# Exfiltration Events The Nightfall Exfiltration page displays various details of the Exfiltration Events. An Exfiltration Event is automatically created in Nightfall when an Exfiltration policy is violated. The Event displays useful information like the integration on which the exfiltration occurred (Google Drive, Salesforce, macOS/Windows Endpoint), the name of the policy violated, the details of the asset responsible for the violation, and so on. ## Exfiltration Event List View You can navigate to the Exfiltration Event page by clicking **Exfiltration Prevention** button from the left menu.

Once you land on the Exfiltration Events page, all the Exfiltration Events are listed. This view can be called as the **Event list view**. When you click an Event on the Event list view, the details of only the selected Event is displayed. We can call it the Event Detail view. {% hint style="info" %} Some of the Event features are common to both Exfiltration and Data Detection and Response. In such cases, we will provide a link to the respective section in Data Detection and Response. {% endhint %} The Event list view contains a table which displays details of the Events. You can [click here](https://help.nightfall.ai/dashboard/sdp_events#event-list-view) to learn more about the details displayed in the Event list view. ## Filtering Data You can filter the data on the list view by date or by integrations. To filter the data by integrations, you must execute the following steps. 1. Navigate to **Exfiltration Prevention** from the left menu.Steps 2-6 help you filter the events to only view the alerts generated by Windows OS. 2. Click **Filter**. 3. Click **+ Add Filter**. 4. Select **Integration**. 5. Select the check box required integration(s). 6. Click **Apply**.

You can also use the date filter to view historic Exfiltration events. To learn more about how to use the historic time filter, [refer this section](https://help.nightfall.ai/dashboard/sdp_events#historic-data-filter). ## Search Events Nightfall provides a powerful search bar to search specific Exfiltration events. Nightfall provides you various search operators to perform your search. You must use the following syntax to search data. ``` search operator name:"search term" ``` For example, to search events that are in active state, you must use the `State` search operator with the following syntax. ``` State:"Active" ``` The various Exfiltration search operators provided by Nightfall are as follows. ### General Search Operators

Search Operator Name	Description
actor_Email	Search using the Email ID of the actor whose action triggered the Event.
actor_Name	Search using the name of the actor (device name) from which the Event was triggered.
event_id	Search the unique Exfiltration event ID.
event_type	Search the Exfiltration event type.
integration_name	Search the integration name.
last_action	Search the last action implemented on an event. Example of action can be Acknowledge, Ignore, Resolve, and so on.
last_actioned_by	Search for the user who last took an action on the event.
notes	Search the notes entered in an Event.
policy_id	Search the unique policy ID.
policy_name	Search the policy name.
resource_content_type	Search the resource type of the file that was exfiltrated. Resource type refers to the file format and can be PDF, .doc, d.ocx, and so on.
resource_id	Search the resource ID. This unique identifier is assigned to resources by their integration (Google Drive, Salesforce)
resource_name	Search the resource name (file name) that was exfiltrated.
resource_owner_email	Search the email of the user who owns the exfiltrated file.
resource_owner_name	Search the name of the user who owns the exfiltrated file.
state	Search the current status of the Event. This could be Active, Acknowledge, and so on.
violation_id	Search the unique violation ID of the event.
violation_type	Search the violation type

### Integration Operators

Integration	Operator Name	Description
Endpoint (Browser upload)	endpoint.browser_upload.browser_name	Search the Web browser that was used to upload file.
Endpoint (Browser upload)	endpoint.browser_upload.domain	Search the domain name that was used to upload file.
Endpoint (Browser upload)	endpoint.browser_upload.file_name	Search the name of the file.
Endpoint (Browser upload)	endpoint.browser_upload.origin.browser_name	Search the browser from which the exfiltrated file emerged.
Endpoint (Browser upload)	endpoint.browser_upload.origin.domain	Search the domain from which the exfiltrated file emerged.
Endpoint (Browser upload)	endpoint.browser_upload.origin.url	Search the exact URL from which the exfiltrated file emerged.
Endpoint (Browser upload)	endpoint.browser_upload.url	Search the URL used to upload the exfiltrated file.
Endpoint (Clipboard Copy/Paste)	endpoint.clipboard_copy.destination.browser_name	Search the destination browser name to which the copied data was pasted.
Endpoint (Clipboard Copy/Paste)	endpoint.clipboard_copy.destination.domain	Search the destination domain name to which the copied data was pasted.
Endpoint (Clipboard Copy/Paste)	endpoint.clipboard_copy.origin.browser_name	Search the origin browser name from which the data was copied.
Endpoint (Clipboard Copy/Paste)	endpoint.clipboard_copy.origin.domain	Search the origin domain name from which the data was copied.
Endpoint (Clipboard Copy/Paste)	endpoint.clipboard_copy.origin.url	Search the origin URL from which the data was copied.
Endpoint (Cloud Sync)	endpoint.cloud_sync.account_name	Search the name of the account to which the file was uploaded.
Endpoint (Cloud Sync)	endpoint.cloud_sync.account_type	Search the account type (personal/business) of the account to which the file was uploaded.
Endpoint (Cloud Sync)	endpoint.cloud_sync.app	Search the cloud storage app name (Google Drive, OneDrive) to which the file was uploaded.
Endpoint (Cloud Sync)	endpoint.cloud_sync.destination_file_path	Search the destination directory in the storage app to which the file was exfiltrated.
Endpoint (Cloud Sync)	endpoint.cloud_sync.email	Search the email ID of the account to which the file was uploaded.
Endpoint (Cloud Sync)	endpoint.cloud_sync.file_name	Search the name of the file which was uploaded to a cloud storage app.
Endpoint	endpoint.device_id	Search the endpoint device ID of the device from which the exfiltration was performed.
Endpoint	endpoint.machine_name	Search the endpoint device name from which the exfiltration was performed.
Google Drive	gdrive.drive	Search a drive within Google Drive. Returns all the events that were exfiltrated from the searched drive.
Google Drive	gdrive.file_owner	Search a Google Drive user. Returns all the events that were owned by the searched user and were exfiltrated.
Google Drive	gdrive.label_name	Search a Google Drive label. Returns all the events that contained the searched label and were exfiltrated.
Google Drive	gdrive.permission	Search a Google drive permission (restricted, pubic). Returns all the events that contain the searched permission and exfiltrated.
Google Drive	gdrive.shared_external_email	Search the shared Gmail external email ID.
Google Drive	gdrive.shared_internal_email	Search the shared Gmail internal email ID.
Salesforce	salesforce.file.session_level	Search for Salesforce session level file
Salesforce	salesforce.file.source_ip	Search the IP address of the source machine that initiated the exfiltration of the file.
Salesforce	salesforce.report.description	Search the description provided in Salesforce report.
Salesforce	salesforce.report.event_source	Search the Salesforce report event source.
Salesforce	salesforce.report.operation	Search the Salesforce report operation.
Salesforce	salesforce.report.scope	Search the Salesforce report scope.
Salesforce	salesforce.report.session_level	Search the Salesforce session level report.
Salesforce	salesforce.report.source_ip	Search the source IP address of the Salesforce report.

To learn more about how to search special characters, refer to [this section](https://help.nightfall.ai/dashboard/sdp_events#special-characters). Nightfall allows you to share and download the Event data. The **Share** button creates a link to the current view with all the filters applied. When you click this link, the Events page opens with all the filters applied. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.nightfall.ai/data-exfiltration-prevention/dashboard-and-events/exfiltration-events.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.