Automated Actions
Learn more about how automated actions work in a Nightfall exfiltration policy.
This section describes the action that Nightfall takes automatically when an exfiltration attempt is detected. The automated action fires when the condition defined in the Trigger section of the policy is violated.
Nightfall currently supports one automated action, Block, described below.
Block stops the file transfer in progress, so the exfiltration attempt never completes. Use it to prevent uploads of files containing sensitive data to web browsers or cloud storage apps. The action is off by default; enable its toggle switch in the policy to activate it. With the toggle off, the policy still detects the attempt but does not stop it.
By combining the Scope section (where a file came from) with the Trigger section (where it is being sent), you can use Block to:
Block transfers based on file origin: block the upload of any file that was downloaded from a highly sensitive SaaS application, regardless of destination.
Block transfers based on destination: allow uploads only to sanctioned destinations and block everything else.
Combine origin and destination: build DLP policies that consider both where a file came from and where it is headed.
Currently, the Block action is supported only on macOS devices.
Some scenarios in which the automatic Block action is useful are described below.
Scenario: employees open confidential reports in an internal data repository and then attempt to upload them to personal iCloud or an unsanctioned personal email service.
Solution
In the Scope section, add the domains whose downloads should be monitored (for example your organization's *.drive.google.com or *.force.com). From then on, every file downloaded from those domains is tracked. In the Trigger section, configure the policy to fire when a tracked file is uploaded to an unsanctioned destination (for example personal iCloud or any domain that is not corporate-sanctioned). Finally, enable the Block automated action.
With this configuration, if a user downloads a file from the organization's Google Drive or Salesforce and attempts to upload it to their personal iCloud, the upload is blocked and the user is shown an error message explaining that the transfer was stopped by policy.
Other scenarios that follow the same pattern include:
A healthcare organization that prevents employees from uploading customer health data, downloaded from the organization's own domain, to a personal Google Drive, OneDrive, or any other supported cloud storage app.
An engineer working in the organization's code repository who attempts to upload a source file to a developer forum, an LLM service, or a generative AI app such as ChatGPT.
Scenario: an organization allows employees to store work documents only in corporate-managed OneDrive or Google Drive, and wants to prevent uploads of those documents to personal accounts.
Solution
In the Scope section, add the domains whose downloads should be monitored (for example the organization's Google Drive or OneDrive tenant). Every file downloaded from those domains is then tracked. In the Trigger section, list the sanctioned destinations so that the policy fires only on uploads to unsanctioned domains. Finally, enable the Block automated action. Uploads of a tracked file to a sanctioned domain proceed normally, while uploads to any other domain are blocked.
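The following is an added example, not part of the original page and not Nightfall's own policy engine. It models the three Scope/Trigger patterns above (origin-only, destination-only, combined) and both worked scenarios as a small policy evaluator: the Scope is a list of monitored origin domains, the Trigger is a list of sanctioned destinations, and the Block toggle decides whether a tripped trigger stops the upload. The wildcard semantics (a pattern such as *.force.com matching the bare domain and any subdomain, on whole DNS labels only) and the three outcome names are assumptions made for this example. It distinguishes an upload that is allowed because the destination is sanctioned from one that is ignored because the file never came from a monitored origin, which is the difference a practitioner most often has to explain when a policy "does not fire".

```python
"""Hypothetical model of an exfiltration policy (Scope, Trigger, Block).

Illustrative only: this is not Nightfall's implementation. Domain-matching
semantics and the outcome labels below are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Sequence
from urllib.parse import urlparse

BLOCK, ALLOW, OUT_OF_SCOPE = "block", "allow", "out_of_scope"


def host_of(url: str) -> str:
    """Return the lower-cased host of a URL ('' if the URL has none)."""
    return (urlparse(url).hostname or "").lower()


def domain_matches(host: str, pattern: str) -> bool:
    """Match a host against a Scope/Trigger domain pattern.

    Assumed semantics: '*.example.com' matches example.com and any of its
    subdomains; a plain 'example.com' matches only that exact host. Matching
    is on whole DNS labels, so '*.force.com' does not match 'notforce.com'.
    """
    pattern = pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


@dataclass
class ExfiltrationPolicy:
    """monitored_origins: the Scope. None means every file is in scope
    (destination-only policy); a list means only files downloaded from a
    matching domain are tracked.
    sanctioned_destinations: the Trigger. Uploading an in-scope file anywhere
    not listed here trips the trigger; an empty list blocks every destination
    (origin-only policy).
    block: the automated-action toggle. Off means detect only, never stop."""
    monitored_origins: Optional[Sequence[str]]
    sanctioned_destinations: Sequence[str] = ()
    block: bool = True

    def in_scope(self, origin: Optional[str]) -> bool:
        if self.monitored_origins is None:
            return True
        if origin is None:          # never saw where this file came from
            return False
        return any(domain_matches(origin, p) for p in self.monitored_origins)

    def sanctioned(self, destination: str) -> bool:
        return any(domain_matches(destination, p)
                   for p in self.sanctioned_destinations)

    def evaluate(self, origin: Optional[str], destination: str) -> str:
        """Decide what happens to an upload of a file with the given origin."""
        if not self.in_scope(origin):
            return OUT_OF_SCOPE
        if self.sanctioned(destination):
            return ALLOW
        return BLOCK if self.block else ALLOW   # toggle off: detect only


@dataclass
class Endpoint:
    """Simulates the agent: remembers each file's download origin so that a
    later upload of the same file can be judged against the policy."""
    policy: ExfiltrationPolicy
    origins: Dict[str, str] = field(default_factory=dict)

    def download(self, path: str, url: str) -> None:
        self.origins[path] = host_of(url)

    def upload(self, path: str, url: str) -> str:
        return self.policy.evaluate(self.origins.get(path), host_of(url))


def scenario_combined() -> Dict[str, str]:
    """Scenario 1 from the page: track Salesforce/Drive downloads, allow
    only corporate Drive and SharePoint as destinations. Constructed data."""
    policy = ExfiltrationPolicy(
        monitored_origins=["*.drive.google.com", "*.force.com"],
        sanctioned_destinations=["drive.google.com", "*.sharepoint.com"],
    )
    ep = Endpoint(policy)
    ep.download("report.xlsx", "https://acme.my.force.com/reports/123")
    return {
        "to_icloud": ep.upload("report.xlsx", "https://www.icloud.com/iclouddrive"),
        "to_corp_drive": ep.upload("report.xlsx", "https://drive.google.com/upload"),
        "untracked_file": ep.upload("notes.txt", "https://www.icloud.com/iclouddrive"),
    }


if __name__ == "__main__":
    print(scenario_combined())
```

Two checks worth running against a real policy follow directly from the model: a file whose download was never observed (copied from a USB stick, created locally) is out of scope, not allowed, so an origin-scoped policy says nothing about it; and a destination pattern written without the leading "*." matches only that exact host, so a sanctioned OneDrive tenant on a tenant-specific subdomain needs the wildcard form.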