Nightfall’s Slack integration offers the ability to set up automated remediation workflows. In general, we recommend that before setting up automated remediation workflows, you first test detection using manual workflows. Once you have tuned detection and identified the recurring types of violations and the remediation action each requires, you can automate the process.
Slack alerts on violations in real time, and remediation actions are taken from within the Slack interface.
Manual Slack remediation options appear as options within the violation alert, and include:
Delete the violation (Pro and Enterprise)
Notify the end user
Quarantine the violation (places the violation in the “Content” channel and the “Quarantine” channel) (available on the Nightfall for Slack Enterprise plan only)
Automated actions are also available for the Slack Pro and Slack Enterprise integrations, as illustrated below:
For Slack Pro, the options for Automated Actions are to Notify the user, or to Delete the message that caused the violation.
For Slack Enterprise, the options are to Notify the user, Quarantine the message, or to Delete the message that caused the violation.
If you select the Quarantine option, the content of the message will be sent to the ‘#nightfall-content-slack’ channel, and the original message will be replaced with a tombstone message, indicating that the original message is no longer available.
The channel that receives alert messages for policy violations is #nightfall-alerts-slack. For messages that are quarantined, an alert is also sent to the #nightfall-quarantine-slack channel.