Create Content Compliance Rule - Monitoring

The first content compliance rule is used to monitor all outgoing emails.

Important

It is mandatory for you to create this rule to monitor outgoing emails for sensitive data.

Prerequisites

In the Nightfall UI, navigate to Integrations from the left navigation bar and click the Manage button for the Gmail integration.

All the headers and expressions required to create the compliance rules are available in the Installation section under Gmail settings. Keep this screen open so that you can copy and paste the headers as you create the content compliance rules in Google Workspace. We will refer to this page as the Gmail settings page throughout the document.

Content Compliance

The steps to create a content compliance rule are as follows.

  1. Log in to your Google Workspace with an admin account.

  2. Navigate to the admin console.

  3. From the left menu, expand Apps > Google Workspace > Gmail.

  4. Scroll down and click Compliance.

When you click Compliance, the list of Organization Units (OUs) is displayed on the left of the screen. You can configure the compliance rules and routing rules directly on your production OU (the OU at the topmost level) by selecting it.

However, Nightfall recommends that you initially configure the rules on a subset OU (one of the nested OUs) which has a small set of users. When you click on a nested OU, the rules are created only for the nested OU that you select. Once you verify that the configuration is working as expected on the nested OU, you can configure the compliance rules on the production OU.

  5. Scroll down to the Content Compliance section and click ADD ANOTHER RULE. (If you have not created any compliance rule previously, the button might be displayed as CONFIGURE.)

Step 1 - Email Messages to Affect

  1. Enter a name for the compliance rule. For example, Nightfall DLP.

  2. Select the Outbound and Internal - Sending check boxes in the Email messages to affect section.

If you select only the Outbound check box, only emails that are routed out of your organization to external domains are scanned. If you wish to scan internal emails (emails that are sent between the employees of your organization), you must also select the Internal - Sending check box.

Step 2 - Add Expressions

  1. In step 2 of the content compliance rule, select the If ALL of the following match the message option.

  2. You need to add two expressions in step 2 of the content compliance rule. Click ADD.

  1. In the Add setting dialog box, select the Advanced Content match option.

  2. In the Location drop-down menu, select Sender header.

  3. In the Match type drop-down menu, select Matches Regex.

  4. Navigate to the Gmail settings page on the Nightfall UI, refer to the regular expression format defined under the Monitoring Content Compliance Rule section, and create a regular expression that matches your organization name.

For example, if your organization name is Contoso.com, you can create the regular expression as .*@contoso\.com$

If you are using multiple domains to send emails from your organization and you need to scan outgoing emails from all those domains for sensitive data, you can use a regular expression to specify multiple domains, as illustrated in the installation instructions in the Nightfall console. For example, (.*@domain-name.extension$|.*@domain-name.extension$)

  1. In the Regexp field, enter the regular expression to match your organization name.

  2. Click SAVE.

  1. You can now add a second expression in step 2 of the content compliance rule. Click Add.

  2. Select Advanced content match in the drop-down menu.

  3. In the Location drop-down menu, select Full headers.

  4. In the Match type drop-down menu, select Not Contains text.

  5. Navigate to the Gmail settings page on the Nightfall UI and copy the value from the Header field, located under the Full Header section.

  6. Return to the Google Admin Workspace window and paste the copied value in the Content field.

  7. Click SAVE.

The condition expression is now created. This expression ensures that all the emails that are not yet scanned by Nightfall are scanned.
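The following is an added example, not Nightfall's or Google's code: it models the two step 2 expressions in Python so that a candidate sender regex can be checked against constructed sample messages before the rule is saved. It assumes the Sender header holds the bare email address and that the regex is applied as an unanchored search; `SCANNED_MARKER` is a placeholder for the value copied from the Header field, and all function names are hypothetical.

```python
import re

# Placeholder for the text copied from the Header field on the Gmail settings
# page; the real value comes from the Nightfall UI and is not reproduced here.
SCANNED_MARKER = "X-Example-Already-Scanned"

def build_sender_regex(domains):
    """Return the multi-domain sender regex with dots escaped and '$' anchors."""
    parts = [".*@" + d.lower().replace(".", r"\.") + "$" for d in domains]
    return "(" + "|".join(parts) + ")"

def rule_matches(sender_regex, sender, full_headers):
    """Model step 2 with 'If ALL of the following match the message' selected."""
    sender_in_scope = re.search(sender_regex, sender) is not None  # Matches regex
    not_yet_scanned = SCANNED_MARKER not in full_headers           # Not contains text
    return sender_in_scope and not_yet_scanned

# Constructed sample messages: (Sender header value, full headers).
SAMPLES = [
    ("alice@contoso.com", "From: alice@contoso.com\r\nSubject: Q3 numbers\r\n"),
    ("alice@contoso.com", "From: alice@contoso.com\r\n" + SCANNED_MARKER + ": 1\r\n"),
    ("bob@mail.contoso.com", "From: bob@mail.contoso.com\r\nSubject: hello\r\n"),
    ("carol@mailxcontoso.com", "From: carol@mailxcontoso.com\r\nSubject: hi\r\n"),
    ("dave@contoso.com.example.net", "From: dave@contoso.com.example.net\r\n"),
]

def evaluate(sender_regex):
    """Return, per sample, whether the rule would route the message for scanning."""
    return [rule_matches(sender_regex, s, h) for s, h in SAMPLES]

STRICT = build_sender_regex(["contoso.com", "mail.contoso.com"])
LOOSE = r"(.*@contoso.com|.*@mail.contoso.com)"  # dots unescaped, no '$' anchor

if __name__ == "__main__":
    print(STRICT)
    print("strict:", evaluate(STRICT))
    print("loose: ", evaluate(LOOSE))
```

The second sample shows the Not Contains text expression excluding a message that already carries the marker; the last two samples show addresses outside the organization's domains that only the loosely written pattern brings into scope.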

Step 3 - Modify Message and Add Custom Headers

  1. In step 3, select Modify message.

  2. Under the Headers section, select the Add X-Gm-Original-To header check box.

  3. Select the Add custom headers check box. The Custom headers section is displayed once you select this check box.

  4. Click ADD under Custom headers to add a new custom header.

There are two fields: Header key and Header value.

  1. Navigate to the Gmail settings page on the Nightfall UI and copy the value from the Authentication field, located under the Messaging Modification section.

  2. Return to the Google Admin Workspace window and paste the copied value in the Header key field.

  3. Navigate to the Gmail settings page on the Nightfall UI and copy the value from the Nightfall UUID field, located under the Messaging Modification section.

  4. Return to the Google Admin Workspace window and paste the copied value in the Header value field.

  5. Click SAVE.

  1. Scroll down to the Envelope recipient section and select the Change envelope recipient check box. A Replace recipient radio button field is displayed.

  2. Navigate to the Gmail settings page on the Nightfall UI and copy the value from the Change envelope recipient with field, located under the Messaging Modification section.

  3. Return to the Google Admin Workspace window and paste the copied value in the Replace recipient field. This is the email address to which emails must be routed for scanning.

  1. Scroll down to the Encryption (onward delivery only) section and select the Require secure transport (TLS) check box.

  2. Click SAVE.
