Configuring Policies
Last updated
Was this helpful?
Last updated
Was this helpful?
The Exfiltration policies for MAC and Windows OS allow you to monitor if there are any uploads via browser or cloud storage apps. You can configure the domains in Internet that needs to be monitored and also the cloud storage apps which need to be monitored.
When there are any uploads to the configured domain or cloud storage apps, the Nightfall AI agent notifies this action. You can configure the notification channels through which you wish to receive notifications when there is an attempt to upload files/folders.
Once you have completed the installation of the Nightfall agent, you must ensure that the connection is live. If the Nightfall agent cannot connect to the macOS or the Windows OS device for more than 6 hours, the connection is lost. When the connection is live, a Connected message is displayed. If the connection is lost, a Disconnected message is displayed under the Agent Status column.
When a macOS or Windows OS device is disconnected, you can remove the device from the monitored list (Devices tab). To remove a disconnected device from the monitored list, click the delete icon for the respective device.
Clicking the delete icon displays a warning pop-up window as shown in the following image. Click Remove Device to confirm the removal of the device.
If a removed device reconnects, it is automatically added to the monitored list. To permanently prevent the monitoring of a device, you must de-provision the device through MDM (uninstall the Nightfall Agents and remove it from future targeting).
This feature declutters your monitoring list and ensures that only active devices that are being monitored are displayed.
You can leverage this feature efficiently with loaner laptops. When a former employee returns a device, the connection is lost and the status is displayed as disconnected. Security teams can be concerned about the device displaying the Disconnected status for a prolonged period and can initiate an investigation. Instead, you can use this feature and remove the device from the monitored list. When the device is reassigned to another employee, it connects back automatically, and the monitoring resumes.
Similarly, you can use this feature for seasonal and dormant devices; remove them once they are not in use. They will connect back automatically once they are in use again.
Collections help you refine your monitoring to reduce noise from sanctioned upload destinations as well as closely monitor exfiltration of files originating from high-value SaaS applications accessed through the browser. You can also define specific domain collections to closely monitor upload activity to specific categories of upload destinations. For instance, to track files uploaded to social media, you can create a domain collection called social media and add domains like Facebook, Instagram, Twitter, and so on. Similarly, you create a collection for known and sanctioned upload destinations that are safe to upload to so you can ignore them from your monitoring policies or monitor the upload of items originating from such domains. While creating a policy, you can directly add the collection to be monitored. All the domains in the collection will be monitored.
You can create a domain by either manually entering all the domain URLs manually or by uploading a comma-delimited list of domains in a text file.
To group domains:
Log in to the Nightfall app.
Navigate to Integrations from the left menu.
Click Manage on the macOS/Windows OS integration.
Click the Domains tab.
Click + New Collection.
You can either add the domains manually or upload a text file containing the list of domains. The following section has two tabs. The first explains the process of manually adding domains, and the second tab explains adding domains by uploading a file.
Click + Add Domain.
Enter a name for the Collection in the Collection Name field (Social Media in the following image)
Enter a domain and hit the enter key (facebook.com in the following image).
(Optional) Click + Add Domain to add multiple domains to the collection.
(Optional) Click the delete icon to delete a domain.
Click Save Changes.
The detailed steps to configure the MAC OS/Windows OS device exfiltration policy are explained in the following documents.