Managing Violations in Nightfall
Nightfall admins can manage violations from within the Nightfall console. The Events page in Nightfall lists all the violations under the Exfiltration tab. End-users can get a detailed view of each exfiltration violation recorded.
To view violations in Nightfall
1. Navigate to Exfiltration Prevention from the left menu.
Steps 2-6 help you filter the events to only view the alerts generated by Windows OS.
2. Click Filter.
3. Click + Add Filter.
4. Select Integration.
5. Select the Windows check box.
6. Click Apply.
7. To view historic events, click the Time filter, select the required time period or enter it manually by selecting the Custom Range option. Once the required time period is selected, click Apply. By default, the filter displays results for the Last 7 days. You can click Last 7 Days and choose the required historic time period.
You can click an event to view the details. The detail view window consists of the following tabs.
The Summary tab consists of the following details.
Assets: The name of the uploaded asset(s) that was exfiltrated.
Policy: The name of the policy violated.
Device ID: The device ID of the device from which the file upload was performed.
Machine Name: The physical name of the device from which the file upload was performed.
Browser Name: The name of the browser from which the asset was uploaded.
Domain: The domain URL to which the asset containing sensitive data was uploaded. This field is applicable only for browser uploads. When you hover over a domain that is not added to any Collection, the list of Collections is displayed. You can choose to add the domain to an existing Collection or create a new collection and add the domain to the newly created collection. If you are already leveraging the domain collection as part of your monitoring policies, the new addition will be automatically picked up. For example, if the domain is added to a collection of sanctioned domains your policy is ignoring, future uploads to this destination will be ignored.
Upload Start Time: The start date and start time of the upload.
Upload End Time: The end date and end time of the upload.
The Summary tab also displays a log of activities that occurred on the Event. The first log entry is always the asset creation date. The subsequent log entries display the actions applied to the event. You can also add comments on the Summary tab. Comments added by you can be viewed by other users as well.
The Assets tab displays the details of the asset (with sensitive data) that was uploaded to a domain or cloud storage app. The tab label also shows a number in brackets, which indicates the number of assets that were uploaded as part of the event.
In the following image, two assets were uploaded, and these four uploads together triggered the event. In such cases, when multiple assets are involved, you can use the drop-down menu to switch between assets and view the details of each asset.
The Assets tab displays the following details.
Name: The name of the asset uploaded.
Where: The location of the asset in the device.
Medium: The medium used to upload the asset.
User: The username of the device owner.
Size: The size of the downloaded asset.
The Assets tab also contains the Asset History section. This section displays the source or origin from where the asset was downloaded. Additionally, it also displays the destinations to which the asset was uploaded. If the source and destination details are not available, this section does not display any information. Users can use the time filter to view historic data.
The device tab displays the details of the device used to upload the asset. You can view the following details on this tab.
Device ID: The device ID of the device from which the asset was uploaded.
Device Name: The name of the device from which the asset was uploaded.
Connection Status: The current status of the device. This can either be Connected or Disconnected. If the device is not in contact with the Nightfall agent for more than 6 hours, the connection status changes to disconnected.
OS: The operating system used on the device. This field always displays Windows OS.
MAC Address: The physical MAC address of the device.
Last Connection: The date and time when the device was last connected.
Agent Version: The Nightfall agent version installed on the device.
OS Version: The Windows OS version used on the device.