Exfiltration for Google Drive
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
This document explains the steps to install the Nightfall for Google Drive.
To install the Nightfall DLP for Google Drive integration, you must have the following:
A Google Workspace account, preferably a service account.
An admin user account of your organization's Google Workspace account (or any other Google Workspace account) on which you wish to install the integration.
To install Nightfall for Google Drive:
Log in to Nightfall.
Click Google Drive under the MY INTEGRATIONS section (click Show more if you are unable to view Google Drive)
Click Begin Setup.
The access permission page is displayed as follows. Copy the client ID and Scopes ID generated.
Login to your Google Workspace with an admin account.
Click the menu icon.
Select Admin.
In the Admin console left pane, expand Security and then expand Access and data control.
Click API controls.
Click MANAGE DOMAIN WIDE DELEGATION under Domain wide delegation.
Click Add New.
Paste the Client ID copied from the Nightfall app, in the Client ID field.
Paste the Scopes ID copied from the Nightfall app, under OAuth Scope field. Use comma to add multiple scope IDs.
Click AUTHORIZE.
Return to the Nightfall app and click Next Step.
Click Connect.
Once the installation is completed, you can view the details of your Google Drive in the Nightfall app.
Once the installation is completed, Nightfall connects to your Google Workspace account and fetches all the domains. In the above image, you can see that 3 domains are fetched. These three domains were already present in your Google Workspace and are considered to be internal. You can add additional domains by clicking the ellipsis menu at the right end and selecting Manage Domains.
Exfiltration policies allow you to monitor download events across your Google Drive environment. Through real-time download monitoring, you can identify insider risk and anomalous behaviour before it escalates to large scale security incidents. You can monitor download activity for specific users or user groups, specific drives containing valuable sensitive assets, or downloads of any files containing sensitive data types as discovered and classified by Nightfall's ML/AI based detectors.
You can set up your policies to monitor only, to educate users in real-time about your download and data governance policies, or to automatically suspend user access to the Google Workspace to enforce zero tolerance policies.
The detailed steps to configure the Google Drive Exfiltration policy is explained in the following documents.
Data exfiltration, also known as data theft, data exportation, or data extrusion, is the unauthorized transfer of data from a device or network. It can occur as part of an automated attack or can be performed manually. The illegitimate transfer of data often looks very similar to legitimate transfers, making it difficult to detect.
Data exfiltration can occur in various ways and through multiple attack methods. Here are some of the most commonly used techniques:
Social Engineering and Phishing Attacks: These attacks trick victims into downloading malware and giving up their account credentials.
Outbound Emails: Cyber criminals employees or intruders use email to exfiltrate any data that sits on organizations’ outbound email systems.
Downloads to Insecure Devices: Data is transferred by users from secure, trusted systems to an insecure device. From there, the attacker can infiltrate the device and exfiltrate the data.
Uploads to Cloud Storage: Data can be exfiltrated from cloud storage when data is uploaded to insecure or misconfigured resources.
Nightfall provides a highly revolutionised solution to data exfiltration. Nightfall AI's exfiltration prevention capabilities easily integrate with existing tools, thus catering to security teams and companies across industries. Nightfall's exfiltration solution is much more than just a tool; it proactively protects against data breaches, providing tangible benefits for organizations striving to secure their sensitive information.
Data exfiltration, also known as data theft, data exportation, or data extrusion, is the unauthorized transfer of data from a device or network. It can occur as part of an automated attack or can be performed manually. The illegitimate transfer of data often looks very similar to legitimate transfers, making it difficult to detect.
Data exfiltration can occur in various ways and through multiple attack methods. Here are some of the most commonly used techniques:
Social Engineering and Phishing Attacks: These attacks trick victims into downloading malware and giving up their account credentials.
Outbound Emails: Cyber criminals employees or intruders use email to exfiltrate any data that sits on organizations’ outbound email systems.
Downloads to Insecure Devices: Data is transferred by users from secure, trusted systems to an insecure device. From there, the attacker can infiltrate the device and exfiltrate the data.
Uploads to Cloud Storage: Data can be exfiltrated from cloud storage when data is uploaded to insecure or misconfigured resources.
Nightfall provides a highly revolutionised solution to data exfiltration. Nightfall AI's exfiltration prevention capabilities easily integrate with existing tools, thus catering to security teams and companies across industries. Nightfall's exfiltration solution is much more than just a tool; it proactively protects against data breaches, providing tangible benefits for organizations striving to secure their sensitive information.
In this stage, you select the Integration for which the policy is created. In this case, Google Drive integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Exfiltration.
Select the Google Drive integration.
This stage allows you to select automated notification channels or actions if a policy violation occurs.
This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.
The alert configurations configured in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the Google Drive Exfiltration policies, you must configure alerts at the integration level. To learn more about how to configure integration-level policies for the Google Drive integration, read .
The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to for steps.
Automated actions allow you to configure automated remediation actions when an exfiltration attempt is detected by Nightfall policy. Nightfall supports the following automated actions for Google Drive. You can choose to implement the automated action immediately after detecting a download attempt or after some time.
Suspend Account: This action suspends the user's account who tried to download files and triggered the exfiltration event.
To enable the automated action, you must turn on the respective toggle switch.
You must now select when exactly after detecting the event, the action must be triggered. if you select the Immediately option, the automated action is triggered immediately after the download attempt is made.
If you select the After option, you must select the time gap after which the automated action must be implemented.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
The automation settings allow you to send notifications to end users. You can select one or both the notification methods. You must first turn on the toggle switch to use the automation option. The automation notification channels are as follows
Email: This option sends an Email to the user who attempted the download.
Slack: This option sends a Slack message to the user who attempted the download.
End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take, when a violation is detected on by their download attempt. You must turn on the toggle switch to use this option. End-users receive the remediation actions in an Email as an action item. The various available remediation actions for end-users are as follows.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
When end-users report alerts as false positive, you can choose the resolution method to be either Automatic or manual.
If end-users do not take any remediation action, you can set the frequency at which they must receive the notifications to take action.
This document explains what admins and end-users can do once a policy is violated.
When end-users violate a policy, the Nightfall admin is notified about the incident. The notification channel used to notify the Nightfall admin depends on the settings configured in the section. If you have not enabled any notification channels in the Admin alerting section, Nightfall admins are not notified.
If you have enabled the email notification in the Admin alerts section, Nightfall admins receive an email. The email is as shown in the following image.
The Email consists of the following data.
Event: The event that caused the violation. For Google Drive, the event is always a download of assets.
Actor: The Email ID of the user who downloaded the file.
When: The date and time when the email was downloaded.
Where: The name of the file that was downloaded.
Policies Violated: The name of the policy that was violated.
Violation Dashboard: The link to the Events screen to view the violation in detail.
Actions: The list of actions that the Nightfall admin can take.
Also, a Slack message is sent if you have enabled the Slack alerts for the Nightfall admin. The Slack message looks as shown in the following image.
If you have configured the Email notification for end-users and enabled the end-user remediation, end-users can take remediation actions from the Email itself. The end-user Email is shown in the following image.
If you have configured Slack notifications for end-user and enabled end-user remediation, end-users can view the Slack message as follows.
Nightfall admins can manage violations from within the Nightfall console. The Events page in Nightfall lists all the violations under the Exfiltration tab. End-users can get a detailed view of each exfiltration Event triggered.
To view violations in Nightfall
Navigate to the Exfiltration Prevention page.
The Exfiltration Events page lists all the exfiltration events. To view events with specific statuses, you can click the respective tabs.
To view the past events, click the Time filter and select the required time period. By default, the time period displays Events for the Last 7 Days.
You can click an event to view the details. The detail view window is as follows.
The detail view window consists of the following tabs.
Summary: The Summary tab displays highlights of the event like the name of the downloaded asset, the name of the violated policy, the email ID of the user who violated the policy, and so on.
Asset: The asset window displays the details of the asset and the history of the asset. You can also choose to view historic asset data. If there are multiple assets in a single violation, you can choose which asset's details must be displayed.
Actor: The actor tab displays the details and history of the user who downloaded the asset. You can choose to view historical data of the user. You can also add which can serve as metadata for the violation.
The events list view displays an ellipsis menu at the extreme right corner. Admins can click this menu to take appropriate action on an exfiltration event.
The various available actions are explained as follows.
Acknowledge: This action can be taken when you just wish to acknowledge that you have viewed the violation.
Notify Email: This action sends an email notification to the end-user who caused the violation.
Notify Slack: This action sends a Slack notification to the end-user who caused the violation.
Suspend Account: This action suspends the account of the user who caused the violation.
Ignore: This action ignored the violation. You can take this action when an event is false positive.
Copy Link: This action is only available on the Asset detail view. You can copy the direct link to the Event with this action.
Once the action is implemented, the status of the event changes respectively. By default, an event can have one of the following two statuses.
Active: The event has been generated but no action has been taken.
Input Requested: A notification has been sent to the end-user requesting their response.
You can also take action from the event detail view page. The actions are available at the bottom of the detail view page.
This document explains the process of installing Nightfall AI agent using the Rippling MDM.
Target macOS devices are onboarded.
You have received and unpacked the Nightfall Endpoint payload.
In this step, you will create a custom profile for each of the profiles provided in your Nightfall endpoint payload.
Locate the following .mobileconfig files in your Nightfall Endpoint payload package
NightfallAI_ApplicationSystemEvents.mobileconfig
NightfallAI_Notification.mobileconfig
NightfallAI_PPPC.mobileconfig
Navigate to and click “Add configurations”.
Upload and save provided config profiles.
Drop or select NightfallAI_PPPC.mobileconfig .
Configuration name: “Nightfall AI PPPC”
Configuration description: “Nightfall AI PPPC profile”
Platform: “macOS”
Click Save & continue.
Repeat the above for all remaining .mobileconfig profiles provided.
Select Deploy from the three-dot context menu located on the far right of the first profile.
Select all employees or specific target devices.
Click Save.
Repeat step 4 for each remaining profiles.
Click Upload Software on the right of the page.
Name: “Nightfall Endpoint DLP Agent <version>”
<version> is the version of the package your received from Nightfall.
Operating System: “macOS”
Category: “My Uploads” (Default)
Description: “Nightfall Endpoint DLP Agent”.
Upload Icon: use the .png icon file provided.
Upload Installer File: drop or select the provided nightfall-ai-agent-signed.pkg file.
Install-check script: provided in your package as mdm_pre_install_check_script.sh
Pre-install script: provided in your package as mdm_pre_installation_script.sh
Click Submit.
Click Add on the newly created Software Item.
Click Finished Selecting.
Search or scroll to the newly added item matching the name you used in the previous step.
a. Click Edit.
i. Select all employees or specific target devices.
ii. Click Save.
The Nightfall Endpoint DLP Agent will now deploy to all selected target devices. This may take up to 72 hours and is dependent on the endpoint devices being turned on, connected, and pre-requisite profiles deployed.
The below describes the steps to upgrade endpoints with a new version of the agent:
Search or scroll to the old version of the Nightfall Endpoint DLP Agent and click “Edit”.
a. Remove all devices from the installation list and click “Save”.
The Nightfall Endpoint DLP Agent will now deploy to all selected target endpoints. Installation may take up to 48 hours and is dependent on the endpoint devices being turned on and connected.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click back or click on any specific stage to modify any of the policy configurations.
Click Submit.
This document explains the process of installing Nightfall AI agent using the Kandji MDM.
Ensure that the Kandji APN is set.
Ensure that the target macOS devices are onboarded.
Ensure that you have received and unpacked the Nightfall Endpoint payload.
Navigate to
Click New Blueprint on the top right corner.
Click New Blueprint on the pop up menu.
Enter a name for the blueprint in the Blueprint name field.
Enter a description for the blueprint in the Blueprint description field.
Click Create Blueprint.
In this section, we create a custom profile for each of the profiles provided in the Nightfall endpoint payload and assign them to the blueprint you have created in the previous section.
Locate the following .mobileconfig files in your Nightfall Endpoint payload package.
a. Click Add new.
b. Select Custom Profile and click Add & Configure on the pop-up window.
c. Add Title, Select Blueprint, and finally drag and drop the .mobileconfig file.
d. Click Save.
Repeat the above steps for each of the .mobileconfig files provided.
In this section, we will create a custom app item for Nightfall Endpoint Agent.
Click Add New.
Click Custom App
Click Add & Configure on the pop-up window.
a. Add Title, Select the Blueprint you previously created.
b. Select the Audit and enforce option.
c. Paste the content of mdm_kandji_audit_script into the Audit Script text box.
d. Choose the Installer Package option.
e. Add Preinstall Script & Upload the installer package.
I. Paste the content of mdm_pre_install_script into the Pre-install Script text box.
II. Upload the installer package
i. Drag and drop or click to upload the provided nightfall-ai-agent_v*.*.*.pkg file
Save the change and wait for the changes to get deployed on the node machine.
Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink with the text Nightfall website, you must write <www.nightfall.ai|Nightfall website>.
End-users receive notifications and remediation actions if the Nightfall admin has enabled these settings. The notifications are based on the settings configured in the section. The end-user remediation actions are based on the settings configured in the section.
Navigate to:
Follow the to configure the new software package for the new version
Follow to deploy the new version.
Navigate to .
Navigate to .
Nightfall for macOS allows you to detect exfiltration events on your macOS devices. The Nightfall exfiltration feature can monitor any files being uploaded through supported cloud storage apps or browsers on macOS devices.
To use Nightfall for macOS, you must install the Nightfall AI agent. This agent monitors your macOS device continuously. You can install the agent either manually or through a Mobile device management (MDM) tool. You can request the Nightfall deployment bundle which contains the .pkg and other pre-installation scripts required for your MDM deployment. Here are the manual installation instructions along with example installation steps for MDM deployments.
Installation using the JAMF MDM (contact Nightfall support for installation instructions)
Nightfall employs the automatic endpoint update functionality. With this feature, Nightfall can deliver the majority of endpoint agent bug fixes and feature updates directly to endpoints.
Features:
Stay Secure: Receive the latest security patches and updates promptly, reducing the risk of vulnerabilities being exploited.
Remain Compatible: Keep your deployment compatible with the latest operating system updates and other software changes.
Receive New Features: You get access to new features and improvements to exfiltration monitoring without manual intervention.
Minimize Administrative Overhead: IT administrators don't need to manually deploy updates to each endpoint, saving time and resources.
This document explains the process of installing the Nightfall agent manually.
Ensure that you have root level access to the target macOS device.
Ensure that you have received and unpacked the Nightfall payload containing .pkg package file and the pre installation script files. If not, contact your Nightfall CSM.
Install the following profiles. You can find these files in the Profiles folder that was created after unpacking the .pkg package file.
"ai.nightfall.endpoint.automation" "ai.nightfall.endpoint.notification" "ai.nightfall.endpoint.pppc"
Run the MDM pre installation check script.
This checks if all the required profiles are installed. If the profiles are installed, you get a All required profiles are present message. However, if any of the profile(s) are missing, you get a Missing profile: $profile message.
After profiles, this checks for the version of the agent installed. If the latest version is already installed, it displays a NightfallAIAgent version already at: $agent_version message.
Create a default policy for web browser uploads and cloud storage application sync.
Locate the mdm_pre_installation_script.sh in the payload provided by Nightfall.
Open a Terminal window.
Run the mdm_pre_installation_script.sh script on your local machine as a root user, by executing the following command.
Double click the nightfall-ai-agent_<version>.pkg.
Due to your system settings, you may receive an error as shown in the following image.
In such cases, first click OK.
Next, control click (right click) the nightfall-ai-agent_<version>.pkg file and select Open from the drop-down menu.
A pop up window appears as shown in the following image. Click Open.
Click Continue.
Click Install.
Click Use Password to enter your device password and start the installation process.
Once the installation is completed, you get a completion message as shown in the following image.
Click Close.
At the top right corner of your screen, you can view the Nightfall AI agent icon which looks as follows.
When you click this icon, you can view the details of the agent.
To monitor your MAC device, you must grant access to the hard disk. This section explains the process of granting disk access.
Navigate to System Settings > Privacy & Security > Full Disk Access.
Click the + icon at the bottom of the list (you may be prompted to enter your macOS password)
Select NightfallAIAgent (under Applications) and click Open.
Click Quit & Reopen.
On the Full Disk Access page, ensure that the toggle switch is turned on for the NightfallAIAgent. This ensures that the full disk access is granted.
Apart from the disk access, you must also grant permission to the Nightfall AI agent to monitor browser uploads. This section explains the process.
To grant access to browser uploads:
Open a browser instance and upload a test file.
When prompted, grant the Nightfall AI agent permissions.
To uninstall the Nightfall AI agent, you must execute the following command on your MAC device, as a root user.
When you install the Nightfall agent manually, you must check your system profiles to ensure that all the Nightfall agent profiles are successfully integrated.
To check the system profiles:
Navigate to Privacy & Security > Profiles.
Ensure that the following profiles are present.
Nightfall Notification Profile
Nightfall PPPC Profile
Nightfall System Event Access
The Exfiltration policies for MAC allow you to monitor if there are any uploads via browser or cloud storage apps. You can configure the domains in Internet that needs to be monitored and also the cloud storage apps which need to be monitored.
When there are any uploads to the configured domain or cloud storage apps, the Nightfall AI agent notifies this action. You can configure the notification channels through which you wish to receive notifications when there is an attempt to upload files/folders.
Once you have completed the installation of Nightfall agent, you must ensure that the connection is live. If the Nightfall agent cannot connect to the macOS device for more than 6 hours, the connection is closed. When the connection is live, a Connected message is displayed. If the connection is lost, Disconnected message is displayed.
Collections help you refine you monitoring to reduce noise from sanctioned upload destinations as well as closely monitor exfiltration of files originating from high value SaaS applications accessed through the browser. You can also define specific domain collections to closely monitor upload activity to specific categories of upload destinations. For instance, to track files uploaded to social media, you can create a domain collection called social media and add domains like Facebook, Instagram, Twitter, and so on. Similarly, you create a collection for known and sanctioned upload destinations that are safe to upload to so you can ignore from your monitoring policies or monitor upload of items originating from such domains. While creating a policy, you can directly add the collection to be monitored. All the domains in the collection will be monitored.
You can create a domain by either manually entering all the domain URLs manually or by uploading a comma delimited list of domains in a text file.
To group domains:
Log in to the Nightfall app.
Navigate to Integrations from the left menu.
Click Manage on the macOS integration.
Click the Domains tab.
Click + New Collection.
You can either add the domains manually or upload a text file containing the list of domains. The following section has two tabs. The first explains the process of manually adding domains and the second tab explains adding domains by uploading a file.
Click + Add Domain.
Enter a name for the Collection in the Collection Name field (Social media in the following image)
Enter a domain and hit the enter key (facebook.com in the following image).
(Optional) Click + Add Domain to add multiple domains to the collection.
(Optional) Click the delete icon to delete a domain.
Click Save Changes.
Enter a name for the Collection in the Collection Name field.
Click Upload.
Browse and upload the text file containing the list of domains.
All the domains must be separated by a comma. The file must have a .txt extension.
Once you upload the file, the list of domains present in the file are displayed as follows.
(Optional) To add more Domains to the Collection, you can either click + Add Domain and enter the domain manually, or click Upload txt and upload another text file containing domains.
(Optional) Click the delete icon to remove a domain from the Collection.
Click Save Changes.
The detailed steps to configure the MAC device Exfiltration policy is explained in the following documents.
Nightfall for macOS allows you to configure alerts at the policy level and also at the integration level. Alerts can be sent in macOS policies by using the following alert channels.
Slack
Webhook
Jira Tickets
When you configure alert settings at the integration level, the alert settings apply to all the policies, created for the macOS integration. However, when you configure alert settings specifically for a policy, which is created in the macOS integration, the alert settings are applicable only for that specific policy.
This document explains how to configure alerts at the integration level. To learn about how to configure alerts at the policy level, read this document.
To use Slack as an alert platform, you must first perform the required Slack configurations. You can refer to this document to learn more about how to configure Slack as an Alert platform.
To use Webhook as an alert platform, you must first perform the required Webhook configurations. You can refer to this document to learn more about how to configure Webhook as an Alert platform.
To use JIRA as an alert platform, you must have the DLP for the JIRA app installed from the Atlassian Marketplace. You can read more about the DLP for JIRA integration here.
You can configure alerts at the integration level once you have installed the Nightfall for macOS integration.
To configure alerts at the integration level:
Navigate to the macOS integration
Scroll down to the Alerting section.
You can configure one or multiple alert channels.
To configure Slack as an alert channel, click + Slack channel.
In the Slack alert channel field, enter the name of the Slack channel in which you wish to receive the alerts.
Click Save.
A confirmation pop-up box is displayed to confirm if the Slack channel (entered in the second step) must be used only for macOS integration or all the Nightfall integrations.
Select No, only integration level to use the Slack channel only for macOS, or select Yes, please to use the selected Slack channel for all the Nightfall integrations.
Click + Email.
Enter the Email ID of the recipient who should receive the notifications.
Click Save.
A confirmation pop-up box is displayed to confirm if the Email ID (entered in the second step) must be used only for macOS integration or all the Nightfall integrations.
Select No, only integration level to use the Slack channel only for macOS, or select Yes, please to use the selected Slack channel for all the Nightfall integrations.
Click + Webhook.
Enter the Webhook URL.
Click Test. If the test result is not successful, check the Webhook URL.
(Optional) Click Add Header to add headers.
Click Save.
When you configure alerts to a Webhook, Nightfall AI sends occasional posts to:
To validate that the Webhook is properly configured before the policy is saved.
Periodically thereafter to ensure that the Webhook is still valid.
The response to the test Webhooks is 200 status code if successful.
An example of Webhook request is as follows.
This is part of alert event consumption and can be ignored.
Click + Jira Ticket.
Select a JIRA project from the Jira Project drop-down menu.
Select an issue type from the Issue Type drop-down menu.
(Optional) Add comments to be added in the JIRA ticket.
Click Save changes.
A confirmation pop-up box is displayed to confirm if the JIRA settings configured for the macOS integration must be applied to all the other Nightfall integrations too.
Select No, only integration level to use the configurations only for macOS, or select Yes, please to use the selected JIRA configurations for all the Nightfall integrations.
When a Violation occurs, Nightfall sends a notification to the end-user whose actions triggered the violation. While notifying the end-user, Nightfall also sends a text message. You can draft the text message to be sent to the end-user. This message applies to all the policies. Click Save changes once done.
In this stage, you select the Integration for which the policy is created. In this case, Google Drive integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Exfiltration.
Select macOS.
Once you zero down the policy Scope to the required devices and originating domains, you must now define the trigger actions that can be termed as exfiltration events.
Nightfall provides you two types of triggers that you can set as exfiltration events.
Browser Uploads: In this section, if an asset is uploaded through a browser to an online portal (for example social media website), you can define such events as exfiltration events.
Cloud Syncing: In this section, if an asset is uploaded to an online cloud store application (for example Google Drive), you can define such events as exfiltration events.
The steps to use the above triggers are elaborated in the following sections.
Ensure that you have configured domain collections before using the use the browser uploads option.
To monitor browser uploads:
Select the Browser uploads to option.
Select one of the following options.
Any Domain: If you select this option, Nightfall monitors your uploads done to any domain on the Internet.
Domain in: If you select this option, you must additionally also select the domain collections, created in the domain collections section. Nightfall monitors the uploads done to all the domains that belong to the selected domain collections.
Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.
Domain Not in: If you select this option, you must additionally also select the domain collections, created in the domain collections section. Nightfall does not monitor the uploads done to all the domains that belong to the selected domain collections.
Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.
In this option, you can either choose to monitor uploads done to every cloud sync app or select specific cloud sync apps to which the uploads must be monitored.
Select the Cloud Syncing to option.
Select one of the following options.
Any Storage Apps: If you select this option, Nightfall monitors the uploads done to every cloud sync storage applications.
Specific Storage App(s): If you select this option, you must additionally select the storage apps. Nightfall monitors the uploads done to the selected storage apps.
Once you select a cloud storage application, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional cloud storage apps.
Nightfall for Google Drive allows you to configure alerts at the policy level and also at the integration level. Alerts can be sent in Google drive by using the following alert channels.
Slack
Webhook
Jira Tickets
When you configure alert settings at the integration level, the alert settings apply to all the policies, created for the Google Drive integration. However, when you configure alert settings specifically for a policy, which is created in the Google Drive integration, the alert settings are applicable only for that specific policy.
This document explains how to configure alerts at the integration level. To learn about how to configure alerts at the policy level, read this document.
To use Slack as an alert platform, you must first perform the required Slack configurations. You can refer to this document to learn more about how to configure Slack as an Alert platform.
To use Webhook as an alert platform, you must first perform the required Webhook configurations. You can refer to this document to learn more about how to configure Webhook as an Alert platform.
To use JIRA as an alert platform, you must have the DLP for the JIRA app installed from the Atlassian Marketplace. You can read more about the DLP for JIRA integration here.
You can configure alerts at the integration level once you have installed the Nightfall for Google Drive integration.
To configure alerts at the integration level:
Navigate to the Google Drive integration
Scroll down to the Alerting section.
You can configure one or multiple alert channels.
To configure Slack as an alert channel, click + Slack channel.
In the Slack alert channel field, enter the name of the Slack channel in which you wish to receive the alerts.
Click Save.
A confirmation pop-up box is displayed to confirm if the Slack channel (entered in the second step) must be used only for Google Drive integration or all the Nightfall integrations.
Select No, only integration level to use the Slack channel only for Google Drive, or select Yes, please to use the selected Slack channel for all the Nightfall integrations.
Click + Email.
Enter the Email ID of the recipient who should receive the notifications.
Click Save.
A confirmation pop-up box is displayed to confirm if the Email ID (entered in the second step) must be used only for Google Drive integration or all the Nightfall integrations.
Select No, only integration level to use the Slack channel only for Google Drive, or select Yes, please to use the selected Slack channel for all the Nightfall integrations.
Click + Webhook.
Enter the Webhook URL.
Click Test. If the test result is not successful, check the Webhook URL.
(Optional) Click Add Header to add headers.
Click Save.
When you configure alerts to a Webhook, Nightfall AI sends occasional posts to:
To validate that the Webhook is properly configured before the policy is saved.
Periodically thereafter to ensure that the Webhook is still valid.
The response to the test Webhooks is 200 status code if successful.
An example of Webhook request is as follows.
This is part of alert event consumption and can be ignored.
Click + Jira Ticket.
Select a JIRA project from the Jira Project drop-down menu.
Select an issue type from the Issue Type drop-down menu.
(Optional) Add comments to be added in the JIRA ticket.
Click Save changes.
A confirmation pop-up box is displayed to confirm if the JIRA settings configured for the Google Drive integration must be applied to all the other Nightfall integrations too.
Select No, only integration level to use the configurations only for Google Drive, or select Yes, please to use the selected JIRA configurations for all the Nightfall integrations.
When a Violation occurs, Nightfall sends a notification to the end-user whose actions triggered the violation. While notifying the end-user, Nightfall also sends a text message. You can draft the text message to be sent to the end-user. This message applies to all the policies. Click Save changes once done.
When there is a high volume of exfiltration (basically download) in your organization, the scoping capability enables you to reduce the noise from low risk events so that you can zero in on genuine exfiltration events and resolve them.
Exfiltration (Download monitoring) can be scoped to:
Location: All or a specific set of drives
This allows you create flexible policies to monitor all or specific high-risk locations. This is a required scope for all policies.
User or User Group (Actor): Any or a specific set of users or user groups
This allows you to create custom policies for specific high-risk individuals or user groups. As such, you can create policies to monitor download activity by a disgruntled employee or departing employees. This can be set in combination to other scoping capabilities.
Permissions: Public, Organization or Restricted
This allows you to tailor your policies to drives or files with specific access restrictions. This can be set in combination to other scoping capabilities.
Detection rules: Any or a specific set of sensitive data protection detection rules
You can reuse any of detection rules you've already created or create new ones. This helps focus your detection on files which have associated sensitive data violations identified by your sensitive data scanning product. This can be set in combination to other scoping capabilities.
The Scope stage consists of two main sections.
Drive Selection: This section allows you to include various files and drives for monitoring. In this section, you can select the different types of drives to be monitored.
Add Filters: This section allows you to scrutinize your policy scope at more granular levels. While the Drive selection section allows you to select the whole drive to be monitored, this section provides you more granular level filters. You can select specific files within the selected drives for monitoring.
The Drive Selection section allows you to select various drives for monitoring. You can select either User Drives or Shared Drives to be monitored by Nightfall for exfiltration.
This section allows you to select various drives in your Google Drive to be monitored. There are two options in this section. You can either choose to scan the User drives, Shared drives, or both.
User Drives: The User Drives is the personal drive of the user. The files in this drive are visible only to the owner of the file and other users to whom the owner has granted access. User Drive is commonly known as My Drive in Google Drive. To monitor a User Drive, you must select the User drives check box as shown in the following image.
IMPORTANT
If you choose to monitor the User drives, all the User drives in your Google domain are selected for monitoring. You do not have the option to choose specific User drives for monitoring.
Shared Drives: Shared drives are common storage locations accessed by all the users in your Workspace. To select this option, you must select the Shared drives check box.
IMPORTANT
If you choose to monitor the Shared Drives, you can select whether to monitor all the Shared drives or only specific shared drives. Nightfall provides the following options.
If you select the All Drives option, all the Shared drives in your Google Workspace are selected for monitoring.
If you select the All Drives, except for option, you can exclude some shared drives from being monitored.
If you select the Specific Shared Drives option, you get the option to choose specific Shared drives for monitoring.
The following image displays the scenarios when you select the Shared Drives check box.
If you select the All Drives, except for option, you must also select the shared drives which must be excluded from monitoring.
Similarly, if you select the Specific Drive(s) option, you must also select the specific shared drives which must be monitored.
The filters section provides you the flexibility to include and exclude users at a granular level.
For instance, in the previous section, irrespective of whether you selected Shared Drive, User Drive, or specific User Drives, you ended up selecting one or a set of Drives for monitoring.
Once you select the Drives to monitor, in this section, you can overlay additional filters to further scope your monitoring. Nightfall provides the following additional filters:
Monitor specific: Choose this option to monitor one or a specific set of internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.
Monitor all, except: Choose this option to exclude specific individuals from your monitoring policy. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.
If you have not configured the Directory Sync feature, the users list is populated from the Google Drive integration setup. As a result, you can see the Google Drive icon before the user name. However, if you have set up Directory sync, the users list is fetched from the IdP used for the configuration. In the above image, the users list is populated from the Microsoft Azure IdP and hence you can see the Azure icon before the users’ names.
Important
For exclusions, Nightfall only checks the file ownership. For inclusions, Nightfall checks both file ownership and shared access. This rule is applicable to all the filters.
Monitor Specific: Choose this option to monitor one or a specific set of external users. Once you choose this option, you must manually enter the email ID(s) of the external users and hit the enter key.
Monitor all, except: Choose this option to exclude specific external users, from being monitored. Once you choose this option, you must manually enter the email ID(s) of the external users and hit the enter key.
Monitor specific: Choose this option to monitor one specific or a set of internal groups. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in Directory Sync. You must select at least one group.
Monitor all, except: Choose this option to exclude one specific, or a set of, internal groups from being monitored. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in Directory Sync. You must select the required users.
Monitor specific: Choose this option if you have external user groups defined in your IdP and would like to monitor one specific or a set of external groups. Once you choose this option, you must select at least one external user group to monitor then hit the enter key.
Monitor all, except: Choose this option if you have external user groups defined in your IdP and would like to exclude one or more external groups from being monitored. Once you choose this option, you must select at least one external user group to monitor then hit the enter key.
Before understanding the Permission filters, we must understand Google's General Access feature.
The general access feature in Google Workspace consists of three types of access, which are as follows.
Restricted: Files with this permission can only be accessed by users who have been granted access.
Target Audience: Files with this permission can be accessed by the users of the selected target audience group. There is a default target audience that gets created when the Google workspace is provisioned. This target audience has the same name as provisioned in the Google Workspace and includes all members of the organization. You can refer to this Google document to learn more about the target audiences.
Anyone with the Link: Files with this permission can be accessed by any user who has the file link.
Nightfall also provides inclusion and exclusion of files in policy scope that resembles the General Access sharing principle in Google Workspace. The Nightfall General Access permission options are as follows.
Restricted: Choose this option to scope monitoring to files with restricted access.
Shared with target audiences: Choose this option to scope monitoring to files shared with target audiences within your Google Workspace environment.
Anyone with the link: Choose this option to scope monitoring to files shared with anyone with a link.
The Nightfall Detection Rules consist of a single or multiple detectors. You can use this filter to either include all the detection rules or include only specific detection rules. Note that upon a download event, Nightfall will check if the downloaded file has been previously scanned, and results matched at least one of the selected detection rules (i.e. The file is not rescanned upon download).
All: If you select this option, all the detection rules are included.
Monitor Specific: If you select this option, you must also select the required detection rules. Nightfall scans your files only for the selected detection rules.
This document explains what admins and end-users can do once a policy is violated.
Nightfall admins can manage violations from within the Nightfall console. The Events page in Nightfall lists all the violations under the Exfiltration tab. End-users can get a detailed view of each exfiltration violation recorded.
To view violations in Nightfall
Navigate to Exfiltration Prevention from the left menu.
Steps 2-6 help you filter the events to only view the alerts generated by macOS.
Click Filter.
Click + Add Filter.
Select Integration.
Select the macOS check box.
Click Apply.
To view historic events, click the Time filter, select the required time period or enter it manually by selecting the Custom Range option. Once the required time period is selected, click Apply.
The filtered list of events only for macOS are displayed as follows.
You can click an event to view the details. The detail view window is as follows.
As you can view in the above image, the detail view window consists of the following tabs.
The Summary tab consists of the following details.
Assets: The name of the uploaded asset that contains sensitive data.
Policy: The name of the policy violated.
Device ID: The device ID of the device from which the asset was uploaded.
Machine Name: The physical name of the device from which the asset was uploaded.
Browser Name: The name of the browser from which the asset was uploaded. This field is applicable only for browser uploads.
Domain: The domain URL to which the asset containing sensitive data was uploaded. This field is applicable only for browser uploads. When you hover over a domain that is not added to any Collection, you can choose to add it to an existing Collection or create a new one. If you are already leveraging the domain collection as part of your monitoring policies, the new addition will be automatically picked up. For example, if the domain is added to a collection of sanctioned domains your policy is ignoring, future uploads to this destination will be ignored.
App Name: Then name of the cloud storage app to which the asset containing sensitive data was uploaded. This field is applicable only for uploads done to cloud storage apps.
Account Type: The nature of the cloud storage app to which the asset was uploaded. The account type is generally either Personal account or Business account. his field is applicable only for uploads done to cloud storage apps.
Upload Start Time: The start date and start time of the upload.
Upload End Time: The end date and end time of the upload.
The Summary tab for a Browser upload action is as follows.
The Summary tab for a Cloud storage app event is as follows.
The Summary tab also displays the timeline when the event was created. You can also add comments on the Summary tab. The comments added by you can be viewed by other users as well.
The comment is displayed as follows.
This tab displays the details of the asset (with sensitive data) that was uploaded to a domain or cloud storage app. The asset tab also displays a number in brackets. This number indicates the number of assets that were uploaded as part of the event.
In the following image, there is a single asset that was uploaded and it triggered the event.
In the following image, there were two assets which were uploaded and these four uplaods together triggered the event.
In such cases when there are multiple assets involved, you can use the drop-down menu to switch between assets and view the asset details.
The Assets tab displays the following details.
Name: The name of the asset uploaded.
Where: The location of the asset in the device.
Medium: The medium used to upload the asset. This can be browser or cloud storage app.
The Assets tab also contains the Asset History section. This section displays the source or origin from where the asset was downloaded. Additionally, it also displays the destinations to which the asset was uploaded. If the source and destination details are not available, this section does not display any information. Users can use the time filter to view historic data.
The device tab displays the details of the device used to upload the asset. You can view the following details on this tab.
Device ID: The device ID of the device from which the asset was uploaded.
Device Name: The name of the device from which the asset was uploaded.
Connection Status: The current status of the device. This can either be Connected or Disconnected. If the device is not in contact with the Nightfall agent for more than 6 hours, the connection status changes to disconnected.
OS: The operating system used on the device.
MAC Address: The physical MAC address of the device.
Last Connection: The date and time when the device was last connected.
Agent Version: The Nightfall agent version installed on the device.
OS Version: The MAC OS version used on the device.
Important
If you upload the same file to multiple browsers (say 3), 3 exfiltration events are generated. However, if you upload multiple files to the same browser, only a single event is generated.
If multiple violations are recorded within a span of five minutes on the same browser or cloud storage app, all the violations are clubbed under a single exfiltration event. The #assets-tab of this event displays the details of each asset.
However, if you upload multiple files to different browsers or upload multiple files to different cloud storage apps, within a span of five minutes, a separate exfiltration event is generated for each of the uploaded file.
You can perform the following actions on all the three tabs. These actions are present at the bottom.
Copy Event Link: This action copies the link of the event to the clipboard.
Acknowledge: This action modifies the status of the event to Acknowledged.
Notify Slack: This action sends a Slack notification about the event to the recipient configured in the #admin-alerting section.
Notify Email: This action sends an Email notification about the event o the recipient configured in the #admin-alerting section.
Resolve: This action resolves the event and modifies the status to resolved.
Ignore: This action ignores the event and modifies the status to ignored.
Asset: The asset window displays the details of the asset and the history of the asset. You can also choose to view historic asset data. If there are multiple assets in a single violation, you can choose which asset's details must be displayed.
Nightfall Exfiltration for Salesforce helps you to keep tab of the exfiltration activities in your Salesforce orgs. Nightfall leverages Salesforce Shield Real Time Event Monitoring for exfiltration activities across your Salesforce orgs and identifies activities which are in violation to configured policies.
Download of attachments, files, reports and bulk download of objects are all exfiltration event recognised by Nightfall. You can configure policies to set appropriate thresholds for such events and identify them as unwarranted that may require scrutiny. You may configure the policy to alert the stakeholders who need to be notified and choose one of the available actions to be invoked automatically. You may also choose not to configure automated actions but only act after evaluating the specific exfiltration events.
Nightfall exfiltration leverages Salesforce Shield's Event Monitoring to identify exfiltration events. Salesforce Shield provides multiple security tools to safeguard your Salesforce orgs. Nightfall depends on in Salesforce Shield which is available as an independent module within . You must enable the following Event Monitoring settings for all the Salesforce orgs that you wish to monitor,
Generate event log files - Generate an event log file when events occur in your org.
Enable Lightning Logger Events - Enable collection of Lightning Logger Events in custom components.
Enable the following events for storage and streaming
Bulk API Result Event - Track when a user downloads the results of a Bulk API request
File Event - Track file activity. For example, track when a user downloads or previews a file
Report Event - Track when a user accesses or exports data with reports
SessionHijacking Event - Track when an unauthorised user gains ownership of a Salesforce user’s session with a stolen session identifier
You can learn more about Salesforce Shield and once enabled, advance to the next steps with
If you have already onboarded your Salesforce org to Nightfall platform, please ensure you have the latest Nightfall DLP package deployed in your Salesforce org. Follow the steps mentioned in to upgrade it to the latest version.
You must perform the above actions only on those Salesforce orgs in which the Salesforce Shield Event monitoring module is enabled.
The installation procedure remains the same as in case of Salesforce DLP for sensitive data. The links to the installation and upgradation documents are as follows.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click back or click on any specific stage to modify any of the policy configurations.
Click Submit.
Exfiltration policies allow you to monitor download events across your Salesforce environment. Through real-time download monitoring, you can identify insider risk and anomalous behaviour before it escalates to large scale security incidents. The following are supported and monitored by Nightfall for exfiltration activities,
Attachments & Files
Reports
Records & Objects
Download of any of the above information containers is an exfiltration activity for Nightfall, and if such activities breach a threshold set in one of the exfiltration policies in Nightfall, then Nightfall will flag it an exfiltration event. You can configure which users should receive notifications and what automatic actions must be taken when an exfiltration event is detected.
The detailed steps to configure the Salesforce Exfiltration policy is explained in the following documents.
Nightfall Exfiltration prevention for Salesforce allows you to configure alerts at the policy level and also at the integration level. Alerts can be sent in Salesforce by using the following alert channels.
Slack
Webhook
Jira Tickets
When you configure alert settings at the integration level, the alert settings apply to all the policies, created for the Salesforce integration. However, when you configure alert settings specifically for a policy, which is created in the Salesforce integration, the alert settings are applicable only for that specific policy.
You can configure alerts at the integration level once you have installed the Nightfall for Salesforce integration.
To configure alerts at the integration level:
Navigate to the Salesforce integration
Scroll down to the Alerting section.
You can configure one or multiple alert channels.
To configure Slack as an alert channel, click + Slack channel.
In the Slack alert channel field, enter the name of the Slack channel in which you wish to receive the alerts.
Click Save.
A confirmation pop-up box is displayed to confirm if the Slack channel (entered in the second step) must be used only for Salesforce integration or all the Nightfall integrations.
Select No, only integration level to use the Slack channel only for Salesforce, or select Yes, please to use the selected Slack channel for all the Nightfall integrations.
Click + Email.
Enter the Email ID of the recipient who should receive the notifications.
Click Save.
A confirmation pop-up box is displayed to confirm if the Email ID (entered in the second step) must be used only for Salesforce integration or all the Nightfall integrations.
Select No, only integration level to use the Slack channel only for Salesforce, or select Yes, please to use the selected Slack channel for all the Nightfall integrations.
Click + Webhook.
Enter the Webhook URL.
Click Test. If the test result is not successful, check the Webhook URL.
(Optional) Click Add Header to add headers.
Click Save.
When you configure alerts to a Webhook, Nightfall AI sends occasional posts to:
To validate that the Webhook is properly configured before the policy is saved.
Periodically thereafter to ensure that the Webhook is still valid.
The response to the test Webhooks is 200 status code if successful.
An example of Webhook request is as follows.
This is part of alert event consumption and can be ignored.
Click + Jira Ticket.
Select a JIRA project from the Jira Project drop-down menu.
Select an issue type from the Issue Type drop-down menu.
(Optional) Add comments to be added in the JIRA ticket.
Click Save changes.
A confirmation pop-up box is displayed to confirm if the JIRA settings configured for the Salesforce integration must be applied to all the other Nightfall integrations too.
Select No, only integration level to use the configurations only for Salesforce, or select Yes, please to use the selected JIRA configurations for all the Nightfall integrations.
When a Violation occurs, Nightfall sends a notification to the end-user whose actions triggered the violation. While notifying the end-user, Nightfall also sends a text message. You can draft the text message to be sent to the end-user. This message applies to all the policies. Click Save changes once done.
The Scope section enables you to create an asset lineage based policy in which you can track the journey of an asset from source to destination.
Security administrators can set precise exfiltration policies to protect sensitive files that originate from high-value SaaS locations from being exfiltrated to unsanctioned destinations
High performance security teams can focus their energy and resources on monitoring assets from high value SaaS domains.
By combining content download origin to upload destination, organizations can extend their monitoring to cover any cloud application accessed through the browser, even those without direct API integration.
Allows security teams to monitor and prevent data exfiltration not just through direct browser uploads but also through cloud storage sync applications, providing a multi-layered defense against data leaks.
With lineage-based policies, organizations can proactively identify and manage risks associated with sensitive content movement, ensuring compliance with data security standards and preventing potential breaches before they occur.
The Scope page consists of two sections.
By default, Nightfall monitors all the macOS devices configured in your org. However, you can choose to exclude specific macOS devices from being monitored.
If you have a long list of assets, you can search for an asset by entering the device ID of the asset.
The Asset Origin filter allows you to limit the scope of the policy to only those assets which originated from a specific source. To use the asset origin filter, you must click Add Filter and select Asset Origin.
The Asset origin filter provides the following options:
Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.
Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.
In this stage, you select the Integration for which the policy is created. In this case, Salesforce integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Exfiltration.
Select the Salesforce integration.
If the event monitoring module is not setup in Salesforce, event monitoring is displayed as "disabled" on the Scope page as shown in the following image.
The trigger section further enhances the unwanted noise reduction capabilities. With the trigger section, you can
Set what download behavior can be termed as an exfiltration event.
Exclude downloads by trusted apps from being termed as exfiltration events.
In the trigger section, you can set the download behavior, the download frequency to be precise, must be termed as an exfiltration event.
To configure the Trigger section:
Set the minimum number of downloads threshold that must be considered as an exfiltration event.
Set the required time period (frequency). If the minimum download threshold (set in the previous step) is reached or exceeded, within the set time period, an exfiltration event is generated.
In the following image, the configurations are set such that if an asset is downloaded 2 or more times within 10 minutes, an exfiltration event is triggered.
You must set the action frequency carefully. For example, consider that you set the download condition as 5 or more files, within 1 hour. In this case, if a user downloads four assets, every 1 hour, the policy does not trigger a violation, since the condition is not met.
Depending on your environment, a significant number of downloads may be attributed to applications (i.e. backup apps). You may choose to ignore such download events to reduce the noise and focus your monitoring on unexpected application and user download events.
The Exclude apps section allows you to exclude specific applications from being monitored by your policy.
To configure the Exclude apps section, select the applications to exclude from the drop-down menu. Once saved, Nightfall will not alert on download events attributed to the excluded applications.
This document explains how to configure alerts at the integration level. To learn about how to configure alerts at the policy level, read .
To use Slack as an alert platform, you must first perform the required Slack configurations. You can refer to to learn more about how to configure Slack as an Alert platform.
To use Webhook as an alert platform, you must first perform the required Webhook configurations. You can refer to to learn more about how to configure Webhook as an Alert platform.
To use JIRA as an alert platform, you must have the DLP for the JIRA app installed from the . You can read more about the DLP for JIRA integration .
Any Domain: If you select this option, Nightfall monitors the assets originated from any domain, present in any of the .
Domain in: If you select this option, you must additionally also select the domain collections, created in the section. In this case, Nightfall monitors only those assets that originated from a domain, which is a part of any of the selected domain collection(s).
Domain Not in: If you select this option, you must additionally also select the domain collections, created in the section. In this case, Nightfall does not monitor those assets that originated from a domain, which is a part of any of the selected domain collection(s).
This stage allows you to select the notifications channels. If Nightfall detects sensitive data in any of the selected upload channels, the notifications are sent to the recipients configured in this section.
This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.
The alert configurations configured in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the macOS Exfiltration policies, you must configure alerts at the integration level. To learn more about how to configure integration-level policies for the Google Drive integration, read The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to this document for steps..
The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to this document for steps.
The Scope section determines which areas of Nightfall needs to be monitored by Nightfall for Exfiltration. You can choose one or all of the following data types to be monitored.
Attachments & Files
Reports
Records & Objects
After you make the required selection, you can also add filters to monitor specific Salesforce users or Salesforce profiles.
If you have connected multiple Salesforce org, the scope page allows you to select one and only one Salesforce org for the policy.
Nightfall can detect download actions done only from the Salesforce lightning version. Any download action done on the Salesforce Classic version cannot be detected by Nightfall.
In the Data Types section, you must select the Salesforce data types to be monitored. By default, all the three data types are selected. You can choose to either retain all the three data types or clear any of the data types.
It is mandatory to select at least one data type for monitoring.
The Filters section allows you to add additional filters, on top of the selected data types, to narrow down the monitoring scope. Nightfall provides the following two types of filters.
You can choose specific Salesforce users whose activities need to be monitored or excluded from being monitored. Nightfall populates the list of all your users from Salesforce. You need to select either the users whose activities need to be monitored or the users whose activities need to be excluded from monitoring.
To add Users filter, click Add Filter and select Internal Users.
To monitor specific users, select the Monitor specific option. To exclude specific users from being monitored, select the Monitor all, except option.
Nightfall populates the list of Salesforce users in the Search users field. You can select the all the required users.
You can choose specific Salesforce profiles whose activities need to be monitored or excluded from being monitored. Nightfall populates the list of all your Salesforce profiles. You need to select either the profiles whose activities need to be monitored or the profiles whose activities need to be excluded from monitoring.
To monitor specific Salesforce profiles, select the Monitor specific option. To exclude specific Salesforce profiles from being monitored, select the Monitor all, except option.
Nightfall populates the list of Salesforce profiles in the Search profiles field. You can select the all the required users.
Contoso Ltd. uses Salesforce to host their applications. They have three users Steve, Rick, and Matt in their Salesforce org. These users are not Contoso employees. They are employees of Acme corp. which is a prospective customer of Contoso Ltd. Steve, Rick, and Matt are evaluating Constoso's app so that they can check if it meets Acme corp's requirements. Contoso has created a Salesforce profile called Prospective customers and added these three users to this profile
Contoso Ltd. uses Nightfall Salesforce exfiltration and wishes to check if any files with sensitive data is downloaded by any of these three users. They create a Salesforce exfiltration policy to monitor all the data types. They can choose one of the following filter.
They can use the #internal-users filter and add these three users.
They can select the #salesforce-profiles filter and add the Prospective customers profile to it. So, in future if any other prospective customers added, they are also automatically monitored.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click back or click on any specific stage to modify any of the policy configurations.
Click Submit.
This document explains what admins and end-users can do once a policy is violated.
When end-users violate a policy, the Nightfall admin is notified about the incident. The notification channel used to notify the Nightfall admin depends on the settings configured in the #admin-alerting section. If you have not enabled any notification channels in the Admin alerting section, Nightfall admins are not notified.
If you have enabled the email notification in the Admin alerts section, Nightfall admins receive an email. The email is as shown in the following image.
The Email consists of the following data.
Event: The event that caused the violation. For Salesforce, the event is always download of assets.
Who: The Email ID of the user who downloaded the file.
When: The date and time when the email was downloaded.
What: The name of the file that was downloaded.
Policies Violated: The name of the policy that was violated.
Violation Dashboard: The link to the Events screen to view the violation in detail.
Actions: The list of actions that the Nightfall admin can take.
Also, a Slack message is sent if you have enabled the Slack alerts for the Nightfall admin.
End-users receive notifications and remediation actions if the Nightfall admin has enabled these settings. The notifications are based on the settings configured in the #automation section. The end-user remediation actions are based on the settings configured in the #end-user-remediation section.
If you have configured the Email notification for end-users and enabled the end-user remediation, end-users can take remediation actions from the Email itself. The end-user Email is shown in the following image.
If you have configured Slack notifications for end-user and enabled end-user remediation, end-users also get a message in the respective Slack channel configured.
To manage violations in the Nightfall console:
Click Events from the left menu.
Click the Exfiltration tab.
The Exfiltration Events page lists all the exfiltration events. To view events specific to the Salesforce integration:
Click Filters and select + Add Filter.
Select Integration in the Select a filter field.
Select the Salesforce check box in the Select an option field.
Click Apply.
Now, only the Salesforce events are displayed.
To view events with specific statuses, you can click the respective tabs.
To view historic events, click the Time filter and select the required time period.
You can click an event to view the details. The detail view window is as follows.
The detail view window consists of the following tabs.
Summary: The Summary tab displays highlights of the event like the name of the downloaded asset, the name of the violated policy, and the email ID of the user who violated the policy.
Asset: The asset tab displays the details of the asset. You can view details like name of the downloaded asset, size of the downloaded asset, exfiltration action (download), owner's Salesforce ID and IP address. If there are multiple assets in a single violation, you can choose which asset's details must be displayed.
Actor: The actor tab displays the email ID of the Salesforce user who downloaded the asset. You can add notes on this tab which is displayed in the Admin notes section.
The events list view displays an ellipsis menu at the extreme right corner. Admins can click this menu to take appropriate action on an exfiltration event.
The various available actions are explained as follows.
Acknowledge: This action can be taken when you just wish to acknowledge that you have viewed the violation.
Notify Email: This action sends an email notification to the end-user who caused the violation.
Notify Slack: This action sends a Slack notification to the end-user who caused the violation.
Ignore: This action ignored the violation. You can take this action when an event is false positive.
Freeze User: This action freezes the user account and logs them out of Salesforce. Users cannot login until admin unfreezes their account.
Revoke User Permission: This permission revokes the user's download privileges. Users can only view data in Salesforce. This action assigns the Salesforce's Minimum access profile to the user. You can learn more about this profile from this Salesforce document.
Unfreeze User: Once you freeze a user, this action is active. You can unfreeze a freezed user with this action.
Once the action is implemented, the status of the event changes respectively. By default, an event can have one of the following two statuses.
Active: The event has been generated but no action has been taken.
Input Requested: A notification has been sent to the end-user requesting their response.
You can also take action from the event detail view page. The actions are available at the bottom of the detail view page.
This stage allows you to select automated notification channels or actions if a policy violation occurs.
This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.
The alert configurations configured in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the Salesforce Exfiltration policies, you must configure alerts at the integration level. To learn more about how to configure integration-level policies for the Salesforce integration, read Configuring Integration Alerts
The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to the #configure-alerts-at-the-integration-level document.
Automated actions allow you to configure automated remediation actions when an exfiltration attempt is detected by Nightfall policy. Nightfall supports the following automated actions for Salesforce. You can choose to implement the automated action immediately after detecting a download attempt or after some time.
To enable the automated action, you must turn on the respective toggle switch.
This action logs out the user from the Salesforce account. They cannot login until a Salesforce admin revokes the freeze on the account.
You must now select when exactly after detecting the event, the action must be triggered. if you select the Immediately option, the automated action is triggered immediately after the download attempt is made.
If you select the After option, you must select the time gap after which the automated action must be implemented.
This action revokes the permissions of the user. The user can now only view data across al Salesforce pages. They cannot download any data. This action assigns the user Salesforce's minimum access profile. You can learn more about this profile from this Salesforce document.
You must now select when exactly after detecting the event, the action must be triggered. if you select the Immediately option, the automated action is triggered immediately after the download attempt is made.
If you select the After option, you must select the time gap after which the automated action must be implemented.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink www.nightfall.ai with the text Nightfall website, you must write <www.nightfall.ai|Nightfall website>.
The automation settings allow you to send notifications to end users. You can select one or both the notification methods. You must first turn on the toggle switch to use the automation option. The automation notification channels are as follows
Email: This option sends an Email to the user who attempted the download.
Slack: This option sends a Slack message to the user who attempted the download.
End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take, when a violation is detected on by their download attempt. You must turn on the toggle switch to use this option. End-users receive the remediation actions in an Email as an action item. The various available remediation actions for end-users are as follows.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
When end-users report alerts as false positive, you can choose the resolution method to be either Automatic or manual.
If end-users do not take any remediation action, you can set the frequency at which they must receive the notifications to take action.
The Trigger section in Salesforce policies allows you to define the frequency of action that must be considered as an exfiltration event. In case of Salesforce policies, the download frequency is the trigger.
The download frequency can be defined as the number of downloads over a period to time. This allows you to set custom thresholds in terms of number of downloads over a specific period of time and can be useful to identify anomalous download patterns for specific locations, users or content type. This can be set in combination to other scoping capabilities.
In the Actions section, you can define the download action that must be considered as a potential exfiltration attempt by Nightfall. Nightfall allows you to set the frequency of downloads as the action.
To configure Actions:
Click the minimum number of files that must be the download threshold.
Set the time period within which the minimum no. of downloads must be considered as exfiltration event.
In the following case, an exfiltration event is created if, there are 2 or more downloads within a minute.
You must set the action frequency carefully. For example, consider that you set the action condition as 5 or more files, within 1 hour as shown in the following image. In this case, if a user downloads four assets, every 1 hour, the policy does not trigger a violation, since the Action condition does not match. So, a user can keep downloading four files every hour and get away with it.
