# Recommended Policy Configurations

## Policy Recommendations

***

Nightfall provides a set of reference policy configurations for common data exfiltration scenarios. Each template below describes recommended trigger types, detection rules, scope settings, and actions that you can use as a starting point when creating a new policy in the Nightfall console.

***

### Recommendation 1: Block Sensitive Data Uploads to External AI Assistants

#### **Use case**

Block employees from uploading files or pasting sensitive data into external AI assistants such as ChatGPT, Claude.ai, Microsoft Copilot, and Google Gemini.

#### Configuration

**Scope**

* **OS:** macOS and Windows
* **Users:** All users (or scope to specific groups with elevated data access)
* **Content scanning:** Enabled

**Triggers**

| Trigger         | Setting                                                                                                                                                                                     |
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Browser uploads | Domain in: **AI Tools** domain collection (add `chat.openai.com`, `claude.ai`, `gemini.google.com`, `copilot.microsoft.com`, `perplexity.ai`, and any others in use)                        |
| Desktop app     | Enabled - covers thick-app versions of ChatGPT and Microsoft 365 Copilot (Word, Excel, PowerPoint, Teams AI)                                                                                |

**Detection rules**

Enable content scanning with the following detectors:

* **PII** - names, SSNs, driver's license numbers, dates of birth
* **PCI** - credit card numbers, routing numbers, IBAN
* **PHI** - patient records and health information
* **Credentials & API keys** - secrets, tokens, private keys
* **File classifiers** - financial, HR, legal, M&A, source code documents

**Actions**

* **Automated action:** Block
* **End-user notification:** Enabled - recommended message: *"This file or content contains sensitive data and cannot be uploaded to external AI tools. Contact your security team if you have a business need."*
* **Allow override with justification:** Optional - enable if your organization wants users to self-certify a business reason before the action is allowed.

#### Prerequisites

* Mac Agent v1.2.11.x or later (desktop app monitoring)
* Windows Agent v1.4.9.0 or later (thick app: Outlook, Teams, WhatsApp); v1.4.11.0 or later (M365 Copilot)
* **AI Tools** domain collection created under Domain Collections
* Nightfall browser extension deployed to managed browsers

***

### Recommendation 2: Block Exfiltration to Personal Cloud Storage

#### **Use case**

Prevent employees from copying corporate files to personal Google Drive, Dropbox, OneDrive, or Box accounts - including both browser-based uploads and locally synced folders.

#### Configuration

**Scope**

* **OS:** macOS and Windows
* **Session detection:** Enable corporate/personal account differentiation - this ensures the policy fires only when the destination is a **personal** account, not a corporate Google or Microsoft account
* **Users:** All users

**Triggers**

| Trigger         | Setting                                                                                                                       |
| --------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| Browser uploads | Domain in: **Personal Cloud Storage** domain collection (`drive.google.com`, `dropbox.com`, `onedrive.live.com`, `box.com`)   |
| Cloud syncing   | Enabled - select Google Drive, OneDrive, Dropbox, Box                                                                         |

**Detection rules**

Enable content scanning with:

* **PII, PCI, PHI, Credentials & API keys** - broad sensitive data coverage
* **File classifiers** - financial, legal, HR, M&A, source code

**Actions**

* **Automated action:** Block
* **Admin alert:** Enabled - route to your security team's notification channel
* **End-user notification:** Enabled - *"Corporate files cannot be transferred to personal cloud storage accounts."*

#### Prerequisites

* Mac Agent v1.2.10.x or later
* Windows Agent v1.4.9.0 or later
* Directory sync configured (required for corporate/personal account differentiation)
* **Personal Cloud Storage** domain collection created

***

### Recommendation 3: Prevent Credential and API Key Leaks

**Use case:** Block secrets - API keys, passwords, and cryptographic private keys - from being uploaded or pasted to any external destination.

#### Configuration

**Scope**

* **OS:** macOS and Windows
* **Users:** All users; consider prioritizing engineering and DevOps groups for immediate rollout

**Triggers**

| Trigger         | Setting                                           |
| --------------- | ------------------------------------------------- |
| Browser uploads | Any domain                                        |
| Clipboard paste | Any destination                                   |
| Desktop app     | Enabled - covers messaging apps and email clients |

**Detection rules**

Enable content scanning with:

* **API keys & secrets** - AWS, Azure, Google, Stripe, Okta, Slack, GitHub, and 50+ service-specific key formats
* **Passwords & credentials** - username/password patterns in text and code
* **Cryptographic keys** - RSA private keys, EC private keys (PEM-encoded)

**Actions**

* **Automated action:** Block
* **End-user notification:** Enabled - *"A secret or API key was detected. This content cannot be shared externally. Rotate the key immediately if it was already exposed."*

> **Note:** This template has a low false-positive rate because credential detectors are highly specific. Block mode is safe to enable from the start.

#### Prerequisites

* Mac Agent v1.2.11.x or later
* Windows Agent v1.4.9.0 or later
* Nightfall browser extension deployed

***

### Recommendation 4: Source Code Exfiltration Prevention

**Use case:** Prevent proprietary source code from being pushed to personal or unauthorized repositories, or uploaded to external destinations via browser or cloud sync.

#### Configuration

**Scope**

* **OS:** macOS (git push monitoring is macOS-only)
* **Users:** Engineering and DevOps groups
* **Content scanning:** Enabled

**Triggers**

| Trigger         | Setting                                                                                                                                          |
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| Git push        | Enabled - monitors pushes to remote repositories not in your approved list                                                                       |
| Browser uploads | Domain in: **Personal Code Repos** domain collection (add personal GitHub, GitLab, Bitbucket URLs; e.g., `github.com` personal paths)            |
| Cloud syncing   | Enabled - detects source code written to personal sync folders                                                                                   |

**Detection rules**

Enable content scanning with:

* **File classifiers** - source code classifier for language-agnostic detection
* **Custom regex** (optional) - add patterns for internal project identifiers, copyright headers, or proprietary module names

**Actions**

* **Automated action:** Block
* **Admin alert:** Enabled

#### Prerequisites

* Mac Agent v1.2.10.x or later (git push monitoring)
* Nightfall browser extension deployed
* **Personal Code Repos** domain collection created
* Directory sync configured (for group-based scoping)

***

### Recommendation 5: PHI Data Protection (HIPAA)

**Use case:** Detect and block patient health information (PHI) from leaving the endpoint across all exfiltration channels - a foundational policy for HIPAA-covered organizations.

#### Configuration

**Scope**

* **OS:** macOS and Windows
* **Users:** All users - or scope to clinical, operations, and data teams if starting with a pilot
* **Content scanning:** Enabled

**Triggers**

Use **all available triggers**, each configured in its own independent policy:

* Browser uploads
* Cloud syncing
* Clipboard paste
* Desktop app (thick app monitoring)
* Removable media
* Printer
* Git push

**Detection rules**

Enable content scanning with:

* **PHI** - patient health information combining personal identifiers with medical context (diagnoses, medications, provider details, insurance data)
* **PII** - names, SSNs, dates of birth (supplements PHI detection)

**Actions**

* **Automated action:** Block
* **Admin alert:** Enabled - route to compliance and security teams
* **End-user notification:** Enabled - *"This content contains protected health information (PHI) and cannot be shared externally. Contact your compliance team for assistance."*
* **Allow override with justification:** Enabled - log all overrides for HIPAA audit trail

#### Prerequisites

* Mac Agent v1.2.11.x or later (for full trigger coverage including print and thick apps)
* Windows Agent v1.4.11.0 or later
* Directory sync configured

***

### Recommendation 6: Removable Media Data Loss Prevention

**Use case:** Block sensitive files from being copied to USB drives, external hard drives, and other removable storage devices.

#### Configuration

**Scope**

* **OS:** macOS and Windows
* **Users:** All users
* **Content scanning:** Enabled

**Triggers**

| Trigger         | Setting |
| --------------- | ------- |
| Removable media | Enabled |

**Detection rules**

Enable content scanning with:

* **PII** - personal identifiable information
* **PCI** - payment card data
* **PHI** - health information
* **Credentials & API keys**
* **File classifiers** - HR, financial, legal, M&A documents, source code

**Actions**

* **Automated action:** Block - the file transfer is blocked at the point of write to the removable device
* **End-user notification:** Enabled - *"Files containing sensitive data cannot be transferred to removable storage devices."*

> **Note:** This trigger does not require domain collections. No additional collection setup is needed beyond enabling content scanning.

#### Prerequisites

* Mac Agent v1.2.10.x or later
* Windows Agent v1.4.9.0 or later
* Coverage for ~1,200+ removable media vendors

***

### Recommendation 7: Financial Data Protection (PCI DSS)

**Use case:** Protect payment card data and financial records from exfiltration across browser, clipboard, desktop app, and cloud sync channels - supports PCI DSS compliance requirements.

#### Configuration

**Scope**

* **OS:** macOS and Windows
* **Users:** Finance, accounting, and billing teams - scope to these groups for initial rollout; expand to all users after validation
* **Content scanning:** Enabled

**Triggers**

| Trigger         | Setting         |
| --------------- | --------------- |
| Browser uploads | Any domain      |
| Clipboard paste | Any destination |
| Desktop app     | Enabled         |
| Cloud syncing   | Enabled         |

**Detection rules**

Enable content scanning with:

* **PCI** - credit card numbers (Visa, Mastercard, Amex, Discover, JCB, UnionPay), routing numbers, IBAN, SWIFT codes
* **File classifiers** - financial documents

**Actions**

* **Automated action:** Block
* **Admin alert:** Enabled - route to security and compliance teams

#### Prerequisites

* Mac Agent v1.2.11.x or later
* Windows Agent v1.4.9.0 or later
* Directory sync configured (for group-based scoping)
* Nightfall browser extension deployed

***

### Recommendation 8: Corporate IP Protection via File Upload

**Use case:** Prevent strategically sensitive documents - M&A materials, legal contracts, HR records, and internal financial reports - from being uploaded to external destinations.

#### Configuration

**Scope**

* **OS:** macOS and Windows
* **Asset origin filter:** Optionally restrict to assets originating from corporate domains (files downloaded from internal tools or corporate Google Workspace/SharePoint)
* **Users:** Leadership, finance, legal, HR, and strategy teams - scope via directory sync groups

**Triggers**

| Trigger         | Setting                                                                    |
| --------------- | -------------------------------------------------------------------------- |
| Browser uploads | Any domain (or refine with a **High-Risk Destinations** domain collection) |
| Cloud syncing   | Enabled                                                                    |
| Desktop app     | Enabled                                                                    |

**Detection rules**

Enable content scanning with:

* **File classifiers** - M&A, legal, financial, HR, regulatory documents
* **Custom keywords** (optional) - add internal project codenames, product names, or division identifiers relevant to your organization

**Actions**

* **Automated action:** Block
* **Admin alert:** Enabled
* **Allow override with justification:** Recommended - many IP-related transfers have legitimate business reasons; log justifications for audit

#### Prerequisites

* Mac Agent v1.2.11.x or later
* Windows Agent v1.4.9.0 or later
* Directory sync configured (for group-based scoping)
* Nightfall browser extension deployed

***

### Recommendation 9: Clipboard Paste to Personal Accounts and Risky Destinations

**Use case:** Detect and block sensitive content copied from internal tools and pasted into personal email, consumer AI assistants, social platforms, or other unsanctioned destinations - using corporate/personal account differentiation.

#### Configuration

**Triggers**

| Trigger         | Setting                                                                |
| --------------- | ---------------------------------------------------------------------- |
| Clipboard paste | Destination: Domain in **Unsanctioned Destinations** domain collection |

Build your **Unsanctioned Destinations** domain collection to include:

* Personal email: `mail.google.com`, `outlook.live.com`, `yahoo.com`
* Consumer AI: `chat.openai.com`, `claude.ai`, `gemini.google.com`
* Social media: `twitter.com`, `linkedin.com`, `facebook.com`, `reddit.com`
* Personal cloud: `drive.google.com`, `dropbox.com`

Use **corporate/personal session detection** to ensure the policy fires only when the destination session is a personal (non-corporate) account on supported domains.

**Detection rules**

Enable content scanning with:

* **PII, PCI, PHI** - broad regulated data coverage
* **Credentials & API keys**
* **File classifiers** - financial, legal, HR, M&A

**Scope**

* **OS:** macOS and Windows
* **Session detection:** Enable corporate/personal account differentiation (requires directory sync and **Corporate Domains** collection)
* **Users:** All users

**Actions**

* **Automated action:** Block
* **End-user notification:** Enabled - *"This content contains sensitive data and cannot be pasted into personal accounts or external services."*
* **Allow override with justification:** Enabled - allows employees to self-certify a business justification; logged for review

#### Prerequisites

* Mac Agent v1.2.11.x or later
* Windows Agent v1.4.9.0 or later
* Directory sync configured
* **Corporate Domains** collection configured (for personal vs. corporate account filtering)
* **Unsanctioned Destinations** domain collection created
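The decision this recommendation describes (domain collection match, then corporate/personal session differentiation, then the override-with-justification path) can be expressed as a small evaluation function. This is an added example, not Nightfall's policy engine: the `example-corp.com` tenant, the set of session-aware domains, and the parent-domain matching rule are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed collections mirroring the ones this recommendation asks you to build.
UNSANCTIONED_DESTINATIONS = {
    "mail.google.com", "outlook.live.com", "yahoo.com",           # personal email
    "chat.openai.com", "claude.ai", "gemini.google.com",          # consumer AI
    "twitter.com", "linkedin.com", "facebook.com", "reddit.com",  # social media
    "drive.google.com", "dropbox.com",                            # personal cloud
}
CORPORATE_DOMAINS = {"example-corp.com"}  # assumed tenant, not a real organization
# Assumption: session detection is only available on these destinations.
SESSION_AWARE_DOMAINS = {"mail.google.com", "drive.google.com", "outlook.live.com"}


@dataclass
class PasteEvent:
    destination: str                      # host the clipboard content is pasted into
    signed_in_account: Optional[str]      # account of the destination session, if known
    sensitive: bool                       # content scanning found PII/PCI/PHI/secrets
    justification: Optional[str] = None   # user-supplied business reason, if any


def in_collection(host, collection):
    """Match the host or any parent domain in the collection (assumed semantics)."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in collection for i in range(len(labels)))


def is_corporate_session(account):
    """A session counts as corporate when its account domain is in Corporate Domains."""
    return account is not None and account.rsplit("@", 1)[-1].lower() in CORPORATE_DOMAINS


def evaluate(event):
    """Return the action the Recommendation 9 policy takes for one paste event."""
    if not event.sensitive or not in_collection(event.destination, UNSANCTIONED_DESTINATIONS):
        return "allow"
    # Corporate/personal differentiation: a corporate session on a session-aware
    # domain (e.g. corporate Gmail) is not treated as a personal destination.
    if in_collection(event.destination, SESSION_AWARE_DOMAINS) and \
            is_corporate_session(event.signed_in_account):
        return "allow"
    if event.justification:
        return "override-logged"  # allowed, with the justification recorded for review
    return "block"
```

Destinations outside the session-aware set are judged on the domain collection alone, so a corporate account signed in to a consumer AI site still triggers the block.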

***

### Custom Policies

Each policy recommendation above is a starting point. Common adjustments:

* **Narrow the scope** - start with a specific user group (e.g., finance or engineering) before rolling out to all users, to validate detection accuracy before broad enforcement.
* **Start in detect-only mode** - leave the automated action unset and enable admin alerts only. Review policy incidents for 1–2 weeks before switching to Block.
* **Add custom detectors** - supplement the built-in detectors with custom LLM-based file classifiers or prompt-based classifiers tailored to your organization's sensitive data.
* **Tune domain collections** - review and expand domain collections regularly as new AI tools, cloud apps, and risky destinations emerge. App Intelligence lists discovered apps categorized by risk; use it to expand the domains and apps your domain collections monitor and block.

