This stage allows you to select the notification channels that are used when a policy violation occurs. Notification alerts are sent at two levels.
This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.
The alerts configured in this section are policy-level alerts. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the Slack policies, you must configure alerts at the integration level. To learn more about how to configure integration-level policies for Slack integration, read this document.
Slack Alert: Select a Slack channel to which the violation alerts must be sent. To configure this alert method, Slack must be enabled as an Alert method. To learn more about configuring Slack as an alert channel, refer to this document.
Jira Alert: Select the Jira project and other parameters. A Jira ticket is created in the selected Jira project for each policy violation.
Email Alert: Enter the Email address of the recipient who needs to be notified about policy violations.
Webhook Alert: Configure webhook URL and headers.
When you configure alerts to a Webhook, Nightfall AI sends occasional posts:
• To validate that the Webhook is properly configured before the policy is saved.
• Periodically thereafter, to ensure that the Webhook is still valid.
The response to the test Webhooks is a 200 status code if successful.
An example of a Webhook request is as follows.
This is part of alert event consumption and can be ignored.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your own message. The maximum length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link|text>. For example, to hyperlink www.nightfall.ai with the text Nightfall website, you must write <www.nightfall.ai|Nightfall website>.
You can select one of the following methods. You must turn on the toggle switch to use this option.
Via Email: This option sends an Email to the end user.
Via Slack: This option sends a Slack notification to the end user in a pre-configured channel.
End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take when a violation is detected on their GitHub operations. You must turn on the toggle switch to use this option. The various available options are as follows.
Delete: This option allows the end-user to delete the message that caused the violation.
Redact: This action replaces the sensitive data with an asterisk, except for the first two characters.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
Report as False Positive: This option allows end users to report false positive alerts.
When a Violation is Reported as False Positive: You can use this option to set actions to be taken when a violation is reported as false positive by the end-user. You can either set the remediation to be automatic or manual.
Remind Every (until Violation expires): You can use this option to set a reminder for the end-user to take action on the violation. You can choose to remind the end user every 24, 48, or 72 hours.
Learn how to set up Nightfall policies to determine which Slack channels, DMs, and workspaces are monitored.
DLP policies are a set of rules that include specific conditions, actions, and exceptions that monitor and filter data. DLP policies help you to monitor and remediate the flow of sensitive data within your organization. Depending on your Nightfall policy configuration, you can set up policies to monitor data that is sent through some or all applications within your organization. You can configure policies and choose to not apply them all the time.
Before you define a policy, or a set of policies, you must define the objectives of each policy, which can then be fulfilled when you configure the policy. Here are a few important questions to ask before configuring your policies:
• What data do you plan to monitor?
• Where within the organization do you want to monitor?
• What should be the scope of each policy?
• What conditions must apply for the policy to match?
• What exceptions/exclusions can be allowed?
• What remediation actions should the policy take?
You can now set up policies to determine which Slack channels are monitored (and which are excluded) for violations and what actions Nightfall must take. Policies determine the content that will be scanned by Nightfall, and workflows that are followed to manage violations.
Policies for Slack integration allow you to define configurations specific to Slack, such as how to handle messages for particular channels or use automated actions such as Quarantine.
Creating a Nightfall policy involves the following tasks:
Create Policies
Define the policy scope and exclusions
Configure Detection Rule
Configure Automated Actions
Note: Instructions to configure policies differ for Slack Pro and Slack Enterprise options. Refer to the Slack tier that you are using.
In this stage, you select the Integration for which the policy is created. In this case, Slack integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select the Slack integration.
In this section, you can select the detection rules for the policy. If the detection rules are not already created, you can create them. To learn more about how to configure detection rules, see .
To select detection rules, select the detection rules from the list of rules that display.
You can also sort the rules that you want to view.
All Detection Rules: View all detection rules created
Selected Detection Rules: View detection rules that are selected and mapped to this policy
Unselected Detection Rules: View detection rules that are neither selected nor mapped to this policy.
Click Next.
This document explains how to set up the Policy Scope for the Slack Enterprise edition. If you are using the Slack Pro or Slack Business+ edition, you must refer to .
The Scope stage allows you to select Slack Channels, Connections, and Direct Messages (DMs) which must be scanned by the policy.
You must add the Nightfall Pro Slack application to all the channels that you wish to scan with Nightfall.
To configure the Policy Scope for the Slack Enterprise edition:
Select one of the following options under the Select Workspaces and Channels section. The scope of this policy is limited to only those Workspaces, channels, and connections that you select in this section.
Workspaces: Select the Select All check box to scan the data in all your Slack workspaces. If you wish to scan only a few workspaces, select the check box(es) of the workspaces to be scanned.
Channels: Select the Select All check box to scan the data in all your Slack channels. Select the Public Channels check box to scan data only in your Public Slack Channels. Select the Private Channels check box to scan data only in your private Slack channels. Select the Direct Messages check box to scan messages shared by individuals in direct messages.
Connections: Select the Select All check box to scan the data in all your Slack connections. Select the Public Connect Channels check box to scan data only in your Public connect Slack Channels. Select the Private Connect Channels check box to scan data only in your private connect Slack channels. Select the Direct Messages check box to scan data shared by individuals as direct messages in shared channels.
The Exclusion settings allow you to exclude specific users or apps (from within the selected monitoring scope) from being scanned. For instance, if you have selected the Select All option in the Channels section, all the channels are included for scanning. If you then wish to exclude any specific channel(s), you can configure this in the Exclusions section.
The exclusions section is optional and you can proceed without configuring it if you wish all your data to be scanned.
To set up exclusions:
(Applicable only if you executed step 2 in the previous section.) Click the Workspaces radio button.
Select one of the following options under the Exclusions section.
(Optional) Select the name of the users to be excluded, from the Exclude Users drop-down menu.
(Optional) Select the name of the applications to be excluded, from the Exclude Apps drop-down menu.
If you have chosen to monitor specific Slack channels (step 2 in the previous section), you can additionally select specific users and applications (that are part of the selected Slack channels) to be excluded from scanning. The following step explains how to accomplish this.
Click the Specific channel(s) radio button.
Select one or both of the following options.
Select the name of the users to be excluded, from the Exclude Users drop-down menu.
Select the name of the applications to be excluded, from the Exclude Apps drop-down menu.
Click Next.
To view and copy the Channel ID of a Slack channel:
Click the required Slack Channel.
Click the Get channel details button.
Navigate to the bottom and click the Copy channel id button.
This section describes the various actions that Nightfall takes automatically when a violation is detected. You must turn on the toggle switch to enable an action. You can also set the timeline as to when an action must be taken (immediately after detecting a violation or after some time).
Currently, Nightfall supports the Delete, Quarantine, and Redact automated actions for the Slack Enterprise edition. The three actions are mutually exclusive. You can only configure one of the three actions in a policy.
You must first turn on the toggle switch to enable any of the automated actions.
Once you enable the toggle switch, you can configure when the action must be applied.
If you select Immediately, the action is applied automatically as soon as the sensitive data is detected.
If you select After, you must also set the time frame after which the action is applied once the sensitive data is detected.
The available actions are described as follows.
The Delete action automatically deletes the message or attachment that has sensitive data. This is a permanent action and cannot be reverted.
The Redact action replaces the sensitive data with an asterisk, except for the first two characters. This is a permanent action and cannot be reverted.
The Quarantine action temporarily removes files or messages from the original Slack channel and places them in a quarantined Nightfall Slack channel for further review. When a Slack message is quarantined, the Slack Workspace administrator can review the quarantined messages and take one of the following actions:
Accept: If the Slack Workspace administrator is confident that the quarantined message does not contain any sensitive data, they can Accept the message. Accepted messages are sent to the intended recipients.
Reject: If the Slack Workspace administrator is confident that the quarantined message contains sensitive data, they can Reject the message. Rejected Slack messages are not sent to the intended recipients.
Refer to and pages for the procedures to configure policies for Nightfall for Slack.
(Optional) To select specific channels to be scanned, you must first click the Specific channel(s) radio button. You must then enter the Slack channel ID of the channels that you wish to be scanned. To learn more about how to find the Channel ID of a Slack channel, see .
(Optional) Enter the Slack channel ID of the channels that you wish to be scanned. To learn more about how to find the Channel ID of a Slack channel, see .
When an end user violates a policy in GitHub, a notification is generated based on the notification settings configured by you in the policy configurations.
This document explains where you can find notifications on policy violations and what actions can be taken.
To view the Nightfall violations page:
Navigate to the Violations page in Nightfall.
Apply filters to view only Slack violations.
(Optional) Modify the days filter to view historical violations. You can view violations for up to the past 180 days.
You can also use the search bar to search Slack violations. The difference between the search bar and the filters is that the search bar searches across all the Slack violations. You need not apply a time filter after applying the search bar filter.
(Optional) Hover over a violation to view the severity of the violation. You can also check how likely it is that the detected violation is an actual violation (Likely, Very Likely).
Click the ellipsis menu in the right corner to view the list of actions that you can take on the violation.
Click on any violation to view the exact data that caused the violation (highlighted in red).
When a data leak occurs, Slack sends an Email to end users, if they have configured Email as a Notification method in their Slack account.
Additionally, if you have configured Email Notification in Admin Alerting, Nightfall admins receive the Email notification.
If you have configured Email Notification in the Automation section of End User Notification settings, end users receive an email from Nightfall. This Email allows end users to take actions from within the Email.
The Email received by Nightfall admins and end users (if configured) looks as follows.
If you have configured Slack as a Notification in the Automation section of End User Notification, end users can view the violation notification from within Slack.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click Back to modify any of the policy configurations.
Click Submit.