Triggers a scan of the file identified by the provided fileID. As the underlying file might be arbitrarily large, this scan is conducted asynchronously. Results from the scan are delivered to the webhook URL provided in the request payload.
A file ID returned from a previous file creation request.
The UUID of the Detection Policy to be used with this scan. Exactly one of this field or "policy" should be provided.
A list of pre-existing detection rule UUIDs to scan a file against. These UUIDs can be fetched from the Nightfall Dashboard.
A list of inlined detection rule definitions to scan a file against.
An optional name for the detection rule.
Supported values are ALL or ANY. Applies a logical "AND" or "OR" (respectively) to the list of detectors to decide when a finding should be surfaced.
A list of detectors the request payload should be scanned against.
The minimum number of findings required in order for this detector to be reported.
The confidence level of a finding.
The UUID of a pre-existing detector to use. If this value is provided, all below fields are ignored.
The display name for this detector's findings in the response.
The type of detector.
The name for a Nightfall detector.
The regex object for the regex detector, context rules, and exclusion rules.
The regex pattern to match on.
The case sensitivity for the regex pattern.
The WordList object for wordList detector and exclusion rules.
A list of words for wordList.
The case sensitivity for words in the wordList. If false, ignore the case of findings.
A list of context rules.
The regex object for the regex detector, context rules, and exclusion rules.
The regex pattern to match on.
The case sensitivity for the regex pattern.
The object containing the number of characters before and after the finding to evaluate as context.
The number of leading characters to include as context before the finding itself.
The number of trailing characters to include as context after the finding itself.
The object containing the confidence level to adjust findings to.
The confidence level of a finding.
A list of exclusion rules.
The type of match for a pattern.
The type of exclusion rule.
The regex object for the regex detector, context rules, and exclusion rules.
The regex pattern to match on.
The case sensitivity for the regex pattern.
The WordList object for wordList detector and exclusion rules.
A list of words for wordList.
The case sensitivity for words in the wordList. If false, ignore the case of findings.
A config that determines how a finding will be redacted. Must contain exactly one of [maskConfig, infoTypeSubstitutionConfig, substitutionConfig, cryptoConfig].
A config that masks a sensitive finding. e.g. '4242-4242-4242-4242' can be configured to be redacted to '####-####-####-4242'.
The UTF-8 character used to mask a finding. If not provided, we will mask with an asterisk "*". Other examples include "#", "X", "🙅🏽", "🙈", etc.
A list of characters that will not be masked. For example, you could set this field to ["-","@"] to preserve formatting context that is typically present in credit cards or emails (e.g. --- versus *********, or ***************** versus @).
A character that will not be masked. e.g. "-"
The number of characters that will be left unmasked. For instance, if you want to mask all but the last 4 digits of a credit card number, set this value to 4 so that the redacted finding would look like ***************4242.
Determines if masking is applied left to right (/1984) instead of right to left (01/01). By default, this value is false.
A config that substitutes a sensitive finding with the name of the NIGHTFALL_DETECTOR that triggered it. This config is only valid for detectors with detectorType NIGHTFALL_DETECTOR. e.g. '4242-4242-4242-4242' can be configured to be redacted to '[CREDIT_CARD_NUMBER]'.
A config that substitutes a sensitive finding with the configured substitutionPhrase. If no substitutionPhrase is configured, it will substitute the finding with an empty string. For example, 'my cc is 4242-4242-4242-4242' can be configured to be redacted to 'my cc is <oh no!🙈>'
The value that will replace a sensitive finding. e.g. '<oh no!🙈>'
A config that will encrypt a sensitive finding with the provided PEM formatted public key using RSA encryption.
The PEM formatted public key block that will be used to encrypt findings. Currently, only RSA encryption is supported.
Here's an example PEM formatted public key block:
-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAydYMwOYUGyBXDgHkzv19 YR/dYQES4kYTMUps39qv/amNDywz4nsBDvCUqUvcN3nEpplHlYGH5ShSeA4G/Fcm RqynSLVyFPZat/8E7n+EeHsgihFrr8oDWo5UBjCwRinTrC0m11q/5SeNzwVCWkf9 x40u94QBz13dQoa9yPwaZBX5uBzyH86R7yeZHpad2cLq0ltpmJ3j5UfsFilkOb3J B60TNpNDdfabprot/y30CEnDDOgAXGtV1m0AhQpQjKRnkUs39DntqSbS+i0Ugbyq zEGNUkeR1WsotXekW4KnbWA7k6S8SfkO27vnTSY5b9g/KKaOdysn5YaWJPfTVT/n ywIDAQAB -----END PUBLIC KEY-----
Determines if the response object will contain the un-redacted sensitive finding that was triggered by the scan. Defaults to false.
The scope to run the detector over. Setting any detector to File will cause it to run against the file name.
A configuration object that allows clients to specify where alerts should be delivered when findings are discovered as part of a scan. These alerts are delivered asynchronously to the provided platforms.
Contains the configuration required to allow clients to send asynchronous alerts to a Slack workspace when findings are detected. In order to use this alert destination, you must first authenticate Nightfall to your Slack workspace under the Settings menu on the Nightfall Dashboard. Alerts are only sent if findings are detected.
The name of the Slack conversation to which alerts should be sent. Currently, Nightfall supports sending alerts to public channels, formatted like "#general".
Contains the configuration required to allow clients to send an asynchronous email message when findings are detected. Alerts are only sent if findings are detected.
The email address to which alerts should be sent.
Contains the configuration required to allow clients to send a webhook event to an external URL when findings are detected. An alert is always sent to the webhook, even when there are no findings.
The URL to which alerts should be sent. This URL must (1) use the HTTPS scheme, (2) be able to accept requests made with the POST verb, and (3) respond with a 200 status code upon receipt of the event.
Contains the configuration required to allow clients to send SIEM events to an external URL when findings are detected. An alert is always sent to the webhook, even when there are no findings.
The URL to which alerts should be sent. This URL must (1) use the HTTPS scheme, (2) be able to accept requests made with the POST verb, and (3) respond with a 200 status code upon receipt of the event.
Sensitive header key value pairs to include in the SIEM request. Used for adding sensitive content like authentication tokens.
Header key value pairs to include in the SIEM request.
A config that determines how a finding will be redacted. Must contain exactly one of [maskConfig, infoTypeSubstitutionConfig, substitutionConfig, cryptoConfig].
A config that masks a sensitive finding. e.g. '4242-4242-4242-4242' can be configured to be redacted to '####-####-####-4242'.
The UTF-8 character used to mask a finding. If not provided, we will mask with an asterisk "*". Other examples include "#", "X", "🙅🏽", "🙈", etc.
A list of characters that will not be masked. For example, you could set this field to ["-","@"] to preserve formatting context that is typically present in credit cards or emails (e.g. --- versus *********, or ***************** versus @).
A character that will not be masked. e.g. "-"
The number of characters that will be left unmasked. For instance, if you want to mask all but the last 4 digits of a credit card number, set this value to 4 so that the redacted finding would look like ***************4242.
Determines if masking is applied left to right (/1984) instead of right to left (01/01). By default, this value is false.
A config that substitutes a sensitive finding with the name of the NIGHTFALL_DETECTOR that triggered it. This config is only valid for detectors with detectorType NIGHTFALL_DETECTOR. e.g. '4242-4242-4242-4242' can be configured to be redacted to '[CREDIT_CARD_NUMBER]'.
A config that substitutes a sensitive finding with the configured substitutionPhrase. If no substitutionPhrase is configured, it will substitute the finding with an empty string. For example, 'my cc is 4242-4242-4242-4242' can be configured to be redacted to 'my cc is <oh no!🙈>'
The value that will replace a sensitive finding. e.g. '<oh no!🙈>'
A config that will encrypt a sensitive finding with the provided PEM formatted public key using RSA encryption.
The PEM formatted public key block that will be used to encrypt findings. Currently, only RSA encryption is supported.
Here's an example PEM formatted public key block:
-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAydYMwOYUGyBXDgHkzv19 YR/dYQES4kYTMUps39qv/amNDywz4nsBDvCUqUvcN3nEpplHlYGH5ShSeA4G/Fcm RqynSLVyFPZat/8E7n+EeHsgihFrr8oDWo5UBjCwRinTrC0m11q/5SeNzwVCWkf9 x40u94QBz13dQoa9yPwaZBX5uBzyH86R7yeZHpad2cLq0ltpmJ3j5UfsFilkOb3J B60TNpNDdfabprot/y30CEnDDOgAXGtV1m0AhQpQjKRnkUs39DntqSbS+i0Ugbyq zEGNUkeR1WsotXekW4KnbWA7k6S8SfkO27vnTSY5b9g/KKaOdysn5YaWJPfTVT/n ywIDAQAB -----END PUBLIC KEY-----
Determines if the response object will contain the un-redacted sensitive finding that was triggered by the scan. Defaults to false.
Determines if a redacted version of the file will be returned, if available for the mime type. Current supported mime types are CSV and TSV. Defaults to false.
A string containing arbitrary metadata. Callers may opt to use this to help identify their input file upon receiving a webhook response. Maximum length 10 KB.
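The request fields above carry several constraints that are easy to violate when a policy is built inline: exactly one of the policy UUID or "policy", exactly one redaction config kind, infoTypeSubstitutionConfig only on NIGHTFALL_DETECTOR detectors, HTTPS alert URLs, and a 10 KB metadata limit. The following pre-flight check is an added example, not Nightfall's own code; this page does not show most field names, so every key other than those quoted on the page is an assumption, as is the REGEX detector type used in the sample.

```python
from urllib.parse import urlparse

# On this page: policy, maskConfig, infoTypeSubstitutionConfig, substitutionConfig,
# cryptoConfig, detectorType, NIGHTFALL_DETECTOR. All other keys below (policyUUID,
# detectionRules, detectors, redactionConfig, defaultRedactionConfig, alertConfig,
# url, siem, address, requestMetadata) are assumed names; check them against the schema.
REDACTION_KINDS = ("maskConfig", "infoTypeSubstitutionConfig", "substitutionConfig", "cryptoConfig")
MAX_METADATA_BYTES = 10 * 1024  # "Maximum length 10 KB", read here as 10 * 1024 bytes

# detector_type is None when checking the policy-level default redaction config.
def check_redaction(cfg, where, detector_type=None):
    present = [k for k in REDACTION_KINDS if k in cfg]
    errors = []
    if len(present) != 1:
        errors.append(f"{where}: need exactly one of {REDACTION_KINDS}, got {present}")
    if "infoTypeSubstitutionConfig" in present and detector_type not in (None, "NIGHTFALL_DETECTOR"):
        errors.append(f"{where}: infoTypeSubstitutionConfig requires detectorType NIGHTFALL_DETECTOR")
    return errors

def validate_scan_request(body):
    """Return the problems found in a file-scan request body (empty list if none)."""
    errors = []
    if ("policyUUID" in body) == ("policy" in body):
        errors.append("provide exactly one of policyUUID or policy")
    policy = body.get("policy", {})
    for r, rule in enumerate(policy.get("detectionRules", [])):
        for d, det in enumerate(rule.get("detectors", [])):
            if "redactionConfig" in det:
                errors += check_redaction(det["redactionConfig"], f"rule {r} detector {d}",
                                          det.get("detectorType", ""))
    if "defaultRedactionConfig" in policy:
        errors += check_redaction(policy["defaultRedactionConfig"], "defaultRedactionConfig")
    for dest in ("url", "siem"):
        address = policy.get("alertConfig", {}).get(dest, {}).get("address")
        if address is not None and urlparse(address).scheme != "https":
            errors.append(f"alertConfig.{dest}.address must use the HTTPS scheme")
    if len(body.get("requestMetadata", "").encode("utf-8")) > MAX_METADATA_BYTES:
        errors.append("requestMetadata exceeds 10 KB")
    return errors

# Constructed sample: three mistakes (wrong detector type, two redaction kinds, HTTP URL).
BAD_REQUEST = {"policy": {
    "detectionRules": [{"detectors": [
        {"detectorType": "REGEX", "redactionConfig": {"infoTypeSubstitutionConfig": {}}},
        {"detectorType": "NIGHTFALL_DETECTOR",
         "redactionConfig": {"maskConfig": {}, "substitutionConfig": {}}}]}],
    "alertConfig": {"url": {"address": "http://hooks.example.test/nightfall"}}}}

if __name__ == "__main__":
    print("\n".join(validate_scan_request(BAD_REQUEST)))
```

Running the check before submitting a scan surfaces these mistakes locally instead of as a rejected request or as findings redacted differently than intended.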
Success
A UUID to uniquely identify a particular file upload.
Message indicating that file scanning has been initiated.