The Exfiltration policies for macOS let you monitor uploads made through a browser or through cloud storage apps. You can configure the Internet domains that need to be monitored as well as the cloud storage apps that need to be monitored.
When a file is uploaded to a configured domain or cloud storage app, the Nightfall AI agent notifies you of this action. You can configure the notification channels through which you wish to receive notifications when there is an attempt to upload files or folders.
Once you have completed the installation of the Nightfall agent, you must ensure that the connection is live. If the Nightfall agent cannot connect to the macOS device for more than 6 hours, the connection is closed. When the connection is live, a Connected message is displayed. If the connection is lost, a Disconnected message is displayed.
Collections help you refine your monitoring to reduce noise from sanctioned upload destinations and to closely monitor exfiltration of files originating from high-value SaaS applications accessed through the browser. You can also define domain collections to closely monitor upload activity to specific categories of upload destinations. For instance, to track files uploaded to social media, you can create a domain collection called Social media and add domains such as Facebook, Instagram, and Twitter. Similarly, you can create a collection of known, sanctioned upload destinations that are safe to upload to, so that your monitoring policies can ignore them or monitor uploads of items that originated from such domains. While creating a policy, you can directly add the collection to be monitored; all the domains in the collection are then monitored.
You can create a domain collection either by entering all the domain URLs manually or by uploading a comma-delimited list of domains in a text file.
To group domains:
Log in to the Nightfall app.
Navigate to Integrations from the left menu.
Click Manage on the macOS integration.
Click the Domains tab.
Click + New Collection.
You can either add the domains manually or upload a text file containing the list of domains. The following section has two tabs. The first explains the process of manually adding domains and the second tab explains adding domains by uploading a file.
Click + Add Domain.
Enter a name for the Collection in the Collection Name field (Social media in the following image).
Enter a domain and hit the enter key (facebook.com in the following image).
(Optional) Click + Add Domain to add multiple domains to the collection.
(Optional) Click the delete icon to delete a domain.
Click Save Changes.
Enter a name for the Collection in the Collection Name field.
Click Upload.
Browse and upload the text file containing the list of domains.
All the domains must be separated by commas. The file must have a .txt extension.
Once you upload the file, the list of domains present in the file is displayed as follows.
(Optional) To add more Domains to the Collection, you can either click + Add Domain and enter the domain manually, or click Upload txt and upload another text file containing domains.
(Optional) Click the delete icon to remove a domain from the Collection.
Click Save Changes.
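The upload path above expects a plain .txt file of comma-separated domains. The following helper, written for this article and not part of Nightfall's tooling, turns a messy list of destination URLs into that file: it strips schemes, ports and paths, lowercases and validates each hostname, drops duplicates, and enforces the .txt extension. The sample URLs are constructed.

```python
"""Build a comma-delimited .txt domain collection file from raw URLs.
Example code for this article; the sample input below is constructed."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(entry: str) -> Optional[str]:
    """Reduce a URL or bare host to a lowercase domain, or None if invalid.

    Scheme, credentials, port, path and query are discarded. Hostnames
    without at least two labels (e.g. 'localhost') are rejected.
    """
    s = entry.strip()
    if not s:
        return None
    if "://" not in s:          # urlsplit needs a scheme to see a netloc
        s = "https://" + s
    host = urlsplit(s).hostname  # already lowercased, port/userinfo removed
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        return None
    return ".".join(labels)


def build_collection(entries: List[str]) -> Tuple[List[str], List[str]]:
    """Return (unique valid domains in first-seen order, rejected entries)."""
    seen: dict = {}
    rejected: List[str] = []
    for e in entries:
        d = normalize_domain(e)
        (rejected.append(e) if d is None else seen.setdefault(d, None))
    return list(seen), rejected


def write_collection_file(domains: List[str], path: str) -> str:
    """Write the comma-delimited list; the page requires a .txt extension."""
    if not path.lower().endswith(".txt"):
        raise ValueError("collection file must have a .txt extension")
    content = ",".join(domains)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return content


if __name__ == "__main__":
    # Constructed input: mixed case, paths, a port, a duplicate and junk.
    sample = ["https://facebook.com/login", "Facebook.com", "instagram.com",
              "twitter.com/", "x.com:443/home", "not a domain", ""]
    good, bad = build_collection(sample)
    print(write_collection_file(good, "social_media.txt"), "rejected:", bad)
```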
The detailed steps to configure the macOS device Exfiltration policy are explained in the following documents.
This stage allows you to select the notification channels. If Nightfall detects sensitive data in any of the selected upload channels, the notifications are sent to the recipients configured in this section.
This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.
The alert configurations described in this section are created at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the macOS Exfiltration policies, you must configure alerts at the integration level. To learn more about how to configure integration-level policies for the Google Drive integration, read the integration-level alerts documentation. The steps to configure alert channels for a policy-level integration are the same as in the case of integration-level alerts; you can refer to that document for the steps.
The Scope section enables you to create an asset lineage based policy in which you can track the journey of an asset from source to destination.
Security administrators can set precise exfiltration policies to protect sensitive files that originate from high-value SaaS locations from being exfiltrated to unsanctioned destinations.
High performance security teams can focus their energy and resources on monitoring assets from high value SaaS domains.
By combining content download origin to upload destination, organizations can extend their monitoring to cover any cloud application accessed through the browser, even those without direct API integration.
Allows security teams to monitor and prevent data exfiltration not just through direct browser uploads but also through cloud storage sync applications, providing a multi-layered defense against data leaks.
With lineage-based policies, organizations can proactively identify and manage risks associated with sensitive content movement, ensuring compliance with data security standards and preventing potential breaches before they occur.
The Scope page consists of two sections.
By default, Nightfall monitors all the macOS devices configured in your org. However, you can choose to exclude specific macOS devices from being monitored.
If you have a long list of assets, you can search for an asset by entering the device ID of the asset.
The Asset Origin filter allows you to limit the scope of the policy to only those assets which originated from a specific source. To use the asset origin filter, you must click Add Filter and select Asset Origin.
The Asset origin filter provides the following options:
Any Domain: If you select this option, Nightfall monitors the assets that originated from any domain present in any of the domain collections.
Domain in: If you select this option, you must also select one or more domain collections created in the domain collections section. Nightfall then monitors only those assets that originated from a domain that is part of any of the selected domain collections.
Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.
Domain Not in: If you select this option, you must also select one or more domain collections created in the domain collections section. Nightfall then does not monitor assets that originated from a domain that is part of any of the selected domain collections.
Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.
In this stage, you select the Integration for which the policy is created. In this case, Google Drive integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Exfiltration.
Select macOS.
Once you have narrowed the policy Scope down to the required devices and originating domains, you must define the trigger actions that are treated as exfiltration events.
Nightfall provides two types of triggers that you can set as exfiltration events.
Browser Uploads: In this section, you can define the upload of an asset through a browser to an online portal (for example, a social media website) as an exfiltration event.
Cloud Syncing: In this section, you can define the upload of an asset to an online cloud storage application (for example, Google Drive) as an exfiltration event.
The steps to use the above triggers are elaborated in the following sections.
Ensure that you have configured domain collections before using the Browser uploads option.
To monitor browser uploads:
Select the Browser uploads to option.
Select one of the following options.
Any Domain: If you select this option, Nightfall monitors your uploads done to any domain on the Internet.
Domain in: If you select this option, you must also select one or more domain collections created in the domain collections section. Nightfall monitors uploads made to all the domains that belong to the selected domain collections.
Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.
Domain Not in: If you select this option, you must also select one or more domain collections created in the domain collections section. Nightfall does not monitor uploads made to any of the domains that belong to the selected domain collections.
Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.
With this option, you can either monitor uploads made to every cloud sync app or select specific cloud sync apps whose uploads must be monitored.
Select the Cloud Syncing to option.
Select one of the following options.
Any Storage Apps: If you select this option, Nightfall monitors uploads made to every cloud sync storage application.
Specific Storage App(s): If you select this option, you must additionally select the storage apps. Nightfall monitors the uploads done to the selected storage apps.
Once you select a cloud storage application, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional cloud storage apps.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click Back or click any specific stage to modify any of the policy configurations.
Click Submit.
This document explains what admins and end-users can do once a policy is violated.
Nightfall admins can manage violations from within the Nightfall console. The Events page in Nightfall lists all the violations under the Exfiltration tab. End-users can get a detailed view of each exfiltration violation recorded.
To view violations in Nightfall:
Navigate to Exfiltration Prevention from the left menu.
Steps 2-6 help you filter the events to only view the alerts generated by macOS.
Click Filter.
Click + Add Filter.
Select Integration.
Select the macOS check box.
Click Apply.
To view historic events, click the Time filter, select the required time period or enter it manually by selecting the Custom Range option. Once the required time period is selected, click Apply.
The filtered list of events for macOS only is displayed as follows.
You can click an event to view the details. The detail view window is as follows.
As you can see in the above image, the detail view window consists of the following tabs.
The Summary tab consists of the following details.
Assets: The name of the uploaded asset that contains sensitive data.
Policy: The name of the policy violated.
Device ID: The device ID of the device from which the asset was uploaded.
Machine Name: The physical name of the device from which the asset was uploaded.
Browser Name: The name of the browser from which the asset was uploaded. This field is applicable only for browser uploads.
Domain: The domain URL to which the asset containing sensitive data was uploaded. This field is applicable only for browser uploads. When you hover over a domain that is not added to any Collection, you can choose to add it to an existing Collection or create a new one. If you are already leveraging the domain collection as part of your monitoring policies, the new addition will be automatically picked up. For example, if the domain is added to a collection of sanctioned domains your policy is ignoring, future uploads to this destination will be ignored.
App Name: The name of the cloud storage app to which the asset containing sensitive data was uploaded. This field is applicable only for uploads made to cloud storage apps.
Account Type: The nature of the cloud storage app to which the asset was uploaded. The account type is generally either Personal account or Business account. This field is applicable only for uploads made to cloud storage apps.
Upload Start Time: The start date and start time of the upload.
Upload End Time: The end date and end time of the upload.
The Summary tab for a Browser upload action is as follows.
The Summary tab for a Cloud storage app event is as follows.
The Summary tab also displays the timeline when the event was created. You can also add comments on the Summary tab. The comments added by you can be viewed by other users as well.
The comment is displayed as follows.
This tab displays the details of the asset (with sensitive data) that was uploaded to a domain or cloud storage app. The asset tab also displays a number in brackets. This number indicates the number of assets that were uploaded as part of the event.
In the following image, there is a single asset that was uploaded and it triggered the event.
In the following image, there were two assets which were uploaded and these four uploads together triggered the event.
In such cases when there are multiple assets involved, you can use the drop-down menu to switch between assets and view the asset details.
The Assets tab displays the following details.
Name: The name of the asset uploaded.
Where: The location of the asset in the device.
Medium: The medium used to upload the asset. This can be browser or cloud storage app.
The Assets tab also contains the Asset History section. This section displays the source or origin from where the asset was downloaded. Additionally, it also displays the destinations to which the asset was uploaded. If the source and destination details are not available, this section does not display any information. Users can use the time filter to view historic data.
The device tab displays the details of the device used to upload the asset. You can view the following details on this tab.
Device ID: The device ID of the device from which the asset was uploaded.
Device Name: The name of the device from which the asset was uploaded.
Connection Status: The current status of the device. This can either be Connected or Disconnected. If the device is not in contact with the Nightfall agent for more than 6 hours, the connection status changes to disconnected.
OS: The operating system used on the device.
MAC Address: The physical MAC address of the device.
Last Connection: The date and time when the device was last connected.
Agent Version: The Nightfall agent version installed on the device.
OS Version: The macOS version used on the device.
Important
If you upload the same file through multiple browsers (say 3), 3 exfiltration events are generated. However, if you upload multiple files through the same browser, only a single event is generated.
If multiple violations are recorded within a span of five minutes on the same browser or cloud storage app, all the violations are clubbed under a single exfiltration event. The Assets tab of this event displays the details of each asset.
However, if you upload multiple files through different browsers or to different cloud storage apps within a span of five minutes, a separate exfiltration event is generated for each uploaded file.
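The grouping rules above determine how many events an analyst sees for a burst of uploads. The following model, written for this article and not Nightfall's implementation, applies those rules to a constructed upload log: uploads are keyed by browser or cloud storage app, and uploads on the same key within five minutes are clubbed into one event. It assumes (the page does not say) that the five-minute window is measured from the first upload in a group.

```python
"""Model of the event-clubbing rules described for macOS exfiltration events.
Illustrative code for this article; the upload log below is constructed.
Assumption: the 5-minute window starts at the first upload of a group."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class Upload:
    """One observed upload. medium is 'browser' or 'cloud'; channel is the
    browser name or cloud storage app name."""
    time: datetime
    asset: str
    medium: str
    channel: str


@dataclass
class Event:
    medium: str
    channel: str
    start: datetime
    end: datetime
    assets: List[str] = field(default_factory=list)


def group_events(uploads: List[Upload]) -> List[Event]:
    """Club uploads into events per (medium, channel) and a 5-minute window."""
    open_events: Dict[Tuple[str, str], Event] = {}
    events: List[Event] = []
    for up in sorted(uploads, key=lambda u: u.time):
        key = (up.medium, up.channel)
        ev = open_events.get(key)
        if ev is None or up.time - ev.start > WINDOW:   # new channel or window expired
            ev = Event(up.medium, up.channel, up.time, up.time)
            events.append(ev)
            open_events[key] = ev
        ev.end = up.time
        ev.assets.append(up.asset)
    return events


T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_UPLOADS = [  # constructed log
    Upload(T0, "report.xlsx", "browser", "Chrome"),
    Upload(T0 + timedelta(minutes=1), "report.xlsx", "browser", "Safari"),   # same file, 2nd browser
    Upload(T0 + timedelta(minutes=2), "report.xlsx", "browser", "Firefox"),  # same file, 3rd browser
    Upload(T0 + timedelta(minutes=3), "notes.docx", "browser", "Chrome"),    # clubbed with Chrome event
    Upload(T0 + timedelta(minutes=10), "budget.csv", "cloud", "Dropbox"),    # different medium/app
    Upload(T0 + timedelta(minutes=20), "photo.png", "browser", "Chrome"),    # Chrome again, window expired
]

if __name__ == "__main__":
    for ev in group_events(SAMPLE_UPLOADS):
        print(ev.channel, ev.start.time(), ev.assets)
```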
You can perform the following actions on all the three tabs. These actions are present at the bottom.
Copy Event Link: This action copies the link of the event to the clipboard.
Acknowledge: This action modifies the status of the event to Acknowledged.
Notify Slack: This action sends a Slack notification about the event to the recipient configured in the Admin Alerting section.
Notify Email: This action sends an email notification about the event to the recipient configured in the Admin Alerting section.
Resolve: This action resolves the event and modifies the status to resolved.
Ignore: This action ignores the event and modifies the status to ignored.
Asset: The asset window displays the details of the asset and the history of the asset. You can also choose to view historic asset data. If there are multiple assets in a single violation, you can choose which asset's details must be displayed.