This stage allows you to select automated notification channels or actions if a policy violation occurs.

Admin Alerting

This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.

The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to the #configure-alerts-at-the-integration-level document.

Automated Actions

Automated actions allow you to configure automated remediation actions when an exfiltration attempt is detected by Nightfall policy. Nightfall supports the following automated actions for Salesforce. You can choose to implement the automated action immediately after detecting a download attempt or after some time.

To enable the automated action, you must turn on the respective toggle switch.

Freeze Salesforce User Account

This action logs out the user from the Salesforce account. They cannot login until a Salesforce admin revokes the freeze on the account.

You must now select when exactly after detecting the event, the action must be triggered. if you select the Immediately option, the automated action is triggered immediately after the download attempt is made.

If you select the After option, you must select the time gap after which the automated action must be implemented.

Revoke User Permissions

This action revokes the permissions of the user. The user can now only view data across al Salesforce pages. They cannot download any data. This action assigns the user Salesforce's minimum access profile. You can learn more about this profile from this Salesforce document.

You must now select when exactly after detecting the event, the action must be triggered. if you select the Immediately option, the automated action is triggered immediately after the download attempt is made.

If you select the After option, you must select the time gap after which the automated action must be implemented.

End-User Notification

This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.

Custom Message

Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink www.nightfall.ai with the text Nightfall website, you must write <www.nightfall.ai|Nightfall website>.

Automation

The automation settings allow you to send notifications to end users. You can select one or both the notification methods. You must first turn on the toggle switch to use the automation option. The automation notification channels are as follows

• Email: This option sends an Email to the user who attempted the download.

• Slack: This option sends a Slack message to the user who attempted the download.

End-User Remediation

End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take, when a violation is detected on by their download attempt. You must turn on the toggle switch to use this option. End-users receive the remediation actions in an Email as an action item. The various available remediation actions for end-users are as follows.

• Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.

When end-users report alerts as false positive, you can choose the resolution method to be either Automatic or manual.

If end-users do not take any remediation action, you can set the frequency at which they must receive the notifications to take action.

In this final stage, you assign a name to the policy, verify your configurations, and create the policy.

1. Enter a name for the policy.

2. (Optional) Enter a description for the policy.

3. Click Next.

1. Verify if all the policy configurations are set up as per your requirements.

2. (Optional) Click back or click on any specific stage to modify any of the policy configurations.

3. Click Submit.

The Scope section determines which areas of Nightfall needs to be monitored by Nightfall for Exfiltration. You can choose one or all of the following data types to be monitored.

• Attachments & Files

• Reports

• Records & Objects

After you make the required selection, you can also add filters to monitor specific Salesforce users or Salesforce profiles.

Data Types

In the Data Types section, you must select the Salesforce data types to be monitored. By default, all the three data types are selected. You can choose to either retain all the three data types or clear any of the data types.

Filters

The Filters section allows you to add additional filters, on top of the selected data types, to narrow down the monitoring scope. Nightfall provides the following two types of filters.

Internal Users

You can choose specific Salesforce users whose activities need to be monitored or excluded from being monitored. Nightfall populates the list of all your users from Salesforce. You need to select either the users whose activities need to be monitored or the users whose activities need to be excluded from monitoring.

To add Users filter, click Add Filter and select Internal Users.

To monitor specific users, select the Monitor specific option. To exclude specific users from being monitored, select the Monitor all, except option.

Nightfall populates the list of Salesforce users in the Search users field. You can select the all the required users.

Salesforce Profiles

You can choose specific Salesforce profiles whose activities need to be monitored or excluded from being monitored. Nightfall populates the list of all your Salesforce profiles. You need to select either the profiles whose activities need to be monitored or the profiles whose activities need to be excluded from monitoring.

To monitor specific Salesforce profiles, select the Monitor specific option. To exclude specific Salesforce profiles from being monitored, select the Monitor all, except option.

Nightfall populates the list of Salesforce profiles in the Search profiles field. You can select the all the required users.

Example Scenario

Contoso Ltd. uses Salesforce to host their applications. They have three users Steve, Rick, and Matt in their Salesforce org. These users are not Contoso employees. They are employees of Acme corp. which is a prospective customer of Contoso Ltd. Steve, Rick, and Matt are evaluating Constoso's app so that they can check if it meets Acme corp's requirements. Contoso has created a Salesforce profile called Prospective customers and added these three users to this profile

Contoso Ltd. uses Nightfall Salesforce exfiltration and wishes to check if any files with sensitive data is downloaded by any of these three users. They create a Salesforce exfiltration policy to monitor all the data types. They can choose one of the following filter.

• They can use the #internal-users filter and add these three users.

• They can select the #salesforce-profiles filter and add the Prospective customers profile to it. So, in future if any other prospective customers added, they are also automatically monitored.

This document explains what admins and end-users can do once a policy is violated.

Admin Notification and Remediation

When end-users violate a policy, the Nightfall admin is notified about the incident. The notification channel used to notify the Nightfall admin depends on the settings configured in the #admin-alerting section. If you have not enabled any notification channels in the Admin alerting section, Nightfall admins are not notified.

If you have enabled the email notification in the Admin alerts section, Nightfall admins receive an email. The email is as shown in the following image.

The Email consists of the following data.

• Event: The event that caused the violation. For Salesforce, the event is always download of assets.

• Who: The Email ID of the user who downloaded the file.

• When: The date and time when the email was downloaded.

• What: The name of the file that was downloaded.

• Policies Violated: The name of the policy that was violated.

• Violation Dashboard: The link to the Events screen to view the violation in detail.

• Actions: The list of actions that the Nightfall admin can take.

Also, a Slack message is sent if you have enabled the Slack alerts for the Nightfall admin.

End-User Notification and Remediation

End-users receive notifications and remediation actions if the Nightfall admin has enabled these settings. The notifications are based on the settings configured in the #automation section. The end-user remediation actions are based on the settings configured in the #end-user-remediation section.

If you have configured the Email notification for end-users and enabled the end-user remediation, end-users can take remediation actions from the Email itself. The end-user Email is shown in the following image.

If you have configured Slack notifications for end-user and enabled end-user remediation, end-users also get a message in the respective Slack channel configured.

Manage Violations in Nightfall

To manage violations in the Nightfall console:

1. Click Events from the left menu.

1. Click the Exfiltration tab.

The Exfiltration Events page lists all the exfiltration events. To view events specific to the Salesforce integration:

1. Click Filters and select + Add Filter.

1. Select Integration in the Select a filter field.

1. Select the Salesforce check box in the Select an option field.

1. Click Apply.

Now, only the Salesforce events are displayed.

1. To view events with specific statuses, you can click the respective tabs.

To view historic events, click the Time filter and select the required time period.

You can click an event to view the details. The detail view window is as follows.

The detail view window consists of the following tabs.

• Summary: The Summary tab displays highlights of the event like the name of the downloaded asset, the name of the violated policy, and the email ID of the user who violated the policy.

• Asset: The asset tab displays the details of the asset. You can view details like name of the downloaded asset, size of the downloaded asset, exfiltration action (download), owner's Salesforce ID and IP address. If there are multiple assets in a single violation, you can choose which asset's details must be displayed.

• Actor: The actor tab displays the email ID of the Salesforce user who downloaded the asset. You can add notes on this tab which is displayed in the Admin notes section.

Taking Actions on the Events Page

The events list view displays an ellipsis menu at the extreme right corner. Admins can click this menu to take appropriate action on an exfiltration event.

The various available actions are explained as follows.

• Acknowledge: This action can be taken when you just wish to acknowledge that you have viewed the violation.

• Notify Email: This action sends an email notification to the end-user who caused the violation.

• Notify Slack: This action sends a Slack notification to the end-user who caused the violation.

• Ignore: This action ignored the violation. You can take this action when an event is false positive.

• Freeze User: This action freezes the user account and logs them out of Salesforce. Users cannot login until admin unfreezes their account.

• Revoke User Permission: This permission revokes the user's download privileges. Users can only view data in Salesforce. This action assigns the Salesforce's Minimum access profile to the user. You can learn more about this profile from this Salesforce document.

• Unfreeze User: Once you freeze a user, this action is active. You can unfreeze a freezed user with this action.

Once the action is implemented, the status of the event changes respectively. By default, an event can have one of the following two statuses.

• Active: The event has been generated but no action has been taken.

• Input Requested: A notification has been sent to the end-user requesting their response.

The Trigger section in Salesforce policies allows you to define the frequency of action that must be considered as an exfiltration event. In case of Salesforce policies, the download frequency is the trigger.

The download frequency can be defined as the number of downloads over a period to time. This allows you to set custom thresholds in terms of number of downloads over a specific period of time and can be useful to identify anomalous download patterns for specific locations, users or content type. This can be set in combination to other scoping capabilities.

Configuring Triggers

In the Actions section, you can define the download action that must be considered as a potential exfiltration attempt by Nightfall. Nightfall allows you to set the frequency of downloads as the action.

To configure Actions:

1. Click the minimum number of files that must be the download threshold.

1. Set the time period within which the minimum no. of downloads must be considered as exfiltration event.

In the following case, an exfiltration event is created if, there are 2 or more downloads within a minute.

In this stage, you select the Integration for which the policy is created. In this case, Salesforce integration must be selected.

1. Click Policies from the left menu.

1. Click + New Policy.

1. Select Exfiltration.

1. Select the Salesforce integration.

Exfiltration policies allow you to monitor download events across your Salesforce environment. Through real-time download monitoring, you can identify insider risk and anomalous behaviour before it escalates to large scale security incidents. The following are supported and monitored by Nightfall for exfiltration activities,

• Attachments & Files

• Reports

• Records & Objects

Download of any of the above information containers is an exfiltration activity for Nightfall, and if such activities breach a threshold set in one of the exfiltration policies in Nightfall, then Nightfall will flag it an exfiltration event. You can configure which users should receive notifications and what automatic actions must be taken when an exfiltration event is detected.

The detailed steps to configure the Salesforce Exfiltration policy is explained in the following documents.

Integration

Scope

Trigger

Advanced Settings

Creating Policy

Remediation for Salesforce Exfiltration