Trigger
The trigger section further enhances the unwanted noise reduction capabilities. With the trigger section, you can:
- Set what download behavior can be termed as an exfiltration event.
- Exclude downloads by trusted apps from being termed as exfiltration events.
In the trigger section, you set which download behavior, specifically the download frequency, must be termed as an exfiltration event.
To configure the Trigger section:
1. Set the minimum number of downloads that must be considered as an exfiltration event.
2. Set the required time period (frequency). If the minimum download threshold (set in the previous step) is reached or exceeded within the set time period, an exfiltration event is generated.
In the following image, the configurations are set such that if an asset is downloaded 2 or more times within 10 minutes, an exfiltration event is triggered.
You must set the action frequency carefully. For example, consider that you set the download condition as 5 or more files within 1 hour. In this case, if a user downloads four assets every 1 hour, the policy does not trigger a violation, since the condition is not met.
Depending on your environment, a significant number of downloads may be attributed to applications (for example, backup apps). You may choose to ignore such download events to reduce the noise and focus your monitoring on unexpected application and user download events.
The Exclude apps section allows you to exclude specific applications from being monitored by your policy.
To configure the Exclude apps section, select the applications to exclude from the drop-down menu. Once saved, Nightfall will not alert on download events attributed to the excluded applications.
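To check a candidate threshold, time period and exclusion list against download history before saving the policy, the trigger logic described above can be modeled offline. This is an added example, not Nightfall's code: the function name, the per-user grouping, the half-open sliding window (a download exactly one period old no longer counts) and the sample events are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def exfil_events(downloads, min_downloads, window, excluded_apps=()):
    """Return (user, timestamp) for every download that brings a user's
    count inside the trailing `window` up to `min_downloads` or more.

    downloads: iterable of (timestamp, user, app) tuples.
    Assumed semantics (hypothetical, not taken from the product):
    per-user sliding window; downloads by excluded apps never count.
    """
    excluded = set(excluded_apps)
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    hits = []
    for ts, user, app in sorted(downloads):
        if app in excluded:
            continue  # trusted app: ignored entirely
        q = recent[user]
        q.append(ts)
        # Drop downloads that have aged out of the trailing window.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) >= min_downloads:
            hits.append((user, ts))
    return hits

# Constructed sample events (not real logs).
T0 = datetime(2024, 1, 8, 9, 0)
SAMPLE = (
    # alice: two downloads four minutes apart
    [(T0, "alice", "browser"), (T0 + timedelta(minutes=4), "alice", "browser")]
    # bob: a steady four downloads per hour for four hours
    + [(T0 + timedelta(minutes=15 * i), "bob", "browser") for i in range(16)]
    # backup job: twenty downloads in five minutes
    + [(T0 + timedelta(seconds=15 * i), "svc-backup", "backup-agent")
       for i in range(20)]
)

if __name__ == "__main__":
    trusted = {"backup-agent"}
    # 5 or more within 1 hour: bob's steady four per hour never fires.
    print(exfil_events(SAMPLE, 5, timedelta(hours=1), trusted))
    # Same rule without the exclusion: only the backup job generates events.
    print(len(exfil_events(SAMPLE, 5, timedelta(hours=1))))
    # 2 or more within 10 minutes: alice fires on her second download.
    print(exfil_events(SAMPLE, 2, timedelta(minutes=10), trusted))
```

Running it with several threshold and period pairs shows which users sit just under a rule, such as the steady four-per-hour pattern, and how much of the alert volume comes from applications that are candidates for exclusion.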