How do I use Exclusion Rules?
Exclude certain tokens from detection to suit your business logic
Exclusion Rules, also known as an allowlist, help you reduce false positives in your sensitive findings by ignoring content from detection, or “allowing” it to pass through without being flagged.
For example, let’s say you are using the Email Address detector and you don’t want any corporate domains of “@example.com” to be detected by Nightfall. You can add “*@example.com” as a regex Exclusion Rule.
You can add in a list of known safe tokens as a dictionary or craft a regular expression. A dictionary is a list of literal values, for example, a list of dummy credit card numbers or API keys. Regular expressions are known patterns to match against, for example if you want to allow all emails of a given domain as in the example above. Regular expressions follow RE2 syntax listed here. You can test your regular expression here.
Exclusion Rules can be added on to any detector (either pre-made by Nightfall or off your own custom regular expression or “regex”) to omit certain “tokens” or items from resulting in detection events.
Here’s how you can build your own Exclusion Rule and attach it to a detector:
- 1.Select the type of Exclusion Rule you would like to use. It can be either a dictionary of words or a regex pattern.
- 2.Select the match type from the dropdown menu on the right, either Partial or Full match.
- 3.Append your Exclusion Rule to your custom detector by clicking the "Save" button in the lower right.