Learn how you can select the Exchange integration in a Nightfall policy.
In this stage, you select the Integration for which the policy is created. In this case, the Microsoft Exchange Online integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Sensitive Data.
Select the Exchange Online integration.
Learn how to configure a detection policy for Nightfall for Exchange.
DLP policies are a set of rules that include specific conditions, actions, and exceptions that monitor and filter data. DLP policies also enable you to remediate any leakage of sensitive information from within your organization.
You can set up policies to scan data that is sent through some or all applications within your organization.
You can configure policies and choose to not apply them all the time.
Before you define a policy, or a set of policies, we recommend that you define the objectives of each policy, which can then be fulfilled when you configure the policy.
What data do you plan to monitor?
Where within the organization do you want to monitor?
What should be the scope of each policy?
What conditions must apply for the policy to match?
What exceptions/exclusions can be allowed?
What remediation actions should the policy take?
You can now configure policies on the Microsoft Teams integration to determine which tenants and teams must be monitored, and which ones excluded. You can also automate the remediation actions that you want Nightfall to perform on a policy violation.
The following documents help you set up policies on Exchange.
Learn how to configure the Scope section for Exchange.
The Scope section allows you to select specific mailboxes to be monitored. Once you select the mailboxes, you can further add granular level filters to only monitor emails from specific senders and recipients.
Note: If you have configured multiple Microsoft tenants in Nightfall, you must first select the tenant to be monitored.
Nightfall provides the following sections on the Scope page.
Mailboxes: In this section, you can choose to monitor only specific senders, recipients, or groups. Conversely, you can exclude the monitoring of specific senders, internal recipients, or domains.
Recipients and Domains: In this section, you can apply filters to monitor only external recipients and domains. Conversely, you can exclude the monitoring of specific external recipients, or domains.
Click + Add Tenant and select a Microsoft tenant.
Click + Add Filter and select one or more of the filters described as follows.
You can use this filter to only monitor or exclude the monitoring of emails sent by specific senders.
Only Include: You can use this option to only monitor mails sent by specific users. Once you select this option, you must also select the required users from the drop-down menu.
Exclude: You can use this option to exclude the monitoring of mails sent by specific users. Once you select this option, you must also select the required users from the drop-down menu.
You can use this filter to only monitor or exclude the monitoring of emails sent by users who are part of specific sender groups.
Only Include: You can use this option to only monitor mails sent by specific sender user groups. Once you select this option, you must also select the required sender user groups from the drop-down menu.
Exclude: You can use this option to exclude the monitoring of mails sent by specific sender user groups. Once you select this option, you must also select the required sender user groups from the drop-down menu.
You can use this filter to only monitor or exclude the monitoring of emails sent to users who are part of specific recipient groups.
Only Include: You can use this option to only monitor mails sent to specific recipient user groups. Once you select this option, you must also select the required recipient user groups from the drop-down menu.
Exclude: You can use this option to exclude the monitoring of mails sent to specific recipient user groups. Once you select this option, you must also select the required recipient user groups from the drop-down menu.
You can use this filter to only monitor or exclude the monitoring of emails sent to internal recipients.
Only Include: You can use this option to only monitor mails sent to internal recipients. Once you select this option, you must also select the required users from the drop-down menu.
Exclude: You can use this option to exclude the monitoring of mails sent to internal recipients. Once you select this option, you must also select the required users from the drop-down menu.
Click Next once you have configured all the required filters.
You can use this section to apply filters on external recipients and domains. This section provides the following filters.
You can use this filter to either monitor all the mails sent to external recipients, only monitor specific external recipients or exclude the monitoring of specific external recipients.
Monitor All: This option monitors all the emails sent to external recipients.
Only Include: You can use this option to only monitor mails sent to external recipients. Once you select this option, you must also select the required users from the drop-down menu.
Exclude: You can use this option to exclude the monitoring of mails sent to external recipients. Once you select this option, you must also select the required users from the drop-down menu.
You can use this filter to monitor emails sent to recipient domains. You can also use wild cards to match multiple domains.
Monitor All: This option monitors all the emails sent to all the domains.
Only Include: You can use this option to only monitor mails sent to specific domains. Once you select this option, you must also enter the domain names to be included for monitoring.
Exclude: You can use this option to exclude the monitoring of mails sent to specific domains. Once you select this option, you must also enter the domain names to be excluded from being monitored.
Note: You can use to generate a regular expression that exactly matches your domain requirements.
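One way to check a domain list before entering it in the Recipients and Domains filter is shown below. This is an added example, not Nightfall code. It assumes `*` stands for one or more characters of a domain name and that matching is case-insensitive and anchored to the whole domain; the page does not state Nightfall's exact wildcard semantics, and the function names and mode strings are hypothetical.

```python
import re

MODES = ("monitor_all", "only_include", "exclude")

def wildcard_to_regex(pattern):
    """Compile a domain wildcard such as '*.example.com' to a regex.

    Assumed semantics: '*' matches one or more DNS characters. Every other
    character is escaped, so '.' is a literal dot and not "any character".
    """
    parts = [re.escape(p) for p in pattern.strip().lower().split("*")]
    return re.compile(r"[a-z0-9.-]+".join(parts))

def recipient_domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def is_monitored(address, mode, patterns=()):
    """Decide whether mail to `address` falls inside the domain filter."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    if mode == "monitor_all":
        return True
    domain = recipient_domain(address)
    # fullmatch anchors both ends, so a pattern cannot match a look-alike
    # domain that merely contains the intended name as a prefix.
    hit = any(wildcard_to_regex(p).fullmatch(domain) for p in patterns)
    return hit if mode == "only_include" else not hit

def coverage(recipients, mode, patterns=()):
    """Split recipients into (monitored, unmonitored) lists for review."""
    monitored = [r for r in recipients if is_monitored(r, mode, patterns)]
    unmonitored = [r for r in recipients if r not in monitored]
    return monitored, unmonitored

# Constructed sample recipients (reserved example/test domains).
SAMPLE = [
    "billing@mail.example.com",
    "ceo@example.com",
    "ops@example.com.partner.test",
    "Sales@EU.Example.COM",
]

if __name__ == "__main__":
    print(coverage(SAMPLE, "exclude", ["*.example.com"]))
```

Under these assumptions an Exclude entry of `*.example.com` leaves both the apex domain `example.com` and the look-alike `example.com.partner.test` monitored, which is the result to confirm before relying on an exclusion.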
Learn how to configure the detection rules section in Nightfall policies created for Exchange.
In this section, you can select the detection rules for the policy. If the detection rules are not already created, you can create them. To learn more about how to configure detection rules, see Configuring Detection Rules.
To add detection rules to the policy, select them from the list of rules that is displayed.
You must select at least one detection rule to proceed further.
Click Next once you have selected all the required detection rules.

Learn how to configure the advanced settings section in Nightfall policies created for MS Exchange.
This stage allows you to select notification channels if a policy violation occurs. The notification alerts are sent at two levels.
The alert configurations configured in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the Exchange policies, you must configure alerts at the integration level. To learn more about how to configure integration-level policies for the Exchange integration, read this document.
The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to this document for steps.
Automated actions allow you to configure automated remediation actions when sensitive data is found in an Email. Nightfall supports two automated actions for Exchange DLP.
Block: The Block action blocks the Email and prevents it from being sent to the recipient. The sender receives a notification email that states that their Email was not sent to the recipient.
Quarantine Email: The quarantine action quarantines the email that contains sensitive data. A Nightfall admin can review the quarantined Email to check whether the data is sensitive and then decide whether the Email must be sent to the recipient or blocked permanently.
Encrypt Email: The encrypt action securely encrypts the contents of the email. When the encryption action is applied a new Event is created in the Nightfall Encryption Events page.
If you enable the encryption action, additionally you can also configure the following settings.
Disable Forward: Prevents forwarding or adding recipients in Nightfall Secure Reader.
Set Expiration Date: Automatically sets a date after which the email becomes inaccessible to recipients.
Persistent Protection on Attachments: Ensures attachments are only accessible via the secure reader, preventing downloads.
Conflicts can arise in two main scenarios:
All the automated actions are configured in a single policy.
Multiple policies with different automated actions were violated simultaneously within the same file, message or record.
When conflicts occur, Nightfall implements the most severe automated action. The priority order to manage conflicts in Exchange is as follows.
Encryption
Block
Quarantine
If you create three policies and enable the encrypt action in the first policy, Block in the second policy, and Quarantine in the third policy, and all 3 policies are violated, the encrypt action is applied to the Event (and not Block or Quarantine).
Also, if you delete the first policy, in which the encrypt action is enabled, and both the remaining policies are then violated, the Block action is applied (and not Quarantine).
If you enable all three actions in a single policy and the policy is violated, the encryption action is applied.
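The priority order above can be used to audit a policy set for cases where an expected Block is replaced by Encrypt, which delivers the email. The following is an added example, not Nightfall code. The dictionary layout, policy names and rule names are hypothetical, and it assumes that two policies sharing a detection rule can both be violated by the same email.

```python
from itertools import combinations

# Priority order stated on this page, highest first.
PRIORITY = ["encrypt", "block", "quarantine"]

def effective_action(policies, violated):
    """Return the single automated action applied when `violated` policies fire."""
    enabled = set()
    for name in violated:
        enabled |= policies[name]["actions"]
    for action in PRIORITY:
        if action in enabled:
            return action
    return None  # no automated action enabled on any violated policy

def overridden_blocks(policies):
    """Find policy pairs where a shared rule lets Encrypt replace Block."""
    findings = []
    for a, b in combinations(sorted(policies), 2):
        shared = policies[a]["rules"] & policies[b]["rules"]
        if not shared:
            continue  # assumed: no common rule means no joint violation
        alone = {effective_action(policies, [a]),
                 effective_action(policies, [b])}
        together = effective_action(policies, [a, b])
        if "block" in alone and together == "encrypt":
            findings.append((a, b, sorted(shared)))
    return findings

# Constructed sample policy set (all names are hypothetical).
POLICIES = {
    "pci-external": {"rules": {"credit-card"}, "actions": {"block"}},
    "finance-secure-mail": {"rules": {"credit-card", "iban"},
                            "actions": {"encrypt"}},
    "hr-review": {"rules": {"ssn"}, "actions": {"quarantine"}},
}

if __name__ == "__main__":
    print(effective_action(POLICIES, list(POLICIES)))
    for a, b, rules in overridden_blocks(POLICIES):
        print(f"{a} + {b}: Block replaced by Encrypt for rules {rules}")
```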
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink https://www.nightfall.ai with the text Nightfall website, you must write
<https://www.nightfall.ai | Nightfall website>.
The automation settings allow you to send notifications to end users. You can select one or both of the notification methods. You must first turn on the toggle switch to use the automation option. The automation notification channels are as follows.
Email: This option sends an Email to the user who sent the email with sensitive data.
Slack: This option sends a Slack message to the Exchange user who sent the email with sensitive data.
End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take, when a violation is detected on their Exchange Emails. You must turn on the toggle switch to use this option. End-users receive the remediation actions in an Email as an action item. The available actions in that Email depend upon the actions that you select in this section. The various available remediation actions for end-users are as follows.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
Report as False Positive: This option allows end users to report false positive alerts.
When end-users report alerts as false positives, you can choose the resolution method to be either automatic or manual. If end-users do not take any remediation action, you can set the frequency at which they must receive the notifications to take action.


Learn how to configure the risk score and name a Nightfall policy created for Exchange.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Choose the Policy risk score. By default the risk score is set to Nightfall Risk Score. You can set it to Custom Risk score, and select one of the risk levels, if required. To learn more about Risk scoring, refer to the Risk Scoring document.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click back to modify any of the policy configurations.
Click Submit.
Learn how to handle Nightfall Events that were created as a result of sensitive data leak in Microsoft Exchange.
This document explains the impact on end-users and Microsoft Exchange admins when the automated actions in Exchange DLP (Block, Quarantine, or Encrypt) are implemented.
When an Email is blocked, the end user receives an Email from Nightfall that informs them that their Email was blocked. The status of the Event is also automatically changed to Blocked when the Email is blocked.


When an email is quarantined, it is stored separately on a secure server. A Microsoft Exchange admin must visit the server, review the quarantined email, and decide whether the email must be allowed to travel to the recipient or be blocked. You can refer to this Microsoft documentation to learn more about how admin users can view quarantined emails. End-users can also perform certain actions on quarantined emails based on the settings configured. You can refer to this Microsoft documentation to learn more about what actions end-users can take on quarantined emails.
When an Email is encrypted, an additional event is created in the Nightfall data encryption, apart from the regular event created in Nightfall detection and response. The email is delivered to the recipient. An event is logged in Nightfall detection and response with the Status Encrypted.
When an end user violates a policy in Exchange DLP, an Event is generated based on the notification settings configured by you in the policy configurations. To learn more about Events, see Data Detection and Response Events.
To view the Events from the Nightfall Console:
Click Detection and Response from the left pane.
(Optional) Modify the days filter to view Events prior to the last 7 days. By default, the Events recorded in the Last 7 Days are displayed.
Apply filters to view only the Exchange Online Events.
Once you filter the Events to view only the Exchange Events, you can refer to the section to learn more about the available options.
Click any Event to view its details. You can click anywhere in the row of the Event that you wish to inspect. The details are displayed in a side panel.
Nightfall allows you to take various actions on Events. When you take an action on an Event, the status of the Event changes accordingly. To learn more about Event status, refer to the Event Status document.
In Exchange, you can take actions either from the Event list view page or the Event detail view page. On the Event list view page, you can click the ellipsis menu to view the available list of actions.
On the Event detail view, you can view the applicable actions from the actions section at the bottom.
To view the complete list of actions, applicable to all the integrations, you can refer to the Applying Actions on Events document.
The list of actions supported for Exchange are as follows. Some of these actions are common to other integrations as well.
Copy Event Link: The action copies the link to the Event. You can save or send this link to directly open the Event. This action is available only on the Event detail view.
Ignore: The ignore action flags Nightfall to ignore all the findings in the Event and may be taken if you determine that the findings are false positives. This action marks the Event as resolved and moves it to the Resolved section. You can undo this action.
Acknowledge: You can take this action to notify other users that you have looked into this Event and will take suitable action in the future.
Notify Email: This action notifies the end user who added the sensitive data file to Exchange, through email.
Notify Slack: This action notifies the end user who added the sensitive data file to Exchange, through Slack.
Send to JIRA: This action creates a JIRA ticket for the Event. You can pick a project and Issue type while creating the JIRA ticket and can assign the JIRA ticket to the end-user.
Resolve: This action must be taken when the sensitive data is removed completely. This action resolves the Event.

