Nightfall
HomeLoginDeveloper PlatformContact Us
Search…
Introduction
Why Cloud DLP?
Product Updates
Operationalizing DLP
Informing & Coaching Business Users
Running Historical Scans
Alert Management Guiding Principles
Integrating with Security Tools
Detection Engine
Getting Started
How Detection Works
Nightfall’s Detector Library
Detector Glossary
Configuring & Customizing Detectors
Choosing Detectors
Creating Detection Rules
Recommended Detectors
Create Detection Rules for Real-Time vs Historical Scans
Detection Engine FAQs
Evaluating Detection
Nightfall for Slack
Nightfall for Slack: Demo Video
Getting Started
Alert Management
Remediation Guide
FAQs
Nightfall for GitHub
Real-Time Scanning
Historical Scanning
Radar API Reference
Exporting Reports & Results
Integrating Webhook Endpoints
Integrating with Jira
Remediation Guide
Managed Services
FAQs
NIGHTFALL FOR GOOGLE DRIVE
Getting Started
Alert Management
Remediation Guide
Historical Scanning
Nightfall for Confluence
Getting Started
Alert Management
Remediation Guide
Nightfall for Jira
Remediation Guide
Account Management
User Administration
Authentication Options
Compliance
SOC 2 Compliance
HIPAA Compliance
PCI Compliance
Resources
FAQs
Login to Nightfall
Developer Platform
Platform Status
Contact Us
Powered By GitBook
Creating Detection Rules
Nightfall’s Detection Rules enable you to determine what sensitive information you want to scan for, along with thresholds to define what constitutes a violation. A Detection Rule may consist of a single Detector, or multiple Detectors combined with "AND" or "OR" logic. Detection Rules are created at the platform level, and can be applied to any of the apps you integrate with Nightfall.
Within a Detection Rule, thresholds for Minimum Confidence and Minimum Number of Findings can be applied to each included Detector, and adjusted according to your organizational needs and risk tolerance. Ultimately, these thresholds can help you optimize your scans to target critical violations and reduce noise.

Choosing a Logical Operator

Within a Detection Rule that has multiple detectors, specify whether you want the Detection Rule to flag when all detector conditions are met, or when at least one of detector conditions are met. Here are two examples:
In this example above, the Detection Rule will be triggered when at least one Credit Card Number with minimum confidence Likely AND at least one Email Address within minimum confidence Likely are detected. Colloquially this is referred to as chaining detectors together.
In this example above, the Detection Rule will be triggered when at least one Credit Card Number with minimum confidence Likely OR at least one Email Address within minimum confidence Likely are detected.

Setting Minimum Confidence

Minimum Confidence settings determine the Confidence Level at which a violation will be triggered. When creating a Detection Rule, you can specify the Minimum Confidence for each Detector that is grouped within the Detection Rule.
Confidence levels include:
    Possible (40-60% confidence)
    Likely (60-80% confidence)
    Very Likely (>80% confidence)
For Nightfall’s pre-built detectors, a “Possible” confidence level is triggered by the appearance of the token, without considering context, whereas “Likely” and “Very Likely” take context into account. When a custom regex is detected, its confidence level is assessed as “Likely” - you may determine how the assessed confidence level adjusts from there based on context.
Of course, there is a tradeoff - a lower Minimum Confidence may result in more noise. We highly recommend setting the Minimum Confidence of every detector to Likely or Very Likely in order to reduce noise and focus your DLP efforts on priority violations. Setting your detectors to Possible or below will lead to many more findings and is best suited for scenarios in which risk tolerance is very low, or for special / advanced use cases that involve optimizing for reducing false negatives.
When setting Minimum Confidence, also consider how structured the data tends to be. For example, a Social Security Number or Credit Card Number has a very typical structure and false positives may be less likely - so you could decrease the Minimum Confidence in order to implement a very conservative policy. On the other hand, less structured data such as Names could result in more false positives, and thus you may want to increase the Minimum Confidence.

Setting Minimum Number of Findings

The Minimum Number of Findings threshold determines how many sensitive findings must appear within the same message or file in order to trigger a violation. One way to reduce potential noise is to increase the number of occurrences that must appear together in order to trigger a violation. This will be highly dependent on your organization’s needs and risk tolerance. For example, you may choose to ignore occurrences of <10 items, whereas >10 occurrences represents too high of a risk.
Previous
Choosing Detectors
Next
Recommended Detectors
Last modified 1mo ago
Copy link
Contents
Choosing a Logical Operator
Setting Minimum Confidence
Setting Minimum Number of Findings