Trigger

A trigger defines the exfiltration medium - the specific channel or application through which data moves off a managed device. Each trigger represents a distinct interception point: a file upload in a browser, a sync client writing to disk, a document sent to the print queue. Nightfall intercepts the event at that point, inspects the content against your detection rules if applicable, and applies the configured action.

You configure one trigger per policy. Each trigger is independently scoped - a browser upload policy and a thick app policy can cover the same domains without conflicting.

Domain Collections

A domain collection is a named, reusable set of domains used to scope trigger monitoring. Collections appear in two roles:

  • Source collection - identifies domains associated with corporate account sessions or originating domains. Used to answer: did this data originate from a corporate account? Example: your company's Google Workspace domain (yourcompany.com on Google Drive).

  • Destination collection - identifies domains associated with personal account sessions or destination domains. Used to answer: did this data go to a personal account? Example: gmail.com, dropbox.com, chatgpt.com accessed with a personal login.

Collections are created and managed separately from policies, then referenced when configuring data lineage and session detection on the Browser Upload and Clipboard Paste triggers. Not all domains in a collection support session detection - the policy UI shows coverage at configuration time (e.g., "3 of 12 domains across 2 collections support session detection"). Domains without session detection support are always monitored for all account types regardless of which collection they belong to.

You do not need to configure collections for certain triggers, such as Cloud Syncing, Removable Media, Printer, Thick App, and Git Push - those triggers use domain or application lists configured directly on the policy.
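The coverage summary and the fallback rule described above can be modeled to audit a planned set of collections before configuring a policy. This is an added illustration, not Nightfall code: the collection contents, the set of domains assumed to support session detection, and the function names are all constructed, and the account-type matching is an assumed reading of the source and destination roles.

```python
from dataclasses import dataclass

# Constructed sample data: NOT Nightfall's real session-detection support list.
SESSION_DETECTION = frozenset({"yourcompany.com", "gmail.com", "chatgpt.com"})

@dataclass(frozen=True)
class Collection:
    name: str
    role: str          # "source" (corporate sessions) or "destination" (personal)
    domains: frozenset

# Constructed collections: 4 + 8 = 12 domains in total.
SOURCE = Collection("Corporate", "source", frozenset(
    {"yourcompany.com", "wiki.yourcompany.com",
     "crm.yourcompany.com", "git.yourcompany.com"}))
DEST = Collection("Personal", "destination", frozenset(
    {"gmail.com", "dropbox.com", "chatgpt.com", "share1.example",
     "share2.example", "share3.example", "share4.example", "share5.example"}))

def coverage_summary(collections):
    """Build the coverage line in the form the policy UI is described as showing."""
    domains = set().union(*(c.domains for c in collections))
    supported = domains & SESSION_DETECTION
    return (f"{len(supported)} of {len(domains)} domains across "
            f"{len(collections)} collections support session detection")

def fallback_domains(collection):
    """Domains that will be monitored for every account type."""
    return sorted(collection.domains - SESSION_DETECTION)

def session_matches(domain, account_type, collection):
    """True if a session on `domain` falls within the collection's scope."""
    if domain not in collection.domains:
        return False
    if domain not in SESSION_DETECTION:
        return True    # no session detection: all account types are monitored
    # Assumed mapping of collection role to the account type it identifies.
    expected = "corporate" if collection.role == "source" else "personal"
    return account_type == expected

if __name__ == "__main__":
    print(coverage_summary([SOURCE, DEST]))
    print("Monitored for all accounts:", fallback_domains(DEST))
    print(session_matches("dropbox.com", "corporate", DEST))
```

In this sample, a corporate login on dropbox.com still matches the destination collection because that domain is assumed to lack session detection, which is the case to review when a collection's coverage is partial.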

Once you have scoped the policy to the required devices and originating domains, define the trigger actions that count as exfiltration events. Nightfall provides multiple types of triggers that you can set as exfiltration events.

Browser Uploads: If an asset is uploaded through a web browser or desktop app to any online destination (for example, a file attached to a ChatGPT prompt or uploaded to a personal Google Drive via the browser), you can define such events as file upload exfiltration events.

Cloud Syncing: If an asset is synced to a cloud storage application running on the endpoint (for example, a file written to a local Dropbox or OneDrive folder and automatically uploaded to the cloud), you can define such events as cloud sync exfiltration events.

Clipboard Paste: If data is copied from a source application and pasted into an external destination (for example, customer records copied from an internal tool and pasted into a personal email), you can define such events as clipboard paste exfiltration events.

Git Push: If source code is pushed from a managed endpoint to a non-approved remote repository (for example, a developer pushing proprietary code to a personal GitHub account), you can define such events as git push exfiltration events. This feature is designed to prevent accidental or intentional source-code exfiltration. Detection is based on source and destination metadata.

Removable Media: If an asset is transferred to a removable storage device connected to the endpoint (for example, a file copied to a USB flash drive or an external hard drive), you can define such events as external media transfer exfiltration events.

Printer: If a document is sent to the print queue on the endpoint (for example, a confidential report printed to a shared office printer or exported as a PDF using a virtual printer), you can define such events as print exfiltration events.

Desktop App: If data is transferred, uploaded, or pasted within a desktop application (for example, a file attached in WhatsApp or sensitive content pasted into a ChatGPT desktop app), you can define such events as exfiltration events.

The steps to use the above triggers are elaborated in the following sections.
