Forensic Search
Perform insider risk investigations and threat hunting across all detected data exfiltration events — not only policy-triggered alerts.
Overview
Forensic Search provides a searchable timeline of detected data exfiltration events across your employee base. The search events include all events for all supported exfiltration vectors — not only policy-triggered alerts.
Security teams use Forensic Search to investigate how organizational data moves to external destinations such as cloud storage platforms, SaaS applications, and external email systems.
The interface allows analysts to search, filter, and review exfiltration events to determine:
which user moved data
which device performed the action
where the data was sent
whether sensitive data was involved
This enables rapid investigation of insider risk incidents and potential data exfiltration activity.
Quickstart: Investigate Potential Data Exfiltration
Use the following steps to quickly investigate suspicious data movement.
Navigate to Discovery → Forensic Search.
Select the user of interest with the User filter.
Set the Time Range to Last 7 days.
Add a Risk filter and select:
Critical
High
Sort the event table by Timestamp to review the most recent events first.
Scan the Destination column for external services such as:
personal cloud sync
personal accounts
file-sharing sites
unfamiliar SaaS domains
Click any event to open the Event Detail Panel.
Review the following fields:
User – who performed the action
Asset – what file or content was transferred
Destination – where the data was sent
Device – which device performed the action
If suspicious activity is confirmed, remove the Risk filter so that all of the user's events are included, then click Export Events to download a CSV for documentation or further investigation.
Filtering to Critical and High risk events is the fastest way to identify suspicious data transfers.
Investigating Data Exfiltration with Forensic Search
Security teams use Forensic Search to investigate how organizational data moves to external destinations and to identify potential data exfiltration activity.
Common investigation scenarios include:
Investigating departing employees
Reviewing unusual data transfer alerts
Performing threat hunting for data exfiltration
Auditing data movement to external services
Investigating suspicious cloud storage activity
Identifying early adopters of Gen AI and AI Agent tools
Forensic Search allows analysts to reconstruct how data moved outside the organization by examining sequences of exfiltration events.
Data exfiltration rarely occurs as a single action. Instead, it typically appears as a pattern of related events occurring over a short period of time.
Security analysts often look for the following behavioral patterns when investigating potential exfiltration.
Burst Uploads
Large numbers of uploads occurring in a short time window.
May indicate bulk data staging prior to exfiltration.
Off-Hours Activity
Transfers occurring late at night or on weekends.
Unexpected activity outside normal working hours may indicate suspicious behavior.
Multiple External Destinations
Sequential uploads to several different services.
May indicate attempts to bypass security controls or distribute data across multiple locations.
Personal Cloud Storage
Uploads to personal accounts such as Google Drive (Personal) or Dropbox (Personal).
Personal accounts are outside corporate control and represent higher exfiltration risk.
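The four patterns above can be checked mechanically over an Export Events CSV instead of by scrolling the event table. The script below is an added example written for this page, not Nightfall code; it assumes export column names (timestamp, user, device, asset, destination, action, session, risk) and threshold values (5 uploads in 10 minutes for a burst, 3 distinct destinations in 60 minutes, working hours 08:00 to 20:00 on weekdays) that are illustrative choices, and it runs on a constructed sample export embedded inline.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an Export Events CSV. The header names are an
# assumption for this example; check them against a real export.
SAMPLE_EXPORT = """timestamp,user,device,asset,destination,action,session,risk
2026-03-02T09:14:00,alice@example.com,LT-0142,q1-forecast.xlsx,Google Drive (Corporate),Upload,corporate,Low
2026-03-02T23:02:00,bob@example.com,LT-0377,customers.csv,Google Drive (Personal),Upload,personal,Critical
2026-03-02T23:03:30,bob@example.com,LT-0377,pricing.pdf,Google Drive (Personal),Upload,personal,Critical
2026-03-02T23:05:10,bob@example.com,LT-0377,contracts.zip,Dropbox (Personal),Upload,personal,Critical
2026-03-02T23:06:45,bob@example.com,LT-0377,roadmap.pptx,WeTransfer,Upload,unknown,High
2026-03-02T23:08:00,bob@example.com,LT-0377,salaries.xlsx,Mega,Upload,unknown,High
2026-03-03T14:20:00,carol@example.com,LT-0511,notes.txt,ChatGPT,Paste,corporate,Low
"""

# Assumed thresholds; tune them to the organisation's normal activity.
WORK_START, WORK_END = 8, 20                      # working hours, local time
BURST_MIN_EVENTS, BURST_WINDOW = 5, timedelta(minutes=10)
MULTI_DEST_MIN, MULTI_DEST_WINDOW = 3, timedelta(minutes=60)


def parse_export(text):
    """Parse the CSV export into dicts, adding a datetime and sorting by time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    rows.sort(key=lambda r: r["ts"])
    return rows


def is_off_hours(ts):
    """Weekend, or outside the assumed working-hours window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def is_personal_destination(row):
    """Personal session context, or a destination App Intelligence labels (Personal)."""
    return row["session"] == "personal" or "(Personal)" in row["destination"]


def _windows(events, window):
    """Yield, for each event, the time-sorted events that fall within `window` of it."""
    for i, first in enumerate(events):
        yield [e for e in events[i:] if e["ts"] - first["ts"] <= window]


def analyse(rows):
    """Return {user: [pattern names]} for users whose events match any pattern."""
    findings = defaultdict(list)
    by_user = defaultdict(list)
    for row in rows:
        by_user[row["user"]].append(row)

    for user, events in by_user.items():
        uploads = [e for e in events if e["action"] == "Upload"]
        # Burst uploads: many uploads inside a short sliding window.
        if any(len(w) >= BURST_MIN_EVENTS for w in _windows(uploads, BURST_WINDOW)):
            findings[user].append("burst_uploads")
        # Off-hours activity: any event outside working hours.
        if any(is_off_hours(e["ts"]) for e in events):
            findings[user].append("off_hours")
        # Multiple external destinations: several distinct services in one window.
        if any(len({e["destination"] for e in w}) >= MULTI_DEST_MIN
               for w in _windows(uploads, MULTI_DEST_WINDOW)):
            findings[user].append("multiple_destinations")
        # Personal cloud storage: any transfer under a personal identity.
        if any(is_personal_destination(e) for e in events):
            findings[user].append("personal_cloud")
    return dict(findings)


if __name__ == "__main__":
    for user, patterns in analyse(parse_export(SAMPLE_EXPORT)).items():
        print(f"{user}: {', '.join(patterns)}")
```

Run against the sample, only bob@example.com is flagged, and for all four patterns at once; a single Critical event would have put him in the queue anyway, but the combination is what turns a score into an investigation lead, which is the point of reviewing sequences rather than isolated events.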
Investigation Workflow
Most investigations follow this workflow:
Identify suspicious data movement or receive an alert.
Filter events by user and/or time range.
Review event details and destinations.
Identify patterns of data movement.
Export events for investigation documentation.
This workflow allows analysts to quickly determine whether activity represents legitimate work or potential data exfiltration.
Risk Scoring
To assist in identifying potentially risky behavior, Nightfall assigns a risk score to individual exfiltration events observed in Forensic Search. Each event receives a risk level that helps analysts prioritize investigations and quickly surface higher-risk data transfers.
Event-level risk scoring is currently in beta and is intended to provide investigation guidance rather than definitive risk determinations. Analysts should evaluate events within the broader context of user activity and look for patterns of behavior across multiple events, rather than relying on a single event score.
🚨 Critical – Immediate investigation recommended
🔴 High – Elevated risk signals detected
🟡 Medium – Moderate risk indicators
🟢 Low – Activity appears consistent with expected usage
⚪ Unknown – Insufficient context to determine risk
Risk Signals
In the current release, event risk scores are based on two primary signals:
Application Risk Level
User Session Context (Corporate vs Personal Account)
These signals help determine whether data is being transferred to a higher-risk application or outside corporate identity boundaries.
Application Risk Level
Every destination application detected in an exfiltration event inherits a baseline risk level from App Intelligence.
App Intelligence continuously discovers and classifies the web applications employees interact with. Each application is categorized based on its function and typical data exposure risk, such as:
Cloud storage
File sharing
Developer tools
GenAI and AI Agent tools
Business SaaS
Applications that enable easy external data transfer or lack strong identity controls typically carry higher baseline risk.
App Intelligence provides the discovery and classification layer used for application risk scoring.
User Session Context
Risk scoring also considers whether the user is operating within a corporate identity boundary.
When available, Nightfall determines whether a user is authenticated to a corporate account or a personal account within the destination application.
Examples:
Upload to corporate Google Drive – Low risk
Upload to personal Google Drive – Critical risk
Files uploaded or text pasted to a GenAI site using a corporate account – Low risk
Files uploaded or text pasted to a GenAI site using a personal account – High risk
Transfers to personal accounts represent a significantly higher risk of data exfiltration because the organization does not control those accounts.
Session detection requires the Nightfall browser extension to be installed.
Exporting Investigation Evidence
Investigators can export results using Export Events.
Exports include:
event fields
timestamps
risk scores
Exports are commonly used for:
incident response documentation
compliance reporting
deeper analysis in SIEM platforms
Exports respect active filters, allowing analysts to export specific investigation scopes.
Tutorials
Investigating a Departing Employee
Open Forensic Search.
Set the time range to Last 30 days.
Filter by the employee's email.
Review the timeline histogram for activity spikes.
Filter to Critical and High risk events.
Review destinations and file metadata.
Export relevant events for documentation.
Investigating Off-Hours Transfers
Set the time range to Last 7 days.
Review the timeline for late-night activity.
Zoom into suspicious time windows.
Filter by High and Critical risk events.
Review upload destinations.
Investigating Unusual Data Movement
Filter by Upload or Cloud Sync.
Filter by Critical and High risk events.
Look for sequential transfers to external services.
Review event details to confirm file types and destinations.
Export events if escalation is required.
FAQs
How far back can I search events?
Events can be searched for up to 180 days. Currently, the earliest available events begin on February 6, 2026, so searches cannot return events earlier than that date.
How quickly do events appear?
Events typically appear within 30 minutes of occurring.
Can events be exported?
Yes. Events matching current filters can be exported to CSV.
Can searches be saved?
Saved searches are planned for a future release.
Who can access Forensic Search?
Access is controlled through Nightfall role-based permissions.