Remediation on Nightfall for Gmail
Learn how to remediate events in Nightfall for Gmail.
This document explains the impact on end-users and Google Workspace admins when the automated actions in Gmail DLP (Block, Quarantine, or Encrypt) are implemented.
To learn more about configuring automated actions for Gmail DLP, see Automated actions.
When an email is blocked, the end user receives an email from Nightfall informing them that their email was blocked. End users receive this email from dlp@nightfall.ai. Apart from this email, end users also get the original email which was blocked.
The email looks as follows.
The status of the Event is also automatically changed to Blocked when the email is blocked.
When an email is quarantined, it is stored separately in a secure Gmail server. A Google Workspace admin must visit the server, review the quarantined email, and decide whether the email must be allowed to travel to the recipient or be blocked.
To access the quarantined emails:
Log in to your Google Workspace with an admin account.
Click the menu icon.
Select Admin.
In the left menu, expand Apps and then expand Google Workspace.
Click Gmail.
Scroll down and click Manage quarantines.
Click GO TO ADMIN QUARANTINE.
The list of all the quarantined emails is displayed.
Click any email to expand it. You can view three options.
SHOW ORIGINAL - This option displays the full email.
ALLOW - This option releases the email from quarantine and sends it to the recipient. You must select this option if you are confident that the sensitive data detected by Nightfall is a false positive.
DENY - This option blocks the email and does not send it to the recipient. You must select this option if you are confident that the sensitive data detected by Nightfall is actually sensitive.
When an email is encrypted, an additional event is created in Nightfall data encryption, apart from the regular event created in Nightfall detection and response. The email is delivered to the recipient. An event is logged in Nightfall detection and response with the Status Encrypted.
When an end user violates a policy in Gmail DLP, an Event is generated based on the notification settings configured by you in the policy configurations. To learn more about Events, see Data Detection and Response Events.
To view the Events from the Nightfall Console:
Click Detection and Response from the left pane.
(Optional) Modify the days filter to view Events prior to the last 7 days. By default, the Events recorded in the Last 7 Days are displayed.
Apply filters to view only the Gmail DLP Events.
Click any of the Events to view its details. You may click anywhere in the row of the Event that you wish to inspect. The details are presented in a side panel.
Nightfall allows you to take various actions on Events. When you take an action on an Event, the status of the Event changes accordingly. To learn more about Event status, refer to the Event Status document.
In Gmail, you can take actions either from the Event list view page or the Event detail view page. On the Event list view page, you can click the ellipsis menu to view the available list of actions.
On the Event detail view, you can view the applicable actions from the actions section at the bottom.
To view the complete list of actions, applicable to all the integrations, you can refer to the Applying Actions on Events document.
The list of actions supported for Confluence are as follows. Some of these actions are common to other integrations as well.
Copy Event Link: The action copies the link to the Event. You can save or send this link to directly open the Event. This action is available only on the Event detail view.
Ignore: The ignore action flags Nightfall to ignore all the findings in the Event and may be taken if you find the findings to be false positives. This action marks the Event as resolved and moves it to the Resolved section. You can undo this action.
Acknowledge: You can take this action to notify other users that you have looked into this Event and will take suitable action in future.
Notify Email: This action notifies the end user who added the sensitive data file to the OneDrive about the event, through email.
Notify Slack: This action notifies the end user who added the sensitive data file to the OneDrive about the event, through Slack.
Send to JIRA: This action creates a JIRA ticket for the Event. You can pick a project and Issue type while creating the JIRA ticket and can assign the JIRA ticket to the end-user.
Resolve: This action must be taken when the sensitive data is removed completely. This action resolves the Event.
Once you filter the Events to view only the Confluence Events, you can refer to the section to learn more about the available options.