Trigger
The Trigger section in Salesforce policies allows you to define the frequency of action that must be considered as an exfiltration event. In case of Salesforce policies, the download frequency is the trigger.
The download frequency can be defined as the number of downloads over a period to time. This allows you to set custom thresholds in terms of number of downloads over a specific period of time and can be useful to identify anomalous download patterns for specific locations, users or content type. This can be set in combination to other scoping capabilities.
Configuring Triggers
In the Actions section, you can define the download action that must be considered as a potential exfiltration attempt by Nightfall. Nightfall allows you to set the frequency of downloads as the action.
To configure Actions:
Click the minimum number of files that must be the download threshold.
Set the time period within which the minimum no. of downloads must be considered as exfiltration event.
In the following case, an exfiltration event is created if, there are 2 or more downloads within a minute.
You must set the action frequency carefully. For example, consider that you set the action condition as 5 or more files, within 1 hour as shown in the following image. In this case, if a user downloads four assets, every 1 hour, the policy does not trigger a violation, since the Action condition does not match. So, a user can keep downloading four files every hour and get away with it.
Last updated