The Nightfall for OneDrive integration supports the configuration of alerts at the policy level and at the integration level. Alerts can be sent in Microsoft Teams by using the following alert destinations.

• Slack

• Microsoft Teams

• Email

• Webhook

• Jira Tickets

When you configure alert settings at the integration level, the alert settings apply to all the policies, created for the OneDrive integration. However, when you configure alert settings specifically for a policy, which is created in the OneDrive integration, the alert settings are applicable only for that specific policy.

This document explains how to configure alerts at the integration level. To learn about how to configure alerts at the policy level, read this document.

Prerequisites

• To use Slack as an alert platform, you must first perform the required Slack configurations. You can refer to this document to learn more about how to configure Slack as an Alert platform.

• To use Webhook as an alert platform, you must first perform the required Webhook configurations. You can refer to this document to learn more about how to configure Webhook as an Alert platform.

• To use JIRA as an alert platform, you must have the DLP for the JIRA app installed from the Atlassian Marketplace. You can read more about the DLP for JIRA integration here.

• To use MS Teams as an alert platform, you must install the MS Teams alert app in your MS Teams application. You can read more about this setup in the Setting up MS Teams as an Alert Platform document.

Configure Alerts at the Integration Level

You can configure alerts at the integration level once you have installed the Nightfall for OneDrive DLP integration.

To configure alerts at the integration level:

1. Navigate to the Microsoft 365 integration.

2. Scroll down to the Teams Alerting section.

3. You can configure one or multiple alert channels.

Configuring Slack as an Alert Channel

1. To configure Slack as an alert channel, click + Slack channel.

1. In the Slack alert channel field, enter the name of the Slack channel in which you wish to receive the alerts.

2. Click Save.

A confirmation pop-up box is displayed to confirm if the Slack channel (entered in the second step) must be used only for OneDrive DLP integration or all the Nightfall integrations.

1. Select No, only integration level to use the Slack channel only for OneDrive DLP, or select Yes, please to use the selected Slack channel for all the Nightfall integrations.

Configuring MS Teams as an Alert Channel

1. Click + Microsoft Teams.

The Team and Channel drop-down menus are displayed.

1. Select the required team and/or channel to which the notifications must be sent.

2. Click Save.

Configuring Email as an Alert Channel

1. Click + Email.

1. Enter the Email ID of the recipient who should receive the notifications.

2. Click Save.

A confirmation pop-up box is displayed to confirm if the Email ID (entered in the second step) must be used only for OneDrive DLP integration or all the Nightfall integrations.

1. Select No, only integration level to use the Slack channel only for One Drive DLP, or select Yes, please to use the selected Slack channel for all the Nightfall integrations.

Configuring Webhook as an Alert Channel

1. Click + Webhook.

2. Enter the Webhook URL.

3. Click Test. If the test result is not successful, check the Webhook URL.

4. (Optional) Click Add Header to add headers.

5. Click Save.

{
  "service": "nightfall",
  "test": true,
  "timestamp": "2024-03-07T23:18:39Z"
}

Configuring Jira as an Alert Channel

1. Click + Jira Ticket.

2. Select a JIRA project from the Jira Project drop-down menu.

3. Select an issue type from the Issue Type drop-down menu.

4. (Optional) Add comments to be added in the JIRA ticket.

5. Click Save changes.

A confirmation pop-up box is displayed to confirm if the JIRA settings configured for the OneDrive DLP integration must be applied to all the other Nightfall integrations too.

1. Select No, only integration level to use the configurations only for OneDrive DLP, or select Yes, please to use the selected JIRA configurations for all the Nightfall integrations.

Configure End-User Notification

When an Event is triggered, Nightfall sends a notification to the end-user whose actions triggered the Event. While notifying the end-user, Nightfall also sends a text message. You can draft the text message to be sent to the end-user. This message applies to all the policies. Click Save changes once done.

In this final stage, you assign a name to the policy, verify your configurations, and create the policy.

1. Enter a name for the policy.

2. (Optional) Enter a description for the policy.

3. Choose the Policy risk score. By default the risk score is set to Nightfall Risk Score. You can set it to Custom Risk score, and select one of the risk levels, if required. To learn more about Risk scoring, refer to the document.

4. Click Next.

1. Verify if all the policy configurations are set up as per your requirements.

2. (Optional) Click back to modify any of the policy configurations.

3. Click Submit.

To monitor the chat messages between individual users, for sensitive data, you must first configure the Directory Sync feature for your Azure Entra account. This configuration gives Nightfall access to the list of users in your Azure account and thus Nightfall can monitor the messages sent between users.

Prerequisites to Monitor Chats

To monitor Chats, you must perform the following.

1. Configure the Directory Sync feature. Refer to this document.

2. Once you complete the configuration, you must perform the steps mentioned in the Monitoring Chats section of this document.

Monitoring Chats

To Monitor Chat messages:

1. Enable the toggle switch, if not enabled.

1. Click Add Tenant and select the tenant to be monitored.

Inclusion and Exclusions

Inclusions

For the selected tenant, you must select the users that must be monitored. You can choose to monitor either all the users in the tenant or specific users or group of users.

When you select the Specific user(s) & group(s) option, two new drop-down menus are displayed. These menus allow you to select specific users or groups of users to be monitored.

Exclusions

When you choose to monitor all the users, you may also choose a specific list of users or groups of users to exclude from monitoring. This is an optional configuration and you can skip it if you wish to monitor all the users.

To exclude specific users and groups, select the users or groups in the exclusion section.

Example Scenario

Acme Corp wishes to monitor the messages exchanged between all the users. They configure the Directory Sync for their MS Entra account and select the All users option in the inclusion section. However, they realize that there is an internal group in which users share dummy API keys, passwords, and credit card details, for testing. This group is called the Test group. To avoid false positive alerts, Acme Corp excludes the Test group from exclusion.

DLP policies are a set of rules that include specific conditions, actions, and exceptions that monitor and filter data. DLP policies also enable you to remediate any leakage of sensitive information from within your organization.

• You can set up policies to scan data that is sent through some or all applications within your organization.

• You can configure policies and choose to not apply them all the time.

Before you define a policy, or a set of policies, we recommend that you define the objectives of each policy, which can then be fulfilled when you configure the policy.

Here are a few important questions to ask before configuring your policies:

• What data do you plan to monitor?

• Where within the organization do you want to monitor?

• What should be the scope of each policy?

• What conditions must apply for the policy to match?

• What exceptions/exclusions can be allowed?

• What remediation actions should the policy take?

You can now configure policies on the Microsoft Teams integration to determine which tenants and teams must be monitored, and which ones excluded. You can also automate the remediation actions that you want Nightfall to perform on a policy violation.

The following documents help you setup Policies on MS Teams.

Integration

Scope

Detection Rules

Advanced Settings

Managing Violations

This stage allows you to select notification channels if a policy violation occurs. The notification alerts are sent at two levels.

Admin Alerting

The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to this document for steps.

End User Notifications

This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.

• Custom Message: Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink https://www.nightfall.ai with the text Nightfall website, you must write <https://www.nightfall.ai | Nightfall website>.

• Automation: You can select either Email, Teams, or Slack as an automated notification method to notify the end-users. You must select the respective check box to use the notification method. You must first turn the toggle switch to use this option.

End User Remediation

The End-user remediation (also known as Human Firewall) section allows you to configure remediation measures that end users can take when a violation is detected on their MS Teams operations. You must turn on the toggle switch to use this option. The various available options are as follows.

• Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.

• Report as False Positive: This option allows end users to report false positive alerts.

• When a Violation is Reported as False Positive: You can use this option to set actions to be taken when a violation is reported as false positive by the end-user. You can either set the remediation to be automatic or manual.

• Remind Every (until Violation expires): You can use this option to set a reminder for the end-user to take action on the violation. You can choose to remind the end user every 24, 48, or 72 hours.

When Nightfall detects a violation to one or more MS Teams policies, it reports the violation as an Event. This document describes workflows and options for the MS Teams Events. Furthermore, it is recommended to read the Nightfall Events Sensitive Data Protection Events document before proceeding further.

Nightfall Events

To view the Events in the Nightfall console:

1. Click Detection and Response from the left pane.

2. Filter the data to view only the MS Teams Events.

1. (Optional) To view Events prior to the Last 7 days, click on the date filter and choose the appropriate date range upto a max of 180 days.

nce you filter the Events to view only the MS Teams events, you can refer to the #event-list-view section to learn more about the available options.

1. Click on any of the Events to view details of an Event. You may click anywhere in the row of an Event that you wish to inspect. Details will be present via a side panel.Click the ellipsis menu in the right corner or on the violation to view the list of actions that you can take to initiate the violation.

The side panel (or the Event detail view) is divided into three separate sections. The first section has information about the occurrence of individual findings with a preview. The third section is an activity log for the Event. Both these sections reveal information that is common across all sources/integrations. You can refer to these common sections in the #event-detail-view section.

The second section displays details that are source / integration specific and so the details vary from one integration to the other.

Event Actions

Nightfall allows you to take various action on Events. When you take an action on an Event, the status of the Event changes accordingly. To learn more about Event status, refer to the Event Status document.

In MS Teams, you can take actions either from the Event list view page or the Event detail view page. On the Event list view page, you can click the ellipsis menu to view the available list of actions.

On the Event detail view, you can view the applicable actions from the actions section at the bottom.

The list of actions supported for MS Teams are as follows. Some of these actions are common to other integrations as well.

• Copy Event Link: The action copies the link to the Event. You can save or send this link to directly open the Event. This action is available only on the Event detail view.

• View in MS Teams: This action redirects to the relevant document with sensitive data in the source MS Teams. While this action is available only on the Event detail view, please note that relevant access to the document in source message in MS Teams should be present.

• Ignore: The ignore action flags Nightfall to ignore all the findings in the Event and may be taken if you find the findings false positive. This action marks the Event as resolved and moves it to the Resolved section. You can undo this action.

• Acknowledge: You can take this action to notify other users that you have looked into this Event and will take suitable action in future.

• Notify Email: This action notifies the end user who sent the message with sensitive data in MS Teams about the event, through email.

• Notify Slack: This action notifies the end user who sent the message with sensitive data in MS Teams about the event, through Slack.

• Notify Teams: This action notifies the end user who sent the message with sensitive data in MS Teams about the event, through MS Teams.

• Send to JIRA: This action creates a JIRA ticket for the Event. You can pick a project and Issue type while creating the JIRA ticket and can assign the JIRA ticket to the end-user

• Resolve: This action must be taken when the sensitive data is removed completely from the source file. This action resolves the Event.

Email Notification

• If you have configured Email Notification in Admin Alerting, Nightfall admins receive the Email notification. This Email allows admins to take actions from within the Email.

• If you have configured Email Notification in the Automation section of End user notification settings, end users receive an email from Nightfall. This Email allows end users to take actions from within the Email.

Viewing Notifications in MS Teams

When a violation occurs, the end user who triggered the violation receives an Email to their registered Microsoft account. The Email looks as follows.

If you have enabled end-user remediation in policy settings, based on the options selected in end-user remediation, end-users can view two options. They can either choose to Remediate in Teams or Report as False Positive. The options to Remediate in Teams or Report as False Positive are displayed in the Email only if you have configured them in the end-user remediation section of the policy.

In this section, you can select the Detection rules for the policy and If not already created, you can create detection rules. To learn more about how to configure detection rules, see .

To select detection rules, select the detection rules from the list of rules that are displayed.

You can also sort the rules that you want to view.

• All Detection Rules: View all detection rules created

• Selected Detection Rules: View detection rules that are selected and mapped to this policy

• Unselected Detection Rules: View detection rules that are neither selected nor mapped to this policy.

Click Next.

In this stage, you select the Integration for which the policy is created. In this case, the Microsoft Teams integration must be selected.

1. Click Policies from the left menu.

1. Click + New Policy.

1. Select Sensitive Data.

1. Select the Microsoft Teams integration.

The Scope stage allows you to select an MS Office tenant in which the policy can be created. In the Scope section, you must also choose to monitor one of the following:

• the messages exchanged between two users.

• the messages exchanged between groups.

The following documents explain the process of configuring the Scope for messages exchanged between two users and the messages exchanged between groups.

• Configure Scope for messages exchanged between users

• Groups Scope for messages exchanged in Groups.

Nightfall for Microsoft Teams prevents sensitive content that is shared through Microsoft Teams. Sensitive information and specific types of data like social security numbers, credit card numbers, or passwords are scanned and prevented from unintentional leakage.

Nightfall for Microsoft Teams scans all messages and documents that are exchanged over Channels (Private, Public, and Shared) and prevents sensitive information (such as credit card numbers or health records) from being leaked. Scans will include archived items, but not deleted items.

This document explains the process to configure the Scope section for messages sent in various groups of MS Teams.

To configure the Scope:

1. Enable the toggle switch for Teams.

2. Click + Add Tenant and select the tenant.

Configuring the Inclusion Section

Once you select the tenant, you must select which Teams and Channels if the selected tenant, must be monitored by Nightfall. This selection can be done in the Include in monitoring section.

Selecting Teams

1. Click the All teams radio button to monitor all the teams. This option monitors all the existing Teams present under the selected tenant. Additionally, any Team(s) created in the future will also be automatically included for monitoring.

2. (applicable only if you did not execute step 1) Click the Specific team(s) radio button to select the specific team(s) to be monitored.

Once you select the Specific team(s) option, a new field Teams comes up. This field allows you to select the required teams by selecting the name of the team, as shown in the following image.

The Group of Teams option allows you to select a set of Teams by entering a text string that may partially match a Team name. You can navigate to this site to generate a regular expression pattern. The supported substring match operations are as follows.

• Starts With: Use this option to enter a text string which should match the start of a Team's name.

• Ends With: Use this option to enter a text string which should match the end of a Team's name.

• Contains: Use this option to enter a text string which should match a part of a Team's name.

Example Scenario for Patterns

• Let's consider that some of the teams in your MS Teams tenant have external stakeholders too (people who are not part of your organization). A team with external stakeholders is named ext-dev, ext-cs, ext-qa, and so on. To monitor all the external teams, you can use the Starts with option and use the substring ext-.

• Similarly, if you have ended all the team names that have external stakeholders, with the word ext (dev-ext, qa-ext, cs-ext), you can select the Ends With option and enter the -ext substring.

• Similarly, if you have used the word ext anywhere in the team name, you can select the Contains option and enter the substring ext.

Selecting Channels

Once you select the required teams, you must now select the channels of the selected team, to be monitored. Nightfall provides you with the following options to select the channel.

• Private Channels: This option monitors all the private channels of the selected team(s).

• Public Channels: This option monitors all the public channels of the selected team(s).

• Shared Channels: This option monitors all the shared channels of the selected team(s).

Configuring the Exclusion Section

The Exclusion section allows you to exclude certain channels from being monitored. You can enter a text string that should be present in the channel name that needs to be excluded.

To use the exclusion section, click Create a new Exclusion Rule and select Channel Exclusion. You can navigate to this site to generate a regular expression pattern.

• Channel Exclusion: This field allows you to enter a string that should be present in the Channel name for channels to be excluded from being monitored. The various options are as follows.

  • Starts With: Use this option to enter a string that should be present at the start of the Channel name.

  • Ends With: Use this option to enter a string that should be present at the end of the Channel name.

  • Contains: Use this option to enter a string that should be present in the Channel name.

Example Scenario

Consider that you wish to monitor all the channels in your MS Teams. However, there are a few test channels that were created internally just for testing and you wish to exclude these test channels. There are many test channels and test channels may also be created in the future. So, you need to manually add the newly created test channels as well in the exclusion list, which is cumbersome.

You can use the Channel Exclusion option, select the Contains option and enter the text string "test".