Configure ChatOps

Use Push’s chatbot to message employees directly in order to validate suspicious activity or encourage better security decisions, such as enabling multi-factor authentication (MFA) or improving a weak password.

Install Push’s chatbot on your Slack or Microsoft Teams workspace and then choose which topics you want to automatically message employees about using Push’s simple preconfigured workflows. You can also use ChatOps to notify your security team when Push detects a new third-party integration in your environment, or when an employee contacted via chat confirms that a mail rule looks suspicious so that you can begin triage.

Why ChatOps?

Well-timed, conversational, and direct messaging to employees allows you to save time while:

• Verifying whether a suspicious mail rule has been created by the employee or a malicious third party.

• Reminding employees to enroll in MFA without relying on sending multiple difficult-to-target emails.

• Encouraging employees to strengthen weak passwords or update shared passwords on the SaaS apps they use for work.

Push continues to add ChatOps topics, and to finetune the user experience to ensure that messages are clear, short, friendly, and effective.

To get started, install the Push chatbot. Push supports integration with Slack and Microsoft Teams.

To install the Push chatbot, log into the Push admin console and your messaging platform.

Prerequisites: You’ll need to be an administrator of your chat platform, or be able to share the integration link with your admin to complete the process.

1. Select ChatOps in the left sidebar.

2. Click Start setup and then choose which chat platform you want to integrate with: Slack or Teams.

3. Click Connect using the automatically generated integration link, or share the link with your messaging platform administrator to complete the integration.

4. Consent to the integration to finish adding the chatbot to your platform.

Send a test message

To confirm that the chatbot is installed correctly, you can send a private test message to yourself.

Click Send test message on the ChatOps page of the admin console.

Success!

There are two categories of messages you can send: Messages to your employees, and messages to your security or IT team.

Configuring ChatOps topics is a two-step process:

1. Review and enable the topics you want to message your employees and/or your security team about.

2. Enable which users should receive messages. You can enable all users licensed in Push as an employee or only individual users. Messages will not be sent to employees until you enable the ChatOps toggle for that employee.

On the ChatOps page of the admin console, select which topics you want to send messages about by enabling the toggle for each subject listed under Employee chat topics and Security team chat topics.

You can enable individual topics or subtopics by using the Activate toggle.

You can send messages to employees on the following topics:

Topic: Browser enrollment

Send employees the instructions on how to enroll their browser in Push using the Push browser extension. For more information about browser self-enrollment, go to Install the browser extension.

What kind of messages are sent: Push will message users who don’t already have the Push browser extension or who have not completed enrollment of their browser using the extension.

If the extension has already been installed by an administrator using a Managed installation, users will not receive messages unless their browser could not be enrolled. For example, managed installations are not possible in Firefox and Safari. If the extension has not been installed or browser enrollment is not complete, the message will provide brief instructions and a link to the relevant extension download page.

Who will be messaged: Only users with ChatOps activated and who have not installed the browser extension or completed enrollment will receive messages.

When will they be messaged: Push will send browser enrollment messages as soon as you enable the ChatOps topic and activate ChatOps for those users — unless the user has other higher-priority messages they’ve been sent, such as to review a suspicious mail forwarding rule or enable MFA. In the case of high-priority messages like those, Push will send browser enrollment instructions a few days later so we don’t overload employees. Messages are sent during the employee’s working hours, defined as 10 a.m. to 4 p.m. local time, if Push can determine their timezone from your integrations. If an employee has not completed enrollment, three reminders will be sent three days apart, only during the work week (Monday through Friday).

Topic: Check suspicious mail rules

Push provides suspicious mail rule detection for Microsoft 365 and Google Workspace. With this ChatOps topic, you can work directly with employees to verify if they created a mail rule before spending precious time to investigate and triage.

What kind of messages are sent: When a mail rule is created that forwards emails to an external domain, the chatbot will message the owner of the inbox to ask if they just created it.

If they say yes, their response will be recorded in the Push admin console that the rule was Accepted, and an administrator can follow up for more information if needed. See Find suspicious mail rules for more information about the administrator triage process for mail rules.

If the employee says they don’t recognize the rule, Push will disable it automatically, provided it was created in Microsoft 365. Google Workspace does not support disabling mail rules.

The employee will receive a follow-up chat message that the rule has been disabled and they can re-enable it if they made a mistake.

If you want your security team to receive a chat message when an employee confirms they don’t recognize a mail rule, enable the ChatOps topic for Potential account compromise alerts to send notifications to a specific channel in your messaging platform.

Who will be messaged: Only users with ChatOps activated.

When will they be messaged: The owner of the inbox will be messaged immediately after a suspicious mail rule is created.

Topic: Fix password issues

When configured, Push will message employees when it finds a weak password or a password that’s shared across more than one SaaS application.

What kind of messages are sent: This ChatOps topic covers two cases: weak passwords and reused passwords. If the Push browser extension observes a login to a SaaS app with either a weak password or one that is reused across multiple applications, the chatbot will message the employee and ask them to update their password for the specific application.

Who will be messaged: Only users with ChatOps activated.

When will they be messaged: When you first enable this ChatOps topic, Push will message employees immediately about recently observed password security issues. Issues older than 30 days will not trigger a message until Push observes the next login to those applications. If an employee isn’t ready to take action on the suggestion, they can choose to be reminded again in a month.

Topic: Register for MFA

When configured, Push will message employees to encourage them to enable multi-factor authentication (MFA) on their Microsoft 365 or Google Workspace accounts. With this topic, you can configure chat messages to be sent for both platforms, or disable messages for a platform you don’t use.

What kind of messages are sent: The chatbot will send a link to enable MFA on the relevant platform, as well as a link to a Push help article explaining the importance of MFA.

Who will be messaged: Only users with ChatOps activated who do not have MFA enabled on their account. Google uses the term 2-Step Verification (2SV) rather than MFA, but they mean the same thing.

When will they be messaged: Messages will be sent as soon as you enable the topic and activate ChatOps for the given employee. Messages are sent during the employee’s working hours, defined as 10 a.m. to 4 p.m. local time.

You can send messages to specific security team or IT team channels on the following topics. Note that unlike employee messaging, which occurs in a private message to an individual user, security team ChatOps topics will go to a channel.

When you install the Push chatbot for Slack, by default it has access only to public channels. You can add the Push chatbot to a private Slack channel by adding Push in the integrations settings for that channel. See this Push help article for more information.

With Microsoft Teams, you can use the Push chatbot to message a private team, but the specific team channel must be unrestricted (public).

Topic: Potential account compromise alerts

When configured, Push will message a designated channel to alert your security or IT team when an employee who was contacted via chat about a suspicious mail rule confirms that they didn’t create the rule. This allows your team to begin investigating as soon as possible.

See Find suspicious mail rules for more information about the administrator triage process for mail rules.

What kind of messages are sent: If an employee contacted via chat confirms that they do not recognize a suspicious mail rule, Push will send a message to your security team channel to indicate a potential account compromise.

Who will be messaged: Your designated Slack or Teams channel. You do not need to activate ChatOps for individual Push administrators using these channels. Once you enable the topic, messages will begin to be sent to your channel.

When will they be messaged: Immediately after an employee responds that they don’t recognize the flagged mail rule.

Topic: SaaS notifications

When configured, Push will notify your channel about new third-party integrations added by your users. If you identify an integration that is unused, unwanted or otherwise problematic, you can also delete it directly from the chat message.

When you delete an integration from the chat message, it will be deleted immediately for all users, including users who are not licensed in Push. For more information about deleting integrations, see Delete third-party integrations.

What kind of messages are sent: Brief descriptions of recently added integrations.

Who will be messaged: Your designated Slack or Teams channel. You do not need to activate ChatOps for individual Push administrators using these channels. Once you enable the topic, messages will begin to be sent to your channel.

When will they be messaged: About once per hour, after Push observes the addition of a new third-party integration to your environment.

After you’ve enabled the ChatOps topics you want to message employees about, you must activate ChatOps for all or some of your employees before they begin receiving messages.

Prerequisites: Complete your integration with Microsoft 365 or Google Workspace and assign licenses to your employees. Complete your integration with Slack or Teams. See Add employees and Install the chatbot for more instructions.

You can activate ChatOps for a single employee, a few employees, or all of them. To activate ChatOps, log into the Push admin console.

1. Select ChatOps in the left sidebar.

2. Click Activate employees.

3. Use the ChatOps toggle to enable chat for individual employees or perform a bulk action to enable chat for a large group or all employees.

You can also activate ChatOps from the Employees page.

When are chat messages sent?

Messages related to browser and MFA enrollment will be sent during the employee’s working hours, defined as 10 a.m. to 4 p.m. local time. Other messages will be sent as soon as they’re triggered by an action, such as the discovery of a suspicious mail rule, or when an employee logs into an app with a weak or reused password.

For more information, see Select ChatOps topics.

Chatbot status

On the ChatOps page, you can check the status of your integration to confirm everything is working as expected. A green dot indicates everything is fine. A red dot indicates that something is wrong, and you may need to update your integration. You can update your integration by going to Settings > Integrations in the admin console.

ChatOps activity

On the ChatOps page of the admin console, you can review chat activity, such as:

• Employees who are able to receive chat messages.

• Number of messages sent to employees across all topics, and for specific topics.

You can view activity data for the last 30 days, 60 days, or 90 days.

You can deactivate ChatOps for individuals or all employees by using the ChatOps toggle or the bulk action on the Employees page or by going to ChatOps and clicking on Activate employees.

To remove the chatbot from your messaging platform, uninstall the Push chat app.

Go to Settings > Integrations > ChatOps Integrations and use the trash icon to delete your Slack or Teams integration.