Learn how to automate remediation actions in Nightfall for Zendesk
This stage allows you to select notification channels if a policy violation occurs. The advanced settings page consists of the following configurations.
Admin Alerting: This section describes the process of setting alerts for Nightfall administrators when a policy violation is detected.
Automated Actions: This section describes the automated actions that can be taken when a policy violation is detected.
End User Notification: This section describes the process of setting alerts for end users (a person whose action caused a violation) when a policy violation is detected.
This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.
Slack Alert: Select a Slack channel to which the violation alerts must be sent. To configure this alert method, Slack must be enabled as an Alert method. To learn more about configuring Slack as an alert channel, refer to this document.
Jira Alert: Select the JIRA project and other parameters. A JIRA ticket is created in the selected JIRA project for each policy violation.
Email Alert: Enter the Email address of the recipient who needs to be notified about policy violations.
Webhook Alert: Configure the webhook URL and headers.
When you configure alerts to a Webhook, Nightfall AI sends occasional posts to the Webhook:
To validate that the Webhook is properly configured before the policy is saved.
Periodically thereafter to ensure that the Webhook is still valid.
The response to the test Webhooks is a 200 status code if successful.
An example of Webhook request is as follows.
This is part of alert event consumption and can be ignored.
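A receiver for the Webhook Alert described above, added here as an example and not taken from Nightfall's documentation or code: it authenticates each post against a header you set in the Webhook Alert configuration and answers 200 so that the validation and periodic test posts succeed. The header name, secret, listening address and the `violation` payload key are assumptions, because the page does not show the request format.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions (not from the Nightfall docs): the header name and secret are
# values you chose in the Webhook Alert "headers" field, and "violation" is a
# made-up payload key standing in for whatever your alert events carry.
AUTH_HEADER = "X-Webhook-Token"
SECRET = "replace-with-a-long-random-value"

def is_alert(event):
    """Hypothetical predicate: treat posts without alert data as test posts."""
    return isinstance(event, dict) and "violation" in event

def handle_post(headers, body, secret=SECRET):
    """Return (status, disposition) for one incoming webhook post."""
    supplied = headers.get(AUTH_HEADER, "")
    # Constant-time comparison so the secret cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied.encode(), secret.encode()):
        return 401, "rejected"
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "malformed"
    # Authenticated posts always get 200 so validation and periodic checks pass;
    # posts that carry no alert data are acknowledged and otherwise ignored.
    return 200, "alert" if is_alert(event) else "ignored"

class Receiver(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, disposition = handle_post(self.headers, self.rfile.read(length))
        self.send_response(status)
        self.end_headers()
        self.wfile.write(disposition.encode())

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Receiver).serve_forever()
```

In production, serve this behind TLS and hand "alert" events to a queue rather than processing them inside the request handler.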
This section describes the various actions that Nightfall takes automatically when a violation is detected. You must turn on the toggle switch to enable an action. All the automated actions are permanent and cannot be reversed once applied. You can also set the timeline as to when an action must be taken (immediately after detecting a violation or after some time).
The various automated actions are described as follows.
Redact: This action redacts all the sensitive information found in the comments of Zendesk tickets that are monitored by this policy. You can turn on the toggle switch to enable this action. You must also select the timeline as to when this action must be taken after a policy violation is detected. You can either choose to take the action immediately after detecting a violation or after a few minutes, hours, or days.
Delete Attachment: This action deletes any attachments in the Zendesk ticket's comments that contain sensitive information. You can turn on the toggle switch to enable this action. You must also select the timeline as to when this action must be taken after a policy violation is detected. You can either choose to take the action immediately after detecting a violation or after a few minutes, hours, or days.
Mark as Private: This action modifies the permission of the comment (on which sensitive information is detected) from public to internal note. Once the comment is converted to an internal note, end users cannot view it anymore. You can turn on the toggle switch to enable this action. You must also select the timeline as to when this action must be taken after a policy violation is detected. You can either choose to take the action immediately after detecting a violation or after a few minutes, hours, or days.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
Custom Message: Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink www.nightfall.ai with the text Nightfall website, you must write <www.nightfall.ai|Nightfall website>.
Automation: You can select Email, Slack, or both as an automated notification method. You must turn on the toggle switch to use this option. Based on the options selected, end users receive notifications on the Email account associated with Zendesk, on the configured Slack account, or on both.
The End-user remediation (also known as Human Firewall) section allows you to configure remediation measures that end users can take when a violation is detected on their Zendesk ticket. You must turn on the toggle switch to use this option. The various available options are as follows.
Redact: This action redacts all the sensitive information found in the Zendesk ticket's comments. To allow end-users to implement this action, you must disable it from the Automated Actions section.
Delete Attachment: This action deletes any attachments in the Zendesk ticket's comments that contain sensitive information. To allow end-users to implement this action, you must disable it from the Automated Actions section.
Mark as Private: This action modifies the permission of the comment (on which sensitive information is detected) from public to internal note. To allow end-users to implement this action, you must disable it from the Automated Actions section.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
Report as False Positive: This option allows end users to report false positive alerts.
When a Violation is Reported as False Positive: You can use this option to set actions to be taken when a violation is reported as false positive by the end-user. You can either set the remediation to be automatic or manual.
Remind Every (until Violation expires): You can use this option to set a reminder for the end-user to take action on the violation. You can choose to remind the end user every 24, 48, or 72 hours.
Learn how to set up Nightfall policies for your Zendesk instances
DLP policies are a set of rules that include specific conditions, actions, and exceptions that monitor and filter data. These policies also enable you to remediate any leakage of sensitive information from within your organization.
You can set up policies to scan data that is sent through some or all applications within your organization.
You can configure policies and choose to not apply them all the time.
Before you define a policy, or a set of policies, we recommend that you define the objectives of each policy, which can then be fulfilled when you configure the policy.
Here are a few important questions to ask before configuring your policies:
What data do you plan to monitor?
Where within the organization do you want to monitor?
What should be the scope of each policy?
What conditions must apply for the policy to match?
What exceptions/exclusions can be allowed?
What remediation actions should the policy take?
You can now configure policies on the Zendesk integration to determine which instances and files must be monitored, and which ones excluded. You can also automate the remediation actions that you want Nightfall to perform on a policy violation.
You can now set up policies on Nightfall that will be applied on the Zendesk integration, and monitor data on Zendesk for policy violations. Refer to Creating Policies to learn about how to create policies.
The following documents help you create Policies specifically for the Zendesk integration.
Learn how to add detection rules to your Nightfall policy
The Scope stage allows you to select an MS Office tenant in which the policy can be created.
To configure Policy Scope:
Click + Add Instances and select an instance.
Select one of the following options under the Include in Monitoring section. The scope of this policy is limited to only those categories of tickets which are selected in this section.
New: This option adds all the newly created tickets to be monitored.
Pending: This option adds all the pending tickets to be monitored.
Open: This option adds all the open tickets to be monitored.
Solved: This option adds all the solved tickets to be monitored.
To select all the tickets, click Select All.
The Exclude from Monitoring section allows you to exclude Groups and Agents from the policy scope. It is optional and you can proceed without configuring this section, if you wish to maintain the scope of the policy to all the Groups and Agents, selected in Step 2.
Select the Groups and Agents to be excluded.
Groups Exclusion: This option displays a drop-down menu of all the Groups selected in Step 2. You can select any Group to exclude it from the scope of the policy.
Agents (User) Exclusion: This option displays a drop-down menu of all the Agents (basically users) selected in Step 2. You can select any Agent to exclude them from the scope of the policy.
Click Next.
Consider that you wish to scan all the tickets irrespective of their status. However, there is a specific group called Support. You do not wish to scan tickets from this group (assuming it's an internal support group). You can accomplish this by using the Groups Exclusion field as shown in the following image.
Similarly, you can also exclude a specific user by using the Agents Exclusion field.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click back or click on any specific stage to modify any of the policy configurations.
Click Submit.
Learn how to create policies in Nightfall for Zendesk.
In this stage, you select the Integration for which the policy is created. In this case, Zendesk integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select the Zendesk integration.
Learn how to define the extent your policy must cover
In this section, you can select the detection rules for the policy and, if they are not already created, create them. To learn more about how to configure detection rules, see Configuring Detection Rules.
To select detection rules, select a detection rule from the list of rules that are displayed and then select one of the following options.
All Detection Rules: Select this option to include all the detection rules in the policy.
Selected Detection Rules: Select this option to include only that detection rule in the policy that you selected above.
Unselected Detection Rules: Select this option to include all the other detection rules in the policy, that you did not select above.
Click Next.
When an end user violates a policy in MS Teams, a notification is generated based on the notification settings configured by you in the policy configurations.
This document explains where you can find notifications on policy violations and what actions can be taken.
To view the Nightfall violations page:
Navigate to the Violations page in Nightfall.
Apply filters to view only MS Teams violations.
(Optional) Modify the days filter to view historical violations. You can view violations up to the past 180 days.
(Optional) Hover over a violation to view the severity of the violation. You can also check how likely it is that the detected violation is an actual violation (Likely, Very Likely).
Click the ellipsis menu in the right corner or on the violation to view the list of actions that you can take to initiate the violation.
Click on any violation to view the exact data that caused the violation (highlighted in red). You can click Expand details to view further details.
If you have configured Email Notification in Admin Alerting, Nightfall admins receive the Email notification. This Email allows admins to take actions from within the Email.
If you have configured Email Notification in the Automation section of End user notification settings, end users receive an email from Nightfall. This Email allows end users to take actions from within the Email.
If you have selected Slack as an End-user remediation channel, end-users can perform the above tasks from Slack as well.