Nightfall Dashboard

The Nightfall Dashboard delivers a single‑pane view of your security posture, consolidating data from every native integration in your Nightfall console. At a glance, you’ll see:

• Active Threats: Instantly surface and prioritize your highest‑risk alerts—click any item to jump straight to the violation details and start remediation.

• Insights: Analyze trends in event volume, detection accuracy, and resolution ROI to optimize your security operations continuously.

• Environment: Track scan volume, endpoint coverage, and capacity usage across all integrations in real-time.

Every visualization—widget, chart, or table—is interactive. Use filters for date range, integration, detector, status, and more to drill down into the exact data you need.

Active Threats

This section surfaces your most urgent threats in real-time so that you can address them quickly. Click any chart segment to jump straight to the corresponding violations screen—no manual searches or sorting required.

Detection and Response Events: This is a semi-circle visual display sall unresolved sensitive‑data events, broken out by risk level (Critical, High, Medium, Low). Click on a risk segment to navigate directly to those violations.

Exfiltration Events: Total exfiltration incidents logged over the last 30 days. Click to drill into the Events list and resolve threats.

Posture Events: This widget displays the number of posture‑related issues (e.g., misconfigurations or compliance gaps) recorded in the past 30 days. You can click the widget to drill down to the Events list and resolve them.

D&C Events: This widget displays the number of data classification events recorded in the past 30 days. You can click the widget to drill down to the Events list and resolve them.

Encryption Events: This widget displays the number of encryption events recorded in the past 30 days. You can click the widget to drill down to the Events list and resolve them.

Insights

This section enables you to monitor and optimize your security operations over time with metrics on detection accuracy, resolution efficiency, and ROI—across SecOps teams, end users, and automation.

This section displays the following widgets and charts.

• Events Over Time: This bar graph displays the number of Events recorded across the selected time period. The x-axis represents time, and the y-axis represents the number of events. Data is segmented by integration, risk, policy, or resolution as applicable for the integration. You can click a bar to drill down to the list of respective events. You can also use the filter to view Event data specific to Data detection and Response, Posture, Exfiltration and data classification. Furthermore, you can also filter data based on specific time period.

• Remediation Rate: This widget displays the percentage of events resolved. Data is segmented as follows:

• Remediated: Events actively resolved to mitigate potential threats either by an Admin, End-User, or Automation.

• Ignored: Events that require no further action.

• False Positives (FP): Events annotated as false alerts either by an Admin or End-User.

• Business Justification: Events dismissed with a provided business justification either by an Admin or End-User.

• FP/Ignore Rate: This widget displays the percentage of events that are either ignored or classified as business justified or false positives. This metric reveals the noise level in your alerting system, showing how effectively your policy triggers and detection models minimize unnecessary alerts.

• EU/Automation Rate: This widget measures the proportion of event management tasks handled by end-users and automated systems as opposed to those managed manually by the security operations team.

• Mean Time to Resolution: This chart displays the average time taken to resolve an event from creation to closure. It provides valuable insights into the efficiency and responsiveness of your incident management process, helping reduce resolution times and minimize the risk of exposure.

• Most Active Policies

  The Most Active Policies widget tracks security security events—one policy trigger each time a scanned resource contains ≥1 finding.

  • Findings vs. Events: Findings count individual detections (documents can have thousands); events count one trigger per resource.

  • True Positive Events: Policy triggers that correctly identify real security risks.

  • Ignored Events: Triggers you’ve chosen to dismiss.

    • Business Justification Findings: Annotated by admins or end-users to explain why a finding is acceptable (e.g., “Test data” or “Allowed by process”).

  • False Positive Events: Triggers later overturned as false alarms.

  • Expired Events: Triggers over 30 days old with no follow-up.

  These metrics are essential for refining your policy thresholds and cutting alert fatigue. Drill into any ignored or false-positive segment to inspect the underlying events, tweak rules or scopes, and confidently turn on automation.

• Most Active Detectors

  The Most Active Detector widget tracks findings—each time our models flag sensitive data in a scanned document.

  • Findings vs. Events: Findings count individual detections (documents can have thousands); events count one trigger per resource.

  • True Positive Findings: Genuine security issues that have been resolved or confirmed.

  • Ignored Findings: Linked to violations you’ve dismissed.

  • Business Justification Findings: Annotated by admins or end-users to explain why a finding is acceptable (e.g., “Test data” or “Allowed by process”).

  • False Positive Findings: Marked as false alarms.

  • Expired Findings: Older than 30 days with no action.

  These metrics are vital for eliminating detection noise on your dataset. Your annotations feed into model retraining, boosting precision so you can safely expand automated actions. This widget is not currently clickable.

• Highest Risk Users: This chart provides an overview of the users generating the highest number of detection events, segmented by risk score. It helps you identify outliers and pinpoint areas where specific user behaviours or data hygiene practices may need improvement.

• End-User Remediation Events: This chart provides administrators with insights into end-user resolution actions by categorising requests into:

  • Pending: Requests awaiting a response.

  • Remediated: Cases where users have taken corrective action.

  • Justification: Instances where a business justification led to the event being ignored.

  • False Positive: Cases where users have annotated the event as a false positive.

When you click a segment it opens the detailed event information in the corresponding list view for rapid review and analysis.

Environment

Get a high‑level snapshot of your Nightfall deployment—scan volume, endpoint coverage, and capacity health—all in one place.

Data Pack Usage: This Data Usage widget provides an overview of your data scanning consumption versus your data purchased. Monitor usage trends and be alerted when additional capacity may be needed.

MacOS Endpoints: The Mac Endpoint widget shows the number of deployed endpoints for Mac devices. Quickly assess your endpoint coverage and ensure all devices are adequately protected.

Windows Endpoints: The Windows Endpoint widget shows the number of deployed endpoints for Windows devices. Quickly assess your endpoint coverage and ensure all devices are adequately protected.

Data Scanned: This widget displays the total volume of items and data scanned. Additionally, you can also view the amount of data used for scanning for each integration. Metrics for real-time scans and historical audits are provided. You can choose to view the data for the past 1 month, 3 months, 6 months, 1 year, or 2 years.

Generating Reports

Nightfall allows you download a PDF copy of the Dashboard data or email the dashboard data. If you choose to download a report, a PDF file containing the Dashboard data is downloaded.

If you choose to email the Dashboard data the following types of reports are present in the downloaded data.

• Sensitive Data Exposure: This report consists of information like the location of sensitive data, the nature of sensitive data, and the overall risk associated with it.

• Policy Violations: This report provides information on the policies that are generating the highest number of violations.

• Highest Risk Users: This report provides information about users who are triggering the highest number of violations across all integrations.

• Total Data Scanned: This report displays the total data scanned by Nightfall across all integrations.

To email a Dashboard Report:

1. Click Generate Reports and select Send to email.

2. Select the check boxes of the reports to be included. Click Select All to include all the reports.

3. (Optional) Click Add Recipient to add additional recipients. By default the report is mailed to the logged in user.

4. Select the time period for which you wish to download the report.

5. Click Generate. A pop-up window appears that confirms the Email ID to which reports will be sent.

6. Click Done.

Analyzing Downloaded Reports

When you generate a report, it is sent as an Email to the logged-in user. This email contains a link to download the reports. The download link expires in 7 days from the date you received the Email.

A folder is downloaded to your system. The folder is named as Nightfall_Reports_<date on which report was generated>_<historical time period>. This folder contains the reports that you selected for download in step 2 of the Generating Reports section. All the downloaded files are in CSV format.

The following image shows a folder downloaded on 26-11-2023 for the last 30 days. All four reports were selected for download hence you can see four CSV files.

Analyzing Highest Risk Users Report

The Highest Risk Users report is named as <date on which report was generated>highest_risk_users_<histroical time period selected>. This report displays the list of users who have triggered the maximum number of violations. The users are sorted in decreasing order of violations triggered. Hence the user who caused the highest number of violations is at the top and the user who triggered the lowest number of violations is at the bottom. This report also displays the integrations, policies, and Detection rules that were violated.

This report has the following columns.

The following image shows a screenshot of the Highest Risk users report.

Analyzing Policy Violations Report

The Policy Violations report is named as <date on which report was generated>_policy_violations_<histroical time period selected>. This report displays the list of policies that triggered the violations. The policies are sorted in decreasing order of violations triggered. Hence the policy that triggered the highest number of violations is at the top and the policy that triggered the lowest number of violations is at the bottom. This report also displays the integrations, policies, detection rules, and detectors that were violated.

This report has the following columns.

The following image shows a screenshot of the Policy Violations report.

Analyzing Sensitive Data Exposure Report

The Policy Violations report is named as <date on which report was generated>_sensitive_data_exposure_<histroical time period selected>. This report displays all the details of the sensitive data exposed. This report also displays the integrations, policies, detection rules, and detectors to which the sensitive information belongs to.

This report has the following columns.

The following image shows a screenshot of the Sensitive Data Exposure report.

Analyzing Total Data Scanned Report

The Total Data Scanned report is named as <date on which report was generated>_stotal_data_scanned_<histroical time period selected>. This report displays all the details of the data scanned.

This report has the following columns.

The following image shows a screenshot of the Total Data Scanned report.