When an end user violates a Gmail policy by sending an Email that contains sensitive data, a notification is generated based on the notification settings you configured in the policy.
This document explains where you can find notifications on policy violations and what actions can be taken.
To view the Nightfall violations page:
Navigate to the Violations page in Nightfall.
Apply filters to view only Gmail violations.
(Optional) To view historic alerts, set the date filter appropriately.
(Optional) Hover over a violation to view the severity of the violation (Likely, Very Likely). You can also check if a violation has active credentials.
Click on any Violation to view the details.
Click on any violation to view the exact data that caused the violation (highlighted in red). You can click Expand details to view further details.
Some of the important points from the detailed view are as follows (the numbers in the image are callouts explained below).
1 - The sensitive data findings that were found in the Email. One finding was Highly Likely (highlighted in red) and the other was Likely (highlighted in yellow).
2 - The current status of the Violation. The various statuses for Gmail are as follows.
Blocked - The email was blocked.
Quarantined Email - The email has been quarantined.
Released Email - The email was quarantined but was later released.
Attachment Deleted - The email was sent but the attachment was deleted since it contained sensitive data.
Processing - Nightfall is assessing the Email for sensitive data.
3 - The nature of sensitive data found in the Email (API key in this case).
For more information on Violations, see Violations.
If you have configured Email Notification in Admin Alerting, Nightfall admins receive the Email notification. This Email allows admins to take actions from within the Email.
If you have configured Email Notification in the Automation section of End user notification settings, end users receive an email from Nightfall. This notification allows end users to take remedial actions from within the Email. The available remedial actions depend on the settings configured in the end user remediation section.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Click Next.
Verify that all the policy configurations are set up as per your requirements.
(Optional) Click back or click on any specific stage to modify any of the policy configurations.
Click Save Changes.
In this section, you can select the detection rules for the policy. If the detection rules you need are not already created, you can create them. To learn more about how to configure detection rules, see .
You can use the search bar to search for a detection rule by its name.
Once the required detection rules are displayed, you can select the required detection rules by ticking the respective check box. When you select any detection rule, you can view three options.
These three options are related to the display of detection rules.
All Detection Rules: This option displays all the available detection rules, irrespective of the detection rule(s) selected.
Selected Detection Rules: This option displays only those detection rules that you have selected.
Unselected Detection Rules: This option displays only those detection rules that you have not selected.
Select the check box(es) of all the detection rules you wish to include in the policy. The policy evaluates only those detection rules that you have selected here. Once you select all the required detection rules, click Next to move to the next stage.
DLP policies are a set of rules that include specific conditions, actions, and exceptions that monitor and filter data. DLP policies also enable you to remediate any leakage of sensitive information from within your organization.
You can set up policies to scan data that is sent through some or all applications within your organization.
You can configure policies and choose to not apply them all the time.
Before you define a policy or a set of policies, we recommend that you define the objectives of each policy, which can then be fulfilled when you configure the policy.
Here are a few important questions to ask before configuring your policies:
What data do you plan to monitor?
Where within the organization do you want to monitor?
What should be the scope of each policy?
What conditions must apply for the policy to match?
What exceptions/exclusions can be allowed?
What remediation actions should the policy take?
You can now configure policies on the GitHub integration to determine which repositories are monitored, and which ones are excluded from monitoring. You can also automate the remediation actions that you want Nightfall to perform on a policy violation.
The process of creating policies in Nightfall consists of six stages, listed as follows.
This stage allows you to select notification channels if a policy violation occurs. The notification alerts are sent at two levels.
This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.
The alert configurations configured in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the Gmail policies, you must configure alerts at the integration level. To learn more about how to configure integration-level policies for the Gmail integration, read .
The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to for steps.
Automated actions allow you to configure automated remediation actions when sensitive data is found in an Email. Nightfall supports two automated actions for Gmail DLP.
Block: The Block action blocks the Email and prevents it from being sent to the recipient. The sender receives a notification email that states that their Email was not sent to the recipient.
Quarantine Email: The Quarantine action quarantines the email that contains sensitive data. A Nightfall admin can review the quarantined Email to check whether the data is sensitive and then decide whether the Email must be sent to the recipient or blocked permanently.
To enable the automated actions you must turn on the respective toggle switch.
If you do not enable either of the two automated actions, the Email with sensitive data is sent to the recipient. Nightfall recommends that you enable at least one of the two actions.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
The automation settings allow you to send notifications to end users. You can select one or both of the notification methods. You must first turn on the toggle switch to use the automation option. The automation notification channels are as follows.
Email: This option sends an Email to the user who sent the email with sensitive data.
Slack: This option sends a Slack message to the Gmail user who sent the email with sensitive data.
End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take when a violation is detected in their Gmail Emails. You must turn on the toggle switch to use this option. End users receive the remediation actions in an Email as an action item. The available actions in that Email depend upon the actions that you select in this section. The various available remediation actions for end users are as follows.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
Report as False Positive: This option allows end users to report false positive alerts.
When end users report alerts as false positive, you can choose the resolution method to be either Automatic or Manual.
If end-users do not take any remediation action, you can set the frequency at which they must receive the notifications to take action.
In this stage, you select the Integration for which the policy is created. In this case, Gmail integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Sensitive Data.
Select the Gmail integration.
To learn more about how automated actions impact the end-user and Nightfall admin, see .
Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to add a hyperlink with the text Nightfall website, you must write <www.nightfall.ai|Nightfall website>.
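A pre-flight check for a draft custom message, as an added example that is not Nightfall's own code: it applies the 1000-character limit and the <link | text > syntax described above and lists every link so it can be reviewed before the policy is saved. The function name, the allowed_hosts parameter, and the choice to count markup toward the limit are assumptions.

```python
import re

MAX_CHARS = 1000  # character limit stated on this page
# <link|text>, tolerating spaces around the pipe as in "<link | text >"
LINK_TOKEN = re.compile(r"<\s*([^<>|]*?)\s*\|\s*([^<>|]*?)\s*>")
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def lint_custom_message(message, allowed_hosts=()):
    """Return (links, problems) for a draft end-user notification message.

    Assumptions (not from Nightfall): the limit counts the raw text,
    markup included; allowed_hosts is a local allow-list you maintain.
    """
    links, problems = [], []
    if len(message) > MAX_CHARS:
        problems.append(f"message is {len(message)} characters; limit is {MAX_CHARS}")

    for match in LINK_TOKEN.finditer(message):
        link, text = match.group(1), match.group(2)
        if not link or not text:
            problems.append(f"empty link or text in {match.group(0)!r}")
            continue
        # Drop an optional scheme and any path to isolate the host part.
        host = SCHEME.sub("", link).split("/")[0].lower()
        if allowed_hosts and host not in allowed_hosts:
            problems.append(f"link host {host!r} is not on the allow-list")
        links.append((link, text))

    # Angle brackets that survive removal of well-formed tokens are malformed.
    leftover = LINK_TOKEN.sub("", message)
    if "<" in leftover or ">" in leftover:
        problems.append("unbalanced or malformed <link|text> markup")
    return links, problems


if __name__ == "__main__":
    # Constructed sample draft, using the example link from this page.
    draft = ("Nightfall found sensitive data in an Email you sent. "
             "See <www.nightfall.ai|Nightfall website> for details.")
    print(lint_custom_message(draft, allowed_hosts={"www.nightfall.ai"}))
```

An empty allowed_hosts skips the host check, so the function then only validates length and markup.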