Data exfiltration, also known as data theft, data exportation, or data extrusion, is the unauthorized transfer of data from a device or network. It can occur as part of an automated attack or can be performed manually. The illegitimate transfer of data often looks very similar to legitimate transfers, making it difficult to detect.
Data exfiltration can occur in various ways and through multiple attack methods. Here are some of the most commonly used techniques:
Social Engineering and Phishing Attacks: These attacks trick victims into downloading malware and giving up their account credentials.
Outbound Emails: Cybercriminals, employees, or intruders use email to exfiltrate any data that sits on organizations’ outbound email systems.
Downloads to Insecure Devices: Data is transferred by users from secure, trusted systems to an insecure device. From there, the attacker can infiltrate the device and exfiltrate the data.
Uploads to Cloud Storage: Data can be exfiltrated from cloud storage when data is uploaded to insecure or misconfigured resources.
Nightfall provides a highly revolutionised solution to data exfiltration. Nightfall AI's exfiltration prevention capabilities easily integrate with existing tools, thus catering to security teams and companies across industries. Nightfall's exfiltration solution is much more than just a tool; it proactively protects against data breaches, providing tangible benefits for organizations striving to secure their sensitive information.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click back or click on any specific stage to modify any of the policy configurations.
Click Submit.
Nightfall for Windows OS allows you to detect exfiltration events on your Windows OS devices. The Nightfall exfiltration feature can monitor any files being uploaded through supported cloud storage apps or browsers on Windows OS devices.
To use Nightfall for Windows OS, you must install the Nightfall AI agent. This agent monitors your Windows OS device continuously. You can install the agent either manually or through a mobile device management (MDM) tool. You can request the Nightfall deployment bundle, which contains the data required for your MDM deployment.
At this time the Nightfall AI Endpoint Agent does not support the ARM processor architecture. However, ARM compatibility is being prioritized in a future release.
Exfiltration policies allow you to monitor download events across your Google Drive environment. Through real-time download monitoring, you can identify insider risk and anomalous behaviour before it escalates to large scale security incidents. You can monitor download activity for specific users or user groups, specific drives containing valuable sensitive assets, or downloads of any files containing sensitive data types as discovered and classified by Nightfall's ML/AI based detectors.
You can set up your policies to monitor only, to educate users in real-time about your download and data governance policies, or to automatically suspend user access to the Google Workspace to enforce zero tolerance policies.
The detailed steps to configure the Google Drive Exfiltration policy are explained in the following documents.
In this stage, you select the Integration for which the policy is created. In this case, Google Drive integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Nightfall supports exfiltration prevention on endpoint devices, which stops your organization's employees from exfiltrating data out of your organization. This feature is available for devices running macOS and Windows OS.
To monitor a device for exfiltration, you must first install the Nightfall agent on each device that requires monitoring. You can install the Nightfall agent manually on each device, or use an MDM to install it. Once the Nightfall agent is installed, you must create policies to start monitoring; Nightfall monitors the devices according to the rules set in those policies.
You can learn about how to install the Nightfall AI agent for macOS/Windows OS and the process to create policies from the following links.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Click Next.
Select Endpoint.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click back or click on any specific stage to modify any of the policy configurations.
Click Submit.


If you manage Chrome extensions via Google Workspace Admin Console
Before deploying the Nightfall Agent, you must configure Chrome's PolicyMergeList setting in your Google Admin Console. Without this, the Nightfall extension's machine-level Chrome policy will override your existing Google Workspace-managed extensions, causing them to disappear from users' browsers.
To configure PolicyMergeList:
Go to Admin Console → Devices → Chrome → Settings
Search for PolicyMergeList
Select the Organizational Unit that covers your managed devices
In the Configuration field, enter a specific policy name to allow the Nightfall policy to be merged across sources
Click Save
To verify, open Chrome on an affected machine and navigate to chrome://policy. The ExtensionInstallForcelist policy should show Source: Merged
Policy changes can take up to 30 minutes to propagate. You can force a refresh by clicking Reload policies in chrome://policy.
Not sure if this applies to you? If your IT team uses Google Workspace (Google Admin Console) to manage which Chrome extensions are force-installed on employee machines, this applies to you.
Nightfall supports the following agent installation methods for Windows:
Select Exfiltration.
Select the Google Drive integration.


Learn how to install the Nightfall agent on Microsoft Windows OS using the Rippling MDM.
You have the Device Administrator role in Rippling.
Target Windows devices have been onboarded into Rippling MDM.
On your Nightfall console, navigate to and click the Download Package button on the top right corner of the page. Click Download Package for Windows. A file with the .msi extension is downloaded.
Learn how to configure admin alerts in Nightfall exfiltration policies.
This stage allows you to select the notifications channels. If Nightfall detects sensitive data in any of the selected upload channels, the notifications are sent to the recipients configured in this section.
This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.
The alert configurations in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the macOS/Windows OS Exfiltration policies, you must configure alerts at the integration level. To learn more about how to configure integration-level alerts, read .
The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to for steps.
The trigger section further enhances the unwanted noise reduction capabilities. With the trigger section, you can
Set what download behavior can be termed as an exfiltration event.
Exclude downloads by trusted apps from being termed as exfiltration events.
In the trigger section, you set which download behavior (specifically, the download frequency) is treated as an exfiltration event.
To configure the Trigger section:
Set the minimum number of downloads (the threshold) that counts as an exfiltration event.
Set the time period (frequency). If the download threshold set in the previous step is reached or exceeded within this time period, an exfiltration event is generated.
In the following image, the configurations are set such that if an asset is downloaded 2 or more times within 10 minutes, an exfiltration event is triggered.
You must set the action frequency carefully. For example, consider that you set the download condition as 5 or more files, within 1 hour. In this case, if a user downloads four assets, every 1 hour, the policy does not trigger a violation, since the condition is not met.
Depending on your environment, a significant number of downloads may be attributed to applications (e.g. backup apps). You may choose to ignore such download events to reduce the noise and focus your monitoring on unexpected application and user download events.
The Exclude apps section allows you to exclude specific applications from being monitored by your policy.
To configure the Exclude apps section, select the applications to exclude from the drop-down menu. Once saved, Nightfall will not alert on download events attributed to the excluded applications.
Nightfall Exfiltration for Salesforce helps you keep tabs on exfiltration activities in your Salesforce orgs. Nightfall leverages Salesforce Shield Real-Time Event Monitoring to observe activity across your Salesforce orgs and identifies activities that violate your configured policies.
Downloads of attachments, files, and reports, and bulk downloads of objects, are all exfiltration events recognised by Nightfall. You can configure policies to set appropriate thresholds for such events and identify those that are unwarranted and may require scrutiny. You may configure the policy to alert the stakeholders who need to be notified and choose one of the available actions to be invoked automatically. You may also choose not to configure automated actions and instead act only after evaluating the specific exfiltration events.
Nightfall exfiltration leverages Salesforce Shield's Event Monitoring to identify exfiltration events. Salesforce Shield provides multiple security tools to safeguard your Salesforce orgs. Nightfall depends on in Salesforce Shield, which is available as an independent module within . You must enable the following Event Monitoring settings for all the Salesforce orgs that you wish to monitor:
Generate event log files - Generate an event log file when events occur in your org.
Enable Lightning Logger Events - Enable collection of Lightning Logger Events in custom components.
Enable the following events for storage and streaming
You can learn more about Salesforce Shield and once enabled, advance to the next steps with
If you have already onboarded your Salesforce org to Nightfall platform, please ensure you have the latest Nightfall DLP package deployed in your Salesforce org. Follow the steps mentioned in to upgrade it to the latest version.
You must perform the above actions only on those Salesforce orgs in which the Salesforce Shield Event monitoring module is enabled.
The installation procedure is the same as for Salesforce DLP for sensitive data. The links to the installation and upgrade documents are as follows.
Exfiltration policies allow you to monitor download events across your Salesforce environment. Through real-time download monitoring, you can identify insider risk and anomalous behaviour before it escalates to large scale security incidents. The following are supported and monitored by Nightfall for exfiltration activities,
Attachments & Files
Reports
Records & Objects
A download of any of the above information containers is an exfiltration activity for Nightfall, and if such activity breaches a threshold set in one of the Nightfall exfiltration policies, Nightfall flags it as an exfiltration event. You can configure which users should receive notifications and what automatic actions must be taken when an exfiltration event is detected.
The detailed steps to configure the Salesforce Exfiltration policy are explained in the following documents.
Learn about the advanced setting options present in the Nightfall exfiltration policy for Mac devices.
The advanced settings page allows you to configure notifications for Nightfall admins and end-users. Additionally, you can configure automated actions. The various configurations available in the advanced settings page are described in the following sections.
In this stage, you select the Integration for which the policy is created. In this case, Salesforce integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Exfiltration.
Select the Salesforce integration.
If the event monitoring module is not set up in Salesforce, event monitoring is displayed as "disabled" on the Scope page, as shown in the following image.
Learn about Nyx, Nightfall's AI-powered Copilot.
Nyx is Nightfall’s AI-powered DLP Copilot, designed to help you quickly investigate and understand exfiltration risks. She can surface patterns, summarize user activity, and suggest next steps — all through a simple natural-language conversation.
Click the Comet Icon: In the upper right corner of your Nightfall dashboard, click the comet icon to open Nyx.
Learn more about how automated actions work in a Nightfall exfiltration policy.
This section describes the various actions that Nightfall takes automatically when an exfiltration attempt is detected. This automated action is triggered when the condition set in the section is violated.
The automated action supported by Nightfall is described as follows.
This action automatically blocks the process of file transfer thus preventing an exfiltration attempt. You can use this action to prevent the upload of files with sensitive data, to web browsers or cloud storage apps. You must enable the toggle switch to activate the automated action.
The Scope section determines which areas of Nightfall needs to be monitored by Nightfall for Exfiltration. You can choose one or all of the following data types to be monitored.
Attachments & Files
Reports
The Trigger section in Salesforce policies allows you to define the frequency of action that must be considered an exfiltration event. In Salesforce policies, the download frequency is the trigger.
The download frequency is defined as the number of downloads over a period of time. This allows you to set custom thresholds in terms of the number of downloads over a specific period of time, which can be useful to identify anomalous download patterns for specific locations, users, or content types. This can be set in combination with the other scoping capabilities.
In the Actions section, you can define the download action that must be considered as a potential exfiltration attempt by Nightfall. Nightfall allows you to set the frequency of downloads as the action.
Learn how to configure end user notifications in Nightfall exfiltration policies.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
Enter a custom message to be sent to the end user. This message is sent in an Email or a Slack message. You can modify the default message provided by Nightfall and draft your own. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink https://www.nightfall.ai with the text Nightfall website, you must write < | Nightfall website>.
From UEM, navigate to Groups & Settings > Groups > Assignment Groups > click "+ Add Smart Group" and follow the prompts
Download "NightfallAgent.msi" from the Nightfall console:
Log into Nightfall > Integrations > Manage (Endpoint Windows) > click "Download Package" > click "Download Package for Windows"
Unpack the file.
Additionally, take note of the install command for Windows machines. This will need to be copied later.
This step deploys both the agent and the extension via the same MSI file.
Log into Workspace ONE UEM
Navigate to Resources > Native Apps > click "Add" > select "Application File"
Click "Upload" > click "Choose File" > select "NightfallAgent.msi" > click "Save"
Click "Continue"
Under Details tab > Supported Processor Architecture > Select "64-bit"
Navigate to the Deployment Options tab > Locate "Install Command"
Paste the command from the Nightfall console into "Install Command".
Click "Save & Assign"
Set a Name for the Distribution.
Choose an Assignment Group. NOTE: Use the group that was created from the Prerequisites section.
Decide if the App Delivery Method should be Auto or On Demand. For a manual trigger use On Demand.
Click "Create" > click "Save" > click "Publish"
Bulk API Result Event - Track when a user downloads the results of a Bulk API request
File Event - Track file activity. For example, track when a user downloads or previews a file
Report Event - Track when a user accesses or exports data with reports
SessionHijacking Event - Track when an unauthorised user gains ownership of a Salesforce user’s session with a stolen session identifier
Click Upload Software on the right of the pane and provide the following details.
Name: “Nightfall Endpoint DLP Agent <version>”
<version> is the version of the package you received from Nightfall.
Operating System: “Windows”
Category: “My Uploads” (Default)
Description: “Nightfall Endpoint DLP Agent”.
Upload Icon: use the .png icon file provided.
Upload Installer File: Drop or select the downloaded NightfallAgent.msi file.
Under Silent arguments add /qn /norestart API_KEY="" COMPANY_ID="" INSTALL_NF_DRIVER="1", where the content of API_KEY and COMPANY_ID are the values provided to you by Nightfall. Note that these values must be enclosed in double quote (") characters.
Click Submit.
You will receive an email from Rippling with the subject: “Your recently uploaded custom software is processing”
After a period of time (typically less than 1 hour), you will receive an email from Rippling: “Your recently uploaded custom software has been processed successfully!”
You may now proceed to step 2 to deploy the agent.
Click Add on the newly created Software Item in the Rippling Software Catalog.
Click Finished Selecting.
Search or scroll to the newly added item matching the name you used in the previous step.
Click Edit
Select all employees or specific target devices.
The Nightfall Endpoint DLP Agent will now deploy to all selected target devices. This may take up to 72 hours and depends on the endpoint devices being turned on and connected.
Start Conversing: Type your question in plain English — no special syntax required.
“What are my most common exfiltration patterns?”
“Summarize Bob’s activity over the last 7 days.”
“What are my most frequent upload domains? Put results in a table.”
"Write an email to Bob's supervisor for me."
Nyx can process up to 100 exfiltration events at a time.
Available for endpoint customers only. Support for other event types coming soon.
Your feedback will directly shape Nyx’s future! After trying her out, let us know what works well and what could be improved.
The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to this document for steps.
Automated actions allow you to configure automated remediation actions when an exfiltration attempt is detected by Nightfall policy. Nightfall supports the following automated actions for Google Drive. You can choose to implement the automated action immediately after detecting a download attempt or after some time.
Suspend Account: This action suspends the user's account who tried to download files and triggered the exfiltration event.
To enable the automated action, you must turn on the respective toggle switch.
You must now select when exactly, after detecting the event, the action must be triggered. If you select the Immediately option, the automated action is triggered immediately after the download attempt is made.
If you select the After option, you must select the time gap after which the automated action must be implemented.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink www.nightfall.ai with the text Nightfall website, you must write <www.nightfall.ai|Nightfall website>.
The automation settings allow you to send notifications to end users. You can select one or both of the notification methods. You must first turn on the toggle switch to use the automation option. The automation notification channels are as follows:
Email: This option sends an Email to the user who attempted the download.
Slack: This option sends a Slack message to the user who attempted the download.
End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take when a violation is triggered by their download attempt. You must turn on the toggle switch to use this option. End-users receive the remediation actions in an Email as an action item. The available remediation actions for end-users are as follows.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
When end-users report alerts as false positive, you can choose the resolution method to be either Automatic or manual.
If end-users do not take any remediation action, you can set the frequency at which they must receive the notifications to take action.
You can configure the Scope section and the Trigger section such that you can leverage this feature to:
Block transfer based on file origin: Block the upload of files downloaded from highly sensitive SaaS applications.
Block transfer based on destination: Allow uploads only to sanctioned destinations.
Combine origin and destination: Create powerful DLP policies that factor in both where files came from and where they are headed.
Currently, this action is supported only for Mac devices.
Some use-case scenarios in which you can use the automatic Block action are as follows.
Employees access confidential reports from an internal data repository and attempt to upload them to personal iCloud or unsanctioned personal email service.
Solution
Configure the filters in the Scope section to scope the policy to include domains to be monitored (for instance your organization *.drive.google.com or *.force.com). Now, any file(s) downloaded from the configured domain(s) are monitored. Configure the Trigger section to trigger an exfiltration action when an attempt is made to upload the downloaded file to an unsanctioned destination (for instance to personal iCloud or a non corporate sanctioned domain). Finally, enable the Block automated action.
In this scenario, if a user downloads a file from an organization's Google Drive or Salesforce and attempts to upload it to their personal iCloud, the action is blocked and user gets the following error message.
Other similar scenarios include:
A health department which prevents employees from uploading customer health data, downloaded from organization's domain, to employees' personal Google Drive, OneDrive, or any supported cloud storage app.
An employee working on code repository of an organization, attempting to upload a file to developer forums, LLM services, or generative AI apps like ChatGPT.
An organization allows employees to store work documents only in corporate-managed OneDrive or Google Drive but wants to prevent uploads to personal accounts.
Solution
Configure the filters in the Scope section to scope the policy to include domains to be monitored (for instance your organization Google Drive or OneDrive). Now, any file(s) downloaded from the configured domain(s) are monitored. Configure the Trigger section to monitor only unsanctioned domains. Finally, enable the Block automated action. Now any attempt to upload a file to sanctioned domains is allowed.
After you make the required selection, you can also add filters to monitor specific Salesforce users or Salesforce profiles.
If you have connected multiple Salesforce orgs, the scope page allows you to select one and only one Salesforce org for the policy.
Nightfall can detect download actions performed only from the Salesforce Lightning version. Any download action performed in the Salesforce Classic version cannot be detected by Nightfall.
In the Data Types section, you must select the Salesforce data types to be monitored. By default, all the three data types are selected. You can choose to either retain all the three data types or clear any of the data types.
It is mandatory to select at least one data type for monitoring.
The Filters section allows you to add additional filters, on top of the selected data types, to narrow down the monitoring scope. Nightfall provides the following two types of filters.
You can choose specific Salesforce users whose activities need to be monitored or excluded from being monitored. Nightfall populates the list of all your users from Salesforce. You need to select either the users whose activities need to be monitored or the users whose activities need to be excluded from monitoring.
To add Users filter, click Add Filter and select Internal Users.
To monitor specific users, select the Monitor specific option. To exclude specific users from being monitored, select the Monitor all, except option.
Nightfall populates the list of Salesforce users in the Search users field. You can select all the required users.
You can choose specific Salesforce profiles whose activities need to be monitored or excluded from being monitored. Nightfall populates the list of all your Salesforce profiles. You need to select either the profiles whose activities need to be monitored or the profiles whose activities need to be excluded from monitoring.
To monitor specific Salesforce profiles, select the Monitor specific option. To exclude specific Salesforce profiles from being monitored, select the Monitor all, except option.
Nightfall populates the list of Salesforce profiles in the Search profiles field. You can select all the required profiles.
Contoso Ltd. uses Salesforce to host their applications. They have three users, Steve, Rick, and Matt, in their Salesforce org. These users are not Contoso employees; they are employees of Acme Corp., which is a prospective customer of Contoso Ltd. Steve, Rick, and Matt are evaluating Contoso's app to check whether it meets Acme Corp.'s requirements. Contoso has created a Salesforce profile called Prospective customers and added these three users to this profile.
Contoso Ltd. uses Nightfall Salesforce exfiltration and wishes to check whether any files with sensitive data are downloaded by any of these three users. They create a Salesforce exfiltration policy to monitor all the data types. They can choose one of the following filters.
They can use the Internal Users filter and add these three users.
They can select the Salesforce Profiles filter and add the Prospective customers profile to it. Then, if any other prospective customers are added to the profile in future, they are also automatically monitored.
Unpack the zip file provided and locate the NightfallAI_Profile.mobileconfig file in the Profiles folder.
Navigate to Management > Configuration Profiles.
Click the Upload button and upload NightfallAI_Profile.mobileconfig.
Configure the settings for your configuration profile.
In the Scope tab, add the target devices or device groups to which this profile should be deployed.
Click Save.
Once assigned, the profile will be automatically deployed to target machines.
On Mosyle, navigate to Management > Install PKG > CDN.
Upload the nightfall-ai-agent-signed.pkg.
This creates a unique CDN reference, e.g.: %MosyleCDNFile:d4d8f767-3f99-4747-8041-253ea90c462d%
Unpack the zip file provided and locate the mdm_pre_installation_check_script.sh file in the mdm_scripts folder.
On Mosyle, navigate to Management > Custom Commands.
Paste the content of mdm_pre_installation_check_script.sh into the script editor.
Update the script as follows:
Remove the exit 0 line at the bottom of the script.
Append the following block at the end of the script:
Target the command to the desired device group.
Click Save.
Upload the new version of the .pkg file to the same Install PKG entry in Mosyle.
Update the CDN variable in the script accordingly.
Re-save the custom command profile to trigger an update on target devices.
To configure Actions:
Select the minimum number of files that must be downloaded to reach the threshold.
Set the time period within which the minimum number of downloads must occur to be considered an exfiltration event.
In the following case, an exfiltration event is created if there are 2 or more downloads within a minute.
You must set the action frequency carefully. For example, consider that you set the action condition as 5 or more files, within 1 hour as shown in the following image. In this case, if a user downloads four assets, every 1 hour, the policy does not trigger a violation, since the Action condition does not match. So, a user can keep downloading four files every hour and get away with it.
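The threshold-within-a-time-period trigger described above (and in the Trigger section for endpoint policies), together with the Exclude apps option, can be modelled as a per-user sliding window. The following is an added example written for this page, not Nightfall's own code; the sample download events are constructed, and the choice to reset a user's window after an event fires is an assumption about how one burst maps to one event.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _t(hour, minute):
    """Timestamp helper for the constructed sample (one calendar day)."""
    return datetime(2024, 1, 15, hour, minute)


# Constructed sample download events, not real Nightfall telemetry.
# Each tuple: (timestamp, user, application that performed the download, asset)
SAMPLE_EVENTS = [
    # alice: four downloads every hour, never five inside any 60-minute window
    (_t(9, 0), "alice", "Chrome", "q1-forecast.xlsx"),
    (_t(9, 15), "alice", "Chrome", "q2-forecast.xlsx"),
    (_t(9, 30), "alice", "Chrome", "q3-forecast.xlsx"),
    (_t(9, 45), "alice", "Chrome", "q4-forecast.xlsx"),
    (_t(10, 1), "alice", "Chrome", "board-deck.pptx"),
    (_t(10, 16), "alice", "Chrome", "pricing.pdf"),
    (_t(10, 31), "alice", "Chrome", "contracts.zip"),
    (_t(10, 46), "alice", "Chrome", "customers.csv"),
    # bob: a burst of five downloads in eight minutes
    (_t(11, 0), "bob", "Chrome", "hr-roster.xlsx"),
    (_t(11, 2), "bob", "Chrome", "payroll.csv"),
    (_t(11, 4), "bob", "Chrome", "salaries.pdf"),
    (_t(11, 6), "bob", "Chrome", "reviews.docx"),
    (_t(11, 8), "bob", "Chrome", "org-chart.pdf"),
    # carol: six downloads by a backup tool that a policy may exclude
    (_t(12, 0), "carol", "BackupApp", "notes-1.txt"),
    (_t(12, 1), "carol", "BackupApp", "notes-2.txt"),
    (_t(12, 2), "carol", "BackupApp", "notes-3.txt"),
    (_t(12, 3), "carol", "BackupApp", "notes-4.txt"),
    (_t(12, 4), "carol", "BackupApp", "notes-5.txt"),
    (_t(12, 5), "carol", "BackupApp", "notes-6.txt"),
]


def find_exfiltration_events(events, threshold, window, excluded_apps=frozenset()):
    """Apply a 'threshold downloads within window' trigger per user.

    events        : iterable of (timestamp, user, app, asset)
    threshold     : minimum number of downloads that counts as an event
    window        : timedelta; downloads older than ts - window are evicted
    excluded_apps : apps whose downloads are ignored (the Exclude apps setting)

    Returns a list of (user, trigger_time, downloads_in_window), one entry per
    time a user's recent downloads reach the threshold. Assumption: the user's
    window is cleared after an event fires, so one burst yields one event.
    """
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    triggered = []
    for ts, user, app, _asset in sorted(events, key=lambda e: e[0]):
        if app in excluded_apps:
            continue  # trusted application: never contributes to the count
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop downloads that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            triggered.append((user, ts, len(q)))
            q.clear()
    return triggered


def main():
    one_hour = timedelta(hours=1)
    # Policy as in the text: 5 or more files within 1 hour, backup tool excluded.
    for user, when, n in find_exfiltration_events(SAMPLE_EVENTS, 5, one_hour, {"BackupApp"}):
        print(f"{when:%H:%M} exfiltration event: {user} downloaded {n} files within 1 hour")
    # alice's steady four-per-hour pattern produces no event under that policy;
    # lowering the threshold to 4 is what makes it visible.
    for user, when, n in find_exfiltration_events(SAMPLE_EVENTS, 4, one_hour, {"BackupApp"}):
        print(f"{when:%H:%M} (threshold 4) {user}: {n} files")


if __name__ == "__main__":
    main()
```

Running it shows only bob's burst under the 5-per-hour policy, while alice's four-per-hour pattern only surfaces once the threshold is lowered to 4, which is the gap the paragraph above warns about.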
You can select Email, Slack, or both as automated notification methods; turn on the toggle switch to use this option. End-users then receive notifications by Email, Slack, or both, depending on the options enabled.
End-User Remediation (also known as Human Firewall) allows you to configure remediation measures that end-users can take when an exfiltration event is triggered due to their actions. You must turn on the toggle switch to use this option. When you configure end-user remediation, the user whose actions triggered the exfiltration event receives a notification from Nightfall. This notification provides details of the user's actions that caused the exfiltration along with your custom message. End-users can take appropriate actions.
Nightfall supports the following remediation actions for end-users.
Provide Business Justification: This option allows end-users to add a descriptive note on the file transfer or exfiltration event, giving you more context into the transfer. The user input is delivered directly to the console for review, saving you time and helping you assess the risk of the data transfer based on the additional user input.
When an end-user decides to provide a business justification, the following screen is displayed.
Based on the user response, the Exfiltration Event is updated.
The other options available to be configured in this section are:
When a Violation is Reported as False Positive (justified): You can use this option to set actions to be taken when input has been provided by the end-user. You can automatically ignore violations for which the user has provided input.
Remind Every (until Violation expires): You can use this option to adjust the frequency at which Nightfall should remind the user to provide context into their data transfer. You can choose to remind the end user every 24, 48, or 72 hours.
Nightfall for macOS allows you to detect exfiltration events on your macOS devices. The Nightfall exfiltration feature can monitor any files being uploaded through supported cloud storage apps or browsers on macOS devices.
To use Nightfall on macOS, you’ll need to install the Nightfall AI agent. You can install it manually for testing or evaluation purposes, or automate the install through MDM.
Apple requires the use of MDM profiles for applications like Nightfall AI to obtain the necessary permissions to function properly. While you can grant these permissions manually, there is no supported or scriptable alternative to an MDM solution for seamless, unattended deployment at scale.
If you manage Chrome extensions via Google Workspace Admin Console
Before deploying the Nightfall Agent, you must configure Chrome's PolicyMergeList setting in your Google Admin Console. Without this, the Nightfall extension's machine-level Chrome policy will override your existing Google Workspace-managed extensions, causing them to disappear from users' browsers.
To configure PolicyMergeList:
Nightfall supports the following agent installation methods for macOS:
You can install the Nightfall AI macOS agent in stealth (hidden) mode. Installing the agent in stealth mode hides its visible UI elements once it is installed: the Nightfall status bar icon is not shown, and the Nightfall application is not visible in the Applications folder when viewed in Finder.
Covert Monitoring: If an organization suspects an employee of exfiltrating sensitive data, they can install the agent in stealth mode to monitor the employee's asset without the employee's knowledge.
Ensuring Bias-Free Compliance: An organization wishes to confirm if their employees are adhering to HIPAA/PCI compliances; they can install the agent in stealth mode without giving any indication to their employees (which can prompt a change in their behavior).
Prevent User Distractions: Organizations that do not wish to distract their users with the agent's presence and monitoring can deploy in stealth mode.
In the mdm_pre_installation_script.sh file, find the hide_status_icon flag.
Set the flag to true. By default, the flag is set to false.
Stealth mode hides the agent only from the UI. Employees can still find Nightfall from Terminal, for example by listing the Applications folder.
Nightfall supports automatic endpoint updates. With this feature, Nightfall delivers the majority of endpoint agent bug fixes and feature updates directly to endpoints.
Features:
Stay Secure: Receive the latest security patches and updates promptly, reducing the risk of vulnerabilities being exploited.
Remain Compatible: Keep your deployment compatible with the latest operating system updates and other software changes.
Receive New Features: You get access to new features and improvements to exfiltration monitoring without manual intervention.
This document explains the steps to install the Nightfall for Google Drive.
To install the Nightfall DLP for Google Drive integration, you must have the following:
A Google Workspace account, preferably a service account.
An admin user account of your organization's Google Workspace account (or any other Google Workspace account) on which you wish to install the integration.
To install Nightfall for Google Drive:
Log in to Nightfall.
Click Google Drive under the MY INTEGRATIONS section (click Show more if you are unable to view Google Drive)
Click Begin Setup.
The access permission page is displayed as follows. Copy the Client ID and the Scopes it shows. Domain-wide delegation grants that Client ID access to your users' data for exactly those scopes, so add only the scopes listed here.
Log in to your Google Workspace with an admin account.
Click the menu icon.
Select Admin.
In the Admin console left pane, expand Security and then expand Access and data control.
Click API controls.
Click MANAGE DOMAIN WIDE DELEGATION under Domain wide delegation.
Click Add New.
Paste the Client ID copied from the Nightfall app, in the Client ID field.
Paste the Scopes copied from the Nightfall app into the OAuth Scope field, separating multiple scopes with commas.
Click AUTHORIZE.
Return to the Nightfall app and click Next Step.
Click Connect.
Once the installation is completed, you can view the details of your Google Drive in the Nightfall app.
Once the installation is completed, Nightfall connects to your Google Workspace account and fetches all the domains. In the above image, you can see that 3 domains are fetched. These three domains were already present in your Google Workspace and are considered to be internal. You can add additional domains by clicking the ellipsis menu at the right end and selecting Manage Domains.
Below is a step-by-step guide to deploy the Nightfall Endpoint DLP agent for macOS using PDQ's SimpleMDM.
Enroll devices in PDQ SimpleMDM
Create a Device Group with the respective macOS machines assigned to it
Download and unpack Nightfall's install package from the console:
Integrations > Manage (Endpoint macOS) > Download Package > click "Download Package"
PDQ SimpleMDM cannot run a job that deploys items in a specific order, so follow the steps below in the order given to make sure the agent has the appropriate permissions at install time.
From within SimpleMDM, navigate to Scripts > click “Scripts” > click “Create Script”
Name: Nightfall Pre-Installation Script
Click “Choose File”
Navigate to Configs > click “Profiles” > click “Create Profile”
Select “Custom Configuration Profile”
Name: Nightfall Profile
Navigate to Apps & Media > click “Catalog” > click “Add App” > select “Custom App”
From the mac_bundle folder, locate the “nightfall-ai-agent-signed.pkg” > click “Open”
Click the “Groups” tab > click “Assign Groups”
Create a job.
Navigate to Scripts > click “Job” > click “Create Job”
Name: Deploy Nightfall Pre-Install Script
Script: Select the “Nightfall Pre-Installation Script”
Run on: Select the Group
Run Options: Select “Run ASAP”
Click “Create”
In testing there were issues with profile deployment unless this was unchecked.
Mobileconfig: Click “Choose File”
From the mac_bundle folder, navigate to “profiles” > select “NightfallAI_Profile_with_Browser_Extensions.mobileconfig”
OS: Only select “macOS”
Navigate to the “Groups” tab
Click “Assign Group”
Select the group > click “Assign”
Navigate back to “Profile” tab > click “Save”
Install Type: Auto
Groups: (select group)
Click “Assign”
Click “Done”
Go to Admin Console → Devices → Chrome → Settings
Search for PolicyMergeList
Select the Organizational Unit that covers your managed devices
In the Configuration field, enter the name of the policy to be merged across sources, ExtensionInstallForcelist, so that merging is scoped to the one policy Nightfall needs
Click Save
To verify, open Chrome on an affected machine and navigate to chrome://policy. The ExtensionInstallForcelist policy should show Source: Merged
Policy changes can take up to 30 minutes to propagate. You can force a refresh by clicking Reload policies in chrome://policy.
Not sure if this applies to you? If your IT team uses Google Workspace (Google Admin Console) to manage which Chrome extensions are force-installed on employee machines, this applies to you.
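The effect of PolicyMergeList on ExtensionInstallForcelist can be modelled with the following added example (not Chrome's, Google's or Nightfall's code). It assumes Chrome's default precedence on macOS, where platform (MDM-delivered) policy beats cloud (Google Admin Console) policy, and that a list policy is merged across sources only when its name is in the merge list; the source names, the effective_policies and forcelist_with helpers and the extension IDs are placeholders for illustration.

```python
# Chrome's default precedence on macOS: platform (MDM) policy beats cloud (Admin Console) policy.
# This order is an assumption of the model; CloudPolicyOverridesPlatformPolicy can change it.
SOURCES_BY_PRECEDENCE = ("platform", "cloud")

UPDATE_URL = "https://clients2.google.com/service/update2/crx"  # Chrome Web Store update URL

# Constructed sample policies. The extension IDs are placeholders, not real IDs.
PLATFORM_POLICY = {  # delivered by the Nightfall .mobileconfig through MDM
    "ExtensionInstallForcelist": [f"nightfall-extension-id-placeholder;{UPDATE_URL}"],
}
CLOUD_POLICY = {  # delivered by Google Workspace Admin Console
    "ExtensionInstallForcelist": [
        f"password-manager-id-placeholder;{UPDATE_URL}",
        f"sso-helper-id-placeholder;{UPDATE_URL}",
    ],
}


def effective_policies(sources, merge_list):
    """Resolve {source: {policy: value}} into {policy: (value, source_label)}.

    For each policy the highest-precedence source wins outright, unless the
    policy is a list policy named in merge_list, in which case the lists from
    every source are concatenated in precedence order (duplicates dropped) and
    the source label is "Merged", matching what chrome://policy reports.
    """
    resolved = {}
    names = {name for policy in sources.values() for name in policy}
    for name in names:
        per_source = [(src, sources[src][name])
                      for src in SOURCES_BY_PRECEDENCE if name in sources.get(src, {})]
        mergeable = name in merge_list and all(isinstance(v, list) for _, v in per_source)
        if mergeable and len(per_source) > 1:
            merged = []
            for _, values in per_source:
                merged.extend(v for v in values if v not in merged)
            resolved[name] = (merged, "Merged")
        else:
            src, value = per_source[0]  # highest-precedence source wins
            resolved[name] = (value, src)
    return resolved


def forcelist_with(merge_list):
    """Effective ExtensionInstallForcelist as (value, source) for a given PolicyMergeList."""
    sources = {"platform": PLATFORM_POLICY, "cloud": CLOUD_POLICY}
    return effective_policies(sources, merge_list)["ExtensionInstallForcelist"]


if __name__ == "__main__":
    # Without the merge: the MDM list wins and the Workspace-managed extensions vanish.
    print(forcelist_with([]))
    # With ExtensionInstallForcelist in PolicyMergeList: all three extensions are force-installed.
    print(forcelist_with(["ExtensionInstallForcelist"]))
```

The first call reproduces the failure described above (only the Nightfall entry survives); the second shows why chrome://policy should report Source: Merged once the setting has propagated.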
Minimize Administrative Overhead: IT administrators don't need to manually deploy updates to each endpoint, saving time and resources.
Block to append to the end of the Mosyle custom command script (from the Mosyle steps above):
# Define variables
PKG_URL="%MosyleCDNFile:<your-pkg-id-here>%" # Replace with your actual Mosyle CDN variable
SAVE_DIR="$(mktemp -d)" # Private temp dir: installer runs as root, so avoid a predictable world-writable /tmp path
SAVE_PATH="$SAVE_DIR/nightfall-ai-agent-signed.pkg"
# Download, verify the package signature, then install (curl -f fails on an HTTP error instead of saving an error page as the .pkg)
curl -fsSL "$PKG_URL" -o "$SAVE_PATH" \
  && pkgutil --check-signature "$SAVE_PATH" \
  && installer -pkg "$SAVE_PATH" -target /
rm -rf "$SAVE_DIR"
# Do NOT include `exit 0` or `exit 1`
From UEM, navigate to Groups & Settings > Groups > Assignment Groups > click "+ Add Smart Group" and follow the prompts
Download "mac_bundle.zip" from the Nightfall console:
Log into Nightfall > Integrations > Manage (Endpoint macOS) > click "Download Package" > click "Download Package for macOS"
Unpack the file.
The steps below will immediately push to the Assignment Group what is being published at that time. To deploy everything at once and in a specific flow, use the Freestyle Orchestrator feature.
This guide does not cover the Freestyle Orchestrator Workflow.
This step deploys one script - the pre_installation_script. The "pre installation script" ensures the machine is in a clean state for the Nightfall install and wipes any preexisting Nightfall installations.
From UEM, navigate to Resources > Scripting > Scripts > click "Add" > select "macOS"
Add the Nightfall Pre-Installation Script:
Name the script "Nightfall Pre-Installation Script" and add a description.
Confirm the language is "Bash".
Click "Upload" > navigate to "mac_bundle" > "mdm_scripts" > and select the mdm_pre_installation_script.sh > click "Open" > click "Next"
Click "Save".
Assign the Pre-Installation Script to the smart group.
From the Scripts page > select the "Nightfall Pre-Installation Script" > click "Assign"
Click "New Assignment" at the top-left.
This step deploys the mobileconfig profile to push the browser extension and to give permissions to the agent. Always make sure this step takes place before Step 3 - deploying the PKG.
From Workspace ONE UEM, navigate to Resources > Profiles & Baselines > Profiles
Click the "Add" dropdown > select "Upload Profile" > Select platform: "Apple macOS"
Select "Device Profile" (if desired)
Click "Upload" > "Choose File" > navigate to mac_bundle > profiles
Select the mobileconfig entitled, NightfallAI_Profile_with_Browser_Extensions.mobileconfig
NOTE: If the "with_browser_extensions" file is not selected it will not deploy the Nightfall extension within the browser and key functionality of Nightfall could be lost.
Click "Save" > click "Continue".
Under "Smart Groups", assign target devices by adding the group previously created from the Prerequisite steps. NOTE: All other settings are optional and depend upon your organization's preference.
Click "Save and Publish"
Review to confirm that the device assignment is correct.
Click "Publish"
Once published, the profile will be automatically deployed to target machines.
The Profiles page needs to be refreshed to see the new profile. Come back to this page and click "View" to see the status of the deployment.
This step deploys the PKG, which pushes out the agent to the targeted devices.
From UEM, navigate to Resources > Apps > Native Apps
Click "Add" dropdown > select "Application File"
Click "Upload" > tick "Local File" > Click "Choose File" > select nightfall-ai-agent-signed.pkg > click "Open" > click "Save" > click "Continue"
Select the preferred Deployment Type as "Full Software Management"
Download and run the Workspace One Admin Assistant and follow the steps to generate a .plist for the Nightfall PKG.
Click "Upload" > click "Choose File" > navigate to the plist file > click "Open" > click "Save"
Click "Continue" > navigate to the "Images" tab > drag over the Nightfall icon generated
Click "Save & Assign"
Name the Distribution and add a description.
Choose the same "Assignment Group" as in Step 2.
Adjust the "App Delivery Method" accordingly > click "Create"
Click "Save"
Review the devices being deployed to, and if correct click "Publish".
Nightfall upgrades the agents automatically when the latest version is available from the console. To push a newer version from Workspace One UEM out-of-band simply perform Step 3 again by uploading a new package.
Once a managed package is uploaded, as in Step 3, it is not possible to upload another package within the already created app. A newly created Native App will be required.
Ensure that Windows endpoint has been enabled on your Nightfall tenant.
Download the Nightfall AI Agent installer, NightfallAgent.msi, from the Nightfall portal: Integrations -> Endpoint Windows -> Manage -> Download Package -> Download Package For Windows.
Navigate to https://app.nightfall.ai/policies/setup > Exfiltration > Endpoint (optional).
Copy the downloaded NightfallAgent.msi to a folder on the target machine.
Run the Installer:
Launch CMD as an Administrator.
Navigate to the folder where NightfallAgent.msi was downloaded, for example cd C:\users\<username>\Downloads\ (update the path accordingly).
Copy the installation command from the Nightfall portal: Integrations -> Endpoint Windows -> Manage -> Download Package -> "To install, run the command as admin". This command includes the command-line parameters the agent needs to communicate with your Nightfall tenant.
Paste the msiexec installation command into CMD and press Enter.
The installation starts in silent mode.
Verify Installation
Once installation is complete, check if the agent is running:
Open Task Manager (Ctrl + Shift + Esc).
Look for the Nightfall Agent and NightfallUI processes under the Processes tab.
Confirm the Nightfall agent is configured for your Nightfall tenant:
On the Windows machine, double-click the Nightfall agent icon in the status bar. The displayed UUID should match your Nightfall tenant UUID, located under https://app.nightfall.ai/settings/.
In the Nightfall console, the newly configured device should be listed under https://app.nightfall.ai/endpoint.
The Nightfall AI Agent should now be successfully installed, running on your Windows machine, and connected to your Nightfall tenant. If you run into any issues, please contact Nightfall AI support.
This guide provides instructions for deploying the Nightfall AI Endpoint Agent to macOS devices via JumpCloud MDM. It recommends Software Management (Private Repository) as the preferred method, while also documenting an alternative method using Commands with a hosted .pkg.
macOS devices enrolled in JumpCloud MDM.
Deployment assets:
Configuration profile (default, recommended): NightfallAI_Profile_with_Browser_Extensions.mobileconfig
Always use the default profile with browser extensions:
In JumpCloud Admin Portal → Device Management → Policy Management → Configuration Profiles.
Create a new macOS Custom Configuration Profile.
Upload NightfallAI_Profile_with_Browser_Extensions.mobileconfig.
The Nightfall agent will only install correctly if the required .mobileconfig profile has been deployed beforehand.
First, run the pre-install script as a Command:
In JumpCloud Admin Console → Device Management → Commands → + Command (macOS).
Attach both scripts:
Important: Always run the script Command first before assigning the managed .pkg. This ensures proper environment setup and avoids unnecessary reinstalls.
nightfall-ai-agent-signed.pkg
Use this method if you want scripts and installation tightly coupled.
In JumpCloud Admin Console → Device Management → Commands → + Command (macOS).
Attach both scripts:
mdm_pre_installation_script.sh
Paste the following command (update PKG_URL):
Software Management: Check JumpCloud’s app inventory to confirm installation.
Commands: View Commands → Results for logs and exit codes.
On-device: check /var/log/nightfall_install.log.
Default: Use Software Management (Private Repository) with a script Command run first for environment prep.
Alternative: Use Commands + hosted .pkg only if you need script-driven installs inline or cannot use the Private Repository.
Nightfall for Google Drive allows you to configure alerts at the policy level and also at the integration level. Alerts can be sent in Google drive by using the following alert channels.
Slack
Webhook
Jira Tickets
When you configure alert settings at the integration level, the alert settings apply to all the policies, created for the Google Drive integration. However, when you configure alert settings specifically for a policy, which is created in the Google Drive integration, the alert settings are applicable only for that specific policy.
This document explains how to configure alerts at the integration level. To learn about how to configure alerts at the policy level, read .
To use Slack as an alert platform, you must first perform the required Slack configurations. You can refer to to learn more about how to configure Slack as an Alert platform.
To use Webhook as an alert platform, you must first perform the required Webhook configurations. You can refer to to learn more about how to configure Webhook as an Alert platform.
To use JIRA as an alert platform, you must have the DLP for the JIRA app installed from the . You can read more about the DLP for JIRA integration .
You can configure alerts at the integration level once you have installed the Nightfall for Google Drive integration.
To configure alerts at the integration level:
Navigate to the Google Drive integration
Scroll down to the Alerting section.
You can configure one or multiple alert channels.
To configure Slack as an alert channel, click + Slack channel.
In the Slack alert channel field, enter the name of the Slack channel in which you wish to receive the alerts.
Click Save.
A confirmation pop-up box is displayed to confirm if the Slack channel (entered in the second step) must be used only for Google Drive integration or all the Nightfall integrations.
Select No, only integration level to use the Slack channel only for Google Drive, or select Yes, please to use the selected Slack channel for all the Nightfall integrations.
Click + Email.
Enter the Email ID of the recipient who should receive the notifications.
Click Save.
A confirmation pop-up box is displayed to confirm if the Email ID (entered in the second step) must be used only for Google Drive integration or all the Nightfall integrations.
Select No, only integration level to use the Email ID only for Google Drive, or select Yes, please to use the Email ID for all the Nightfall integrations.
Click + Webhook.
Enter the Webhook URL.
Click Test. If the test result is not successful, check the Webhook URL.
When you configure alerts to a Webhook, Nightfall AI sends occasional posts to:
To validate that the Webhook is properly configured before the policy is saved.
Periodically thereafter to ensure that the Webhook is still valid.
Click + Jira Ticket.
Select a JIRA project from the Jira Project drop-down menu.
Select an issue type from the Issue Type drop-down menu.
A confirmation pop-up box is displayed to confirm if the JIRA settings configured for the Google Drive integration must be applied to all the other Nightfall integrations too.
Select No, only integration level to use the configurations only for Google Drive, or select Yes, please to use the selected JIRA configurations for all the Nightfall integrations.
When a Violation occurs, Nightfall sends a notification to the end-user whose actions triggered the violation. While notifying the end-user, Nightfall also sends a text message. You can draft the text message to be sent to the end-user. This message applies to all the policies. Click Save changes once done.
This document explains what admins and end-users can do once a policy is violated.
When end-users violate a policy, the Nightfall admin is notified about the incident. The notification channel used to notify the Nightfall admin depends on the settings configured in the Admin Alerting section. If you have not enabled any notification channels in the Admin alerting section, Nightfall admins are not notified.
If you have enabled the email notification in the Admin alerts section, Nightfall admins receive an email. The email is as shown in the following image.
The Email consists of the following data.
Event: The event that caused the violation. For Google Drive, the event is always a download of assets.
Actor: The Email ID of the user who downloaded the file.
When: The date and time when the file was downloaded.
Also, a Slack message is sent if you have enabled the Slack alerts for the Nightfall admin. The Slack message looks as shown in the following image.
End-users receive notifications and remediation actions if the Nightfall admin has enabled these settings. The notifications are based on the settings configured in the section. The end-user remediation actions are based on the settings configured in the section.
If you have configured the Email notification for end-users and enabled the end-user remediation, end-users can take remediation actions from the Email itself.
If you have configured Slack notifications for end-user and enabled end-user remediation, end-users can view the Slack message.
Nightfall admins can manage violations from within the Nightfall console. The Events page in Nightfall lists all the violations under the Exfiltration tab, and each exfiltration Event has a detailed view.
To view violations in Nightfall navigate to the Exfiltration Prevention page from the left menu.
The Exfiltration Events page lists all the exfiltration events. To view events with specific statuses, you can click the respective tabs.
To view the past events, click the Time filter and select the required time period. By default, the time period displays Events for the Last 7 Days.
The Event list view consists of the following columns.
You can click an event to view the details. The detail view window consists of the following tabs.
Summary: The Summary tab displays highlights of the event like the name of the downloaded asset, the name of the violated policy, the email ID of the user who violated the policy, and so on.
Asset: The asset window displays the details of the asset and the history of the asset. You can also choose to view historic asset data. If there are multiple assets in a single violation, you can choose which asset's details must be displayed.
Actor: The actor tab displays the details and history of the user who downloaded the asset. You can choose to view historical data of the user. You can also add notes, which serve as metadata for the violation.
The events list view displays an ellipsis menu at the extreme right corner. Admins can click this menu to take appropriate action on an exfiltration event.
The various available actions are explained as follows.
Acknowledge: This action can be taken when you just wish to acknowledge that you have viewed the violation.
Notify Email: This action sends an email notification to the end-user who caused the violation.
Notify Slack: This action sends a Slack notification to the end-user who caused the violation.
Once the action is implemented, the status of the event changes respectively. By default, an event can have one of the following two statuses.
Active: The event has been generated but no action has been taken.
Input Requested: A notification has been sent to the end-user requesting their response.
You can also take action from the event detail view page. The actions are available at the bottom of the detail view page.
This document explains what admins and end-users can do once a policy is violated.
When end-users violate a policy, the Nightfall admin is notified about the incident. The notification channel used to notify the Nightfall admin depends on the settings configured in the Admin Alerting section. If you have not enabled any notification channels in the Admin alerting section, Nightfall admins are not notified.
If you have enabled the email notification in the Admin alerts section, Nightfall admins receive an email. The email is as shown in the following image.
The Email consists of the following data.
Event: The event that caused the violation. For Salesforce, the event is always a download of assets.
Who: The Email ID of the user who downloaded the file.
When: The date and time when the file was downloaded.
Also, a Slack message is sent if you have enabled the Slack alerts for the Nightfall admin.
End-users receive notifications and remediation actions if the Nightfall admin has enabled these settings. The notifications are based on the settings configured in the section. The end-user remediation actions are based on the settings configured in the section.
If you have configured the Email notification for end-users and enabled the end-user remediation, end-users can take remediation actions from the Email itself. The end-user Email is shown in the following image.
If you have configured Slack notifications for end-user and enabled end-user remediation, end-users also get a message in the respective Slack channel configured.
To manage violations in the Nightfall console:
Click Events from the left menu.
Click the Exfiltration tab.
The Exfiltration Events page lists all the exfiltration events. To view events specific to the Salesforce integration:
Click Filters and select + Add Filter.
Select Integration in the Select a filter field.
Select the Salesforce check box in the Select an option field.
Click Apply.
Now, only the Salesforce events are displayed.
To view events with specific statuses, you can click the respective tabs.
To view historic events, click the Time filter and select the required time period.
You can click an event to view the details. The detail view window is as follows.
The detail view window consists of the following tabs.
Summary: The Summary tab displays highlights of the event like the name of the downloaded asset, the name of the violated policy, and the email ID of the user who violated the policy.
Asset: The asset tab displays the details of the asset. You can view details like name of the downloaded asset, size of the downloaded asset, exfiltration action (download), owner's Salesforce ID and IP address. If there are multiple assets in a single violation, you can choose which asset's details must be displayed.
Actor: The actor tab displays the email ID of the Salesforce user who downloaded the asset. You can add notes on this tab which is displayed in the Admin notes section.
The events list view displays an ellipsis menu at the extreme right corner. Admins can click this menu to take appropriate action on an exfiltration event.
The various available actions are explained as follows.
Acknowledge: This action can be taken when you just wish to acknowledge that you have viewed the violation.
Notify Email: This action sends an email notification to the end-user who caused the violation.
Notify Slack: This action sends a Slack notification to the end-user who caused the violation.
Once the action is implemented, the status of the event changes respectively. By default, an event can have one of the following two statuses.
Active: The event has been generated but no action has been taken.
Input Requested: A notification has been sent to the end-user requesting their response.
You can also take action from the event detail view page. The actions are available at the bottom of the detail view page.
This stage allows you to select automated notification channels or actions if a policy violation occurs.
This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.
The alert configurations configured in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the Salesforce Exfiltration policies, you must configure alerts at the integration level. To learn more about how to configure integration-level policies for the Salesforce integration, read
The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to the document.
Automated actions allow you to configure automated remediation actions when an exfiltration attempt is detected by Nightfall policy. Nightfall supports the following automated actions for Salesforce. You can choose to implement the automated action immediately after detecting a download attempt or after some time.
To enable the automated action, you must turn on the respective toggle switch.
This action logs the user out of their Salesforce account. They cannot log in until a Salesforce admin removes the freeze on the account.
You must now select when, after the event is detected, the action must be triggered. If you select the Immediately option, the automated action is triggered immediately after the download attempt is made.
If you select the After option, you must select the time gap after which the automated action must be implemented.
This action revokes the permissions of the user. The user can then only view data across all Salesforce pages and cannot download any data. This action assigns the user Salesforce's minimum access profile. You can learn more about this profile from this .
You must now select when, after the event is detected, the action must be triggered. If you select the Immediately option, the automated action is triggered immediately after the download attempt is made.
If you select the After option, you must select the time gap after which the automated action must be implemented.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink with the text Nightfall website, you must write <www.nightfall.ai|Nightfall website>.
The automation settings allow you to send notifications to end users. You can select one or both the notification methods. You must first turn on the toggle switch to use the automation option. The automation notification channels are as follows
Email: This option sends an Email to the user who attempted the download.
Slack: This option sends a Slack message to the user who attempted the download.
End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take when a violation is triggered by their download attempt. You must turn on the toggle switch to use this option. End-users receive the remediation actions in an Email as an action item. The various available remediation actions for end-users are as follows.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
When end users report alerts as false positive, you can choose the resolution method to be either Automatic or Manual.
If end-users do not take any remediation action, you can set the frequency at which they must receive the notifications to take action.
Managing Violations in Nightfall
Nightfall admins can manage violations from within the Nightfall console. The Events page in Nightfall lists all the violations under the Exfiltration tab. End-users can get a detailed view of each exfiltration violation recorded.
To view violations in Nightfall
Navigate to Exfiltration Prevention from the left menu.
Steps 2-6 help you filter the events to only view the alerts generated by Windows OS.
Click Filter.
Click + Add Filter.
Select Integration.
Select the Windows check box.
Click Apply.
To view historic events, click the Time filter, select the required time period or enter it manually by selecting the Custom Range option. Once the required time period is selected, click Apply. By default, the filter displays results for the Last 7 days. You can click Last 7 Days and choose the required historic time period.
You can click an event to view the details. The detail view window consists of the following tabs.
The Summary tab consists of the following details.
Assets: The name of the uploaded asset(s) that was exfiltrated.
Policy: The name of the policy violated.
Device ID: The device ID of the device from which the file upload was performed.
The Summary tab also displays a log of activities that occurred on the event. The first log entry is always the asset creation date. The subsequent logs display the actions applied to the event. You can also add comments on the Summary tab. The comments added by you can be viewed by other users as well.
This tab displays the details of the asset (with sensitive data) that was uploaded to a domain or cloud storage app. The asset tab also displays a number in brackets. This number indicates the number of assets that were uploaded as part of the event.
In the following image, two assets were uploaded, and these four uploads together triggered the event. In such cases, when multiple assets are involved, you can use the drop-down menu to switch between assets and view the asset details.
The Assets tab displays the following details.
Name: The name of the asset uploaded.
Where: The location of the asset in the device.
Medium: The medium used to upload the asset.
The Assets tab also contains the Asset History section. This section displays the source or origin from where the asset was downloaded. Additionally, it also displays the destinations to which the asset was uploaded. If the source and destination details are not available, this section does not display any information. Users can use the time filter to view historic data.
The device tab displays the details of the device used to upload the asset. You can view the following details on this tab.
Device ID: The device ID of the device from which the asset was uploaded.
Device Name: The name of the device from which the asset was uploaded.
Connection Status: The current status of the device. This can either be Connected or Disconnected. If the device is not in contact with the Nightfall agent for more than 6 hours, the connection status changes to disconnected.
This document explains what admins can do when a macOS policy is violated.
Nightfall admins can manage violations from within the Nightfall console. The Events page in Nightfall lists all the violations under the Exfiltration tab. End-users can get a detailed view of each exfiltration violation recorded.
To view violations in Nightfall
This document explains the process of installing Nightfall AI agent using the Rippling MDM.
NOTE: Rippling MDM has a requirement where the .mobileconfig profile has to be uploaded from a MacBook. It cannot be uploaded from another type of OS; otherwise the upload will not stick.
Please note there are two parts to this process:
Deploy the "mobileconfig" that pushes the profile and permissions.
The Exfiltration policies for macOS and Windows OS allow you to monitor uploads made via a browser or via cloud storage apps. You can configure the internet domains that need to be monitored and the cloud storage apps that need to be monitored.
When there is an upload to a configured domain or cloud storage app, the Nightfall AI agent reports this action. You can configure the notification channels through which you wish to receive notifications when there is an attempt to upload files or folders.
Once you have completed the installation of the Nightfall agent, you must ensure that the connection is live. If the Nightfall agent cannot connect to the macOS or the Windows OS device for more than 6 hours, the connection is lost. When the connection is live, a
Click "Next"
Select "Run Once Immediately" > Click "Add"
Click "Save and Publish"
Browser Name: The name of the browser from which the asset was uploaded.
Domain: The domain URL to which the asset containing sensitive data was uploaded. This field is applicable only for browser uploads. When you hover over a domain that is not added to any Collection, the list of Collections is displayed. You can choose to add the domain to an existing Collection or create a new collection and add the domain to the newly created collection. If you are already leveraging the domain collection as part of your monitoring policies, the new addition will be automatically picked up. For example, if the domain is added to a collection of sanctioned domains your policy is ignoring, future uploads to this destination will be ignored.
Upload Start Time: The start date and start time of the upload.
Upload End Time: The end date and end time of the upload.
Size: The size of the downloaded asset.
OS: The operating system used on the device. This field always displays the Windows OS.
MAC Address: The physical MAC address of the device.
Last Connection: The date and time when the device was last connected.
Agent Version: The Nightfall agent version installed on the device.
OS Version: The Windows OS version used on the device.
Policies Violated: The name of the policy that was violated.
Violation Dashboard: The link to the Events screen to view the violation in detail.
Actions: The list of actions that the Nightfall admin can take.
Suspend Account: This action suspends the account of the user who caused the violation.
Ignore: This action ignores the violation. You can take this action when an event is a false positive.
Copy Link: This action is only available on the Asset detail view. You can copy the direct link to the Event with this action.
Event type and asset(s)
The nature of the event (asset download) and the name of the asset that is either downloaded or uploaded.
Location
The location of the asset (Google Drive in this case)
When
Number of days/months since the event occurred.
Actor
The email ID of the user who downloaded the asset. In some cases, you can also find the name of an app in brackets. This indicates that the app present in your Google Workspace downloaded the asset on behalf of the user. You can find more info in this Google document.
Policy
The name of the policy violated by the event.
Status
The current status of the event.
Policies Violated: The name of the policy that was violated.
Violation Dashboard: The link to the Events screen to view the violation in detail.
Actions: The list of actions that the Nightfall admin can take.
Ignore: This action ignores the violation. You can take this action when an event is a false positive.
Freeze User: This action freezes the user account and logs them out of Salesforce. Users cannot log in until an admin unfreezes their account.
Revoke User Permission: This action revokes the user's download privileges. Users can only view data in Salesforce. This action assigns Salesforce's Minimum Access profile to the user. You can learn more about this profile from this Salesforce document.
Unfreeze User: This action becomes active once you freeze a user. You can unfreeze a frozen user with this action.
Pre-install script: mdm_pre_installation_script.sh
Nightfall agent nightfall-ai-agent-signed.pkg (signed for Software Management, or hosted on HTTPS for Commands)
Assign it to device groups or systems.
Save and confirm devices receive the profile.
mdm_pre_installation_script.sh
Assign this command to the same device groups you plan to assign the app.
Run it to ensure systems are properly prepared and to skip reinstall on healthy hosts.
Then, assign the managed app:
In JumpCloud Admin Console → Software Management → Private Repository → Add App → Custom (Apple/macOS).
Upload the signed Nightfall nightfall-ai-agent-signed.pkg.
Assign it to the same device groups.
JumpCloud will install the agent as a managed application.
Assign the command to devices or groups.
Run now or schedule as needed.
Verify the Nightfall agent is running.
Launch Activity Monitor > CPU > Search for Nightfall.
Identify two running processes - one running as root and the second as the user.
Verify the endpoint is communicating with Nightfall.
Open Nightfall web console > Integrations > macOS > Manage.
Confirm the device(s) listed show as Agent Status = Connected
mdm_pre_installation_script.sh
The script is used by MDMs to ensure that a macOS machine is in a clean state before installing the Nightfall Agent. It wipes any existing Nightfall installation and prepares a clean environment for a new install, including:
Loading API keys
Rebuilding folders
Resetting launch daemons
NightfallAI_Profile_with_Browser_Extension.mobileconfig
This profile is designed to pre-authorize and enable what the Nightfall Endpoint Agent requires on a macOS machine without needing user prompts.
Silently installs/enables the Nightfall browser extension
Allows the extension to run without prompts
Authorizes required permissions (content inspection, file uploads, scanning)
Grants macOS Privacy Permissions required by Nightfall:
Full Disk Access (FDA)
System Events/Automation Permissions
Application Control Permissions
Configures the payloads for browser + system integration
Prevents users from tampering with the security controls
Click Save.
200 status code if successful. An example of a Webhook request is as follows.
This is part of alert event consumption and can be ignored.
Click Save changes.
#!/bin/bash
set -euo pipefail
LOG="/var/log/nightfall_install.log"
PKG_URL="https://your-bucket.s3.amazonaws.com/nightfall-ai-agent-signed.pkg"
PKG_LOCAL="/tmp/nightfall-ai-agent-signed.pkg"
# Temporary copies of the two helper scripts shipped in the Nightfall payload.
PRECHECK="/tmp/mdm_pre_install_check_script.sh"
PREP="/tmp/mdm_pre_installation_script.sh"
echo "$(date) — Starting Nightfall install" >>"$LOG"
cp ./mdm_pre_install_check_script.sh "$PRECHECK"
cp ./mdm_pre_installation_script.sh "$PREP"
chmod +x "$PRECHECK" "$PREP"
# The pre-install check exits 0 on a host that already runs a healthy agent.
if "$PRECHECK" >>"$LOG" 2>&1; then
    echo "$(date) — Agent already installed & healthy, skipping." >>"$LOG"
    exit 0
fi
# Wipe any previous installation, then download and install the signed package.
"$PREP" >>"$LOG" 2>&1
curl -fL "$PKG_URL" -o "$PKG_LOCAL" >>"$LOG" 2>&1
/usr/sbin/installer -pkg "$PKG_LOCAL" -target / >>"$LOG" 2>&1
rm -f "$PKG_LOCAL"
echo "$(date) — Nightfall install completed" >>"$LOG"

{
    "service": "nightfall",
    "test": true,
    "timestamp": "2024-03-07T23:18:39Z"
}

Navigate to Exfiltration Prevention from the left menu.
Steps 2-6 help you filter the events to only view the alerts generated by macOS.
Click Filter.
Click + Add Filter.
Select Integration.
Select the macOS check box.
Click Apply.
To view historic events, click the Time filter, select the required time period or enter it manually by selecting the Custom Range option. Once the required time period is selected, click Apply. By default, the filter displays results for the Last 7 days. You can click Last 7 Days and choose the required historic time period.
You can click an event to view the details. The detail view window consists of the following tabs.
The Summary tab consists of the following details.
Assets: The name of the uploaded asset(s) that was exfiltrated.
Policy: The name of the policy violated.
Device ID: The device ID of the device from which the asset was uploaded.
Machine Name: The physical name of the device from which the asset was uploaded.
Browser Name: The name of the browser from which the asset was uploaded. This field is applicable only for those events that were triggered by the browser upload action.
Domain: The domain URL to which the asset containing sensitive data was uploaded. This field is applicable only for browser uploads. When you hover over a domain that is not added to any Collection, you can choose to add it to an existing Collection or create a new one. If you are already leveraging the domain collection as part of your monitoring policies, the new addition will be automatically picked up. For example, if the domain is added to a collection of sanctioned domains your policy is ignoring, future uploads to this destination will be ignored.
App Name: The name of the cloud storage app to which the asset containing sensitive data was uploaded. This field is applicable only for uploads done to cloud storage apps.
Account Type: The nature of the cloud storage app to which the asset was uploaded. The account type is generally either a personal account or a business account. This field is applicable only for uploads done to cloud storage apps.
Account type: Personal → when a personal session is detected
Account type: Corporate → when corporate session is detected
Empty → when session differentiation is not applicable or unavailable
Upload Start Time: The start date and start time of the upload.
Upload End Time: The end date and end time of the upload.
The Summary tab for a Browser upload action is as follows.
The Summary tab for a Cloud storage app event is as follows.
The Summary tab for a Clipboard Paste action is as follows.
The Summary tab also displays a log of activities that occurred on the event. The first log entry is always the asset creation date. The subsequent logs display the actions applied to the event. You can also add comments on the Summary tab. The comments added by you can be viewed by other users as well.
This tab displays the details of the asset that was uploaded to a domain or cloud storage app. The asset tab also displays a number in brackets. This number indicates the number of assets that were uploaded as part of the event.
In the following image, there are two assets that were uploaded, and these four uploads together triggered the event. In such cases when there are multiple assets involved, you can use the drop-down menu to switch between assets and view the asset details.
The Assets tab displays the following details for the Browser upload action and the Cloud Storage app action.
Name: The name of the asset uploaded.
Where: The location of the asset in the device.
Medium: The medium used to upload the asset. This can be a browser or cloud storage app.
Size: The size of the asset.
If you have configured in the Scope section of the policy and if the asset contains sensitive data, the asset tab also displays a preview of the sensitive data and the detectors violated. Additionally, you can also find a new field called Sensitive Data that displays the name of the detector(s) violated.
The Assets tab also contains the Asset History section. This section displays the source or origin from where the asset was downloaded. Additionally, it also displays the destinations to which the asset was uploaded. If the source and destination details are not available, this section does not display any information. Users can use the time filter to view historic data. By default, the asset history is displayed for the last 7 days. You can click the Last 7 Days drop-down menu to view historic asset details.
The assets tab for the copy/paste action displays the following information.
Content Origin: The site from which the data was copied. If Nightfall cannot find the origin, this field displays Local Machine (Unknown origin).
Content Destination: The location where the copied information was pasted.
Time of Copy: The date and time when the data was copied.
Time of Paste: The date and time when the data was pasted.
If the copy/pasted content contains sensitive data, the asset tab displays the sensitive data and also the text surrounding the sensitive data. The sensitive data is highlighted so that it can be recognized easily.
The asset history section displays the timeline and the number of times data was copied and pasted.
The device tab displays the details of the device used to upload the asset. You can view the following details on this tab.
Device ID: The device ID of the device from which the asset was uploaded.
Device Name: The name of the device from which the asset was uploaded.
Connection Status: The current status of the device. This can either be Connected or Disconnected. If the device is not in contact with the Nightfall agent for more than 6 hours, the connection status changes to disconnected.
OS: The operating system used on the device.
MAC Address: The physical MAC address of the device.
Last Connection: The date and time when the device was last connected.
Agent Version: The Nightfall agent version installed on the device.
OS Version: The macOS version used on the device.
Important
If a user uploads the same file to multiple browser destinations (say 3), 3 exfiltration events are generated. However, if you upload multiple files to the same destination, only a single event is generated.
If multiple violations are recorded within a span of five minutes, all the violations are clubbed under a single exfiltration event. The Assets tab of this event displays the details of each asset.
However, if you upload multiple files to different browser domains, or multiple files to different cloud storage apps, within a span of five minutes, a separate exfiltration event is generated for each of the uploaded files.
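The three rules above describe one grouping algorithm: uploads are keyed by device and destination, and uploads to the same key within five minutes share an event. The following is an added example that reproduces that grouping over constructed upload records so an analyst can predict how many events a burst of activity will produce; it is not Nightfall's code. One detail the page does not state is assumed here: the five-minute window is measured from the first upload of the open event, and an upload exactly five minutes after it still joins that event.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(minutes=5)  # grouping span stated in the docs


@dataclass(frozen=True)
class Upload:
    device_id: str
    destination: str  # browser domain or cloud storage app name
    asset: str
    at: datetime


@dataclass
class ExfilEvent:
    device_id: str
    destination: str
    started: datetime
    assets: List[str] = field(default_factory=list)


def group_uploads(uploads: List[Upload]) -> List[ExfilEvent]:
    """Club uploads into exfiltration events the way the docs describe.

    Key: (device, destination). Different files sent to the same destination
    within WINDOW join one event (the Assets tab would list each file); the
    same file sent to N destinations yields N events. Assumption not in the
    docs: the window is anchored at the first upload of the open event.
    """
    open_events: Dict[Tuple[str, str], ExfilEvent] = {}
    events: List[ExfilEvent] = []
    for up in sorted(uploads, key=lambda u: u.at):
        key = (up.device_id, up.destination)
        ev = open_events.get(key)
        if ev is None or up.at - ev.started > WINDOW:
            ev = ExfilEvent(up.device_id, up.destination, up.at)
            events.append(ev)
            open_events[key] = ev
        ev.assets.append(up.asset)
    return events


def sample_uploads() -> List[Upload]:
    """Constructed sample, not real telemetry: one device, 23:00 to 23:20 UTC."""
    t0 = datetime(2024, 3, 7, 23, 0, 0)

    def at(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    return [
        # Same file to three browser destinations: three events.
        Upload("dev-01", "dropbox.com", "report.xlsx", at(0)),
        Upload("dev-01", "box.com", "report.xlsx", at(1)),
        Upload("dev-01", "wetransfer.com", "report.xlsx", at(2)),
        # Two files to one destination within five minutes: one event, two assets.
        Upload("dev-01", "drive.google.com", "a.csv", at(10)),
        Upload("dev-01", "drive.google.com", "b.csv", at(12)),
        # Same destination again, but ten minutes after the open event started: new event.
        Upload("dev-01", "drive.google.com", "c.csv", at(20)),
    ]


if __name__ == "__main__":
    for ev in group_uploads(sample_uploads()):
        print(ev.started.time(), ev.destination, ev.assets)
```

Running the sample yields five events: three single-asset events for the repeated file, one two-asset event for the first Google Drive burst, and a fresh event for the later upload that fell outside the window.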
You can perform the following actions on all three tabs. These actions are present at the bottom.
Copy Event Link: This action copies the link of the event to the clipboard.
Acknowledge: This action modifies the status of the event to Acknowledged.
Notify Slack: This action sends a Slack notification about the event to the recipient configured in the Advanced Settings section.
Notify Email: This action sends an email notification about the event to the recipient configured in the Advanced Settings section.
Resolve: This action resolves the event and modifies the status to resolved.
Ignore: This action ignores the event and modifies the status to ignored.
Step 1 - Create & Deploy Profiles
Deploy the agent via the .PKG and scripts.
Step 2.1 - Create & Configure the Software Package
Step 2.2 - Deploy the Nightfall Endpoint DLP Agent
IMPORTANT: Both Steps 1 and 2 require defining the devices to deploy to. This means that the "mobileconfig" profile requires the devices to be selected to assign to, and the agent requires selecting the devices to assign to as well. Ideally, both lists should match.
Confirm the following:
The macOS devices are onboarded.
Download the package from the console:
On your Nightfall console, navigate to https://app.nightfall.ai/endpoint
Click Download Package for macOS
Unpack the contents of the downloaded file.
(Optional) In the downloaded folder, locate the README.md under /Profiles to learn about the various MDM profiles available.
After confirming, move to "Step 1" as shown below.
To install the Nightfall agent in stealth mode (without notifying the end-user), see Install Nightfall AI Agent for MAC OS.
In this step, you will create a custom profile for each of the profiles provided in your Nightfall endpoint payload.
Locate NightfallAI_Profile_with_Browser_Extensions.mobileconfig in the downloaded Nightfall Endpoint payload package.
Navigate to and click Upload.
Upload and save provided config profile.
Policy name: “Nightfall AI Agent Profile”
Policy description: “Nightfall AI Agent profile”
Navigate to . Click the three-dot context menu located on the far right of the new profile. Deploy from
Select all employees or specific target devices.
Click Save to deploy the software.
The below describes the steps to upgrade endpoints with a new version of the agent:
Search or scroll to the old version of the Nightfall Endpoint DLP Agent and click “Edit”.
Remove all devices from the installation list and click “Save”.
Follow the steps to configure the new software package for the new version
Follow these steps to deploy the new version.
The Nightfall Endpoint DLP Agent will now deploy to all selected target endpoints. Installation may take up to 48 hours and is dependent on the endpoint devices being turned on and connected.
When a macOS or Windows OS device is disconnected, you can remove the device from the monitored list (Devices tab). To remove a disconnected device from the monitored list, click the delete icon for the respective device.
Clicking the delete icon displays a warning pop-up window as shown in the following image. Click Remove Device to confirm the removal of the device.
If a removed device reconnects, it is automatically added to the monitored list. To permanently prevent the monitoring of a device, you must de-provision the device through MDM (uninstall the Nightfall Agents and remove it from future targeting).
This feature declutters your monitoring list and ensures that only active devices that are being monitored are displayed.
You can leverage this feature efficiently with loaner laptops. When a former employee returns a device, the connection is lost and the status is displayed as disconnected. Security teams can be concerned about the device displaying the Disconnected status for a prolonged period and can initiate an investigation. Instead, you can use this feature and remove the device from the monitored list. When the device is reassigned to another employee, it connects back automatically, and the monitoring resumes.
Similarly, you can use this feature for seasonal and dormant devices; remove them once they are not in use. They will connect back automatically once they are in use again.
Collections help you refine your monitoring to reduce noise from sanctioned upload destinations as well as closely monitor exfiltration of files originating from high-value SaaS applications accessed through the browser. You can also define specific domain collections to closely monitor upload activity to specific categories of upload destinations. For instance, to track files uploaded to social media, you can create a domain collection called social media and add domains like Facebook, Instagram, Twitter, and so on. Similarly, you create a collection for known and sanctioned upload destinations that are safe to upload to so you can ignore them from your monitoring policies or monitor the upload of items originating from such domains. While creating a policy, you can directly add the collection to be monitored. All the domains in the collection will be monitored.
You can create a domain collection either by entering all the domain URLs manually or by uploading a comma-delimited list of domains in a text file.
To group domains:
Log in to the Nightfall app.
Navigate to Integrations from the left menu.
Click Manage on the macOS/Windows OS integration.
Click the Domains tab.
Click + New Collection.
You can either add the domains manually or upload a text file containing the list of domains. The following section has two tabs. The first explains the process of manually adding domains, and the second tab explains adding domains by uploading a file.
Click + Add Domain.
Enter a name for the Collection in the Collection Name field (Social Media in the following image)
Enter a domain and hit the enter key (facebook.com in the following image).
Important
When you add a domain, its subdomains are not included automatically. For instance, if you add abcd.com, docs.abcd.com is not included. To include a subdomain, you must enter the full URL containing the subdomain. If you have multiple subdomains, you can use the asterisk wildcard (*) and enter the domain as *.abcd.com.
(Optional) Click + Add Domain to add multiple domains to the collection.
(Optional) Click the delete icon to delete a domain.
Click Save Changes.
Enter a name for the Collection in the Collection Name field.
Click Upload.
Browse and upload the text file containing the list of domains.
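The subdomain rule in the note above is the detail most likely to surprise a policy author, so here is an added example (not Nightfall's matching code) that applies the documented rules to an observed upload destination: an exact entry matches only that host, and a `*.abcd.com` entry matches any subdomain. It assumes the wildcard does not match the bare `abcd.com` itself and that entries may be typed as full URLs, which it normalises down to a hostname; both are assumptions about behaviour the page does not spell out.

```python
from typing import List
from urllib.parse import urlsplit


def normalize_host(entry: str) -> str:
    """Reduce a collection entry or observed destination to a bare lowercase host.

    Accepts 'docs.abcd.com', 'https://docs.abcd.com/path', 'abcd.com:443/x'
    or '*.abcd.com'. Trailing dots (absolute DNS names) are dropped.
    """
    entry = entry.strip().lower()
    if "://" in entry:
        host = urlsplit(entry).hostname or ""
    else:
        host = entry.split("/", 1)[0].split(":", 1)[0]
    return host.rstrip(".")


def host_matches(pattern: str, host: str) -> bool:
    """Apply one collection entry to one destination host."""
    pattern = normalize_host(pattern)
    host = normalize_host(host)
    if not pattern or not host:
        return False
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.abcd.com" -> ".abcd.com"
        # Keep the leading dot in the suffix: a plain endswith("abcd.com") would
        # also accept "evilabcd.com". Assumption: the bare domain is not covered.
        return host.endswith(suffix) and len(host) > len(suffix)
    # Exact entry: subdomains are deliberately not included (per the docs).
    return host == pattern


def collection_matches(collection: List[str], host: str) -> bool:
    """True if any entry in the collection covers the destination host."""
    return any(host_matches(p, host) for p in collection)


if __name__ == "__main__":
    # Constructed collection, mirroring the docs' "Social Media" example.
    social_media = ["facebook.com", "*.instagram.com", "twitter.com"]
    for dest in ["facebook.com", "m.facebook.com", "www.instagram.com", "instagram.com"]:
        print(dest, collection_matches(social_media, dest))
```

When a collection is used to ignore sanctioned destinations, the exact-match rule matters most: `abcd.com` in an ignore list leaves `docs.abcd.com` monitored, and a policy author who meant to sanction the whole estate needs the wildcard form.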
The detailed steps to configure the MAC OS/Windows OS device exfiltration policy are explained in the following documents.
This document explains the process of installing the Nightfall agent manually.
Ensure that you have root level access to the target macOS device.
On your Nightfall console, navigate to and click the Download Package button on the top right corner of the page. Click Download Package for macOS and unpack the contents of the downloaded file.
Create a default policy for web browser uploads and cloud storage application sync.
To install the Nightfall agent in stealth mode (to hide UI elements), see .
Locate the mdm_pre_installation_script.sh in the payload downloaded from Nightfall.
Open a Terminal window.
Run the mdm_pre_installation_script.sh script on your local machine as a root user by executing the following command.
Double click the provided nightfall-ai-agent_<version>.pkg.
Click Continue.
Click Install.
Click Use Password to enter your device password and start the installation process.
Once the installation is completed, you get a completion message as shown in the following image.
Click Close.
At the top right corner of your screen, you can view the Nightfall AI agent icon which looks as follows.
When you click this icon, you can view the details of the agent.
These system permissions are handled automatically through MDM profiles. For a manual install, you must enable these permissions yourself.
To monitor your macOS device, you must grant access to the hard disk. This section explains the process of granting disk access.
Navigate to System Settings > Privacy & Security > Full Disk Access.
If Nightfall is listed, make sure to toggle the permission to ON
[Optional] Should Nightfall not be listed in the primary list
Click the + icon at the bottom of the list (you may be prompted to enter your macOS password)
Select NightfallAIAgent (under Applications) and click Open.
Click Quit & Reopen.
On the Full Disk Access page, ensure that the toggle switch is turned on for the NightfallAIAgent. This ensures that the full disk access is granted.
For clipboard monitoring, you must grant the Nightfall agent accessibility permissions. This section explains the process.
Navigate to System Settings > Privacy & Security > Accessibility.
If Nightfall is listed, make sure to toggle the permission to ON
[Optional] If Nightfall is not listed in the primary list
Click the + icon at the bottom of the list (you may be prompted to enter your macOS password)
Select NightfallAIAgent (under Applications) and click Open.
On the Accessibility settings page, ensure that the toggle switch is turned on for the NightfallAIAgent. This ensures that the accessibility permission is granted.
To ensure changes are picked up by the agent:
Open Activity Monitor > search for Nightfall > you should see two Nightfall processes running.
If you do not see two Nightfall processes, make sure to expand your view to all processes
Apart from the disk access and accessibility permissions, you must also grant permission to the Nightfall AI agent to monitor browser uploads. This section explains the process.
To grant access to browser uploads:
Open a browser instance and upload a test file to any destination.
When prompted, grant the Nightfall AI agent permissions.
At this stage, your manual installation is complete. Your machines should start showing up on your Nightfall AI management console under
Nightfall delivers broad browser coverage with full data exfiltration protection across modern AI browsers and traditional browsers. Customers can confidently deploy Nightfall across supported environments without compromising on security or feature depth.
AI Browsers
Perplexity Comet (macOS only)
ChatGPT Atlas (macOS only)
Chromium-Based Browsers
Google Chrome
Microsoft Edge
Arc
Brave
Other Browsers
Firefox
Operating System Support
macOS - The following browsers are supported on macOS:
Chrome
Edge
To uninstall the Nightfall AI agent, locate the uninstallation script provided as part of the deployment bundle. You must execute the following command on your macOS device as a root user.
Nightfall for macOS and Nightfall for Windows OS allow you to configure alerts at the policy level and also at the integration level.
You can navigate to the alerts page by executing the following steps:
Click Integrations in the left pane.
Click Manage for either Endpoint macOS or Endpoint Windows widget.
Click the Alerting tab.
Alerts can be sent in macOS and Windows OS policies by using the following alert channels.
Slack
Webhook
Jira Tickets
When you configure alert settings at the integration level, the alert settings apply to all the policies, created for the macOS/Windows OS integration. However, when you configure alert settings specifically for a policy, which is created in the macOS/Windows OS integration, the alert settings are applicable only for that specific policy.
This document explains how to configure alerts at the integration level. To learn about how to configure alerts at the policy level, read .
To use Slack as an alert platform, you must first perform the required Slack configurations. You can refer to to learn more about how to configure Slack as an Alert platform.
To use Webhook as an alert platform, you must first perform the required Webhook configurations. You can refer to to learn more about how to configure Webhook as an Alert platform.
To use JIRA as an alert platform, you must have the DLP for the JIRA app installed from the . You can read more about the DLP for JIRA integration .
You can configure alerts at the integration level once you have installed the Nightfall for macOS/ Nightfall for Windows OS integration.
To configure alerts at the integration level:
Navigate to the macOS integration
Scroll down to the Alerting section.
You can configure one or multiple alert channels.
To configure Slack as an alert channel, click + Slack channel.
In the Slack alert channel field, enter the name of the Slack channel in which you wish to receive the alerts.
Click Save.
A confirmation pop-up box is displayed to confirm if the Slack channel (entered in the second step) must be used only for macOS integration or all the Nightfall integrations.
Select No, only integration level to use the Slack channel only for macOS, or select Yes, please to use the selected Slack channel for all the Nightfall integrations.
Click + Email.
Enter the Email ID of the recipient who should receive the notifications.
Click Save.
A confirmation pop-up box is displayed to confirm if the Email ID (entered in the second step) must be used only for macOS integration or all the Nightfall integrations.
Select No, only integration level to use the email address only for macOS, or select Yes, please to use the selected email address for all the Nightfall integrations.
Click + Webhook.
Enter the Webhook URL.
Click Test. If the test result is not successful, check the Webhook URL.
When you configure alerts to a Webhook, Nightfall AI sends occasional POST requests to the Webhook URL:
To validate that the Webhook is properly configured before the policy is saved.
Periodically thereafter to ensure that the Webhook is still valid.
Click + Jira Ticket.
Select a JIRA project from the Jira Project drop-down menu.
Select an issue type from the Issue Type drop-down menu.
A confirmation pop-up box is displayed to confirm if the JIRA settings configured for the macOS integration must be applied to all the other Nightfall integrations too.
Select No, only integration level to use the configurations only for macOS, or select Yes, please to use the selected JIRA configurations for all the Nightfall integrations.
When a Violation occurs, Nightfall sends a notification to the end-user whose action triggered the violation. The notification carries a message whose text you can draft here; this message applies to all the policies in the integration. Click Save changes once done.
Learn how to install the Nightfall Agent for Windows using Intune as a Line-of-Business (LOB) app.
The Microsoft Intune installation consists of the following steps:
Connect Microsoft Intune to Nightfall (API-based MDM Onboarding)
Deploy the Nightfall Agent via Intune
You are a Systems Administrator in Nightfall
You have an Intune administrator account with the privileges needed to add apps and to approve the OAuth permissions that Nightfall requests.
Get the .msi package and command arguments from
This step enables automated mapping of user profiles to devices without requiring manual scripts.
API-based MDM onboarding allows Nightfall to automatically map the user email attribute to specific devices by syncing device inventory from your Microsoft Intune tenant using OAuth-based authentication.
Log in to the Nightfall Console at
Navigate to Settings → MDM Profile
Click Add MDM
Once authentication is complete, Nightfall will automatically connect to your Intune tenant and begin syncing device data.
Important: This API-based connection enables Nightfall to automatically map user email addresses to devices. You do not need to deploy any additional scripts for user-to-device mapping when using this method.
Nightfall requests the following Microsoft Graph API permissions:
DeviceManagementManagedDevices.Read.All - Read managed device information
User.Read.All - Read user profiles
Organization.Read.All - Read basic organization details
These are read-only permissions. Nightfall does not modify device settings or configurations.
Once connected, Nightfall will periodically sync device inventory from Microsoft Intune. You can now proceed to deploy the Nightfall agent to your devices following the steps below.
Log into the Intune Admin Center
Navigate to .
Go to: Home > Apps > All Apps > Add
Do I still need to install a Nightfall agent on devices after API-based onboarding?
Yes. API-based MDM onboarding enables Nightfall to map user email addresses to devices automatically. You still need to deploy the Nightfall agent to the devices using the steps above.
What permissions does Nightfall need in Microsoft Intune?
Nightfall requires least privilege read-only access to device inventory and user information via Microsoft Graph API. It does not modify device settings or configurations. The user email to device attribution is automatically managed with API-based MDM onboarding and no manual scripts are needed.
Is OAuth-based authentication secure?
Yes. Nightfall uses Microsoft's OAuth 2.0 authentication flow with encrypted connections. Credentials are securely stored and refreshed automatically.
What happens if OAuth permissions are revoked?
If OAuth permissions are revoked:
Device syncing will stop. New devices added or removed will not be reflected in Nightfall during that time.
Nightfall will surface an error in the console.
You can re-authenticate without reconfiguring policies by reconnecting from Settings → MDM Profile.
Can I disconnect or change my MDM connection later?
Yes. Contact Nightfall Support to disconnect or update your MDM connection from Settings → MDM Profile.
What device types are supported with Intune?
Microsoft Intune supports both Windows and macOS devices. Nightfall will sync inventory for both device types when connected via API-based onboarding.
Who should I contact if onboarding fails?
If you encounter issues:
Verify you have admin permissions in Microsoft Intune
Check the error message in the Nightfall console
Ensure you approved all requested OAuth permissions
Drop or select NightfallAI_Profile_with_Browser_Extensions.mobileconfig.
Click Save & continue.
Navigate to: https://app.rippling.com/hardware/software
Click Upload Software on the right of the page.
Name: “Nightfall Endpoint DLP Agent <version>”
<version> is the version of the package you received from Nightfall.
Operating System: “macOS”
Category: “My Uploads” (Default)
Description: “Nightfall Endpoint DLP Agent”.
Upload Installer File: drop or select the provided nightfall-ai-agent-signed.pkg file.
Install-check script: provided in your package as mdm_pre_install_check_script.sh
Pre-install script: provided in your package as mdm_pre_installation_script.sh
Click Submit.
Click Add on the newly created Software Item.
Click Finished Selecting.
Search or scroll to the newly added Software Item matching the name you used in "Step 2.1".
Click Edit. NOTE: If the Software Item was created only recently, it may take a few minutes to leave the "Pending" status.
Select all employees or specific target devices.
Click Save.
The Nightfall Endpoint DLP Agent will now deploy to all selected target devices. This may take up to 72 hours and is dependent on the endpoint devices being turned on, connected, and pre-requisite profiles deployed.
Grants macOS Privacy Permissions required by Nightfall:
Full Disk Access (FDA)
System Events/Automation Permissions
Application Control Permissions
Configures the payloads for browser + system integration
Prevents users from tampering with the security controls
Arc
Brave
Vivaldi
Perplexity Comet
ChatGPT Atlas
Windows - The following browsers are supported on Windows:
Chrome
Edge
Firefox
Arc
Brave
Vivaldi
Not supported on Windows:
ChatGPT Atlas (not available on Windows)
Perplexity Comet (Windows version does not allow installation of browser extensions)
Click Save.
The Webhook endpoint must return a 200 status code if the request is successful. An example of a Webhook request is as follows.
These test posts are part of normal alert-event consumption and can be ignored.
Click Save changes.
sudo ./mdm_pre_installation_script.sh
mdm_nightfall_ai_agent_uninstall.sh
{
  "service": "nightfall",
  "test": true,
  "timestamp": "2024-03-07T23:18:39Z"
}
All the domains must be separated by a comma. The file must have a .txt extension.
Once you upload the file, the list of domains present in the file are displayed as follows.
Important
When you add a domain, its subdomains are not included automatically. For instance, if you add abcd.com, docs.abcd.com is not included. To include a subdomain, enter the full hostname containing it (for example docs.abcd.com). If you have multiple subdomains, you can use the asterisk wildcard (*) and enter the domain as *.abcd.com
(Optional) To add more Domains to the Collection, you can either click + Add Domain and enter the domain manually, or click Upload txt and upload another text file containing domains.
(Optional) Click the delete icon to remove a domain from the Collection.
Click Save Changes.
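The following script is an added example for the Domain Collection upload described above; it is not Nightfall code. It writes a collection file in the comma-separated .txt form the upload expects, rejects entries that are not bare hostnames, and then evaluates a few constructed hostnames against the entries to make the subdomain rule concrete: abcd.com on its own does not cover docs.abcd.com, while *.abcd.com does. One assumption the page does not settle is whether *.abcd.com also covers the apex abcd.com; the example treats the wildcard as subdomains-only and lists the apex as its own entry when both are wanted.

```powershell
# Added example (not Nightfall code): build a Domain Collection .txt and check coverage.
# Assumption: "*.abcd.com" matches hosts under abcd.com but not abcd.com itself.
function New-DomainCollectionFile {
    param(
        [Parameter(Mandatory)][string[]]$Domains,
        [Parameter(Mandatory)][string]$Path
    )
    if ([System.IO.Path]::GetExtension($Path) -ne '.txt') {
        throw "Collection file must have a .txt extension: $Path"
    }
    $entries = $Domains | ForEach-Object { $_.Trim().ToLowerInvariant() } |
               Where-Object { $_ } | Select-Object -Unique
    foreach ($e in $entries) {
        # Bare hostnames only (no scheme, path or port); one leading "*." wildcard allowed.
        if ($e -notmatch '^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$') {
            throw "Not a valid domain entry: $e"
        }
    }
    # Comma-separated on a single line, as the upload requires.
    Set-Content -Path $Path -Value ($entries -join ',') -Encoding ascii -NoNewline
    return $entries
}

function Test-DomainCovered {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string[]]$Entries
    )
    $h = $HostName.ToLowerInvariant()
    foreach ($e in $Entries) {
        if ($e.StartsWith('*.')) {
            # Anchor on the dot so that "evil-abcd.com" cannot match "*.abcd.com".
            $suffix = $e.Substring(1)                      # ".abcd.com"
            if ($h.EndsWith($suffix) -and $h.Length -gt $suffix.Length) { return $true }
        }
        elseif ($h -eq $e) { return $true }
    }
    return $false
}

# Constructed sample: an apex, its wildcard, and an unrelated partner domain.
$file    = Join-Path $env:TEMP 'nightfall-domains.txt'
$entries = New-DomainCollectionFile -Domains @('abcd.com', '*.abcd.com', 'partner.example') -Path $file
Get-Content -Path $file

# Constructed hostnames: the apex, two subdomain depths, a look-alike, and a suffix-confusion attempt.
foreach ($candidate in 'abcd.com', 'docs.abcd.com', 'deep.docs.abcd.com', 'evil-abcd.com', 'abcd.com.evil.example') {
    '{0,-24} covered={1}' -f $candidate, (Test-DomainCovered -HostName $candidate -Entries $entries)
}
```

The dot-anchored suffix check in Test-DomainCovered is the part worth copying: a naive EndsWith("abcd.com") would also accept evil-abcd.com, which is exactly the kind of look-alike domain an exfiltration policy is meant to flag rather than allow.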
Download the .msi installer file for the Nightfall Agent.
Note the API Key and Company ID in the command line provided by Nightfall.
Click Microsoft Intune Login
You will be redirected to Microsoft's login page
Authenticate with your Microsoft admin account
Review and approve the requested permissions:
Read device information
Read user profiles
Access basic organization information
Click Accept to grant permissions
Select App Type
Under App type, choose: Line-of-business app
Add App Package
In the App package file section, click Select app package file.
Upload the NightfallAgent.msi file.
Configure App Information
Fill in the Name, Description, and other fields as desired.
Click Next.
Specify Install Command Line
In the Command-line arguments field, enter:
Assign the App
Assign the app to the appropriate device groups or users.
Click Next and complete the wizard.
Monitor Deployment
Go to Monitor > App Install Status to confirm successful deployment.
Verify Installation on a target/test machine
Once Intune reports the installation as successful, check that the agent is running:
Open Task Manager (Ctrl + Shift + Esc).
Look for the Nightfall Agent & NightfallUI processes under the Processes tab.
Confirm the Nightfall agent is configured to your Nightfall tenant
On the Windows machine, double-click the Nightfall agent icon in the system tray (notification area).
When download activity (which is what Nightfall monitors as exfiltration here) is high in your organization, scoping lets you reduce the noise from low-risk events so that you can focus on genuine exfiltration events and resolve them.
Exfiltration (Download monitoring) can be scoped to:
Location: All or a specific set of drives
This allows you to create flexible policies that monitor all drives or only specific high-risk locations. This scope is required for all policies.
User or User Group (Actor): Any or a specific set of users or user groups
This allows you to create custom policies for specific high-risk individuals or user groups, for example to monitor download activity by departing employees. It can be combined with the other scoping options.
Permissions: Public, Organization or Restricted
This allows you to tailor your policies to drives or files with specific access restrictions. It can be combined with the other scoping options.
Detection rules: Any or a specific set of sensitive data protection detection rules
You can reuse any of the detection rules you have already created or create new ones. This focuses detection on files that already have sensitive-data violations identified by your sensitive data scanning product. It can be combined with the other scoping options.
The Scope stage consists of two main sections.
Drive Selection: This section allows you to include various files and drives for monitoring. In this section, you can select the different types of drives to be monitored.
Add Filters: This section allows you to narrow your policy scope further. While the Drive selection section selects whole drives for monitoring, this section applies more granular filters, so you can target specific files within the selected drives.
The Drive Selection section allows you to select various drives for monitoring. You can select either User Drives or Shared Drives to be monitored by Nightfall for exfiltration.
This section allows you to select the drives in your Google Drive environment to be monitored. There are two options, User drives and Shared drives, and you can choose either or both.
User Drives: A User Drive is the personal drive of a user. The files in it are visible only to the file owner and to the users the owner has granted access. A User Drive is known as My Drive in Google Drive. To monitor User Drives, select the User drives check box as shown in the following image.
IMPORTANT
If you choose to monitor the User drives, all the User drives in your Google domain are selected for monitoring. You do not have the option to choose specific User drives for monitoring.
Shared Drives: Shared drives are common storage locations accessed by all the users in your Workspace. To select this option, you must select the Shared drives check box.
IMPORTANT
If you choose to monitor the Shared Drives, you can select whether to monitor all the Shared drives or only specific shared drives. Nightfall provides the following options.
If you select the All Drives
The following image displays the scenarios when you select the Shared Drives check box.
If you select the All Drives, except for option, you must also select the shared drives which must be excluded from monitoring.
Similarly, if you select the Specific Drive(s) option, you must also select the specific shared drives which must be monitored.
The filters section provides you the flexibility to include and exclude users at a granular level.
In the previous section, whether you selected User drives, Shared drives, or specific Shared drives, the result was a set of drives to monitor.
Once you select the Drives to monitor, in this section, you can overlay additional filters to further scope your monitoring. Nightfall provides the following additional filters:
Specific User(s): Choose this option to monitor one or a specific set of internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in . You must select the required users.
All Users, except for: Choose this option to exclude specific individuals from your monitoring policy. Once you choose this option, Nightfall populates the list of users from the synced IdPs in . You must select the required users.
Note
If you have not configured the feature, the users list is populated from the . As a result, you can see the Google Drive icon before the user name. However, if you have set up Directory sync, the users list is fetched from the IdP used for the configuration. In the above image, the users list is populated from the Microsoft Azure IdP and hence you can see the Azure icon before the users’ names.
Important
For exclusions, Nightfall only checks the file ownership. For inclusions, Nightfall checks both file ownership and shared access. This rule is applicable to all the filters.
Specific User(s): Choose this option to monitor one or a specific set of external users. Once you choose this option, you must manually enter the email ID(s) of the external users and hit the enter key.
All Users, except for: Choose this option to exclude specific external users, from being monitored. Once you choose this option, you must manually enter the email ID(s) of the external users and hit the enter key.
Specific Group(s): Choose this option to monitor one specific or a set of internal groups. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in . You must select at least one group.
All Groups, except for: Choose this option to exclude one specific, or a set of, internal groups from being monitored. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in . You must select the required groups.
Specific Group(s): Choose this option if you have external user groups defined in your IdP and would like to monitor one specific or a set of external groups. Once you choose this option, you must select at least one external user group to monitor and then press the Enter key.
All Groups, except for: Choose this option if you have external user groups defined in your IdP and would like to exclude one or more external groups from being monitored. Once you choose this option, you must select at least one external user group to exclude and then press the Enter key.
Before understanding the Permission filters, we must understand Google's General Access feature.
The general access feature in Google Workspace consists of three types of access, which are as follows.
Restricted: Files with this permission can only be accessed by users who have been granted access.
Target Audience: Files with this permission can be accessed by the users of the selected target audience group. There is a default target audience that gets created when the Google workspace is provisioned. This target audience has the same name as provisioned in the Google Workspace and includes all members of the organization. You can refer to this to learn more about the target audiences.
Anyone with the Link: Files with this permission can be accessed by any user who has the file link.
Nightfall also provides inclusion and exclusion of files in policy scope that resembles the General Access sharing principle in Google Workspace. The Nightfall General Access permission options are as follows.
Restricted: Choose this option to scope monitoring to files with restricted access.
Shared with target audiences: Choose this option to scope monitoring to files shared with target audiences within your Google Workspace environment.
Anyone with the link: Choose this option to scope monitoring to files shared with anyone with a link.
Detection rules consist of one or more detectors. You can use this filter to include either all detection rules or only specific ones. Note that on a download event, Nightfall checks whether the downloaded file was previously scanned and matched at least one of the selected detection rules; the file is not rescanned on download, so a file that has not yet been scanned will not match this filter.
All: If you select this option, all the detection rules are included.
Specific Detection Rule(s): If you select this option, you must also select the required detection rules. Nightfall scans your files only for the selected detection rules.
A Label is metadata that you can create to help users organize, find, and apply policy to files in Google Drive. To learn more about Google Drive Labels, refer to this .
Before utilizing filters for Labels, you must as per instructions and create labels in your Google Drive.
You can choose one of the following options.
Specific Label(s): You must choose this option to monitor only those files that contain the selected Labels. Once you choose this option, you must select the Labels. Nightfall only monitors those files that have the selected labels.
All Labels, except for: You must choose this option to exclude the monitoring of files that contain the selected Labels. Once you choose this option, you must select the Labels. Nightfall does not monitor the files that contain the selected labels.
Nightfall Exfiltration Prevention for Salesforce lets you configure alerts at the policy level and at the integration level. Alerts for the Salesforce integration can be sent through the following channels.
Slack
Webhook
Jira Tickets
When you configure alert settings at the integration level, they apply to all the policies created for the Salesforce integration. When you configure alert settings for a specific policy in the Salesforce integration, they apply only to that policy.
This document explains how to configure alerts at the integration level. To learn about how to configure alerts at the policy level, read .
To use Slack as an alert platform, you must first perform the required Slack configurations. You can refer to to learn more about how to configure Slack as an Alert platform.
To use Webhook as an alert platform, you must first perform the required Webhook configurations. You can refer to to learn more about how to configure Webhook as an Alert platform.
To use JIRA as an alert platform, you must have the DLP for the JIRA app installed from the . You can read more about the DLP for JIRA integration .
You can configure alerts at the integration level once you have installed the Nightfall for Salesforce integration.
To configure alerts at the integration level:
Navigate to the Salesforce integration
Scroll down to the Alerting section.
You can configure one or multiple alert channels.
To configure Slack as an alert channel, click + Slack channel.
In the Slack alert channel field, enter the name of the Slack channel in which you wish to receive the alerts.
Click Save.
A confirmation pop-up box is displayed to confirm if the Slack channel (entered in the second step) must be used only for Salesforce integration or all the Nightfall integrations.
Select No, only integration level to use the Slack channel only for Salesforce, or select Yes, please to use the selected Slack channel for all the Nightfall integrations.
Click + Email.
Enter the Email ID of the recipient who should receive the notifications.
Click Save.
A confirmation pop-up box is displayed to confirm if the Email ID (entered in the second step) must be used only for Salesforce integration or all the Nightfall integrations.
Select No, only integration level to use the email address only for Salesforce, or select Yes, please to use the selected email address for all the Nightfall integrations.
Click + Webhook.
Enter the Webhook URL.
Click Test. If the test result is not successful, check the Webhook URL.
When you configure alerts to a Webhook, Nightfall AI sends occasional POST requests to the Webhook URL:
To validate that the Webhook is properly configured before the policy is saved.
Periodically thereafter to ensure that the Webhook is still valid.
Click + Jira Ticket.
Select a JIRA project from the Jira Project drop-down menu.
Select an issue type from the Issue Type drop-down menu.
A confirmation pop-up box is displayed to confirm if the JIRA settings configured for the Salesforce integration must be applied to all the other Nightfall integrations too.
Select No, only integration level to use the configurations only for Salesforce, or select Yes, please to use the selected JIRA configurations for all the Nightfall integrations.
When a Violation occurs, Nightfall sends a notification to the end-user whose action triggered the violation. The notification carries a message whose text you can draft here; this message applies to all the policies in the integration. Click Save changes once done.
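The Webhook channel in the alert-configuration procedures above (for the macOS/Windows integration and for the Salesforce integration alike) needs an endpoint that answers 200 to the validation post when the channel is saved and to the periodic posts that follow, without treating those pings as incidents. The receiver below is an added example written for this page, not Nightfall's own code. It assumes the listener sits behind a TLS-terminating reverse proxy that only forwards traffic from Nightfall (the page describes no request signature, so the network boundary is what authenticates requests), that the test ping has the shape shown on this page, and that any other JSON body is an alert event. The bind address and the event-log path are assumptions.

```powershell
# Added example (not Nightfall code): classify incoming Webhook bodies and acknowledge them.
function Get-NightfallWebhookKind {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Body)
    # 'test'    -> validation ping sent when the channel is saved and periodically thereafter
    # 'alert'   -> an alert event to be consumed
    # 'invalid' -> body is not JSON
    try   { $obj = $Body | ConvertFrom-Json -ErrorAction Stop } catch { return 'invalid' }
    if ($null -eq $obj) { return 'invalid' }
    if ($obj.service -eq 'nightfall' -and $obj.test -eq $true) { return 'test' }
    return 'alert'
}

function Start-NightfallWebhookReceiver {
    param(
        [string]$Prefix   = 'http://localhost:8080/nightfall/',                       # assumed bind
        [string]$EventLog = (Join-Path $env:ProgramData 'Nightfall\webhook-events.jsonl')  # assumed path
    )
    New-Item -ItemType Directory -Path (Split-Path -Parent $EventLog) -Force | Out-Null
    $listener = [System.Net.HttpListener]::new()
    $listener.Prefixes.Add($Prefix)
    $listener.Start()
    Write-Output "Listening on $Prefix (Ctrl+C to stop)"
    try {
        while ($listener.IsListening) {
            $ctx = $listener.GetContext()
            $req = $ctx.Request
            $res = $ctx.Response
            if ($req.HttpMethod -ne 'POST') { $res.StatusCode = 405; $res.Close(); continue }
            $reader = [System.IO.StreamReader]::new($req.InputStream, $req.ContentEncoding)
            try { $body = $reader.ReadToEnd() } finally { $reader.Dispose() }
            switch (Get-NightfallWebhookKind -Body $body) {
                # Acknowledge the ping so the channel validates; never page anyone on it.
                'test'  { $res.StatusCode = 200 }
                # Real events are appended one JSON document per line for downstream tooling.
                'alert' { Add-Content -Path $EventLog -Value $body; $res.StatusCode = 200 }
                default { $res.StatusCode = 400 }
            }
            $res.Close()
        }
    }
    finally { $listener.Stop() }
}

# Constructed inputs: the test ping from this page, a made-up alert body, and a malformed body.
Get-NightfallWebhookKind -Body '{"service":"nightfall","test":true,"timestamp":"2024-03-07T23:18:39Z"}'
Get-NightfallWebhookKind -Body '{"service":"nightfall","event":"violation","policy":"constructed example"}'
Get-NightfallWebhookKind -Body 'not json'
# Start-NightfallWebhookReceiver    # run on the host behind your reverse proxy
```

Because the page does not describe any signing of Webhook requests, anything that can reach the listener can write into the event log; keep the endpoint unreachable except through the proxy allow-list and treat the log as untrusted input when it feeds a SIEM or ticketing automation.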
This document explains the process of installing the Nightfall AI agent using JAMF.
The JAMF installation consists of the following steps.
API_KEY=your_api_key_here COMPANY_ID=your_company_id_here
⚠️ Important:
- Do NOT include msiexec /i NightfallAgent.msi — This is handled automatically.
- Do NOT wrap the values in double quotes.
✅ Correct Example: API_KEY=ufapuhaefaw COMPANY_ID=qohuifpqrwf
On the Nightfall console:
The newly configured device should be listed under https://app.nightfall.ai/endpoint.

If you select the All Drives, except for option, you can exclude some shared drives from being monitored.
If you select the Specific Shared Drives option, you get the option to choose specific Shared drives for monitoring.
Click Save.
The Webhook endpoint must return a 200 status code if the request is successful. An example of a Webhook request is as follows.
These test posts are part of normal alert-event consumption and can be ignored.
Click Save changes.
{
  "service": "nightfall",
  "test": true,
  "timestamp": "2024-03-07T23:18:39Z"
}
You are a Systems Administrator in Nightfall
You have administrator access to Kandji
The Kandji APN is set.
The target macOS devices are onboarded.
On your Nightfall console, navigate to https://app.nightfall.ai/endpoint and click the Download Package button on the top right corner of the page. Click Download Package for macOS and unpack the contents of the downloaded file.
To install the Nightfall agent in stealth mode (without notifying the end-user), see Install Nightfall AI Agent for MAC OS.
mdm_pre_installation_script.sh
The script is used by MDMs to ensure that a macOS machine is in a clean state before installing the Nightfall Agent. It wipes any existing Nightfall installation and prepares a clean environment for a new install, including:
Loading API keys
Rebuilding folders
Resetting launch daemons
NightfallAI_Profile_with_Browser_Extension.mobileconfig
This profile is designed to pre-authorize and enable what the Nightfall Endpoint Agent requires on a macOS machine without needing user prompts.
Silently installs/enables the Nightfall browser extension
Allows the extension to run without prompts
Authorizes required permissions (content inspection, file uploads, scanning)
This step enables automated mapping of user profiles to devices without requiring manual scripts.
API-based MDM onboarding allows Nightfall to automatically map the user email attribute to specific devices by syncing device inventory from your Iru (Kandji) instance.
To connect Iru (Kandji) to Nightfall, you'll need:
Iru (Kandji) Organization API URL (for example: yourcompany.api.kandji.io)
API Token with read access to device inventory
Log in to your Iru (Kandji) instance
Navigate to Settings > Access > API Token
Click Generate New Token
Configure the following:
Name: Nightfall Integration
Permissions: Select Read for:
Devices
Click Generate Token
Copy the API Token - you'll need this in the next step and it will only be shown once
Important: Store the API token securely. It will not be displayed again after you close the dialog.
Your Kandji Organization API URL follows this format: yourcompany.api.kandji.io
Where yourcompany is your organization's subdomain in Kandji.
You can find this in your Kandji admin panel:
Log in to Kandji
Look at your browser URL (e.g., https://yourcompany.kandji.io)
Your API URL is: yourcompany.api.kandji.io
Log in to the Nightfall Console at https://app.nightfall.ai
Navigate to Settings → MDM Profile
Click Add MDM
Select Kandji from the list of supported MDM providers
Enter the following information:
Kandji Organization API URL: Your Kandji API URL (e.g., yourcompany.api.kandji.io)
API Token: The API Token you created in Kandji
Click Connect
Nightfall will validate the credentials and begin syncing device information automatically.
Important: This API-based connection enables Nightfall to automatically map user email addresses to devices. You do not need to deploy any additional scripts for user-to-device mapping when using this method.
Once connected, Nightfall will periodically sync device inventory from Kandji. You can now proceed to deploy the Nightfall agent to your devices following the steps below.
Navigate to https://<your-company-name>.kandji.io/blueprints
Click New Blueprint on the top right corner.
Click New Blueprint on the pop up menu.
Enter a name for the blueprint in the Blueprint name field.
Enter a description for the blueprint in the Blueprint description field.
Click Create Blueprint.
In this section, we create a custom profile for each of the profiles provided in the Nightfall endpoint payload and assign them to the blueprint you have created in the previous section.
In the downloaded folder, locate the README.md under /Profiles to learn about the various MDM profiles available.
Choose the NightfallAI_Profile_with_Browser_Extensions.mobileconfig.
Navigate to https://<your-company-name>.kandji.io/library.
a. Click Add new.
b. Select Custom Profile and click Add & Configure on the pop-up window.
c. Add Title, Select Blueprint, and finally drag and drop the .mobileconfig file.
d. Click Save.
In this section, we will create a custom app item for Nightfall Endpoint Agent.
Navigate to https://<your-company-name>.kandji.io/library.
Click Add New.
Click Custom App
Click Add & Configure on the pop-up window.
a. Add Title, Select the Blueprint you previously created.
b. Select the Audit and enforce option.
c. Paste the content of mdm_kandji_audit_script into the Audit Script text box.
d. Choose the Installer Package option.
e. Add Preinstall Script & Upload the installer package.
I. Paste the content of mdm_pre_installation_script into the Pre-install Script text box.
II. Upload the installer package
i. Drag and drop or click to upload the provided nightfall-ai-agent_v*.*.*.pkg file
Save the changes and wait for them to deploy to the target devices.
Do I still need to install a Nightfall agent on devices after API-based onboarding?
Yes. API-based MDM onboarding enables Nightfall to map user email addresses to devices automatically. You still need to deploy the Nightfall agent to the devices using the steps above.
What permissions does Nightfall need in Kandji?
Nightfall requires least privilege access to device inventory. It does not modify device settings or configurations. The user email to device attribution is automatically managed with API-based MDM onboarding and no manual scripts are needed.
What happens if API credentials expire or are revoked?
If credentials expire or are revoked:
Device syncing will stop. New devices added or removed will not be reflected in Nightfall during that time.
Nightfall will surface an error in the console.
You can re-authenticate or update credentials without reconfiguring policies.
Can I disconnect or change my MDM connection later?
Yes. Contact Nightfall Support to disconnect or update your MDM connection from Settings → MDM Profile.
Who should I contact if onboarding fails?
If you encounter issues:
Verify API credentials and permissions in Kandji
Check the error message in the Nightfall console
Contact Nightfall Support for assistance
You are a Systems Administrator in Nightfall
You have administrator access to JAMF Pro
Target macOS devices are onboarded.
On your Nightfall console, navigate to and click the Download Package button on the top right corner of the page. Click Download Package for macOS and unpack the contents of the downloaded file.
To install the Nightfall agent in stealth mode (without notifying the end-user), see Install Nightfall AI Agent for MAC OS.
mdm_pre_installation_script.sh
The script is used by MDMs to ensure that a macOS machine is in a clean state before installing the Nightfall Agent. It wipes any existing Nightfall installation and prepares a clean environment for a new install, including:
Loading API keys
Rebuilding folders
Resetting launch daemons
NightfallAI_Profile_with_Browser_Extension.mobileconfig
This profile is designed to pre-authorize and enable what the Nightfall Endpoint Agent requires on a macOS machine without needing user prompts.
Silently installs/enables the Nightfall browser extension
Allows the extension to run without prompts
Authorizes required permissions (content inspection, file uploads, scanning)
This step enables automated mapping of user profiles to devices without requiring manual scripts.
API-based MDM onboarding allows Nightfall to automatically map the user email attribute to specific devices by syncing device inventory from your JAMF Pro instance.
To connect JAMF Pro to Nightfall, you'll need:
Jamf Pro URL (for example: https://yourcompany.jamfcloud.com)
Client ID
Client Secret
The Jamf Pro API client must have permissions to read device and computer inventory.
Log in to your JAMF Pro instance
Navigate to Settings > System > API Roles and Clients
Under the API Roles tab, click the + New button.
Log in to the Nightfall Console at
Navigate to Settings → MDM Profile
Click Add MDM
Nightfall will validate the credentials and begin syncing device information automatically.
Important: This API-based connection enables Nightfall to automatically map user email addresses to devices. You do not need to deploy any additional scripts for user-to-device mapping when using this method.
Once connected, Nightfall will periodically sync device inventory from JAMF Pro. You can now proceed to deploy the Nightfall agent to your devices following the steps below.
Do I still need to install a Nightfall agent on devices after API-based onboarding?
Yes. API-based MDM onboarding enables Nightfall to map user email addresses to devices automatically. You still need to deploy the Nightfall agent to the devices using the steps above.
What permissions does Nightfall need in JAMF Pro?
Nightfall requires least privilege access to device inventory. It does not modify device settings or configurations. The user email to device attribution is automatically managed with API-based MDM onboarding and no manual scripts are needed.
What happens if API credentials expire or are revoked?
If credentials expire or are revoked:
Device syncing will stop. New devices added or removed will not be reflected in Nightfall during that time.
Nightfall will surface an error in the console.
You can re-authenticate or update credentials without reconfiguring policies.
Can I disconnect or change my MDM connection later?
Yes. Contact Nightfall Support to disconnect or update your MDM connection from Settings → MDM Profile.
Who should I contact if onboarding fails?
If you encounter issues:
Verify API credentials and permissions in JAMF Pro
Check the error message in the Nightfall console
Contact Nightfall Support for assistance
This guide explains multiple ways to deploy the Nightfall Agent (NightfallAgent.msi) with the required API_KEY and COMPANY_ID parameters.
We cover:
PowerShell scripts (local, network share, download from URL)
You have the MSI installer (NightfallAgent.msi) provided by Nightfall.
Installation requires two properties:
API_KEY="YOUR-API-KEY"
COMPANY_ID="YOUR-COMPANY-ID"
Use this if you or your RMM tool place the .msi directly on the machine before running the script.
Use this if you keep the MSI on a file server. Make sure Domain Computers or the target machines have read access to the share.
⚠️ Use UNC paths (\\server\share\...) — mapped drives won’t work for GPO Startup scripts.
Use this if you host the MSI on an internal HTTPS server or CDN.
Recommended for domain-joined Windows machines. Use a Startup Script because the built-in “Software Installation” GPO cannot pass custom properties like API_KEY.
Steps:
Place the script (e.g., Install-NightfallAgent-FromShare.ps1) in
\\<domain>\SYSVOL\<domain>\scripts\Nightfall\
Ensure Domain Computers have read access.
In Group Policy Management:
If you have an MST transform that embeds API_KEY and COMPANY_ID, you can deploy the MSI via:
Computer Configuration → Policies → Software Settings → Software installation.
Add the MSI via UNC path.
Open its Properties → Modifications → Add your .mst.
Without an MST, use GPO via Startup Script instead.
One-liner for Testing
Run manually on a single machine (PowerShell elevated):
Check for expected services:
Confirm presence of the Nightfall AI icon in the system tray (this may take a few seconds).
Double click the icon
You should see a connected status as seen in the image above.
Instructions on how to install the Nightfall agent on Microsoft Windows using the JumpCloud MDM.
Configure the following:
Display Name: Nightfall API Role
Privileges: Grant access to:
Read Computer Inventory Collection
Read Mobile Device Inventory Collection
Read Computers
Click Save
Next, navigate to the API Clients tab and click the + New button.
Configure the following:
Display Name: Nightfall API Client
API roles: Select the newly created role.
Enable/disable API Client: Enable the API client.
Click Save
Copy the Client ID and Client Secret. You will need these in the next step.
Enter the following information:
Jamf Pro URL: Your JAMF instance URL (e.g., https://yourcompany.jamfcloud.com)
Client ID: The Client ID you created in JAMF Pro
Client Secret: The Client Secret you created in JAMF Pro
Click Connect
Choose NightfallAI_Profile_with_Browser_Extensions.mobileconfig.
Log in to your Jamf Pro account.
Navigate to Computers > Configuration Profiles.
Click the Upload button.
Click the Upload button and upload NightfallAI_Profile_with_Browser_Extensions.mobileconfig.
In the Scope tab, add the target devices or device groups to which this profile should be deployed.
Click Save.
Once assigned, profiles will be automatically deployed as part of the next Jamf inventory cycle.
The MDM profile has to be deployed on target machines prior to deploying additional payload. In Jamf, you can enforce this requirement through the creation of a Smart Group in which you can set the presence of the profile created above as a pre-requisite for any other payload targeting the group.
Locate the mdm_pre_install_check_script.sh file under the .\mdm_scripts\ folder.
On Jamf Pro, navigate to Settings > Computer management > Scripts
Click the + New button.
Enter a display name for the script (e.g., "Nightfall AI Pre-Installation Check").
Click on the Script tab.
Paste the contents of mdm_pre_install_check_script.sh into the script editor.
Click Save.
Locate the mdm_pre_installation_script.sh file under the .\mdm_scripts\ folder.
On Jamf Pro, navigate to Settings > Computer management > Scripts
Click the New button.
Enter a display name for the script (e.g., "Nightfall AI Pre-Installation Script").
Click on the Script tab.
Paste the contents of mdm_pre_installation_script.sh into the script editor.
Click Save.
Click the + New button.
Enter a display name for the package (e.g., "Nightfall AI Agent").
Click the Choose File button and upload nightfall-ai-agent-signed.pkg.
Click Save.
Click the + New button.
Enter a display name for the policy (e.g., "Deploy Nightfall AI").
From the General tab, configure the Trigger and Execution Frequency as needed.
Click Package from the left pane & click on configure
Add Nightfall AI Agent package
Click on Scripts from the left pane & click on configure
Add the Pre-Install Check Script and the Pre-Install Script. Set the Priority to Before, and run them once, in the following sequence, to prepare the machine for the package install:
Pre-Install Check Script
Pre-Install Script
Click on Scope and determine the Target, Limitations, and Exclusions per need.
Click Save.
Grants macOS Privacy Permissions required by Nightfall:
Full Disk Access (FDA)
System Events/Automation Permissions
Application Control Permissions
Configures the payloads for browser + system integration
Prevents users from tampering with the security controls
Installation is silent (/qn /norestart) and requires administrator rights.
Logging is enabled with /l*v for troubleshooting.
Go to Computer Configuration → Policies → Windows Settings → Scripts (Startup/Shutdown).
Add a Startup Script.
Script name: powershell.exe
Script parameters: -ExecutionPolicy Bypass -File "\\<domain>\SYSVOL\<domain>\scripts\Nightfall\Install-NightfallAgent-FromShare.ps1"
Apply the GPO to the desired OU.
Run gpupdate /force or reboot a target machine.

# Install-NightfallAgent-Local.ps1
$msiPath = "C:\Temp\NightfallAgent.msi"
$apiKey = "REPLACE_WITH_API_KEY"
$companyId = "REPLACE_WITH_COMPANY_ID"
$logDir = "C:\Windows\Temp\Nightfall"
$logFile = Join-Path $logDir "NightfallAgent_Install.log"
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
if (Test-Path $msiPath) {
Write-Output "MSI found at $msiPath. Starting install..."
$args = "/i `"$msiPath`" API_KEY=`"$apiKey`" COMPANY_ID=`"$companyId`" /qn /norestart /l*v `"$logFile`""
$proc = Start-Process "msiexec.exe" -ArgumentList $args -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -eq 0) {
Write-Output "Nightfall agent installed successfully."
} else {
Write-Output "Installer returned exit code $($proc.ExitCode). Check log: $logFile"
exit $proc.ExitCode
}
} else {
Write-Output "MSI not found at $msiPath. Skipping install."
exit 2
}

# Install-NightfallAgent-FromShare.ps1
$sourceMsi = "\\fileserver\software\Nightfall\NightfallAgent.msi"
$localMsi = "C:\Temp\NightfallAgent.msi"
$apiKey = "YOUR_API_KEY_HERE"
$companyId = "YOUR_SECRET_VALUE"
$logDir = "C:\Windows\Temp\Nightfall"
$logFile = Join-Path $logDir "NightfallAgent_Install.log"
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
New-Item -ItemType Directory -Path (Split-Path $localMsi) -Force | Out-Null
Write-Output "Copying MSI from $sourceMsi to $localMsi..."
Copy-Item -Path $sourceMsi -Destination $localMsi -Force -ErrorAction Stop
if (Test-Path $localMsi) {
Write-Output "Copy complete. Starting install..."
$args = "/i `"$localMsi`" API_KEY=`"$apiKey`" COMPANY_ID=`"$companyId`" /qn /norestart /l*v `"$logFile`""
$proc = Start-Process "msiexec.exe" -ArgumentList $args -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -eq 0) {
Write-Output "Nightfall agent installed successfully."
} else {
Write-Output "Installer returned exit code $($proc.ExitCode). Check log: $logFile"
exit $proc.ExitCode
}
} else {
Write-Output "MSI copy failed. Check share permissions and path."
exit 3
}

# Install-NightfallAgent-FromUrl.ps1
# Purpose: Download the Nightfall MSI from a URL, validate it looks like a real MSI, then install silently.
# Notes:
# - Run elevated (admin). Works as a GPO Startup script.
# --- EDIT THESE VALUES ---
$downloadUrl = "https://example.com/NightfallAgent.msi" # <-- Replace with your direct MSI URL
$localMsi = "C:\Temp\NightfallAgent.msi"
$apiKey = "<API_KEY>" # <-- Replace
$companyId = "<COMPANY_ID>" # <-- Replace
# --------------------------
$ErrorActionPreference = "Stop"
# Paths for logging
$logDir = "C:\Windows\Temp\Nightfall"
$logFile = Join-Path $logDir "NightfallAgent_Install.log"
# Ensure folders exist
New-Item -ItemType Directory -Path (Split-Path $localMsi) -Force | Out-Null
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
# Helper: quick MSI signature + size sanity check
function Test-IsMsi {
param([string]$Path)
if (-not (Test-Path $Path)) { return $false }
$len = (Get-Item $Path).Length
if ($len -lt 1MB) { return $false } # tiny files are likely HTML/error pages
# MSI is a CFBF (OLE) container: header D0 CF 11 E0 A1 B1 1A E1
$fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
try {
$buf = New-Object byte[] 8
[void]$fs.Read($buf, 0, 8)
$hex = ($buf | ForEach-Object { $_.ToString("X2") }) -join " "
return ($hex -eq "D0 CF 11 E0 A1 B1 1A E1")
} finally {
$fs.Close()
}
}
Write-Output "Downloading MSI from $downloadUrl ..."
try {
# Use HttpClient for robust redirects + streaming
Add-Type -AssemblyName System.Net.Http
$handler = New-Object System.Net.Http.HttpClientHandler
$handler.AllowAutoRedirect = $true
# Brotli is not a member of DecompressionMethods on .NET Framework, so it is omitted to keep the script working under Windows PowerShell 5.1 (the host for GPO Startup scripts)
$handler.AutomaticDecompression = [System.Net.DecompressionMethods]::GZip -bor `
[System.Net.DecompressionMethods]::Deflate
$client = New-Object System.Net.Http.HttpClient($handler)
$client.Timeout = [TimeSpan]::FromMinutes(10)
$client.DefaultRequestHeaders.UserAgent.ParseAdd("Nightfall-Agent-Installer/1.0")
$response = $client.GetAsync($downloadUrl, [System.Net.Http.HttpCompletionOption]::ResponseHeadersRead).GetAwaiter().GetResult()
if (-not $response.IsSuccessStatusCode) {
throw "HTTP $([int]$response.StatusCode) $($response.ReasonPhrase)"
}
$stream = $response.Content.ReadAsStreamAsync().GetAwaiter().GetResult()
$tmp = "$localMsi.download"
$fs = [System.IO.File]::Open($tmp, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None)
try {
$buffer = New-Object byte[] (1024*256) # 256 KB chunks
while (($read = $stream.Read($buffer, 0, $buffer.Length)) -gt 0) {
$fs.Write($buffer, 0, $read)
}
} finally {
$fs.Dispose()
$stream.Dispose()
$client.Dispose()
$handler.Dispose()
}
if (Test-Path $localMsi) { Remove-Item $localMsi -Force }
Move-Item $tmp $localMsi -Force
} catch {
Write-Error "Download failed: $($_.Exception.Message)"
exit 100
}
# Validate the download looks like a real MSI
if (-not (Test-IsMsi -Path $localMsi)) {
$size = (Get-Item $localMsi).Length
Write-Error "Downloaded file does not look like a valid MSI (size=$size bytes). The URL may be a landing page or error."
exit 101
}
# Remove MOTW just in case
try { Unblock-File -Path $localMsi -ErrorAction SilentlyContinue } catch {}
# Install silently with logging
Write-Output "MSI validated. Installing Nightfall Agent..."
$args = "/i `"$localMsi`" API_KEY=`"$apiKey`" COMPANY_ID=`"$companyId`" /qn /norestart /l*v `"$logFile`""
$proc = Start-Process "msiexec.exe" -ArgumentList $args -Wait -PassThru -NoNewWindow
switch ($proc.ExitCode) {
0 { Write-Output "Nightfall Agent installed successfully."; exit 0 }
1603 { Write-Error "Fatal error during installation (1603). See log: $logFile"; exit 1603 }
1618 { Write-Error "Another installation is already in progress (1618)."; exit 1618 }
1620 { Write-Error "Package could not be opened (1620). File may be invalid. See log: $logFile"; exit 1620 }
default { Write-Error "Installer returned exit code $($proc.ExitCode). See log: $logFile"; exit $proc.ExitCode }
}

# One-liner for testing (run in an elevated PowerShell session); the log directory is created first so msiexec can open the log file
$msiPath="C:\Temp\NightfallAgent.msi"; New-Item -ItemType Directory -Path "C:\Windows\Temp\Nightfall" -Force | Out-Null; Start-Process msiexec.exe -ArgumentList "/i `"$msiPath`" API_KEY=`"YOUR_API_KEY_HERE`" COMPANY_ID=`"YOUR_SECRET_VALUE`" /qn /norestart /l*v `"C:\Windows\Temp\Nightfall\NightfallAgent_Install.log`"" -Wait

# Check for expected services
Get-Service Nightfall*

# Uninstall script: locate the installed NightfallAI Agent via Win32_Product and remove it by ProductCode
$ProductName = "NightfallAI Agent"
# Function to retrieve installed products matching product name
function Get-MatchingProducts($name) {
Write-Host "Searching for products matching: '$name'..."
Get-WmiObject -Class Win32_Product -ErrorAction SilentlyContinue |
Where-Object { $_.Name -like "*$name*" }
}
# Function to uninstall a product by ProductCode
function Uninstall-Product($product) {
$name = $product.Name
$productCode = $product.IdentifyingNumber
if ($productCode) {
Write-Host "Uninstalling '$name' (ProductCode: $productCode)..." -ForegroundColor Green
Start-Process "msiexec.exe" -ArgumentList "/x $productCode /qn" -Wait -NoNewWindow
Write-Host "Uninstalled: $name" -ForegroundColor Green
} else {
Write-Warning "Skipping ${name}: missing ProductCode."
}
}
# Try finding the initial product
$products = Get-MatchingProducts -name $ProductName
# If not found, try old NightfallAI Agent name 'Agent'
if (-not $products -or $products.Count -eq 0) {
Write-Warning "No installed products found matching: '$ProductName'"
Write-Host "Trying to search for old NightfallAgent name : 'Agent'" -ForegroundColor Yellow
$products = Get-MatchingProducts -name "Agent"
}
# Final check before uninstall
if (-not $products -or $products.Count -eq 0) {
Write-Host "No matching products found for either '${ProductName}' or 'Agent'."
exit 1
}
foreach ($product in $products) {
Uninstall-Product -product $product
}
The Nightfall Windows Agent (MSI) and its associated parameters (API_KEY / COMPANY_ID), obtained from the Nightfall Endpoint page → Download Packages.
Internal device group or OU targeting plan within JumpCloud (for example: Windows corporate laptops, desktops, etc).
Communication to end-users (if needed) and any documentation of maintenance windows or reboots.
Valid credentials / admin rights on target Windows devices (or ability via MDM / script to install silently).
Use JumpCloud’s Commands/Policies feature to deploy the Nightfall Agent silently to the target Windows device group:
In JumpCloud Admin Portal: Device Management → Commands → Commands tab → click + Command (or use Policies if available)
Type: Windows
Check "Windows PowerShell"
Command: Copy/paste in the command shown below.
Replace the File Destination ($msi value) as needed or leave as-is.
Replace the API_KEY and COMPANY_ID with what is in the Nightfall console.
Command Name: (e.g., “Install Nightfall Agent Windows”)
Under Files > click + File > upload the NightfallAgent.msi
Copy the File Destination, the path to which JumpCloud MDM copies the MSI on the enrolled devices.
Choose a Device Group
Navigate to the Device Groups tab.
Check the group to use for deployment.
Click "Save".
Click "Run Now".
After installation, verify that the Nightfall Agent is functioning correctly:
In JumpCloud, Device Management → Devices, check that the device remains active and that there are no policy conflicts or errors.
In the Nightfall Console → Integrations → Manage (macOS or Windows) → confirm the device is in the “Connected” state.
On the Windows machine, check Programs & Features to confirm “Nightfall Agent” appears.
In Services (services.msc), verify the Nightfall service is installed and running.
Confirm that the NightfallUI app is shown on the taskbar and that the Version, Company UUID, and Device ID are correct.
Conduct a simple test of exfiltration detection (per your internal policy) to ensure the agent is monitoring as expected.
Ensure that the MSI installation parameters (API_KEY, COMPANY_ID) are correct and correspond to your Nightfall account.
If installation fails silently, re-run the installation with log flags and check the install log file:
If devices have pending reboots or other software installations, consider staging installation to avoid conflicts.
Because you’re installing via JumpCloud, ensure the device’s JumpCloud Agent is up-to-date and reporting properly before deploying Nightfall.
For stealth or minimal-disruption deployment (if desired), schedule installs during off-hours and consider using silent /qn /norestart. The Nightfall Windows guide supports silent installs.
Document versioning of Nightfall Agent: if you need to upgrade later, consider how you’ll script uninstall + reinstall or patch. The MSI guide covers uninstall.
Monitor JumpCloud’s device compliance and policy execution logs to ensure the command executed successfully.
In JumpCloud Admin Portal: Device Management → Commands → + Command
Type: Windows
Check "Windows PowerShell"
Command: Copy/paste in the command shown below:
Command Name: (e.g., “Uninstall NightfallAI Agent Windows”)
Choose a Device Group
Navigate to the Device Groups tab.
Check the group to use for deployment.
Run whenever needed.
Nightfall Windows Agent MSI Deployment Guide – Nightfall Help Center: Install Nightfall AI Agent for Windows OS
JumpCloud Windows Agent Installation Walk-through – JumpCloud Support: JumpCloud Agent Windows Installation Walkthrough
JumpCloud Commands / Remote Application Install guide: Install Applications Remotely via JumpCloud
No. It must be explicitly enabled in endpoint exfiltration policies.
Session differentiation only applies to supported domains and actions. If unavailable, the field remains empty.
Yes. Differentiation is based on account session, not just domain.
Yes. Use Domain in with Corporate Domains and enable User Session Check.
Nightfall automatically populates the Corporate Domains collection by analyzing user email addresses and email alias domains from all connected identity providers (IdPs), including Okta, Entra ID, and Google Directory. Any domain or alias domain associated with users in these directory services is treated as a corporate domain.
The initial population happens when the Nightfall endpoint agent is first enabled (on the first provisioned OS, macOS or Windows). At that time, Nightfall fetches all user email and alias domains from the connected identity providers and populates the Corporate Domains collection.
After the initial population, the collection is periodically refreshed (hourly) to capture any newly discovered domains or updates from the connected identity providers.
Yes. All supported browsers provide identical protection across file uploads, clipboard actions, and personal vs. business enforcement.
Safari is supported but Nightfall has not yet enabled Safari extension distribution. As a result, customers cannot currently deploy a publicly available Nightfall plugin on Safari but can install a private package.
Perplexity Comet’s Windows version prevents third-party browser extension installation, which blocks Nightfall deployment.
ChatGPT Atlas is not available on Windows at this time.
The capabilities below are not supported on Perplexity Comet and OpenAI/ChatGPT Atlas.
ChatGPT Atlas
Personal vs. Business, menu + paste blocking are not supported; File upload monitoring and blocking is supported
Sidebar assistant: Cannot monitor activity in the sidebar assistant
Perplexity Comet
File upload monitoring and blocking is supported
Nightfall browser plugin cannot track activity until a URL is loaded
Paste-then-navigate scenario: If users paste content in the initial attempt before URL changes, Nightfall cannot track it
No. Arc, Brave, and Vivaldi receive full feature parity with Chrome.
Yes. Nightfall policies apply consistently across all supported browsers and operating systems.
Below is a concise summary of Nightfall functionality across each supported browser and operating system.
Google Chrome
macOS & Windows: Fully supported
Capabilities: File uploads, clipboard copy/paste, and personal vs. business detection
Notes: Full feature parity across both operating systems
Microsoft Edge
macOS & Windows: Fully supported
Capabilities: File upload protection, clipboard monitoring, and personal vs. business enforcement
Notes: Equivalent security coverage to Chrome
Firefox
macOS & Windows: Fully supported
Capabilities: Full data exfiltration protection including file uploads, clipboard actions, and personal vs. business detection
Notes: No functional differences across OS
Arc
macOS & Windows: Fully supported
Capabilities: File uploads, clipboard protection, and personal vs. business detection
Notes: Full feature parity with Chrome
Brave
macOS & Windows: Fully supported
Capabilities: Complete exfiltration protection including file uploads, clipboard actions, and personal vs. business detection
Notes: No feature gaps compared to Chrome
Vivaldi
macOS & Windows: Fully supported
Capabilities: Full coverage for file uploads, clipboard monitoring, and personal vs. business enforcement
Notes: Consistent functionality across OS
Perplexity Comet
macOS: Supported
Windows: Not supported
Capabilities (macOS): Exfiltration protection including file uploads, clipboard actions.
ChatGPT Atlas
macOS: Supported
Windows: Not available
Capabilities (macOS): File uploads, clipboard monitoring
Safari
macOS: Not currently supported for deployment
Windows: Not supported
Notes: Safari extension distribution is not yet available
If I use the Filter in the Scope section to add my Slack domain, and then download a file from the Slack app, will Nightfall monitor this download?
Yes. Nightfall monitors the downloads even from the Slack app.
What happens if I don’t configure any removable media filters?
If no Device Type, Vendor, or Serial Number filters are configured, the policy applies to all removable media by default. This is equivalent to selecting Monitor all for every device filter.
How do include and exclude filters work together?
Nightfall evaluates device filters using the following precedence:
Include rules are evaluated first
Exclude rules always override include rules
If no include filters are set, the policy defaults to include all
This ensures that exclusions (for example, approved corporate devices) are always respected.
What if I select a specific vendor and a specific serial number in the removable media filters?
Both conditions must match for the policy to apply:
The device must belong to the selected vendor
The device’s serial number must match the specified serial number
If either condition does not match, the policy is not triggered.
What happens if a removable media device matches an included vendor but is explicitly excluded by serial number?
The device will not trigger the policy. Serial number exclusions always take precedence, even if the vendor or device type is included.
What if the device does not report a serial number?
If a removable device does not expose a serial number:
Vendor and Device Type filters are still evaluated
Serial number–based include or exclude rules will not match
In these cases, enforcement behavior is determined by the remaining configured filters.
Can I allow only a small number of approved USB devices?
Yes. Configure:
Action: To removable media
Serial Number: Specific serial numbers
Enforcement: Block
Only the listed devices will be allowed. All other removable media will be blocked.
Can I block unknown USB drives but allow corporate-issued ones?
Yes. You can either:
Exclude approved vendors, or
Exclude approved serial numbers
All other removable devices will remain in scope for enforcement.
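The precedence rules in the answers above (include first, exclude always wins, empty include means Monitor all, vendor and serial must both match, a missing serial matches no serial rule) are easy to misread, so here they are as an added, runnable model. This is example code, not Nightfall's implementation; the field names (device_type, vendor, serial) and the sample devices are assumptions.

```python
"""Removable-media device filter precedence, modelled in Python.

Added example, not Nightfall's code. Encodes the rules stated in the FAQ:
include rules are evaluated first, exclude rules always override include
rules, an empty include set means "Monitor all", vendor and serial
conditions must both match, and a device that reports no serial number
never matches serial-based include or exclude rules.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class Device:
    device_type: str              # e.g. "USB Mass Storage" (assumed field name)
    vendor: str                   # e.g. "SanDisk"
    serial: Optional[str] = None  # None: the device does not expose a serial


@dataclass(frozen=True)
class FilterSet:
    """Include/exclude lists for one filter dimension (type, vendor or serial)."""
    include: frozenset = frozenset()  # empty == "Monitor all"
    exclude: frozenset = frozenset()


@dataclass(frozen=True)
class RemovableMediaFilters:
    device_type: FilterSet = field(default_factory=FilterSet)
    vendor: FilterSet = field(default_factory=FilterSet)
    serial: FilterSet = field(default_factory=FilterSet)


def _check_dimension(value: Optional[str], fs: FilterSet) -> Tuple[bool, bool]:
    """Return (included, excluded) for one dimension.

    A missing value matches neither include nor exclude rules, so it counts
    as included only when no include filter is configured for that dimension.
    """
    if value is None:
        return (not fs.include, False)
    included = (not fs.include) or value in fs.include
    excluded = value in fs.exclude
    return included, excluded


def policy_applies(device: Device, filters: RemovableMediaFilters) -> bool:
    """True when the removable-media policy is in scope for this device."""
    checks = [
        _check_dimension(device.device_type, filters.device_type),
        _check_dimension(device.vendor, filters.vendor),
        _check_dimension(device.serial, filters.serial),
    ]
    # Exclude rules always override include rules.
    if any(excluded for _, excluded in checks):
        return False
    # Every configured include condition must match (vendor AND serial ...).
    return all(included for included, _ in checks)


def corporate_allowlist(approved_serials) -> RemovableMediaFilters:
    """'Block unknown drives but allow corporate-issued ones' via serial exclusions."""
    return RemovableMediaFilters(serial=FilterSet(exclude=frozenset(approved_serials)))


if __name__ == "__main__":
    # Constructed sample devices.
    corp = Device("USB Mass Storage", "SanDisk", "CORP-0001")
    stray = Device("USB Mass Storage", "Kingston", "KX-77")
    no_serial = Device("USB Mass Storage", "SanDisk", None)
    filters = corporate_allowlist({"CORP-0001"})
    for d in (corp, stray, no_serial):
        print(f"{d.vendor:8} {str(d.serial):10} -> policy applies: {policy_applies(d, filters)}")
```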
Does Nightfall continuously support new removable media vendors?
Yes. Nightfall supports ~1,200 removable media vendors out of the box, and vendor recognition is continuously updated as new devices are observed in the wild.
Customers do not need to manually onboard new vendors to receive baseline coverage.
Is enforcement applied if no sensitive data is detected?
Removable media policies are only enforced when sensitive content is detected according to your configured detection rules. If no sensitive data is found, the file transfer is allowed. You can also block usage of removable media based on a data lineage policy without any content scanning enabled.
Can I both monitor and block removable media activity?
Yes. Policies can be configured to block transfers while still logging events for audit and investigation purposes.
Which operating systems are supported?
Endpoint Exfiltration Prevention for removable media is supported on:
Windows endpoints
macOS endpoints
Behavior may vary slightly based on OS-level device reporting, but enforcement logic remains consistent.
Does Nightfall inspect or scan my source code?
No. Git Push Monitoring does not inspect source code, commits, diffs, file names, or repository contents. Nightfall evaluates only metadata associated with the Git push action, such as the destination URL, repository name, user, and device. To scan secrets or any other PII, PCI, PHI or file classifiers in GitHub, you can use Nightfall’s detection and response policies.
Is any code copied, stored, or transmitted to Nightfall?
No. Nightfall does not collect or store source code. Only high-level metadata required to identify the Git push event is processed.
Does Nightfall block Git pushes?
No. Git Push Monitoring is a monitor-only control. Git operations always complete successfully. When a policy violation occurs, Nightfall generates an event but does not interrupt developer workflows.
What Git commands are supported?
Nightfall detects Git push activity regardless of how the push is initiated. The following commands are supported and validated through testing:
git push
git push origin <branch>
git push --set-upstream origin <branch>
git push -u origin <branch>
Pushes triggered indirectly (for example, by scripts or wrappers that ultimately invoke git push) are also detected.
Are both HTTPS and SSH Git pushes supported?
Yes. Git Push Monitoring supports:
HTTPS-based Git remotes (e.g., https://github.com/org/repo.git)
SSH-based Git remotes (e.g., git@github.com:org/repo.git)
The destination domain is extracted and evaluated consistently across both protocols.
Are IDE-based Git actions supported?
Yes. Git pushes initiated from popular IDEs and Git clients are supported, including:
VS Code Git integration
JetBrains IDEs (IntelliJ, PyCharm, WebStorm, etc.)
GitHub Desktop
Sourcetree
As long as the IDE ultimately invokes a Git push operation on a managed endpoint, Nightfall detects the activity.
Are terminal / CLI Git pushes supported?
Yes. Git pushes executed directly from:
macOS Terminal
iTerm
Windows Git Bash / PowerShell (where supported by the endpoint agent)
are fully supported.
How does Nightfall handle multiple Git remotes?
If a repository has multiple remotes configured (for example, origin and personal), Nightfall evaluates the specific remote used during the push.
Example:
git push origin main → evaluated against origin destination
git push personal main → evaluated against personal destination
Events accurately reflect the remote and destination URL used.
What happens with new, empty, or scratch repositories?
Nightfall detects Git pushes to:
Newly created repositories
Empty repositories
Scratch or temporary repositories
Even if the repository has no prior history, detection is based on the destination domain and repository URL.
How are corporate GitHub and GitLab organizations supported?
Customers can define approved Git destinations using Domain Collections, including:
GitHub organizations (e.g., github.com/company-org/*)
GitLab cloud namespaces
Wildcard matching is supported to simplify configuration.
What happens if a developer pushes to a personal GitHub account?
If the destination domain or repository does not match the approved domain list:
The push succeeds
A Git Push event is generated
Security teams can investigate and respond
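To make the HTTPS/SSH, multiple-remote and approved-destination answers above concrete, here is an added Python model of how a push destination can be derived and checked; it is example code, not Nightfall's implementation. The event fields, the sample remotes, the user/device values and the approved patterns are assumptions.

```python
"""Git Push Monitoring destination evaluation, modelled in Python.

Added example, not Nightfall's code. Derives a destination consistently
from HTTPS, ssh:// and scp-style SSH remotes, evaluates it against approved
Domain Collection entries (exact hosts or wildcard patterns such as
github.com/company-org/*), evaluates only the remote actually used in the
push, and never blocks: an out-of-policy push yields an event, nothing more.
"""
import fnmatch
import re
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlparse

# scp-style remote: [user@]host:path   (e.g. git@github.com:org/repo.git)
_SCP_LIKE = re.compile(r"^(?:[^@/]+@)?(?P<host>[^:/]+):(?P<path>.+)$")


def parse_remote(url: str) -> Tuple[str, str]:
    """Return (host, repo_path) with the .git suffix and leading '/' removed."""
    if "://" in url:                       # https://, ssh://, git://
        parsed = urlparse(url)
        if not parsed.hostname:
            raise ValueError(f"no host in remote: {url}")
        host, path = parsed.hostname, parsed.path.lstrip("/")
    else:
        m = _SCP_LIKE.match(url)
        if not m:
            raise ValueError(f"unrecognised remote: {url}")
        host, path = m.group("host"), m.group("path")
    if path.endswith(".git"):
        path = path[:-4]
    return host.lower(), path.rstrip("/")


def destination(url: str) -> str:
    """Canonical 'host/org/repo' string used for policy matching."""
    host, path = parse_remote(url)
    return f"{host}/{path}"


def in_domain_collection(dest: str, patterns: Iterable[str]) -> bool:
    """A bare host entry approves the whole host; '*' wildcards match the rest."""
    host = dest.split("/", 1)[0]
    for pat in patterns:
        pat = pat.lower().rstrip("/")
        if pat == host or fnmatch.fnmatchcase(dest, pat):
            return True
    return False


def evaluate_push(remote: str, remotes: Dict[str, str],
                  approved: Iterable[str], user: str = "dev@example.com",
                  device: str = "LAPTOP-01") -> Optional[dict]:
    """Monitor-only: the push always proceeds; return an event when the
    destination is outside the approved collection, else None."""
    url = remotes[remote]                  # only the remote actually used counts
    dest = destination(url)
    if in_domain_collection(dest, approved):
        return None
    return {
        "action": "git push",
        "remote": remote,
        "destination": dest,
        "destination_domain": dest.split("/", 1)[0],
        "user": user,                      # assumed event fields
        "device": device,
        "blocked": False,                  # Git Push Monitoring never interrupts the push
    }


if __name__ == "__main__":
    approved = ["github.com/company-org/*", "gitlab.com/company-group/*"]
    remotes = {                            # constructed repo with two remotes
        "origin": "git@github.com:company-org/repo.git",
        "personal": "https://github.com/jdoe/scratch.git",
    }
    for name in ("origin", "personal"):
        print(f"git push {name} main ->", evaluate_push(name, remotes, approved) or "no event")
```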
Are unmanaged devices monitored?
No. Git Push Monitoring requires the Nightfall endpoint agent. Git activity from unmanaged or offline devices is not detected.
What are the supported scenarios and capabilities with git push monitoring?
Support Matrix - The following matrix summarizes supported scenarios with git push monitoring by Nightfall:
# JumpCloud install command with MSI logging; $msi is the File Destination from the Files step
$msi = 'C:\Windows\Temp\NightfallAgent.msi'
$args = @(
'/i', "`"$msi`""
'API_KEY="<API_KEY>"'
'COMPANY_ID="<COMPANY_ID>"'
'INSTALL_NF_DRIVER=1'
'/qn'
'/L*V', 'C:\Windows\Temp\NightfallAgent-install.log'
)
Start-Process msiexec.exe -ArgumentList $args -Wait -NoNewWindow
# Uninstall "NightfallAI Agent" silently via MSI ProductCode, with full logging.
# Works for both 64-bit and 32-bit (WOW6432Node) installs.
$TargetDisplayName = 'NightfallAI Agent'
$UninstallHives = @(
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
Write-Host "Searching for '$TargetDisplayName' in uninstall registry..." -ForegroundColor Cyan
$found = $null
foreach ($hive in $UninstallHives) {
if (-not (Test-Path $hive)) { continue }
foreach ($sub in Get-ChildItem $hive -ErrorAction SilentlyContinue) {
try {
$p = Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue
if ($p.DisplayName -eq $TargetDisplayName) {
$found = [pscustomobject]@{
KeyName = $sub.PSChildName
KeyPath = $sub.PSPath
DisplayName = $p.DisplayName
UninstallString = $p.UninstallString
}
break
}
} catch { }
}
if ($found) { break }
}
if (-not $found) {
Write-Host "Not installed: $TargetDisplayName — nothing to do." -ForegroundColor Yellow
exit 0
}
Write-Host "Found:" -ForegroundColor Green
Write-Host " Key: $($found.KeyPath)"
Write-Host " UninstallString: $($found.UninstallString)"
# Try to extract ProductCode (GUID) from key name or UninstallString
$guid = $null
if ($found.KeyName -match '^\{[0-9A-Fa-f-]{36}\}$') { $guid = $found.KeyName }
elseif ($found.UninstallString -match '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}') { $guid = $matches[0] }
$LogPath = 'C:\Windows\Temp\NightfallAgent-uninstall.log'
if ($guid) {
Write-Host "Using ProductCode $guid for silent uninstall via msiexec..."
$args = @('/x', $guid, '/qn', '/norestart', '/L*V', $LogPath)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -PassThru -NoNewWindow
$code = $proc.ExitCode
Write-Host "msiexec exit code: $code"
if (Test-Path $LogPath) { Write-Host "MSI log: $LogPath" }
exit $code
}
else {
# Fallback: run the UninstallString directly (best effort).
# If it's msiexec without silent flags, try to add /qn /norestart.
$cmd = $found.UninstallString
if ([string]::IsNullOrWhiteSpace($cmd)) {
Write-Error "UninstallString missing — cannot continue."
exit 1
}
if ($cmd -match 'msiexec(\.exe)?\s+/I\s*(\{[^\}]+\})') {
# Convert /I to /x for remove, add silent + log
$guid2 = $matches[2]
Write-Host "Converting msiexec /I to silent remove for $guid2"
$args = @('/x', $guid2, '/qn', '/norestart', '/L*V', $LogPath)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -PassThru -NoNewWindow
$code = $proc.ExitCode
Write-Host "msiexec exit code: $code"
if (Test-Path $LogPath) { Write-Host "MSI log: $LogPath" }
exit $code
}
elseif ($cmd -match 'msiexec(\.exe)?') {
# It's some other msiexec form; append silent flags if missing
$aug = $cmd
if ($aug -notmatch '/qn') { $aug += ' /qn' }
if ($aug -notmatch '/norestart'){ $aug += ' /norestart' }
if ($aug -notmatch '/L\*V') { $aug += " /L*V `"$LogPath`"" }
Write-Host "Running: $aug"
$proc = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', $aug -Wait -PassThru -NoNewWindow
$code = $proc.ExitCode
Write-Host "msiexec exit code: $code"
if (Test-Path $LogPath) { Write-Host "MSI log: $LogPath" }
exit $code
}
else {
# Non-MSI uninstaller (unlikely for your MSI). Launch as-is.
Write-Host "Non-MSI uninstall string; executing as-is."
$proc = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', $cmd -Wait -PassThru -NoNewWindow
$code = $proc.ExitCode
Write-Host "Uninstaller exit code: $code"
exit $code
}
}

# Silent install of the Nightfall Agent MSI. API_KEY and COMPANY_ID are MSI public
# properties; INSTALL_NF_DRIVER=1 installs the Nightfall driver. Replace the placeholders
# before running. The API key is passed on the command line, so it is visible to anything
# that can read this process's command line while msiexec runs, stays in shell history,
# and would appear in a verbose MSI log if one is enabled; clear it from history afterwards.
$msi = 'C:\Windows\Temp\NightfallAgent.msi'
$msiArgs = @(
    '/i', "`"$msi`""
    'API_KEY="<API_KEY>"'
    'COMPANY_ID="<COMPANY_ID>"'
    'INSTALL_NF_DRIVER=1'
    '/qn'
)
$proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
Write-Host "msiexec exit code: $($proc.ExitCode)"   # 0 = success, 3010 = reboot required
exit $proc.ExitCode

Sidebar: Cannot monitor sidebar activity
Git push commands covered:
git push <remote> <branch>
git push --force / git push -f
git push --tags

Git Push Monitoring support matrix:
Category | Supported
Git Push (CLI) | ✅
Git Push (IDE-integrated) | ✅
HTTPS Git Remotes | ✅
SSH Git Remotes | ✅
Multiple Git Remotes | ✅
New / Empty Repositories | ✅
Force Push (--force) | ✅
Tag Pushes | ✅
Approved Domain Allowlist | ✅
Domain Not-In Enforcement | ✅
Managed Endpoints | ✅
Unmanaged Endpoints | ❌
Push Blocking | ❌
Learn the details available on the Nightfall Exfiltration Events page
The Nightfall Exfiltration page displays various details of the Exfiltration Events. An Exfiltration Event is automatically created in Nightfall when an Exfiltration policy is violated. The Event displays useful information like the integration on which the exfiltration occurred (Google Drive, Salesforce, macOS/Windows Endpoint), the name of the policy violated, the details of the asset responsible for the violation, and so on.
You can navigate to the Exfiltration Event page by clicking Exfiltration Prevention button from the left menu.
Once you land on the Exfiltration Events page, all the Exfiltration Events are listed. This is the Event list view. When you click an Event in the list, the details of only that Event are displayed. This is the Event Detail view.
Some of the Event features are common to both Exfiltration and Data Detection and Response. In such cases, we provide a link to the respective section in Data Detection and Response.
The Event list view contains a table which displays details of the Events. Refer to the corresponding section in Data Detection and Response to learn more about the details displayed in the Event list view.
You can filter the data in the list view by date or by integration. To filter the data by integration, execute the following steps.
Navigate to Exfiltration Prevention from the left menu.
Click Filter.
Click + Add Filter.
Select the check box of the required integration(s).
Click Apply.
Steps 2-6 filter the events so that only the alerts generated by the Windows OS are shown.
You can also use the date filter to view historic Exfiltration events. To learn more about how to use the historic time filter, refer to the corresponding section in Data Detection and Response.
Nightfall provides a powerful search bar to search for specific Exfiltration events, with various search operators. A search term is written as the search operator name, a colon, and the value in double quotes.
For example, to search for events that are in the Active state, use the State search operator with the value "Active".
The Exfiltration search operators provided by Nightfall are as follows.
Integration | Search operator | Description
Common | actor_Email | Search using the Email ID of the actor whose action triggered the Event.
Common | actor_Name | Search using the name of the actor (device name) from which the Event was triggered.
Common | event_id | Search the unique Exfiltration event ID.
Common | event_type | Search the Exfiltration event type.
Common | integration_name | Search the integration name.
Common | last_action | Search the last action taken on an event, for example Acknowledge, Ignore, Resolve, and so on.
Common | last_actioned_by | Search for the user who last took an action on the event.
Common | notes | Search the notes entered in an Event.
Common | policy_id | Search the unique policy ID.
Common | policy_name | Search the policy name.
Common | resource_content_type | Search the resource type of the file that was exfiltrated. Resource type refers to the file format, such as PDF, .doc, .docx, and so on.
Common | resource_id | Search the resource ID. This unique identifier is assigned to resources by their integration (Google Drive, Salesforce).
Common | resource_name | Search the resource name (file name) that was exfiltrated.
Common | resource_owner_email | Search the email of the user who owns the exfiltrated file.
Common | resource_owner_name | Search the name of the user who owns the exfiltrated file.
Common | state | Search the current status of the Event, such as Active, Acknowledge, and so on.
Common | violation_id | Search the unique violation ID of the event.
Common | violation_type | Search the violation type.
Endpoint | endpoint.device_id | Search the endpoint device ID of the device from which the exfiltration was performed.
Endpoint | endpoint.machine_name | Search the endpoint device name from which the exfiltration was performed.
Endpoint (Browser upload) | endpoint.browser_upload.browser_name | Search the Web browser that was used to upload the file.
Endpoint (Browser upload) | endpoint.browser_upload.domain | Search the domain name that was used to upload the file.
Endpoint (Browser upload) | endpoint.browser_upload.file_name | Search the name of the file.
Endpoint (Browser upload) | endpoint.browser_upload.origin.browser_name | Search the browser from which the exfiltrated file emerged.
Endpoint (Browser upload) | endpoint.browser_upload.origin.domain | Search the domain from which the exfiltrated file emerged.
Endpoint (Browser upload) | endpoint.browser_upload.origin.url | Search the exact URL from which the exfiltrated file emerged.
Endpoint (Browser upload) | endpoint.browser_upload.url | Search the URL used to upload the exfiltrated file.
Endpoint (Clipboard Copy/Paste) | endpoint.clipboard_copy.destination.browser_name | Search the destination browser name to which the copied data was pasted.
Endpoint (Clipboard Copy/Paste) | endpoint.clipboard_copy.destination.domain | Search the destination domain name to which the copied data was pasted.
Endpoint (Clipboard Copy/Paste) | endpoint.clipboard_copy.origin.browser_name | Search the origin browser name from which the data was copied.
Endpoint (Clipboard Copy/Paste) | endpoint.clipboard_copy.origin.domain | Search the origin domain name from which the data was copied.
Endpoint (Clipboard Copy/Paste) | endpoint.clipboard_copy.origin.url | Search the origin URL from which the data was copied.
Endpoint (Cloud Sync) | endpoint.cloud_sync.account_name | Search the name of the account to which the file was uploaded.
Endpoint (Cloud Sync) | endpoint.cloud_sync.account_type | Search the account type (personal/business) of the account to which the file was uploaded.
Endpoint (Cloud Sync) | endpoint.cloud_sync.app | Search the cloud storage app name (Google Drive, OneDrive) to which the file was uploaded.
Endpoint (Cloud Sync) | endpoint.cloud_sync.destination_file_path | Search the destination directory in the storage app to which the file was exfiltrated.
Endpoint (Cloud Sync) | endpoint.cloud_sync.email | Search the email ID of the account to which the file was uploaded.
Endpoint (Cloud Sync) | endpoint.cloud_sync.file_name | Search the name of the file which was uploaded to a cloud storage app.
Google Drive | gdrive.drive | Search a drive within Google Drive. Returns all the events that were exfiltrated from the searched drive.
Google Drive | gdrive.file_owner | Search a Google Drive user. Returns all the events that were owned by the searched user and were exfiltrated.
Google Drive | gdrive.label_name | Search a Google Drive label. Returns all the events that contained the searched label and were exfiltrated.
Google Drive | gdrive.permission | Search a Google Drive permission (restricted, public). Returns all the events that contain the searched permission and were exfiltrated.
Google Drive | gdrive.shared_external_email | Search the shared Gmail external email ID.
Google Drive | gdrive.shared_internal_email | Search the shared Gmail internal email ID.
Salesforce | salesforce.file.session_level | Search the session level of the Salesforce file.
Salesforce | salesforce.file.source_ip | Search the IP address of the source machine that initiated the exfiltration of the file.
Salesforce | salesforce.report.description | Search the description provided in the Salesforce report.
Salesforce | salesforce.report.event_source | Search the Salesforce report event source.
Salesforce | salesforce.report.operation | Search the Salesforce report operation.
Salesforce | salesforce.report.scope | Search the Salesforce report scope.
Salesforce | salesforce.report.session_level | Search the session level of the Salesforce report.
Salesforce | salesforce.report.source_ip | Search the source IP address of the Salesforce report.
To learn more about how to search special characters, refer to the corresponding section in Data Detection and Response. Nightfall allows you to share and download the Event data. The Share button creates a link to the current view with all the filters applied. When you click this link, the Events page opens with all the filters applied.
Once you have scoped the policy to the required devices and originating domains, you must define the trigger actions that are treated as exfiltration events.
Nightfall provides the following types of triggers that you can set as exfiltration events.
Browser Uploads: In this section, if an asset is uploaded through a browser to an online portal (for example, a social media website), you can define such events as exfiltration events.
Cloud Syncing: In this section, if an asset is uploaded to an online cloud storage application (for example, Google Drive), you can define such events as exfiltration events.
Search syntax: search operator name:"search term"
Example: State:"Active"
Clipboard Paste: In this section, if data is copied from a source and pasted to a destination, you can define such events as exfiltration events.
Git Push: Git Push Monitoring helps organizations detect when source code is pushed from managed endpoints to non-approved Git destinations. This feature is designed to prevent accidental or intentional source-code exfiltration. Detection is based on source and destination metadata.
The steps to use the above triggers are elaborated in the following sections.
Ensure that you have configured domain collections before using the browser uploads option.
To monitor browser uploads:
Select the Browser uploads to option.
Select one of the following options.
Any Domain: If you select this option, Nightfall monitors your uploads done to any domain on the Internet.
Domain in: If you select this option, you must additionally also select the domain collections created in the domain collections section. Nightfall monitors the uploads done to all the domains that belong to the selected domain collections.
Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.
Domain Not in: If you select this option, you must additionally also select the domain collections created in the domain collections section. Nightfall does not monitor the uploads done to all the domains that belong to the selected domain collections.
Once you select a domain collection from the drop-down menu, it is displayed on the screen and grayed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.
In this option, you can either choose to monitor uploads done to every cloud sync app or select specific cloud sync apps to which the uploads must be monitored.
Select the Cloud Syncing option.
Select one of the following options.
Any Storage Apps: If you select this option, Nightfall monitors the uploads done to every cloud sync storage application.
Specific Storage App(s): If you select this option, you must additionally select the storage apps. Nightfall monitors the uploads done to the selected storage apps.
Once you select a cloud storage application from the drop-down menu, the selected option is displayed on the screen and grayed out from the drop-down menu. You can use the drop-down menu to select additional cloud storage apps.
In this option, you can choose to monitor the copy/paste actions performed by end-users, that is, cases where end-users copy data and paste it to unsanctioned locations.
Apart from text data, Nightfall can also detect non-text clipboard content, including images and screenshots. The Clipboard Paste trigger uses optical character recognition (OCR) in combination with Nightfall detectors to prevent the exfiltration of sensitive data present in visuals such as copied screenshots, scanned documents, or images copied from web browsers.
Use cases
A typical example of this trigger can be a scenario in which an end-user copies an API key and pastes it in a prompt in ChatGPT/Deepseek or any other Gen AI apps while attempting to generate a piece of code.
An employee attempting to capture a screenshot of dashboards, reports, or customer data from sensitive SaaS apps into unsanctioned destinations.
To enable the Clipboard Paste trigger:
Select the Paste To option.
Select one of the following options.
Any Domain: If you select this option, Nightfall monitors your paste actions performed on any domain on the Internet.
Domain in: If you select this option, you must additionally select the domain collections created in the Domain Collections section. Nightfall monitors the paste actions performed on all the domains that belong to the selected domain collections. The process of domain selection is the same as in the Browser Uploads section.
Domain Not in: If you select this option, you must additionally select the domain collections created in the Domain Collections section. Nightfall does not monitor the paste actions performed on the domains that belong to the selected domain collections.
Once you select a domain collection from the drop-down menu, it is displayed on the screen and grayed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.
If end-users attempt to paste content, once you enable the Clipboard Paste trigger, they receive an error message as shown in the following image.
Nightfall’s removable media controls allow you to monitor or block sensitive data exfiltration to external storage devices such as USB drives and external HDD/SSD. Policies are evaluated at the endpoint and can be scoped with device type, vendor, and serial number filters for precise enforcement.
Out of the box, Nightfall supports ~1,200 removable media vendors, enabling immediate coverage without manual vendor onboarding.
Nightfall detects and can block the following removable media categories:
USB storage devices (thumb drives, external HDD/SSD)
These are internally represented as removable media types and can be included or excluded in the policy configuration.
How Removable Media Policies Work
A removable media policy is evaluated using the following layers of filters:
Origin - Where the content originated from
Destination Removable Media Filters - Which removable devices the rule applies to
Content Detection - Whether sensitive data is present
Endpoint Device - Which devices are included or excluded in the policy
If all conditions match, the configured enforcement (Monitor or Block) is applied.
Policy configuration:
Step 1 - To apply a policy to removable devices:
Set Action to “To removable media”
This ensures the rule only evaluates file transfers where data is being written to an external device.
Step 2 - Removable media filters
Removable media filters allow you to precisely control which removable devices are included in enforcement.
Device Type
Monitor all – Applies to all removable media types
Once a removable media action and device match, Nightfall evaluates the content being transferred:
Sensitive data types (PII, credentials, secrets, etc.), file classifiers or any other applicable detectors in the configured detection rules
If sensitive content is detected, enforcement is applied. Each policy can be configured to:
Monitor – Log the event for visibility and auditing
Block – Prevent the transfer to removable media
Both modes can be enabled simultaneously to provide audit visibility even when blocking.
Common Configuration Examples
Example 1: Block All USB Devices
Action: To removable media
Device Type: USB
Vendor: Monitor all
Serial Number: Monitor all
Enforcement: Block
Example 2: Allow Only Approved Vendors
Action: To removable media
Vendor: Specific vendor(s)
Enforcement: Block
Example 3: Allow Only Specific Devices
Action: To removable media
Serial Number: Specific serial numbers
Example 4: Exclude Corporate USB Drives
Action: To removable media
Vendor: All vendors
Serial Number: All serial numbers except
For exfiltration events involving removable media, Nightfall surfaces additional asset-level metadata to help security teams understand where data was written and which physical device was involved.
In the Asset details panel, you can expect the following removable media–specific fields:
Medium – Indicates the destination medium as Removable Media
Mount Path – The local mount location of the device on the endpoint (for example, /Volumes/My USB Device on macOS)
Volume Label – The human-readable label assigned to the removable device
Media Type – The category of removable media (for example, USB, HDD/SSD)
Vendor ID – The hardware vendor identifier reported by the operating system
Serial Number – The device’s unique serial number, when available
These fields are available only for removable media events and enable precise investigations, device allowlisting, and policy tuning.
All other event information - including user identity, endpoint details, timestamps, policy action, file preview, activity log and risk context, manual actions - is consistent with other Endpoint Exfiltration events and is available in the Summary and Device tabs.
Nightfall monitors the following signals during a Git push operation:
The endpoint where the push originates
The user performing the push
The Git protocol (HTTPS / SSH)
The remote destination URL
The repository name and configured remotes
A Git Push Monitoring policy evaluates where code is being pushed, not what is being pushed. If the destination does not match your approved Git domains, Nightfall generates an exfiltration event.
Supported Git Destinations
Git Push Monitoring supports:
GitHub Cloud
GitLab Cloud
Bitbucket
Any Git server accessible via HTTPS or SSH
Policy Configuration
Step 1: Define Approved Git Destinations
Customers define approved Git hosting locations using Domain Collections.
Examples:
github.com/my-company-org/*
gitlab.company.com/*
bitbucket.org/company/*
These domains represent where source code is allowed to be pushed.
Step 2: Configure Git Push Monitoring Policy
Policy Type: Endpoint Exfiltration Action: Git Push
Destination Condition Options:
Any domain
Domain in approved list
Domain not in approved list (recommended)
Recommended Configuration: set the Action to Git Push and the destination condition to Domain not in your approved Git domain collection(s).
This configuration alerts when developers push code outside approved repositories.
Example Use Cases
Prevent Personal GitHub Usage
Approved: github.com/company-org/*
Detected: github.com/john-doe/test-repo
Monitor Scratch or Temporary Repositories
Even if the repository is newly created or unnamed, Nightfall detects the push if the destination domain is not approved.
Enforce Corporate GitHub & GitLab Usage
Ensure all production code stays within:
Corporate GitHub organizations
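The policy logic described above, as an added example in Python that is not Nightfall's own code: a git remote (HTTPS, ssh:// or scp-like) is reduced to host/owner/repo, matched against approved Domain Collection patterns such as github.com/my-company-org/*, and then the Any domain / Domain in / Domain not in condition decides whether an exfiltration event is raised. The URL normalization, the wildcard pattern syntax and the condition names are assumptions for this illustration; the push itself always succeeds, because the control only monitors.

```python
"""Added example (not Nightfall's code): evaluate where a git push is going, never
what is in it, against approved Git domain collections."""
from __future__ import annotations

import re
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# scp-like SSH remote: [user@]host:path, e.g. git@github.com:org/repo.git (assumed form)
SCP_LIKE = re.compile(r'^(?:[^@/]+@)?(?P<host>[^:/]+):(?P<path>[^/].*)$')


def normalize_remote(url: str) -> str:
    """Reduce an HTTPS, ssh:// or scp-like remote to 'host/owner/repo'."""
    if '://' in url:
        parsed = urlparse(url)
        host, path = (parsed.hostname or ''), parsed.path
    else:
        m = SCP_LIKE.match(url)
        if not m:
            # A local path remote has no host; it can never match an approved domain.
            return 'local/' + url.strip('/')
        host, path = m.group('host'), m.group('path')
    path = path.strip('/')
    if path.endswith('.git'):
        path = path[:-4]
    return f'{host.lower()}/{path}'


def in_collection(target: str, collection: list[str]) -> bool:
    """True when target matches a pattern like 'github.com/my-company-org/*'.
    A bare host (no path) matches every repository on that host."""
    for pattern in collection:
        pattern = pattern.lower().rstrip('/')
        if fnmatchcase(target, pattern) or fnmatchcase(target, pattern + '/*'):
            return True
    return False


def evaluate_push(remote_url: str, condition: str, approved: list[str]) -> dict:
    """Apply the destination condition; 'event' says whether an exfiltration event
    is generated. 'push_allowed' is always True: Git push monitoring does not block."""
    destination = normalize_remote(remote_url)
    approved_dest = in_collection(destination, approved)
    if condition == 'Any domain':
        event = True
    elif condition == 'Domain in':
        event = approved_dest
    elif condition == 'Domain not in':
        event = not approved_dest
    else:
        raise ValueError(f'unknown condition {condition!r}')
    return {'destination': destination, 'approved': approved_dest,
            'push_allowed': True, 'event': event}


def simulate_push(remotes: dict[str, str], remote_name: str,
                  condition: str, approved: list[str]) -> dict:
    """Multiple remotes: the event reflects the remote actually used for the push."""
    result = evaluate_push(remotes[remote_name], condition, approved)
    result['remote'] = remote_name
    return result


if __name__ == '__main__':
    # Constructed sample data: approved collections and a developer's two remotes.
    APPROVED = ['github.com/my-company-org/*', 'gitlab.company.com/*', 'bitbucket.org/company/*']
    remotes = {'origin': 'git@github.com:my-company-org/app.git',
               'personal': 'https://github.com/john-doe/test-repo.git'}
    for name in remotes:
        print(name, simulate_push(remotes, name, 'Domain not in', APPROVED))
```

Note that a bare host in a collection (gitlab.company.com/*) approves every project on that server, while an organization pattern (github.com/my-company-org/*) still raises an event for github.com/john-doe/test-repo on the same host, which is the "personal GitHub" case above.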
Event Details
When a Git push violates policy, Nightfall generates an event with metadata-only context.
Event Summary Fields
Field | Description
Event Type | Git Push
Repository | Repository name
Actor | User performing the push
Device | Endpoint hostname
Destination URL | Git remote URL
Git Remotes | origin, personal, etc.
Example Scenarios
The following scenarios illustrate the support matrix for this capability.
Push to Approved Repository
Git operation succeeds
No alert generated
Push to Non‑Approved Repository
Git operation succeeds (no blocking)
Exfiltration event generated
HTTPS and SSH Both Supported
Detection works for both authentication methods
Multiple Remotes Supported
Events reflect the actual remote used for the push
Unmanaged Devices
No detection occurs without an endpoint agent
Git Push Monitoring provides organizations with a simple and effective control to:
Detect source code exfiltration
Enforce approved Git destinations
Gain visibility into developer Git activity
Perform insider risk investigations and threat hunting across all detected data exfiltration events — not only policy-triggered alerts.
Managed Endpoint with Nightfall agent
└── git push
    ├── Action: Git Push
    ├── Source: Managed device
    └── Destination:
        ├── Approved domain → Allowed
        └── Non-approved domain → Exfiltration Event generated

Recommended Git Push Monitoring policy configuration:
Action: Git Push
For: Domain not in <Approved Git Domains>

Device Type options for removable media filters (continued):
Specific types – Limit enforcement to selected media types (USB, HDD/SSD)
All device types except – Exclude specific device types from enforcement
If no specific type is selected, all removable media types are included by default.
Vendor filtering
Nightfall supports ~1,200 removable media vendors out of the box.
You can configure vendor behavior as follows:
Monitor all vendors (default)
Specific vendor(s) – Apply the rule only to selected vendors
All vendors except – Exclude specific vendors from enforcement
Vendor matching is based on device metadata reported by the operating system.
Example use cases:
Allow corporate-approved encrypted USB vendors
Block unknown or consumer-grade USB brands
Device Serial Number Filtering
Serial number filters provide the most granular level of control.
Options:
Monitor all (default)
Specific serial numbers – Apply enforcement only to listed devices
All serial numbers except – Exclude specific devices from enforcement
Serial numbers are matched exactly as reported by the endpoint OS.
Example use cases:
Allow a small set of approved devices
Exempt forensic or IT-issued USB drives
Filter precedence and evaluation logic
When multiple device filters are configured, Nightfall evaluates them together using the following rules:
Include rules are evaluated first
Exclude rules override include rules
If no include filters are specified, the rule defaults to include all
Practical Implications
If you select Specific vendors, only those vendors are eligible.
If you then exclude a serial number, that device will never trigger the policy.
Outcomes of the configuration examples above:
Example 2 (Allow Only Approved Vendors): all other vendors will be blocked.
Example 3 (Allow Only Specific Devices): Enforcement: Block. Only the listed devices are allowed; all others are blocked.
Example 4 (Exclude Corporate USB Drives): corporate-approved devices are excluded from enforcement.
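The filter precedence rules above (include rules first, exclude rules override, no include filter means include all) combined with the content-detection step, as an added Python model that is not Nightfall's code. Device attribute names, vendor strings and serial numbers are constructed sample data. One caveat worth checking in your own tenant: Example 2 and Example 3 on this page describe an "allow only" outcome, but with the stated semantics (Specific = apply the rule only to the listed values, All ... except = exclude the listed values) an allow-only block policy is expressed as an exclusion, which is how ONLY_APPROVED_VENDORS below is written.

```python
"""Added example (not Nightfall's code): how removable media device filters combine,
and when Monitor/Block is applied, for a write to an external device."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set


@dataclass(frozen=True)
class Device:
    media_type: str   # 'USB' or 'HDD/SSD', the categories named on this page
    vendor: str       # vendor as reported by the OS
    serial: str       # serial number, matched exactly as reported


@dataclass
class DeviceFilter:
    """include=None is 'Monitor all'; a set is 'Specific ...'; exclude is 'All ... except'."""
    include: Optional[Set[str]] = None
    exclude: Set[str] = field(default_factory=set)

    def matches(self, value: str) -> bool:
        if value in self.exclude:      # exclude rules override include rules
            return False
        if self.include is None:       # no include filter: include all by default
            return True
        return value in self.include


@dataclass
class RemovableMediaPolicy:
    device_type: DeviceFilter = field(default_factory=DeviceFilter)
    vendor: DeviceFilter = field(default_factory=DeviceFilter)
    serial: DeviceFilter = field(default_factory=DeviceFilter)
    actions: FrozenSet[str] = frozenset({'Monitor'})   # 'Monitor', 'Block' or both

    def in_scope(self, device: Device) -> bool:
        """All three device filters must match for the rule to apply."""
        return (self.device_type.matches(device.media_type)
                and self.vendor.matches(device.vendor)
                and self.serial.matches(device.serial))

    def evaluate(self, device: Device, sensitive_content_found: bool) -> Set[str]:
        """Actions taken for a write to `device`. An empty set means the transfer
        proceeds silently: the device is out of scope or the detectors found nothing."""
        if not self.in_scope(device) or not sensitive_content_found:
            return set()
        return set(self.actions)


# Example 1: block all USB devices
BLOCK_ALL_USB = RemovableMediaPolicy(device_type=DeviceFilter(include={'USB'}),
                                     actions=frozenset({'Block'}))
# Example 2 under these semantics: every vendor except the approved one is blocked,
# and Monitor is enabled alongside Block so the event is still logged for audit.
ONLY_APPROVED_VENDORS = RemovableMediaPolicy(vendor=DeviceFilter(exclude={'AcmeSecure'}),
                                             actions=frozenset({'Block', 'Monitor'}))
# Example 4: all vendors, all serial numbers except the corporate drives
EXCLUDE_CORPORATE = RemovableMediaPolicy(serial=DeviceFilter(exclude={'SN-CORP-0001'}),
                                         actions=frozenset({'Block'}))

if __name__ == '__main__':
    corp = Device('USB', 'AcmeSecure', 'SN-CORP-0001')      # constructed sample device
    stray = Device('USB', 'NoNameFlash', 'SN-7F3A')          # constructed sample device
    for policy in (BLOCK_ALL_USB, ONLY_APPROVED_VENDORS, EXCLUDE_CORPORATE):
        print(policy.evaluate(corp, True), policy.evaluate(stray, True))
```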
Risk: Critical, High, Medium, Low
Forensic Search provides a searchable timeline of detected data exfiltration events across your employee base. The search events include all events for all supported exfiltration vectors — not only policy-triggered alerts.
Security teams use Forensic Search to investigate how organizational data moves to external destinations such as cloud storage platforms, SaaS applications, and external email systems.
The interface allows analysts to search, filter, and review exfiltration events to determine:
which user moved data
which device performed the action
where the data was sent
whether sensitive data was involved
This enables rapid investigation of insider risk incidents and potential data exfiltration activity.
Forensic Search with Date Range and Actions filter applied.
Use the following steps to quickly investigate suspicious data movement.
Navigate to Discovery → Forensic Search.
Select the user of interest with User filter.
Set the Time Range to Last 7 days.
Add a Risk filter and select:
Critical
High
Sort the event table by Timestamp to review the most recent events first.
Scan the Destination column for external services such as:
personal cloud sync
personal accounts
Click any event to open the Event Detail Panel.
Review the following fields:
User – who performed the action
Asset – what file or content was transferred
If suspicious activity is confirmed, include all events by deleting the Risk Filter, and click Export Events to download a CSV for documentation or further investigation.
Filtering to Critical and High risk events is the fastest way to identify suspicious data transfers.
Security teams use Forensic Search to investigate how organizational data moves to external destinations and to identify potential data exfiltration activity.
Common investigation scenarios include:
Investigating departing employees
Reviewing unusual data transfer alerts
Performing threat hunting for data exfiltration
Auditing data movement to external services
Identifying early adopters of Gen AI and AI Agent tools
Investigating suspicious cloud storage activity
Forensic Search tool zeroing in on a suspicious cloud sync activity.
Forensic Search allows analysts to reconstruct how data moved outside the organization by examining sequences of exfiltration events.
Data exfiltration rarely occurs as a single action. Instead, it typically appears as a pattern of related events occurring over a short period of time.
Security analysts often look for the following behavioral patterns when investigating potential exfiltration.
Burst Uploads
Large numbers of uploads occurring in a short time window.
May indicate bulk data staging prior to exfiltration.
Off-Hours Activity
Transfers occurring late at night or on weekends.
Unexpected activity outside normal working hours may indicate suspicious behavior.
Multiple External Destinations
Sequential uploads to several different services.
May indicate attempts to bypass security controls or distribute data across multiple locations.
Personal Cloud Storage
Uploads to personal accounts such as Google Drive (Personal) or Dropbox (Personal).
Most investigations follow this workflow:
Identify suspicious data movement or receive an alert.
Filter events by user and/or time range.
Review event details and destinations.
Identify patterns of data movement.
Export events for investigation documentation.
This workflow allows analysts to quickly determine whether activity represents legitimate work or potential data exfiltration.
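The quick-investigation filters and the behavioural patterns above (burst uploads, off-hours activity, multiple external destinations, personal cloud storage), as an added Python triage script over a Forensic Search CSV export. This is not Nightfall's code: the column names are an assumption, the rows are constructed sample events, and a real export's columns may differ.

```python
"""Added example (not Nightfall's code): offline triage of a Forensic Search CSV export
for the investigation filters and exfiltration patterns described on this page."""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample export (not real events); timestamps are local time.
SAMPLE_EXPORT = """\
timestamp,user,device,action,destination,account_type,risk
2026-03-02T14:05:00,alice@corp.example,LT-0142,Upload,box.corp.example,corporate,Low
2026-03-03T23:41:00,bob@corp.example,LT-0099,Cloud Sync,Google Drive (Personal),personal,Critical
2026-03-03T23:43:00,bob@corp.example,LT-0099,Cloud Sync,Google Drive (Personal),personal,Critical
2026-03-03T23:44:00,bob@corp.example,LT-0099,Cloud Sync,Google Drive (Personal),personal,Critical
2026-03-03T23:46:00,bob@corp.example,LT-0099,Upload,dropbox.com,personal,High
2026-03-03T23:48:00,bob@corp.example,LT-0099,Upload,wetransfer.com,unknown,High
2026-03-04T09:10:00,bob@corp.example,LT-0099,Upload,sharepoint.corp.example,corporate,Low
2026-03-04T10:00:00,carol@corp.example,LT-0200,Clipboard Paste,chat.openai.com,personal,High
"""

Event = Dict[str, object]


def load_events(export_text: str) -> List[Event]:
    """Parse the export and return events sorted by timestamp."""
    events = list(csv.DictReader(io.StringIO(export_text)))
    for e in events:
        e['timestamp'] = datetime.fromisoformat(e['timestamp'])
    return sorted(events, key=lambda e: e['timestamp'])


def filter_events(events, user=None, since=None, risk=None) -> List[Event]:
    """The User / Time Range / Risk filters from the quick-investigation steps."""
    return [e for e in events
            if (user is None or e['user'] == user)
            and (since is None or e['timestamp'] >= since)
            and (risk is None or e['risk'] in risk)]


def burst_uploads(events, window=timedelta(minutes=10), threshold=4) -> Dict[str, int]:
    """Users with at least `threshold` transfers inside any sliding `window`;
    the value is the largest burst seen. Relies on load_events' ordering."""
    times = defaultdict(list)
    for e in events:
        times[e['user']].append(e['timestamp'])
    bursts = {}
    for user, ts in times.items():
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


def off_hours(events, start_hour=20, end_hour=6) -> List[Event]:
    """Transfers late at night or on weekends."""
    return [e for e in events
            if e['timestamp'].hour >= start_hour or e['timestamp'].hour < end_hour
            or e['timestamp'].weekday() >= 5]


def multiple_external_destinations(events, minimum=3) -> Dict[str, List[str]]:
    """Users who sent data to several different non-corporate services."""
    dests = defaultdict(set)
    for e in events:
        if e['account_type'] != 'corporate':
            dests[e['user']].add(e['destination'])
    return {u: sorted(d) for u, d in dests.items() if len(d) >= minimum}


def personal_cloud_storage(events) -> List[Event]:
    """Uploads or syncs into personal accounts, which the organization does not control."""
    return [e for e in events
            if e['account_type'] == 'personal' and e['action'] in ('Upload', 'Cloud Sync')]


if __name__ == '__main__':
    events = load_events(SAMPLE_EXPORT)
    hot = filter_events(events, user='bob@corp.example', risk={'Critical', 'High'})
    print(len(hot), 'Critical/High events for bob@corp.example')
    print('bursts:', burst_uploads(events))
    print('off-hours events:', len(off_hours(events)))
    print('multiple external destinations:', multiple_external_destinations(events))
    print('personal cloud storage events:', len(personal_cloud_storage(events)))
```

In the sample, one user produces every pattern at once (five transfers in seven minutes, all after 23:00, to three different personal or unknown services), which is the kind of sequence the workflow above is meant to surface; a single Critical event on its own is only a starting point.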
To assist in identifying potentially risky behavior, Nightfall assigns a risk score to individual exfiltration events observed in Forensic Search. Each event receives a risk level that helps analysts prioritize investigations and quickly surface higher-risk data transfers.
Event-level risk scoring is currently in beta and is intended to provide investigation guidance rather than definitive risk determinations. Analysts should evaluate events within the broader context of user activity and look for patterns of behavior across multiple events, rather than relying on a single event score.
🚨 Critical
Immediate investigation recommended
🔴 High
Elevated risk signals detected
🟡 Medium
Moderate risk indicators
🟢 Low
Activity appears consistent with expected usage
⚪ Unknown
Insufficient context to determine risk
In the current release, event risk scores are based on two primary signals:
Application Risk Level
User Session Context (Corporate vs Personal Account)
These signals help determine whether data is being transferred to a higher-risk application or outside corporate identity boundaries.
Every destination application detected in an exfiltration event inherits a baseline risk level from App Intelligence.
App Intelligence continuously discovers and classifies the web applications employees interact with. Each application is categorized based on its function and typical data exposure risk, such as:
Cloud storage
File sharing
Developer tools
GenAI and AI Agent tools
Business SaaS
Applications that enable easy external data transfer or lack strong identity controls typically carry higher baseline risk.
App Intelligence provides the discovery and classification layer used for application risk scoring.
Risk scoring also considers whether the user is operating within a corporate identity boundary.
When available, Nightfall determines whether a user is authenticated to a corporate account or a personal account within the destination application.
Examples:
Upload to corporate Google Drive
Low risk
Upload to personal Google Drive
Critical risk
Files uploaded or copy-pastes to a GenAI site using a corporate account
Low risk
Files uploaded or copy-pastes to a GenAI site using a personal account
High risk
Transfers to personal accounts represent a significantly higher risk of data exfiltration because the organization does not control those accounts.
Session detection requires the Nightfall browser extension to be installed.
Investigators can export results using Export Events.
Exports include:
event fields
timestamps
risk scores
Exports are commonly used for:
incident response documentation
compliance reporting
deeper analysis in SIEM platforms
Exports respect active filters, allowing analysts to export specific investigation scopes.
Investigating a departing employee:
Open Forensic Search.
Set the time range to Last 30 days.
Filter by the employee's email.
Review the timeline histogram for activity spikes.
Filter to Critical and High risk events.
Review destinations and file metadata.
Zoom in on suspicious events by clicking on the timeline.
Remove the Risk filter and expand the date range to review surrounding behaviors.
Export relevant events for documentation.

Reviewing off-hours activity:
Set the time range to Last 7 days.
Review the timeline for late-night activity.
Zoom into suspicious time windows.
Filter by High and Critical risk events.
Review upload destinations.

Reviewing transfers to multiple external destinations:
Filter by Upload or Cloud Sync.
Filter by Critical and High risk events.
Look for sequential transfers to external services.
Review event details to confirm file types and destinations.
Export events if escalation is required.
Events can be searched for up to 180 days. Currently, the earliest available events begin on February 6, 2026, so searches cannot return events earlier than that date.
Events typically appear within 30 minutes of occurring.
Events matching the current filters can be exported to CSV.
Saved searches are planned for a future release.
Access is controlled through Nightfall role-based permissions.
The Scope section enables you to create an asset lineage based policy in which you can track the journey of an asset from source to destination.
Security administrators can set precise exfiltration policies to protect sensitive files that originate from high-value SaaS locations from being exfiltrated to unsanctioned destinations
High performance security teams can focus their energy and resources on monitoring assets from high value SaaS domains.
By combining content download origin to upload destination, organizations can extend their monitoring to cover any cloud application accessed through the browser, even those without direct API integration.
Allows security teams to monitor and prevent data exfiltration not just through direct browser uploads but also through cloud storage sync applications, providing a multi-layered defense against data leaks.
With lineage-based policies, organizations can proactively identify and manage risks associated with sensitive content movement, ensuring compliance with data security standards and preventing potential breaches before they occur.
The Scope page consists of the following sections.
This section allows you to select the operating systems to which the policy must be scoped. Nightfall supports Microsoft Windows and Apple macOS. You can choose either one or both operating systems, based on your organization's requirements. Click the check box of the respective operating system to include it in the scope of the policy. All devices that run the selected operating system(s) are monitored by Nightfall.
Kindly note that some of the advanced policy features like , , and automated actions are not yet available on Windows—but stay tuned, as we’re working to bring these capabilities soon!
By default, Nightfall monitors all the devices that belong to the selected operating system(s). However, you can choose to exclude trusted devices from being monitored. The Exclude Devices section consists of a drop-down menu. This menu lists all the devices that belong to the selected operating system(s). You can select the devices that you wish to exclude from being monitored.
If you have a long list of assets, you can search for an asset by entering the device ID of the asset.
The Content Scanning section allows you to scan the downloaded content for sensitive data. You can choose the that you wish to use for scanning the downloaded data. With this feature, you can monitor exfiltration attempts on sensitive data. For instance, you can monitor if any of the content uploaded to unsanctioned destinations contains regulated information like PCI, PII, PHI or organization's secrets like credentials, API keys, and so on. You can combine content scanning with and the Block features to prevent any exfiltration files containing sensitive data.
To use this feature, you must first select the On option from the drop-down menu and then select the required Nightfall detectors.
If a downloaded file contains sensitive data, it is reported in the exfiltration event. You can check the Assets tab of an exfiltration event to view the sensitive data found. In the following image, you can see that a detector called Credit Card Number was violated 20 times in one of the files uploaded through the browser.
The Filters section gives you the flexibility to include and exclude users at a granular level. Once you select the operating system and the devices to be monitored, you can further narrow your scope by using filters. You can apply filters to monitor only assets downloaded from specific domains; conversely, you can exclude from monitoring assets downloaded from specific domains. Additionally, you can apply filters to monitor only, or exclude from monitoring, assets downloaded by specific high-risk user groups, like departing users, or functional user groups, like HR, Finance or Engineering.
You must configure the feature to use the and filters.
The Asset Origin filter allows you to limit the scope of the policy to only those assets which originated from a specific source. To use the asset origin filter, you must click Add Filter and select Asset Origin.
The Asset Origin filter provides the following options:
Any Domain: If you select this option, Nightfall monitors assets that originated (were downloaded) from any domain present in any of the domain collections.
Domain in: If you select this option, you must additionally select the domain collections created in the section. In this case, Nightfall monitors only those assets that originated from a domain which is part of any of the selected domain collection(s).
Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.
Domain Not in: If you select this option, you must additionally select the domain collections created in the section. In this case, Nightfall does not monitor assets that originated from a domain which is part of any of the excluded domain collection(s).
Once you select a domain collection, it is displayed on the screen and greyed out from the drop-down menu. You can use the drop-down menu to select additional domain collections.
User Session Differentiation (also referred to as User Session Check) enables Nightfall to distinguish between personal and corporate user accounts on supported SaaS applications, cloud storage platforms, and AI web apps. This capability closes a critical data exfiltration gap by detecting and enforcing policies when sensitive data moves from corporate contexts to personal contexts, even when both occur on the same domain.
This feature is available on macOS and Windows.
Traditional DLP solutions struggle to differentiate who a user is logged in as on dual-use platforms like Google Drive, Microsoft 365, or AI assistants. This creates blind spots where users can bypass controls by switching to personal accounts.
User Session Differentiation enables:
Prevention of shadow exfiltration via personal accounts
Context-aware enforcement (corporate to corporate vs. corporate to personal)
Clear audit trails showing account type involved in an event
Confident blocking of high-risk transfers without disrupting legitimate workflows.
When enabled, Nightfall:
Detects whether the source and/or destination account is corporate or personal
Applies policy logic based on session context (not just domain)
Captures session metadata for investigation and audit
As an example, if an employee:
Downloads a file from their corporate Google Drive
Uploads it to their personal Google Drive
Nightfall can detect, alert, or block this action.
Supported Coverage
User Session Differentiation works across 35+ supported domains, including:
Google Workspace: Drive, Docs, Gmail, Calendar, Meet, Keep
Microsoft 365: OneDrive, SharePoint, Teams, Outlook, Office apps
Cloud Storage: Dropbox, Box, iCloud
AI / Shadow AI Apps: ChatGPT, Claude.ai, Gemini, Copilot, Perplexity
Session context is captured for:
Browser file uploads
Clipboard copy/paste actions
How It Works
Browser Extension captures session context on supported domains
Directory Sync from Okta, Entra ID, Google Directory identifies corporate accounts and domains
Corporate Domains collection is populated automatically with the domains from directory sync
Corporate Domains Collection
The Corporate Domains collection represents domains associated with corporate identities (for example, contoso.com). It is required for session differentiation.
Automatically populated once the endpoint agent is enabled and directory sync is set up
Happens once, based on the first OS provisioned (macOS or Windows)
After initial population, the collection is refreshed via an hourly job
Note: Corporate Domains are populated immediately upon directory sync and once one or more endpoint agents are installed.
Enabling User Session Differentiation
Requirements
Endpoint agent with browser extension
macOS: Chrome (1.2.9.x+)
Windows: Chrome, Edge, Firefox (1.2.32+)
macOS (MDM)
Deploy NightfallAI_Profile_with_Browser_Extensions.mobileconfig
Automatically installs browser extension and logs users in
Windows
No additional MDM profile required
User Session Differentiation is available in Endpoint Exfiltration policies and requires the User session check toggle to be enabled.
Where It Appears
The toggle is shown when:
Monitoring supported domains
Using Domain / URL-based sources or destinations
How to Configure User Session Check
Asset Origin (Trigger)
Defines where data originates from.
Supported operators:
Domain in, Domain not in, Any domain
Action (Destination)
Defines where data is going (upload, paste, transfer).
Supported actions include:
Browser uploads to, Clipboard copy/paste
Common Policy Use-Cases
Block Corporate to Personal AI Uploads
Source: Domain in → Corporate Domains
Action: Browser upload to → Domain in → AI Assistants
Specific User(s): You must choose this option to monitor the actions of specific internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in . You must select the required users.
All Users, except for: You must select this option to exclude the monitoring of specific internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in . You must select the required users.
Specific Group(s): You must choose this option to monitor specific internal groups. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in . You must select the required groups.
All Groups, except for: You must choose this option to exclude monitoring of specific internal groups. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in . You must select the required groups.
Endpoint URL and subpath filtering allows administrators and security teams to precisely control which file exfiltration events are reported or blocked by Nightfall. By creating exclusions at the file, file path, or file type (extension) level, teams can reduce noise, prevent false positives, and maintain focus on genuine data risk. This section explains:
How URL and subpath filtering works
The end‑to‑end user experience
Supported exclusion types
Practical use‑cases
This functionality is available within:
Exfiltration Prevention → Event Details → Assets tab
Integrations → Endpoint → Exclusion List
It applies to endpoint‑level exfiltration signals such as:
Browser uploads
File transfers via removable media
File sync
How it works
Exfiltration Event Detected
An endpoint event (for example, a Browser Upload) is detected and logged under Exfiltration Prevention. Each event includes:
Risk level (Low / Medium / High)
Actor (device and user)
Asset involved (file name, path, size, medium)
Viewing Asset Details
When an event is opened:
Navigate to the Assets tab
Select the relevant asset (e.g., Customer List.xlsx)
The Asset Details panel displays:
File name
Full local file path (e.g., /Users/anantmahajan/Downloads/Customer List.xlsx)
Medium (Browser)
Activating File or Path Exclusion
From the Asset Details panel:
Click “Click to activate file & file path exclusion (macOS only)”
A modal titled File & File Path Exclusion appears with three options:
Exclusion Options
Ignore file
Excludes this exact file (specific file name + path)
Ignore path
Excludes all files within the selected directory and its subpaths
Selecting an option and clicking Continue proceeds to confirmation.
Confirmation Modal
A confirmation dialog clearly states: "Future activity involving this file will not be reported. Existing events won't be affected."
Optional setting:
Apply rule to all endpoints (if enabled, the exclusion applies globally rather than device‑specific)
Click Ignore to finalize the exclusion.
Exclusion Is Applied
Once confirmed:
The exclusion takes effect immediately
Future matching events are suppressed
Past events remain visible for audit and investigation
The exclusion appears under: Integrations → Endpoint → Exclusion List
Each entry shows:
Excluded item (file, path, or extension)
Type (File Name, File Path, or Extension)
Time created
User who created the exclusion
URL & Subpath Filtering Behavior
URL Matching
When a browser upload occurs, Nightfall evaluates:
The destination domain (e.g., drive.google.com)
The local file path on the endpoint
If the local file matches an exclusion rule, the upload event is:
Not reported
Not blocked (unless another policy applies)
Subpath Matching
For Ignore path exclusions:
All files under the selected directory are excluded
Subdirectories are included automatically
Example:
/Users/johndoe/Downloads/
Excludes:
/Users/johndoe/Downloads/Customer List.xlsx
/Users/johndoe/Downloads/Exports/Q4/customers.csv
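The matching rules described above (exact file, recursive path, global extension, and the device-specific versus all-endpoints scope chosen in the confirmation dialog), written out in Python. This is an added illustration and not Nightfall's own code; the rule and event records, the sample data, and the shell-style wildcard handling for paths such as /Users/*/Downloads/Exports/ are assumptions.

```python
"""Endpoint exclusion matching for the Ignore file / Ignore path / Ignore
extension rule types. Added example, not Nightfall's code."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PurePosixPath
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Exclusion:
    kind: str                        # "file", "path" or "extension"
    value: str                       # exact file path, directory, or ".xlsx"
    device_id: Optional[str] = None  # None = "Apply rule to all endpoints"
    created_by: str = "admin"        # recorded for the Exclusion List view


@dataclass(frozen=True)
class UploadEvent:
    device_id: str
    local_path: str      # full local path as shown in Asset Details
    destination: str     # destination domain, e.g. drive.google.com


def _normalize_ext(value: str) -> str:
    return value.lower() if value.startswith(".") else "." + value.lower()


def matches(rule: Exclusion, event: UploadEvent) -> bool:
    """True when this rule suppresses reporting of the event."""
    # Scope check: a device-specific rule only applies to that device.
    if rule.device_id is not None and rule.device_id != event.device_id:
        return False
    path = PurePosixPath(event.local_path)
    if rule.kind == "file":
        # Exact file: name and full path must both match (case-sensitive).
        return path == PurePosixPath(rule.value)
    if rule.kind == "path":
        # Recursive: the directory itself and every subdirectory below it.
        # A '*' in the rule is matched with shell-style wildcards (assumption).
        pattern = str(PurePosixPath(rule.value))
        return any(fnmatchcase(str(parent), pattern) for parent in path.parents)
    if rule.kind == "extension":
        # Global and high-impact: every file of this type, wherever it lives.
        return path.suffix.lower() == _normalize_ext(rule.value)
    raise ValueError(f"unknown exclusion kind: {rule.kind}")


def first_matching_rule(event: UploadEvent,
                        rules: Iterable[Exclusion]) -> Optional[Exclusion]:
    for rule in rules:
        if matches(rule, event):
            return rule
    return None


def triage(events: Iterable[UploadEvent], rules: List[Exclusion]) -> dict:
    """Split new events into reported and suppressed, mirroring
    'future matching events are suppressed; past events remain visible'."""
    reported, suppressed = [], []
    for ev in events:
        (suppressed if first_matching_rule(ev, rules) else reported).append(ev.local_path)
    return {"reported": reported, "suppressed": suppressed}


# Constructed sample rules: one device-specific file rule, one global path
# rule with a wildcard, one global extension rule.
RULES = [
    Exclusion("file", "/Users/johndoe/Downloads/Customer List.xlsx", device_id="mac-0042"),
    Exclusion("path", "/Users/*/Downloads/Exports/"),
    Exclusion("extension", ".log"),
]

# Constructed sample events.
EVENTS = [
    UploadEvent("mac-0042", "/Users/johndoe/Downloads/Customer List.xlsx", "drive.google.com"),
    UploadEvent("mac-0099", "/Users/johndoe/Downloads/Customer List.xlsx", "drive.google.com"),  # other device
    UploadEvent("mac-0099", "/Users/alice/Downloads/Exports/Q4/customers.csv", "wetransfer.com"),
    UploadEvent("mac-0042", "/Users/johndoe/Downloads/customer list.xlsx", "drive.google.com"),  # different name
    UploadEvent("win-0007", "C:/Users/bob/app/debug.log", "pastebin.com"),
    UploadEvent("win-0007", "C:/Users/bob/Desktop/payroll.csv", "pastebin.com"),
]

if __name__ == "__main__":
    print(triage(EVENTS, RULES))
```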
Supported Exclusion Types
Common Use‑Cases
Suppressing Known Safe Files
Scenario: A finance team routinely uploads a standardized customer spreadsheet to Google Drive.
Solution: Ignore file: Customer List.xlsx
Best Practices
Exclusions apply only to future activity; existing events are never retroactively modified.
Path exclusions are recursive and include subpaths.
Extension‑based exclusions are global and high‑impact.
URL and subpath filtering for endpoint exclusions gives security teams fine‑grained control over exfiltration monitoring. By embedding exclusions directly into the investigation workflow, Nightfall enables fast, contextual decisions without compromising visibility into real risk.
This approach balances strong data security with practical, low‑friction operations.
Identify, classify, and assess risk for SaaS and AI applications used across your environment.
App Intelligence gives your security team a complete, continuously updated view of every SaaS application and AI tool your employees are actually using — not just the ones on your approved list.
In most organizations, employees use five to fifteen times more applications than IT formally manages. This includes AI assistants like ChatGPT and Claude, personal cloud storage, file-sharing services, and agentic AI tools that act on behalf of users. Until now, this activity has been largely invisible to security teams.
App Intelligence changes that. Using data movement APIs provided by Apple and Microsoft, Nightfall's lightweight agent detects paste and file upload activity to automatically discover these applications, assign a risk score, categorize them by functional type, and surface early adopters — with none of the latency associated with traditional DLP tools.
Nightfall classifies every detected app into one of twelve categories. Categories reflect the nature of the product and its typical data exposure potential — they form the foundation of how risk is calculated. Your team can use categories to filter, prioritize, and focus on the parts of your app landscape that matter most.
A note on cloud productivity suites: Nightfall classifies by the actual product surface an employee uses, not the parent company brand. For example, Google Workspace Mail and Google Docs are classified as Business SaaS because their primary function is collaboration and editing. Google Drive is classified as Cloud Storage / Sync because its primary function is file storage and bulk sync. The same principle applies to Microsoft 365, AWS, and Salesforce subdomains.
Every app in App Intelligence displays one of four risk labels: Low, Medium, High, or Critical. These reflect Nightfall's assessment of how much data exposure risk the app represents in your environment.
Risk is calculated in two steps. First, every app starts with a baseline risk level inherited from its category — for example, File Sharing apps start at Critical and Core Systems start at Low. Second, Nightfall adjusts the score for the specific app within that category: if an app is consumer-focused, allows anonymous access, or is less governed than its peers, the risk increases. If the app is unusually well-governed for its category — for example, enterprise-only access with mandatory SSO — the risk may decrease.
Access App Intelligence from the Discovery section of the left-hand navigation menu.
The App Intelligence list view, showing 5,892 total apps discovered across the organization.
The page is divided into two main sections:
App Insights (Top Panel)
The insights panel gives you a quick summary of what's happening across your app landscape. It shows:
Total Apps discovered, AI Apps in use, and Total Users observed
Top AI Apps by Adoption — the GenAI tools growing fastest in your environment over the last 30 days, shown as a percentage of users
Top Apps by Data Volume — the apps handling the most data, with user counts and data sizes
App List (Bottom Panel)
The full table of all discovered applications. Each row shows:
Use the filter bar above the app list to narrow results by:
Time range (e.g., Last 30 Days)
App Name — search by name or keyword
Domain — filter to a specific domain
Clicking any app in the list opens its detail page.
The App Details view for Wisprflow (wisprflow.ai), an AI agent platform classified as High risk.
The detail view includes:
Summary stats — total users, when first and last seen
App Risk panel — a plain-language explanation of why Nightfall assigned this risk level, covering category, identity boundaries, and data exposure
Destination List — a breakdown of every subdomain or endpoint within the app where data was sent, including per-destination user counts, data volume, and activity timestamps. This helps you understand whether a tool is being used for its core purpose or whether data is flowing to admin panels, APIs, or documentation portals.
Goal: Understand which apps are active in your environment and identify where to focus first.
Steps:
Navigate to Discovery → App Intelligence in the left sidebar.
Review the App Insights panel at the top of the page. Note:
How many Total Apps have been discovered.
Goal: Understand why an app received a high risk score and gather the information your team needs to take action.
Steps:
Filter the App List by Risk = High and sort by Users to surface the most widely adopted high-risk apps first.
Click on an app to open its Detail View.
Read the App Risk explanation on the right side. This gives you Nightfall's reasoning in plain language — for example, whether the tool is an AI agent that can access data on behalf of users, or whether it lacks standard enterprise governance controls.
Goal: Understand the risk signals behind a specific app and determine whether action is needed.
Steps:
Identify an app of interest in the App List — for example, an AI Agents tool or a GenAI service you don't recognize.
Wisprflow appears in the App List as an AI Agents tool with a High risk rating, 28 users, and 2.2 GB of data sent — with activity as recently as 5 hours ago.
Click the app row to open its Detail View.
In the App Risk panel, read Nightfall's risk explanation. For an AI Agents tool, this will typically explain that the platform is designed to build and deploy autonomous agents that can access and move data across multiple systems — and why this elevates the risk classification above the category baseline.
Check Total Users and compare it to First Seen. If a large number of users adopted the tool quickly, that's a signal of fast organic growth that may have outpaced governance review.
A security team at a mid-size technology company suspects employees are using unauthorized GenAI tools but has no visibility into which ones or how widely.
They open App Intelligence, filter by Category = GenAI, and sort by Users. Within minutes, they can see that three GenAI tools not on the approved list have been adopted by dozens of employees. They use the details view to assess each tool's risk score and destination activity, then route the highest-risk findings to the IT governance team with the context they need to take action.
An insider risk analyst receives an alert about unusual data movement patterns. They open App Intelligence and sort by Last Seen to find recently active apps. They spot an AI Agents platform that was first seen a month ago but has seen a spike in data volume in the last 24 hours.
Clicking into the app detail, they see the risk explanation highlights that the tool is designed to build autonomous agents capable of accessing data across multiple systems — and that several API-level destinations are active. The analyst notes their findings and escalates to the security team for deeper investigation.
An IT Policy Owner needs to audit which high-risk apps are active in the environment as part of a quarterly governance review. Rather than sifting through all discovered apps manually, they filter the App List to Risk = High or Critical, sort by Users, and work through the results.
Using the risk scores and destination breakdowns, the owner quickly identifies which apps need immediate attention from the security team and which are low-risk tools that don't require escalation. Within a single session they have a clear picture of their app risk landscape to bring into the governance review.
A data security engineer reviewing App Intelligence notices a file-sharing site with Critical risk that has been used by multiple employees to send data externally. Rather than just flagging it for review, they want to act immediately.
From the app's detail page, they click Add to Collection and add the domain to their organization's block list collection — the same list already enforced by Nightfall's exfiltration control policies. The domain is now blocked from receiving corporate data without any separate policy configuration required. For a second app — an approved cloud storage tool that was mistakenly triggering alerts — they add it to the allow list collection instead, suppressing false positives going forward.
App Intelligence becomes the discovery layer that feeds directly into enforcement, closing the loop between visibility and protection.
A CISO preparing for an upcoming compliance review needs a clear picture of all AI tools in use across the organization, including what data types are being transmitted. They use the Top AI Apps by Adoption insight to see which GenAI tools are most widely used, then filter the app list to Category = GenAI to review risk levels across the full set.
For any GenAI tool with a High risk rating, they open the detail view to review the risk explanation and destination breakdown. This gives them the documentation they need to demonstrate that the organization has visibility into AI tool usage and the risk signals associated with each one.
How often is the app data refreshed?
App Intelligence data is refreshed hourly. The "Last updated" timestamp in the top right corner of the page shows when the data was last synced.
How does Nightfall discover which apps employees are using?
Nightfall uses data movement APIs provided by Apple and Microsoft to detect paste and file upload activity on enrolled devices, not network traffic or keystrokes. This lightweight approach means App Intelligence can identify which apps employees are sending data to without the performance impact or latency of traditional DLP tools. No additional configuration is required; new apps are detected automatically.
How exactly is an app's risk score calculated?
Nightfall uses a two-step process. First, every app starts with a baseline risk level inherited from its category; for example, File Sharing apps start at Critical and Core Systems start at Low. Second, Nightfall evaluates the specific app within its category: if it's consumer-focused, allows anonymous access, or is less governed than peers, the risk increases. If the app is unusually well-governed for its category (mandatory SSO, enterprise-only access), the risk may decrease. This category-based assessment is then combined with usage signals including behavioral patterns and identity boundary data to produce the final label.
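The two category-based steps of that process, modelled in Python as an added example that is not Nightfall's scoring code. The baselines are the ones given in the category table on this page; the signal names, the one-level-per-signal weights, the cap on how far governance can lower an app, and the sample apps are assumptions, and the usage-signal step is not modelled.

```python
"""Two-step risk labelling: category baseline, then per-app adjustment.
Added example, not Nightfall's scoring code."""
from typing import Iterable

LEVELS = ["Low", "Medium", "High", "Critical"]

# Step 1: baseline inherited from the category (values from the category table).
CATEGORY_BASELINE = {
    "Public Web": "Low", "Core System": "Low", "Business SaaS": "Low",
    "Internal Apps": "Low", "Social / Messaging": "Medium",
    "Cloud Providers / Infra": "Medium", "GenAI": "High",
    "Developer Tools": "High", "Unknown": "High", "Cloud Storage / Sync": "High",
    "AI Agents": "Critical", "File Sharing": "Critical",
}

# Step 2: app-specific signals. Positive weights raise risk, negative lower it.
# Weights of one level per signal are an assumption.
SIGNAL_WEIGHTS = {
    "consumer_focused": +1,
    "anonymous_access": +1,
    "less_governed_than_peers": +1,
    "enterprise_only_access": -1,
    "mandatory_sso": -1,
}
# Assumption: governance can lower an app at most one level below its baseline.
MAX_DECREASE = 1


def score_app(category: str, signals: Iterable[str]) -> dict:
    """Return the final label plus the reasoning an App Risk panel would show."""
    if category not in CATEGORY_BASELINE:
        raise KeyError(f"unknown category: {category}")
    baseline = CATEGORY_BASELINE[category]
    reasons = [f"{category} apps start at {baseline}."]
    delta = 0
    for sig in signals:
        weight = SIGNAL_WEIGHTS[sig]  # unknown signal raises KeyError rather than being guessed
        delta += weight
        direction = "raises" if weight > 0 else "lowers"
        reasons.append(f"{sig.replace('_', ' ')} {direction} risk.")
    delta = max(-MAX_DECREASE, delta)
    idx = min(len(LEVELS) - 1, max(0, LEVELS.index(baseline) + delta))
    return {"category": category, "baseline": baseline, "risk": LEVELS[idx], "reasons": reasons}


# Constructed sample apps; the signals are illustrative, not assessments of real products.
SAMPLE_APPS = {
    "anon-share.example": ("File Sharing", ["anonymous_access"]),
    "managed-drive.example": ("Cloud Storage / Sync", ["enterprise_only_access", "mandatory_sso"]),
    "chatbot.example": ("GenAI", ["consumer_focused"]),
    "erp.example": ("Core System", []),
}


def score_all(apps=SAMPLE_APPS) -> dict:
    """Map each sample app to its final label."""
    return {name: score_app(cat, sigs)["risk"] for name, (cat, sigs) in apps.items()}


if __name__ == "__main__":
    for name, (cat, sigs) in SAMPLE_APPS.items():
        print(name, score_app(cat, sigs))
```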
When reviewing individual events in Forensic Search, scoring goes a step further. If your organization has completed MDM integration, Nightfall can determine whether a user is sending data to a corporate or personal account at a given destination — for example, distinguishing between a managed Google Workspace account and a personal Gmail account at the same domain (mail.google.com). This account context is factored into the event-level risk score in Forensic Search, giving you a more precise signal when investigating specific user activity.
Can I override the risk level Nightfall assigns?
Not in v1. The ability to apply custom risk overrides is planned for a future release.
Why do some apps show a high Destination Count?
Destination Count reflects the number of distinct subdomains or endpoints Nightfall has observed data flowing to within a single app's domain. For many apps, destinations are specific enough to tell you something meaningful about how the app is being used.
GitHub is a good example: each destination corresponds to a specific repository. A SecOps admin reviewing GitHub's destination list can research individual repos to determine whether employees are pushing data to a corporate repository, a public open-source project, or a personal account — a meaningful distinction when assessing data exposure risk. The same principle applies to other developer tools, cloud storage platforms, and any app where the destination encodes context about the recipient or purpose.
Will App Intelligence block apps or take enforcement actions?
App Intelligence itself is a visibility tool; it does not block apps directly. However, you can act on what you find by using the Add to Collection button in any app's detail view. This lets you add the app's domain to a domain collection, which feeds directly into Nightfall's exfiltration control policies. Adding a domain to a block list collection will prevent data from being sent to that destination; adding it to an allow list collection explicitly permits it and suppresses false positives. Automated enforcement actions beyond this are planned for a future release.
Does App Intelligence cover desktop apps like Slack or Zoom?
Not yet — but coming soon! The current release focuses on web apps and GenAI tools accessed through the browser. Coverage for native desktop applications is on the roadmap for an upcoming release.
What should I do first if I'm new to App Intelligence?
Start with the App Insights panel to understand the shape of your environment: how many apps are active, which AI tools are growing fastest, and where the most data is flowing. Then filter the App List to Risk = High or Critical, sort by Users, and work through the results. This gives you a focused view of the apps that carry the most risk and the widest reach across your organization.
For additional help, contact Nightfall support or reach out to your Customer Success Manager.
Policy enforcement occurs based on configuration
Corporate Domains collection configured
Browser extension deployed (via MDM or manual install)
Monitor Corporate Sources Only - Use case: Detect data originating from corporate accounts only.
Source: Domain in equals Corporate Domains
User session check: Enabled
Exclude Corporate Sources - Use case: Focus on external or unmanaged sources.
Source: Domain not in equals Corporate Domains
Outcome: Blocks uploads when destination account is personal
Allow Corporate → Corporate, Block Corporate → Personal
Source: Domain in → Corporate Domains
Destination: Domain in → Supported Domains
User session check: Enabled
Result:
Corporate → corporate transfers allowed
Corporate → personal transfers blocked
Detect Personal Account Usage on Approved Apps
Action: Browser uploads to → Domain in → Google Workspace
User session check: Enabled
Use case: Visibility into personal account usage on approved SaaS.
Broad Monitoring (Any → Personal)
Source: Any domain
Destination: Domain in → Supported Domains
User session check: Enabled
Use case: Identify any data entering personal accounts.
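The session-aware decision logic behind the use cases listed here and the "Block Corporate to Personal AI Uploads" pattern above, in Python, as an added example that is not Nightfall's code. The event and policy records, the sample domain collections, and two interpretations are assumptions: a side of a transfer is "corporate" when the signed-in identity's domain is in the Corporate Domains collection, and a "Domain in" filter matches either the site domain or that identity domain.

```python
"""Session-aware policy evaluation: Asset Origin filter, destination filter
and the User session check toggle. Added example, not Nightfall's code."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed collections. In the product, Corporate Domains is filled by
# directory sync; the others are ordinary domain collections.
CORPORATE_DOMAINS = frozenset({"contoso.com"})
SUPPORTED_DOMAINS = frozenset({"drive.google.com", "docs.google.com", "mail.google.com",
                               "onedrive.live.com", "dropbox.com", "chatgpt.com", "claude.ai"})
AI_ASSISTANTS = frozenset({"chatgpt.com", "claude.ai", "gemini.google.com"})


@dataclass(frozen=True)
class Event:
    action: str                      # "browser_upload" or "clipboard_paste"
    source_domain: str               # site the data was taken from
    source_identity: Optional[str]   # account signed in there, None if unknown
    dest_domain: str
    dest_identity: Optional[str]


@dataclass(frozen=True)
class Policy:
    name: str
    source_op: str = "any"           # "any" | "in" | "not_in"
    source_set: frozenset = frozenset()
    dest_op: str = "any"
    dest_set: frozenset = frozenset()
    session_check: bool = False      # the "User session check" toggle
    action: str = "alert"            # "alert" or "block"


def _identity_domain(identity: Optional[str]) -> Optional[str]:
    return identity.rsplit("@", 1)[1].lower() if identity and "@" in identity else None


def account_type(identity: Optional[str]) -> str:
    """corporate / personal / unknown, from the identity's domain."""
    dom = _identity_domain(identity)
    if dom is None:
        return "unknown"
    return "corporate" if dom in CORPORATE_DOMAINS else "personal"


def _side_matches(op: str, site: str, identity: Optional[str], collection: frozenset) -> bool:
    # Assumption: a side matches if the site domain or the identity domain is
    # in the collection, so "Domain in -> Corporate Domains" selects corporate
    # sessions even on a shared SaaS domain such as drive.google.com.
    domains = {site.lower()}
    if _identity_domain(identity):
        domains.add(_identity_domain(identity))
    if op == "any":
        return True
    if op == "in":
        return bool(domains & collection)
    if op == "not_in":
        return not (domains & collection)
    raise ValueError(f"unknown operator: {op}")


def evaluate(policy: Policy, ev: Event) -> dict:
    """Decision plus the session metadata kept for investigation and audit."""
    src, dst = account_type(ev.source_identity), account_type(ev.dest_identity)
    record = {"policy": policy.name, "action": ev.action,
              "source_account": src, "dest_account": dst}
    in_scope = (_side_matches(policy.source_op, ev.source_domain, ev.source_identity, policy.source_set)
                and _side_matches(policy.dest_op, ev.dest_domain, ev.dest_identity, policy.dest_set))
    if not in_scope:
        return {**record, "decision": "allow"}
    if policy.session_check and dst == "corporate":
        # Corporate -> corporate on a supported domain is a sanctioned transfer.
        return {**record, "decision": "allow"}
    # Personal or unknown destination account: enforce the policy's action.
    return {**record, "decision": policy.action}


def decide(policies: Iterable[Policy], ev: Event) -> str:
    """Most severe decision across all policies (block > alert > allow)."""
    rank = {"allow": 0, "alert": 1, "block": 2}
    return max((evaluate(p, ev)["decision"] for p in policies), key=rank.__getitem__)


POLICIES = [
    Policy("Allow corporate->corporate, block corporate->personal",
           "in", CORPORATE_DOMAINS, "in", SUPPORTED_DOMAINS, True, "block"),
    Policy("Block corporate->personal AI uploads",
           "in", CORPORATE_DOMAINS, "in", AI_ASSISTANTS, True, "block"),
    Policy("Broad monitoring (any->personal)",
           "any", frozenset(), "in", SUPPORTED_DOMAINS, True, "alert"),
]

# Constructed sample events.
CORP_TO_PERSONAL = Event("browser_upload", "drive.google.com", "alice@contoso.com",
                         "drive.google.com", "alice@gmail.com")
CORP_TO_CORP = Event("browser_upload", "drive.google.com", "alice@contoso.com",
                     "drive.google.com", "alice@contoso.com")
PASTE_TO_AI = Event("clipboard_paste", "docs.google.com", "bob@contoso.com",
                    "chatgpt.com", "bob@outlook.com")
PERSONAL_TO_PERSONAL = Event("browser_upload", "dropbox.com", "carol@gmail.com",
                             "drive.google.com", "carol@gmail.com")
```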
Important behavioral details and limitations
Ignore all files with .xlsx extension
Excludes all Excel files across the endpoint
Scope (specific device or all endpoints)
Prevents repeated high‑risk alerts for a known workflow
Maintains visibility into other files
Ignoring Automated Export Directories
Scenario: An application exports reports into a fixed local directory before upload.
Solution: Ignore path: /Users/*/Downloads/Exports/
Outcome:
Eliminates alert noise from automated processes
Still monitors uploads from other locations
Reducing Alert Fatigue from Common File Types
Scenario: Large volumes of Excel files are shared internally and trigger frequent alerts.
Solution: Ignore all files with .xlsx extension
Outcome:
Significant noise reduction
Should be used carefully due to broad scope
Incident‑Driven Exception Handling
Scenario: An investigation confirms a flagged upload was legitimate.
Solution: Create a targeted file or path exclusion directly from the event
Outcome:
Fast remediation
No policy rewrites required
Periodically review the Exclusion List for stale rules. Document the reason for exclusions internally when possible.
File: a single file only. Example: a known safe document repeatedly triggering alerts
Path: a directory and its subdirectories. Example: trusted export folders or generated reports
Extension: all files of a type. Example: suppressing noisy file types like .log or .xlsx







unfamiliar SaaS domains
Device – which device performed the action
Personal accounts are outside corporate control and represent higher exfiltration risk.


Public Web (baseline risk: Low): General consumer or informational websites not primarily designed for file transfer. Examples: YouTube, Wikipedia, Medium, Amazon
Social / Messaging (baseline risk: Medium): External messaging or social platforms where users can send or post corporate data. Examples: WhatsApp Web, Telegram, Discord, LinkedIn, X/Twitter
Cloud Providers / Infra (baseline risk: Medium): Cloud consoles and infrastructure administration surfaces. Examples: AWS Console, GCP Console, Azure Portal, Cloudflare
GenAI (baseline risk: High): LLMs, AI assistants, and AI-powered creation tools that may ingest internal data. Examples: ChatGPT, Claude.ai, Gemini, Perplexity, DeepSeek
Developer Tools (baseline risk: High): Platforms hosting source code, configuration, logs, or automation pipelines. Examples: GitHub, GitLab, Replit, Databricks, Netlify
Unknown (baseline risk: High): Domains that cannot be reliably classified (e.g., raw IPs or unrecognized destinations). Examples: Unclassified IPs, localhost, unresolved domains
AI Agents (baseline risk: Critical): Autonomous or semi-autonomous systems that act on behalf of users to access and move data. Examples: Wisprflow, Glean, n8n, Zapier Desktop Runner
Cloud Storage / Sync (baseline risk: High): Cloud-based file storage and synchronization platforms with high exfiltration risk due to bulk file movement and multi-device sync. Examples: Google Drive, Dropbox, Box, iCloud, OneDrive
File Sharing (baseline risk: Critical): Public or anonymous file-sharing services with minimal identity boundaries. Examples: WeTransfer, file.io, Snapdrop, Pastebin
Data Volume: Total data transmitted to this destination
First Seen: When Nightfall first detected activity to this app
Last Seen: Most recent observed activity
Risk — focus on High or Critical apps
Add to Collection — a button that lets you add the app's domain directly to a domain collection. Domain collections are the allow lists and block lists that power Nightfall's exfiltration control policies. Adding an app here is how you translate App Intelligence findings into active data protection — for example, blocking a risky file-sharing site or explicitly allowing an approved storage tool.
Which AI Apps have the greatest adoption (Top AI Apps by Adoption chart).
Which apps have the most users over the last 30 days (Top Apps by User Count, 30d).
In the App List, sort by Risk to bring the highest-risk apps to the top. Look for any apps labeled Critical or High that you don't recognize.
Example showing a small tenant environment. Deepseek is flagged as Critical risk — a GenAI tool with elevated data exposure signals.
Sort by Last Seen to find apps with very recent activity, then cross-reference with First Seen to spot newly adopted tools your team may not be aware of.
Use the Category filter and select GenAI and AI Agents to see all AI tools in use. This is a fast way to understand your organization's AI footprint.
Review the Destination List to understand how the app is being used. Are employees accessing only the main product domain, or is data also flowing to API endpoints or admin subdomains? Higher destination counts can indicate more complex, potentially automated workflows.
Note the Total Users and First Seen date. If adoption is recent and growing, that context is useful when escalating to your IT or security governance team.
If your team decides to act on what you've found, use the Add to Collection button to add the app's domain to a domain collection. Choose a block list collection to prevent data from flowing to the app, or an allow list collection to explicitly permit it within your exfiltration control policies.
Review the Destination List to see exactly where data is flowing within the app's ecosystem. For example, if you see traffic to both the main product domain and an API subdomain, it suggests programmatic or automated use — not just manual browser sessions.
Cross-reference the Data Volume against the number of users. Disproportionately high data volume relative to user count can indicate automated workflows, bulk uploads, or exfiltration-style behavior.
Click Show Events on a destination row to see the individual users and corresponding events associated with that site. This is one of the most powerful features in App Intelligence — it lets you move from aggregate risk signals to the specific people and actions driving them.
Share your findings with your IT or security governance team, including the risk score, user count, data volume, any API-level destinations observed, and the specific user activity surfaced via Show Events.
Core System (baseline risk: Low): Business systems of record with strict identity controls and low exfiltration risk. Examples: Workday, NetSuite, SAP, Salesforce CRM
Business SaaS (baseline risk: Low): Enterprise productivity and collaboration tools. Examples: Slack, Notion, Figma, Canva, Asana, Loom
Internal Apps (baseline risk: Low): Internal or private applications, staging/QA environments, and SSO-only portals. Examples: Internal dashboards, staging portals, *.internal domains

Risk labels:
🟢 Low: Minimal concern; typically well-governed, established tools with strong identity boundaries.
🟡 Medium: Worth monitoring; may involve less-governed surfaces or moderate data exposure potential.
🔴 High: Requires attention; elevated data risk or boundary concerns detected.
🚨 Critical: Immediate review recommended; significant risk signals across multiple dimensions.

App List columns:
App Name: The detected application, grouped under its canonical domain
Domain: The primary domain associated with the app
Destination Count: Number of distinct subdomains or destinations observed
Category: App type classification
Risk: Nightfall's computed risk level
Users: Number of users or unique devices observed accessing this app



