Configure ChatOps
Overview
Use Push’s Slack or Microsoft Teams integrations to receive real-time notifications when Push detects new security findings or other changes in your identity infrastructure.
You can also use the Push chatbot to message employees directly in order to help them fix simple security issues, hardening your overall identity posture.
Install Push’s chatbot on your Slack or Microsoft Teams workspace and then choose which topics you want to send or receive messages about.
What permissions are required?
Slack scopes
Scope | Purpose |
---|---|
chat:write | Post messages in approved channels and conversations. |
im:write | Start direct messages with people. |
users:read | View people in a workspace. |
users:read.email | View email addresses of people in a workspace. |
im:history | View messages and other content in direct messages that your Slack app has been added to. |
channels:read | View basic information about public channels in a workspace. |
groups:read | View basic information about private channels that your Slack app has been added to. |
channels:join | Join public channels in a workspace. |
mpim:read | View basic information about group direct messages that your Slack app has been added to. |
im:read | View basic information about direct messages that your Slack app has been added to. |
app_mentions:read | View messages that directly mention @your_slack_app in conversations that the app is in. |
Microsoft Teams scopes
Scope | Purpose |
---|---|
Channel.ReadBasic.All | Read channel names and channel descriptions, on behalf of the signed-in user. |
MailboxSettings.Read | Allows the app to read the user’s mailbox settings. Does not include permission to send mail. |
Team.ReadBasic.All | Read the names and descriptions of teams, on behalf of the signed-in user. |
TeamsAppInstallation.ReadWriteSelfForTeam.All | Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user. |
TeamsAppInstallation.ReadWriteSelfForUser.All | Allows a Teams app to read, install, upgrade, and uninstall itself to any user, without a signed-in user. |
User.Read.All | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. |
User.Read | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. |
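The two tables above can serve as a baseline for a least-privilege review after installation. The following is an added example, not Push's own code: it compares a list of scopes actually granted to the chat app against the documented scopes and reports drift in either direction. The granted-scope strings are constructed sample input; how you export the real list from your Slack or Microsoft 365 tenant is left as an assumption.

```python
import re

# Scopes copied from the "Slack scopes" and "Microsoft Teams scopes" tables.
DOCUMENTED = {
    "slack": {
        "chat:write", "im:write", "users:read", "users:read.email",
        "im:history", "channels:read", "groups:read", "channels:join",
        "mpim:read", "im:read", "app_mentions:read",
    },
    "teams": {
        "Channel.ReadBasic.All", "MailboxSettings.Read", "Team.ReadBasic.All",
        "TeamsAppInstallation.ReadWriteSelfForTeam.All",
        "TeamsAppInstallation.ReadWriteSelfForUser.All",
        "User.Read.All", "User.Read",
    },
}


def parse_scopes(raw):
    """Split a scope string on commas and/or whitespace, dropping empties.

    Accepts both comma-separated and space-separated exports.
    """
    return {s for s in re.split(r"[,\s]+", raw.strip()) if s}


def audit_scopes(platform, granted_raw):
    """Compare granted scopes with the documented baseline for a platform."""
    if platform not in DOCUMENTED:
        raise ValueError(f"unknown platform: {platform!r}")
    documented = DOCUMENTED[platform]
    granted = parse_scopes(granted_raw)
    return {
        # Granted but not in the vendor documentation: review before trusting.
        "undocumented": sorted(granted - documented),
        # Documented but not granted: some chatbot features may not work.
        "missing": sorted(documented - granted),
        "matches_baseline": granted == documented,
    }


# Constructed sample: one extra scope (files:read) and channels:join absent.
SAMPLE_SLACK = (
    "chat:write,im:write,users:read,users:read.email,im:history,"
    "channels:read,groups:read,mpim:read,im:read,app_mentions:read,files:read"
)
# Constructed sample: space-separated list that matches the table exactly.
SAMPLE_TEAMS = " ".join(sorted(DOCUMENTED["teams"]))

if __name__ == "__main__":
    print("slack:", audit_scopes("slack", SAMPLE_SLACK))
    print("teams:", audit_scopes("teams", SAMPLE_TEAMS))
```

Re-run the comparison after any reinstall or update of the integration, since the consent prompt is where the granted set can change.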
Install the chatbot
To get started, install the Push chatbot. Push supports integration with Slack and Microsoft Teams.
Push will never message employees without your consent. After installing the chatbot, you have full control over:
When messages will begin to be sent.
Which topics Push will message employees about.
Which employees will receive messages.
To install the Push chatbot, log into the Push admin console and your messaging platform.
Prerequisites: You’ll need to be an administrator of your chat platform, or be able to share the integration link with your admin to complete the process.
1. Select ChatOps in the left sidebar.
2. Click Start setup and then choose which chat platform you want to integrate with: Slack or Teams.
3. Click Connect using the automatically generated integration link, or share the link with your messaging platform administrator to complete the integration.
4. Consent to the integration to finish adding the chatbot to your platform.
Send a test message
To confirm that the chatbot is installed correctly, you can send a private test message to yourself.
Click Send test message on the ChatOps page of the admin console.
Success!
Select ChatOps topics
There are two categories of messages you can send: Messages to your security team, and messages to your employees.
Configuring ChatOps topics is a two-step process:
1. Review and enable the topics you want to message your security team and/or your employees about.
2. Enable which employees should receive messages. You can enable all users licensed in Push as an employee or only individual users. Messages will not be sent to employees until you enable the ChatOps toggle for that employee.
Note: When enabling a security team chat topic, you'll need to specify which channel on your chat platform you want to send messages to, e.g. #push-security-alerts.
Note that if you enable ChatOps channel notifications for your security or IT team, these messages will be sent to your designated team channel. You do not need to activate ChatOps for individual Push administrators using a team channel. Once you enable the topic itself, messages will begin to be sent to your channel and will be visible to anyone in that channel so you can share Push updates with your whole team.
On the ChatOps page of the admin console, select which topics you want to send messages about by enabling the toggle for each subject listed under Security team notifications and Employee chat topics.
You can enable individual topics or subtopics by using the Activate toggle.
Security team chat topics
You can send messages to specific security team or IT team channels on the following topics. Note that unlike employee messaging, which occurs in a private message to an individual user, security team ChatOps topics will go to a channel.
You'll need to specify which channel you want to receive chat messages when you enable the security team chat topics.
When you install the Push chatbot for Slack, by default it has access only to public channels. You can add the Push chatbot to a private Slack channel by adding Push in the integrations settings for that channel. See this Push help article for more information.
With Microsoft Teams, you can use the Push chatbot to message a private team, but the specific team channel must be unrestricted (public).
Topic: Potential account compromises
This ChatOps topic works together with the employee topic Suspicious mail rules. You must enable both the employee and the security team topics in order to receive suspicious mail rule alerts in your security team channel.
When configured, Push will message a designated channel to alert your security or IT team when an employee who was contacted via chat about a suspicious mail rule confirms that they didn’t create the rule. This allows your team to begin investigating as soon as possible.
See Find suspicious mail rules for more information about the administrator triage process for mail rules.
What kind of messages are sent: If an employee contacted via chat confirms that they do not recognize a suspicious mail rule, Push will send a message to your security team channel to indicate a potential account compromise.
Who will be messaged: Your designated Slack or Teams channel. You do not need to activate ChatOps for individual Push administrators using these channels. Once you enable the topic, messages will begin to be sent to your channel.
When will they be messaged: Immediately after an employee responds that they don’t recognize the flagged mail rule.
Topic: SaaS discovery
When configured, Push will notify your channel about newly discovered third-party integrations or SaaS apps added by your users. You can choose to be notified about newly observed third-party integrations and/or SaaS apps by enabling the ChatOps subtopics for each.
If you identify an integration that is unused, unwanted or otherwise problematic, you can delete it directly from the chat message. When you delete an integration from the chat message, it will be deleted immediately for all users, including users who are not licensed in Push. For more information about deleting integrations, see Delete third-party integrations.
What kind of messages are sent: Brief descriptions of recently added integrations or new SaaS apps.
Who will be messaged: Your designated Slack or Teams channel. You do not need to activate ChatOps for individual Push administrators using these channels. Once you enable the topic, messages will begin to be sent to your channel.
When will they be messaged: For third-party integrations, about once per hour if Push has observed the addition of new integrations. Newly discovered SaaS apps will generate a notification as soon as Push finds one.
Topic: Security findings
When configured, Push will notify your security team about new security findings, such as when Push finds employees are using stolen, leaked, weak or reused passwords or shared accounts, or when their accounts lack MFA protection. When the issue is fixed, Push will also let you know.
What kind of messages are sent: Brief descriptions of new security findings, such as stolen credentials, leaked passwords, weak passwords, reused passwords, shared accounts, and more. You can choose to be notified about all new security finding types, or just the ones you care about. Disable any subtopics you don't need on the ChatOps page by going to the subtopic list under Security findings.
Who will be messaged: Your designated Slack or Teams channel. You do not need to activate ChatOps for individual Push administrators using these channels. Once you enable the topic, messages will begin to be sent to your channel.
When will they be messaged: Immediately after Push observes a new finding or a resolution to an existing finding. Note that Push must observe the resolution (such as an employee logging in with their newly changed password) in order to report it.
Employee chat topics
You can send messages to employees on the following topics:
Topic: Browser enrollment
Send employees the instructions on how to enroll their browser in Push using the Push browser extension. For more information about browser self-enrollment, go to Install the browser extension.
What kind of messages are sent: Push will message users who don’t already have the Push browser extension or who have not completed enrollment of their browser using the extension.
If the extension has already been installed by an administrator using a Managed installation, users will not receive messages unless their browser could not be enrolled. If the extension has not been installed or browser enrollment is not complete, the message will provide brief instructions and a link to the relevant extension download page.
Who will be messaged: Only users with ChatOps activated and who have not installed the browser extension or completed enrollment will receive messages.
When will they be messaged: Push will send browser enrollment messages as soon as you enable the ChatOps topic and activate ChatOps for those users — unless the user has other higher-priority messages they’ve been sent, such as to review a suspicious mail forwarding rule or enable MFA. In the case of high-priority messages like those, Push will send browser enrollment instructions a few days later so we don’t overload employees. Messages are sent during the employee’s working hours, defined as 10 a.m. to 4 p.m. local time, if Push can determine their timezone from your integrations. If an employee has not completed enrollment, three reminders will be sent three days apart, only during the work week (Monday through Friday).
Topic: Suspicious mail rules
Push provides suspicious mail rule detection for Microsoft 365 and Google Workspace. With this ChatOps topic, you can work directly with employees to verify if they created a mail rule before spending precious time to investigate and triage.
What kind of messages are sent: When a mail rule is created that forwards emails to an external domain, the chatbot will message the owner of the inbox to ask if they just created it.
If they say yes, Push will record in the admin console that the rule was Accepted, and an administrator can follow up for more information if needed. See Find suspicious mail rules for more information about the administrator triage process for mail rules.
If the employee says they don’t recognize the rule, Push will disable it automatically, provided it was created in Microsoft 365. Google Workspace does not support disabling mail rules.
The employee will receive a follow-up chat message that the rule has been disabled and they can re-enable it if they made a mistake.
If you want your security team to receive a chat message when an employee confirms they don’t recognize a mail rule, enable the ChatOps topic for Potential account compromise alerts to send notifications to a specific channel in your messaging platform.
Who will be messaged: Only users with ChatOps activated.
When will they be messaged: The owner of the inbox will be messaged immediately after a suspicious mail rule is created.
Topic: Password issues
When configured, Push will message employees when it finds a weak password or a password that’s shared across more than one app.
What kind of messages are sent: This ChatOps topic covers two cases: weak (including leaked) passwords and reused passwords. If the Push browser extension observes a login to a SaaS app with either a weak password or one that is reused across multiple applications, the chatbot will message the employee and ask them to update their password for the specific application.
Who will be messaged: Only users with ChatOps activated.
When will they be messaged: When you first enable this ChatOps topic, Push will message employees immediately about recently observed password security issues. Issues older than 30 days will not trigger a message until Push observes the next login to those applications. If an employee isn’t ready to take action on the suggestion, they can choose to be reminded again in a month. If an employee does not opt to be reminded again in a month, Push will send a reminder message every two working days, for a maximum of three times.
Topic: Multi-factor authentication registration
When configured, Push will message employees to encourage them to enable multi-factor authentication (MFA) on their Microsoft 365 or Google Workspace accounts. With this topic, you can configure chat messages to be sent for both platforms, or disable messages for a platform you don’t use.
What kind of messages are sent: The chatbot will send a link to enable MFA on the relevant platform, as well as a link to a Push help article explaining the importance of MFA.
Who will be messaged: Only users with ChatOps activated who do not have MFA enabled on their account. Google uses the term 2-Step Verification (2SV) rather than MFA, but they mean the same thing.
On Microsoft 365, users can register for MFA, but an M365 administrator may need to configure enforcement of MFA before they’re prompted to use it.
When will they be messaged: Messages will be sent as soon as you enable the topic and activate ChatOps for the given employee. Messages are sent during the employee’s working hours, defined as 10 a.m. to 4 p.m. local time.
Topic: Third-party integrations
When configured, Push will message employees to ask if they still need a third-party integration that hasn't been used recently.
What kind of messages are sent: Push will message an employee when we find a third-party integration connected to your Google Workspace or Microsoft 365 tenant that hasn’t been used in 90 days.
An integration is considered “actively used” when it accesses a specific API scope it was previously granted, such as calendar access.
Note: We don’t message employees about unused integrations that only have permission to perform social logins.
If an employee opts to remove an integration, Push will delete it only for that user. Push administrators can remove integrations for all users via the Push admin console.
Who will be messaged: Push will only send ChatOps messages to employees where ChatOps has been activated. If Push notices that a third-party integration hasn’t been active in 90 days, the chatbot will message the employee and ask if they still need the integration. They can select Remove or Keep.
When will they be messaged: Messages will be sent as soon as you enable the ChatOps topic and activate ChatOps for the given employee. Messages are sent during the employee’s working hours, defined as 10 a.m. to 4 p.m. local time, if Push can determine their timezone from your integrations.
Activate ChatOps for employees
After you’ve enabled the ChatOps topics you want to message employees about, you must activate ChatOps for all or some of your employees before they begin receiving messages.
Prerequisites: Complete your integration with Microsoft 365 or Google Workspace and assign licenses to your employees. Complete your integration with Slack or Teams. See Add employees and Install the chatbot for more instructions.
You can activate ChatOps for a single employee, a few employees, or all of them. To activate ChatOps, log into the Push admin console.
1. Select ChatOps in the left sidebar.
2. Click Activate employees.
3. Use the ChatOps toggle to enable chat for individual employees or perform a bulk action to enable chat for a large group or all employees.
You can also activate ChatOps from the Employees page.
When are chat messages sent?
Messages related to browser and MFA enrollment will be sent during the employee’s working hours, defined as 10 a.m. to 4 p.m. local time. Other messages will be sent as soon as they’re triggered by an action, such as the discovery of a suspicious mail rule, or when an employee logs into an app with a weak or reused password.
For more information, see Select ChatOps topics.
Chatbot status
On the ChatOps page, you can check the status of your integration to confirm everything is working as expected. A green dot indicates everything is fine. A red dot indicates that something is wrong, and you may need to update your integration. You can update your integration by going to Settings > Integrations in the admin console.
ChatOps activity
On the ChatOps page of the admin console, you can review chat activity, such as:
Employees who are able to receive chat messages.
Number of messages sent to employees across all topics, and for specific topics.
You can view activity data for the last 30 days, 60 days, or 90 days.
Deactivating ChatOps
You can deactivate ChatOps for individuals or all employees in two ways: use the ChatOps toggle or the bulk action on the Employees page, or go to ChatOps and click Activate employees.
To remove the chatbot from your messaging platform, uninstall the Push chat app.
Go to Settings > Integrations > ChatOps Integrations and use the trash icon to delete your Slack or Teams integration.