
Policy Configuration

Learn how to set up policies to determine what Slack channels are monitored (and which are excluded) for violations and what actions are taken.
Policies determine what content Nightfall scans and how it is scanned, as well as the workflows for handling violations.
Policies for the Slack integration let you specify Slack-specific configuration, such as how to handle messages in particular channels or which Slack-specific automated actions, such as "Quarantine," to use.
Setting up Policies
Note: Instructions differ for Slack Pro and Slack Enterprise options. Please refer to the Slack tier that you will be using.

Nightfall Pro DLP for Slack

Navigate to the Slack option under Integrations on the left-hand side of the console, and select the Policies tab.
To create your policy, please select the ‘+ New policy’ option:

Policy Scope

Once you name the policy, the first option for configuration will be the Scope. This scope refers to the channel types that you would like to monitor for this policy, both internal and external.
You can configure Monitoring on Public or Private channels for both Internal and Connect Slack channels.
Note: The Nightfall Pro bot must be added to all channels that you would like to scan.
To add the bot to all your public channels, please reach out to [email protected], and we can help with the request.
Slack Policy Scope Set Up for Nightfall Pro DLP for Slack

Policy Exclusions

As part of defining a Policy for Nightfall Pro DLP for Slack, you have the option to exclude users and apps from monitoring. Messages produced by those users and apps will not be scanned by Nightfall and will not cause alerts to be sent.
This allows you to avoid scanning messages where there is no business need to monitor that content, and to prevent messages from sensitive users, such as executives at the company, from being monitored. It also allows you to prevent false positives that result from scanning messages from Slack applications.
To create an Exclusion, navigate to the Slack configuration under the Integrations section of the left-hand navigation. Select the Policies tab and look at the Scope section.

Excluding Users

To exclude users from monitoring, select the “+ Users” button under the “Exclude from monitoring” sub-section of the Policy’s Scope.
Excluding Users to Policy
The “Exclude Users” modal window will pop up.
Typing in the “Add Users” text box will present you with a drop-down list of options matching your input based on the user’s name and email (if the email is included in their profile). Click on the user from the list to select the user for exclusion.
Once selected, the user’s name will appear as a chiclet below the “Add Users” input with a minus sign (“-”) next to it, clicking on which will remove the user from the list of users to add.
Once you have selected all the users you wish to exclude, click the “Add” button to commit your selection and close the modal window. Clicking on “Cancel” will close the modal without adding any users you have selected to the list of excluded users.
Messages sent by the users you have added will not be scanned for policy violations.
The excluded users will appear in a column labeled “Users” under the “Exclude from monitoring” section.
To remove a user from the list of excluded users, click on the minus sign (“-“) next to their name in the list.

Excluding Apps

To exclude Apps from monitoring, select the “+ Apps” button under the “Exclude from monitoring” sub-section of the Policy’s Scope.
Excluding Apps in Policy
The “Exclude Apps” modal window will pop up.
Typing in the “Add Apps” text box will present you with a drop down list of options matching your input based on the app’s name. Click on the app from the list to select the app for exclusion.
Once selected, the app’s name will appear as a chiclet below the “Add Apps” input with a minus sign (“-”) next to it, clicking on which will remove the app.
Once you have selected all the apps you wish to exclude, click the “Add” button to commit your selection and close the modal window. Clicking on “Cancel” will close the modal without adding any apps you have selected to the list of excluded apps.
Messages sent by the apps you have added will not be scanned for policy violations.
The excluded apps will appear in a column labeled “Apps” under the “Exclude from monitoring” section.
To remove an app from the list of excluded apps, click on the minus sign (“-“) next to the app’s name in the list.

Policy Detection Rules

Once you select the scope, the next step is the detection rule.
You will now see the option to add your detection rules of choice to this Slack Policy. If you do not have any detection rules set up, please go here for more info on how to set up Detection Rules.
You can add multiple detection rules to a Slack Policy.

Multiple Detection Rules per Policy

You can combine multiple detection rules into a detection policy. This enables you to maintain a granular set of detection rules at the platform level, and choose from them as needed for Slack. You need not maintain a separate Slack detection rule. Detection Rules support logical operators, and you can link them together for advanced detection logic (e.g. for PHI detection).

Policy Automated Actions

Once you have added your detection rule of choice, you can select the Automated Actions to take when a policy violation is detected.
For Slack Pro, the options are to Notify the user, or to Delete the message that caused the violation.
The next step is alerting. By default, the Slack channel that receives alerts from Nightfall is #nightfall-slack-alerts.
As shown below, the set up for your first Slack Policy is now complete and you can now save the policy.

Apply Policies to select Channels and Workspaces

Nightfall Enterprise DLP for Slack

Navigate to the Slack option, on the left hand side of the console.
This is the screen from which we will be setting up and operating the Nightfall for Slack integration. To create your first policy, please select the ‘+ New policy’ option:

Policy Scope

Once you name the policy, the first option for configuration will be the Scope. This scope refers to the channel types that you would like to monitor for this policy, both internal and external.
Monitoring can be done on Public/Private channels for both Internal AND Connect Slack channels.
In addition, the Enterprise edition of the Nightfall Slack integration allows you to monitor Direct Messages as well.
Furthermore, the Enterprise edition allows you to apply policies to all Workspaces or select specific Workspaces.

Scope Exclusions

As part of defining a Policy for Nightfall Pro DLP for Enterprise, you have the option to exclude certain users and apps from monitoring just as you do in the Pro edition. The Enterprise edition allows you to exclude channels as well. Messages sent to those channels or produced by those users and apps will not be scanned by Nightfall and will not cause alerts to be sent.

Excluding Channels

To exclude channels from monitoring, select the “+ Channels” button under the “Exclude from monitoring” sub-section of a Policy’s Scope.
The “Exclude Channels” modal window will pop up.
Enter the conversation ID in the “Add Channels” text box. You may add multiple channels by separating the conversation IDs with a comma.
To find a channel's conversation ID, right click the channel in Slack and copy the link. The conversation ID is the end of the link.
Copying a Slack conversation ID
https://yourco.slack.com/archives/C02GCEY0E5Z
Copy the text after the last slash and put it in the text box. After you have entered all your conversation IDs (separated by commas), click the "Enter" button.
The channel’s conversation ID will appear as a chiclet below the “Add Channels” input with a minus sign (“-”) next to it, clicking on which will remove the channel from the list of channels to add.
Once you have selected all the channels you wish to exclude, click the “Add” button to commit your selection and close the modal window. Clicking on “Cancel” will close the modal without adding any channels to the list of excluded Channels.
Messages sent to the channels you have added will not be scanned for policy violations.
The excluded channels will appear in a column labeled “Channels” under the “Exclude from monitoring” section.
To remove a channel from the list of “Excluded Channels,” click on the minus sign (“-“) next to the name of the channel in the list.
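The conversation ID step above, as an added example (not Nightfall's code): a Python helper that turns copied channel links into the comma-separated value for the “Add Channels” box and rejects links whose last path segment is not a channel ID, such as message permalinks. The ID pattern and the `slack.com` host check are assumptions about Slack's link format; the sample links are constructed.

```python
import re
from urllib.parse import urlparse

# Assumed ID shape: a type prefix (C, G or D) followed by uppercase
# letters and digits. Adjust if your workspace shows other prefixes.
CONVERSATION_ID = re.compile(r"^[CGD][A-Z0-9]{8,}$")

def conversation_id_from_link(link):
    """Return the conversation ID from a copied channel link, or raise ValueError."""
    parsed = urlparse(link.strip())
    if parsed.scheme != "https" or not (parsed.hostname or "").endswith(".slack.com"):
        raise ValueError(f"not a Slack link: {link!r}")
    parts = [p for p in parsed.path.split("/") if p]
    # Expect /archives/<conversation ID>. A message permalink carries an
    # extra /p<timestamp> segment, so "text after the last slash" is wrong there.
    if len(parts) != 2 or parts[0] != "archives":
        raise ValueError(f"not a channel link (message permalink?): {link!r}")
    if not CONVERSATION_ID.match(parts[1]):
        raise ValueError(f"unexpected conversation ID format: {parts[1]!r}")
    return parts[1]

def exclusion_list(links):
    """Return (comma-separated IDs for 'Add Channels', list of rejection reasons)."""
    ids, rejected = [], []
    for link in links:
        try:
            cid = conversation_id_from_link(link)
        except ValueError as err:
            rejected.append(str(err))
            continue
        if cid not in ids:  # drop duplicates, keep first-seen order
            ids.append(cid)
    return ",".join(ids), rejected

# Constructed sample input: two valid channels, one duplicate,
# one message permalink and one non-Slack host.
SAMPLE_LINKS = [
    "https://yourco.slack.com/archives/C02GCEY0E5Z",
    "https://yourco.slack.com/archives/C02GCEY0E5Z/",
    "https://yourco.slack.com/archives/G01ABCDEF23",
    "https://yourco.slack.com/archives/C02GCEY0E5Z/p1700000000000100",
    "https://example.com/archives/C02GCEY0E5Z",
]

if __name__ == "__main__":
    value, rejected = exclusion_list(SAMPLE_LINKS)
    print(value)
    for reason in rejected:
        print("rejected:", reason)
```

Review the rejected entries before saving the policy: an exclusion entered with the wrong ID leaves the intended channel monitored and may exempt a different one.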

Policy Detection Rules

You will now see the option to add your detection rules of choice to this Slack Policy. If you do not have any detection rules set up, please go here for more info on how to set up Detection Rules.
Once you have added your detection rules of choice, you can select the Automated Actions to take when a policy violation is detected.
For Slack Enterprise, the options are to:
  • Notify the user
  • Quarantine the message
  • Delete the message that caused the violation
  • Redact the content of the message that caused the violation
If you select the Quarantine option, the content of the message will be sent to the ‘#nightfall-content-slack’ channel, and the original message will be replaced with a tombstone message, indicating that the original message is no longer available.
Automated actions for Nightfall Enterprise DLP for Slack
As shown below, the set up has been completed and you can now save the policy.

Enforcing Policies within designated areas

You can now enforce a policy based on the location (workspace, channel or direct messages) within Slack - for example, you can apply different policies to public vs. private channels. The availability of this functionality depends on which Nightfall for Slack product you have:
Nightfall Pro for Slack: You can apply policies based on the channel type - public vs. private.
Nightfall Enterprise for Slack: You can apply policies based on message or channel type - public channel vs. private channel vs. direct messages.
  • You can apply policies to all or select Channels and Workspaces.
Configure Automated Actions
You can also select channels to include or exclude.