your MS Teams. However, there are a few test channels that were created internally just for testing and you wish to exclude these test channels. There are many test channels, and more test channels may be created in the future, so you would need to manually add each newly created test channel to the exclusion list, which is cumbersome.
You can use the Channel Exclusion option, select the Contains option and enter the text string "test".
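A substring rule can match more names than intended, and for a channel exclusion that means channels silently dropped from monitoring. The following added example (not Nightfall code) models the Starts With / Ends With / Contains options locally so that a rule can be dry-run against a list of team and channel names before it is saved; case-insensitive matching, the rule tuples, and the sample names are assumptions.

```python
# Added illustration: a local model of the substring rules described above.
# Assumptions: matching is treated as case-insensitive; the (operation, text)
# rule tuples and the inventory below are constructed, not a Nightfall format.

OPS = {
    "starts_with": lambda name, text: name.startswith(text),
    "ends_with": lambda name, text: name.endswith(text),
    "contains": lambda name, text: text in name,
}

def matches(name, op, text):
    """Apply one substring operation to a team or channel name."""
    return OPS[op](name.lower(), text.lower())

def evaluate_scope(teams, team_rule, channel_exclusions):
    """Split (team, channel) pairs into monitored and excluded lists."""
    in_scope, excluded = [], []
    for team, channels in teams.items():
        if not matches(team, *team_rule):
            continue  # team not selected by the inclusion rule
        for channel in channels:
            if any(matches(channel, op, t) for op, t in channel_exclusions):
                excluded.append((team, channel))
            else:
                in_scope.append((team, channel))
    return in_scope, excluded

def unintended(names, op, text, intended):
    """Names the rule matches that the admin did not mean to match."""
    return sorted(n for n in names if matches(n, op, text) and n not in intended)

# Constructed sample inventory (team name -> channel names).
TEAMS = {
    "ext-dev": ["general", "test-builds", "contest-entries"],
    "ext-qa": ["general", "latest-releases"],
    "context-research": ["general"],
    "finance": ["payroll", "test-payments"],
}

if __name__ == "__main__":
    all_channels = {c for chans in TEAMS.values() for c in chans}
    # "Contains test" also hides contest-entries and latest-releases.
    print(unintended(all_channels, "contains", "test",
                     {"test-builds", "test-payments"}))
    # "Contains ext" also selects context-research.
    print(unintended(TEAMS, "contains", "ext", {"ext-dev", "ext-qa"}))
    # A tighter exclusion keeps those channels monitored.
    print(evaluate_scope(TEAMS, ("starts_with", "ext-"),
                         [("starts_with", "test-")]))
```

Any channel that `unintended` reports for an exclusion rule is a channel that would stop being scanned, so a Starts With or Ends With rule is the safer choice when the naming convention allows it.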
To learn more about Teams and Channels in MS Teams, you can refer to this .
The Group of Teams option allows you to select a set of Teams by entering a text string that may partially match a Team name. You can navigate to to generate a regular expression pattern. The supported substring match operations are as follows.
To use the exclusion section, click Create a new Exclusion Rule and select Channel Exclusion. You can navigate to to generate a regular expression pattern.
Learn how to configure risk score and name a Nightfall policy created for Microsoft Teams DLP.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Choose the Policy risk score. By default the risk score is set to Nightfall Risk Score. You can set it to Custom Risk score, and select one of the risk levels, if required. To learn more about Risk scoring, refer to the #risk-scoring document.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click Back to modify any of the policy configurations.
Click Submit.