Remediation for macOS Policies

This document explains what admins can do when a macOS policy is violated.

Managing Violations in Nightfall

Nightfall admins can manage violations from within the Nightfall console. The Events page in Nightfall lists all the violations under the Exfiltration tab. End-users can get a detailed view of each exfiltration violation recorded.

To view violations in Nightfall

  1. Navigate to Exfiltration Prevention from the left menu.

Steps 2-6 help you filter the events to only view the alerts generated by macOS.

  2. Click Filter.

  3. Click + Add Filter.

  4. Select Integration.

  5. Select the macOS check box.

  6. Click Apply.

To view historic events, click the Time filter, select the required time period or enter it manually by selecting the Custom Range option. Once the required time period is selected, click Apply. By default, the filter displays results for the Last 7 days. You can click Last 7 Days and choose the required historic time period.

You can click an event to view the details. The detail view window consists of the following tabs.

Summary Tab

The Summary tab consists of the following details.

  • Assets: The name of the uploaded asset(s) that was exfiltrated.

  • Policy: The name of the policy violated.

  • Device ID: The device ID of the device from which the asset was uploaded.

  • Machine Name: The physical name of the device from which the asset was uploaded.

  • Browser Name: The name of the browser from which the asset was uploaded. This field is applicable only for browser uploads.

  • Domain: The domain URL to which the asset containing sensitive data was uploaded. This field is applicable only for browser uploads. When you hover over a domain that is not added to any Collection, you can choose to add it to an existing Collection or create a new one. If you are already leveraging the domain collection as part of your monitoring policies, the new addition will be automatically picked up. For example, if the domain is added to a collection of sanctioned domains your policy is ignoring, future uploads to this destination will be ignored.

  • App Name: The name of the cloud storage app to which the asset containing sensitive data was uploaded. This field is applicable only for uploads done to cloud storage apps.

  • Account Type: The nature of the cloud storage app to which the asset was uploaded. The account type is generally either Personal account or Business account. This field is applicable only for uploads done to cloud storage apps.

  • Upload Start Time: The start date and start time of the upload.

  • Upload End Time: The end date and end time of the upload.

The Summary tab for a Browser upload action is as follows.

The Summary tab for a Cloud storage app event is as follows.

The Summary tab also displays a log of activities that occurred on the Event. The first log entry is always the asset creation date. The subsequent log entries display the actions applied to the event. You can also add comments on the Summary tab. Comments you add can be viewed by other users as well.

Assets Tab

This tab displays the details of the asset that was uploaded to a domain or cloud storage app. The asset tab also displays a number in brackets. This number indicates the number of assets that were uploaded as part of the event.

In the following image, two assets were uploaded, and these four uploads together triggered the event. When multiple assets are involved, you can use the drop-down menu to switch between assets and view each asset's details.

The Assets tab displays the following details.

  • Name: The name of the asset uploaded.

  • Where: The location of the asset in the device.

  • Medium: The medium used to upload the asset. This can be browser or cloud storage app.

  • Size: The size of the asset.

Asset History

The Assets tab also contains the Asset History section. This section displays the source or origin from where the asset was downloaded. Additionally, it also displays the destinations to which the asset was uploaded. If the source and destination details are not available, this section does not display any information. Users can use the time filter to view historic data. By default, the asset history is displayed for the last 7 days. You can click the Last 7 Days drop-down menu to view historic asset details.

Device Tab

The device tab displays the details of the device used to upload the asset. You can view the following details on this tab.

  • Device ID: The device ID of the device from which the asset was uploaded.

  • Device Name: The name of the device from which the asset was uploaded.

  • Connection Status: The current status of the device. This can either be Connected or Disconnected. If the device is not in contact with the Nightfall agent for more than 6 hours, the connection status changes to disconnected.

  • OS: The operating system used on the device.

  • MAC Address: The physical MAC address of the device.

  • Last Connection: The date and time when the device was last connected.

  • Agent Version: The Nightfall agent version installed on the device.

  • OS Version: The macOS version used on the device.

Important

If a user uploads the same file to multiple browser destinations (say 3), 3 exfiltration events are generated. However, if you upload multiple files to the same destination, only a single event is generated.

If multiple violations are recorded within a span of five minutes, all the violations are clubbed under a single exfiltration event. The Assets Tab of this event displays the details of each asset.

However, if you upload multiple files to different browser domains, or multiple files to different cloud storage apps, within a span of five minutes, a separate exfiltration event is generated for each uploaded file.
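To make the grouping rules above concrete, the following Python sketch is an added illustration (not Nightfall's code) of how a set of uploads maps to exfiltration events under those rules: uploads are grouped per destination, and uploads to the same destination within five minutes are clubbed into one event. It assumes the five-minute window is anchored at the first upload of each event, which the page does not specify, and uses constructed sample uploads.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # clubbing window stated on the page


@dataclass
class Upload:
    asset: str
    medium: str        # "browser" or "cloud_app"
    destination: str   # browser domain or cloud storage app name
    at: datetime


@dataclass
class Event:
    medium: str
    destination: str
    start: datetime
    assets: list = field(default_factory=list)  # what the Assets tab would list


def group_events(uploads):
    """Map uploads to the exfiltration events the documented rules would produce.

    Assumption (not stated on the page): an event accepts further uploads to the
    same destination for WINDOW after its first upload, then a new event starts.
    """
    events = []
    open_events = {}  # (medium, destination) -> event still accepting uploads
    for up in sorted(uploads, key=lambda u: u.at):
        key = (up.medium, up.destination)
        ev = open_events.get(key)
        if ev is None or up.at - ev.start > WINDOW:
            ev = Event(up.medium, up.destination, up.at)
            events.append(ev)
            open_events[key] = ev
        ev.assets.append(up.asset)
    return events


# Constructed sample: one file to three destinations, a second file to the first
# domain inside the window, and a third file to that domain after the window.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    Upload("salaries.xlsx", "browser", "paste.example", T0),
    Upload("salaries.xlsx", "browser", "share.example", T0 + timedelta(minutes=1)),
    Upload("salaries.xlsx", "cloud_app", "Dropbox", T0 + timedelta(minutes=2)),
    Upload("contracts.pdf", "browser", "paste.example", T0 + timedelta(minutes=3)),
    Upload("notes.txt", "browser", "paste.example", T0 + timedelta(minutes=20)),
]

if __name__ == "__main__":
    for ev in group_events(SAMPLE):
        print(ev.medium, ev.destination, ev.start.time(), ev.assets)
```

The sample yields four events: the same file sent to three destinations produces three events, the second file to the first domain is clubbed into that domain's event, and the late upload opens a fresh event.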

Actions

You can perform the following actions on all three tabs. These actions are present at the bottom.

  • Copy Event Link: This action copies the link of the event to the clipboard.

  • Acknowledge: This action modifies the status of the event to Acknowledged.

  • Resolve: This action resolves the event and modifies the status to resolved.

  • Ignore: This action ignores the event and modifies the status to ignored.
