Exfiltration Events
Learn the details available on the Nightfall Exfiltration Events page
The Nightfall Exfiltration page displays various details of the Exfiltration Events. An Exfiltration Event is automatically created in Nightfall when an Exfiltration policy is violated. The Event displays useful information like the integration on which the exfiltration occurred (Google Drive, Salesforce, macOS/Windows Endpoint), the name of the policy violated, the details of the asset responsible for the violation, and so on.
Exfiltration Event List View
You can navigate to the Exfiltration Events page by clicking the Exfiltration Prevention button in the left menu.

Once you land on the Exfiltration Events page, all the Exfiltration Events are listed. This view is called the Event list view. When you click an Event in the Event list view, the details of only the selected Event are displayed. This is called the Event Detail view.
The Event list view contains a table which displays details of the Events. Click here to learn more about the details displayed in the Event list view.
Filtering Data
You can filter the data on the list view by date or by integrations. To filter the data by integrations, you must execute the following steps.
1. Navigate to Exfiltration Prevention from the left menu. (Steps 2 to 6 illustrate filtering the events to view only the alerts generated by Windows endpoints.)
2. Click Filter.
3. Click + Add Filter.
4. Select Integration.
5. Select the check box of the required integration(s).
6. Click Apply.

You can also use the date filter to view historic Exfiltration Events. To learn more about how to use the historic time filter, refer to this section.
Search Events
Nightfall provides a powerful search bar to search for specific Exfiltration Events. Nightfall provides various search operators to perform your search. You must use the following syntax to search data.
search operator name:"search term"
For example, to search for events that are in the Active state, you must use the State search operator with the following syntax.
State:"Active"
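The following is an added example, not code from the Nightfall documentation or product: a small Python parser and matcher for the operator:"search term" syntax described above, run over a few constructed event records. It lets a practitioner try multi-clause queries (for instance combining state with a dotted integration operator such as endpoint.browser_upload.domain) against exported event data offline. The event field names mirror the operator names listed on this page; the sample values, the AND combination of clauses, and the case-insensitive comparison are assumptions of this example and not documented Nightfall behaviour (operator names are matched case-insensitively because the page writes both State and state).

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample events for illustration only; field names follow the
# search operators on the page, values are invented (not real Nightfall data).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "event_id": "evt-0001",
        "state": "Active",
        "integration_name": "Google Drive",
        "policy_name": "Block external sharing",
        "gdrive": {"permission": "public", "file_owner": "alice@example.com"},
    },
    {
        "event_id": "evt-0002",
        "state": "Active",
        "integration_name": "Endpoint",
        "policy_name": "Block browser uploads",
        "endpoint": {
            "machine_name": "LAPTOP-42",
            "browser_upload": {"browser_name": "Chrome", "domain": "files.example.org"},
        },
    },
    {
        "event_id": "evt-0003",
        "state": "Acknowledge",
        "integration_name": "Salesforce",
        "policy_name": "Report export control",
        "salesforce": {"report": {"operation": "ReportExported", "source_ip": "203.0.113.7"}},
    },
]

# One clause: an operator name (letters, digits, underscore, dot), a colon,
# and a double-quoted term. Quoting lets the term contain spaces.
CLAUSE_RE = re.compile(r'([A-Za-z0-9_.]+):"([^"]*)"')


def parse_query(query: str) -> List[Tuple[str, str]]:
    """Split a query such as 'state:"Active" gdrive.permission:"public"' into
    (operator, term) pairs. Raises ValueError when any part of the query is not
    a well-formed clause, so an unquoted term like state:Active is caught."""
    clauses: List[Tuple[str, str]] = []
    pos = 0
    for match in CLAUSE_RE.finditer(query):
        # Only whitespace may appear between two clauses.
        if query[pos:match.start()].strip():
            raise ValueError(f"malformed query near: {query[pos:match.start()]!r}")
        clauses.append((match.group(1).lower(), match.group(2)))
        pos = match.end()
    if query[pos:].strip() or not clauses:
        raise ValueError(f"malformed query near: {query[pos:]!r}")
    return clauses


def lookup(event: Dict[str, Any], operator: str) -> Any:
    """Resolve a dotted operator such as endpoint.browser_upload.domain against
    nested dictionaries. Returns None when any path segment is missing."""
    node: Any = event
    for part in operator.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def clause_matches(event: Dict[str, Any], operator: str, term: str) -> bool:
    """Exact, case-insensitive comparison of the event field with the term
    (assumption of this example)."""
    value = lookup(event, operator)
    return value is not None and str(value).lower() == term.lower()


def search_events(events: List[Dict[str, Any]], query: str) -> List[str]:
    """Return the IDs of the events that satisfy every clause of the query
    (AND semantics, an assumption of this example)."""
    clauses = parse_query(query)
    return [
        event["event_id"]
        for event in events
        if all(clause_matches(event, op, term) for op, term in clauses)
    ]


if __name__ == "__main__":
    print(search_events(SAMPLE_EVENTS, 'State:"Active"'))
    print(search_events(SAMPLE_EVENTS, 'state:"Active" endpoint.browser_upload.domain:"files.example.org"'))
```

Because every clause must match, adding an integration operator narrows an Active-state query to the events of that integration; a query in which a term is not quoted is rejected by parse_query rather than silently matching nothing.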
The various Exfiltration search operators provided by Nightfall are as follows.
General Search Operators
actor_Email
Search using the Email ID of the actor whose action triggered the Event.
actor_Name
Search using the name of the actor (device name) from which the Event was triggered.
event_id
Search the unique Exfiltration event ID.
event_type
Search the Exfiltration event type.
integration_name
Search the integration name.
last_action
Search the last action implemented on an event. Example of action can be Acknowledge, Ignore, Resolve, and so on.
last_actioned_by
Search for the user who last took an action on the event.
notes
Search the notes entered in an Event.
policy_id
Search the unique policy ID.
policy_name
Search the policy name.
resource_content_type
Search the resource type of the file that was exfiltrated. Resource type refers to the file format and can be .pdf, .doc, .docx, and so on.
resource_id
Search the resource ID. This unique identifier is assigned to resources by their integration (Google Drive, Salesforce).
resource_name
Search the resource name (file name) that was exfiltrated.
resource_owner_email
Search the email of the user who owns the exfiltrated file.
resource_owner_name
Search the name of the user who owns the exfiltrated file.
state
Search the current status of the Event. This could be Active, Acknowledge, and so on.
violation_id
Search the unique violation ID of the event.
violation_type
Search the violation type.
Integration Operators
The integration operators are grouped below by the integration they apply to.

Endpoint (Browser upload)
endpoint.browser_upload.browser_name
Search the web browser that was used to upload the file.
endpoint.browser_upload.domain
Search the domain name that was used to upload the file.
endpoint.browser_upload.file_name
Search the name of the file.
endpoint.browser_upload.origin.browser_name
Search the browser from which the exfiltrated file emerged.
endpoint.browser_upload.origin.domain
Search the domain from which the exfiltrated file emerged.
endpoint.browser_upload.origin.url
Search the exact URL from which the exfiltrated file emerged.
endpoint.browser_upload.url
Search the URL used to upload the exfiltrated file.

Endpoint (Clipboard Copy/Paste)
endpoint.clipboard_copy.destination.browser_name
Search the destination browser name to which the copied data was pasted.
endpoint.clipboard_copy.destination.domain
Search the destination domain name to which the copied data was pasted.
endpoint.clipboard_copy.origin.browser_name
Search the origin browser name from which the data was copied.
endpoint.clipboard_copy.origin.domain
Search the origin domain name from which the data was copied.
endpoint.clipboard_copy.origin.url
Search the origin URL from which the data was copied.

Endpoint (Cloud Sync)
endpoint.cloud_sync.account_name
Search the name of the account to which the file was uploaded.
endpoint.cloud_sync.account_type
Search the account type (personal/business) of the account to which the file was uploaded.
endpoint.cloud_sync.app
Search the cloud storage app name (Google Drive, OneDrive) to which the file was uploaded.
endpoint.cloud_sync.destination_file_path
Search the destination directory in the storage app to which the file was exfiltrated.
endpoint.cloud_sync.email
Search the email ID of the account to which the file was uploaded.
endpoint.cloud_sync.file_name
Search the name of the file which was uploaded to a cloud storage app.

Endpoint
endpoint.device_id
Search the endpoint device ID of the device from which the exfiltration was performed.
endpoint.machine_name
Search the endpoint device name from which the exfiltration was performed.

Google Drive
gdrive.drive
Search a drive within Google Drive. Returns all the events that were exfiltrated from the searched drive.
gdrive.file_owner
Search a Google Drive user. Returns all the events whose files were owned by the searched user and were exfiltrated.
gdrive.label_name
Search a Google Drive label. Returns all the events that contained the searched label and were exfiltrated.
gdrive.permission
Search a Google Drive permission (restricted, public). Returns all the events that contain the searched permission and were exfiltrated.
gdrive.shared_external_email
Search the external Gmail email ID with which the file was shared.
gdrive.shared_internal_email
Search the internal Gmail email ID with which the file was shared.

Salesforce
salesforce.file.session_level
Search the session level of the Salesforce file.
salesforce.file.source_ip
Search the IP address of the source machine that initiated the exfiltration of the file.
salesforce.report.description
Search the description provided in the Salesforce report.
salesforce.report.event_source
Search the Salesforce report event source.
salesforce.report.operation
Search the Salesforce report operation.
salesforce.report.scope
Search the Salesforce report scope.
salesforce.report.session_level
Search the session level of the Salesforce report.
salesforce.report.source_ip
Search the source IP address of the Salesforce report.
To learn more about how to search for special characters, refer to this section.

Sharing and Downloading Event Data
Nightfall allows you to share and download the Event data. The Share button creates a link to the current view with all the filters applied. When you open this link, the Events page opens with the same filters applied.