
Data Exfiltration Prevention

What is Data Exfiltration

Data exfiltration, also known as data theft, data exportation, or data extrusion, is the unauthorized transfer of data from a device or network. It can occur as part of an automated attack or can be performed manually. The illegitimate transfer of data often looks very similar to legitimate transfers, making it difficult to detect.

Common Techniques for Data Exfiltration

Data exfiltration can occur in various ways and through multiple attack methods. Here are some of the most commonly used techniques:

  • Social Engineering and Phishing Attacks: These attacks trick victims into downloading malware and giving up their account credentials.

  • Outbound Emails: Cyber criminals, malicious employees, or intruders use email to exfiltrate data that passes through an organization's outbound email systems.

  • Downloads to Insecure Devices: Data is transferred by users from secure, trusted systems to an insecure device. From there, the attacker can infiltrate the device and exfiltrate the data.

  • Uploads to Cloud Storage: Data can be exfiltrated from cloud storage when data is uploaded to insecure or misconfigured resources.

Nightfall Exfiltration Solution

Nightfall provides an exfiltration prevention solution that integrates with existing tools, serving security teams and companies across industries. It is more than a detection tool: it proactively protects against data breaches by alerting on and acting against exfiltration attempts, a tangible benefit for organizations striving to secure their sensitive information.

Nightfall Exfiltration

  • Exfiltration for Google Drive

  • Endpoint Exfiltration Prevention

  • Exfiltration for Salesforce

Automated Actions

This stage allows you to select automated notification channels or actions if a policy violation occurs.

Admin Alerting

This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.

The alert configurations configured in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the Google Drive Exfiltration policies, you must configure alerts at the integration level. To learn more about how to configure integration-level alerts for the Google Drive integration, read this document.

The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to this document for steps.

Automated Actions

Automated actions allow you to configure remediation that runs automatically when a Nightfall policy detects an exfiltration attempt. Nightfall supports the following automated actions for Google Drive. You can choose to run the automated action immediately after detecting a download attempt or after a delay.

Suspend Account: This action suspends the account of the user whose download attempt triggered the exfiltration event.

To enable the automated action, you must turn on the respective toggle switch.

You must now select when, after detecting the event, the action must be triggered. If you select the Immediately option, the automated action is triggered as soon as the download attempt is made.

If you select the After option, you must select the time gap after which the automated action must be implemented.

End-User Notification

This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.

Custom Message

Enter a custom message to be sent to the end user. This message is sent in an email. You can modify the default message provided by Nightfall and draft your own. The total length allowed is 1000 characters. You can also add hyperlinks in the custom message using the syntax <link|text>. For example, to hyperlink www.nightfall.ai with the text Nightfall website, write <www.nightfall.ai|Nightfall website>.
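As an added example (not Nightfall's own code), the following Python checks a custom message against the two rules stated above before the policy is saved: the 1000-character limit and the <link|text> hyperlink syntax. The finer link grammar (no '<', '>' or '|' inside either part, and neither part blank) is an assumption made here, as is the sample message.

```python
"""Check a Nightfall end-user custom message before saving the policy.

Added example, not Nightfall's own code. It enforces only what the page
states (1000-character limit, hyperlinks written as <link|text>); the finer
grammar of a link (no '<', '>' or '|' inside either part, neither part
blank) is an assumption made here.
"""
import re
from typing import List

MAX_MESSAGE_CHARS = 1000

# One hyperlink: <link|text>. The character classes are the assumed grammar.
LINK_RE = re.compile(r"<([^<>|]+)\|([^<>|]+)>")


def validate_custom_message(message: str) -> List[str]:
    """Return the list of problems found; an empty list means the message is acceptable."""
    problems: List[str] = []
    if len(message) > MAX_MESSAGE_CHARS:
        problems.append(
            f"message is {len(message)} characters, limit is {MAX_MESSAGE_CHARS}"
        )
    # Remove every well-formed link; any bracket left over belongs to a
    # malformed one (for example <www.nightfall.ai> without the |text part).
    leftover = LINK_RE.sub("", message)
    if "<" in leftover or ">" in leftover:
        problems.append("malformed hyperlink: expected <link|text>")
    for link, text in LINK_RE.findall(message):
        if not link.strip() or not text.strip():
            problems.append(f"empty link or text in <{link}|{text}>")
    return problems


def render_plain_text(message: str) -> str:
    """Render the message as a recipient would read it, as 'text (link)'."""
    return LINK_RE.sub(lambda m: f"{m.group(2)} ({m.group(1)})", message)


if __name__ == "__main__":
    # Constructed sample message, within the limit and with one valid link.
    sample = (
        "Your download was flagged by the Google Drive exfiltration policy. "
        "See <www.nightfall.ai|Nightfall website> for guidance."
    )
    print(validate_custom_message(sample))
    print(render_plain_text(sample))
    print(validate_custom_message("Bad <www.nightfall.ai> link"))
```

validate_custom_message returns an empty list for an acceptable message and one entry per problem otherwise, so it can gate a policy-as-code pipeline; render_plain_text shows what the recipient will read once the link markup is resolved.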

Automation

The automation settings allow you to send notifications to end users. You can select one or both of the notification methods. You must first turn on the toggle switch to use the automation option. The automation notification channels are as follows.

  • Email: This option sends an Email to the user who attempted the download.

  • Slack: This option sends a Slack message to the user who attempted the download.

End-User Remediation

End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take when their download attempt triggers a violation. You must turn on the toggle switch to use this option. End users receive the remediation actions in an email as an action item. The available remediation actions for end users are as follows.

  • Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.

When end users report alerts as false positive, you can choose the resolution method to be either Automatic or Manual.

If end-users do not take any remediation action, you can set the frequency at which they must receive the notifications to take action.

Google Drive App Selection

In this stage, you select the Integration for which the policy is created. In this case, Google Drive integration must be selected.

  1. Click Policies from the left menu.

  2. Click + New Policy.

  3. Select Exfiltration.

  4. Select the Google Drive integration.

Install Nightfall AI Agent for MAC OS

Nightfall for macOS allows you to detect exfiltration events on your macOS devices. The Nightfall exfiltration feature can monitor any files being uploaded through supported cloud storage apps or browsers on macOS devices.

To use Nightfall for macOS, you must install the Nightfall AI agent. This agent monitors your macOS device continuously. You can install the agent either manually or through a mobile device management (MDM) tool. You can request the Nightfall deployment bundle, which contains the .pkg and other pre-installation scripts required for your MDM deployment.

  • Manual Installation

  • Installation using the Kandji MDM

  • Installation using the Rippling MDM

  • Installation using the JAMF MDM

Stealth Mode Installation

You can install the Nightfall AI macOS agent in stealth (hidden) mode. Installing the agent in stealth mode hides its visible UI elements once the agent is installed: the Nightfall status bar icon is not shown, and the Nightfall application is not visible in the Applications folder when viewed in Finder.

Use cases

  • Covert Monitoring: If an organization suspects an employee of exfiltrating sensitive data, they can install the agent in stealth mode to monitor the employee's asset without the employee's knowledge.

  • Ensuring Bias-Free Compliance: An organization that wishes to confirm its employees are adhering to HIPAA/PCI requirements can install the agent in stealth mode without giving any indication to employees (which could prompt a change in their behavior).

  • Prevent User Distractions: Organizations that do not wish to distract their users with the agent's presence and monitoring can deploy in stealth mode.

Stealth Mode Installation Process

  1. In the mdm_pre_installation_script.sh file, find the hide_status_icon flag.

  2. Set the flag to true. By default, the flag is set to false.

Stealth mode hides the agent only from the UI, not from the file system: employees can still find Nightfall by listing the Applications folder from Terminal.

Nightfall Agent Auto Update

Nightfall supports automatic endpoint agent updates. With this feature, Nightfall delivers the majority of endpoint agent bug fixes and feature updates directly to endpoints.

Features:

  • Stay Secure: Receive the latest security patches and updates promptly, reducing the risk of vulnerabilities being exploited.

  • Remain Compatible: Keep your deployment compatible with the latest operating system updates and other software changes.

  • Receive New Features: You get access to new features and improvements to exfiltration monitoring without manual intervention.

  • Minimize Administrative Overhead: IT administrators don't need to manually deploy updates to each endpoint, saving time and resources.

Creating Policy

In this final stage, you assign a name to the policy, verify your configurations, and create the policy.

  1. Enter a name for the policy.

  2. (Optional) Enter a description for the policy.

  3. Click Next.

  4. Verify if all the policy configurations are set up as per your requirements.

  5. (Optional) Click back or click on any specific stage to modify any of the policy configurations.

  6. Click Submit.

Endpoint Exfiltration Prevention

Nightfall supports exfiltration prevention in endpoint devices. The exfiltration prevention in endpoint devices prevents your organization's employees from exfiltrating data out of your organization. This feature is available for devices running on the macOS and Windows OS.

To monitor a device for exfiltration, you must first install the Nightfall agent on it. You can install the agent manually on each device or through an MDM. Once the agent is installed, you must create policies to start the monitoring; Nightfall monitors the devices according to the policy rules you set.

You can learn about how to install the Nightfall AI agent for macOS/Windows OS and the process to create policies from the following links.

  • Install Nightfall AI Agent for MAC OS

  • Install Nightfall AI Agent for Windows OS

  • Configuring Policies

Admin Alerting

Learn how to configure admin alerts in Nightfall exfiltration policies.

This stage allows you to select the notifications channels. If Nightfall detects sensitive data in any of the selected upload channels, the notifications are sent to the recipients configured in this section.

Admin Alerting

This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.

The alert configurations configured in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the macOS/Windows Exfiltration policies, you must configure alerts at the integration level. To learn more about how to configure integration-level alerts, read this document.

The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to this document for steps.

Nightfall Agent Deployment with Kandji MDM

This document explains the process of installing Nightfall AI agent using the Kandji MDM.

Prerequisites

  • The Kandji Apple Push Notification (APN) certificate is configured.

  • The target macOS devices are onboarded.

  • On your Nightfall console, navigate to https://app.nightfall.ai/endpoint and click the Download Package button on the top right corner of the page. Click Download Package for macOS and unpack the contents of the downloaded file.

To install the Nightfall agent in stealth mode (without notifying the end-user), see Stealth Mode Installation under Install Nightfall AI Agent for MAC OS.

Create a Blueprint

  1. Navigate to https://<your-company-name>.kandji.io/blueprints.

  2. Click New Blueprint on the top right corner.

  3. Click New Blueprint on the pop-up menu.

  4. Enter a name for the blueprint in the Blueprint name field.

  5. Enter a description for the blueprint in the Blueprint description field.

  6. Click Create Blueprint.

Create Custom Profiles

In this section, we create a custom profile for each of the profiles provided in the Nightfall endpoint payload and assign them to the blueprint you have created in the previous section.

  1. In the downloaded folder, locate the README.md under /Profiles to learn about the various MDM profiles available, and choose the .mobileconfig profile that works best for your needs.

  2. Navigate to https://<your-company-name>.kandji.io/library.

    a. Click Add new.

    b. Select Custom Profile and click Add & Configure on the pop-up window.

    c. Add a Title, select the Blueprint, and drag and drop the .mobileconfig file.

    d. Click Save.

Create a Custom App

In this section, you create a custom app item for the Nightfall Endpoint Agent.

  1. Navigate to https://<your-company-name>.kandji.io/library.

  2. Click Add New.

  3. Click Custom App.

  4. Click Add & Configure on the pop-up window.

    a. Add a Title and select the Blueprint you previously created.

    b. Select the Audit and enforce option.

    c. Paste the content of mdm_kandji_audit_script into the Audit Script text box.

    d. Choose the Installer Package option.

    e. Paste the content of mdm_pre_installation_script into the Pre-install Script text box.

    f. Upload the installer package: drag and drop or click to upload the provided nightfall-ai-agent_v*.*.*.pkg file.

  5. Save the change and wait for the changes to be deployed to the target machines.

Nightfall Windows Agent Deployment: Rippling MDM

Learn how to install the Nightfall agent on Microsoft Windows OS using the Rippling MDM.

Prerequisites

  1. You have the Device Administrator role in Rippling.

  2. Target Windows devices have been onboarded into Rippling MDM.

  3. On your Nightfall console, navigate to https://app.nightfall.ai/endpoint and click the Download Package button on the top right corner of the page. Click Download Package for Windows. A file with the .msi extension is downloaded.

Step 1 - Create and Configure the Software Package in Rippling

  1. Navigate to https://app.rippling.com/hardware/software.

  2. Click Upload Software on the right of the pane and provide the following details.

    1. Name: “Nightfall Endpoint DLP Agent <version>”, where <version> is the version of the package you received from Nightfall.

    2. Operating System: “Windows”

    3. Category: “My Uploads” (default)

    4. Description: “Nightfall Endpoint DLP Agent”

    5. Upload Icon: use the .png icon file provided.

    6. Upload Installer File: drop or select the downloaded NightfallAgent.msi file.

    7. Under Silent arguments, add /qn /norestart API_KEY="" COMPANY_ID="", where the values of API_KEY and COMPANY_ID are those provided to you by Nightfall. Both values must be enclosed in double quote (") characters. Treat the API_KEY value as a secret, since it is stored in the software item's silent arguments.

    8. Click Submit.

    9. You will receive an email from Rippling with the subject “Your recently uploaded custom software is processing”.

    10. After a period of time (typically less than 1 hour), you will receive an email from Rippling: “Your recently uploaded custom software has been processed successfully!”

    11. You may now proceed to Step 2 to deploy the agent.

Step 2 - Deploy the Nightfall Endpoint DLP Agent

  1. Click Add on the newly created Software Item in the Rippling Software Catalog.

  2. Click Finished Selecting.

  3. Search or scroll to the newly added item matching the name you used in the previous step, and click Edit.

  4. Select all employees or specific target devices.

  5. Click Save.

The Nightfall Endpoint DLP Agent will now deploy to all selected target devices. This may take up to 72 hours and depends on the endpoint devices being turned on and connected to the network.

Configuring Google Drive Policies

Exfiltration policies allow you to monitor download events across your Google Drive environment. Through real-time download monitoring, you can identify insider risk and anomalous behaviour before it escalates to large scale security incidents. You can monitor download activity for specific users or user groups, specific drives containing valuable sensitive assets, or downloads of any files containing sensitive data types as discovered and classified by Nightfall's ML/AI based detectors.

You can set up your policies to monitor only, to educate users in real-time about your download and data governance policies, or to automatically suspend user access to the Google Workspace to enforce zero tolerance policies.

The detailed steps to configure a Google Drive Exfiltration policy are explained in the following documents.

  • Google Drive App Selection

  • Trigger

  • Automated Actions

  • Creating Policy

  • Remediation for Google Drive Exfiltration

FAQs

While configuring the Scope section, I use the Filter to add my Slack domain. If I then download a file from the Slack app, will Nightfall monitor this download?

Yes. Nightfall monitors downloads made from the Slack app as well.

Advanced Settings

Learn about the advanced setting options in the Nightfall exfiltration policy for macOS devices.

The advanced settings page allows you to configure notifications for Nightfall admins and end-users, as well as automated actions. The configurations available on the advanced settings page are described in the following sections.

  • Admin Alerting

  • Automated Actions

  • End-User Notifications


MAC/Windows App Selection

In this stage, you select the integration for which the policy is created. In this case, the Endpoint integration must be selected.

  1. Click Policies from the left menu.

  2. Click + New Policy.

  3. Select Exfiltration.

  4. Select Endpoint.

Nightfall Exfiltration for Salesforce

Nightfall Exfiltration for Salesforce helps you keep track of exfiltration activity in your Salesforce orgs. Nightfall leverages Salesforce Shield Real-Time Event Monitoring to observe exfiltration activities across your Salesforce orgs and identifies activities that violate configured policies.

Downloads of attachments, files and reports, and bulk downloads of objects, are all exfiltration events recognised by Nightfall. You can configure policies with thresholds for such events so that activity above the threshold is flagged as unwarranted and requiring scrutiny. You can configure the policy to alert the stakeholders who need to be notified and choose one of the available actions to be invoked automatically, or you can configure no automated actions and act only after evaluating the specific exfiltration events.

Prerequisites

Nightfall exfiltration leverages Salesforce Shield's Event Monitoring to identify exfiltration events. Salesforce Shield provides multiple security tools to safeguard your Salesforce orgs. Nightfall depends on Event Monitoring in Salesforce Shield, which is available as an independent module within Salesforce Shield. You must enable the following Event Monitoring settings for all the Salesforce orgs that you wish to monitor:

  • Generate event log files - Generate an event log file when events occur in your org.

  • Enable Lightning Logger Events - Enable collection of Lightning Logger Events in custom components.

  • Enable the following events for storage and streaming

    • Bulk API Result Event - Track when a user downloads the results of a Bulk API request

    • File Event - Track file activity. For example, track when a user downloads or previews a file

    • Report Event - Track when a user accesses or exports data with reports

    • SessionHijacking Event - Track when an unauthorised user gains ownership of a Salesforce user’s session with a stolen session identifier

You can learn more about Salesforce Shield in the Salesforce documentation. Once Event Monitoring is enabled, advance to the next steps with Installing Nightfall DLP for Salesforce.

If you have already onboarded your Salesforce org to Nightfall platform, please ensure you have the latest Nightfall DLP package deployed in your Salesforce org. Follow the steps mentioned in Upgrading Nightfall DLP to upgrade it to the latest version.

You must perform the above actions only on those Salesforce orgs in which the Salesforce Shield Event monitoring module is enabled.

Installation Doc Links

The installation procedure is the same as for Salesforce DLP for sensitive data. The links to the installation and upgrade documents are as follows.

  • Installing Nightfall DLP for Salesforce

  • Upgrading Nightfall DLP for Salesforce

Remediation for Google Drive Exfiltration

This document explains what admins and end-users can do once a policy is violated.

Admin Notification and Remediation

When end-users violate a policy, the Nightfall admin is notified about the incident. The notification channel used to notify the Nightfall admin depends on the settings configured in the Admin Alerting section. If you have not enabled any notification channels in the Admin alerting section, Nightfall admins are not notified.

If you have enabled the email notification in the Admin alerts section, Nightfall admins receive an email containing the following data.

  • Event: The event that caused the violation. For Google Drive, the event is always a download of assets.

  • Actor: The Email ID of the user who downloaded the file.

  • When: The date and time when the file was downloaded.

  • Where: The name of the file that was downloaded.

  • Policies Violated: The name of the policy that was violated.

  • Violation Dashboard: The link to the Events screen to view the violation in detail.

  • Actions: The list of actions that the Nightfall admin can take.

A Slack message with the same information is also sent if you have enabled Slack alerts for the Nightfall admin.

End-User Notification and Remediation

End-users receive notifications and remediation actions if the Nightfall admin has enabled these settings. The notifications are based on the settings configured in the Automation section. The end-user remediation actions are based on the settings configured in the End-User Remediation section.

If you have configured the Email notification for end-users and enabled the end-user remediation, end-users can take remediation actions from the Email itself.

If you have configured Slack notifications for end-user and enabled end-user remediation, end-users can view the Slack message.

Managing Events in Nightfall

Nightfall admins can manage violations from within the Nightfall console. The Events page lists all the violations under the Exfiltration tab, and admins can open a detailed view of each exfiltration event triggered.

To view violations in Nightfall navigate to the Exfiltration Prevention page from the left menu.

The Exfiltration Events page lists all the exfiltration events. To view events with specific statuses, you can click the respective tabs.

To view the past events, click the Time filter and select the required time period. By default, the time period displays Events for the Last 7 Days.

Event List View

The Event list view consists of the following columns.

  • Event type and asset(s): The nature of the event (asset download) and the name of the asset that was downloaded or uploaded.

  • Location: The location of the asset (Google Drive in this case).

  • When: The number of days or months since the event occurred.

  • Actor: The email ID of the user who downloaded the asset. In some cases, you can also find the name of an app in brackets. This indicates that an app present in your Google Workspace downloaded the asset on behalf of the user. See the Exclude Apps section of the Trigger configuration for how downloads attributed to trusted apps can be filtered out.

  • Policy: The name of the policy violated by the event.

  • Status: The current status of the event.

Event Detail View

You can click an event to view the details. The detail view window consists of the following tabs.

  • Summary: The Summary tab displays highlights of the event like the name of the downloaded asset, the name of the violated policy, the email ID of the user who violated the policy, and so on.

  • Asset: The asset window displays the details of the asset and the history of the asset. You can also choose to view historic asset data. If there are multiple assets in a single violation, you can choose which asset's details must be displayed.

  • Actor: The actor tab displays the details and history of the user who downloaded the asset. You can choose to view historical data of the user. You can also add which can serve as metadata for the violation.

Taking Actions on the Events Page

The events list view displays an ellipsis menu at the extreme right corner. Admins can click this menu to take appropriate action on an exfiltration event.

The various available actions are explained as follows.

  • Acknowledge: This action can be taken when you just wish to acknowledge that you have viewed the violation.

  • Notify Email: This action sends an email notification to the end-user who caused the violation.

  • Notify Slack: This action sends a Slack notification to the end-user who caused the violation.

  • Suspend Account: This action suspends the account of the user who caused the violation.

  • Ignore: This action ignores the violation. You can take this action when an event is a false positive.

  • Copy Link: This action is only available on the Asset detail view. You can copy the direct link to the Event with this action.

Once an action is taken, the status of the event changes accordingly. By default, an event can have one of the following two statuses.

  • Active: The event has been generated but no action has been taken.

  • Input Requested: A notification has been sent to the end-user requesting their response.

You can also take action from the event detail view page. The actions are available at the bottom of the detail view page.

Installing Nightfall for Google Drive

This document explains the steps to install the Nightfall for Google Drive.

Requirements

To install the Nightfall DLP for Google Drive integration, you must have the following:

  • A Google Workspace account, preferably a service account.

  • An admin user account of your organization's Google Workspace account (or any other Google Workspace account) on which you wish to install the integration.

Installation

To install Nightfall for Google Drive:

  1. Log in to Nightfall.

  2. Click Google Drive under the MY INTEGRATIONS section (click Show more if you are unable to view Google Drive)

  3. Click Begin Setup. 

The access permission page is displayed. Copy the Client ID and the Scopes ID that are generated.

  4. Log in to your Google Workspace with an admin account.

  5. Click the menu icon.

  6. Select Admin.

  7. In the Admin console left pane, expand Security and then expand Access and data control.

  8. Click API controls.

  9. Click MANAGE DOMAIN WIDE DELEGATION under Domain wide delegation.

  10. Click Add New.

  11. Paste the Client ID copied from the Nightfall app in the Client ID field.

  12. Paste the Scopes ID copied from the Nightfall app in the OAuth Scope field. Use a comma to separate multiple scope IDs. Domain-wide delegation grants the Nightfall client these scopes for every user in your Workspace, so confirm that the scopes you paste are exactly those shown in the Nightfall app.

  13. Click AUTHORIZE.

  14. Return to the Nightfall app and click Next Step.

  15. Click Connect.

Once the installation is completed, you can view the details of your Google Drive in the Nightfall app. Nightfall connects to your Google Workspace account and fetches all of its domains; domains already present in your Google Workspace are considered internal. You can add additional domains by clicking the ellipsis menu at the right end and selecting Manage Domains.

Trigger

The trigger section helps reduce unwanted noise. With the trigger section, you can

  • Set what download behavior can be termed as an exfiltration event.

  • Exclude downloads by trusted apps from being termed as exfiltration events.

Configuring Trigger Section

In the trigger section, you define which download behavior, specifically which download frequency, is treated as an exfiltration event.

To configure the Trigger section:

  1. Set the minimum number of downloads threshold that must be considered as an exfiltration event.

  2. Set the required time period (frequency). If the minimum download threshold (set in the previous step) is reached or exceeded, within the set time period, an exfiltration event is generated.

For example, with the threshold set to 2 downloads and the time period set to 10 minutes, an exfiltration event is triggered when a user downloads assets 2 or more times within 10 minutes.

Set the threshold and time period carefully. For example, if the download condition is 5 or more files within 1 hour, a user who downloads four assets every hour never triggers a violation, because the condition is never met within any single window.

Exclude Apps

Depending on your environment, a significant number of downloads may be attributed to applications (i.e. backup apps). You may choose to ignore such download events to reduce the noise and focus your monitoring on unexpected application and user download events.

The Exclude apps section allows you to exclude specific applications from being monitored by your policy.

To configure the Exclude apps section, select the applications to exclude from the drop-down menu. Once saved, Nightfall will not alert on download events attributed to the excluded applications.
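To make the Trigger threshold and the Exclude Apps filter concrete, here is an added Python example (not Nightfall's own code) that implements the logic the two sections above describe: N or more downloads by one actor within a time period raise an event, and downloads attributed to an excluded app are not counted. It runs over constructed download events. The event layout, the actor and app names, the half-open window, and the decision to start a fresh window after a hit are assumptions made here.

```python
"""Sliding-window download threshold with app exclusions.

Added example, not Nightfall's own code: it reproduces the policy logic the
Trigger and Exclude Apps sections describe (N or more downloads by one actor
within a time period, ignoring downloads attributed to excluded apps). The
event layout, the actor and app names, and the choice to start a fresh window
once a hit is raised are assumptions made here; the sample events are
constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, NamedTuple, Optional, Sequence


class Download(NamedTuple):
    when: datetime
    actor: str          # user email, as shown in the Actor column
    asset: str          # file name that was downloaded
    app: Optional[str]  # app that downloaded on the user's behalf, or None


class Hit(NamedTuple):
    actor: str
    at: datetime        # time of the download that crossed the threshold
    assets: List[str]   # assets counted in the window


def detect_exfiltration(
    events: Iterable[Download],
    min_downloads: int,
    window_minutes: float,
    excluded_apps: Sequence[str] = (),
) -> List[Hit]:
    """Raise a Hit each time an actor reaches min_downloads within the window.

    The window is half-open: a download exactly window_minutes after the
    oldest one in the queue is treated as outside it, so "4 downloads every
    hour" never satisfies "5 or more within 1 hour", as the text above notes.
    """
    window = timedelta(minutes=window_minutes)
    excluded = {a.lower() for a in excluded_apps}
    recent: Dict[str, Deque[Download]] = defaultdict(deque)
    hits: List[Hit] = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.app and ev.app.lower() in excluded:
            continue  # trusted app (e.g. backup tooling): not counted at all
        q = recent[ev.actor]
        q.append(ev)
        while q and ev.when - q[0].when >= window:
            q.popleft()  # drop downloads that have aged out of the window
        if len(q) >= min_downloads:
            hits.append(Hit(ev.actor, ev.when, [d.asset for d in q]))
            q.clear()  # assumption: start a fresh window after a hit
    return hits


# Constructed sample: alice downloads twice in 4 minutes, a backup app pulls
# three files for bob in 3 minutes, and carol downloads exactly four files
# every hour for three hours.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS: List[Download] = [
    Download(T0, "alice@example.com", "Q3-forecast.xlsx", None),
    Download(T0 + timedelta(minutes=4), "alice@example.com", "customer-list.csv", None),
    Download(T0 + timedelta(minutes=1), "bob@example.com", "a.pdf", "Backup App"),
    Download(T0 + timedelta(minutes=2), "bob@example.com", "b.pdf", "Backup App"),
    Download(T0 + timedelta(minutes=3), "bob@example.com", "c.pdf", "Backup App"),
] + [
    Download(T0 + timedelta(hours=h, minutes=15 * i), "carol@example.com", f"doc-{h}-{i}.docx", None)
    for h in range(3)
    for i in range(4)
]


def run_sample_policies() -> Dict[str, List[str]]:
    """Evaluate three policies over the sample and return the actors each flags."""
    two_in_ten = detect_exfiltration(SAMPLE_EVENTS, 2, 10, excluded_apps=["Backup App"])
    two_in_ten_no_exclusion = detect_exfiltration(SAMPLE_EVENTS, 2, 10)
    five_per_hour = detect_exfiltration(SAMPLE_EVENTS, 5, 60, excluded_apps=["Backup App"])
    return {
        "2 in 10 min, Backup App excluded": sorted({h.actor for h in two_in_ten}),
        "2 in 10 min, no exclusion": sorted({h.actor for h in two_in_ten_no_exclusion}),
        "5 in 60 min, Backup App excluded": sorted({h.actor for h in five_per_hour}),
    }


if __name__ == "__main__":
    for policy, actors in run_sample_policies().items():
        print(f"{policy}: {actors or 'no events'}")
```

Running the block prints which actors each sample policy flags: the 2-downloads-in-10-minutes policy flags alice, flags bob only when Backup App is not excluded, and the 5-per-hour policy flags nobody even though carol downloads four files every hour, which is the caveat described above.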

Creating Policy

In this final stage, you assign a name to the policy, verify your configurations, and create the policy.

  1. Enter a name for the policy.

  2. (Optional) Enter a description for the policy.

  3. Click Next.

  1. Verify if all the policy configurations are set up as per your requirements.

  2. (Optional) Click back or click on any specific stage to modify any of the policy configurations.

  3. Click Submit.

Nightfall Agent Deployment with Rippling MDM

This document explains the process of installing Nightfall AI agent using the Rippling MDM.

Pre-requisites

  1. Target macOS devices are onboarded.

  2. On your Nightfall console, navigate to https://app.nightfall.ai/endpoint and click the Download Package button on the top right corner of the page. Click Download Package for macOS and unpack the contents of the downloaded file.

  3. In the downloaded folder, locate the README.md under /Profiles to learn about the various MDM profiles available.

    1. Choose the .mobileconfig profile that works best for your needs.

  4. Navigate to https://app.rippling.com/hardware/configurations and click “Add configurations”.

  5. Upload and save the config profile of your choice.

  6. Select Deploy from the three-dot context menu located on the far right of the first profile.

    • Select all employees or specific target devices.

    • Click Save.

  7. Repeat step 4 for each remaining profile.

To install the Nightfall agent in stealth mode (without notifying the end-user), see Install Nightfall AI Agent for MAC OS.

Step 1 - Create & Deploy Profiles

In this step, you will create a custom profile for each of the profiles provided in your Nightfall endpoint payload.

  1. Locate the following .mobileconfig files in the downloaded Nightfall Endpoint payload package.

    • NightfallAI_ApplicationSystemEvents.mobileconfig

    • NightfallAI_Notification.mobileconfig

    • NightfallAI_PPPC.mobileconfig

  2. Navigate to https://app.rippling.com/hardware/configurations and click Add configurations.

  3. Upload and save provided config profiles.

    • Drop or select NightfallAI_PPPC.mobileconfig.

    • Configuration name: “Nightfall AI PPPC”

    • Configuration description: “Nightfall AI PPPC profile”

    • Platform: “macOS”

    • Click Save & continue.

    • Repeat the above for all remaining .mobileconfig profiles provided.

  4. Select Deploy from the three-dot context menu located on the far right of the first profile.

    • Select all employees or specific target devices.

    • Click Save.

  5. Repeat step 4 for each remaining profile.

Step 2 - Configure & Deploy Software Package

Step 2.1 - Create & Configure the Software Package

  1. Navigate to https://app.rippling.com/hardware/software.

  2. Click Upload Software on the right of the page.

    • Name: “Nightfall Endpoint DLP Agent <version>”

      • <version> is the version of the package you received from Nightfall.

    • Operating System: “macOS”

    • Category: “My Uploads” (Default)

    • Description: “Nightfall Endpoint DLP Agent”.

    • Upload Icon: use the .png icon file provided.

    • Upload Installer File: drop or select the provided nightfall-ai-agent-signed.pkg file.

    • Install-check script: provided in your package as mdm_pre_install_check_script.sh

    • Pre-install script: provided in your package as mdm_pre_installation_script.sh

    • Click Submit.

    • Click Add on the newly created Software Item.

    • Click Finished Selecting.

Step 2.2 - Deploy the Nightfall Endpoint DLP Agent

  1. Search or scroll to the newly added item matching the name you used in the previous step.

    a. Click Edit.

      i. Select all employees or specific target devices.

      ii. Click Save.

The Nightfall Endpoint DLP Agent will now deploy to all selected target devices. This may take up to 72 hours and is dependent on the endpoint devices being turned on, connected, and pre-requisite profiles deployed.

Upgrading to a New Version

The following steps describe how to upgrade endpoints to a new version of the agent:

  1. Search or scroll to the old version of the Nightfall Endpoint DLP Agent and click “Edit”.

    a. Remove all devices from the installation list and click “Save”.

  2. Follow the steps in Step 2.1 to configure the new software package for the new version.

  3. Follow the steps in Step 2.2 to deploy the new version.

The Nightfall Endpoint DLP Agent will now deploy to all selected target endpoints. Installation may take up to 48 hours and is dependent on the endpoint devices being turned on and connected.

Remediation for Windows OS Policies

Managing Violations in Nightfall

Nightfall admins can manage violations from within the Nightfall console. The Events page in Nightfall lists all the violations under the Exfiltration tab. End-users can get a detailed view of each exfiltration violation recorded.

To view violations in Nightfall

  1. Navigate to Exfiltration Prevention from the left menu.

Steps 2-6 help you filter the events to only view the alerts generated by Windows OS.

  2. Click Filter.

  3. Click + Add Filter.

  4. Select Integration.

  5. Select the Windows check box.

  6. Click Apply.

To view historic events, click the Time filter, select the required time period or enter it manually by selecting the Custom Range option. Once the required time period is selected, click Apply. By default, the filter displays results for the Last 7 days. You can click Last 7 Days and choose the required historic time period.

You can click an event to view the details. The detail view window consists of the following tabs.

Summary Tab

The Summary tab consists of the following details.

  • Assets: The name of the uploaded asset(s) that was exfiltrated.

  • Policy: The name of the policy violated.

  • Device ID: The device ID of the device from which the file upload was performed.

  • Machine Name: The physical name of the device from which the file upload was performed.

  • Browser Name: The name of the browser from which the asset was uploaded.

  • Domain: The domain URL to which the asset containing sensitive data was uploaded. This field is applicable only for browser uploads. When you hover over a domain that is not added to any Collection, the list of Collections is displayed. You can choose to add the domain to an existing Collection, or create a new Collection and add the domain to it. If you are already leveraging the domain collection as part of your monitoring policies, the new addition is automatically picked up. For example, if the domain is added to a collection of sanctioned domains that your policy ignores, future uploads to this destination are ignored.

  • Upload Start Time: The start date and start time of the upload.

  • Upload End Time: The end date and end time of the upload.

The Summary tab also displays a log of activities that occurred on the Event. The first log entry is always the asset creation date. The subsequent logs display the actions applied on the event. You can also add comments on the Summary tab. The comments added by you can be viewed by other users as well.

Assets Tab

This tab displays the details of the asset (with sensitive data) that was uploaded to a domain or cloud storage app. The asset tab also displays a number in brackets. This number indicates the number of assets that were uploaded as part of the event.

In the following image, there were two assets which were uploaded, and these four uploads together triggered the event. In such cases when there are multiple assets involved, you can use the drop-down menu to switch between assets and view the asset details.

The Assets tab displays the following details.

  • Name: The name of the asset uploaded.

  • Where: The location of the asset in the device.

  • Medium: The medium used to upload the asset.

  • User: The username of the device owner.

  • Size: The size of the downloaded asset.

Asset History

The Assets tab also contains the Asset History section. This section displays the source or origin from where the asset was downloaded. Additionally, it also displays the destinations to which the asset was uploaded. If the source and destination details are not available, this section does not display any information. Users can use the time filter to view historic data.

Device Tab

The device tab displays the details of the device used to upload the asset. You can view the following details on this tab.

  • Device ID: The device ID of the device from which the asset was uploaded.

  • Device Name: The name of the device from which the asset was uploaded.

  • Connection Status: The current status of the device. This can either be Connected or Disconnected. If the device is not in contact with the Nightfall agent for more than 6 hours, the connection status changes to disconnected.

  • OS: The operating system used on the device. This field always displays the Windows OS.

  • MAC Address: The physical MAC address of the device.

  • Last Connection: The date and time when the device was last connected.

  • Agent Version: The Nightfall agent version installed on the device.

  • OS Version: The Windows OS version used on the device.

Automated Actions

Learn more about how automated actions work in a Nightfall exfiltration policy.

This section describes the various actions that Nightfall takes automatically when an exfiltration attempt is detected. The automated action is triggered when the condition set in the Trigger section is violated.

The automated action supported by Nightfall is described as follows.

Block Transfer

This action automatically blocks the process of file transfer thus preventing an exfiltration attempt. You can use this action to prevent the upload of files with sensitive data, to web browsers or cloud storage apps. You must enable the toggle switch to activate the automated action.

You can configure the Scope section and the Trigger section such that you can leverage this feature to:

  • Block transfer based on file origin: Block the upload of files downloaded from highly sensitive SaaS applications.

  • Block transfer based on destination: Allow uploads only to sanctioned destinations.

  • Combine origin and destination: Create powerful DLP policies that factor in both where files came from and where they are headed.

Currently, this action is supported only for MAC devices.

Some scenarios in which you can use the automatic Block action are as follows.

Scenario 1: Prevent Exfiltration of sensitive data to unsanctioned destinations

Employees access confidential reports from an internal data repository and attempt to upload them to personal iCloud or unsanctioned personal email service.

Solution

Configure the filters in the Scope section to scope the policy to include the domains to be monitored (for instance your organization's *.drive.google.com or *.force.com). Now, any file(s) downloaded from the configured domain(s) are monitored. Configure the Trigger section to trigger an exfiltration action when an attempt is made to upload the downloaded file to an unsanctioned destination (for instance to personal iCloud or a domain not sanctioned by the corporation). Finally, enable the Block automated action.

In this scenario, if a user downloads a file from an organization's Google Drive or Salesforce and attempts to upload it to their personal iCloud, the action is blocked and user gets the following error message.

Other similar scenarios include:

  • A health department that prevents employees from uploading customer health data, downloaded from the organization's domain, to employees' personal Google Drive, OneDrive, or any supported cloud storage app.

  • An employee working on an organization's code repository, attempting to upload a file to developer forums, LLM services, or generative AI apps like ChatGPT.

Scenario 2: Allowing upload action only to approved destinations

An organization allows employees to store work documents only in corporate-managed OneDrive or Google Drive but wants to prevent uploads to personal accounts.

Solution

Configure the filters in the Scope section to scope the policy to include the domains to be monitored (for instance your organization's Google Drive or OneDrive). Now, any file(s) downloaded from the configured domain(s) are monitored. Configure the Trigger section to monitor only unsanctioned domains. Finally, enable the Block automated action. Now any attempt to upload a file to sanctioned domains is allowed, while uploads to unsanctioned domains are blocked.
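The origin-plus-destination decision behind Scenarios 1 and 2 (and the Any Domain / Domain in / Domain Not in options of the Asset Origin filter), as an added Python example that is not Nightfall's code: the domain collections, the policy shape and the handling of an asset with no recorded origin are all assumptions of this example.

```python
from fnmatch import fnmatchcase

# Constructed domain collections (names and patterns are assumptions for this
# example, not Nightfall data). "*" matches any prefix, as in the docs' examples.
COLLECTIONS = {
    "corporate-saas": ["*.drive.google.com", "drive.google.com", "*.force.com"],
    "sanctioned-storage": ["*.sharepoint.com", "drive.google.com"],
}

# Assumed policy shape: each filter is (mode, collection names) where mode is
# "any", "in" or "not_in", mirroring the Asset Origin filter options.
EXAMPLE_POLICY = {
    "origin": ("in", ["corporate-saas"]),               # Scope: downloaded from corporate SaaS
    "destination": ("not_in", ["sanctioned-storage"]),  # Trigger: uploaded elsewhere
    "block": True,                                      # Block automated action enabled
}


def domain_in_collections(domain, names):
    """True if `domain` matches any pattern in any of the named collections."""
    domain = domain.lower()
    return any(fnmatchcase(domain, pat.lower()) for n in names for pat in COLLECTIONS[n])


def filter_matches(domain, domain_filter):
    """Evaluate one (mode, collections) filter against a domain (None = unknown)."""
    mode, names = domain_filter
    if mode == "any":                 # any domain present in any collection
        mode, names = "in", list(COLLECTIONS)
    if domain is None:
        # Asset History may lack a source. Assumption: an unknown domain cannot
        # satisfy an inclusion filter, but cannot be excluded by one either.
        return mode == "not_in"
    present = domain_in_collections(domain, names)
    return present if mode == "in" else not present


def evaluate_transfer(origin, destination, policy):
    """Return "out-of-scope", "allow", "block" or "alert" for one upload attempt."""
    if not filter_matches(origin, policy["origin"]):
        return "out-of-scope"         # asset origin not monitored by this policy
    if not filter_matches(destination, policy["destination"]):
        return "allow"                # destination is sanctioned
    return "block" if policy["block"] else "alert"


if __name__ == "__main__":
    # Constructed upload attempts: (origin domain, destination domain).
    attempts = [
        ("corp.drive.google.com", "www.icloud.com"),
        ("corp.drive.google.com", "contoso-my.sharepoint.com"),
        ("news.example.com", "www.icloud.com"),
        (None, "www.icloud.com"),
    ]
    for origin, dest in attempts:
        print(f"{origin!s:>24} -> {dest:<26} {evaluate_transfer(origin, dest, EXAMPLE_POLICY)}")
```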

End-User Notifications

Learn how to configure end user notifications in Nightfall exfiltration policies.

This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.

Custom Message

Enter a custom message to be sent to the end user. This message is sent in an Email or a Slack message. You can modify the default message provided by Nightfall and draft your own. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text>. For example, to hyperlink https://www.nightfall.ai with the text Nightfall website, you must write <https://www.nightfall.ai | Nightfall website>.

Automation

You can select Email, Slack, or both as the automated notification method. You must turn on the toggle switch to use this option. End-users receive notifications in Email or Slack, based on the option(s) enabled.

End-User Remediation

End-User Remediation (also known as Human Firewall) allows you to configure remediation measures that end-users can take when an exfiltration event is triggered due to their actions. You must turn on the toggle switch to use this option. When you configure end-user remediation, the user whose actions triggered the exfiltration event receives a notification from Nightfall. This notification provides details of the user's actions that caused the exfiltration along with your custom message. End-users can take appropriate actions.

Nightfall supports the following remediation actions for end-users.

  • Provide Business Justification: This option allows end-users to add a descriptive note on the file transfer or exfiltration event. Users can provide a business justification that gives you more context into the file transfer. The user input is delivered directly to the console for review, saving you time and helping you assess the risk of the data transfer based on the additional user input.

When an end-user decides to provide a business justification, the following screen is displayed.

Based on the user response, the Exfiltration Event is updated.

The other options available to be configured in this section are:

  • When a Violation is Reported as False Positive (justified): You can use this option to set actions to be taken when input has been provided by the end-user. You can automatically ignore violations for which the user has provided input.

  • Remind Every (until Violation expires): You can use this option to adjust the frequency at which Nightfall should remind the user to provide context into their data transfer. You can choose to remind the end user every 24, 48, or 72 hours.

Salesforce App Selection

In this stage, you select the Integration for which the policy is created. In this case, Salesforce integration must be selected.

  1. Click Policies from the left menu.

  2. Click + New Policy.

  3. Select Exfiltration.

  4. Select the Salesforce integration.

If the event monitoring module is not set up in Salesforce, event monitoring is displayed as "disabled" on the Scope page, as shown in the following image.

Install Nightfall AI Agent for Windows OS

Nightfall for Windows OS allows you to detect exfiltration events on your Windows OS devices. The Nightfall exfiltration feature can monitor any files being uploaded through supported cloud storage apps or browsers on Windows OS devices.

To use Nightfall for Windows OS, you must install the Nightfall AI agent. This agent monitors your Windows OS device continuously. You can install the agent either manually or through a mobile device management (MDM) tool. You can request the Nightfall deployment bundle, which contains the data required for your MDM deployment.

Nightfall supports the following agent installation methods for Windows OS.

  • Manual Installation

  • Nightfall Agent Deployment: Microsoft Intune

  • Nightfall Windows Agent Deployment: Rippling MDM

  • Nightfall Windows Agent: MSI Deployment

Nightfall Agent Deployment with JAMF MDM

This document explains the process of installing the Nightfall AI agent using JAMF.

The JAMF installation consists of the following steps.

  1. Upload Device Profiles to Jamf Pro

  2. Upload and Add the Pre-Installation Check Script

  3. Upload and Add the Pre-Installation Script

  4. Upload the Nightfall App Package

  5. Create a Policy and Add scripts and package

Prerequisites

  • Target macOS devices are onboarded.

  • On your Nightfall console, navigate to https://app.nightfall.ai/endpoint and click the Download Package button on the top right corner of the page. Click Download Package for macOS and unpack the contents of the downloaded file.

To install the Nightfall agent in stealth mode (without notifying the end-user), see Install Nightfall AI Agent for MAC OS.

Step 1 - Upload The Nightfall MDM Profile of your choice to Jamf Pro

  1. In the downloaded folder, locate the README.md under /Profiles to learn about the various MDM profiles available.

    1. Choose the .mobileconfig profile that works best for your needs.

  2. Log in to your Jamf Pro account.

  3. Navigate to Computers > Configuration Profiles.

  4. Click the Upload button.

  5. Click the Upload button and upload .mobileconfig of your choice.

  6. In the Scope tab, add the target devices or device groups to which this profile should be deployed.

  7. Click Save.

Once assigned, profiles will be automatically deployed as part of the next Jamf inventory cycle.

The MDM profile has to be deployed on target machines prior to deploying additional payload. In Jamf, you can enforce this requirement through the creation of a Smart Group in which you can set the presence of the profile created above as a pre-requisite for any other payload targeting the group.

Step 2 - Upload and Add Pre-Installation Check Script

This script checks if the required profiles are installed and that the endpoint agent is at the desired version.

  1. Unpack the zip file provided and locate the mdm_pre_install_check_script.sh file under the .\mdm_scripts\ folder.

  2. On Jamf Pro, navigate to Computers > Scripts.

  3. Click the New button.

  4. Enter a display name for the script (e.g., "Nightfall AI Pre-Installation Check").

  5. Click on the Script tab

  6. Paste the contents of mdm_pre_install_check_script.sh into the script editor.

  7. Click Save.

Step 3 - Upload and Add the Pre-Installation Script

This script configures the target machine and prepares it to connect to your Nightfall instance once the package is deployed.

  1. Locate the mdm_pre_installation_script.sh file under the .\mdm_scripts\ folder.

  2. On Jamf Pro, navigate to Computers > Scripts.

  3. Click the New button.

  4. Enter a display name for the script (e.g., "Nightfall AI Pre-Installation Script").

  5. Paste the contents of mdm_pre_installation_script.sh into the script editor.

  6. Click Save.

Step 4 - Upload the Nightfall App Package

  1. Navigate to Settings > Packages.

  2. Click the New button.

  3. Enter a display name for the package (e.g., "Nightfall AI Agent").

  4. Click the Choose File button and upload nightfall-ai-agent-signed.pkg.

  5. Click Save.

Step 5 - Create a Policy and Add scripts and package

  1. Navigate to Computers > Policies.

  2. Click the New button.

  3. Enter a display name for the policy (e.g., "Deploy Nightfall AI").

  4. Click General from the left pane & configure the Trigger and Execution Frequency as needed.

  5. Click Package from the left pane & click on configure

  6. Add Nightfall AI Agent package

  7. Click on Scripts from the left pane & click on configure

  8. Add the Pre-Install Check Script and the Pre-Install Script. Ensure the Priority is Before and that the scripts run in the following sequence (they must run once and in order to prepare the machine for the package install):

    1. Pre-Install Check Script

    2. Pre-Install Script

  9. Click on Scope and determine the Target, Limitations, and Exclusions per need.

  10. Click Save.

Configuring Salesforce Exfiltration Policies

Exfiltration policies allow you to monitor download events across your Salesforce environment. Through real-time download monitoring, you can identify insider risk and anomalous behaviour before it escalates into a large-scale security incident. The following are supported and monitored by Nightfall for exfiltration activities:

  • Attachments & Files

  • Reports

  • Records & Objects

Download of any of the above information containers is an exfiltration activity for Nightfall, and if such activities breach a threshold set in one of the exfiltration policies in Nightfall, then Nightfall flags it as an exfiltration event. You can configure which users should receive notifications and what automatic actions must be taken when an exfiltration event is detected.

The detailed steps to configure the Salesforce Exfiltration policy are explained in the following documents.

Salesforce App Selection

Scope

Trigger

Advanced Settings

Creating Policy

Remediation for Salesforce Exfiltration

Scope

The Scope section enables you to create an asset lineage based policy in which you can track the journey of an asset from source to destination.

Key Features of Lineage Based Policies

  • Security administrators can set precise exfiltration policies to protect sensitive files that originate from high-value SaaS locations from being exfiltrated to unsanctioned destinations

  • High performance security teams can focus their energy and resources on monitoring assets from high value SaaS domains.

  • By combining content download origin to upload destination, organizations can extend their monitoring to cover any cloud application accessed through the browser, even those without direct API integration.

  • Allows security teams to monitor and prevent data exfiltration not just through direct browser uploads but also through cloud storage sync applications, providing a multi-layered defense against data leaks.

  • With lineage-based policies, organizations can proactively identify and manage risks associated with sensitive content movement, ensuring compliance with data security standards and preventing potential breaches before they occur.

Configuring the Scope Page

The Scope page consists of the following sections.

  • Operating Systems

  • Devices

  • Content Scanning

  • Filters

Operating Systems

This section allows you to select the operating systems to which the policy must be scoped. Nightfall supports Microsoft's Windows and Apple's MAC operating systems. You can choose either one of the operating systems or both, based on your organization's requirements. You must click the check box of the respective operating system to include it in the scope of the policy. All the devices that belong to the selected operating system(s) are monitored by Nightfall.

Kindly note that some of the advanced policy features like Content Scanning, Filters, and automated actions are not yet available on Windows—but stay tuned, as we’re working to bring these capabilities soon!

Devices

By default, Nightfall monitors all the devices that belong to the selected operating system(s). However, you can choose to exclude trusted devices from being monitored. The Exclude Devices section consists of a drop-down menu. This menu lists all the devices that belong to the selected operating system(s). You can select the devices that you wish to exclude from being monitored.

If you have a long list of devices, you can search for a device by entering its device ID.

Content Scanning

The Content Scanning section allows you to scan the downloaded content for sensitive data. You can choose the Nightfall detection rules that you wish to use for scanning the downloaded data. With this feature, you can monitor exfiltration attempts on sensitive data. For instance, you can monitor if any of the content uploaded to unsanctioned destinations contains regulated information like PCI, PII, PHI or organization's secrets like credentials, API keys, and so on. You can combine content scanning with the Trigger and Block features to prevent the exfiltration of files containing sensitive data.

To use this feature, you must first select the On option from the drop-down menu and then select the required Nightfall detectors.

If a downloaded file contains sensitive data, it is reported in the exfiltration event. You can check the Assets tab of an exfiltration event to view the sensitive data found. In the following image, you can see that a Detector called Credit Card Number is violated 20 times in one of the files uploaded through the browser.

Filters

The Filters section provides you the flexibility to include and exclude users at a granular level. Once you select the operating system and the devices to be monitored, you can further drill down your scope by using filters. You can apply filters to only monitor assets downloaded from specific domains. Conversely, you can also choose to exclude the monitoring of assets downloaded from specific domains. Additionally, you can apply filters to only monitor, or to exclude from monitoring, assets downloaded by specific high-risk users (such as departing users) or by functional user groups (such as HR, Finance or Engineering).

You must configure the Directory Sync feature to use the Internal Users and Internal Groups filters.

Asset Origin

The Asset Origin filter allows you to limit the scope of the policy to only those assets which originated from a specific source. To use the asset origin filter, you must click Add Filter and select Asset Origin.

The Asset Origin filter provides the following options:

  • Any Domain: If you select this option, Nightfall monitors the assets originated (downloaded) from any domain, present in any of the domain collections.

  • Domain in: If you select this option, you must additionally also select the domain collections, created in the domain collections section. In this case, Nightfall monitors only those assets that originated from a domain, which is a part of any of the selected domain collection(s).

Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.

  • Domain Not in: If you select this option, you must additionally also select the domain collections, created in the domain collections section. In this case, Nightfall does not monitor those assets that originated from a domain, which is a part of any of the excluded domain collection(s).

Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.

Internal Users

  • Specific User(s): You must choose this option to monitor the actions of specific internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.

  • All Users, except for: You must select this option to exclude the monitoring of specific internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.

Internal Groups

  • Specific Group(s): You must choose this option to monitor specific internal groups. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in Directory Sync. You must select the required groups.

  • All Groups, except for: You must choose this option to exclude monitoring of specific internal groups. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in Directory Sync. You must select the required groups.

Scope

The Scope section determines which areas of Salesforce need to be monitored by Nightfall for Exfiltration. You can choose one or all of the following data types to be monitored.

  • Attachments & Files

  • Reports

  • Records & Objects

After you make the required selection, you can also add filters to monitor specific Salesforce users or Salesforce profiles.

If you have connected multiple Salesforce orgs, the Scope page allows you to select one and only one Salesforce org for the policy.

Nightfall can detect download actions done only from the Salesforce Lightning version. Any download action done on the Salesforce Classic version cannot be detected by Nightfall.

Data Types

In the Data Types section, you must select the Salesforce data types to be monitored. By default, all the three data types are selected. You can choose to either retain all the three data types or clear any of the data types.

It is mandatory to select at least one data type for monitoring.

Filters

The Filters section allows you to add additional filters, on top of the selected data types, to narrow down the monitoring scope. Nightfall provides the following two types of filters.

Internal Users

You can choose specific Salesforce users whose activities need to be monitored or excluded from being monitored. Nightfall populates the list of all your users from Salesforce. You need to select either the users whose activities need to be monitored or the users whose activities need to be excluded from monitoring.

To add Users filter, click Add Filter and select Internal Users.

To monitor specific users, select the Monitor specific option. To exclude specific users from being monitored, select the Monitor all, except option.

Nightfall populates the list of Salesforce users in the Search users field. You can select all the required users.

Salesforce Profiles

You can choose specific Salesforce profiles whose activities need to be monitored or excluded from being monitored. Nightfall populates the list of all your Salesforce profiles. You need to select either the profiles whose activities need to be monitored or the profiles whose activities need to be excluded from monitoring.

To monitor specific Salesforce profiles, select the Monitor specific option. To exclude specific Salesforce profiles from being monitored, select the Monitor all, except option.

Nightfall populates the list of Salesforce profiles in the Search profiles field. You can select all the required profiles.

Example Scenario

Contoso Ltd. uses Salesforce to host their applications. They have three users, Steve, Rick, and Matt, in their Salesforce org. These users are not Contoso employees. They are employees of Acme Corp., which is a prospective customer of Contoso Ltd. Steve, Rick, and Matt are evaluating Contoso's app to check if it meets Acme Corp.'s requirements. Contoso has created a Salesforce profile called Prospective customers and added these three users to this profile.

Contoso Ltd. uses Nightfall Salesforce exfiltration and wishes to check if any files with sensitive data are downloaded by any of these three users. They create a Salesforce exfiltration policy to monitor all the data types. They can choose one of the following filters.

  • They can use the Internal Users filter and add these three users.

  • They can select the Salesforce Profiles filter and add the Prospective customers profile to it. So, if any other prospective customers are added in future, they are also automatically monitored.

Trigger

The Trigger section in Salesforce policies allows you to define the frequency of an action that must be treated as an exfiltration event. In the case of Salesforce policies, the download frequency is the trigger.

The download frequency is defined as a number of downloads over a period of time. This allows you to set custom thresholds in terms of the number of downloads over a specific period of time, which can be useful for identifying anomalous download patterns for specific locations, users, or content types. The trigger can be set in combination with the other scoping capabilities.

Configuring Triggers

In the Actions section, you define the download activity that Nightfall must treat as a potential exfiltration attempt. Nightfall lets you set the frequency of downloads as the action.

To configure Actions:

  1. Set the minimum number of downloaded files that constitutes the download threshold.

  2. Set the time period within which that minimum number of downloads is treated as an exfiltration event.

In the following case, an exfiltration event is created if there are 2 or more downloads within a minute.

You must set the action frequency carefully. For example, suppose you set the action condition to 5 or more files within 1 hour, as shown in the following image. If a user then downloads four assets every hour, the policy does not trigger a violation, because the Action condition is never matched; the user can keep downloading four files every hour without raising an event.
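To make the threshold semantics concrete, the following added example (not Nightfall's code, and not taken from this documentation) replays a constructed download log through a sliding-window counter of the "N downloads within T" kind described above. The user names are the Contoso prospects from the scenario; the two details the page leaves open, whether the window boundary is inclusive and whether a burst produces one event or several, are stated as assumptions in the docstring. Running it shows why "5 within 1 hour" never fires for a user who downloads four files every hour, while "2 within 1 minute" catches a pair of downloads thirty seconds apart.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def find_exfiltration_events(downloads, min_downloads, window_seconds):
    """Replay (user, timestamp) downloads in time order and return the
    (user, timestamp) pairs at which a user's downloads within the
    trailing window reach min_downloads.

    Two details the documentation leaves open are assumed here:
      * the window is half-open, so a download exactly window_seconds old
        has already aged out;
      * after an event fires the user's window is reset, so one burst
        produces one event rather than one per extra download.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # per-user timestamps still inside the window
    events = []
    for user, ts in sorted(downloads, key=lambda d: d[1]):
        q = recent[user]
        q.append(ts)
        while ts - q[0] >= window:   # evict downloads that aged out of the window
            q.popleft()
        if len(q) >= min_downloads:
            events.append((user, ts))
            q.clear()
    return events


def sample_downloads():
    """Constructed download log (not real Nightfall data) for the three
    Contoso prospects from the scenario above."""
    t0 = datetime(2024, 3, 7, 9, 0, 0)
    log = []
    # Steve: four downloads every hour for three hours, never five in one hour
    for hour in range(3):
        for i in range(4):
            log.append(("steve", t0 + timedelta(hours=hour, minutes=5 * i)))
    # Rick: five downloads within ten minutes
    for i in range(5):
        log.append(("rick", t0 + timedelta(hours=2, minutes=2 * i)))
    # Matt: two downloads thirty seconds apart
    log.append(("matt", t0 + timedelta(hours=3)))
    log.append(("matt", t0 + timedelta(hours=3, seconds=30)))
    return log


if __name__ == "__main__":
    for threshold, seconds in ((5, 3600), (2, 60)):
        hits = find_exfiltration_events(sample_downloads(), threshold, seconds)
        print(f"{threshold} downloads within {seconds}s:", hits)
```

The per-user deque is the whole detector: the threshold is only reached when enough downloads are still inside the window, so a steady rate just below the threshold is invisible to it. When tuning a real policy, choose the threshold against the legitimate download rate of the scoped users, not only against the burst you expect from an exfiltration attempt.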

Nyx – AI-powered DLP Copilot

Learn about Nyx, Nightfall's AI-powered Copilot.

Nyx is Nightfall’s AI-powered DLP Copilot, designed to help you quickly investigate and understand exfiltration risks. She can surface patterns, summarize user activity, and suggest next steps — all through a simple natural-language conversation.

Getting Started

  1. Click the Comet Icon: In the upper right corner of your Nightfall dashboard, click the comet icon to open Nyx.

  2. Start Conversing: Type your question in plain English — no special syntax required.

Things You Can Ask Nyx

  • “What are my most common exfiltration patterns?”

  • “Summarize Bob’s activity over the last 7 days.”

  • “What are my most frequent upload domains? Put results in a table.”

  • "Write an email to Bob's supervisor for me."

Beta Limitations

  • Nyx can process up to 100 exfiltration events at a time.

  • Available for endpoint customers only. Support for other event types coming soon.

Give Us Feedback

Your feedback will directly shape Nyx’s future! After trying her out, let us know what works well and what could be improved.

Learn More

  • Inside the making of Nyx, our AI Copilot

  • Get a Nyx demo

Creating Policy

In this final stage, you assign a name to the policy, verify your configurations, and create the policy.

  1. Enter a name for the policy.

  2. (Optional) Enter a description for the policy.

  3. Click Next.

  1. Verify if all the policy configurations are set up as per your requirements.

  2. (Optional) Click back or click on any specific stage to modify any of the policy configurations.

  3. Click Submit.

Trigger

Once you have scoped the policy to the required devices and originating domains, you must define the trigger actions that are treated as exfiltration events.

Nightfall provides three types of triggers that you can set as exfiltration events.

  • Browser Uploads: In this section, if an asset is uploaded through a browser to an online portal (for example, a social media website), you can define such events as exfiltration events.

  • Cloud Syncing: In this section, if an asset is uploaded to an online cloud store application (for example, Google Drive), you can define such events as exfiltration events.

  • Clipboard Paste: In this section, if data is copied from a source and pasted to a destination, you can define such events as exfiltration events.

The steps to use the above triggers are elaborated in the following sections.

Browser Uploads

Ensure that you have configured domain collections (see Create Domain Collections) before using the browser uploads option.

To monitor browser uploads:

  1. Select the Browser uploads to option.

  2. Select one of the following options.

  • Any Domain: If you select this option, Nightfall monitors uploads done to any domain on the Internet.

  • Domain in: If you select this option, you must additionally select the domain collections created in the Create Domain Collections section. Nightfall monitors the uploads done to all the domains that belong to the selected domain collections.

Once you select a domain collection, it is displayed on the screen and greyed out in the drop-down menu. You can use the drop-down menu to select additional domain collections.

  • Domain Not in: If you select this option, you must additionally select the domain collections created in the Create Domain Collections section. Nightfall does not monitor uploads done to the domains that belong to the selected domain collections.

Once you select a domain collection from the drop-down menu, it is displayed on the screen and grayed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.

Cloud Sync App Uploads

In this option, you can either choose to monitor uploads done to every cloud sync app or select specific cloud sync apps to which the uploads must be monitored.

  1. Select the Cloud Syncing option.

  2. Select one of the following options.

  • Any Storage Apps: If you select this option, Nightfall monitors the uploads done to every cloud sync storage application.

  • Specific Storage App(s): If you select this option, you must additionally select the storage apps. Nightfall monitors the uploads done to the selected storage apps.

Once you select a cloud storage application from the drop-down menu, the selected option is displayed on the screen and grayed out from the drop-down menu. You can use the drop-down menu to select additional cloud storage apps.

Clipboard Paste

In this option, you can choose to monitor the copy/paste actions performed by end-users, for example when they copy data and paste it to unsanctioned locations.

Apart from text data, Nightfall can also detect non-text clipboard content, including images and screenshots. The Clipboard Paste trigger uses optical character recognition (OCR) technology in combination with Nightfall detectors to prevent the exfiltration of sensitive data present in visuals such as copied screenshots, scanned documents, or images copied from web browsers.

Use cases

  • A typical example of this trigger can be a scenario in which an end-user copies an API key and pastes it in a prompt in ChatGPT/Deepseek or any other Gen AI apps while attempting to generate a piece of code.

  • An employee attempting to capture a screenshot of dashboards, reports, or customer data from sensitive SaaS apps into unsanctioned destinations.

To enable the Clipboard Paste trigger:

  1. Select the Paste To option.

  2. Select one of the following options.

    1. Any Domain: If you select this option, Nightfall monitors paste actions performed on any domain on the Internet.

    2. Domain in: If you select this option, you must additionally select the domain collections created in the Create Domain Collections section. Nightfall monitors the paste actions performed on all the domains that belong to the selected domain collections. The process of domain selection is the same as in the Browser Uploads section.

    3. Domain Not in: If you select this option, you must additionally select the domain collections created in the Create Domain Collections section. Nightfall does not monitor paste actions performed on the domains that belong to the selected domain collections.

Once you select a domain collection from the drop-down menu, it is displayed on the screen and grayed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.

If end-users attempt to paste content, once you enable the Clipboard Paste trigger, they receive an error message as shown in the following image.

Manual Installation

Learn how to install the Nightfall agent on Microsoft Windows OS manually.

Overview

This document outlines the steps to manually deploy the Nightfall AI Agent on a Windows device.

Prerequisites

  • Ensure that Windows endpoint has been enabled on your Nightfall tenant.

  • Download the Nightfall AI Agent installer, NightfallAgent.msi, to a local folder on the target machine: Integrations -> Endpoint Windows -> Manage -> Download Package -> Download Package For Windows.

  • (Optional) Navigate to Exfiltration > Endpoint in the Nightfall console.

Deployment Steps

  1. Copy the downloaded NightfallAgent.msi to a folder on the target machine.

  2. Run the installer:

    1. Launch CMD as an Administrator.

    2. Navigate to the folder to which NightfallAgent.msi was downloaded, for example cd C:\users\<username>\Downloads\ (update the path accordingly).

    3. Copy the installation command from Integrations -> Endpoint Windows -> Manage -> Download Package -> "To install, run the command as admin". This command includes the command-line parameters the agent needs to communicate with Nightfall.

    4. Paste the msiexec installation command into CMD and press the Enter key.

    5. The installation runs in silent mode.

  3. Verify the installation:

    1. Once the installation is complete, check that the agent is running:

      1. Open Task Manager (Ctrl + Shift + Esc).

      2. Look for the Nightfall Agent & NightfallUI processes under the Processes tab.

    2. Confirm that the Nightfall agent is configured for your Nightfall tenant:

      1. On the Windows machine, double-click the Nightfall agent icon in the status bar. The displayed UUID should match your Nightfall tenant UUID located under https://app.nightfall.ai/settings/.

      2. On the Nightfall console, the newly configured device should be listed under https://app.nightfall.ai/endpoint.

Conclusion

The Nightfall AI Agent should now be successfully installed, running on your Windows machine, and connected to your Nightfall tenant. If you run into any issues, please contact Nightfall AI support.


Configuring Integration Alerts

Nightfall Exfiltration Prevention for Salesforce allows you to configure alerts at the policy level and also at the integration level. Alerts for the Salesforce integration can be sent through the following alert channels.

  • Slack

  • Email

  • Webhook

  • Jira Tickets

When you configure alert settings at the integration level, the alert settings apply to all the policies created for the Salesforce integration. However, when you configure alert settings specifically for a policy created in the Salesforce integration, the alert settings apply only to that specific policy.

This document explains how to configure alerts at the integration level. To learn about how to configure alerts at the policy level, read this document.

Prerequisites

  • To use Slack as an alert platform, you must first perform the required Slack configurations. You can refer to this document to learn more about how to configure Slack as an Alert platform.

  • To use Webhook as an alert platform, you must first perform the required Webhook configurations. You can refer to this document to learn more about how to configure Webhook as an Alert platform.

  • To use JIRA as an alert platform, you must have the DLP for the JIRA app installed from the Atlassian Marketplace. You can read more about the DLP for JIRA integration here.

Configure Alerts at the Integration Level

You can configure alerts at the integration level once you have installed the Nightfall for Salesforce integration.

To configure alerts at the integration level:

  1. Navigate to the Salesforce integration

  2. Scroll down to the Alerting section.

  3. You can configure one or multiple alert channels.

Configuring Slack as an Alert Channel

  1. To configure Slack as an alert channel, click + Slack channel.

  2. In the Slack alert channel field, enter the name of the Slack channel in which you wish to receive the alerts.

  3. Click Save.

A confirmation pop-up box is displayed, asking whether the Slack channel entered in step 2 must be used only for the Salesforce integration or for all the Nightfall integrations.

  4. Select No, only integration level to use the Slack channel only for Salesforce, or select Yes, please to use the selected Slack channel for all the Nightfall integrations.

Configuring Email as an Alert Channel

  1. Click + Email.

  2. Enter the Email ID of the recipient who should receive the notifications.

  3. Click Save.

A confirmation pop-up box is displayed, asking whether the Email ID entered in step 2 must be used only for the Salesforce integration or for all the Nightfall integrations.

  4. Select No, only integration level to use the Email ID only for Salesforce, or select Yes, please to use the Email ID for all the Nightfall integrations.

Configuring Webhook as an Alert Channel

  1. Click + Webhook.

  2. Enter the Webhook URL.

  3. Click Test. If the test result is not successful, check the Webhook URL.

  4. (Optional) Click Add Header to add headers.

  5. Click Save.

When you configure alerts to a Webhook, Nightfall AI sends occasional POST requests to the Webhook URL:

  • to validate that the Webhook is properly configured before the policy is saved, and

  • periodically thereafter to ensure that the Webhook is still valid.

Your endpoint must respond to these test requests with a 200 status code for the test to succeed.

An example of a test Webhook request is as follows.

{
  "service": "nightfall",
  "test": true,
  "timestamp": "2024-03-07T23:18:39Z"
}

Such test requests are part of alert event consumption and can be ignored.

Configuring JIRA as an Alert Channel

  1. Click + Jira Ticket.

  2. Select a JIRA project from the Jira Project drop-down menu.

  3. Select an issue type from the Issue Type drop-down menu.

  4. (Optional) Add comments to be added in the JIRA ticket.

  5. Click Save changes.

A confirmation pop-up box is displayed to confirm if the JIRA settings configured for the Salesforce integration must be applied to all the other Nightfall integrations too.

  1. Select No, only integration level to use the configurations only for Salesforce, or select Yes, please to use the selected JIRA configurations for all the Nightfall integrations.

Configure End-User Notification

When a violation occurs, Nightfall sends a notification to the end-user whose actions triggered the violation. While notifying the end-user, Nightfall also sends a text message. You can draft the text message to be sent to the end-user. This message applies to all the policies. Click Save changes once done.

Configuring Policies

The Exfiltration policies for MAC and Windows OS allow you to monitor whether there are any uploads via browser or cloud storage apps. You can configure the domains on the Internet that need to be monitored and also the cloud storage apps that need to be monitored.

When there are any uploads to the configured domains or cloud storage apps, the Nightfall AI agent reports this action. You can configure the notification channels through which you wish to receive notifications when there is an attempt to upload files/folders.

Verify Connection

Once you have completed the installation of the Nightfall agent, you must ensure that the connection is live. If the Nightfall agent on a macOS or Windows OS device does not connect to Nightfall for more than 6 hours, the connection is marked as lost. When the connection is live, a Connected message is displayed. If the connection is lost, a Disconnected message is displayed under the Agent Status column.

Removing Disconnected Devices

When a macOS or Windows OS device is disconnected, you can remove the device from the monitored list (Devices tab). To remove a disconnected device from the monitored list, click the delete icon for the respective device.

Clicking the delete icon displays a warning pop-up window as shown in the following image. Click Remove Device to confirm the removal of the device.

If a removed device reconnects, it is automatically added back to the monitored list. To permanently prevent the monitoring of a device, you must de-provision the device through MDM (uninstall the Nightfall Agent and remove the device from future targeting).

This feature declutters your monitoring list and ensures that only active devices that are being monitored are displayed.

You can leverage this feature efficiently with loaner laptops. When a former employee returns a device, the connection is lost and the status is displayed as disconnected. Security teams can be concerned about the device displaying the Disconnected status for a prolonged period and can initiate an investigation. Instead, you can use this feature and remove the device from the monitored list. When the device is reassigned to another employee, it connects back automatically, and the monitoring resumes.

Similarly, you can use this feature for seasonal and dormant devices; remove them once they are not in use. They will connect back automatically once they are in use again.

Create Domain Collections

Collections help you refine your monitoring to reduce noise from sanctioned upload destinations, as well as to closely monitor exfiltration of files originating from high-value SaaS applications accessed through the browser. You can also define specific domain collections to closely monitor upload activity to specific categories of upload destinations. For instance, to track files uploaded to social media, you can create a domain collection called social media and add domains like Facebook, Instagram, Twitter, and so on. Similarly, you can create a collection for known and sanctioned upload destinations that are safe to upload to, so that you can exclude them from your monitoring policies or monitor the upload of items originating from such domains. While creating a policy, you can directly add the collection to be monitored. All the domains in the collection will be monitored.

You can create a domain collection either by entering all the domains manually or by uploading a comma-delimited list of domains in a text file.

To group domains:

  1. Log in to the Nightfall app.

  2. Navigate to Integrations from the left menu.

  3. Click Manage on the macOS/Windows OS integration.

  4. Click the Domains tab.

  5. Click + New Collection.

You can either add the domains manually or upload a text file containing the list of domains. The first procedure below explains how to add domains manually, and the second explains how to add domains by uploading a file.

To add domains manually:

  1. Click + Add Domain.

  2. Enter a name for the Collection in the Collection Name field (Social Media in the following image).

  3. Enter a domain and press the Enter key (facebook.com in the following image).

Important

When you add a domain, its subdomains are not included automatically. For instance, if you add abcd.com, docs.abcd.com is not included. To include a subdomain, enter the full domain name containing the subdomain. If you have multiple subdomains, you can use the asterisk wildcard (*) and enter the domain as *.abcd.com.

  4. (Optional) Click + Add Domain to add more domains to the collection.

  5. (Optional) Click the delete icon to delete a domain.

  6. Click Save Changes.

To add domains by uploading a file:

  1. Enter a name for the Collection in the Collection Name field.

  2. Click Upload.

  3. Browse to and upload the text file containing the list of domains.

All the domains in the file must be separated by commas, and the file must have a .txt extension.

Once you upload the file, the list of domains present in the file is displayed as follows.

Important

When you add a domain, its subdomains are not included automatically. For instance, if you add abcd.com, docs.abcd.com is not included. To include a subdomain, enter the full domain name containing the subdomain. If you have multiple subdomains, you can use the asterisk wildcard (*) and enter the domain as *.abcd.com.

  4. (Optional) To add more domains to the Collection, you can either click + Add Domain and enter the domain manually, or click Upload txt and upload another text file containing domains.

  5. (Optional) Click the delete icon to remove a domain from the Collection.

  6. Click Save Changes.
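The two rules that matter most when building collections are the subdomain rule in the Important note (abcd.com does not cover docs.abcd.com unless you add *.abcd.com) and the way a policy's Domain in / Domain Not in options in the Browser Uploads trigger turn a collection into a monitoring decision. The following added example (written for this page, not Nightfall's matching code) parses a constructed comma-delimited collection file and applies both rules so you can check, before saving a policy, which upload destinations it would and would not monitor. Where the page does not say how a wildcard entry treats the apex domain itself, the code states its own assumption.

```python
from urllib.parse import urlsplit


def parse_collection_file(text):
    """Parse the comma-delimited contents of a collection .txt upload into a
    list of lower-cased entries; blank items and surrounding whitespace are dropped."""
    return [item.strip().lower() for item in text.split(",") if item.strip()]


def host_of(url):
    """Return the hostname of a URL or bare domain, lower-cased and without a trailing dot."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def entry_matches(entry, host):
    """Match one collection entry against a hostname.

    Follows the page's rule that a plain entry does not cover its subdomains.
    Assumption (the page does not say): a wildcard entry *.example.com covers
    every subdomain of example.com but not example.com itself, so add both
    entries if you want both.
    """
    if entry.startswith("*."):
        return host.endswith("." + entry[2:])
    return host == entry


def in_collection(collection, url):
    """True if the upload destination belongs to the collection."""
    host = host_of(url)
    return any(entry_matches(entry, host) for entry in collection)


def upload_is_monitored(mode, collections, url):
    """Decide whether an upload to url is monitored under the trigger options
    Any Domain ("any"), Domain in ("in") and Domain Not in ("not_in").
    collections is the list of parsed collections selected in the policy."""
    if mode == "any":
        return True
    hit = any(in_collection(c, url) for c in collections)
    if mode == "in":
        return hit
    if mode == "not_in":
        return not hit
    raise ValueError(f"unknown mode: {mode}")


# Constructed sample collection files (not real customer data)
SOCIAL_MEDIA_TXT = "facebook.com, instagram.com, twitter.com, *.abcd.com"
SANCTIONED_TXT = "drive.example-corp.com,*.sharepoint.example-corp.com"


if __name__ == "__main__":
    social = parse_collection_file(SOCIAL_MEDIA_TXT)
    sanctioned = parse_collection_file(SANCTIONED_TXT)
    for url in ("https://facebook.com/upload", "https://www.facebook.com/upload",
                "https://docs.abcd.com/share", "https://abcd.com/share",
                "https://drive.example-corp.com/", "https://paste.example.net/"):
        print(url, "in social:", in_collection(social, url),
              "monitored (not_in sanctioned):", upload_is_monitored("not_in", [sanctioned], url))
```

The www.facebook.com case is the one that surprises people: with only facebook.com in the collection, an upload through the www host is not covered, which is exactly why the page recommends the *.abcd.com form for domains that serve uploads from several hostnames.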

Creating Policy

The detailed steps to configure the MAC OS/Windows OS device exfiltration policy are explained in the following documents.

  • MAC/Windows App Selection

  • Scope

  • Trigger

  • Advanced Settings

  • Creating Policy

  • Remediation for MAC OS Policies

  • Remediation for Windows OS Policies

Nightfall Agent Deployment: Microsoft Intune

Learn how to install the Nightfall Agent for Windows using Intune as a Line-of-Business (LOB) app.

Prerequisites

  • You must have access to Microsoft Intune with the necessary admin privileges.

  • Get the .msi package and command arguments from https://app.nightfall.ai/endpoint

    • Download the .msi installer file for the Nightfall Agent.

    • Note the API Key and Company ID in the command line provided by Nightfall.

Deployment Steps

  1. Log into the Intune Admin Center

    • Navigate to Microsoft Intune Admin Center.

    • Go to: Home > Apps > All Apps > Add

  2. Select App Type

    • Under App type, choose: Line-of-business app

  3. Add App Package

    • In the App package file section, click Select app package file.

    • Upload the NightfallAgent.msi file.

  4. Configure App Information

    • Fill in the Name, Description, and other fields as desired.

    • Click Next.

  5. Specify Install Command Line

    • In the Command-line arguments field, enter:

      API_KEY=your_api_key_here COMPANY_ID=your_company_id_here
      
      ⚠️ Important:
      - Do NOT include msiexec /i NightfallAgent.msi — This is handled automatically.
      - Do NOT wrap the values in double quotes.
      
      ✅ Correct Example: API_KEY=ufapuhaefaw COMPANY_ID=qohuifpqrwf

  6. Assign the App

    • Assign the app to the appropriate device groups or users.

    • Click Next and complete the wizard.

  7. Monitor Deployment

    • Go to Monitor > App Install Status to confirm successful deployment.

  8. Verify Installation on a target/test machine

    1. Once the installation shows as successful in Intune, check if the agent is running:

      1. Open Task Manager (Ctrl + Shift + Esc).

      2. Look for the Nightfall Agent & NightfallUI processes under the Processes tab.

    2. Confirm the Nightfall agent is configured to your Nightfall tenant

      1. On the Windows machine:

        1. Double-click the Nightfall agent icon in the status bar.

        2. The displayed UUID should match your Nightfall tenant UUID located under https://app.nightfall.ai/settings/

      2. On the Nightfall console:

        1. The newly configured device should be listed under https://app.nightfall.ai/endpoint.

Advanced Settings

This stage allows you to select automated notification channels or actions if a policy violation occurs.

Admin Alerting

This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.

The alert configurations in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the Salesforce Exfiltration policies, you must configure alerts at the integration level. To learn more about how to configure integration-level alerts for the Salesforce integration, read Configuring Integration Alerts.

The steps to configure alert channels for policy-level alerts are the same as for integration-level alerts. You can refer to the Configure Alerts at the Integration Level document.

Automated Actions

Automated actions allow you to configure automated remediation actions when an exfiltration attempt is detected by Nightfall policy. Nightfall supports the following automated actions for Salesforce. You can choose to implement the automated action immediately after detecting a download attempt or after some time.

To enable the automated action, you must turn on the respective toggle switch.

Freeze Salesforce User Account

This action logs the user out of the Salesforce account. They cannot log in until a Salesforce admin lifts the freeze on the account.

You must now select how long after the event is detected the action must be triggered. If you select the Immediately option, the automated action is triggered immediately after the download attempt is made.

If you select the After option, you must select the time gap after which the automated action is applied.

Revoke User Permissions

This action revokes the permissions of the user. The user can then only view data across all Salesforce pages; they cannot download any data. This action assigns the user Salesforce's minimum access profile. You can learn more about this profile from this Salesforce document.

You must now select how long after the event is detected the action must be triggered. If you select the Immediately option, the automated action is triggered immediately after the download attempt is made.

If you select the After option, you must select the time gap after which the automated action is applied.

End-User Notification

This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.

Custom Message

Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your own message. The maximum length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link|text>. For example, to hyperlink www.nightfall.ai with the text Nightfall website, you must write <www.nightfall.ai|Nightfall website>.

Automation

The automation settings allow you to send notifications to end users. You can select one or both of the notification methods. You must first turn on the toggle switch to use the automation option. The automation notification channels are as follows.

  • Email: This option sends an Email to the user who attempted the download.

  • Slack: This option sends a Slack message to the user who attempted the download.

End-User Remediation

End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take when a violation is triggered by their download attempt. You must turn on the toggle switch to use this option. End-users receive the remediation actions in an Email as an action item. The available remediation actions for end-users are as follows.

  • Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.

When end-users report alerts as false positives, you can choose the resolution method to be either Automatic or Manual.

If end-users do not take any remediation action, you can set the frequency at which they must receive the notifications to take action.

Configuring Integration Alerts

Nightfall for Google Drive allows you to configure alerts at the policy level and also at the integration level. Alerts for the Google Drive integration can be sent through the following alert channels.

  • Slack

  • Email

  • Webhook

  • Jira Tickets

When you configure alert settings at the integration level, the alert settings apply to all the policies created for the Google Drive integration. However, when you configure alert settings specifically for a policy created in the Google Drive integration, the alert settings apply only to that specific policy.

This document explains how to configure alerts at the integration level. To learn about how to configure alerts at the policy level, read this document.

Prerequisites

  • To use Slack as an alert platform, you must first perform the required Slack configurations. You can refer to this document to learn more about how to configure Slack as an Alert platform.

  • To use Webhook as an alert platform, you must first perform the required Webhook configurations. You can refer to this document to learn more about how to configure Webhook as an Alert platform.

  • To use JIRA as an alert platform, you must have the DLP for the JIRA app installed from the Atlassian Marketplace. You can read more about the DLP for JIRA integration here.

Configure Alerts at the Integration Level

You can configure alerts at the integration level once you have installed the Nightfall for Google Drive integration.

To configure alerts at the integration level:

  1. Navigate to the Google Drive integration

  2. Scroll down to the Alerting section.

  3. You can configure one or multiple alert channels.

Configuring Slack as an Alert Channel

  1. To configure Slack as an alert channel, click + Slack channel.

  2. In the Slack alert channel field, enter the name of the Slack channel in which you wish to receive the alerts.

  3. Click Save.

A confirmation pop-up box is displayed, asking whether the Slack channel entered in step 2 must be used only for the Google Drive integration or for all the Nightfall integrations.

  4. Select No, only integration level to use the Slack channel only for Google Drive, or select Yes, please to use the selected Slack channel for all the Nightfall integrations.

Configuring Email as an Alert Channel

  1. Click + Email.

  2. Enter the Email ID of the recipient who should receive the notifications.

  3. Click Save.

A confirmation pop-up box is displayed, asking whether the Email ID entered in step 2 must be used only for the Google Drive integration or for all the Nightfall integrations.

  4. Select No, only integration level to use the Email ID only for Google Drive, or select Yes, please to use the Email ID for all the Nightfall integrations.

Configuring Webhook as an Alert Channel

  1. Click + Webhook.

  2. Enter the Webhook URL.

  3. Click Test. If the test result is not successful, check the Webhook URL.

  4. (Optional) Click Add Header to add headers.

  5. Click Save.

When you configure alerts to a Webhook, Nightfall AI sends occasional POST requests to the Webhook URL:

  • to validate that the Webhook is properly configured before the policy is saved, and

  • periodically thereafter to ensure that the Webhook is still valid.

Your endpoint must respond to these test requests with a 200 status code for the test to succeed.

An example of a test Webhook request is as follows.

{
  "service": "nightfall",
  "test": true,
  "timestamp": "2024-03-07T23:18:39Z"
}

Such test requests are part of alert event consumption and can be ignored.
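The Webhook channel described here, and identically in the Salesforce alerting section above, expects your receiver to answer the validation ping with a 200 and to not turn it into an alert. The following added example (not Nightfall's code) is a minimal receiver that does exactly that, using the `{"service": "nightfall", "test": true, ...}` shape shown on this page. The shared-secret header is an assumption: the page only says that you can attach custom headers with Add Header, and the header name and value below are placeholders for whatever you configure there; the Nightfall alert-event payload format itself is not documented on this page, so any non-test JSON object is simply queued.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical shared secret: the header name and value you would enter with
# "Add Header" when configuring the Webhook channel. Both are placeholders.
AUTH_HEADER = "x-nightfall-token"
EXPECTED_TOKEN = "replace-with-the-secret-you-configured"


def handle_webhook(raw_body, headers):
    """Classify one incoming POST and return (http_status, disposition).

    headers is a mapping of header names to values; names are matched
    case-insensitively because HTTP header names are.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    presented = lowered.get(AUTH_HEADER, "")
    # Constant-time comparison so a wrong token does not leak how much matched.
    if not hmac.compare_digest(presented.encode(), EXPECTED_TOKEN.encode()):
        return 401, "rejected: missing or wrong token"
    try:
        body = json.loads(raw_body)
    except (ValueError, TypeError):
        return 400, "rejected: body is not valid JSON"
    if not isinstance(body, dict):
        return 400, "rejected: unexpected payload shape"
    if body.get("service") == "nightfall" and body.get("test") is True:
        # Validation ping sent when the channel is saved and periodically
        # afterwards: answer 200 so the Webhook stays valid, but create no alert.
        return 200, "ignored: validation ping"
    return 200, "queued: alert event"


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end around handle_webhook()."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length)
        status, disposition = handle_webhook(raw, dict(self.headers.items()))
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(disposition.encode())


if __name__ == "__main__":
    # Listens on localhost only; place TLS termination in front of it for real use.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Because Nightfall keeps sending the ping periodically, a receiver that forwards every POST unfiltered into a ticketing queue will create a steady trickle of empty alerts; checking `test` before queuing is the whole point of the branch above.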

Configuring JIRA as an Alert Channel

  1. Click + Jira Ticket.

  2. Select a JIRA project from the Jira Project drop-down menu.

  3. Select an issue type from the Issue Type drop-down menu.

  4. (Optional) Add comments to be added in the JIRA ticket.

  5. Click Save changes.

A confirmation pop-up box is displayed to confirm if the JIRA settings configured for the Google Drive integration must be applied to all the other Nightfall integrations too.

  1. Select No, only integration level to use the configurations only for Google Drive, or select Yes, please to use the selected JIRA configurations for all the Nightfall integrations.

Configure End-User Notification

When a violation occurs, Nightfall sends a notification to the end-user whose actions triggered the violation. While notifying the end-user, Nightfall also sends a text message. You can draft the text message to be sent to the end-user. This message applies to all the policies. Click Save changes once done.

{
  "service": "nightfall",
  "test": true,
  "timestamp": "2024-03-07T23:18:39Z"
}

Remediation for macOS Policies

This document explains what admins can do when a macOS policy is violated.

Managing Violations in Nightfall

Nightfall admins can manage violations from within the Nightfall console. The Events page in Nightfall lists all the violations under the Exfiltration tab. End-users can get a detailed view of each exfiltration violation recorded.

To view violations in Nightfall:

  1. Navigate to Exfiltration Prevention from the left menu.

Steps 2-6 help you filter the events to only view the alerts generated by macOS.

  2. Click Filter.

  3. Click + Add Filter.

  4. Select Integration.

  5. Select the macOS check box.

  6. Click Apply.

To view historic events, click the Time filter, select the required time period or enter it manually by selecting the Custom Range option. Once the required time period is selected, click Apply. By default, the filter displays results for the Last 7 days. You can click Last 7 Days and choose the required historic time period.

You can click an event to view the details. The detail view window consists of the following tabs.

Summary Tab

The Summary tab consists of the following details.

  • Assets: The name of the uploaded asset(s) that was exfiltrated.

  • Policy: The name of the policy violated.

  • Device ID: The device ID of the device from which the asset was uploaded.

  • Machine Name: The physical name of the device from which the asset was uploaded.

  • Browser Name: The name of the browser from which the asset was uploaded. This field is applicable only for those events that were triggered by the browser upload action.

  • Domain: The domain URL to which the asset containing sensitive data was uploaded. This field is applicable only for browser uploads. When you hover over a domain that is not added to any Collection, you can choose to add it to an existing Collection or create a new one. If you are already leveraging the domain collection as part of your monitoring policies, the new addition will be automatically picked up. For example, if the domain is added to a collection of sanctioned domains your policy is ignoring, future uploads to this destination will be ignored.

  • App Name: The name of the cloud storage app to which the asset containing sensitive data was uploaded. This field is applicable only for uploads done to cloud storage apps.

  • Account Type: The nature of the cloud storage app to which the asset was uploaded. The account type is generally either a personal account or a business account. This field is applicable only for uploads done to cloud storage apps.

  • Upload Start Time: The start date and start time of the upload.

  • Upload End Time: The end date and end time of the upload.

The Summary tab for a Browser upload action is as follows.

The Summary tab for a Cloud storage app event is as follows.

The Summary tab for a Clipboard Paste action is as follows.

The Summary tab also displays a log of activities that occurred on the event. The first log entry is always the asset creation date. The subsequent entries display the actions applied to the event. You can also add comments on the Summary tab. The comments added by you can be viewed by other users as well.

Assets Tab

This tab displays the details of the asset that was uploaded to a domain or cloud storage app. The asset tab also displays a number in brackets. This number indicates the number of assets that were uploaded as part of the event.

In the following image, there are two assets that were uploaded, and these four uploads together triggered the event. In such cases when there are multiple assets involved, you can use the drop-down menu to switch between assets and view the asset details.

The Assets tab displays the following details for the Browser upload action and the Cloud Storage app action.

  • Name: The name of the asset uploaded.

  • Where: The location of the asset in the device.

  • Medium: The medium used to upload the asset. This can be a browser or cloud storage app.

  • Size: The size of the asset.

If you have configured Content Scanning in the Scope section of the policy and if the asset contains sensitive data, the asset tab also displays a preview of the sensitive data and the detectors violated. Additionally, you can also find a new field called Sensitive Data that displays the name of the detector(s) violated.

Asset History

The Assets tab also contains the Asset History section. This section displays the source or origin from where the asset was downloaded. Additionally, it also displays the destinations to which the asset was uploaded. If the source and destination details are not available, this section does not display any information. Users can use the time filter to view historic data. By default, the asset history is displayed for the last 7 days. You can click the Last 7 Days drop-down menu to view historic asset details.

Asset Tab for Clipboard Paste Action

The assets tab for the copy/paste action displays the following information.

  • Content Origin: The site from which the data was copied. If Nightfall cannot find the origin, this field displays Local Machine (Unknown origin).

  • Content Destination: The location where the copied information was pasted.

  • Time of Copy: The date and time when the data was copied.

  • Time of Paste: The date and time when the data was pasted.

If the copy/pasted content contains sensitive data, the asset tab displays the sensitive data and also the text surrounding the sensitive data. The sensitive data is highlighted so that it can be recognized easily.

The asset history section displays the timeline and the number of times data was copied and pasted.

Device Tab

The device tab displays the details of the device used to upload the asset. You can view the following details on this tab.

  • Device ID: The device ID of the device from which the asset was uploaded.

  • Device Name: The name of the device from which the asset was uploaded.

  • Connection Status: The current status of the device. This can either be Connected or Disconnected. If the device is not in contact with the Nightfall agent for more than 6 hours, the connection status changes to disconnected.

  • OS: The operating system used on the device.

  • MAC Address: The physical MAC address of the device.

  • Last Connection: The date and time when the device was last connected.

  • Agent Version: The Nightfall agent version installed on the device.

  • OS Version: The macOS version used on the device.

Important

If a user uploads the same file to multiple browser destinations (say 3), 3 exfiltration events are generated. However, if you upload multiple files to the same destination, only a single event is generated.

If multiple violations are recorded within a span of five minutes, all the violations are clubbed under a single exfiltration event. The Assets Tab of this event displays the details of each asset.

However, if you upload multiple files to different browser domains or upload multiple files to different cloud storage apps, within a span of five minutes, a separate exfiltration event is generated for each of the uploaded file.
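The event-clubbing rules above, worked through in code as an added example (not Nightfall's implementation): uploads are grouped per destination, and uploads to the same destination within five minutes of an event's first upload become further assets of that event. The record layout, the device ID and the five-minute window measured from the first upload are this example's assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

WINDOW = timedelta(minutes=5)  # the five-minute span named in the Important note


@dataclass(frozen=True)
class Upload:
    """One upload seen by the agent (constructed record; not Nightfall's schema)."""
    device_id: str
    medium: str        # "browser" or "cloud_sync"
    destination: str   # browser domain or cloud storage app name
    asset: str         # file name
    at: datetime


@dataclass
class ExfilEvent:
    device_id: str
    medium: str
    destination: str
    started: datetime
    assets: List[str] = field(default_factory=list)


def group_into_events(uploads: List[Upload]) -> List[ExfilEvent]:
    """Club uploads into events as the note describes: one event per
    (device, medium, destination); uploads to that destination within five
    minutes of the event's first upload are appended as further assets.
    Assumption: the window is measured from the first upload in the event."""
    events: List[ExfilEvent] = []
    for up in sorted(uploads, key=lambda u: u.at):
        key = (up.device_id, up.medium, up.destination)
        for ev in events:
            same_target = (ev.device_id, ev.medium, ev.destination) == key
            if same_target and up.at - ev.started <= WINDOW:
                ev.assets.append(up.asset)
                break
        else:
            # No open event for this destination: the upload starts a new one.
            events.append(ExfilEvent(*key, started=up.at, assets=[up.asset]))
    return events


def summarize(events: List[ExfilEvent]) -> List[Tuple[str, int]]:
    """(destination, number of assets) per event, in order of first upload."""
    return [(ev.destination, len(ev.assets)) for ev in events]


def sample_uploads() -> List[Upload]:
    """Constructed sample: one file sent to three domains, then four files to
    one domain, the last of them well outside the five-minute window."""
    t0 = datetime(2024, 3, 7, 23, 0, 0)

    def m(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    dev = "device-0001"  # placeholder device ID
    return [
        Upload(dev, "browser", "a.example", "report.pdf", m(0)),
        Upload(dev, "browser", "b.example", "report.pdf", m(1)),
        Upload(dev, "browser", "c.example", "report.pdf", m(2)),
        Upload(dev, "browser", "drive.example", "q1.xlsx", m(3)),
        Upload(dev, "browser", "drive.example", "q2.xlsx", m(4)),
        Upload(dev, "browser", "drive.example", "q3.xlsx", m(6)),
        Upload(dev, "browser", "drive.example", "q4.xlsx", m(15)),
    ]


if __name__ == "__main__":
    # Expected: three single-asset events, one three-asset event, one more single-asset event.
    for dest, count in summarize(group_into_events(sample_uploads())):
        print(f"{dest}: {count} asset(s)")
```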

Actions

You can perform the following actions on all three tabs. These actions are present at the bottom.

  • Copy Event Link: This action copies the link of the event to the clipboard.

  • Acknowledge: This action modifies the status of the event to Acknowledged.

  • Notify Slack: This action sends a Slack notification about the event to the recipient configured in the Advanced Settings section.

  • Notify Email: This action sends an email notification about the event to the recipient configured in the Advanced Settings section.

  • Resolve: This action resolves the event and modifies the status to resolved.

  • Ignore: This action ignores the event and modifies the status to ignored.

Configuring Integration Alerts

Nightfall for macOS and Nightfall for Windows OS allow you to configure alerts at the policy level and also at the integration level.

You can navigate to the alerts page by executing the following steps:

  1. Click Integrations in the left pane.

  2. Click Manage for either Endpoint macOS or Endpoint Windows widget.

  3. Click the Alerting tab.

Alerts can be sent in macOS and Windows OS policies by using the following alert channels.

  • Slack

  • Email

  • Webhook

  • Jira Tickets

When you configure alert settings at the integration level, the alert settings apply to all the policies created for the macOS/Windows OS integration. However, when you configure alert settings specifically for a policy created in the macOS/Windows OS integration, the alert settings are applicable only to that policy.

This document explains how to configure alerts at the integration level. To learn about how to configure alerts at the policy level, read this document.

Prerequisites

  • To use Slack as an alert platform, you must first perform the required Slack configurations. You can refer to this document to learn more about how to configure Slack as an Alert platform.

  • To use Webhook as an alert platform, you must first perform the required Webhook configurations. You can refer to this document to learn more about how to configure Webhook as an Alert platform.

  • To use JIRA as an alert platform, you must have the DLP for the JIRA app installed from the Atlassian Marketplace. You can read more about the DLP for JIRA integration here.

Configure Alerts at the Integration Level

You can configure alerts at the integration level once you have installed the Nightfall for macOS or Nightfall for Windows OS integration.

To configure alerts at the integration level:

  1. Navigate to the macOS integration.

  2. Scroll down to the Alerting section.

  3. You can configure one or multiple alert channels.

Configuring Slack as an Alert Channel

  1. To configure Slack as an alert channel, click + Slack channel.

  2. In the Slack alert channel field, enter the name of the Slack channel in which you wish to receive the alerts.

  3. Click Save.

A confirmation pop-up box is displayed to confirm if the Slack channel (entered in the second step) must be used only for macOS integration or all the Nightfall integrations.

  1. Select No, only integration level to use the Slack channel only for macOS, or select Yes, please to use the selected Slack channel for all the Nightfall integrations.

Configuring Email as an Alert Channel

  1. Click + Email.

  2. Enter the Email ID of the recipient who should receive the notifications.

  3. Click Save.

A confirmation pop-up box is displayed to confirm if the Email ID (entered in the second step) must be used only for macOS integration or all the Nightfall integrations.

  1. Select No, only integration level to use the email address only for macOS, or select Yes, please to use the selected email address for all the Nightfall integrations.

Configuring Webhook as an Alert Channel

  1. Click + Webhook.

  2. Enter the Webhook URL.

  3. Click Test. If the test result is not successful, check the Webhook URL.

  4. (Optional) Click Add Header to add headers.

  5. Click Save.

When you configure alerts to a Webhook, Nightfall AI sends occasional posts to the Webhook:

  • Once, to validate that the Webhook is properly configured before the policy is saved.

  • Periodically thereafter, to ensure that the Webhook is still valid.

If the Webhook is configured correctly, it responds to these test posts with a 200 status code.

An example of a Webhook test request is as follows.

{
  "service": "nightfall",
  "test": true,
  "timestamp": "2024-03-07T23:18:39Z"
}

This is part of alert event consumption and can be ignored.
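A receiver for these posts, as an added example that is not Nightfall's code: it answers the test posts shown above with 200 and drops them, and hands real events back to the caller. It assumes that the Add Header option was used to attach a shared-secret header (the name X-Nightfall-Secret and its value are this example's placeholders, not Nightfall values), so that posts from anyone who merely knows the Webhook URL are rejected before they reach your alert pipeline.

```python
import hmac
import json
from typing import Any, Dict, Tuple

# Assumed header configured with "Add Header" on the Webhook alert channel.
# Both the name and the value are placeholders chosen for this example.
SECRET_HEADER = "X-Nightfall-Secret"
EXPECTED_SECRET = "replace-with-a-long-random-value"


def handle_post(headers: Dict[str, str], body: bytes,
                secret: str = EXPECTED_SECRET) -> Tuple[int, Dict[str, Any]]:
    """Return (HTTP status, result) for one POST delivered to the Webhook URL.

    401: shared-secret header missing or wrong (post is not trusted).
    400: body is not a JSON object.
    200 with ignored=True: a Nightfall test post, acknowledged and dropped.
    200 with ignored=False: a real alert, returned for the caller to queue.
    """
    # HTTP header names are case-insensitive; normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    presented = lowered.get(SECRET_HEADER.lower(), "")
    # Constant-time comparison so the check does not leak the secret's prefix.
    if not hmac.compare_digest(presented.encode(), secret.encode()):
        return 401, {"error": "missing or invalid shared secret"}

    try:
        payload = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not JSON"}
    if not isinstance(payload, dict):
        return 400, {"error": "body is not a JSON object"}

    # Test posts carry "service": "nightfall" and "test": true; they are sent
    # before the policy is saved and periodically afterwards. Anything other
    # than a 200 reply makes the channel look broken, so acknowledge and drop.
    if payload.get("service") == "nightfall" and payload.get("test") is True:
        return 200, {"ignored": True, "timestamp": payload.get("timestamp")}

    return 200, {"ignored": False, "event": payload}


if __name__ == "__main__":
    # Constructed request matching the example test post on this page.
    sample_headers = {"X-Nightfall-Secret": EXPECTED_SECRET}
    sample_body = (b'{"service": "nightfall", "test": true, '
                   b'"timestamp": "2024-03-07T23:18:39Z"}')
    print(handle_post(sample_headers, sample_body))   # (200, {'ignored': True, ...})
    print(handle_post({}, sample_body))               # (401, {...})
```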

Configuring JIRA as an Alert Channel

  1. Click + Jira Ticket.

  2. Select a JIRA project from the Jira Project drop-down menu.

  3. Select an issue type from the Issue Type drop-down menu.

  4. (Optional) Add comments to be added in the JIRA ticket.

  5. Click Save changes.

A confirmation pop-up box is displayed to confirm if the JIRA settings configured for the macOS integration must be applied to all the other Nightfall integrations too.

  1. Select No, only integration level to use the configurations only for macOS, or select Yes, please to use the selected JIRA configurations for all the Nightfall integrations.

Configure End-User Notifications

When a Violation occurs, Nightfall sends a notification to the end-user whose actions triggered the violation. While notifying the end-user, Nightfall also sends a text message. You can draft the text message to be sent to the end-user. This message applies to all the policies. Click Save changes once done.

Manual Installation

This document explains the process of installing the Nightfall agent manually.

Prerequisites

  1. Ensure that you have root level access to the target macOS device.

  2. On your Nightfall console, navigate to and click the Download Package button on the top right corner of the page. Click Download Package for macOS and unpack the contents of the downloaded file.

  3. Create a default policy for web browser uploads and cloud storage application sync.

To install the Nightfall agent in stealth mode (to hide UI elements), see .

Installing the Package

  1. Locate the mdm_pre_installation_script.sh in the payload downloaded from Nightfall.

  2. Open a Terminal window.

  3. Run the mdm_pre_installation_script.sh script on your local machine as a root user, by executing the following command.

sudo ./mdm_pre_installation_script.sh

  4. Double click the provided nightfall-ai-agent_<version>.pkg.

  5. Click Continue.

  6. Click Install.

  7. Click Use Password to enter your device password and start the installation process.

Once the installation is completed, you get a completion message as shown in the following image.

  8. Click Close.

At the top right corner of your screen, you can view the Nightfall AI agent icon which looks as follows.

When you click this icon, you can view the details of the agent.

Grant System Permissions

These system permissions are handled automatically through MDM profiles. For a manual install, you must enable these permissions manually.

Grant Full Disk Access

To monitor your macOS device, you must grant the agent access to the hard disk. This section explains the process of granting disk access.

  1. Navigate to System Settings > Privacy & Security > Full Disk Access.

  2. If Nightfall is listed, make sure to toggle the permission to ON.

  3. [Optional] If Nightfall is not listed in the primary list:

    a. Click the + icon at the bottom of the list (you may be prompted to enter your macOS password).

    b. Select NightfallAIAgent (under Applications) and click Open.

    c. Click Quit & Reopen.

On the Full Disk Access page, ensure that the toggle switch is turned on for the NightfallAIAgent. This ensures that full disk access is granted.

Grant Accessibility Permissions

For clipboard monitoring, you must grant the Nightfall agent accessibility permissions. This section explains the process.

  1. Navigate to System Settings > Privacy & Security > Accessibility.

  2. If Nightfall is listed, make sure to toggle the permission to ON.

  3. [Optional] If Nightfall is not listed in the primary list:

    a. Click the + icon at the bottom of the list (you may be prompted to enter your macOS password).

    b. Select NightfallAIAgent (under Applications) and click Open.

    c. On the Accessibility settings page, ensure that the toggle switch is turned on for the NightfallAIAgent. This ensures that the accessibility permission is granted.

Reboot The Agent

To ensure changes are picked up by the agent:

  1. Open Activity Monitor and search for Nightfall. You should see two Nightfall processes running.

    a. If you do not see two Nightfall processes, make sure to expand your view to all processes.

  2. Select both processes and click Quit. The agent restarts instantly.

Grant Browser Permissions

Apart from the disk access and accessibility permissions, you must also grant permission to the Nightfall AI agent to monitor browser uploads. This section explains the process.

To grant access to browser uploads:

  1. Open a browser instance and upload a test file to any destination.

  2. When prompted, grant the Nightfall AI agent permissions.

At this stage, your manual installation is complete. Your machines should start showing up on your Nightfall AI management console under https://app.nightfall.ai/endpoint.

Uninstalling the Nightfall AI Agent

To uninstall the Nightfall AI agent, locate the uninstallation script provided as part of the deployment bundle. You must execute the following script on your macOS device as a root user.

mdm_nightfall_ai_agent_uninstall.sh

Remediation for Salesforce Exfiltration

This document explains what admins and end-users can do once a policy is violated.

Admin Notification and Remediation

When end-users violate a policy, the Nightfall admin is notified about the incident. The notification channel used to notify the Nightfall admin depends on the settings configured in the section. If you have not enabled any notification channels in the Admin alerting section, Nightfall admins are not notified.

If you have enabled the email notification in the Admin alerts section, Nightfall admins receive an email. The email is as shown in the following image.

The Email consists of the following data.

  • Event: The event that caused the violation. For Salesforce, the event is always download of assets.

  • Who: The Email ID of the user who downloaded the file.

  • When: The date and time when the file was downloaded.

  • What: The name of the file that was downloaded.

  • Policies Violated: The name of the policy that was violated.

  • Violation Dashboard: The link to the Events screen to view the violation in detail.

  • Actions: The list of actions that the Nightfall admin can take.

Also, a Slack message is sent if you have enabled the Slack alerts for the Nightfall admin.

End-User Notification and Remediation

End-users receive notifications and remediation actions if the Nightfall admin has enabled these settings. The notifications are based on the settings configured in the section. The end-user remediation actions are based on the settings configured in the section.

If you have configured the Email notification for end-users and enabled the end-user remediation, end-users can take remediation actions from the Email itself. The end-user Email is shown in the following image.

If you have configured Slack notifications for end-user and enabled end-user remediation, end-users also get a message in the respective Slack channel configured.

Manage Violations in Nightfall

To manage violations in the Nightfall console:

  1. Click Events from the left menu.

  2. Click the Exfiltration tab.

The Exfiltration Events page lists all the exfiltration events. To view events specific to the Salesforce integration:

  1. Click Filters and select + Add Filter.

  2. Select Integration in the Select a filter field.

  3. Select the Salesforce check box in the Select an option field.

  4. Click Apply.

Now, only the Salesforce events are displayed.

To view events with specific statuses, click the respective tabs.

To view historic events, click the Time filter and select the required time period.

You can click an event to view the details. The detail view window is as follows.

The detail view window consists of the following tabs.

  • Summary: The Summary tab displays highlights of the event like the name of the downloaded asset, the name of the violated policy, and the email ID of the user who violated the policy.

  • Asset: The asset tab displays the details of the asset. You can view details like name of the downloaded asset, size of the downloaded asset, exfiltration action (download), owner's Salesforce ID and IP address. If there are multiple assets in a single violation, you can choose which asset's details must be displayed.

  • Actor: The actor tab displays the email ID of the Salesforce user who downloaded the asset. You can add notes on this tab; they are displayed in the Admin notes section.

Taking Actions on the Events Page

The events list view displays an ellipsis menu at the far right of each row. Admins can click this menu to take appropriate action on an exfiltration event.

The various available actions are explained as follows.

  • Acknowledge: This action can be taken when you just wish to acknowledge that you have viewed the violation.

  • Notify Email: This action sends an email notification to the end-user who caused the violation.

  • Notify Slack: This action sends a Slack notification to the end-user who caused the violation.

  • Ignore: This action ignores the violation. You can take this action when an event is a false positive.

  • Freeze User: This action freezes the user account and logs them out of Salesforce. Users cannot log in until an admin unfreezes their account.

  • Revoke User Permission: This action revokes the user's download privileges. Users can only view data in Salesforce. This action assigns the Salesforce Minimum Access profile to the user. You can learn more about this profile from this .

  • Unfreeze User: This action becomes available once you freeze a user. You can unfreeze a frozen user with this action.

Once the action is implemented, the status of the event changes accordingly. By default, an event can have one of the following two statuses.

  • Active: The event has been generated but no action has been taken.

  • Input Requested: A notification has been sent to the end-user requesting their response.

You can also take action from the event detail view page. The actions are available at the bottom of the detail view page.


Exfiltration Events

Learn the details available on the Nightfall Exfiltration Events page

The Nightfall Exfiltration page displays various details of the Exfiltration Events. An Exfiltration Event is automatically created in Nightfall when an Exfiltration policy is violated. The Event displays useful information like the integration on which the exfiltration occurred (Google Drive, Salesforce, macOS/Windows Endpoint), the name of the policy violated, the details of the asset responsible for the violation, and so on.

Exfiltration Event List View

You can navigate to the Exfiltration Event page by clicking the Exfiltration Prevention button from the left menu.

Once you land on the Exfiltration Events page, all the Exfiltration Events are listed. This view is called the Event list view. When you click an Event in the Event list view, the details of only the selected Event are displayed. This is called the Event Detail view.

Some of the Event features are common to both Exfiltration and Data Detection and Response. In such cases, we will provide a link to the respective section in Data Detection and Response.

The Event list view contains a table which displays details of the Events. You can click here to learn more about the details displayed in the Event list view.

Filtering Data

You can filter the data on the list view by date or by integrations. To filter the data by integrations, you must execute the following steps.

  1. Navigate to Exfiltration Prevention from the left menu.

Steps 2-6 filter the events so that only the alerts generated by the selected integration(s) are displayed.

  2. Click Filter.

  3. Click + Add Filter.

  4. Select Integration.

  5. Select the check box for the required integration(s).

  6. Click Apply.

You can also use the date filter to view historic Exfiltration events. To learn more about how to use the historic time filter, refer to this section.

Search Events

Nightfall provides a powerful search bar to search specific Exfiltration events. Nightfall provides you various search operators to perform your search. You must use the following syntax to search data.

search operator name:"search term"

For example, to search events that are in active state, you must use the State search operator with the following syntax.

State:"Active"

The various Exfiltration search operators provided by Nightfall are as follows.

General Search Operators

  • actor_Email: Search using the Email ID of the actor whose action triggered the Event.

  • actor_Name: Search using the name of the actor (device name) from which the Event was triggered.

  • event_id: Search the unique Exfiltration event ID.

  • event_type: Search the Exfiltration event type.

  • integration_name: Search the integration name.

  • last_action: Search the last action implemented on an event. Examples of actions are Acknowledge, Ignore, Resolve, and so on.

  • last_actioned_by: Search for the user who last took an action on the event.

  • notes: Search the notes entered in an Event.

  • policy_id: Search the unique policy ID.

  • policy_name: Search the policy name.

  • resource_content_type: Search the resource type of the file that was exfiltrated. Resource type refers to the file format and can be PDF, .doc, .docx, and so on.

  • resource_id: Search the resource ID. This unique identifier is assigned to resources by their integration (Google Drive, Salesforce).

  • resource_name: Search the resource name (file name) that was exfiltrated.

  • resource_owner_email: Search the email of the user who owns the exfiltrated file.

  • resource_owner_name: Search the name of the user who owns the exfiltrated file.

  • state: Search the current status of the Event. This could be Active, Acknowledge, and so on.

  • violation_id: Search the unique violation ID of the event.

  • violation_type: Search the violation type.

Integration Operators

Endpoint (Browser upload)

  • endpoint.browser_upload.browser_name: Search the web browser that was used to upload the file.

  • endpoint.browser_upload.domain: Search the domain name to which the file was uploaded.

  • endpoint.browser_upload.file_name: Search the name of the file.

  • endpoint.browser_upload.origin.browser_name: Search the browser from which the exfiltrated file emerged.

  • endpoint.browser_upload.origin.domain: Search the domain from which the exfiltrated file emerged.

  • endpoint.browser_upload.origin.url: Search the exact URL from which the exfiltrated file emerged.

  • endpoint.browser_upload.url: Search the URL used to upload the exfiltrated file.

Endpoint (Clipboard Copy/Paste)

  • endpoint.clipboard_copy.destination.browser_name: Search the destination browser name into which the copied data was pasted.

  • endpoint.clipboard_copy.destination.domain: Search the destination domain name into which the copied data was pasted.

  • endpoint.clipboard_copy.origin.browser_name: Search the origin browser name from which the data was copied.

  • endpoint.clipboard_copy.origin.domain: Search the origin domain name from which the data was copied.

  • endpoint.clipboard_copy.origin.url: Search the origin URL from which the data was copied.

Endpoint (Cloud Sync)

  • endpoint.cloud_sync.account_name: Search the name of the account to which the file was uploaded.

  • endpoint.cloud_sync.account_type: Search the account type (personal/business) of the account to which the file was uploaded.

  • endpoint.cloud_sync.app: Search the cloud storage app name (Google Drive, OneDrive) to which the file was uploaded.

  • endpoint.cloud_sync.destination_file_path: Search the destination directory in the storage app to which the file was exfiltrated.

  • endpoint.cloud_sync.email: Search the email ID of the account to which the file was uploaded.

  • endpoint.cloud_sync.file_name: Search the name of the file which was uploaded to a cloud storage app.

Endpoint

  • endpoint.device_id: Search the endpoint device ID of the device from which the exfiltration was performed.

  • endpoint.machine_name: Search the endpoint device name from which the exfiltration was performed.

Google Drive

  • gdrive.drive: Search a drive within Google Drive. Returns all the events that were exfiltrated from the searched drive.

  • gdrive.file_owner: Search a Google Drive user. Returns all the events whose assets were owned by the searched user and were exfiltrated.

  • gdrive.label_name: Search a Google Drive label. Returns all the events that contained the searched label and were exfiltrated.

  • gdrive.permission: Search a Google Drive permission (restricted, public). Returns all the events that contain the searched permission and were exfiltrated.

  • gdrive.shared_external_email: Search the shared Gmail external email ID.

  • gdrive.shared_internal_email: Search the shared Gmail internal email ID.

Salesforce

  • salesforce.file.session_level: Search for the Salesforce session level of the file.

  • salesforce.file.source_ip: Search the IP address of the source machine that initiated the exfiltration of the file.

  • salesforce.report.description: Search the description provided in the Salesforce report.

  • salesforce.report.event_source: Search the Salesforce report event source.

  • salesforce.report.operation: Search the Salesforce report operation.

  • salesforce.report.scope: Search the Salesforce report scope.

  • salesforce.report.session_level: Search the Salesforce session level of the report.

  • salesforce.report.source_ip: Search the source IP address of the Salesforce report.

To learn more about how to search special characters, refer to this section. Nightfall allows you to share and download the Event data. The Share button creates a link to the current view with all the filters applied. When you click this link, the Events page opens with all the filters applied.
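A small validator for the operator:"search term" syntax and the operator names listed above, added here as an example and not part of Nightfall's product; it is useful when scripts assemble saved searches or share links. It assumes operator names match case-insensitively (the page writes both State and state) and refuses terms that contain a double quote, since the page defers those to its special-character section.

```python
import re
from typing import List, Tuple

# Operator names copied from the tables above, lower-cased here because the
# page writes both State:"Active" and state (case-insensitive matching is this
# example's assumption, not a documented Nightfall rule).
GENERAL_OPERATORS = {
    "actor_email", "actor_name", "event_id", "event_type", "integration_name",
    "last_action", "last_actioned_by", "notes", "policy_id", "policy_name",
    "resource_content_type", "resource_id", "resource_name",
    "resource_owner_email", "resource_owner_name", "state", "violation_id",
    "violation_type",
}
INTEGRATION_OPERATORS = {
    "endpoint.browser_upload.browser_name", "endpoint.browser_upload.domain",
    "endpoint.browser_upload.file_name", "endpoint.browser_upload.origin.browser_name",
    "endpoint.browser_upload.origin.domain", "endpoint.browser_upload.origin.url",
    "endpoint.browser_upload.url",
    "endpoint.clipboard_copy.destination.browser_name",
    "endpoint.clipboard_copy.destination.domain",
    "endpoint.clipboard_copy.origin.browser_name",
    "endpoint.clipboard_copy.origin.domain", "endpoint.clipboard_copy.origin.url",
    "endpoint.cloud_sync.account_name", "endpoint.cloud_sync.account_type",
    "endpoint.cloud_sync.app", "endpoint.cloud_sync.destination_file_path",
    "endpoint.cloud_sync.email", "endpoint.cloud_sync.file_name",
    "endpoint.device_id", "endpoint.machine_name",
    "gdrive.drive", "gdrive.file_owner", "gdrive.label_name", "gdrive.permission",
    "gdrive.shared_external_email", "gdrive.shared_internal_email",
    "salesforce.file.session_level", "salesforce.file.source_ip",
    "salesforce.report.description", "salesforce.report.event_source",
    "salesforce.report.operation", "salesforce.report.scope",
    "salesforce.report.session_level", "salesforce.report.source_ip",
}
KNOWN_OPERATORS = GENERAL_OPERATORS | INTEGRATION_OPERATORS

# One term in the documented shape: operator:"search term" (no quote inside).
TOKEN = re.compile(r'\s*([A-Za-z_][A-Za-z0-9_.]*):"([^"]*)"')


def parse_query(query: str) -> List[Tuple[str, str]]:
    """Split a search string into (operator, term) pairs, rejecting unknown
    operators and anything that is not in operator:"term" form."""
    pairs: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(query):
        if query[pos:].strip() == "":
            break  # only trailing whitespace left
        match = TOKEN.match(query, pos)
        if match is None:
            raise ValueError(f"malformed query near {query[pos:pos + 20]!r}")
        operator = match.group(1).lower()
        if operator not in KNOWN_OPERATORS:
            raise ValueError(f"unknown search operator: {match.group(1)}")
        pairs.append((operator, match.group(2)))
        pos = match.end()
    return pairs


def is_valid_query(query: str) -> bool:
    """True when parse_query accepts the string."""
    try:
        parse_query(query)
    except ValueError:
        return False
    return True


def build_query(pairs: List[Tuple[str, str]]) -> str:
    """Assemble a query string from (operator, term) pairs, validating each
    operator and refusing terms that would break the quoted-term syntax."""
    parts = []
    for operator, term in pairs:
        if operator.lower() not in KNOWN_OPERATORS:
            raise ValueError(f"unknown search operator: {operator}")
        if '"' in term:
            raise ValueError(f"term for {operator} contains a double quote")
        parts.append(f'{operator.lower()}:"{term}"')
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed query: active events whose file came from an internal URL.
    q = 'State:"Active" endpoint.browser_upload.origin.url:"https://intranet.example/q?id=1"'
    print(parse_query(q))
```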

Scope

When there is a high volume of exfiltration (basically download) in your organization, the scoping capability enables you to reduce the noise from low risk events so that you can zero in on genuine exfiltration events and resolve them.

Exfiltration (Download monitoring) can be scoped to:

  • Location: All or a specific set of drives

    • This allows you to create flexible policies to monitor all or specific high-risk locations. This is a required scope for all policies.

  • User or User Group (Actor): Any or a specific set of users or user groups

    • This allows you to create custom policies for specific high-risk individuals or user groups. For example, you can create policies to monitor download activity by a disgruntled employee or departing employees. This can be set in combination with other scoping capabilities.

  • Permissions: Public, Organization or Restricted

    • This allows you to tailor your policies to drives or files with specific access restrictions. This can be set in combination with other scoping capabilities.

  • Detection rules: Any or a specific set of sensitive data protection detection rules

    • You can reuse any of the detection rules you have already created, or create new ones. This helps focus your detection on files which have associated sensitive data violations identified by your sensitive data scanning product. This can be set in combination with other scoping capabilities.

The Scope stage consists of two main sections.

  • Drive Selection: This section allows you to include various files and drives for monitoring. In this section, you can select the different types of drives to be monitored.

  • Add Filters: This section allows you to scrutinize your policy scope at more granular levels. While the Drive selection section allows you to select the whole drive to be monitored, this section provides you more granular level filters. You can select specific files within the selected drives for monitoring.

Configuring the Drive Selection Section

The Drive Selection section allows you to select various drives for monitoring. You can select either User Drives or Shared Drives to be monitored by Nightfall for exfiltration.

Select Drives

This section allows you to select the drives in your Google Drive to be monitored. There are two options in this section: you can choose to monitor User drives, Shared drives, or both.

  • User Drives: A User Drive is the personal drive of a user. The files in this drive are visible only to the owner of the file and to other users to whom the owner has granted access. A User Drive is commonly known as My Drive in Google Drive. To monitor User Drives, you must select the User drives check box as shown in the following image.

IMPORTANT

If you choose to monitor the User drives, all the User drives in your Google domain are selected for monitoring. You do not have the option to choose specific User drives for monitoring.

  • Shared Drives: Shared drives are common storage locations accessed by all the users in your Workspace. To select this option, you must select the Shared drives check box.

IMPORTANT

If you choose to monitor the Shared Drives, you can select whether to monitor all the Shared drives or only specific shared drives. Nightfall provides the following options.

  • If you select the All Drives option, all the Shared drives in your Google Workspace are selected for monitoring.

  • If you select the All Drives, except for option, you can exclude some shared drives from being monitored.

  • If you select the Specific Shared Drives option, you get the option to choose specific Shared drives for monitoring.

The following image displays the scenarios when you select the Shared Drives check box.

If you select the All Drives, except for option, you must also select the shared drives which must be excluded from monitoring.

Similarly, if you select the Specific Drive(s) option, you must also select the specific shared drives which must be monitored.

Configuring Add Filter Section

The filters section provides you the flexibility to include and exclude users, groups, and files at a granular level.

For instance, in the previous section, irrespective of whether you selected Shared Drives, User Drives, or specific Shared Drives, you ended up selecting one or a set of Drives for monitoring.

Once you select the Drives to monitor, in this section, you can overlay additional filters to further scope your monitoring. Nightfall provides the following additional filters:

  • Internal Users

  • External Users

  • Internal Groups

  • External Groups

  • Permission

  • Detection Rules

  • Labels

Internal Users

  • Specific User(s): Choose this option to monitor one or a specific set of internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.

  • All Users, except for: Choose this option to exclude specific individuals from your monitoring policy. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.

If you have not configured the Directory Sync feature, the users list is populated from the Google Drive integration setup. As a result, you can see the Google Drive icon before the user name. However, if you have set up Directory sync, the users list is fetched from the IdP used for the configuration. In the above image, the users list is populated from the Microsoft Azure IdP and hence you can see the Azure icon before the users’ names.

Important

For exclusions, Nightfall only checks the file ownership. For inclusions, Nightfall checks both file ownership and shared access. This rule is applicable to all the filters.

External Users

  • Specific User(s): Choose this option to monitor one or a specific set of external users. Once you choose this option, you must manually enter the email ID(s) of the external users and hit the enter key.

  • All Users, except for: Choose this option to exclude specific external users from being monitored. Once you choose this option, you must manually enter the email ID(s) of the external users and hit the enter key.

Internal Groups

  • Specific Group(s): Choose this option to monitor one specific or a set of internal groups. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in Directory Sync. You must select at least one group.

  • All Groups, except for: Choose this option to exclude one specific, or a set of, internal groups from being monitored. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in Directory Sync. You must select the required groups.

External Groups

  • Specific Group(s): Choose this option if you have external user groups defined in your IdP and would like to monitor one specific or a set of external groups. Once you choose this option, you must select at least one external user group to monitor then hit the enter key.

  • All Groups, except for: Choose this option if you have external user groups defined in your IdP and would like to exclude one or more external groups from being monitored. Once you choose this option, you must select at least one external user group to exclude, then hit the enter key.

Permission

Before understanding the Permission filters, we must understand Google's General Access feature.

General Access

The general access feature in Google Workspace consists of three types of access, which are as follows.

  • Restricted: Files with this permission can only be accessed by users who have been granted access.

  • Target Audience: Files with this permission can be accessed by the users of the selected target audience group. There is a default target audience that gets created when the Google workspace is provisioned. This target audience has the same name as provisioned in the Google Workspace and includes all members of the organization. You can refer to this Google document to learn more about the target audiences.

  • Anyone with the Link: Files with this permission can be accessed by any user who has the file link.

Nightfall also provides inclusion and exclusion of files in policy scope that resembles the General Access sharing principle in Google Workspace. The Nightfall General Access permission options are as follows.

  • Restricted: Choose this option to scope monitoring to files with restricted access.

  • Shared with target audiences: Choose this option to scope monitoring to files shared with target audiences within your Google Workspace environment.

  • Anyone with the link: Choose this option to scope monitoring to files shared with anyone with a link.

Detection Rules

A Nightfall Detection Rule consists of one or more detectors. You can use this filter to either include all the detection rules or include only specific detection rules. Note that upon a download event, Nightfall checks whether the downloaded file has been previously scanned and whether the results matched at least one of the selected detection rules (i.e. the file is not rescanned upon download).

  • All: If you select this option, all the detection rules are included.

  • Specific Detection Rule(s): If you select this option, you must also select the required detection rules. Nightfall scans your files only for the selected detection rules.

Labels

A Label is metadata that you can create to help users organize, find, and apply policy to files in Google Drive. To learn more about Google Drive Labels, refer to this Google document.

Before utilizing filters for Labels, you must enable Google Drive Labels as per instructions and create labels in your Google Drive.

You can choose one of the following options.

  • Specific Label(s): You must choose this option to monitor only those files that contain the selected Labels. Once you choose this option, you must select the Labels. Nightfall only monitors those files that have the selected labels.

  • All Labels, except for: You must choose this option to exclude the monitoring of files that contain the selected Labels. Once you choose this option, you must select the Labels. Nightfall does not monitor the files that contain the selected labels.

Nightfall Windows Agent: MSI Deployment

This guide explains multiple ways to deploy the Nightfall Agent (NightfallAgent.msi) with the required API_KEY and COMPANY_ID parameters.

We cover:

  • PowerShell scripts (local, network share, download from URL)

  • Deployment through Group Policy (GPO)

  • One-liner local Install for verification

  • Uninstall with or without the .msi present.

Assumptions

  • You have the MSI installer (NightfallAgent.msi) provided by Nightfall.

  • Installation requires two properties:

    • API_KEY="YOUR-API-KEY"

    • COMPANY_ID="YOUR_SECRET_VALUE"

  • Installation is silent (/qn /norestart) and requires administrator rights.

  • Logging is enabled with /l*v for troubleshooting.

PowerShell: Local MSI (already copied to the machine)

Use this if you or your RMM tool place the .msi directly on the machine before running the script.

# Install-NightfallAgent-Local.ps1

$msiPath   = "C:\Temp\NightfallAgent.msi"
$apiKey    = "REPLACE_WITH_API_KEY"
$companyId = "REPLACE_WITH_COMPANY_ID"

$logDir = "C:\Windows\Temp\Nightfall"
$logFile = Join-Path $logDir "NightfallAgent_Install.log"

New-Item -ItemType Directory -Path $logDir -Force | Out-Null

if (Test-Path $msiPath) {
    Write-Output "MSI found at $msiPath. Starting install..."
    # $args is a PowerShell automatic variable; use a distinct name for the msiexec argument string
    $msiArgs = "/i `"$msiPath`" API_KEY=`"$apiKey`" COMPANY_ID=`"$companyId`" /qn /norestart /l*v `"$logFile`""
    $proc = Start-Process "msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -eq 0) {
        Write-Output "Nightfall agent installed successfully."
    } else {
        Write-Output "Installer returned exit code $($proc.ExitCode). Check log: $logFile"
        exit $proc.ExitCode
    }
} else {
    Write-Output "MSI not found at $msiPath. Skipping install."
    exit 2
}

PowerShell: Install from a Network Share

Use this if you keep the MSI on a file server. Make sure Domain Computers or the target machines have read access to the share.

⚠️ Use UNC paths (\\server\share\...) — mapped drives won’t work for GPO Startup scripts.

# Install-NightfallAgent-FromShare.ps1

$sourceMsi = "\\fileserver\software\Nightfall\NightfallAgent.msi"
$localMsi  = "C:\Temp\NightfallAgent.msi"
$apiKey    = "YOUR_API_KEY_HERE"
$companyId = "YOUR_SECRET_VALUE"

$logDir = "C:\Windows\Temp\Nightfall"
$logFile = Join-Path $logDir "NightfallAgent_Install.log"

New-Item -ItemType Directory -Path $logDir -Force | Out-Null
New-Item -ItemType Directory -Path (Split-Path $localMsi) -Force | Out-Null

Write-Output "Copying MSI from $sourceMsi to $localMsi..."
Copy-Item -Path $sourceMsi -Destination $localMsi -Force -ErrorAction Stop

if (Test-Path $localMsi) {
    Write-Output "Copy complete. Starting install..."
    # $args is a PowerShell automatic variable; use a distinct name for the msiexec argument string
    $msiArgs = "/i `"$localMsi`" API_KEY=`"$apiKey`" COMPANY_ID=`"$companyId`" /qn /norestart /l*v `"$logFile`""
    $proc = Start-Process "msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -eq 0) {
        Write-Output "Nightfall agent installed successfully."
    } else {
        Write-Output "Installer returned exit code $($proc.ExitCode). Check log: $logFile"
        exit $proc.ExitCode
    }
} else {
    Write-Output "MSI copy failed. Check share permissions and path."
    exit 3
}

PowerShell: Download MSI from a URL

Use this if you host the MSI on an internal HTTPS server or CDN.

# Install-NightfallAgent-FromUrl.ps1
# Purpose: Download the Nightfall MSI from a URL, validate it looks like a real MSI, then install silently.
# Notes:
#   - Run elevated (admin). Works as a GPO Startup script.

# --- EDIT THESE VALUES ---
$downloadUrl = "https://example.com/NightfallAgent.msi"  # <-- Replace with your direct MSI URL
$localMsi    = "C:\Temp\NightfallAgent.msi"
$apiKey      = "<API_KEY>"        # <-- Replace
$companyId   = "<COMPANY_ID>"     # <-- Replace
# --------------------------

$ErrorActionPreference = "Stop"

# Paths for logging
$logDir  = "C:\Windows\Temp\Nightfall"
$logFile = Join-Path $logDir "NightfallAgent_Install.log"

# Ensure folders exist
New-Item -ItemType Directory -Path (Split-Path $localMsi) -Force | Out-Null
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Helper: quick MSI signature + size sanity check
function Test-IsMsi {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $len = (Get-Item $Path).Length
    if ($len -lt 1MB) { return $false } # tiny files are likely HTML/error pages

    # MSI is a CFBF (OLE) container: header D0 CF 11 E0 A1 B1 1A E1
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 8
        [void]$fs.Read($buf, 0, 8)
        $hex = ($buf | ForEach-Object { $_.ToString("X2") }) -join " "
        return ($hex -eq "D0 CF 11 E0 A1 B1 1A E1")
    } finally {
        $fs.Close()
    }
}

Write-Output "Downloading MSI from $downloadUrl ..."
try {
    # Use HttpClient for robust redirects + streaming
    Add-Type -AssemblyName System.Net.Http
    $handler = New-Object System.Net.Http.HttpClientHandler
    $handler.AllowAutoRedirect = $true
    # Brotli is not a member of DecompressionMethods in the .NET Framework that Windows PowerShell 5.1
    # (powershell.exe, as used by GPO Startup scripts) runs on, so only GZip and Deflate are requested
    $handler.AutomaticDecompression = [System.Net.DecompressionMethods]::GZip -bor `
                                      [System.Net.DecompressionMethods]::Deflate
    $client = New-Object System.Net.Http.HttpClient($handler)
    $client.Timeout = [TimeSpan]::FromMinutes(10)
    $client.DefaultRequestHeaders.UserAgent.ParseAdd("Nightfall-Agent-Installer/1.0")

    $response = $client.GetAsync($downloadUrl, [System.Net.Http.HttpCompletionOption]::ResponseHeadersRead).GetAwaiter().GetResult()
    if (-not $response.IsSuccessStatusCode) {
        throw "HTTP $([int]$response.StatusCode) $($response.ReasonPhrase)"
    }

    $stream = $response.Content.ReadAsStreamAsync().GetAwaiter().GetResult()
    $tmp = "$localMsi.download"
    $fs = [System.IO.File]::Open($tmp, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None)
    try {
        $buffer = New-Object byte[] (1024*256) # 256 KB chunks
        while (($read = $stream.Read($buffer, 0, $buffer.Length)) -gt 0) {
            $fs.Write($buffer, 0, $read)
        }
    } finally {
        $fs.Dispose()
        $stream.Dispose()
        $client.Dispose()
        $handler.Dispose()
    }

    if (Test-Path $localMsi) { Remove-Item $localMsi -Force }
    Move-Item $tmp $localMsi -Force

} catch {
    Write-Error "Download failed: $($_.Exception.Message)"
    exit 100
}

# Validate the download looks like a real MSI
if (-not (Test-IsMsi -Path $localMsi)) {
    $size = (Get-Item $localMsi).Length
    Write-Error "Downloaded file does not look like a valid MSI (size=$size bytes). The URL may be a landing page or error."
    exit 101
}

# Remove MOTW just in case
try { Unblock-File -Path $localMsi -ErrorAction SilentlyContinue } catch {}

# Install silently with logging
Write-Output "MSI validated. Installing Nightfall Agent..."
# $args is a PowerShell automatic variable; use a distinct name for the msiexec argument string
$msiArgs = "/i `"$localMsi`" API_KEY=`"$apiKey`" COMPANY_ID=`"$companyId`" /qn /norestart /l*v `"$logFile`""
$proc = Start-Process "msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow

switch ($proc.ExitCode) {
    0     { Write-Output "Nightfall Agent installed successfully."; exit 0 }
    1603  { Write-Error "Fatal error during installation (1603). See log: $logFile"; exit 1603 }
    1618  { Write-Error "Another installation is already in progress (1618)."; exit 1618 }
    1620  { Write-Error "Package could not be opened (1620). File may be invalid. See log: $logFile"; exit 1620 }
    default { Write-Error "Installer returned exit code $($proc.ExitCode). See log: $logFile"; exit $proc.ExitCode }
}
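The Test-IsMsi check above only confirms that the download is a CFBF container; it says nothing about who built it. The following function is an added example, not part of Nightfall's scripts, that verifies the Authenticode signature and signer and optionally pins the SHA-256 of the copy Nightfall supplied to you; $ExpectedPublisher and $expectedHash are placeholders you fill in from that known-good MSI.

```powershell
# Test-TrustedMsi.ps1 (added example; not part of the Nightfall installer scripts)
# Run after Test-IsMsi and before msiexec. $ExpectedPublisher and $expectedHash are
# placeholders: take both from the MSI that Nightfall supplied, not from the download itself.

function Test-TrustedMsi {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedPublisher = 'PUBLISHER-CN-PLACEHOLDER',  # substring of the signer's Subject
        [string]$ExpectedSha256    = ''                           # optional pin, hex SHA-256
    )
    if (-not (Test-Path $Path)) { Write-Warning "Not found: $Path"; return $false }

    # 1. Authenticode: the signature must be intact and chain to a root this machine trusts
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for $Path is '$($sig.Status)'"
        return $false
    }

    # 2. Signer identity: a valid signature from the wrong publisher is still not the file you want
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedPublisher*") {
        Write-Warning "Unexpected signer: $subject"
        return $false
    }

    # 3. Optional hash pin: catches a different build being served, even a validly signed one
    #    (-ne on strings is case-insensitive in PowerShell, so hex case does not matter)
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            Write-Warning "SHA-256 mismatch: expected $ExpectedSha256, got $actual"
            return $false
        }
    }
    return $true
}

# Usage, with the same $localMsi path the download script uses
$localMsi     = "C:\Temp\NightfallAgent.msi"
$expectedHash = ""   # placeholder: SHA-256 of the known-good MSI, or leave empty to skip pinning
if (-not (Test-TrustedMsi -Path $localMsi -ExpectedSha256 $expectedHash)) {
    Write-Error "Downloaded MSI failed trust checks; not installing."
    exit 102
}
```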

GPO Deployment via Startup Script

Recommended for domain-joined Windows machines. Use a Startup Script because the built-in “Software Installation” GPO cannot pass custom properties like API_KEY.

Steps:

  1. Place the script (e.g., Install-NightfallAgent-FromShare.ps1) in

    \\<domain>\SYSVOL\<domain>\scripts\Nightfall\

  2. Ensure Domain Computers have read access. (SYSVOL is readable by Authenticated Users by default, so the API_KEY embedded in the script is readable by every domain user; restrict the ACL on the script folder if that is not acceptable.)

  3. In Group Policy Management:

    • Go to Computer Configuration → Policies → Windows Settings → Scripts (Startup/Shutdown).

    • Add a Startup Script.

      • Script name: powershell.exe

      • Script parameters: -ExecutionPolicy Bypass -File "\\<domain>\SYSVOL\<domain>\scripts\Nightfall\Install-NightfallAgent-FromShare.ps1"

  4. Apply the GPO to the desired OU.

  5. Run gpupdate /force or reboot a target machine.

GPO Software Installation with MST (Advanced)

If you have an MST transform that embeds API_KEY and COMPANY_ID, you can deploy the MSI via:

Computer Configuration → Policies → Software Settings → Software installation.

  • Add the MSI via UNC path.

  • Open its Properties → Modifications → Add your .mst.

Without an MST, use GPO via Startup Script instead.

One-liner for Testing

Run manually on a single machine (PowerShell elevated):

New-Item -ItemType Directory -Path "C:\Windows\Temp\Nightfall" -Force | Out-Null; $msiPath="C:\Temp\NightfallAgent.msi"; Start-Process msiexec.exe -ArgumentList "/i `"$msiPath`" API_KEY=`"YOUR_API_KEY_HERE`" COMPANY_ID=`"YOUR_SECRET_VALUE`" /qn /norestart /l*v `"C:\Windows\Temp\Nightfall\NightfallAgent_Install.log`"" -Wait

Verification After Install

  • Check for expected services:

    Get-Service Nightfall*

  • Confirm presence of the Nightfall AI icon in the system tray (this may take a few seconds).

    • Double click the icon

    • You should see a connected status as seen in the image above.
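A scripted form of the checks above, added here as an example rather than Nightfall's own tooling, for use as an RMM compliance check: it confirms the Nightfall* services are running, reads the Windows Installer registration for the "NightfallAI Agent" product name, and looks for the final status line msiexec writes to the verbose log. The service pattern, product name and log path come from this page; DisplayName and DisplayVersion are standard uninstall-key values.

```powershell
# Test-NightfallAgentInstall.ps1 (added example; not part of the Nightfall scripts)
function Test-NightfallAgentInstall {
    param(
        [string]$ServicePattern = 'Nightfall*',
        [string]$ProductName    = 'NightfallAI Agent',
        [string]$LogFile        = 'C:\Windows\Temp\Nightfall\NightfallAgent_Install.log'
    )
    $result = [ordered]@{
        ServicesRunning   = $false
        ProductRegistered = $false
        LogReportsSuccess = $false
        Version           = $null
    }

    # 1. Services: every service matching the pattern must exist and be Running
    $svcs = Get-Service -Name $ServicePattern -ErrorAction SilentlyContinue
    if ($svcs) {
        $result.ServicesRunning = -not ($svcs | Where-Object Status -ne 'Running')
    }

    # 2. Windows Installer registration, read from the uninstall keys (fast, no Win32_Product side effects)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like "*$ProductName*" } |
             Select-Object -First 1
    if ($entry) {
        $result.ProductRegistered = $true
        $result.Version = $entry.DisplayVersion
    }

    # 3. msiexec verbose log: the engine writes this line with the final status code (0 = success)
    if (Test-Path $LogFile) {
        $result.LogReportsSuccess = [bool](Select-String -Path $LogFile `
            -Pattern 'Installation success or error status: 0\.' -Quiet)
    }

    # Healthy means the agent is both registered and running; the log is advisory only
    $result.Healthy = $result.ServicesRunning -and $result.ProductRegistered
    [pscustomobject]$result
}

$status = Test-NightfallAgentInstall
$status | Format-List
if ($status.Healthy) { exit 0 } else { exit 1 }
```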

Uninstalling The Nightfall AI Agent

$ProductName = "NightfallAI Agent"

# Function to retrieve installed products matching product name.
# Reads the Windows Installer uninstall keys instead of Win32_Product, which is slow and
# triggers a consistency check (and possible repair) of every installed MSI when queried.
function Get-MatchingProducts($name) {
    Write-Host "Searching for products matching: '$name'..."
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$name*" -and $_.PSChildName -match '^\{[0-9A-Fa-f-]+\}$' } |
        ForEach-Object {
            # Same fields as Win32_Product exposes: Name and IdentifyingNumber (the MSI ProductCode GUID)
            [pscustomobject]@{ Name = $_.DisplayName; IdentifyingNumber = $_.PSChildName }
        }
}

# Function to uninstall a product by ProductCode
function Uninstall-Product($product) {
    $name = $product.Name
    $productCode = $product.IdentifyingNumber

    if ($productCode) {
        Write-Host "Uninstalling '$name' (ProductCode: $productCode)..." -ForegroundColor Green
        $proc = Start-Process "msiexec.exe" -ArgumentList "/x $productCode /qn" -Wait -PassThru -NoNewWindow
        if ($proc.ExitCode -eq 0) {
            Write-Host "Uninstalled: $name" -ForegroundColor Green
        } else {
            Write-Warning "msiexec returned exit code $($proc.ExitCode) while removing '$name'."
        }
    } else {
        Write-Warning "Skipping ${name}: missing ProductCode."
    }
}

# Try finding the initial product
$products = Get-MatchingProducts -name $ProductName

# If not found, try old NightfallAI Agent name 'Agent'
if (-not $products -or $products.Count -eq 0) {
    Write-Warning "No installed products found matching: '$ProductName'"
    Write-Host "Trying to search for old NightfallAgent name : 'Agent'" -ForegroundColor Yellow
    $products = Get-MatchingProducts -name "Agent"
}

# Final check before uninstall
if (-not $products -or $products.Count -eq 0) {
    Write-Host "No matching products found for either '${ProductName}' or 'Agent'."
    exit 1
}

foreach ($product in $products) {
    Uninstall-Product -product $product
}