# Automated Actions

This section describes the various actions that Nightfall takes automatically when an exfiltration attempt is detected. This automated action is triggered when the condition set in the [Trigger](/data-exfiltration-prevention/exfiltration_endpoint/policies/trigger.md) section is violated.

The automated action supported by Nightfall is described as follows.

### Block Transfer

This action automatically blocks the file transfer, thus preventing an exfiltration attempt. You can use this action to prevent the upload of files with sensitive data to web browsers or cloud storage apps. You must enable the toggle switch to activate the automated action.

You can configure the [Scope](/data-exfiltration-prevention/exfiltration_endpoint/policies/scope.md) section and the [Trigger](/data-exfiltration-prevention/exfiltration_endpoint/policies/trigger.md) section to leverage this feature to:

* **Block transfer based on file origin**: Block the upload of files downloaded from highly sensitive SaaS applications.
* **Block transfer based on destination**: Allow uploads only to sanctioned destinations.
* **Combine origin and destination**: Create powerful DLP policies that factor in both where files came from and where they are headed.

{% hint style="warning" %}
Currently, this action is supported only for Mac devices.
{% endhint %}

Some scenarios in which you can use the automatic Block action are as follows.

#### Scenario 1: Prevent exfiltration of sensitive data to unsanctioned destinations

Employees access confidential reports from an internal data repository and attempt to upload them to a personal iCloud account or an unsanctioned personal email service.

**Solution**

Configure the filters in the [Scope](/data-exfiltration-prevention/exfiltration_endpoint/policies/scope.md) section to scope the policy to include the domains to be monitored (for instance, your organization's \*.drive.google.com or \*.force.com). Now, any files downloaded from the configured domains are monitored. Configure the [Trigger](/data-exfiltration-prevention/exfiltration_endpoint/policies/trigger.md) section to trigger an exfiltration action when an attempt is made to upload the downloaded file to an unsanctioned destination (for instance, to a personal iCloud account or a non-corporate-sanctioned domain). Finally, enable the **Block** automated action.

In this scenario, if a user downloads a file from the organization's Google Drive or Salesforce and attempts to upload it to their personal iCloud, the action is blocked and the user gets the following error message.

<figure><img src="/files/nYqOxeXLoPSs7U2n5Z6C" alt="" width="194"><figcaption></figcaption></figure>

Other similar scenarios include:

* A health department that prevents employees from uploading customer health data, downloaded from the organization's domain, to their personal Google Drive, OneDrive, or any supported cloud storage app.
* An employee working on an organization's code repository who attempts to upload a file to developer forums, LLM services, or generative AI apps like ChatGPT.

#### Scenario 2: Allowing upload action only to approved destinations

An organization allows employees to store work documents only in corporate-managed OneDrive or Google Drive but wants to prevent uploads to personal accounts.

**Solution**

Configure the filters in the [Scope](/data-exfiltration-prevention/exfiltration_endpoint/policies/scope.md) section to scope the policy to include the domains to be monitored (for instance, your organization's Google Drive or OneDrive). Now, any files downloaded from the configured domains are monitored. Configure the [Trigger](/data-exfiltration-prevention/exfiltration_endpoint/policies/trigger.md) section to monitor only unsanctioned domains. Finally, enable the **Block** automated action. Now any attempt to upload a file to sanctioned domains is allowed.
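The following is a conceptual model of how the two scenarios combine file origin (Scope) and upload destination (Trigger). It is an added illustration, not Nightfall's code or API; the domain lists, function names, the `detect_only` outcome, and the fnmatch-style wildcard semantics are all assumptions.

```python
from fnmatch import fnmatch

# Constructed policy values for illustration only.
SCOPED_ORIGINS = ["*.drive.google.com", "*.force.com"]   # Scope: monitored sources
SANCTIONED_DESTINATIONS = ["*.sharepoint.com", "corp-drive.example.com"]


def host_matches(host, patterns):
    """Case-insensitive wildcard match of a hostname against a pattern list.

    Assumed semantics: '*' matches any run of characters, so '*.force.com'
    matches 'acme.my.force.com' but not the bare 'force.com' or 'notforce.com'.
    """
    host = host.lower().rstrip(".")
    return any(fnmatch(host, p.lower()) for p in patterns)


def evaluate_upload(origin_host, destination_host, block_enabled=True):
    """Return 'allow', 'block' or 'detect_only' for one upload attempt.

    origin_host is where the file was downloaded from (None if unknown).
    """
    # Files that did not come from a scoped origin are outside the policy.
    if origin_host is None or not host_matches(origin_host, SCOPED_ORIGINS):
        return "allow"
    # Scoped file headed to a sanctioned destination: trigger condition not hit.
    if host_matches(destination_host, SANCTIONED_DESTINATIONS):
        return "allow"
    # Scoped file headed anywhere else: the trigger fires. The transfer is
    # stopped only when the Block toggle is enabled.
    return "block" if block_enabled else "detect_only"


if __name__ == "__main__":
    # Constructed upload attempts: (origin, destination).
    attempts = [
        ("acme.my.force.com", "www.icloud.com"),               # Scenario 1
        ("docs.drive.google.com", "corp-drive.example.com"),   # Scenario 2
        ("news.example.org", "www.icloud.com"),                # out of scope
        ("drive.google.com", "www.icloud.com"),                # bare host, no match
    ]
    for origin, dest in attempts:
        print(f"{origin} -> {dest}: {evaluate_upload(origin, dest)}")
```

Under the assumed matching, a pattern that starts with `*.` does not cover the bare parent host, so a model like this needs both entries listed if both should be in scope.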

