# Remediation for Salesforce Exfiltration

This document explains what admins and end-users can do once a policy is violated.

## Admin Notification and Remediation

When end-users violate a policy, the Nightfall admin is notified about the incident. The notification channel used to notify the Nightfall admin depends on the settings configured in the [Automated Actions](/data-exfiltration-prevention/exfiltration_google_drive/policies/automated_actions.md#admin-alerting) section. If you have not enabled any notification channels in the Admin alerting section, Nightfall admins are not notified.

If you have enabled the email notification in the Admin alerts section, Nightfall admins receive an email. The email is as shown in the following image.

<figure><img src="/files/9vQnDm8fCgx74fzqplOu" alt=""><figcaption></figcaption></figure>

The email contains the following data.

* **Event**: The event that caused the violation. For Salesforce, the event is always the download of assets.
* **Who**: The email ID of the user who downloaded the file.
* **When**: The date and time when the file was downloaded.
* **What**: The name of the file that was downloaded.
* **Policies Violated**: The name of the policy that was violated.
* **Violation Dashboard**: The link to the Events screen to view the violation in detail.
* **Actions**: The list of actions that the Nightfall admin can take.

Also, a Slack message is sent if you have enabled the Slack alerts for the Nightfall admin.

## End-User Notification and Remediation

End-users receive notifications and remediation actions if the Nightfall admin has enabled these settings. The notifications are based on the settings configured in the [Automated Actions](/data-exfiltration-prevention/exfiltration_google_drive/policies/automated_actions.md#automation) section. The end-user remediation actions are based on the settings configured in the [Automated Actions](/data-exfiltration-prevention/exfiltration_google_drive/policies/automated_actions.md#end-user-remediation) section.

If you have configured the email notification for end-users and enabled end-user remediation, end-users can take remediation actions from the email itself. The end-user email is shown in the following image.

<figure><img src="/files/ZPMdJjO7lu0bituXJJww" alt=""><figcaption></figcaption></figure>

If you have configured Slack notifications for end-users and enabled end-user remediation, end-users also get a message in the respective Slack channel configured.

## Manage Violations in Nightfall

To manage violations in the Nightfall console:

1. Click **Events** from the left menu.

<figure><img src="/files/d4RfiMry8UPZrqzNLuPH" alt=""><figcaption></figcaption></figure>

2. Click the **Exfiltration** tab.

<figure><img src="/files/SLacQ4Dta59JXkpFxbaD" alt=""><figcaption></figcaption></figure>

The Exfiltration Events page lists all the exfiltration events. To view events specific to the Salesforce integration:

3. Click **Filters** and select **+ Add Filter.**

<figure><img src="/files/AEmv5e7rq9sD5ACE44h8" alt=""><figcaption></figcaption></figure>

4. Select **Integration** in the **Select a filter** field.

<figure><img src="/files/Mkv8NpOCGSz5xS9Rl2HD" alt=""><figcaption></figcaption></figure>

5. Select the **Salesforce** check box in the **Select an option** field.

<figure><img src="/files/L6OOHzqVJ5blXkdihGNM" alt=""><figcaption></figcaption></figure>

6. Click **Apply**.

<figure><img src="/files/z9t7q2rEOlvcsvikodNZ" alt=""><figcaption></figcaption></figure>

Now, only the Salesforce events are displayed.

<figure><img src="/files/X0QdFK4QogqqpWwBUxUy" alt=""><figcaption></figcaption></figure>

7. To view events with specific statuses, you can click the respective tabs.

<figure><img src="/files/q8cPNcCBuqKFcHPl8ZXb" alt=""><figcaption></figcaption></figure>

To view historic events, click the Time filter and select the required time period.

<figure><img src="/files/oXfd1yAERNeschjtMIb5" alt=""><figcaption></figcaption></figure>

You can click an event to view the details. The detail view window is as follows.

<figure><img src="/files/64xTWtGukl0pGEgZWsMo" alt="" width="416"><figcaption></figcaption></figure>

The detail view window consists of the following tabs.

* **Summary**: The Summary tab displays highlights of the event, such as the name of the downloaded asset, the name of the violated policy, and the email ID of the user who violated the policy.
* **Asset**: The Asset tab displays the details of the asset. You can view details like the name of the downloaded asset, the size of the downloaded asset, the exfiltration action (download), the owner's Salesforce ID and IP address. If there are multiple assets in a single violation, you can choose which asset's details are displayed.

<figure><img src="/files/5jwT9706Ks82JURhCpqh" alt=""><figcaption></figcaption></figure>

* **Actor**: The Actor tab displays the email ID of the Salesforce user who downloaded the asset. You can add notes on this tab, which are displayed in the **Admin notes** section.

<figure><img src="/files/OyILFikepjH4wyjizil4" alt=""><figcaption></figcaption></figure>

### Taking Actions on the Events Page

The events list view displays an ellipsis menu at the extreme right corner. Admins can click this menu to take appropriate action on an exfiltration event.

<figure><img src="/files/DgV7jVvo1LRbP1x0P94j" alt=""><figcaption></figcaption></figure>

The various available actions are explained as follows.

* **Acknowledge**: This action can be taken when you just wish to acknowledge that you have viewed the violation.
* **Notify Email**: This action sends an email notification to the end-user who caused the violation.
* **Notify Slack**: This action sends a Slack notification to the end-user who caused the violation.
* **Ignore**: This action ignores the violation. You can take this action when an event is a false positive.
* **Freeze User**: This action freezes the user account and logs the user out of Salesforce. Users cannot log in until an admin unfreezes their account.
* **Revoke User Permission**: This action revokes the user's download privileges. Users can only view data in Salesforce. This action assigns Salesforce's Minimum access profile to the user. You can learn more about this profile from this [Salesforce document](https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_general_new_profile.htm&release=226&type=5).
* **Unfreeze User**: Once you freeze a user, this action is active. You can unfreeze a frozen user with this action.

Once the action is taken, the status of the event changes accordingly. By default, an event can have one of the following two statuses.

* **Active**: The event has been generated but no action has been taken.
* **Input Requested**: A notification has been sent to the end-user requesting their response.

<figure><img src="/files/KA6itcNogFlgnZxBffxz" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
You can also take action from the event detail view page. The actions are available at the bottom of the detail view page.
{% endhint %}

<figure><img src="/files/KfaZGU3CUGL0SGXojGIm" alt=""><figcaption></figcaption></figure>


