Nightfall Documentation
  • Data Detection and Response
  • Posture Management
  • Data Exfiltration Prevention
  • Data Encryption
  • Firewall for AI
  • Data Classification and Discovery
  • Nightfall Exfiltration
  • What is Data Exfiltration
  • Nightfall Detection Platform
    • Nightfall Detection Platform
  • Exfiltration Prevention for Google Drive
    • Installing Nightfall for Google Drive
    • Configuring Integration Alerts
    • Configuring Google Drive Policies
      • Google Drive App Selection
      • Scope
      • Trigger
      • Automated Actions
      • Creating Policy
    • Remediation for Google Drive Exfiltration
  • Exfiltration Prevention for Endpoint
    • Endpoint Exfiltration Prevention
    • Install Nightfall AI Agent for MAC OS
      • Manual Installation
      • Nightfall Agent Deployment with Kandji MDM
      • Nightfall Agent Deployment with Rippling MDM
      • Nightfall Agent Deployment with JAMF MDM
    • Install Nightfall AI Agent for Windows OS
      • Manual Installation
      • Nightfall Windows Agent Deployment: Rippling MDM
      • Nightfall Windows Agent Deployment: Generic MSI Deployment
    • Configuring Integration Alerts
    • Configuring Policies
      • MAC/Windows App Selection
      • Scope
      • Trigger
      • Advanced Settings
        • Admin Alerting
        • Automated Actions
        • End-User Notifications
      • Creating Policy
      • Remediation for MAC OS Policies
      • FAQs
      • Remediation for Windows OS Policies
  • Exfiltration Prevention for Salesforce
    • Nightfall Exfiltration for Salesforce
    • Installing Nightfall Exfiltration for Salesforce
    • Upgrading Nightfall DLP
    • Configuring Integration Alerts
    • Configuring Salesforce Exfiltration Policies
      • Salesforce App Selection
      • Scope
      • Trigger
      • Advanced Settings
      • Creating Policy
      • Remediation for Salesforce Exfiltration
Powered by GitBook
On this page
  • Key Features of Lineage Based Policies
  • Configuring the Scope Page
  • Operating Systems
  • Devices
  • Content Scanning
  • Filters

Was this helpful?

Export as PDF
  1. Exfiltration Prevention for Endpoint
  2. Configuring Policies

Scope

The Scope section enables you to create an asset lineage based policy in which you can track the journey of an asset from source to destination.

Key Features of Lineage Based Policies

  • Security administrators can set precise exfiltration policies to protect sensitive files that originate from high-value SaaS locations from being exfiltrated to unsanctioned destinations

  • High performance security teams can focus their energy and resources on monitoring assets from high value SaaS domains.

  • By combining content download origin to upload destination, organizations can extend their monitoring to cover any cloud application accessed through the browser, even those without direct API integration.

  • Allows security teams to monitor and prevent data exfiltration not just through direct browser uploads but also through cloud storage sync applications, providing a multi-layered defense against data leaks.

  • With lineage-based policies, organizations can proactively identify and manage risks associated with sensitive content movement, ensuring compliance with data security standards and preventing potential breaches before they occur.

Configuring the Scope Page

The Scope page consists of the following sections.

  • Operating Systems

  • Devices

  • Content Scanning

  • Filters

Operating Systems

This section allows you to select the operating systems to which the policy must be scoped. Nightfall supports the Microsoft's Windows and Apple's MAC operating systems. You can either choose any one of the operating system or both the operating systems, based on your organization's requirements. You must click the check box of the respective operating system to include it in the scope of the policy. All the devices that belong to the selected operating system(s) are monitored by Nightfall.

Kindly note that some of the advanced policy features like Content Scanning, Filters, and automated actions are not yet available on Windows—but stay tuned, as we’re working to bring these capabilities soon!

Devices

By default, Nightfall monitors all the devices that belong to the selected operating system(s). However, you can choose to exclude trusted devices from being monitored. The Exclude Devices section consists of a drop-down menu. This menu lists all the devices that belong to the selected operating system(s). You can select the devices that you wish to exclude from being monitored.

If you have a long list of assets, you can search for an asset by entering the device ID of the asset.

Content Scanning

To use this feature, you must first select the On option from the drop-down menu and then select the required Nightfall detectors.

Filters

The filters section provides you the flexibility to include and exclude users at a granular level. Once you select the operating system and the devices to be monitored, you can further drill down your scope by using filters. You can apply filters to only monitor assets downloaded from specific domains. Conversely, you can also choose to exclude the monitoring of assets downloaded from specific domains. Additionally, you can also apply filters to only monitor or exclude the monitoring of assets downloaded by specific high risk, like departing users, or function user groups, like HR, Finance or Engineering.

Asset Origin

The Asset Origin filter allows you to limit the scope of the policy to only those assets which originated from a specific source. To use the asset origin filter, you must click Add Filter and select Asset Origin.

The Asset Origin filter provides the following options:

Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.

Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.

Internal Users

Internal Groups

PreviousMAC/Windows App SelectionNextTrigger

Last updated 2 months ago

Was this helpful?

The Content Scanning section allows you to scan the downloaded content for sensitive data. You can choose the that you wish to use for scanning the downloaded data. With this feature, you can monitor exfiltration attempts on sensitive data. For instance, you can monitor if any of the content uploaded to unsanctioned destinations contains regulated information like PCI, PII, PHI or organization's secrets like credentials, API keys, and so on. You can combine content scanning with Trigger and the Block features to prevent any exfiltration files containing sensitive data.

If a downloaded file contains sensitive data, it is reported in the exfiltration event. You can check the assets tab of an exfiltration event to view the sensitive data found. In the following image, you can see that a called Credit Card Number is violated 20 times in one of the files uploaded to through the browser.

You must configure the feature to use the Internal Users and Internal Groups filters.

Any Domain: If you select this option, Nightfall monitors the assets originated (downloaded) from any domain, present in any of the .

Domain in: If you select this option, you must additionally also select the domain collections, created in the section. In this case, Nightfall monitors only those assets that originated from a domain, which is a part of any of the selected domain collection(s).

Domain Not in: If you select this option, you must additionally also select the domain collections, created in the section. In this case, Nightfall does not monitor those assets that originated from a domain, which is a part of any of the excluded domain collection(s).

Specific User(s): You must choose this option to monitor the actions of specific internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in . You must select the required users.

All Users, except for: You must select this option to exclude the monitoring of specific internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in . You must select the required users.

Specific Group(s): You must choose this option to monitor of specific internal groups. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in . You must select the required groups.

All Groups, except for: You must choose this option to exclude monitoring of specific internal groups. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in . You must select the required groups.

Nightfall detection rules
Detector
Directory Sync
Directory Sync
Directory Sync
Directory Sync
Directory Sync
domain collections
domain collections
domain collections