Learn how to configure the scope of a detection policy.
In this stage, you select the Integration for which the policy is created. In this case, Gmail integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Sensitive Data.
The tile for Microsoft Teams should state Connected if Directory Sync has been set up for the M365 tenant and the MS Teams application has been enabled for that tenant. Proceed to select the Microsoft Teams integration.
The Scope stage allows you to select an MS Office tenant in which the policy can be created. In the Scope section, you must also choose to monitor one of the following:
the messages exchanged between two users.
the messages exchanged between groups.
The following documents explain the process of configuring the Scope for messages exchanged between two users and the messages exchanged between groups.
Configure Scope for messages exchanged between users
Groups Scope for messages exchanged in Groups.
Learn how to configure a detection policy for Nightfall for Microsoft Teams
DLP policies are a set of rules that include specific conditions, actions, and exceptions that monitor and filter data. DLP policies also enable you to remediate any leakage of sensitive information from within your organization.
You can set up policies to scan data that is sent through some or all applications within your organization.
You can configure policies and choose to not apply them all the time.
Before you define a policy, or a set of policies, we recommend that you define the objectives of each policy, which can then be fulfilled when you configure the policy.
Here are a few important questions to ask before configuring your policies:
What data do you plan to monitor?
Where within the organization do you want to monitor?
What should be the scope of each policy?
What conditions must apply for the policy to match?
What exceptions/exclusions can be allowed?
What remediation actions should the policy take?
You can now configure policies on the Microsoft Teams integration to determine which tenants and teams must be monitored, and which ones excluded. You can also automate the remediation actions that you want Nightfall to perform on a policy violation.
The following documents help you set up Policies on MS Teams.
In this section, you select the Detection rules for the policy; if the rules you need do not exist yet, you can create them here. To learn more about how to configure detection rules, see Configuring Detection Rules.
To select detection rules, select the detection rules from the list of rules that are displayed.
You can also sort the rules that you want to view.
All Detection Rules: View all detection rules created
Selected Detection Rules: View detection rules that are selected and mapped to this policy
Unselected Detection Rules: View detection rules that are neither selected nor mapped to this policy.
Click Next.
To monitor the chat messages between individual users for sensitive data, you must first configure the Directory Sync feature for your Azure Entra account. This configuration gives Nightfall access to the list of users in your Azure account, so that Nightfall can monitor the messages sent between those users.
To monitor Chats, you must perform the following.
Configure the Directory Sync feature. Refer to this document.
Once you complete the configuration, you must perform the steps mentioned in the #monitoring-chats document.
To Monitor Chat messages:
Enable the toggle switch, if not enabled.
Click Add Tenant and select the tenant to be monitored.
The Add Tenant button is displayed only if your organization has registered multiple M365 tenants with Nightfall. If your organization has registered a single M365 tenant, the tenant is selected by default and you will not see the Add Tenant button.
In the above image, you can see that the first two tenants are greyed out. This implies that the Directory Sync is not configured for these tenants. In such tenants, you can only monitor messages sent in groups and not messages sent between individual users.
For the selected tenant, you must select the users to be monitored. You can choose to monitor either all the users in the tenant or specific users or groups of users.
When you select the Specific user(s) & group(s) option, two new drop-down menus are displayed. These menus allow you to select specific users or groups of users to be monitored.
When you choose to monitor all the users, you may also choose a specific list of users or groups of users to exclude from monitoring. This is an optional configuration and you can skip it if you wish to monitor all the users.
To exclude specific users and groups, select the users or groups in the exclusion section.
The Exclusion section is not applicable if you select the Specific user(s) & group(s) option in the Inclusion section.
Acme Corp wishes to monitor the messages exchanged between all the users. They configure the Directory Sync for their MS Entra account and select the All users option in the inclusion section. However, they realize that there is an internal group in which users share dummy API keys, passwords, and credit card details for testing. This group is called the Test group. To avoid false positive alerts, Acme Corp adds the Test group to the exclusion section so that it is excluded from monitoring.
When an end user violates a policy in MS Teams, a notification is generated based on the notification settings configured by you in the policy configurations.
This document explains where you can find notifications on policy violations and what actions can be taken.
To view the Nightfall violations page:
Navigate to the Violations page in Nightfall.
Apply filters to view only MS Teams violations.
(Optional) Modify the days filter to view historical violations. You can view violations up to the past 180 days.
(Optional) Hover over a violation to view its severity. You can also check how likely it is that the detected violation is an actual violation (Likely, Very Likely).
Click the ellipsis menu in the right corner of the violation to view the list of actions that you can take on the violation.
Click on any violation to view the exact data that caused the violation (highlighted in red). You can click Expand details to view further details.
If you have configured Email Notification in Admin Alerting, Nightfall admins receive the Email notification. This Email allows admins to take actions from within the Email.
If you have configured Email Notification in the Automation section of End user notification settings, end users receive an email from Nightfall. This Email allows end users to take actions from within the Email.
When a violation occurs, the end user who triggered the violation receives an Email to their registered Microsoft account. The Email looks as follows.
If you have enabled end-user remediation in policy settings, based on the options selected in end-user remediation, end-users can view two options. They can either choose to Remediate in Teams or Report as False Positive. The options to Remediate in Teams or Report as False Positive are displayed in the Email only if you have configured them in the end-user remediation section of the policy.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click back to modify any of the policy configurations.
Click Submit.
Edit the detection policy before putting it to work.
This stage allows you to select notification channels if a policy violation occurs. The notification alerts are sent at two levels.
This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.
Slack Alert: Select a Slack channel to which the violation alerts must be sent. To configure this alert method, Slack must be enabled as an Alert method. To learn more about configuring Slack as an alert channel, refer to this document.
Jira Alert: Select the JIRA project and other parameters. A JIRA ticket is created in the selected JIRA project for each policy violation.
Email Alert: Enter the Email address of the recipient who needs to be notified about policy violations.
Webhook Alert: Configure webhook URL and headers.
When you configure alerts to a Webhook, Nightfall AI sends occasional posts to:
To validate that the Webhook is properly configured before the policy is saved.
Periodically thereafter to ensure that the Webhook is still valid.
The response to the test Webhooks is a 200 status code if successful.
An example of a Webhook request is as follows.
This is part of alert event consumption and can be ignored.
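The validation and periodic test posts described above only succeed if your endpoint answers with a 200 status code. The following receiver is an added example written for this page; it is not Nightfall's code and does not show Nightfall's real alert payload, which the page does not reproduce. It assumes the posts carry a JSON body (an assumption of the example) and acknowledges an empty validation post with 200 so the policy can be saved, while rejecting malformed JSON with 400 so that a misconfigured sender shows up in your logs instead of being silently accepted.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Events accepted so far. A production receiver would hand these to a queue or SIEM.
RECEIVED = []


def handle_webhook(body):
    """Decide the HTTP status for one POST body (a str) and return (status, event).

    200 tells Nightfall the post was accepted; this covers both the validation
    post sent before the policy is saved and the periodic re-checks. The JSON
    body format is an assumption of this example, not something the page documents.
    """
    if body.strip() == "":
        # Empty validation post: acknowledge it so the policy can be saved.
        return 200, {}
    try:
        event = json.loads(body)
    except json.JSONDecodeError:
        # Not a well-formed alert: surface the problem rather than swallow it.
        return 400, None
    RECEIVED.append(event)
    return 200, event


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end around handle_webhook; only POST is served."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        status, _ = handle_webhook(body)
        # Log the peer address with the decision so validation failures are traceable.
        self.log_message("webhook from %s -> %d", self.client_address[0], status)
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Listen on localhost only; put a TLS-terminating reverse proxy in front for real use.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Run the script, point the policy's Webhook URL at the listener (through a TLS proxy in practice), and the validation post should be logged with a 200 decision before the policy saves.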
Click Next.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
Custom Message: Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink www.nightfall.ai with the text Nightfall website, you must write <www.nightfall.ai|Nightfall website>
Automation: You can select Email as an automated notification method. You must turn on the toggle switch to use this option.
The End-user remediation (also known as Human Firewall) section allows you to configure remediation measures that end users can take when a violation is detected on their MS Teams operations. You must turn on the toggle switch to use this option. The various available options are as follows.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
Report as False Positive: This option allows end users to report false positive alerts.
When a Violation is Reported as False Positive: You can use this option to set actions to be taken when a violation is reported as false positive by the end-user. You can either set the remediation to be automatic or manual.
Remind Every (until Violation expires): You can use this option to set a reminder for the end-user to take action on the violation. You can choose to remind the end user every 24, 48, or 72 hours.
Learn how to configure the detection rules that are part of a detection policy.
This document explains the process to configure the Scope section for messages sent in various groups of MS Teams.
To configure the Scope:
Enable the toggle switch for Teams.
Click + Add Tenant and select the tenant.
Once you select the tenant, you must select which Teams and Channels of the selected tenant must be monitored by Nightfall. This selection is made in the Include in monitoring section.
To learn more about Teams and Channels in MS Teams, you can refer to this Microsoft documentation.
Click the All teams radio button to monitor all the teams. This option monitors all the existing Teams present under the selected tenant. Additionally, any Team(s) created in the future will also be automatically included for monitoring.
(applicable only if you did not select the All teams option) Click the Specific team(s) radio button to select the specific team(s) to be monitored.
Once you select the Specific team(s) option, a new field, Teams, appears. This field allows you to select the required teams by name, as shown in the following image.
The Group of Teams option allows you to select a set of Teams by entering a text string that may partially match a Team name. You can navigate to this site to generate a regular expression pattern. The supported substring match operations are as follows.
Starts With: Use this option to enter a text string which should match the start of a Team's name.
Ends With: Use this option to enter a text string which should match the end of a Team's name.
Contains: Use this option to enter a text string which should match a part of a Team's name.
Example Scenario for Patterns
Let's consider that some of the teams in your MS Teams tenant also have external stakeholders (people who are not part of your organization). Teams with external stakeholders are named ext-dev, ext-cs, ext-qa, and so on. To monitor all the external teams, you can use the Starts With option and enter the substring ext-.
Similarly, if all the team names that have external stakeholders end with ext (dev-ext, qa-ext, cs-ext), you can select the Ends With option and enter the substring -ext.
Similarly, if you have used the word ext anywhere in the team name, you can select the Contains option and enter the substring ext.
Once you select the required teams, you must select which channels of the selected teams are to be monitored. Nightfall provides the following options to select channels.
Private Channels: This option monitors all the private channels of the selected team(s).
Public Channels: This option monitors all the public channels of the selected team(s).
Shared Channels: This option monitors all the shared channels of the selected team(s).
The Exclusion section allows you to exclude certain channels from being monitored. You can enter a text string that should be present in the channel name that needs to be excluded.
This section is optional and you can skip it. You must configure this section only if you wish to exclude certain channels from being monitored.
To use the exclusion section, click Create a new Exclusion Rule and select Channel Exclusion. You can navigate to this site to generate a regular expression pattern.
Channel Exclusion: This field allows you to enter a string that should be present in the Channel name for channels to be excluded from being monitored. The various options are as follows.
Starts With: Use this option to enter a string that should be present at the start of the Channel name.
Ends With: Use this option to enter a string that should be present at the end of the Channel name.
Contains: Use this option to enter a string that should be present in the Channel name.
Consider that you wish to monitor all the channels in your MS Teams. However, a few test channels were created internally just for testing, and you wish to exclude them. There are many such channels, and more may be created in the future, so adding each newly created test channel to the exclusion list by hand would be cumbersome.
Instead, you can use the Channel Exclusion option, select the Contains option, and enter the text string "test".
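The Group of Teams patterns (Starts With, Ends With, Contains) and the Channel Exclusion rules both reduce to anchored substring matches. The script below is an added example, not Nightfall's code; it reconstructs that matching over a constructed sample tenant so you can see, before saving a policy, which teams a pattern selects and which channels an exclusion removes. The team and channel names are made up, and case-sensitive matching is an assumption of the example (the page does not say how Nightfall treats case). It also shows the caveat a practitioner should check: Contains "ext" also pulls in a team such as context-docs, and Contains "test" also excludes any channel whose name merely happens to contain that substring.

```python
import re

# Constructed sample tenant (not real data): team name -> {channel name: channel kind}.
SAMPLE_TEAMS = {
    "ext-dev": {"general": "public", "test-builds": "private", "partner-sync": "shared"},
    "ext-cs": {"general": "public", "escalations": "private"},
    "qa-ext": {"general": "public", "smoke-test": "public"},
    "context-docs": {"general": "public", "drafts": "private"},
    "internal-finance": {"general": "public", "test-data": "private"},
}

OPS = ("starts_with", "ends_with", "contains")


def pattern_to_regex(op, text):
    """Turn one substring operation into an anchored regular expression.

    re.escape keeps characters such as '-' and '.' literal, so a substring like
    'ext-' cannot be misread as regex syntax. Matching is case-sensitive here,
    which is an assumption of this example.
    """
    if op not in OPS:
        raise ValueError(f"unknown operation: {op}")
    escaped = re.escape(text)
    if op == "starts_with":
        return re.compile("^" + escaped)
    if op == "ends_with":
        return re.compile(escaped + "$")
    return re.compile(escaped)


def select_teams(teams, op, text):
    """Names of the teams that a Group of Teams rule would include."""
    rx = pattern_to_regex(op, text)
    return sorted(name for name in teams if rx.search(name))


def resolve_scope(teams, team_rule, channel_kinds, exclusion_rules=()):
    """Compute which channels end up monitored.

    team_rule       -- None for 'All teams', or (op, text) for a Group of Teams rule
    channel_kinds   -- the subset of {'private', 'public', 'shared'} switched on
    exclusion_rules -- iterable of (op, text) Channel Exclusion rules
    Returns {team: [monitored channel, ...]}; teams left with no channels are dropped.
    """
    selected = sorted(teams) if team_rule is None else select_teams(teams, *team_rule)
    excluders = [pattern_to_regex(op, text) for op, text in exclusion_rules]
    scope = {}
    for team in selected:
        kept = [
            channel
            for channel, kind in teams[team].items()
            if kind in channel_kinds and not any(rx.search(channel) for rx in excluders)
        ]
        if kept:
            scope[team] = sorted(kept)
    return scope


if __name__ == "__main__":
    for op, text in (("starts_with", "ext-"), ("ends_with", "-ext"), ("contains", "ext")):
        print(f"{op} {text!r}: {select_teams(SAMPLE_TEAMS, op, text)}")
    all_kinds = {"private", "public", "shared"}
    print(resolve_scope(SAMPLE_TEAMS, None, all_kinds, [("contains", "test")]))
```

Running it prints the teams each pattern selects and the per-team channel list that survives an "all teams, all channel kinds, exclude Contains 'test'" configuration; compare that list with the channels you actually intend to monitor before submitting the policy.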