Scope

The Scope section enables you to create an asset lineage based policy in which you can track the journey of an asset from source to destination.

Key Features of Lineage Based Policies

  • Security administrators can set precise exfiltration policies to protect sensitive files that originate from high-value SaaS locations from being exfiltrated to unsanctioned destinations

  • High performance security teams can focus their energy and resources on monitoring assets from high value SaaS domains.

  • By combining content download origin to upload destination, organizations can extend their monitoring to cover any cloud application accessed through the browser, even those without direct API integration.

  • Allows security teams to monitor and prevent data exfiltration not just through direct browser uploads but also through cloud storage sync applications, providing a multi-layered defense against data leaks.

  • With lineage-based policies, organizations can proactively identify and manage risks associated with sensitive content movement, ensuring compliance with data security standards and preventing potential breaches before they occur.

Configuring the Scope Page

The Scope page consists of the following sections.

Operating Systems

This section allows you to select the operating systems to which the policy must be scoped. Nightfall supports Microsoft Windows and Apple macOS. You can choose either operating system or both, based on your organization's requirements. Click the check box of the respective operating system to include it in the scope of the policy. All devices that belong to the selected operating system(s) are monitored by Nightfall.


Devices

By default, Nightfall monitors all the devices that belong to the selected operating system(s). However, you can choose to exclude trusted devices from being monitored. The Exclude Devices section consists of a drop-down menu. This menu lists all the devices that belong to the selected operating system(s). You can select the devices that you wish to exclude from being monitored.

Note: If you have a long list of devices, you can search for a device by entering its device ID.

Content Scanning

The Content Scanning section allows you to scan the downloaded content for sensitive data. You can choose the Nightfall detection rules that you wish to use for scanning the downloaded data. With this feature, you can monitor exfiltration attempts on sensitive data. For instance, you can monitor whether any of the content uploaded to unsanctioned destinations contains regulated information like PCI, PII, or PHI, or organization secrets like credentials, API keys, and so on. You can combine content scanning with the Trigger and Block features to prevent the exfiltration of files containing sensitive data.

To use this feature, you must first select the On option from the drop-down menu and then select the required Nightfall detectors.

If a downloaded file contains sensitive data, it is reported in the exfiltration event. You can check the Assets tab of an exfiltration event to view the sensitive data found. In the following image, you can see that a Detector called Credit Card Number is violated 20 times in one of the files uploaded through the browser.

Filters

The Filters section gives you the flexibility to include and exclude users at a granular level. Once you select the operating system and the devices to be monitored, you can further narrow your scope by using filters. You can apply filters to monitor only assets downloaded from specific domains. Conversely, you can also choose to exclude from monitoring assets downloaded from specific domains. Additionally, you can apply filters to monitor only, or exclude from monitoring, assets downloaded by specific high-risk user groups (like departing users) or functional user groups (like HR, Finance, or Engineering).

Note: You must configure the Directory Sync feature to use the Internal Users and Internal Groups filters.

Asset Origin

The Asset Origin filter allows you to limit the scope of the policy to only those assets which originated from a specific source. To use the asset origin filter, you must click Add Filter and select Asset Origin.

The Asset Origin filter provides the following options:

  • Any Domain: If you select this option, Nightfall monitors assets that originated from (were downloaded from) any domain present in any of the domain collections.

  • Domain in: If you select this option, you must also select the domain collections created in the Domain Collections section. In this case, Nightfall monitors only those assets that originated from a domain that is part of any of the selected domain collection(s).

Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.

  • Domain Not in: If you select this option, you must also select the domain collections created in the Domain Collections section. In this case, Nightfall does not monitor assets that originated from a domain that is part of any of the excluded domain collection(s).

Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.

User Session Check

User Session Differentiation (also referred to as User Session Check) enables Nightfall to distinguish between personal and corporate user accounts on supported SaaS applications, cloud storage platforms, and AI web apps. This capability closes a critical data exfiltration gap by detecting and enforcing policies when sensitive data moves from corporate contexts to personal contexts, even when both occur on the same domain.

This feature is available on macOS and Windows.

Traditional DLP solutions struggle to differentiate who a user is logged in as on dual-use platforms like Google Drive, Microsoft 365, or AI assistants. This creates blind spots where users can bypass controls by switching to personal accounts.

User Session Differentiation enables:

  • Prevention of shadow exfiltration via personal accounts

  • Context-aware enforcement (corporate to corporate vs. corporate to personal)

  • Clear audit trails showing account type involved in an event

  • Confident blocking of high-risk transfers without disrupting legitimate workflows

When enabled, Nightfall:

  • Detects whether the source and/or destination account is corporate or personal

  • Applies policy logic based on session context (not just domain)

  • Captures session metadata for investigation and audit

As an example, if an employee:

  • Downloads a file from their corporate Google Drive

  • Uploads it to their personal Google Drive

Nightfall can detect, alert, or block this action.

Supported Coverage

User Session Differentiation works across 35+ supported domains, including:

Google Workspace

  • Drive, Docs, Gmail, Calendar, Meet, Keep

Microsoft 365

  • OneDrive, SharePoint, Teams, Outlook, Office apps

Cloud Storage

  • Dropbox, Box, iCloud

AI / Shadow AI Apps

  • ChatGPT, Claude.ai, Gemini, Copilot, Perplexity

Session context is captured for:

  • Browser file uploads

  • Clipboard copy/paste actions

How It Works

  1. Browser Extension captures session context on supported domains

  2. Directory Sync from Okta, Entra ID, Google Directory identifies corporate accounts and domains

  3. Corporate Domains collection is populated automatically with the domains from directory sync

  4. User Session Check evaluates source and destination sessions

  5. Policy enforcement occurs based on configuration

Corporate Domains Collection

The Corporate Domains collection represents domains associated with corporate identities (for example, contoso.com). It is required for session differentiation.

  • Automatically populated when the endpoint agent is enabled and once directory sync is set up

  • Happens once, based on the first OS provisioned (macOS or Windows)

  • After initial population, the collection is refreshed via an hourly job

  • You can add more domains to this collection as needed

Note: Corporate Domains are populated immediately upon directory sync and once one or more endpoint agents are installed.

Enabling User Session Differentiation

Requirements

  • Endpoint agent with browser extension

  • macOS: Chrome (1.2.9.x+)

  • Windows: Chrome, Edge, Firefox (1.2.32+)

  • Directory sync enabled (Okta, Google Directory, or Entra ID)

  • Corporate Domains collection configured

  • Browser extension deployed (via MDM or manual install)

macOS (MDM)

  • Deploy NightfallAI_Profile_with_Browser_Extensions.mobileconfig

  • Automatically installs browser extension and logs users in

Windows

  • No additional MDM profile required

User Session Differentiation is available in Endpoint Exfiltration policies and requires the User session check toggle to be enabled.

Where It Appears

The toggle is shown when:

  • Monitoring supported domains

  • Using Domain / URL-based sources or destinations

How to Configure User Session Check

Asset Origin (Trigger)

  1. Defines where data originates from.

  2. Supported operators:

    1. Domain in, Domain not in, Any domain

  3. Example Configurations

    1. Monitor Corporate Sources Only - Use case: Detect data originating from corporate accounts only.

      1. Source: Domain in equals Corporate Domains

      2. User session check: Enabled

    2. Exclude Corporate Sources - Use case: Focus on external or unmanaged sources.

      1. Source: Domain not in equals Corporate Domains

Action (Destination)

  1. Defines where data is going (upload, paste, transfer).

  2. Supported actions include:

    1. Browser uploads to, Clipboard copy/paste

  3. Supported operators:

    1. Domain in, Domain not in, Any domain

Common Policy Use-Cases

  1. Block Corporate to Personal AI Uploads

    1. Source: Domain in → Corporate Domains

    2. Action: Browser upload to → Domain in → AI Assistants

    3. User session check: Enabled

    4. Outcome: Blocks uploads when destination account is personal

  2. Allow Corporate → Corporate, Block Corporate → Personal

    1. Source: Domain in → Corporate Domains

    2. Destination: Domain in → Supported Domains

    3. User session check: Enabled

    4. Result:

      1. Corporate → corporate transfers allowed

      2. Corporate → personal transfers blocked

  3. Detect Personal Account Usage on Approved Apps

    1. Action: Browser uploads to → Domain in → Google Workspace

    2. User session check: Enabled

    3. Use case: Visibility into personal account usage on approved SaaS.

  4. Broad Monitoring (Any → Personal)

    1. Source: Any domain

    2. Destination: Domain in → Supported Domains

    3. User session check: Enabled

    4. Use case: Identify any data entering personal accounts.
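The four use cases above, together with the Asset Origin operators described earlier, follow one decision pattern: an origin filter, a destination filter, and (when the User session check is enabled) a test on the destination account's session type. The following evaluator is an added illustration of that pattern, not Nightfall's code. The Event and Policy classes, the contents of the domain collections, the subdomain-suffix matching rule, and the treatment of an "unknown" session as non-corporate are all assumptions made for the example.

```python
"""Added example (not Nightfall's code): evaluates one exfiltration event
against a lineage-based policy with an optional User session check.
Data model, collection contents and the session rule are assumptions."""
from dataclasses import dataclass, field

# Constructed domain collections: the names follow the page, the members are invented.
COLLECTIONS = {
    "Corporate Domains": {"contoso.com"},
    "AI Assistants": {"chatgpt.com", "claude.ai", "gemini.google.com"},
    "Supported Domains": {"drive.google.com", "onedrive.live.com", "dropbox.com",
                          "chatgpt.com", "claude.ai", "gemini.google.com"},
}


@dataclass
class Event:
    """One browser upload or clipboard paste, with captured session context."""
    source_domain: str     # domain the asset was originally downloaded from
    source_session: str    # "corporate" | "personal" | "unknown"
    action: str            # "browser_upload" | "clipboard_paste"
    dest_domain: str
    dest_session: str


@dataclass
class Policy:
    origin_operator: str = "any"            # "any" | "in" | "not_in"
    origin_collections: set = field(default_factory=set)
    dest_operator: str = "any"
    dest_collections: set = field(default_factory=set)
    user_session_check: bool = False
    on_match: str = "alert"                 # "alert" | "block"


def in_collections(domain: str, names: set, collections: dict) -> bool:
    """Assumption: a domain matches a collection entry exactly or as a subdomain of it."""
    for name in names:
        for entry in collections[name]:
            if domain == entry or domain.endswith("." + entry):
                return True
    return False


def domain_filter(operator: str, domain: str, names: set, collections: dict) -> bool:
    if operator == "any":
        # Page semantics for Any Domain: any domain present in any of the collections.
        return in_collections(domain, set(collections), collections)
    if operator == "in":
        return in_collections(domain, names, collections)
    if operator == "not_in":
        return not in_collections(domain, names, collections)
    raise ValueError(f"unknown operator {operator!r}")


def evaluate(policy: Policy, event: Event, collections: dict = COLLECTIONS) -> str:
    """Return "allow", "alert" or "block" for one event."""
    if not domain_filter(policy.origin_operator, event.source_domain,
                         policy.origin_collections, collections):
        return "allow"
    if not domain_filter(policy.dest_operator, event.dest_domain,
                         policy.dest_collections, collections):
        return "allow"
    if policy.user_session_check and event.dest_session == "corporate":
        # Session check on: corporate -> corporate transfers pass; the rule fires only
        # when the destination account is personal. An "unknown" session is treated
        # as non-corporate here (assumption), so an unrecognised login fails closed.
        return "allow"
    return policy.on_match


if __name__ == "__main__":
    # Use case 2 from the page: allow corporate -> corporate, block corporate -> personal.
    policy = Policy("in", {"Corporate Domains"}, "in", {"Supported Domains"}, True, "block")
    corp = Event("intranet.contoso.com", "corporate", "browser_upload", "drive.google.com", "corporate")
    pers = Event("intranet.contoso.com", "corporate", "browser_upload", "drive.google.com", "personal")
    print(evaluate(policy, corp), evaluate(policy, pers))
```

Without the session check, both uploads in the `__main__` block look identical to a domain-only filter (same origin, same destination domain); the session type is the only field that separates them, which is the blind spot the page describes.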

Internal Users

  • Specific User(s): You must choose this option to monitor the actions of specific internal users. Once you choose this option, Nightfall populates the list of users from the IdPs synced in Directory Sync. You must select the required users.

  • All Users, except for: You must select this option to exclude specific internal users from monitoring. Once you choose this option, Nightfall populates the list of users from the IdPs synced in Directory Sync. You must select the required users.

Internal Groups

  • Specific Group(s): You must choose this option to monitor specific internal groups. Once you choose this option, Nightfall populates the list of internal groups from the IdPs synced in Directory Sync. You must select the required groups.

  • All Groups, except for: You must choose this option to exclude specific internal groups from monitoring. Once you choose this option, Nightfall populates the list of internal groups from the IdPs synced in Directory Sync. You must select the required groups.

URL and Subpath

Endpoint URL and subpath filtering allows administrators and security teams to precisely control which file exfiltration events are reported or blocked by Nightfall. By creating exclusions at the file, file path, or file type (extension) level, teams can reduce noise, prevent false positives, and maintain focus on genuine data risk. This section explains:

  • How URL and subpath filtering works

  • The end‑to‑end user experience

  • Supported exclusion types

  • Practical use‑cases

  • Important behavioral details and limitations

This functionality is available within:

  • Exfiltration Prevention → Event Details → Assets tab

  • Integrations → Endpoint → Exclusion List

It applies to endpoint‑level exfiltration signals such as:

  • Browser uploads

  • File transfers via removable media

  • File sync

How it works

  1. Exfiltration Event Detected: An endpoint event (for example, a Browser Upload) is detected and logged under Exfiltration Prevention. Each event includes:

  • Risk level (Low / Medium / High)

  • Actor (device and user)

  • Asset involved (file name, path, size, medium)

  • Destination (e.g., drive.google.com, chat.deepseek.com)

  2. Viewing Asset Details: When an event is opened:

  • Navigate to the Assets tab

  • Select the relevant asset (e.g., Customer List.xlsx)

The Asset Details panel displays:

  • File name

  • Full local file path (e.g., /Users/anantmahajan/Downloads/Customer List.xlsx)

  • Medium (Browser)

  • Size

  3. Activating File or Path Exclusion: From the Asset Details panel:

  • Click “Click to activate file & file path exclusion (macOS only)”

A modal titled File & File Path Exclusion appears with three options:

Exclusion Options

  1. Ignore file: Excludes this exact file (specific file name + path)

  2. Ignore path: Excludes all files within the selected directory and its subpaths

  3. Ignore all files with .xlsx extension: Excludes all Excel files across the endpoint

Selecting an option and clicking Continue proceeds to confirmation.

  4. Confirmation Modal

A confirmation dialog clearly states: "Future activity involving this file will not be reported. Existing events won't be affected."

Optional setting:

  • Apply rule to all endpoints (if enabled, the exclusion applies globally rather than device‑specific)

Click Ignore to finalize the exclusion.

  5. Exclusion Is Applied

Once confirmed:

  • The exclusion takes effect immediately

  • Future matching events are suppressed

  • Past events remain visible for audit and investigation

The exclusion appears under: Integrations → Endpoint → Exclusion List

Each entry shows:

  • Excluded item (file, path, or extension)

  • Type (File Name, File Path, or Extension)

  • Time created

  • User who created the exclusion

  • Scope (specific device or all endpoints)

URL & Subpath Filtering Behavior

URL Matching

When a browser upload occurs, Nightfall evaluates:

  • The destination domain (e.g., drive.google.com)

  • The local file path on the endpoint

If the local file matches an exclusion rule, the upload event is:

  • Not reported

  • Not blocked (unless another policy applies)

Subpath Matching

For Ignore path exclusions:

  • All files under the selected directory are excluded

  • Subdirectories are included automatically

Example:

  • /Users/johndoe/Downloads/

Excludes:

  • /Users/johndoe/Downloads/Customer List.xlsx

  • /Users/johndoe/Downloads/Exports/Q4/customers.csv

Supported Exclusion Types

  • File: Single file only. Typical use: a known safe document repeatedly triggering alerts.

  • Path: Directory + subdirectories. Typical use: trusted export folders or generated reports.

  • Extension: All files of a type. Typical use: suppress noisy file types like .log or .xlsx.

Common Use‑Cases

  1. Suppressing Known Safe Files

    1. Scenario: A finance team routinely uploads a standardized customer spreadsheet to Google Drive.

    2. Solution: Ignore file: Customer List.xlsx

    3. Outcome:

      1. Prevents repeated high‑risk alerts for a known workflow

      2. Maintains visibility into other files

  2. Ignoring Automated Export Directories

    1. Scenario: An application exports reports into a fixed local directory before upload.

    2. Solution: Ignore path: /Users/*/Downloads/Exports/

    3. Outcome:

      1. Eliminates alert noise from automated processes

      2. Still monitors uploads from other locations

  3. Reducing Alert Fatigue from Common File Types

    1. Scenario: Large volumes of Excel files are shared internally and trigger frequent alerts.

    2. Solution: Ignore all files with .xlsx extension

    3. Outcome:

      1. Significant noise reduction

      2. Should be used carefully due to broad scope

  4. Incident‑Driven Exception Handling

    1. Scenario: An investigation confirms a flagged upload was legitimate.

    2. Solution: Create a targeted file or path exclusion directly from the event

    3. Outcome:

      1. Fast remediation

      2. No policy rewrites required
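The Subpath Matching rules above (directory exclusions are recursive, the `/Users/*/Downloads/Exports/` pattern in use case 2 covers every user's folder) and the confirmation dialog's "future activity only" promise can be checked end to end with a small matcher. The following is an added example, not Nightfall's implementation: the Exclusion and Upload classes, the epoch-seconds timestamps, the device IDs and the rule that `*` matches exactly one path segment are assumptions made for the illustration.

```python
"""Added example (not Nightfall's code): matches browser-upload events against
file, path and extension exclusions with recursive subpath matching, device
scope, and the rule that only activity after the exclusion is suppressed.
The data model and the one-segment '*' wildcard are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PurePosixPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Exclusion:
    kind: str                       # "file" | "path" | "extension"
    value: str                      # full file path, directory path, or ".xlsx"
    created_at: int                 # epoch seconds (constructed)
    device_id: Optional[str] = None  # None means "apply rule to all endpoints"


@dataclass(frozen=True)
class Upload:
    local_path: str
    device_id: str
    dest_domain: str
    observed_at: int                # epoch seconds (constructed)


def _segments(path: str) -> Tuple[str, ...]:
    return PurePosixPath(path).parts


def _under_directory(file_path: str, directory: str) -> bool:
    """True when file_path lies inside directory or any of its subdirectories.
    Assumption: a '*' segment matches exactly one segment, so
    /Users/*/Downloads/Exports/ covers every user's Exports folder."""
    file_parts = _segments(file_path)
    dir_parts = _segments(directory)
    if len(file_parts) <= len(dir_parts):
        return False  # the file must be strictly below the directory
    return all(fnmatchcase(f, d) for f, d in zip(file_parts, dir_parts))


def matches(rule: Exclusion, upload: Upload) -> bool:
    """Does one exclusion rule suppress this upload?"""
    if rule.device_id is not None and rule.device_id != upload.device_id:
        return False  # device-scoped rule for a different endpoint
    if upload.observed_at < rule.created_at:
        return False  # existing events are never retroactively modified
    if rule.kind == "file":
        return upload.local_path == rule.value  # exact file name + path
    if rule.kind == "path":
        return _under_directory(upload.local_path, rule.value)
    if rule.kind == "extension":
        return PurePosixPath(upload.local_path).suffix.lower() == rule.value.lower()
    raise ValueError(f"unknown exclusion kind {rule.kind!r}")


def should_report(upload: Upload, rules: List[Exclusion]) -> bool:
    """An upload is reported unless at least one exclusion rule matches it."""
    return not any(matches(r, upload) for r in rules)


if __name__ == "__main__":
    # Constructed exclusion list mirroring the page's use cases.
    rules = [
        Exclusion("file", "/Users/johndoe/Downloads/Customer List.xlsx", 1000, "mac-01"),
        Exclusion("path", "/Users/*/Downloads/Exports/", 1000),
        Exclusion("extension", ".log", 1000),
    ]
    for up in [
        Upload("/Users/johndoe/Downloads/Customer List.xlsx", "mac-01", "drive.google.com", 2000),
        Upload("/Users/jane/Downloads/Exports/Q4/customers.csv", "mac-02", "drive.google.com", 2000),
        Upload("/Users/jane/Downloads/customers.csv", "mac-02", "drive.google.com", 2000),
    ]:
        print(up.local_path, "->", "report" if should_report(up, rules) else "suppressed")
```

The extension rule is deliberately case-insensitive so that `agent.LOG` and `agent.log` are treated alike; the file rule stays an exact match because the page defines it as "specific file name + path". Note that the matcher never consults `dest_domain`: as the page states, an excluded file is not reported regardless of destination, which is why extension-based exclusions deserve the caution given under Best Practices.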

Best Practices

  1. Exclusions apply only to future activity; existing events are never retroactively modified.

  2. Path exclusions are recursive and include subpaths.

  3. Extension‑based exclusions are global and high‑impact.

  4. Use Apply to all endpoints sparingly.

  5. Periodically review the Exclusion List for stale rules. Document the reason for exclusions internally when possible.

URL and subpath filtering for endpoint exclusions gives security teams fine‑grained control over exfiltration monitoring. By embedding exclusions directly into the investigation workflow, Nightfall enables fast, contextual decisions without compromising visibility into real risk.

This approach balances strong data security with practical, low‑friction operations.
