Automated Actions
Learn more about how automated actions work in a Nightfall exfiltration policy.
Last updated
Was this helpful?
Learn more about how automated actions work in a Nightfall exfiltration policy.
Last updated
Was this helpful?
This section describes the various actions that Nightfall takes automatically when an exfiltration attempt is detected. This automated action is triggered when the condition set in the Trigger section is violated.
The automated action supported by Nightfall is described as follows.
This action automatically blocks the process of file transfer thus preventing an exfiltration attempt. You can use this action to prevent the upload of files with sensitive data, to web browsers or cloud storage apps. You must enable the toggle switch to activate the automated action.
You can configure the Scope section and the Trigger section such that you can leverage this feature to:
Block transfer based on file origin: Block the upload of files downloaded from highly sensitive SaaS applications.
Block transfer based on destination: Allow uploads only to sanctioned destinations.
Combine origin and destination: Create powerful DLP policies that factor in both where files came from and where they are headed.
Currently, this action is supported only for MAC devices.
Some use cases scenarios in which you can use the automatic Block action, are as follows.
Employees access confidential reports from an internal data repository and attempt to upload them to personal iCloud or unsanctioned personal email service.
Solution
Configure the filters in the Scope section to scope the policy to include domains to be monitored (for instance your organization *.drive.google.com or *.force.com). Now, any file(s) downloaded from the configured domain(s) are monitored. Configure the Trigger section to trigger an exfiltration action when an attempt is made to upload the downloaded file to an unsanctioned destination (for instance to personal iCloud or a non corporate sanctioned domain). Finally, enable the Block automated action.
In this scenario, if a user downloads a file from an organization's Google Drive or Salesforce and attempts to upload it to their personal iCloud, the action is blocked and user gets the following error message.
Also, other similar scenarios could be
A health department which prevents employees from uploading customer health data, downloaded from organization's domain, to employees' personal Google Drive, OneDrive, or any supported cloud storage app.
An employee working on code repository of an organization, attempting to upload a file to developer forums, LLM services, or generative AI apps like ChatGPT.
An organization allows employees to store work documents only in corporate-managed OneDrive or Google Drive but wants to prevent uploads to personal accounts.
Solution
Configure the filters in the Scope section to scope the policy to include domains to be monitored (for instance your organization Google Drive or OneDrive). Now, any file(s) downloaded from the configured domain(s) are monitored. Configure the Trigger section to monitor only unsanctioned domains. Finally, enable the Block automated action. Now any attempt to upload a file to sanctioned domains is allowed.
