Creating Detection Rules
Nightfall’s Detection Rules enable you to determine what sensitive information you want to scan for, along with thresholds to define what constitutes a violation. A Detection Rule may consist of a single Detector, or multiple Detectors combined with "AND" or "OR" logic.
Detection Rules are created at the platform level, and can be applied to any of the apps you integrate with Nightfall.
Within a Detection Rule, thresholds for Minimum Confidence and Minimum Number of Findings can be applied to each included Detector, and adjusted according to your organizational needs and risk tolerance. These thresholds allow you to optimize your scans to target critical violations and reduce noise.
Within a Detection Rule that has multiple Detectors, you must specify whether the Detection Rule flags a finding when any single Detector is triggered (that is, any one of the Detectors in the Detection Rule meets its thresholds), or only when every Detector's Minimum Confidence and Minimum Number of Findings thresholds are met (that is, all of the Detectors in the Detection Rule are triggered).
This is done by selecting either the "Any Detector" or "All Detectors" radio button under "Flag as finding when triggered by".
In the example above, the Detection Rule will be triggered when at least one Credit Card Number with Minimum Confidence Likely OR at least one Email Address with Minimum Confidence Likely is detected.
In order for the Detection Rule to be triggered only when at least one Credit Card Number with Minimum Confidence Likely AND at least one Email Address with Minimum Confidence Likely are detected in the same message or file, you would need to select the "All Detectors" radio button. Colloquially this is referred to as chaining Detectors together.
Minimum Confidence settings determine the Confidence Level at which a violation will be triggered. When creating a Detection Rule, you can specify the Minimum Confidence for each Detector that is grouped within the Detection Rule.
Confidence levels include:
- Possible (40-60% confidence)
- Likely (60-80% confidence)
- Very Likely (>80% confidence)
For Nightfall’s pre-built Detectors, a “Possible” confidence level is triggered by the appearance of the token alone, without considering context, whereas “Likely” and “Very Likely” take context into account. When a custom regex matches, the match is assessed as “Likely” by default; you may then determine how the assessed confidence level adjusts from there based on context.
Of course, there is a tradeoff - a lower Minimum Confidence may result in more noise. We highly recommend setting the Minimum Confidence of every detector to Likely or Very Likely in order to reduce noise and focus your DLP efforts on priority violations. Setting your detectors to Possible or below will lead to many more findings and is best suited for scenarios in which risk tolerance is very low, or for special / advanced use cases that involve optimizing for reducing false negatives.
When setting Minimum Confidence, also consider how structured the data tends to be. For example, a Social Security Number or Credit Card Number has a very typical structure and false positives may be less likely - so you could decrease the Minimum Confidence in order to implement a very conservative policy. On the other hand, less structured data such as Names could result in more false positives, and thus you may want to increase the Minimum Confidence.
The Minimum Number of Findings threshold determines how many sensitive findings must appear within the same message or file in order to trigger a violation. One way to reduce potential noise is to increase the number of occurrences that must appear together before a violation is raised. The right value will be highly dependent on your organization’s needs and risk tolerance. For example, you may choose to ignore a message that contains fewer than 10 occurrences of a Detector, while treating 10 or more occurrences in one message as too high a risk to ignore.
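The following is an added example, not Nightfall's own code, that models the rule semantics described on this page: the "Any Detector" / "All Detectors" combination, the per-Detector Minimum Confidence, and the Minimum Number of Findings threshold, evaluated over a constructed set of findings for a single message. The data shapes (Finding, DetectorConfig, DetectionRule), the detector names used in the sample rules, and the two confidence levels below "Possible" are assumptions made for the illustration; the custom-regex scanner simply labels every match "Likely" as the page states, without modelling context adjustment.

```python
"""Local model of Detection Rule evaluation (added illustration, not Nightfall's code).

Constructed findings stand in for what Nightfall's detectors would return
for one message; the rule evaluation logic follows the page above.
"""
import re
from dataclasses import dataclass
from typing import List, Literal

# Confidence levels in increasing order. The page lists Possible, Likely and
# Very Likely; the two lower levels are assumed so that "Possible or below"
# has something to refer to.
CONFIDENCE_ORDER = ["VERY_UNLIKELY", "UNLIKELY", "POSSIBLE", "LIKELY", "VERY_LIKELY"]


def confidence_rank(level: str) -> int:
    """Numeric rank so that confidence levels can be compared."""
    return CONFIDENCE_ORDER.index(level)


@dataclass(frozen=True)
class Finding:
    detector: str     # assumed detector name, e.g. "CREDIT_CARD_NUMBER"
    confidence: str   # one of CONFIDENCE_ORDER


@dataclass(frozen=True)
class DetectorConfig:
    detector: str
    min_confidence: str = "LIKELY"   # Minimum Confidence for this detector
    min_num_findings: int = 1        # Minimum Number of Findings for this detector


@dataclass
class DetectionRule:
    name: str
    detectors: List[DetectorConfig]
    logical_op: Literal["ANY", "ALL"] = "ANY"   # "Any Detector" / "All Detectors"


def detector_triggered(cfg: DetectorConfig, findings: List[Finding]) -> bool:
    """A detector triggers when enough findings in the message meet its Minimum Confidence."""
    qualifying = [
        f for f in findings
        if f.detector == cfg.detector
        and confidence_rank(f.confidence) >= confidence_rank(cfg.min_confidence)
    ]
    return len(qualifying) >= cfg.min_num_findings


def rule_triggered(rule: DetectionRule, findings: List[Finding]) -> bool:
    """ANY: at least one detector triggers. ALL: every detector triggers (chaining)."""
    results = [detector_triggered(cfg, findings) for cfg in rule.detectors]
    return any(results) if rule.logical_op == "ANY" else all(results)


def scan_custom_regex(text: str, detector: str, pattern: str) -> List[Finding]:
    """Custom regex matches are assessed as LIKELY (per the page); context
    adjustment is not modelled here."""
    return [Finding(detector, "LIKELY") for _ in re.finditer(pattern, text)]


# --- Constructed sample data -------------------------------------------------
CC_AND_EMAIL = [
    DetectorConfig("CREDIT_CARD_NUMBER", "LIKELY"),
    DetectorConfig("EMAIL_ADDRESS", "LIKELY"),
]
ANY_RULE = DetectionRule("card or email", CC_AND_EMAIL, "ANY")
ALL_RULE = DetectionRule("card and email (chained)", CC_AND_EMAIL, "ALL")
# Bulk-exposure rule: ignore fewer than 10 SSNs in one message.
BULK_SSN_RULE = DetectionRule(
    "10+ SSNs", [DetectorConfig("US_SOCIAL_SECURITY_NUMBER", "LIKELY", 10)], "ANY")

# Message 1: a Likely card number next to an email that only reached Possible.
MESSAGE_1 = [Finding("CREDIT_CARD_NUMBER", "LIKELY"), Finding("EMAIL_ADDRESS", "POSSIBLE")]
# Message 2: both detectors at or above Likely.
MESSAGE_2 = [Finding("CREDIT_CARD_NUMBER", "VERY_LIKELY"), Finding("EMAIL_ADDRESS", "LIKELY")]
# Constructed text for the custom regex (hypothetical employee-ID format).
SAMPLE_TEXT = "Please onboard EMP-104233 and EMP-104234 before Friday."


if __name__ == "__main__":
    print("ANY over message 1:", rule_triggered(ANY_RULE, MESSAGE_1))   # True
    print("ALL over message 1:", rule_triggered(ALL_RULE, MESSAGE_1))   # False
    print("ALL over message 2:", rule_triggered(ALL_RULE, MESSAGE_2))   # True
    print("custom regex findings:", scan_custom_regex(SAMPLE_TEXT, "EMPLOYEE_ID", r"EMP-\d{6}"))
```

Raising the email detector's Minimum Confidence to "VERY_LIKELY" in CC_AND_EMAIL makes the chained rule miss message 2 as well, which is the noise-versus-coverage tradeoff the page describes; lowering it to "POSSIBLE" makes message 1 trigger the chained rule too.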