Recommended Policy Configurations

Policy Recommendations


Nightfall provides a set of reference policy configurations for common data exfiltration scenarios. Each template below describes recommended trigger types, detection rules, scope settings, and actions that you can use as a starting point when creating a new policy in the Nightfall console.


Use case

Block employees from uploading files or pasting sensitive data into external AI assistants such as ChatGPT, Claude.ai, Microsoft Copilot, and Google Gemini.

Configuration

Scope

  • OS: macOS and Windows

  • Users: All users (or scope to specific groups with elevated data access)

  • Content scanning: Enabled

Triggers

  • Browser uploads - Domain in: AI Tools domain collection (add chat.openai.com, claude.ai, gemini.google.com, copilot.microsoft.com, perplexity.ai, and any others in use)

  • Desktop app - Enabled; covers thick-app versions of ChatGPT and Microsoft 365 Copilot (Word, Excel, PowerPoint, Teams AI)

Detection rules

Enable content scanning with the following detectors:

  • PII - names, SSNs, driver's license numbers, dates of birth

  • PCI - credit card numbers, routing numbers, IBAN

  • PHI - patient records and health information

  • Credentials & API keys - secrets, tokens, private keys

  • File classifiers - financial, HR, legal, M&A, source code documents

Actions

  • Automated action: Block

  • End-user notification: Enabled - recommended message: "This file or content contains sensitive data and cannot be uploaded to external AI tools. Contact your security team if you have a business need."

  • Allow override with justification: Optional - enable if your organization wants users to self-certify a business reason before the action is allowed.

Prerequisites

  • Mac Agent v1.2.11.x or later (desktop app monitoring)

  • Windows Agent v1.4.9.0 or later (thick app: Outlook, Teams, WhatsApp); v1.4.11.0 or later (M365 Copilot)

  • AI Tools domain collection created under Domain Collections

  • Nightfall browser extension deployed to managed browsers


Recommendation 2: Block Exfiltration to Personal Cloud Storage

Use case

Prevent employees from copying corporate files to personal Google Drive, Dropbox, OneDrive, or Box accounts - including both browser-based uploads and locally synced folders.

Configuration

Scope

  • OS: macOS and Windows

  • Session detection: Enable corporate/personal account differentiation - this ensures the policy fires only when the destination is a personal account, not a corporate Google or Microsoft account

  • Users: All users

Triggers

  • Browser uploads - Domain in: Personal Cloud Storage domain collection (drive.google.com, dropbox.com, onedrive.live.com, box.com)

  • Cloud syncing - Enabled; select Google Drive, OneDrive, Dropbox, Box

Detection rules

Enable content scanning with:

  • PII, PCI, PHI, Credentials & API keys - broad sensitive data coverage

  • File classifiers - financial, legal, HR, M&A, source code

Actions

  • Automated action: Block

  • Admin alert: Enabled - route to your security team's notification channel

  • End-user notification: Enabled - "Corporate files cannot be transferred to personal cloud storage accounts."

Prerequisites

  • Mac Agent v1.2.10.x or later

  • Windows Agent v1.4.9.0 or later

  • Directory sync configured (required for corporate/personal account differentiation)

  • Personal Cloud Storage domain collection created


Recommendation 3: Prevent Credential and API Key Leaks

Use case: Block secrets - API keys, passwords, and cryptographic private keys - from being uploaded or pasted to any external destination.

Configuration

Scope

  • OS: macOS and Windows

  • Users: All users; consider prioritizing engineering and DevOps groups for immediate rollout

Triggers

  • Browser uploads - Any domain

  • Clipboard paste - Any destination

  • Desktop app - Enabled; covers messaging apps and email clients

Detection rules

Enable content scanning with:

  • API keys & secrets - AWS, Azure, Google, Stripe, Okta, Slack, GitHub, and 50+ service-specific key formats

  • Passwords & credentials - username/password patterns in text and code

  • Cryptographic keys - RSA private keys, EC private keys (PEM-encoded)

Actions

  • Automated action: Block

  • End-user notification: Enabled - "A secret or API key was detected. This content cannot be shared externally. Rotate the key immediately if it was already exposed."

Note: This template has a low false-positive rate because credential detectors are highly specific. Block mode is safe to enable from the start.

Prerequisites

  • Mac Agent v1.2.11.x or later

  • Windows Agent v1.4.9.0 or later

  • Nightfall browser extension deployed
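To make concrete what the credential detectors in this template look for, and why Block mode is safe from the start, here is an added Python example; it is not Nightfall's detector code. The three patterns are deliberately simplified stand-ins (Nightfall covers 50+ key formats), the clipboard paste is constructed, and the AWS key value is the placeholder AWS uses in its own documentation.

```python
import re
from dataclasses import dataclass

# Constructed, simplified stand-ins for the three detector families this template
# enables. Nightfall's real detectors cover 50+ key formats; these illustrate the idea.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*['\"]?[^\s'\"]+"),
}

@dataclass
class Finding:
    detector: str
    line_no: int
    redacted: str   # what the admin alert carries: never the secret itself

def redact(secret: str) -> str:
    """Keep a 4-character prefix so an analyst can recognize the key type, mask the rest."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan_text(text: str) -> list:
    """Run every detector over each line of a clipboard paste or upload body."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in DETECTORS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(name, line_no, redact(m.group(0))))
    return findings

def decide(findings: list, mode: str = "block") -> str:
    """Template default is Block; 'detect' models a detect-only rollout (alert, no block)."""
    if not findings:
        return "allow"
    return "block" if mode == "block" else "alert"

# Constructed paste; AKIAIOSFODNN7EXAMPLE is the placeholder AWS uses in its own documentation.
SAMPLE_PASTE = """Can you fix this deploy config for me?
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db password = hunter2
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_PASTE)
    for f in hits:
        print(f"line {f.line_no}: {f.detector} -> {f.redacted}")
    print("action:", decide(hits))
```

Because each pattern is tied to a specific key format, a hit is rarely ambiguous, which is the property that makes Block a safe first setting; the redacted value is what belongs in the alert, not the secret itself.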


Recommendation 4: Source Code Exfiltration Prevention

Use case: Prevent proprietary source code from being pushed to personal or unauthorized repositories, or uploaded to external destinations via browser or cloud sync.

Configuration

Scope

  • OS: macOS (git push monitoring is macOS-only)

  • Users: Engineering and DevOps groups

  • Content scanning: Enabled

Triggers

  • Git push - Enabled; monitors pushes to remote repositories not in your approved list

  • Browser uploads - Domain in: Personal Code Repos domain collection (add personal GitHub, GitLab, Bitbucket URLs; e.g., github.com personal paths)

  • Cloud syncing - Enabled; detects source code written to personal sync folders

Detection rules

Enable content scanning with:

  • File classifiers - source code classifier for language-agnostic detection

  • Custom regex (optional) - add patterns for internal project identifiers, copyright headers, or proprietary module names

Actions

  • Automated action: Block

  • Admin alert: Enabled

Prerequisites

  • Mac Agent v1.2.10.x or later (git push monitoring)

  • Nightfall browser extension deployed

  • Personal Code Repos domain collection created

  • Directory sync configured (for group-based scoping)


Recommendation 5: PHI Data Protection (HIPAA)

Use case: Detect and block patient health information (PHI) from leaving the endpoint across all exfiltration channels - a foundational policy for HIPAA-covered organizations.

Configuration

Scope

  • OS: macOS and Windows

  • Users: All users - or scope to clinical, operations, and data teams if starting with a pilot

  • Content scanning: Enabled

Triggers

Use all available triggers, configured as independent policies:

  • Browser uploads

  • Cloud syncing

  • Clipboard paste

  • Desktop app (thick app monitoring)

  • Removable media

  • Printer

  • Git push

Detection rules

Enable content scanning with:

  • PHI - patient health information combining personal identifiers with medical context (diagnoses, medications, provider details, insurance data)

  • PII - names, SSNs, dates of birth (supplements PHI detection)

Actions

  • Automated action: Block

  • Admin alert: Enabled - route to compliance and security teams

  • End-user notification: Enabled - "This content contains protected health information (PHI) and cannot be shared externally. Contact your compliance team for assistance."

  • Allow override with justification: Enabled - log all overrides for HIPAA audit trail

Prerequisites

  • Mac Agent v1.2.11.x or later (for full trigger coverage including print and thick apps)

  • Windows Agent v1.4.11.0 or later

  • Directory sync configured


Recommendation 6: Removable Media Data Loss Prevention

Use case: Block sensitive files from being copied to USB drives, external hard drives, and other removable storage devices.

Configuration

Scope

  • OS: macOS and Windows

  • Users: All users

  • Content scanning: Enabled

Triggers

  • Removable media - Enabled

Detection rules

Enable content scanning with:

  • PII - personal identifiable information

  • PCI - payment card data

  • PHI - health information

  • Credentials & API keys

  • File classifiers - HR, financial, legal, M&A documents, source code

Actions

  • Automated action: Block - the file transfer is blocked at the point of write to the removable device

  • End-user notification: Enabled - "Files containing sensitive data cannot be transferred to removable storage devices."

Note: This trigger does not require domain collections. No additional collection setup is needed beyond enabling content scanning.

Prerequisites

  • Mac Agent v1.2.10.x or later

  • Windows Agent v1.4.9.0 or later

  • Coverage for ~1,200+ removable media vendors


Recommendation 7: Financial Data Protection (PCI DSS)

Use case: Protect payment card data and financial records from exfiltration across browser, clipboard, desktop app, and cloud sync channels - supports PCI DSS compliance requirements.

Configuration

Scope

  • OS: macOS and Windows

  • Users: Finance, accounting, and billing teams - scope to these groups for initial rollout; expand to all users after validation

  • Content scanning: Enabled

Triggers

  • Browser uploads - Any domain

  • Clipboard paste - Any destination

  • Desktop app - Enabled

  • Cloud syncing - Enabled

Detection rules

Enable content scanning with:

  • PCI - credit card numbers (Visa, Mastercard, Amex, Discover, JCB, UnionPay), routing numbers, IBAN, SWIFT codes

  • File classifiers - financial documents

Actions

  • Automated action: Block

  • Admin alert: Enabled - route to security and compliance teams

Prerequisites

  • Mac Agent v1.2.11.x or later

  • Windows Agent v1.4.9.0 or later

  • Directory sync configured (for group-based scoping)

  • Nightfall browser extension deployed


Recommendation 8: Corporate IP Protection via File Upload

Use case: Prevent strategically sensitive documents - M&A materials, legal contracts, HR records, and internal financial reports - from being uploaded to external destinations.

Configuration

Scope

  • OS: macOS and Windows

  • Asset origin filter: Optionally restrict to assets originating from corporate domains (files downloaded from internal tools or corporate Google Workspace/SharePoint)

  • Users: Leadership, finance, legal, HR, and strategy teams - scope via directory sync groups

Triggers

  • Browser uploads - Any domain (or refine with a High-Risk Destinations domain collection)

  • Cloud syncing - Enabled

  • Desktop app - Enabled

Detection rules

Enable content scanning with:

  • File classifiers - M&A, legal, financial, HR, regulatory documents

  • Custom keywords (optional) - add internal project codenames, product names, or division identifiers relevant to your organization

Actions

  • Automated action: Block

  • Admin alert: Enabled

  • Allow override with justification: Recommended - many IP-related transfers have legitimate business reasons; log justifications for audit

Prerequisites

  • Mac Agent v1.2.11.x or later

  • Windows Agent v1.4.9.0 or later

  • Directory sync configured (for group-based scoping)

  • Nightfall browser extension deployed


Recommendation 9: Clipboard Paste to Personal Accounts and Risky Destinations

Use case: Detect and block sensitive content copied from internal tools and pasted into personal email, consumer AI assistants, social platforms, or other unsanctioned destinations - using corporate/personal account differentiation.

Configuration

Triggers

  • Clipboard paste - Destination: Domain in Unsanctioned Destinations domain collection

Build your Unsanctioned Destinations domain collection to include:

  • Personal email: mail.google.com, outlook.live.com, yahoo.com

  • Consumer AI: chat.openai.com, claude.ai, gemini.google.com

  • Social media: twitter.com, linkedin.com, facebook.com, reddit.com

  • Personal cloud: drive.google.com, dropbox.com

Use corporate/personal session detection to ensure the policy fires only when the destination session is a personal (non-corporate) account on supported domains.

Detection rules

Enable content scanning with:

  • PII, PCI, PHI - broad regulated data coverage

  • Credentials & API keys

  • File classifiers - financial, legal, HR, M&A

Scope

  • OS: macOS and Windows

  • Session detection: Enable corporate/personal account differentiation (requires directory sync and Corporate Domains collection)

  • Users: All users

Actions

  • Automated action: Block

  • End-user notification: Enabled - "This content contains sensitive data and cannot be pasted into personal accounts or external services."

  • Allow override with justification: Enabled - allows employees to self-certify a business justification; logged for review

Prerequisites

  • Mac Agent v1.2.11.x or later

  • Windows Agent v1.4.9.0 or later

  • Directory sync configured

  • Corporate Domains collection configured (for personal vs. corporate account filtering)

  • Unsanctioned Destinations domain collection created
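The corporate/personal account differentiation that this template and Recommendation 2 depend on, as an added Python example (not Nightfall's own policy engine): a small evaluator that applies the Unsanctioned Destinations collection, checks the signed-in account against a Corporate Domains collection, and returns the action, including the detect-only and override-with-justification variants. The corporate domain acme-example.com, the SESSION_AWARE set of destinations where a sign-in can be identified, and the sample events are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed domain collections mirroring the ones the template tells you to build.
# acme-example.com is a placeholder for your own Corporate Domains collection.
CORPORATE_DOMAINS = {"acme-example.com"}
UNSANCTIONED_DESTINATIONS = {
    "mail.google.com", "outlook.live.com", "yahoo.com",           # personal email
    "chat.openai.com", "claude.ai", "gemini.google.com",          # consumer AI
    "twitter.com", "linkedin.com", "facebook.com", "reddit.com",  # social media
    "drive.google.com", "dropbox.com",                            # personal cloud
}
# Assumption: destinations where the agent can tell a corporate sign-in from a
# personal one (Google/Microsoft accounts). Elsewhere no session info exists.
SESSION_AWARE = {"mail.google.com", "drive.google.com", "gemini.google.com", "outlook.live.com"}

@dataclass
class PasteEvent:
    destination: str                  # domain receiving the clipboard paste
    account: Optional[str]            # signed-in account at the destination, if known
    detectors_hit: List[str] = field(default_factory=list)  # e.g. ["PII", "PCI"]
    justification: Optional[str] = None                     # user-supplied override reason

def session_is_personal(event: PasteEvent) -> bool:
    """Corporate/personal differentiation: a sign-in whose domain is in the Corporate
    Domains collection is corporate; anything else on a session-aware destination is
    personal. Assumption: destinations without session info are treated as personal."""
    if event.destination not in SESSION_AWARE or not event.account:
        return True
    return event.account.rsplit("@", 1)[-1].lower() not in CORPORATE_DOMAINS

def evaluate(event: PasteEvent, mode: str = "block", allow_override: bool = True) -> str:
    """Action the policy takes: allow, alert (detect-only), block, or override."""
    if event.destination not in UNSANCTIONED_DESTINATIONS:
        return "allow"                       # trigger did not fire
    if not session_is_personal(event):
        return "allow"                       # corporate account: policy must not fire
    if not event.detectors_hit:
        return "allow"                       # nothing sensitive in the paste
    if mode == "detect":
        return "alert"                       # detect-only rollout: admin alert, no block
    if allow_override and event.justification:
        return "override"                    # self-certified reason, logged for review
    return "block"

if __name__ == "__main__":
    corp = PasteEvent("drive.google.com", "alice@acme-example.com", ["PII"])
    personal = PasteEvent("mail.google.com", "alice@gmail.com", ["PII"])
    print(evaluate(corp), evaluate(personal))   # allow block
```

The same paste of PII is allowed into the corporate Google Drive session and blocked into the personal Gmail session, which is exactly the distinction the Corporate Domains collection and directory sync prerequisites exist to support.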


Custom Policies

Each policy recommendation above is a starting point. Common adjustments:

  • Narrow the scope - start with a specific user group (e.g., finance or engineering) before rolling out to all users, to validate detection accuracy before broad enforcement.

  • Start in detect-only mode - leave the automated action unset and enable admin alerts only. Review policy incidents for 1–2 weeks before switching to Block.

  • Add custom detectors - supplement the built-in detectors with custom LLM-based file classifiers or prompt-based classifiers specific to your organization's sensitive data.

  • Tune domain collections - review and expand domain collections regularly as new AI tools, cloud apps, and risky destinations emerge. App Intelligence categorizes discovered apps by risk, which you can use to keep the lists current; add the domains or apps you want to monitor and block to the relevant domain collections.
