Remediation for MAC OS Policies
This document explains what admins can do when a macOS policy is violated.
Managing Violations in Nightfall
Nightfall admins can manage violations from within the Nightfall console. The Events page in Nightfall lists all the violations under the Exfiltration tab. End-users can get a detailed view of each exfiltration violation recorded.
To view violations in Nightfall
Navigate to Exfiltration Prevention from the left menu.
Steps 2-6 help you filter the events to only view the alerts generated by macOS.
Click Filter.
Click + Add Filter.
Select Integration.
Select the macOS check box.
Click Apply.
Select Integration.
Select the macOS check box.
Select Integration.
Select the macOS check box.
Click Apply.
You can click an event to view the details. The detail view window consists of the following tabs.
Summary Tab
The Summary tab consists of the following details.
Assets: The name of the uploaded asset(s) that was exfiltrated.
Policy: The name of the policy violated.
Device ID: The device ID of the device from which the asset was uploaded.
Machine Name: The physical name of the device from which the asset was uploaded.
Browser Name: The name of the browser from which the asset was uploaded. This field is applicable only for those events that were triggered by the browser upload action.
App Name: The name of the cloud storage app to which the asset containing sensitive data was uploaded. This field is applicable only for uploads done to cloud storage apps.
Account Type: The nature of the cloud storage app to which the asset was uploaded. The account type is generally either a personal account or a business account. This field is applicable only for uploads done to cloud storage apps.
Upload Start Time: The start date and start time of the upload.
Upload End Time: The end date and end time of the upload.
The Summary tab for a Browser upload action is as follows.
The Summary tab for a Cloud storage app event is as follows.
The Summary tab for a Clipboard Paste action is as follows.
The Summary tab also displays a log of activities that occurred on the event. The Summary tab also displays a log of activities that occurred on the event. The first log entry is always the asset creation date. The subsequent logs display the actions applied to the event. You can also add comments on the Summary tab. The comments added by you can be viewed by other users as well.
Assets Tab
This tab displays the details of the asset that was uploaded to a domain or cloud storage app. The asset tab also displays a number in brackets. This number indicates the number of assets that were uploaded as part of the event.
In the following image, there are two assets that were uploaded, and these four uploads together triggered the event. In such cases when there are multiple assets involved, you can use the drop-down menu to switch between assets and view the asset details.
The Assets tab displays the following details for the Browser upload action and the Cloud Storage app action.
Name: The name of the asset uploaded.
Where: The location of the asset in the device.
Medium: The medium used to upload the asset. This can be a browser or cloud storage app.
Size: The size of the asset.
Asset History
The Assets tab also contains the Asset History section. This section displays the source or origin from where the asset was downloaded. Additionally, it also displays the destinations to which the asset was uploaded. If the source and destination details are not available, this section does not display any information. Users can use the time filter to view historic data. By default, the asset history is displayed for the last 7 days. You can click the Last 7 Days drop-down menu to view historic asset details.
Asset Tab for Clipboard Paste Action
The assets tab for the copy/paste action displays the following information.
Content Origin: The site from which the data was copied. If Nightfall cannot find the origin, this field displays Local Machine (Unknown origin).
Content Destination: The location where the copied information was pasted.
Time of Copy: The date and time when the data was copied.
Time of Paste: The date and time when the data was pasted.
If the copy/pasted content contains sensitive data, the asset tab displays the sensitive data and also the text surrounding the sensitive data. The sensitive data is highlighted so that it can be recognized easily.
The asset history section displays the timeline and the number of times data was copied and pasted.
Device Tab
The device tab displays the details of the device used to upload the asset. You can view the following details on this tab.
Device ID: The device ID of the device from which the asset was uploaded.
Device Name: The name of the device from which the asset was uploaded.
Connection Status: The current status of the device. This can either be Connected or Disconnected. If the device is not in contact with the Nightfall agent for more than 6 hours, the connection status changes to disconnected.
OS: The operating system used on the device.
MAC Address: The physical MAC address of the device.
Last Connection: The date and time when the device was last connected.
Agent Version: The Nightfall agent version installed on the device.
OS Version: The MAC OS version used on the device.
Actions
You can perform the following actions on all three tabs. These actions are present at the bottom.
Copy Event Link: This action copies the link of the event to the clipboard.
Acknowledge: This action modifies the status of the event to Acknowledged.
Resolve: This action resolves the event and modifies the status to resolved.
Ignore: This action ignores the event and modifies the status to ignored.
Last updated
Was this helpful?
