Learn how you can integrate Nightfall with various security tools.
Many customers choose to leverage other security tools, such as SIEMs (e.g. Splunk, Sumo Logic, etc.), to aggregate security-related information and SOARs (e.g. Cortex, Phantom, etc.) to orchestrate remediation & response. With Nightfall, you can export historical scan results and automatically push real-time alerts to third-party sources like a SIEM. From there, you can leverage SIEM capabilities to aggregate, search, filter, and manage alerts.
Some customers have also used workflow tools (e.g. Zapier) to automate workflows or to manipulate data.
Learn how to integrate Nightfall with a SIEM or push violations downstream to any alert drain, SOAR tool, BI tool, and more.
To integrate with a SIEM or push Nightfall alerts downstream, specify a webhook URL in your Nightfall console.
First, configure an incoming webhook in the tool you'd like to send Nightfall alerts into. For example, this could be Splunk, Sumo Logic, LogRhythm, Slack, PagerDuty, etc.
For LogRhythm integration, initialize the Webhook Beat by following these instructions.
This process will provide you with an HTTPS URL endpoint (as seen in step 4c). Copy this URL, as you will use it to complete the setup.
For Sumo Logic integration, configure an HTTP Logs and Metrics Source via the following instructions.
This process will provide you with a URL endpoint (as seen in step 10). Copy this URL, as you will use it to complete the setup.
For a Splunk integration, configure an HTTP Event Collector within Splunk via the following instructions.
This process will provide you with a URL endpoint (as seen in this step). Copy this URL, as you will use it to complete the setup.
To authenticate to the HTTP Event Collector, you may add an Authorization HTTP header, as described in the Splunk documentation, carrying your HTTP Event Collector token. Note that the Authorization HTTP header for HEC requires the "Splunk" keyword before the HEC token, i.e. Authorization: Splunk <HEC token>.
It is also possible to add your HEC Token as part of the query string of the Collector URL. This can be done for both Splunk Cloud as well as Enterprise.
If you are a Splunk Cloud customer, you will have to reach out to Splunk to enable the "allowQueryStringAuth" flag for your Splunk Cloud instance, by raising a support ticket with Splunk. This setting can only be changed on a paid account; on a free/trial account it is unavailable.
For Splunk Enterprise, you will have to enable query string authentication for your instance, by following these steps:
Open the file $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf. Each token appears by name in this file, as a stanza of the form [http://<token_name>].
Within the stanza of each token for which you want to enable query string authentication, add or change the following setting (this is the allowQueryStringAuth flag mentioned above):
allowQueryStringAuth = true
Once the flag is enabled, use the following steps to pass the HEC token in the URL query string. For more information on query string authentication, please reference the Splunk docs here.
You can specify the HEC token as a query string parameter in the collector URL, using the format shown below:
https://<host>:8088/services/collector/raw?token=<HEC_TOKEN>
The following example shows a full collector URL for an Enterprise instance, with a dummy HEC token appended as a query string:
https://localhost:8088/services/collector/raw?token=12345678-1234-1234-1234-1234567890AB
Note: We will be using the /services/collector/raw endpoint instead of the /services/collector/event endpoint. The event endpoint expects each event to be wrapped in a JSON envelope, whereas Nightfall's webhook posts the alert JSON directly as the request body, which only the raw version of the HTTP Event Collector endpoint accepts.
For Splunk Cloud customers, the above example URL will look different, as it includes the public-facing HEC URL. The endpoint (/services/collector/raw?token=12345678-1234-1234-1234-1234567890AB) should remain the same, however. Since you are on a Splunk Cloud instance, this URL is already reachable from the Nightfall console, and you can start using it as your webhook URL in the Nightfall console. Please continue with the steps after this section to complete the webhook setup.
For Splunk Enterprise customers, there are a few extra steps, described below, to expose the Splunk collector to the Nightfall webhook console.
The next step is exposing the local host and port of the Splunk collector through an HTTP listening tool, for example an ngrok tunnel or an nginx reverse proxy. This is required so that the Enterprise Splunk instance is reachable from Nightfall's webhook. Please make sure that port 8088 (the default port on which HEC receives data) is enabled by navigating to "Global settings" in your Splunk Enterprise instance.
Steps for setting up a ngrok tunnel can be found here. If using a ngrok tunnel, the following command would generate a ngrok tunnel listening to the correct port and protocol for the collector:
./ngrok http https://localhost:8088
Once complete, the ngrok tunnel will show you an HTTPS forwarding address, which you use as the ngrok host in the following step (HTTPS is required by Nightfall's webhook URL validation).
Your ngrok tunnel URL with your HEC auth token should now look something like this:
https://<NGROK_HOST>/services/collector/raw?token=<YOUR_HEC_TOKEN>
This will be your Webhook URL that you can use in the Nightfall console. Now you are all set to integrate alerts from your Nightfall webhook to your ngrok tunnel.
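As an added example (not Nightfall's or Splunk's own code), the following Python prepares the HEC target from this section in either authentication mode, checks the URL against the two constraints above (HTTPS only, raw endpoint rather than event endpoint), and builds the POST the webhook makes. The hostnames, the dummy token and the event payload are constructed assumptions, not a real schema.

```python
import json
import urllib.request
from urllib.parse import urlsplit, urlencode

RAW_ENDPOINT = "/services/collector/raw"      # accepts the bare JSON body Nightfall posts
EVENT_ENDPOINT = "/services/collector/event"  # expects an {"event": ...} envelope; not usable here

def hec_target(base_url, token, use_query_string=False):
    """Return (url, headers) for the HEC raw endpoint.

    use_query_string=False: token travels as 'Authorization: Splunk <token>'
        (the Splunk keyword is mandatory); add it via the console's Add Headers.
    use_query_string=True:  token is appended as ?token=<token>, which needs
        allowQueryStringAuth=true on Enterprise (or a support ticket on Cloud)
        and leaves the token in the request logs of any proxy or tunnel in the path.
    """
    url = base_url.rstrip("/") + RAW_ENDPOINT
    headers = {"Content-Type": "application/json"}
    if use_query_string:
        url += "?" + urlencode({"token": token})
    else:
        headers["Authorization"] = "Splunk " + token
    return url, headers

def check_webhook_url(url):
    """List the problems Nightfall's console or HEC would reject; empty means OK."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":       # the console's webhook validation requires HTTPS
        problems.append("webhook URL must use https")
    if parts.path == EVENT_ENDPOINT:  # wrong endpoint for the payload Nightfall sends
        problems.append("use " + RAW_ENDPOINT + " instead of " + EVENT_ENDPOINT)
    elif parts.path != RAW_ENDPOINT:
        problems.append("path should be " + RAW_ENDPOINT)
    return problems

# Constructed sample shaped like a Nightfall 'violation' alert, using the field
# names the Splunk and Sumo Logic searches on this page rely on; not the real schema.
SAMPLE_EVENT = {
    "eventType": "violation",
    "service": "slack",
    "policiesViolated": ["Internal Channels and Direct Messages"],
    "detectionRulesViolated": ["Credentials and Secrets"],
}

def build_request(url, headers, event):
    """Build the POST HEC receives; the raw endpoint indexes the whole body as one event."""
    body = json.dumps(event).encode("utf-8")
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def send(url, headers, event, timeout=10):
    """POST the event to HEC and return the HTTP status code (200 on success)."""
    with urllib.request.urlopen(build_request(url, headers, event), timeout=timeout) as resp:
        return resp.status
```

Prefer the header mode where you can: the query string variant is the one that needs the allowQueryStringAuth change and exposes the token to every log between Nightfall and Splunk.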
Next, configure the outgoing webhook in Nightfall. This webhook will fire in real-time upon a new event (e.g. a new violation is created).
Navigate to the integration for which you would like to set up a webhook for alerts. Webhooks are available for all native integrations.
Select the Settings tab on the top.
Select Change or Add next to the Webhook option.
Enter the URL to your webhook endpoint.
You may send a sample payload to the endpoint that you have entered to verify a successful connection using the Test button.
You may also add HTTP Headers to send authentication tokens or other content using the Add Headers button.
Once your header key and value are entered, you may obfuscate the value by clicking on the "lock" icon next to the value field for the header. Click the Save button to persist your changes to the headers.
When you have completed configuring your Webhook URL and Headers, click the Save button.
Going forward, you will now see events sent directly from Nightfall into your SIEM or other solution of choice.
When Nightfall sends a message to the configured webhook, an event is always included in the message. Nightfall sends the four types of events listed in the Event Name / Event Description table below.
The following are examples of a sample payload, delivered to the webhook, for detection rules that were violated. These are examples from each integration, so the specific fields may vary based on the Nightfall product you are using (e.g. Slack, GitHub, Google Drive, Jira, etc.).
The following are examples of a sample payload, delivered to the webhook, for remediations/actions that were taken on the above-mentioned Nightfall Events. These are examples from each integration, so the specific fields may vary based on the Nightfall product you are using (e.g. Slack, GitHub, Google Drive, Jira, etc.).
Learn how to start creating a dashboard of Nightfall alerts/actions in your Splunk Enterprise/Splunk Cloud environment.
If you are looking to connect Nightfall to Splunk, please reference the instructions here:
Once you have gone through the Splunk integration steps, we are ready to get started creating Dashboards using Splunk.
Now that the HTTP Event Collector has started receiving alerts from the webhook, you can search by a specific query or create charts to add it to a new or an existing Dashboard.
Below, you will see what a JSON payload looks like in Splunk:
Search:
To search for a specific policy that was violated, click on Search and select a time frame from the dropdown menu. In this example, we will be searching for our policy titled "Internal Channels and Direct Messages"
This is what our Search query would look like:
index="*" "policiesViolated{}"="Internal Channels and Direct Messages"
This query will list out JSON data for all instances which had "Internal Channels and Direct Messages" as the policy that was violated.
Similarly, you can search for multiple parameters too. If you want to search for a specific detection rule that was violated in the "Internal Channels and Direct Messages" policy, the query would then be:
index="*" "policiesViolated{}"="Internal Channels and Direct Messages" "detectionRulesViolated{}"="Credentials and Secrets"
From the Homepage, click on "Search and Reporting". Click on "Dashboards", then "Create New Dashboard". Enter a suitable name for your dashboard, choose the type of dashboard you would like to create (Classic or Studio), and click "Create".
Once the dashboard is created, it is displayed in the list of dashboards.
Navigate to the "Search & Reporting" tab. You can create a chart by either entering a search query or navigating to the "Visualization" section.
For a basic search, enter a query like:
index="*"
Go to "Visualization" tab, select "Pivot".
Next, you can either select "All Fields" or "Selected Fields"; these are the fields you would like to use as your Data Model.
Select "Pie Chart" to create a pie chart to show all the detection rules that were violated.
Next, you can click on the dropdown for "Range" to choose the timeframe/time range you want the data to be from.
Next, select "detectionRulesViolated{}" from the "Field" and "Color" dropdown. You can also create a custom label and give it a name.
If you hover over any of the pieces of the pie, it displays specific details about the detection rule that was violated and also displays the number of times it was violated.
Once the pie chart has been created, click on "Save As" > "Dashboard Panel". Select "Existing" and choose the dashboard created in Step 1 from the list. Enter a panel title (e.g. "Detection Rules Violated") and a unique model ID (e.g. detectionrules), then click "Save".
Steps 1 and 2 can be used to create multiple charts and to add them to an existing dashboard.
Finally, here are some sample Nightfall-Splunk Dashboard examples:
Please use these as a guide to get started creating your own Dashboards within Splunk. If you have any questions, or would like some assistance on how to get started using Splunk with your Nightfall integration, please reach out to support@nightfall.ai.
Event Name | Event Description |
---|---|
exposure_update | An alert that triggers if there are new findings or if findings have been removed from the Nightfall Event. |
resolution | An alert that triggers when the Nightfall Event is resolved. |
violation | An alert that triggers when a new Nightfall Event is created. |
remediation | An alert that triggers when a remediation action (e.g. redact, delete) is taken on the content of the Nightfall Event. |
Learn how to start creating a dashboard of Nightfall alerts/actions in your Sumo Logic environment.
If you are looking to connect Nightfall to Sumo Logic, please reference the instructions here:
Once you have gone through the Sumo Logic integration steps, we are ready to get started creating Dashboards using Sumo Logic.
Now that the HTTP Event Collector has started receiving alerts from the webhook, you can search by a specific query or create charts to add it to a new or an existing Dashboard.
In this example, my HTTP Event Collector's name is "Minify Tax Collector". Below, you will see what a JSON payload looks like in Sumo Logic:
The JSON payload gives granular details like detection rules violated, policies violated, including findings and details about the sender.
Search:
To search for a specific policy that was violated, click on Search and select a time frame from the dropdown menu. In this example, we will be searching for our policy titled "High Risk, Likely"
This is what our Search query would look like:
(_source="Minify Tax Collector") | where policiesviolated=="High Risk, Likely"
This query will list out JSON data for all instances which had "High Risk, Likely" as the policy that was violated.
Similarly, you can search for multiple parameters too. If you want to search for a specific detection rule that was violated in the "High Risk, Likely" policy, the query would then be:
(_source="Minify Tax Collector") | where policiesviolated=="High Risk, Likely" && detectionrulesviolated == "Credit cards, Likely"
From the Homepage, click on "+New", then "Dashboard". Choose a panel type; I have selected "Categorical" in this example. Enter the name of the dashboard; in this example, "Minify Tax - Nightfall" is the name of my dashboard. Once the dashboard is created, the next step is to add panels/charts to it.
For a basic dashboard, we will be searching for all the alerts from all services. Enter the search query:
(_source="Minify Tax Collector") | count by service
Select a time range. In this example, we will look at data from the past 7 days. Click on Search. This query will result in a pie chart which shows alerts from all the 5 services (Slack, GitHub, GDrive, Jira and Confluence).
You can customize this chart using the customization panel on the right side. Once the customization is complete, click on "Add to Dashboard" on the right. Also rename the panel; in this case, the name of the pie chart/panel is "Alerts from Services". The panel name should make the properties of the chart easily identifiable.
Next, we will be creating another chart to look at the different detection rules that were violated.
Select "Add Panel" to add a new panel/chart to the dashboard. Select "Categorical", enter "Last 7 days" as the date range and then enter the search query:
(_source="Minify Tax Collector") | where eventtype == "violation" | count by detectionrulesviolated
This query returns a list of detection rules that were violated in the last 7 days. Sumo Logic gives you the flexibility to have different time ranges in the same dashboard: you can select "Last 30 days" as the time period for one panel and a customized time period for another panel within the same dashboard. For this query, I'll be using "Bar chart" as my chart type, so it would look like:
Step 2 can be replicated to add multiple panels to the existing dashboard.
Here is a sample Sumo Logic - Nightfall Dashboard for your reference:
Please use these as a guide to get started creating your own Dashboards within Sumo Logic. If you have any questions, or would like some assistance on how to get started using Sumo Logic with your Nightfall integration, please reach out to support@nightfall.ai.
Learn how to integrate Nightfall with Microsoft Sentinel.
Microsoft Sentinel is Microsoft's SIEM tool which is part of the Microsoft Azure suite. You can use Sentinel as a SIEM tool and send Nightfall alerts to this tool.
To ingest any data into Microsoft Sentinel, you must use a data connector. A Sentinel data connector is a data pipeline which transfers data (alerts, incidents, and so on) from a specific source to Sentinel. Microsoft provides many out of the box data connectors to ingest data into Sentinel.
To send alerts from Nightfall to Sentinel, you must first configure Sentinel as a webhook. Because there is no out-of-the-box connector for Nightfall AI in Sentinel, this means creating a custom connector in Sentinel. Microsoft provides multiple ways in which you can create custom connectors; to learn more, refer to Microsoft's documentation on custom connectors.
Once you create a custom connector in Sentinel, you must configure the Webhook endpoint in Nightfall.
Click Integrations in Nightfall.
Click Manage for the required integration.
Scroll down to the alerting section and click + Webhook.
Click Test to verify the URL.
You must receive a message as shown in the following image.
Check your webhook to confirm that it received a POST message from Nightfall. If no POST message was received, verify your webhook URL and try again.
(Optional) Click Add Header to add authentication parameters.
Enter the authentication parameters (key value format) under the key and value columns, respectively.
Click the unlock icon to obfuscate the key value pair.
Click Save.
Learn how to configure Nightfall to send alerts to Microsoft Teams using email.
Integrating your Nightfall alerts for Slack/Jira/GDrive/Confluence with Microsoft Teams can be done using the following steps:
1. Log in to your Microsoft Teams account and create a new channel called "Nightfall Alerts" (you can also send alerts to an existing channel). Click on the three dots ("More options") next to the channel name.
2. Select "Get email address" in more options.
3. Copy the email address shown in the pop-up:
5. Click on "Settings" and in the "Email alert" textbox, enter the Microsoft Teams email address from Step 3 and Save it.
Once a policy is violated, you should receive an alert in your Teams channel:
You can also take remediation actions like "Redact Findings" or delete (in case of attachment) through Microsoft Teams. For any issues or questions, please feel free to reach out to support@nightfall.ai.
Enter the Sentinel webhook URL obtained when you created the custom connector in the section above.
Once you configure Sentinel as a webhook, Nightfall sends alert notifications to Sentinel, where you can view them. To learn more about viewing visual data in Sentinel and about querying logs with Microsoft's Kusto Query Language, refer to Microsoft's documentation.
4. Log in to your Nightfall account and click on the integration you want to connect. In this example, I have selected "Jira":