Creating Detection Rules
Nightfall’s Detection Rules enable you to determine what sensitive information you want to scan for, along with thresholds to define what constitutes a violation. A Detection Rule may consist of a single Detector, or multiple Detectors combined with "AND" or "OR" logic. Detection Rules are created at the platform level, and can be applied to any of the apps you integrate with Nightfall.
Within a Detection Rule, thresholds for Minimum Confidence and Minimum Number of Findings can be applied to each included Detector, and adjusted according to your organizational needs and risk tolerance. Ultimately, these thresholds can help you optimize your scans to target critical violations and reduce noise.

Choosing a Logical Operator

Within a Detection Rule that has multiple Detectors, specify whether you want the Detection Rule to flag when all Detector conditions are met ("AND"), or when at least one of the Detector conditions is met ("OR"). Here are two examples:
In the first example, the Detection Rule is triggered when at least one Credit Card Number with minimum confidence Likely AND at least one Email Address with minimum confidence Likely are detected in the same message or file. Colloquially this is referred to as chaining Detectors together.
In the second example, the Detection Rule is triggered when at least one Credit Card Number with minimum confidence Likely OR at least one Email Address with minimum confidence Likely is detected.

Setting Minimum Confidence

Minimum Confidence settings determine the Confidence Level at which a violation will be triggered. When creating a Detection Rule, you can specify the Minimum Confidence for each Detector that is grouped within the Detection Rule.
Confidence levels include:
    Possible (40-60% confidence)
    Likely (60-80% confidence)
    Very Likely (>80% confidence)
For Nightfall’s pre-built detectors, a “Possible” confidence level is triggered by the appearance of the token alone, without considering context, whereas “Likely” and “Very Likely” take surrounding context into account. When a custom regex is matched, its confidence level is initially assessed as “Likely” - you may then configure how that confidence level is adjusted up or down based on context.
Of course, there is a tradeoff - a lower Minimum Confidence may result in more noise. We highly recommend setting the Minimum Confidence of every detector to Likely or Very Likely in order to reduce noise and focus your DLP efforts on priority violations. Setting your detectors to Possible or below will lead to many more findings and is best suited for scenarios in which risk tolerance is very low, or for special / advanced use cases that involve optimizing for reducing false negatives.
When setting Minimum Confidence, also consider how structured the data tends to be. For example, a Social Security Number or Credit Card Number has a very typical structure and false positives may be less likely - so you could decrease the Minimum Confidence in order to implement a very conservative policy. On the other hand, less structured data such as Names could result in more false positives, and thus you may want to increase the Minimum Confidence.

Setting Minimum Number of Findings

The Minimum Number of Findings threshold determines how many sensitive findings must appear within the same message or file in order to trigger a violation. One way to reduce potential noise is to increase the number of occurrences that must appear together in order to trigger a violation. This will be highly dependent on your organization’s needs and risk tolerance. For example, you may choose to ignore occurrences of <10 items, whereas >10 occurrences represents too high of a risk.
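To make the three settings above concrete, here is a small evaluator, added here as an illustration and not part of Nightfall's product or API, that decides whether a Detection Rule fires for a set of findings from one message. The data model (Finding, DetectorConfig, DetectionRule and the detector/confidence names) is assumed for the example; the sample findings are constructed.

```python
from dataclasses import dataclass
from typing import Literal, Tuple

# Confidence levels in ascending order; a finding qualifies only if its level
# is at or above the Detector's Minimum Confidence.
CONFIDENCE_RANK = {"VERY_UNLIKELY": 0, "UNLIKELY": 1, "POSSIBLE": 2,
                   "LIKELY": 3, "VERY_LIKELY": 4}

@dataclass(frozen=True)
class Finding:              # one token the scanner flagged in a message (assumed model)
    detector: str           # e.g. "CREDIT_CARD_NUMBER"
    confidence: str         # key of CONFIDENCE_RANK

@dataclass(frozen=True)
class DetectorConfig:       # one Detector inside a Detection Rule, with its thresholds
    detector: str
    min_confidence: str = "LIKELY"
    min_num_findings: int = 1

@dataclass(frozen=True)
class DetectionRule:
    detectors: Tuple[DetectorConfig, ...]
    logical_op: Literal["ALL", "ANY"] = "ANY"   # ALL = "AND", ANY = "OR"

def qualifying_count(cfg: DetectorConfig, findings) -> int:
    """Number of findings for this Detector at or above its Minimum Confidence."""
    threshold = CONFIDENCE_RANK[cfg.min_confidence]
    return sum(1 for f in findings
               if f.detector == cfg.detector
               and CONFIDENCE_RANK[f.confidence] >= threshold)

def rule_triggers(rule: DetectionRule, findings) -> bool:
    """A Detector is met when its qualifying count reaches Minimum Number of Findings;
    the rule fires per its logical operator across all Detectors."""
    met = [qualifying_count(cfg, findings) >= cfg.min_num_findings
           for cfg in rule.detectors]
    return all(met) if rule.logical_op == "ALL" else any(met)

# Constructed sample message: a Likely credit card number and a merely Possible email.
SAMPLE_FINDINGS = (Finding("CREDIT_CARD_NUMBER", "LIKELY"),
                   Finding("EMAIL_ADDRESS", "POSSIBLE"))

# The two rules from the examples above (assumed detector names).
CC_AND_EMAIL = DetectionRule((DetectorConfig("CREDIT_CARD_NUMBER", "LIKELY", 1),
                              DetectorConfig("EMAIL_ADDRESS", "LIKELY", 1)), "ALL")
CC_OR_EMAIL = DetectionRule(CC_AND_EMAIL.detectors, "ANY")

# A noise-reducing rule: ignore fewer than 10 SSNs in one message.
BULK_SSN = DetectionRule((DetectorConfig("US_SOCIAL_SECURITY_NUMBER", "LIKELY", 10),), "ANY")
```

With the sample message, the AND rule does not fire because the email is only Possible, while the OR rule fires on the credit card number alone.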