Trigger

Once you zero in on the policy Scope to the required devices and originating domains, you must now define the trigger actions that can be termed as exfiltration events.

Nightfall provides you with three types of triggers that you can set as exfiltration events.

• Browser Uploads: In this section, if an asset is uploaded through a browser to an online portal (for example, a social media website), you can define such events as exfiltration events.

• Cloud Syncing: In this section, if an asset is uploaded to an online cloud store application (for example, Google Drive), you can define such events as exfiltration events.

• Clipboard Paste: In this section, if data is copied from a source and pasted to a destination, you can define such events as exfiltration events.

• Git Push: Git Push Monitoring helps organizations detect when source code is pushed from managed endpoints to non‑approved Git destinations. This feature is designed to prevent accidental or intentional source‑code exfiltration. Detection is based on source and destination metadata.

The steps to use the above triggers are elaborated in the following sections.

Browser Uploads

Ensure that you have configured domain collections before using the browser uploads option.

To monitor browser uploads:

1. Select the Browser uploads to option.

1. Select one of the following options.

• Any Domain: If you select this option, Nightfall monitors your uploads done to any domain on the Internet.

• Domain in: If you select this option, you must additionally also select the domain collections created in the domain collections section. Nightfall monitors the uploads done to all the domains that belong to the selected domain collections.

Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.

• Domain Not in: If you select this option, you must additionally also select the domain collections created in the domain collections section. Nightfall does not monitor the uploads done to all the domains that belong to the selected domain collections.

Once you select a domain collection from the drop-down menu, it is displayed on the screen and grayed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.

Cloud Sync App Uploads

In this option, you can either choose to monitor uploads done to every cloud sync app or select specific cloud sync apps to which the uploads must be monitored.

1. Select the Cloud Syncing option.

2. Select one of the following options.

• Any Storage Apps: If you select this option, Nightfall monitors the uploads done to every cloud sync storage application.

• Specific Storage App(s): If you select this option, you must additionally select the storage apps. Nightfall monitors the uploads done to the selected storage apps.

Once you select a cloud storage application from the drop-down menu, the selected option is displayed on the screen and grayed out from the drop-down menu. You can use the drop-down menu to select additional cloud storage apps.

Clipboard Paste

In this option, you can choose to monitor the copy/paste actions performed by end-users. If end-users copy some data and paste it to unsanctioned locations.

Apart from text data, Nightfall can also detect non-text clipboard content, including images and screenshots. Clipboard Paste trigger uses the optical character recognition (OCR) technology in combination with Nightfall detectors to prevent the exfiltration of sensitive data present in visuals like copied screenshots, scanned documents, or copied images from web browsers.

Use cases

• A typical example of this trigger can be a scenario in which an end-user copies an API key and pastes it in a prompt in ChatGPT/Deepseek or any other Gen AI apps while attempting to generate a piece of code.

• An employee attempting to capture a screenshot of dashboards, reports, or customer data from sensitive SaaS apps into unsanctioned destinations.

To enable the Clipboard Paste trigger:

1. Select the Paste To option.

2. Select one of the following options.

   1. Any Domain: If you select this option, Nightfall monitors your paste actions performed on any domain on the Internet.

   2. Domain in: If you select this option, you must additionally also select the domain collections created in the domain collections section. Nightfall monitors the uploads done to all the domains that belong to the selected domain collections. The process of domain selection remains the same as demonstrated in the case of theBrowser Uploads section.

   3. Domain Not in: If you select this option, you must additionally also select the domain collections created in the domain collections section. Nightfall does not monitor the uploads done to all the domains that belong to the selected domain collections.

Once you select a domain collection from the drop-down menu, it is displayed on the screen and grayed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.

Removable Media

Nightfall’s removable media controls allow you to monitor or block sensitive data exfiltration to external storage devices such as USB drives and external HDD/SSD. Policies are evaluated at the endpoint and can be scoped with device type, vendor, and serial number filters for precise enforcement.

Out of the box, Nightfall supports ~1,200 removable media vendors, enabling immediate coverage without manual vendor onboarding.

Nightfall detects and can block the following removable media categories:

• USB storage devices (thumb drives, external HDD/SSD)

These are internally represented as removable media types and can be included or excluded in the policy configuration.

How Removable Media Policies Work

A removable media policy is evaluated using three layers of filters:

1. Origin - Where the content originated from

2. Destination Removable Media Filters - Which removable devices the rule applies to

3. Content Detection - Whether sensitive data is present

4. Endpoint Device - Which devices are included or excluded in the policy

If all conditions match, the configured enforcement (Monitor or Block) is applied.

Policy configuration:

1. Step 1 - To apply a policy to removable devices:

   • Set Action to “To removable media”

   This ensures the rule only evaluates file transfers where data is being written to an external device.

2. Step 2 - Removable media filters

   1. Removable media filters allow you to precisely control which removable devices are included in enforcement.

      1. Device Type

         1. Monitor all – Applies to all removable media types

            1. Specific types – Limit enforcement to selected media types (USB, HDD/SSD)

            2. All device types except – Exclude specific device types from enforcement

            3. If no specific type is selected, all removable media types are included by default.

         2. Vendor filtering

            1. Nightfall supports ~1,200 removable media vendors out of the box.

            2. You can configure vendor behavior as follows:

               1. Monitor all vendors (default)

               2. Specific vendor(s) – Apply the rule only to selected vendors

               3. All vendors except – Exclude specific vendors from enforcement

               4. Vendor matching is based on device metadata reported by the operating system.

               5. Example use cases:

                  1. Allow corporate-approved encrypted USB vendors

                  2. Block unknown or consumer-grade USB brands

         3. Device Serial Number Filtering

            1. Serial number filters provide the most granular level of control.

               Options:

               1. Monitor all (default)

                  • Specific serial numbers – Apply enforcement only to listed devices

                  • All serial numbers except – Exclude specific devices from enforcement

                    • Serial numbers are matched exactly as reported by the endpoint OS.

               2. Example use cases:

                  • Allow a small set of approved devices

                  • Exempt forensic or IT-issued USB drives

         4. Filter precedence and evaluation logic

            1. When multiple device filters are configured, Nightfall evaluates them together using the following rules:

               1. Include rules are evaluated first

               2. Exclude rules override include rules

               3. If no include filters are specified, the rule defaults to include all

            2. Practical Implications

               1. If you select Specific vendors, only those vendors are eligible

               2. If you then exclude a serial number, that device will never trigger the policy

               3. If both vendor and serial filters are empty, all removable media is in scope

Once a removable media action and device match, Nightfall evaluates the content being transferred:

• Sensitive data types (PII, credentials, secrets, etc.), file classifiers or any other applicable detectors in the configured detection rules

If sensitive content is detected, enforcement is applied. Each policy can be configured to:

• Monitor – Log the event for visibility and auditing

• Block – Prevent the transfer to removable media

Both modes can be enabled simultaneously to provide audit visibility even when blocking.

Common Configuration Examples

1. Example 1: Block All USB Devices

   1. Action: To removable media

   2. Device Type: USB

   3. Vendor: Monitor all

   4. Serial Number: Monitor all

   5. Enforcement: Block

2. Example 2: Allow Only Approved Vendors

   1. Action: To removable media

   2. Vendor: Specific vendor(s)

   3. Enforcement: Block

   4. All other vendors will be blocked.

3. Example 3: Allow Only Specific Devices

   1. Action: To removable media

   2. Serial Number: Specific serial numbers

   3. Enforcement: Block

   4. Only listed devices will be allowed; all others blocked.

4. Example 4: Exclude Corporate USB Drives

   1. Action: To removable media

   2. Vendor: All vendors

   3. Serial Number: All serial numbers except

   4. Enforcement: Block

   5. Corporate-approved devices are excluded from enforcement.

For exfiltration events involving removable media, Nightfall surfaces additional asset-level metadata to help security teams understand where data was written and which physical device was involved.

In the Asset details panel, you can expect the following removable media–specific fields:

• Medium – Indicates the destination medium as Removable Media

• Mount Path – The local mount location of the device on the endpoint (for example, /Volumes/My USB Device on macOS)

• Volume Label – The human-readable label assigned to the removable device

• Media Type – The category of removable media (for example, USB, HDD/SSD)

• Vendor ID – The hardware vendor identifier reported by the operating system

• Serial Number – The device’s unique serial number, when available

These fields are available only for removable media events and enable precise investigations, device allowlisting, and policy tuning.

All other event information - including user identity, endpoint details, timestamps, policy action, file preview, activity log and risk context, manual actions - is consistent with other Endpoint Exfiltration events and is available in the Summary and Device tabs.

Git Push Monitoring

Nightfall monitors the following signals during a Git push operation:

• The endpoint where the push originates

• The user performing the push

• The Git protocol (HTTPS / SSH)

• The remote destination URL

• The repository name and configured remotes

A Git Push Monitoring policy evaluates where code is being pushed, not what is being pushed. If the destination does not match your approved Git domains, Nightfall generates an exfiltration event.

Supported Git Destinations

Git Push Monitoring supports:

• GitHub Cloud

• GitLab Cloud

• Bitbucket

• Any Git server accessible via HTTPS or SSH

Policy Configuration

1. Step 1: Define Approved Git Destinations

Customers define approved Git hosting locations using Domain Collections.

Examples:

• github.com/my‑company‑org/*

• gitlab.company.com/*

• bitbucket.org/company/*

These domains represent where source code is allowed to be pushed.

1. Step 2: Configure Git Push Monitoring Policy

Policy Type: Endpoint Exfiltration Action: Git Push

Destination Condition Options:

• Any domain

• Domain in approved list

• Domain not in approved list (recommended)

Recommended Configuration:

This configuration alerts when developers push code outside approved repositories.

Example Use Cases

1. Prevent Personal GitHub Usage

   1. Approved: github.com/company‑org/*

   2. Detected: github.com/john‑doe/test‑repo

2. Monitor Scratch or Temporary Repositories

   1. Even if the repository is newly created or unnamed, Nightfall detects the push if the destination domain is not approved.

3. Enforce Corporate GitHub & GitLab Usage

   1. Ensure all production code stays within:

      1. Corporate GitHub organizations

      2. Internal GitLab instances

Event Details

When a Git push violates policy, Nightfall generates an event with metadata‑only context.

Event Summary Fields

Example Scenarios

The following scenarios illustrate the support matrix for this capability.

1. Push to Approved Repository

   1. Git operation succeeds

   2. No alert generated

2. Push to Non‑Approved Repository

   1. Git operation succeeds (no blocking)

   2. Exfiltration event generated

3. HTTPS and SSH Both Supported

   1. Detection works for both authentication methods

4. Multiple Remotes Supported

   1. Events reflect the actual remote used for the push

5. Unmanaged Devices

   1. No detection occurs without an endpoint agent

Git Push Monitoring provides organizations with a simple and effective control to:

• Detect source code exfiltration

• Enforce approved Git destinations

• Gain visibility into developer Git activity