Frequently Asked Questions (FAQs)

Is User Session Check enabled by default?

No. It must be explicitly enabled in endpoint exfiltration policies.

Why is the Account Type field empty in some events?

Session differentiation only applies to supported domains and actions. If unavailable, the field remains empty.

Does this work on the same domain (e.g., Google Drive → Google Drive)?

Yes. Differentiation is based on account session, not just domain.

Can I block only personal account usage but allow corporate usage?

Yes. Use Domain in with Corporate Domains and enable User Session Check.

How is the Corporate Domains collection auto-populated and from where are these default domains collected?

Nightfall automatically populates the Corporate Domains collection by analyzing user email addresses and email alias domains from all connected identity providers (IdPs), including Okta, Entra ID, and Google Directory. Any domain or alias domain associated with users in these directory services is treated as a corporate domain.

The initial population happens when the Nightfall endpoint agent is first enabled (on the first provisioned OS, macOS or Windows). At that time, Nightfall fetches all user email and alias domains from the connected identity providers and populates the Corporate Domains collection.

After the initial population, the collection is periodically refreshed (hourly) to capture any newly discovered domains or updates from the connected identity providers.

Do all supported browsers have the same security coverage?

Yes. All supported browsers provide identical protection across file uploads, clipboard actions, and personal vs. business enforcement.

Is Safari supported?

Safari is supported but Nightfall has not yet enabled Safari extension distribution. As a result, customers cannot currently deploy a publicly available Nightfall plugin on Safari but can install a private package.

Why is Perplexity Comet not supported on Windows?

Perplexity Comet’s Windows version prevents third-party browser extension installation, which blocks Nightfall deployment.

Why isn’t ChatGPT Atlas supported on Windows?

ChatGPT Atlas is not available on Windows at this time.

Are AI browsers treated differently from traditional browsers?

No. AI browsers receive the same data protection coverage as traditional browsers when supported.

Are there any feature limitations on Arc, Brave, or Vivaldi?

No. Arc, Brave, and Vivaldi receive full feature parity with Chrome.

Can customers use any browsers across their organization?

Yes. Nightfall policies apply consistently across all supported browsers and operating systems.

What is the detailed browser support on macoS and Windows?

Below is a concise summary of Nightfall functionality across each supported browser and operating system.

Google Chrome

• macOS & Windows: Fully supported

• Capabilities: File uploads, clipboard copy/paste, typed text monitoring, and personal vs. business detection

• Notes: Full feature parity across both operating systems

Microsoft Edge

• macOS & Windows: Fully supported

• Capabilities: File upload protection, clipboard monitoring, typed text inspection, and personal vs. business enforcement

• Notes: Equivalent security coverage to Chrome

Firefox

• macOS & Windows: Fully supported

• Capabilities: Full data exfiltration protection including file uploads, clipboard actions, and personal vs. business detection

• Notes: No functional differences across OS

Arc

• macOS & Windows: Fully supported

• Capabilities: File uploads, clipboard protection, typed input inspection, and personal vs. business detection

• Notes: Full feature parity with Chrome

Brave

• macOS & Windows: Fully supported

• Capabilities: Complete exfiltration protection including file uploads, clipboard actions, and personal vs. business detection

• Notes: No feature gaps compared to Chrome

Vivaldi

• macOS & Windows: Fully supported

• Capabilities: Full coverage for file uploads, clipboard monitoring, typed input, and personal vs. business enforcement

• Notes: Consistent functionality across OS

Perplexity Comet

• macOS: Supported

• Windows: Not supported

• Capabilities (macOS): Full exfiltration protection including file uploads, clipboard actions, typed text, and personal vs. business detection

• Notes: Windows version blocks third-party extension installation

ChatGPT Atlas

• macOS: Supported

• Windows: Not available

• Capabilities (macOS): File uploads, clipboard monitoring, and typed text inspection

• Notes: Personal vs. business detection is not currently supported

Safari

• macOS: Not currently supported for deployment

• Windows: Not supported

• Notes: Safari extension distribution is not yet available

While configuring the Scope section, if I use the Asset Origin Filter and add my Slack domain. Now, if I download a file from the Slack app will Nightfall monitor this download?

Yes. Nightfall monitors the downloads even from the Slack app.

What happens if I don’t configure any removable media filters?

If no Device Type, Vendor, or Serial Number filters are configured, the policy applies to all removable media by default. This is equivalent to selecting Monitor all for every device filter.

How do include and exclude filters work together?

Nightfall evaluates device filters using the following precedence:

1. Include rules are evaluated first

2. Exclude rules always override include rules

3. If no include filters are set, the policy defaults to include all

This ensures that exclusions (for example, approved corporate devices) are always respected.

What if I select a specific vendor and a specific serial number in the removable media filters?

Both conditions must match for the policy to apply:

• The device must belong to the selected vendor

• The device’s serial number must match the specified serial number

If either condition does not match, the policy is not triggered.

What happens if a removable media device matches an included vendor but is explicitly excluded by serial number?

The device will not trigger the policy. Serial number exclusions always take precedence, even if the vendor or device type is included.

What if the device does not report a serial number?

If a removable device does not expose a serial number:

• Vendor and Device Type filters are still evaluated

• Serial number–based include or exclude rules will not match

In these cases, enforcement behavior is determined by the remaining configured filters.

Can I allow only a small number of approved USB devices?

Yes. Configure:

• Action: To removable media

• Serial Number: Specific serial numbers

• Enforcement: Block

Only the listed devices will be allowed. All other removable media will be blocked.

Can I block unknown USB drives but allow corporate-issued ones?

Yes. You can either:

• Exclude approved vendors, or

• Exclude approved serial numbers

All other removable devices will remain in scope for enforcement.

Does Nightfall continuously support new removable media vendors?

Yes. Nightfall supports ~1,200 removable media vendors out of the box, and vendor recognition is continuously updated as new devices are observed in the wild.

Customers do not need to manually onboard new vendors to receive baseline coverage.

Is enforcement applied if no sensitive data is detected?

Removable media policies are only enforced when sensitive content is detected according to your configured detection rules. If no sensitive data is found, the file transfer is allowed. You can also block usage of removable media based on a data lineage policy without any content scanning enabled.

Can I both monitor and block removable media activity?

Yes. Policies can be configured to block transfers while still logging events for audit and investigation purposes.

Which operating systems are supported?

Endpoint Exfiltration Prevention for removable media is supported on:

• Windows endpoints

• macOS endpoints

Behavior may vary slightly based on OS-level device reporting, but enforcement logic remains consistent.

Does Nightfall inspect or scan my source code?

No. Git Push Monitoring does not inspect source code, commits, diffs, file names, or repository contents. Nightfall evaluates only metadata associated with the Git push action, such as the destination URL, repository name, user, and device. To scan secrets or any other PII, PCI, PHI or file classifiers in GitHub, you can use Nightfall’s detection and response policies.

Is any code copied, stored, or transmitted to Nightfall?

No. Nightfall does not collect or store source code. Only high-level metadata required to identify the Git push event is processed.

Does Nightfall block Git pushes?

No. Git Push Monitoring is a monitor-only control. Git operations always complete successfully. When a policy violation occurs, Nightfall generates an event but does not interrupt developer workflows.

What Git commands are supported?

Nightfall detects Git push activity regardless of how the push is initiated. The following commands are supported and validated through testing:

• git push

• git push origin <branch>

• git push --set-upstream origin <branch>

• git push -u origin <branch>

• git push <remote> <branch>

• git push --force / git push -f

• git push --tags

Pushes triggered indirectly (for example, by scripts or wrappers that ultimately invoke git push) are also detected.

Are both HTTPS and SSH Git pushes supported?

Yes. Git Push Monitoring supports:

• HTTPS-based Git remotes (e.g., https://github.com/org/repo.git)

• SSH-based Git remotes (e.g., [email protected]:org/repo.git)

The destination domain is extracted and evaluated consistently across both protocols.

Are IDE-based Git actions supported?

Yes. Git pushes initiated from popular IDEs and Git clients are supported, including:

• VS Code Git integration

• JetBrains IDEs (IntelliJ, PyCharm, WebStorm, etc.)

• GitHub Desktop

• Sourcetree

As long as the IDE ultimately invokes a Git push operation on a managed endpoint, Nightfall detects the activity.

Are terminal / CLI Git pushes supported?

Yes. Git pushes executed directly from:

• macOS Terminal

• iTerm

• Windows Git Bash / PowerShell (where supported by the endpoint agent)

are fully supported.

How does Nightfall handle multiple Git remotes?

If a repository has multiple remotes configured (for example, origin and personal), Nightfall evaluates the specific remote used during the push.

Example:

• git push origin main → evaluated against origin destination

• git push personal main → evaluated against personal destination

Events accurately reflect the remote and destination URL used.

What happens with new, empty, or scratch repositories?

Nightfall detects Git pushes to:

• Newly created repositories

• Empty repositories

• Scratch or temporary repositories

Even if the repository has no prior history, detection is based on the destination domain and repository URL.

How are corporate GitHub and GitLab organizations supported?

Customers can define approved Git destinations using Domain Collections, including:

• GitHub organizations (e.g., github.com/company-org/*)

• GitLab cloud namespaces

Wildcard matching is supported to simplify configuration.

What happens if a developer pushes to a personal GitHub account?

If the destination domain or repository does not match the approved domain list:

• The push succeeds

• A Git Push event is generated

• Security teams can investigate and respond

Are unmanaged devices monitored?

No. Git Push Monitoring requires the Nightfall endpoint agent. Git activity from unmanaged or offline devices is not detected.

What are the supported scenarios and capabilities with git push monitoring?

Support Matrix - The following matrix summarizes supported scenarios with git push monitoring by Nightfall: