# Removable Media

Nightfall’s removable media controls allow you to monitor or block sensitive data exfiltration to external storage devices such as USB drives and external HDD/SSD. Policies are evaluated at the endpoint and can be scoped with device type, vendor, and serial number filters for precise enforcement.

Out of the box, Nightfall supports ~1,200 removable media vendors, enabling immediate coverage without manual vendor onboarding.

Nightfall detects and can block the following removable media categories:

* USB storage devices (thumb drives, external HDD/SSD)

These are internally represented as removable media types and can be included or excluded in the policy configuration.

**How Removable Media Policies Work**

A removable media policy is evaluated using the following layers of filters:

1. Origin - Where the content originated from
2. Destination Removable Media Filters - Which removable devices the rule applies to
3. Content Detection - Whether sensitive data is present
4. Endpoint Device - Which devices are included or excluded in the policy

If all conditions match, the configured enforcement (Monitor or Block) is applied.

**Policy configuration:**

1. **Step 1 -** To apply a policy to removable devices:

   * Set Action to “To removable media”

   This ensures the rule only evaluates file transfers where data is being written to an external device.
2. **Step 2 -** Removable media filters

   Removable media filters allow you to precisely control which removable devices are included in enforcement.

   1. **Device Type**
      * Monitor all – Applies to all removable media types
      * Specific types – Limit enforcement to selected media types (USB, HDD/SSD)
      * All device types except – Exclude specific device types from enforcement

      If no specific type is selected, all removable media types are included by default.
   2. **Vendor filtering**

      Nightfall supports ~1,200 removable media vendors out of the box. You can configure vendor behavior as follows:

      * Monitor all vendors (default)
      * Specific vendor(s) – Apply the rule only to selected vendors
      * All vendors except – Exclude specific vendors from enforcement

      Vendor matching is based on device metadata reported by the operating system.

      Example use cases:
      * Allow corporate-approved encrypted USB vendors
      * Block unknown or consumer-grade USB brands
   3. **Device Serial Number Filtering**

      Serial number filters provide the most granular level of control. Options:

      * Monitor all (default)
      * Specific serial numbers – Apply enforcement only to listed devices
      * All serial numbers except – Exclude specific devices from enforcement

      Serial numbers are matched exactly as reported by the endpoint OS.

      Example use cases:
      * Allow a small set of approved devices
      * Exempt forensic or IT-issued USB drives
   4. **Filter precedence and evaluation logic**

      When multiple device filters are configured, Nightfall evaluates them together using the following rules:

      1. Include rules are evaluated first
      2. Exclude rules override include rules
      3. If no include filters are specified, the rule defaults to include all

      Practical implications:
      * If you select Specific vendors, only those vendors are eligible
      * If you then exclude a serial number, that device will never trigger the policy
      * If both vendor and serial filters are empty, all removable media is in scope

Once a removable media action and device match, Nightfall evaluates the content being transferred:

* Sensitive data types (PII, credentials, secrets, etc.), file classifiers, or any other applicable detectors in the configured detection rules

If sensitive content is detected, enforcement is applied. Each policy can be configured to:

* Monitor – Log the event for visibility and auditing
* Block – Prevent the transfer to removable media

Both modes can be enabled simultaneously to provide audit visibility even when blocking.

**Common Configuration Examples**

1. Example 1: Block All USB Devices
   1. Action: To removable media
   2. Device Type: USB
   3. Vendor: Monitor all
   4. Serial Number: Monitor all
   5. Enforcement: Block
2. Example 2: Allow Only Approved Vendors
   1. Action: To removable media
   2. Vendor: Specific vendor(s)
   3. Enforcement: Block
   4. All other vendors will be blocked.
3. Example 3: Allow Only Specific Devices
   1. Action: To removable media
   2. Serial Number: Specific serial numbers
   3. Enforcement: Block
   4. Only listed devices will be allowed; all others blocked.
4. Example 4: Exclude Corporate USB Drives
   1. Action: To removable media
   2. Vendor: All vendors
   3. Serial Number: All serial numbers except
   4. Enforcement: Block
   5. Corporate-approved devices are excluded from enforcement.
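The following is an added illustration, not Nightfall's own code: it models the filter precedence rules (include first, exclude overrides include, empty include means include all) across the device type, vendor and serial dimensions, and encodes Example 1 and Example 4 above as filters. Device names, vendor strings and serial numbers are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    media_type: str   # "USB" or "HDD/SSD", as reported by the endpoint OS
    vendor: str       # vendor string from device metadata (constructed here)
    serial: str       # serial number, matched exactly (constructed here)


@dataclass(frozen=True)
class DeviceFilter:
    # An empty include set means "Monitor all" for that dimension.
    include_types: frozenset = frozenset()
    exclude_types: frozenset = frozenset()
    include_vendors: frozenset = frozenset()
    exclude_vendors: frozenset = frozenset()
    include_serials: frozenset = frozenset()
    exclude_serials: frozenset = frozenset()


def _dimension_in_scope(value, include, exclude):
    # Include rules are evaluated first; no include filter defaults to include all.
    if include and value not in include:
        return False
    # Exclude rules override include rules.
    return value not in exclude


def device_in_scope(dev, f):
    """A device is in scope only if every dimension (type, vendor, serial) is."""
    return (_dimension_in_scope(dev.media_type, f.include_types, f.exclude_types)
            and _dimension_in_scope(dev.vendor, f.include_vendors, f.exclude_vendors)
            and _dimension_in_scope(dev.serial, f.include_serials, f.exclude_serials))


def evaluate(dev, f, sensitive, monitor=True, block=False):
    """Return the enforcement actions applied to one transfer to `dev`.

    Empty set = no enforcement (device out of scope or no sensitive content).
    Monitor and Block may both be enabled, so the result is a set of actions.
    """
    if not device_in_scope(dev, f) or not sensitive:
        return frozenset()
    return frozenset(a for a, on in (("monitor", monitor), ("block", block)) if on)


# Constructed sample devices (vendor names and serials are made up).
CONSUMER_USB = Device("USB", "GenericBrand", "SN-0001")
CORP_USB = Device("USB", "CorpVendor", "SN-CORP-42")
EXTERNAL_SSD = Device("HDD/SSD", "GenericBrand", "SN-SSD-7")

# Example 1: Block All USB Devices (Device Type USB, all vendors, all serials).
BLOCK_ALL_USB = DeviceFilter(include_types=frozenset({"USB"}))
# Example 4: Exclude Corporate USB Drives (all vendors, all serials except listed).
EXCLUDE_CORP = DeviceFilter(exclude_serials=frozenset({"SN-CORP-42"}))
```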

For exfiltration events involving removable media, Nightfall surfaces additional asset-level metadata to help security teams understand where data was written and which physical device was involved.

In the Asset details panel, you can expect the following removable media–specific fields:

* Medium – Indicates the destination medium as Removable Media
* Mount Path – The local mount location of the device on the endpoint (for example, /Volumes/My USB Device on macOS)
* Volume Label – The human-readable label assigned to the removable device
* Media Type – The category of removable media (for example, USB, HDD/SSD)
* Vendor ID – The hardware vendor identifier reported by the operating system
* Serial Number – The device’s unique serial number, when available

These fields are available only for removable media events and enable precise investigations, device allowlisting, and policy tuning.

All other event information, including user identity, endpoint details, timestamps, policy action, file preview, activity log, risk context and manual actions, is consistent with other Endpoint Exfiltration events and is available in the Summary and Device tabs.
