Getting Started
Use this guide to get started with the installation of the Nightfall for Slack integration

Overview

Please follow the steps below in our installation instructions to get set up:
Please log in to the Nightfall console at app.nightfall.ai. Once logged in, navigate to the Slack option on the left-hand side of the console.

Installation

Nightfall Pro DLP for Slack

Please select the ‘Add to Slack’ option to authorize Discovery API access to the Slack environment and to add the Nightfall app to Slack.
After clicking 'Add to Slack', you will be directed to the 'Allow' page. Be sure to select the correct workspace associated with your Nightfall account.
After you click 'Allow', you will be directed to setup instructions - please complete these steps to start receiving alerts.
Note: Upon installation, the bot must be added to the channels that you would like to monitor.
To invite the bot to a channel, use the command below:
/invite @Nightfall Pro #[channel]
If you would like to have Nightfall add the bot to all your public channels, please reach out to [email protected], and we can help with the request.
Note: If this installation returns a 400 error mentioning a "restricted action", in the format below, please refer to the help article below to remediate:
{"status":400,"detail":"failed to create notification channel: restricted_action"}

Nightfall Enterprise DLP for Slack

The below screenshot depicts a user that is on the Slack Enterprise tier.
Please select the ‘Authorize’ option to authorize Discovery API access to the Slack environment. This requires you to be a Workspace Owner in Slack.
After clicking 'Authorize', you will be directed to the 'Allow' page. Be sure to select the correct workspace associated with your Nightfall account before clicking 'Allow'. Once complete, Nightfall will be able to access the Discovery API.
If this authorization fails, it most likely means that the Discovery API is not yet enabled in your Slack organization. Please contact your Slack sales rep or email [email protected] to enable this.
After granting access to the Discovery API, you will be directed back to the dashboard to install the Nightfall Enterprise bot. Please click 'Install' to grant our bot access to your Slack workspace.
Now, please select the ‘Install’ option.
After clicking 'Install', you will be directed to another 'Allow' page. Again, please be sure to select the correct workspace associated with your Nightfall account before clicking 'Allow'.
The workspace you select here is the one in which Nightfall creates the new private channels used to send you DLP alerts and to triage the quarantine. Once complete, Nightfall will be installed in your Slack workspace.
Note: If this installation returns a 400 error mentioning a "restricted action", in the format below, please refer to the help article below to remediate:
{"status":400,"detail":"failed to create notification channel: restricted_action"}

Create your first Slack Policy

The instructions below are a bit different for the Slack Pro and Slack Enterprise options. Please refer to the Slack tier that you will be using.

Nightfall Pro DLP for Slack

Please navigate to the Slack option on the left-hand side of the console.
This is the screen from which we will be setting up and operating the Nightfall for Slack integration. To create your first policy, please select the ‘+ New policy’ option:
Once you name the policy, the first option for configuration will be the Scope. This scope refers to the channel types that you would like to monitor for this policy, both internal and external.
Monitoring can be done on Public or Private channels, for both Internal and Connect Slack channels.
Note: As is depicted in the screenshot below, the Nightfall Pro bot MUST be added to all channels that you would like to scan. If you would like to have Nightfall add the bot to all your public channels, please reach out to [email protected], and we can help with the request.
Once you select the scope, the next step is the detection rule.
You will now see the option to add your detection rules of choice to this Slack Policy. If you do not have any detection rules set up, please go here for more info on how to set up Detection Rules.
Note: As mentioned above, you can add multiple detection rules to a Slack Policy.
Once you have added your detection rule of choice, select the Automated Actions that you would like to take when a policy violation is detected.
For Slack Pro, the options are to Notify the user, or to Delete the message that caused the violation.
The next step is alerting. By default, the Slack channel that receives alerts from Nightfall is #nightfall-slack-alerts.
As shown below, the set up for your first Slack Policy is now complete and you can now save the policy.
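A coverage check for the requirement above that the Nightfall Pro bot be in every channel a policy should scan. This is an added example, not Nightfall's code; the inventory, its merged "members" field and the bot user ID are constructed placeholders, with field names modeled on Slack channel objects.

```python
import json

# Constructed channel inventory (not real data). Field names follow Slack
# channel objects; "members" is assumed to be merged in by the admin's export.
BOT_USER_ID = "U0BOTPLACEHOLDER"  # placeholder for the Nightfall Pro bot's user ID
INVENTORY = json.loads("""
[
 {"name": "general",       "is_private": false, "is_ext_shared": false, "is_archived": false, "members": ["U1", "U0BOTPLACEHOLDER"]},
 {"name": "finance",       "is_private": true,  "is_ext_shared": false, "is_archived": false, "members": ["U2", "U3"]},
 {"name": "vendor-acme",   "is_private": false, "is_ext_shared": true,  "is_archived": false, "members": ["U1", "U4"]},
 {"name": "old-project",   "is_private": false, "is_ext_shared": false, "is_archived": true,  "members": ["U1"]},
 {"name": "partner-legal", "is_private": true,  "is_ext_shared": true,  "is_archived": false, "members": ["U0BOTPLACEHOLDER", "U5"]}
]
""")

def scope_of(channel):
    """Map a channel to the policy scope categories named in this guide."""
    visibility = "Private" if channel["is_private"] else "Public"
    origin = "Connect" if channel["is_ext_shared"] else "Internal"
    return f"{origin} {visibility}"

def coverage_gaps(inventory, bot_id, policy_scope):
    """Return {scope: [names]} for active, in-scope channels the bot is not in."""
    gaps = {}
    for ch in inventory:
        if ch["is_archived"]:
            continue  # archived channels receive no new messages
        scope = scope_of(ch)
        if scope in policy_scope and bot_id not in ch["members"]:
            gaps.setdefault(scope, []).append(ch["name"])
    return gaps

def invite_commands(gaps):
    """Build the /invite command from this guide for each uncovered channel."""
    return [f"/invite @Nightfall Pro #{name}"
            for names in gaps.values() for name in sorted(names)]

if __name__ == "__main__":
    scope = {"Internal Public", "Internal Private", "Connect Public", "Connect Private"}
    gaps = coverage_gaps(INVENTORY, BOT_USER_ID, scope)
    for category, names in gaps.items():
        print(f"{category}: {', '.join(names)}")
    for cmd in invite_commands(gaps):
        print(cmd)
```

Channels listed in the output are inside the policy scope but are not scanned until the bot is invited.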

Nightfall Enterprise DLP for Slack

Please navigate to the Slack option on the left-hand side of the console.
This is the screen from which we will be setting up and operating the Nightfall for Slack integration. To create your first policy, please select the ‘+ New policy’ option:
Once you name the policy, the first option for configuration will be the Scope. This scope refers to the channel types that you would like to monitor for this policy, both internal and external.
Monitoring can be done on Public and Private channels, as well as Direct Messages, for both Internal and Connect Slack channels.
Note: As is depicted in the screenshot below, you also have the option to Exclude specific channels from monitoring.
You will now see the option to add your detection rules of choice to this Slack Policy. If you do not have any detection rules set up, please go here for more info on how to set up Detection Rules.
Once you have added your detection rules of choice, select the Automated Actions that you would like to take when a policy violation is detected.
For Slack Enterprise, the options are to Notify the user, Quarantine the message, or to Delete the message that caused the violation.
If you select the Quarantine option, the content of the message will be sent to the ‘#nightfall-content-slack’ channel, and the original message will be replaced with a tombstone message, indicating that the original message is no longer available.
The channel that receives the alert messages for policy violations is #nightfall-alerts-slack. Similarly, for messages that are quarantined, an alert will also be sent to the #nightfall-quarantine-slack channel.
You can now also send Slack alerts to webhook endpoints and to email addresses.
As can be seen below, to make these changes, navigate to the Settings tab of the Slack view in the Nightfall console. These settings are available for both Slack Pro and Slack Enterprise customers.
Sending Slack alerts to a webhook endpoint also allows for integration with, and ingestion by, other security tools, such as a SIEM or a SOAR. For more information on how to use webhook endpoints to integrate with security tools, please refer to the article below:
As shown below, the set up has been completed and you can now save the policy.