Nightfall Documentation
  • Data Detection and Response
  • Posture Management
  • Data Exfiltration Prevention
  • Data Encryption
  • Developer APIs
  • Data Classification and Discovery
  • Nightfall Exfiltration
  • What is Data Exfiltration
  • Nightfall Detection Platform
    • Nightfall Detection Platform
  • Exfiltration Prevention for Google Drive
    • Installing Nightfall for Google Drive
    • Configuring Integration Alerts
    • Configuring Google Drive Policies
      • Google Drive App Selection
      • Scope
      • Trigger
      • Automated Actions
      • Creating Policy
    • Remediation for Google Drive Exfiltration
  • Exfiltration Prevention for Endpoint
    • Endpoint Exfiltration Prevention
    • Install Nightfall AI Agent for MAC OS
      • Manual Installation
      • Nightfall Agent Deployment with Kandji MDM
      • Nightfall Agent Deployment with Rippling MDM
      • Nightfall Agent Deployment with JAMF MDM
    • Install Nightfall AI Agent for Windows OS
      • Manual Installation
      • Nightfall Windows Agent Deployment: Rippling MDM
      • Nightfall Windows Agent Deployment: Generic MSI Deployment
    • Configuring Integration Alerts
    • Configuring Policies
      • MAC/Windows App Selection
      • Scope
      • Trigger
      • Advanced Settings
        • Admin Alerting
        • Automated Actions
        • End-User Notifications
      • Creating Policy
      • Remediation for MAC OS Policies
      • FAQs
      • Remediation for Windows OS Policies
  • Exfiltration Prevention for Salesforce
    • Nightfall Exfiltration for Salesforce
    • Installing Nightfall Exfiltration for Salesforce
    • Upgrading Nightfall DLP
    • Configuring Integration Alerts
    • Configuring Salesforce Exfiltration Policies
      • Salesforce App Selection
      • Scope
      • Trigger
      • Advanced Settings
      • Creating Policy
      • Remediation for Salesforce Exfiltration
Powered by GitBook
On this page
  • Verify Connection
  • Removing Disconnected Devices
  • Create Domain Collections
  • Creating Policy

Was this helpful?

Export as PDF
  1. Exfiltration Prevention for Endpoint

Configuring Policies

PreviousConfiguring Integration AlertsNextMAC/Windows App Selection

Last updated 2 months ago

Was this helpful?

The Exfiltration policies for MAC and Windows OS allow you to monitor if there are any uploads via browser or cloud storage apps. You can configure the domains in Internet that needs to be monitored and also the cloud storage apps which need to be monitored.

When there are any uploads to the configured domain or cloud storage apps, the Nightfall AI agent notifies this action. You can configure the notification channels through which you wish to receive notifications when there is an attempt to upload files/folders.

Verify Connection

Once you have completed the installation of the Nightfall agent, you must ensure that the connection is live. If the Nightfall agent cannot connect to the macOS or the Windows OS device for more than 6 hours, the connection is lost. When the connection is live, a Connected message is displayed. If the connection is lost, a Disconnected message is displayed under the Agent Status column.

Removing Disconnected Devices

When a macOS or Windows OS device is disconnected, you can remove the device from the monitored list (Devices tab). To remove a disconnected device from the monitored list, click the delete icon for the respective device.

Clicking the delete icon displays a warning pop-up window as shown in the following image. Click Remove Device to confirm the removal of the device.

If a removed device reconnects, it is automatically added to the monitored list. To permanently prevent the monitoring of a device, you must de-provision the device through MDM (uninstall the Nightfall Agents and remove it from future targeting).

This feature declutters your monitoring list and ensures that only active devices that are being monitored are displayed.

You can leverage this feature efficiently with loaner laptops. When a former employee returns a device, the connection is lost and the status is displayed as disconnected. Security teams can be concerned about the device displaying the Disconnected status for a prolonged period and can initiate an investigation. Instead, you can use this feature and remove the device from the monitored list. When the device is reassigned to another employee, it connects back automatically, and the monitoring resumes.

Similarly, you can use this feature for seasonal and dormant devices; remove them once they are not in use. They will connect back automatically once they are in use again.

Create Domain Collections

Collections help you refine your monitoring to reduce noise from sanctioned upload destinations as well as closely monitor exfiltration of files originating from high-value SaaS applications accessed through the browser. You can also define specific domain collections to closely monitor upload activity to specific categories of upload destinations. For instance, to track files uploaded to social media, you can create a domain collection called social media and add domains like Facebook, Instagram, Twitter, and so on. Similarly, you create a collection for known and sanctioned upload destinations that are safe to upload to so you can ignore them from your monitoring policies or monitor the upload of items originating from such domains. While creating a policy, you can directly add the collection to be monitored. All the domains in the collection will be monitored.

You can create a domain by either manually entering all the domain URLs manually or by uploading a comma-delimited list of domains in a text file.

To group domains:

  1. Log in to the Nightfall app.

  2. Navigate to Integrations from the left menu.

  3. Click Manage on the macOS/Windows OS integration.

  1. Click the Domains tab.

  2. Click + New Collection.

You can either add the domains manually or upload a text file containing the list of domains. The following section has two tabs. The first explains the process of manually adding domains, and the second tab explains adding domains by uploading a file.

  1. Click + Add Domain.

  1. Enter a name for the Collection in the Collection Name field (Social Media in the following image)

  2. Enter a domain and hit the enter key (facebook.com in the following image).

Important

When you add a domain, the sub domain is not included automatically. For instance, if you add abcd.com, docs.abcd.com is not included. To include subdomains, you must enter the full URL containing the subdomain. If you have multiple subdomains, you can use the asterisk wildcard (*) and enter the domain as *.abcd.com

  1. (Optional) Click + Add Domain to add multiple domains to the collection.

  2. (Optional) Click the delete icon to delete a domain.

  3. Click Save Changes.

  1. Enter a name for the Collection in the Collection Name field.

  2. Click Upload.

  1. Browse and upload the text file containing the list of domains.

All the domains must be separated by a comma. The file must have a .txt extension.

Once you upload the file, the list of domains present in the file are displayed as follows.

Important

When you add a domain, the sub domain is not included automatically. For instance, if you add abcd.com, docs.abcd.com is not included. To include subdomains, you must enter the full URL containing the subdomain. If you have multiple subdomains, you can use the asterisk wildcard (*) and enter the domain as *.abcd.com

  1. (Optional) To add more Domains to the Collection, you can either click + Add Domain and enter the domain manually, or click Upload txt and upload another text file containing domains.

  2. (Optional) Click the delete icon to remove a domain from the Collection.

  3. Click Save Changes.

Creating Policy

The detailed steps to configure the MAC OS/Windows OS device exfiltration policy are explained in the following documents.

  • MAC/Windows App Selection

  • Scope

  • Trigger

  • Advanced Settings

  • Creating Policy

  • Remediation for MAC OS Policies

  • Remediation for Windows OS Policies