Remediation for macOS Policies
This document explains what admins and end-users can do once a policy is violated.
Nightfall admins manage violations from within the Nightfall console. The Events page lists all violations under the Exfiltration tab, and admins can open a detailed view of each recorded exfiltration violation.
To view violations in Nightfall:
1. Navigate to Exfiltration Prevention from the left menu.
2. Click Filter.
3. Click + Add Filter.
4. Select Integration.
5. Select the macOS check box.
6. Click Apply.
Steps 2-6 narrow the event list to alerts generated by the macOS agent.
To view historic events, click the Time filter and either select a preset period or choose Custom Range to enter one manually, then click Apply.
The filtered list then shows only macOS events. Click an event to open its detail view, which has three tabs: Summary, Assets, and Device.
The Summary tab consists of the following details.
Assets: The name of the uploaded asset that contains sensitive data.
Policy: The name of the policy violated.
Device ID: The device ID of the device from which the asset was uploaded.
Machine Name: The physical name of the device from which the asset was uploaded.
Browser Name: The name of the browser from which the asset was uploaded. This field is applicable only for browser uploads.
Domain: The domain to which the asset containing sensitive data was uploaded. This field is applicable only for browser uploads. When you hover over a domain that is not yet part of any Collection, you can add it to an existing Collection or create a new one. If that Collection is already used by your monitoring policies, the new domain is picked up automatically. For example, if the domain is added to a Collection of sanctioned domains that your policy ignores, future uploads to this destination will be ignored.
App Name: The name of the cloud storage app to which the asset containing sensitive data was uploaded. This field is applicable only for uploads to cloud storage apps.
Account Type: The nature of the cloud storage app account to which the asset was uploaded, generally either Personal account or Business account. This field is applicable only for uploads to cloud storage apps.
Upload Start Time: The start date and start time of the upload.
Upload End Time: The end date and end time of the upload.
For a browser upload, the Summary tab shows the browser name and domain; for a cloud storage app event, it shows the app name and account type.
The Summary tab also displays a timeline of the event. You can add comments on the Summary tab, and comments you add are visible to other users.
The Assets tab displays the details of the asset (containing sensitive data) that was uploaded to a domain or cloud storage app. The tab label also shows a number in brackets, which is the number of assets uploaded as part of the event: a single uploaded asset produces a count of one, while several assets uploaded together produce a higher count and are grouped into one event.
When multiple assets are involved, use the drop-down menu to switch between assets and view each asset's details.
The Assets tab displays the following details.
Name: The name of the asset uploaded.
Where: The location of the asset in the device.
Medium: The medium used to upload the asset. This can be browser or cloud storage app.
The Assets tab also contains the Asset History section. This section displays the source or origin from where the asset was downloaded. Additionally, it also displays the destinations to which the asset was uploaded. If the source and destination details are not available, this section does not display any information. Users can use the time filter to view historic data.
The Device tab displays the details of the device used to upload the asset. You can view the following details on this tab.
Device ID: The device ID of the device from which the asset was uploaded.
Device Name: The name of the device from which the asset was uploaded.
Connection Status: The current status of the device, either Connected or Disconnected. If the Nightfall agent on the device has not checked in for more than 6 hours, the status changes to Disconnected.
OS: The operating system used on the device.
MAC Address: The physical MAC address of the device.
Last Connection: The date and time when the device was last connected.
Agent Version: The Nightfall agent version installed on the device.
OS Version: The macOS version running on the device.
Important
If you upload the same file to multiple browsers (say 3), 3 exfiltration events are generated. However, if you upload multiple files to the same browser, only a single event is generated.
If multiple violations are recorded within five minutes on the same browser or cloud storage app, they are grouped into a single exfiltration event, and the Assets tab of that event lists each asset.
However, if you upload multiple files to different browsers, or to different cloud storage apps, within five minutes, a separate exfiltration event is generated for each uploaded file.
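The grouping rule above is easy to misread when triaging, so the following model encodes it so the expected event count can be checked against what the console shows. This is an added illustration, not Nightfall's implementation: the record layout, the grouping key (device, medium, destination) and measuring the five-minute window from the first upload in an event are assumptions, and the sample uploads are constructed.

```python
"""Model of how uploads are grouped into exfiltration events.

Added illustration, not Nightfall code. It encodes the documented rule:
uploads to the same browser or cloud storage app within five minutes are
grouped into one event, and each distinct destination gets its own event.
The record layout, the per-device grouping key and measuring the window
from the first upload in an event are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # documented grouping window


@dataclass(frozen=True)
class Upload:
    time: datetime
    device_id: str
    medium: str        # "browser" or "cloud_app"
    destination: str   # browser name or app name (assumed grouping key)
    asset: str         # file name shown on the Assets tab


@dataclass
class Event:
    device_id: str
    medium: str
    destination: str
    start: datetime    # Upload Start Time
    end: datetime      # Upload End Time
    assets: list = field(default_factory=list)

    def asset_count(self):
        """The number shown in brackets on the Assets tab."""
        return len(self.assets)


def group_events(uploads):
    """Return one Event per burst of uploads to the same destination.

    Uploads are processed in time order; an upload joins the open event
    for its (device, medium, destination) key if it falls within WINDOW
    of that event's first upload, otherwise it starts a new event.
    """
    events = []
    open_events = {}  # key -> most recent Event for that key
    for u in sorted(uploads, key=lambda x: x.time):
        key = (u.device_id, u.medium, u.destination)
        ev = open_events.get(key)
        if ev is None or u.time - ev.start > WINDOW:
            ev = Event(u.device_id, u.medium, u.destination, u.time, u.time)
            events.append(ev)
            open_events[key] = ev
        ev.end = u.time
        ev.assets.append(u.asset)
    return events


# Constructed sample data for the three documented scenarios.
T0 = datetime(2024, 1, 1, 9, 0, 0)


def same_file_three_browsers():
    """Same file to three browsers: expect three events."""
    return [Upload(T0 + timedelta(seconds=10 * i), "dev-1", "browser", b, "ssn.csv")
            for i, b in enumerate(["Chrome", "Safari", "Firefox"])]


def many_files_one_browser():
    """Three files to one browser within five minutes: expect one event."""
    return [Upload(T0 + timedelta(minutes=m), "dev-1", "browser", "Chrome", f"file{m}.pdf")
            for m in (0, 1, 4)]


def files_to_different_apps():
    """Two files to two cloud storage apps in quick succession: expect two events."""
    return [
        Upload(T0, "dev-1", "cloud_app", "Dropbox", "payroll.xlsx"),
        Upload(T0 + timedelta(seconds=30), "dev-1", "cloud_app", "Google Drive", "payroll.xlsx"),
    ]


def uploads_past_window():
    """Two uploads to the same browser six minutes apart: expect two events."""
    return [
        Upload(T0, "dev-1", "browser", "Chrome", "a.txt"),
        Upload(T0 + timedelta(minutes=6), "dev-1", "browser", "Chrome", "b.txt"),
    ]


if __name__ == "__main__":
    for name, fn in [("3 browsers", same_file_three_browsers),
                     ("1 browser", many_files_one_browser),
                     ("2 apps", files_to_different_apps),
                     ("past window", uploads_past_window)]:
        evs = group_events(fn())
        print(name, "->", len(evs), "event(s);", [e.asset_count() for e in evs], "asset(s)")
```

Run it to compare the predicted event and asset counts with what the Exfiltration tab displays; a mismatch usually means the uploads straddled the five-minute boundary or went to destinations the console treats as distinct.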
You can perform the following actions from any of the three tabs. These actions are present at the bottom of the detail view.
Copy Event Link: This action copies the link of the event to the clipboard.
Acknowledge: This action modifies the status of the event to Acknowledged.
Resolve: This action resolves the event and modifies the status to resolved.
Ignore: This action ignores the event and modifies the status to ignored.
Asset: The asset window displays the details of the asset and the history of the asset. You can also choose to view historic asset data. If there are multiple assets in a single violation, you can choose which asset's details must be displayed.
Notify Slack: This action sends a Slack notification about the event to the recipient configured in the section.
Notify Email: This action sends an email notification about the event to the recipient configured in the section.